docs: add LICENSE, README, CHANGELOG/CONTRIBUTING and validate CI #1
Merged
Wave-2 polish for B-tier repos:

- LICENSE — MIT (was missing)
- README.md (was missing): badges row, why/how, tech stack table, configuration, limitations, Related Claude Code ecosystem block, expanded author block. Flags that BOT_TOKEN should move to Wrangler secrets.
- CHANGELOG.md reconstructed from git history (Keep a Changelog)
- CONTRIBUTING.md with priority list and PR checklist
- .github/workflows/validate.yml: package.json validity, JS syntax check on src/ and test/, meta-files presence, README sections

No source code changes.
CreatmanCEO added a commit that referenced this pull request May 6, 2026
…crets (#2)

⚠️ The previous src/index.js shipped a real Telegram bot token, chat id, and production origin in the source. The token was publicly leaked in this repo from 2026-02-10 (GitHub secret-scanning alert #1, never resolved).

Changes:

- src/index.js — read BOT_TOKEN, CHAT_ID, ALLOWED_ORIGIN from env (Wrangler bindings), return 500 with a clear setup message if any is missing. No hardcoded values remain.
- .env.example — document the required secrets and how to set them via `wrangler secret put`. The file contains placeholder values only.

Note: this commit does NOT remove the leaked token from git history. The token must be revoked via @BotFather as a separate operational step (rotation, then `wrangler secret put BOT_TOKEN <new-token>`). After revoke, the GitHub secret-scanning alert can be closed as "revoked": https://github.com/CreatmanCEO/telegram-form-worker/security/secret-scanning/1

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
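The pattern the commit message above describes (read BOT_TOKEN, CHAT_ID and ALLOWED_ORIGIN from the Worker's env bindings and answer 500 with a setup message when any is missing), as an added example; it is not the repository's src/index.js. The helper names, the exact-match origin check and the `message` form field are assumptions.

```javascript
// Added example: not the repository's src/index.js.
const REQUIRED_BINDINGS = ["BOT_TOKEN", "CHAT_ID", "ALLOWED_ORIGIN"];

// Names of bindings that are absent, non-string or blank. Only names are
// returned, so a partially set secret can never leak into an error body.
function missingBindings(env) {
  return REQUIRED_BINDINGS.filter(
    (name) => typeof env[name] !== "string" || env[name].trim() === ""
  );
}

// Decide the early-exit response, or null when the request may proceed.
// Returns plain data so the logic can be checked outside a Workers runtime.
function preflight(origin, env) {
  const missing = missingBindings(env);
  if (missing.length > 0) {
    return {
      status: 500,
      body: "Worker not configured. Missing bindings: " + missing.join(", ") +
        ". Set each one with: wrangler secret put <NAME>",
    };
  }
  // Assumption: ALLOWED_ORIGIN holds a single exact origin string.
  if (origin !== env.ALLOWED_ORIGIN) {
    return { status: 403, body: "Origin not allowed" };
  }
  return null;
}

// Module-syntax Worker handler; secrets arrive on `env`, never as literals.
const worker = {
  async fetch(request, env) {
    const early = preflight(request.headers.get("Origin"), env);
    if (early) return new Response(early.body, { status: early.status });
    // Hypothetical form payload: { "message": "..." }
    const { message } = await request.json().catch(() => ({}));
    if (typeof message !== "string") {
      return new Response("Bad request", { status: 400 });
    }
    const url = `https://api.telegram.org/bot${env.BOT_TOKEN}/sendMessage`;
    const tg = await fetch(url, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ chat_id: env.CHAT_ID, text: message }),
    });
    // Do not relay Telegram's response body to the browser.
    return new Response(tg.ok ? "sent" : "upstream error", { status: tg.ok ? 200 : 502 });
  },
};
```

In a deployed Worker the last step is `export default worker;`, left out here so the file also loads as a plain script.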
Summary
Wave-2 polish for B-tier ecosystem repos. The repo had no README and no LICENSE — both added. No source code touched.
- `LICENSE` — MIT (was missing)
- `README.md` (was missing): badges row, why/how, tech stack table, configuration, limitations, Related Claude Code ecosystem block, expanded author block
- `CHANGELOG.md` reconstructed from git log (Keep a Changelog)
- `CONTRIBUTING.md` with priority list and PR checklist
- `.github/workflows/validate.yml` — package.json validation, JS syntax check on `src/` and `test/`, meta-files presence, README section checks

Security note for reviewer

The README explicitly flags that `BOT_TOKEN`, `CHAT_ID`, and `ALLOWED_ORIGIN` are currently hardcoded in `src/index.js` and recommends moving them to Wrangler secrets. Per polish scope, source code was not modified — this is a follow-up for Nick.

Test plan
Notes