
docs: refine Security Batch governance hooks and CI smoke-fast schedule #19502

Closed
BrianCLong wants to merge 1 commit into main from codex/create-recurring-security-batch-template

@BrianCLong
Owner

Motivation

  • Formalize the recurring Security Batch sprint to ensure readiness alignment and auditable exception capture via a Governed Exceptions field.
  • Make security work discoverable and actionable by adding lane:* labels and lane-specific Definitions of Done.
  • Reduce CI duplication and add a nightly schedule plus a lightweight smoke-fast job to catch regressions outside of PR traffic.
  • Update roadmap metadata for traceability of the governance refinements.

Description

  • Added a Security Batch issue template at .github/ISSUE_TEMPLATE/security-batch.yml including a required Governed Exceptions textarea and a reference to docs/SUMMIT_READINESS_ASSERTION.md.
  • Introduced lane labels in .github/labels.json and .github/labels.yml (lane:security, lane:bizdev, lane:infra) and documented lane semantics in CONTRIBUTING.md.
  • Added or updated runbooks docs/security/SECURITY_BATCH.md and docs/security/SECURITY_CIS.md to reference the readiness authority and to require Governed Exception capture for deviations.
  • Cleaned up duplicated CI setup steps and added a nightly schedule trigger plus a smoke-fast job in .github/workflows/ci.yml that runs pnpm ga:smoke and preserves existing typecheck/lint/unit pipelines.
  • Updated docs/roadmap/STATUS.json last_updated and revision_note to reflect these governance refinements.

Testing

  • Ran node scripts/check-boundaries.cjs to validate workspace boundary rules and it completed successfully.
  • No repository-wide CI pipelines were executed in this change; the new nightly smoke-fast job will run under GitHub Actions on schedule.

Codex Task

@BrianCLong BrianCLong added the codex Codex-owned implementation work label Mar 7, 2026 — with ChatGPT Codex Connector
@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the project's operational governance and CI efficiency. It establishes a more structured approach to security sprints, improves the discoverability and accountability of different workstreams through new labeling conventions, and optimizes continuous integration processes to ensure earlier detection of regressions. These changes aim to streamline workflows and bolster overall project readiness and security posture.

Highlights

  • Security Batch Governance: Formalized the recurring Security Batch sprint with a new issue template requiring 'Governed Exceptions' for auditable exception capture.
  • Workstream Discoverability: Introduced 'lane:*' labels ('lane:security', 'lane:bizdev', 'lane:infra') and documented their lane-specific Definitions of Done in CONTRIBUTING.md.
  • CI Pipeline Refinement: Reduced CI duplication, added a nightly 'schedule' trigger, and introduced a lightweight 'smoke-fast' job in .github/workflows/ci.yml to catch regressions.
  • Documentation Updates: Updated security runbooks (SECURITY_BATCH.md, SECURITY_CIS.md) to reflect new governance and exception requirements, and revised docs/roadmap/STATUS.json metadata.

Changelog
  • .github/ISSUE_TEMPLATE/security-batch.yml
    • Added a new issue template for formalizing security batch sprints.
    • Included required fields for sprint window, owner, dashboard review, CIS run evidence, acceptance criteria, execution log, and governed exceptions.
  • .github/labels.json
    • Introduced new lane:security, lane:bizdev, and lane:infra labels.
  • .github/labels.yml
    • Introduced new lane:security, lane:bizdev, and lane:infra labels.
  • CONTRIBUTING.md
    • Documented the purpose and Definitions of Done for the new lane:security, lane:bizdev, and lane:infra labels.
  • docs/roadmap/STATUS.json
    • Updated the last_updated timestamp and revision_note to reflect governance changes.
  • docs/security/SECURITY_BATCH.md
    • Added a new runbook to standardize recurring security batch sprints, including execution steps and acceptance criteria.
  • docs/security/SECURITY_CIS.md
    • Added a new runbook for repeatable and auditable CIS benchmark validation, detailing preconditions, execution, and evidence capture.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/ci.yml
Activity
  • No human activity has been recorded on this pull request yet.

@coderabbitai

coderabbitai bot commented Mar 7, 2026

Warning

Rate limit exceeded

@BrianCLong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 14 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 68c99c3 and 5b649dc.

📒 Files selected for processing (8)
  • .github/ISSUE_TEMPLATE/security-batch.yml
  • .github/labels.json
  • .github/labels.yml
  • .github/workflows/ci.yml
  • CONTRIBUTING.md
  • docs/roadmap/STATUS.json
  • docs/security/SECURITY_BATCH.md
  • docs/security/SECURITY_CIS.md

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces significant improvements to the security governance process. It formalizes the 'Security Batch' sprint by adding a detailed issue template, new lane:* labels for workstream tracking, and comprehensive runbook documentation. The changes are well-structured and consistent across all modified files. I have one suggestion to simplify the new issue template by removing a redundant section, which should improve clarity for users.

Comment on lines +83 to +91
- type: checkboxes
id: verification
attributes:
label: Verification
options:
- label: CI workflow results reviewed (ci.yml)
- label: CIS benchmark evidence attached
- label: Security dashboard alerts triaged
- label: Follow-on issues created and labeled lane:security

medium

The verification checkboxes seem redundant as they largely overlap with the items in the acceptance-criteria checklist. This could lead to confusion and unnecessary duplication of effort.

To simplify the template, I suggest removing this verification section entirely. You could also consider changing the acceptance-criteria from a textarea to a checkboxes type to make it a more direct and enforceable checklist. For example:

  - type: checkboxes
    id: acceptance-criteria
    attributes:
      label: Acceptance Criteria
      description: Ensure all criteria are met before closing the issue.
      options:
        - label: No open **high/critical** alerts in GitHub `security/code` view.
          required: true
        - label: CIS benchmark run completed in the last 7 days and archived.
          required: true
        - label: CI green on `.github/workflows/ci.yml` for touched components.
          required: true
        - label: Security batch findings logged as follow-on issues.
          required: true

This would make the template clearer and more streamlined.

Contributor

@github-actions github-actions bot left a comment


🤖 Auto-approved by Mega Merge Orchestrator

@BrianCLong
Owner Author

Temporarily closing to reduce Actions queue saturation and unblock #22241. Reopen after the golden-main convergence PR merges.


@BrianCLong BrianCLong closed this Mar 30, 2026

Labels

codex Codex-owned implementation work queue:blocked
