Tracking: kg-microbe governance & cleanup backlog from 2026-04-17 audit

[turbomam]

What this is

Single rollup of every item surfaced during a 2026-04-17 repo-cleanup audit. Use this as the entry point; each sub-item has its own issue or PR linked below.

Open issues (already filed)

#	Topic	Type
#544	BacDive transformer opens ncbitaxon.owl with a sqlite adapter	bug
#545	.gitignore is inconsistent for data/transformed/ subdirs	hygiene
#546	Security & governance baseline (umbrella — full audit in comments)	umbrella
#547	KGX transform produces URIs with unencoded characters	bug
#549	master fails ruff check on 3.12 — 7 errors blocking all PR CI	blocker

Open PRs (already filed)

#	What	State
#548	Add .github/dependabot.yml	DRAFT for team discussion
#550	Fix pre-existing ruff lint errors in tests/test_mediadive_bulk_download.py (closes #549)	ready to merge — unblocks all other CI
#551	Manual poetry update to close ~9 of ~30 Dependabot alerts	DRAFT for team discussion
#552	Add SECURITY.md vulnerability-reporting policy	DRAFT for team discussion

Admin toggles — not in a dedicated issue; captured here

Require admin permission (my role is maintain). All free on public repos.

Settings → Code security & analysis (https://github.com/Knowledge-Graph-Hub/kg-microbe/settings/security_analysis)

• Dependabot alerts → Enable. Currently off; the "33 vulnerabilities" badge reflects a stale DB snapshot and won't refresh until this is on.
• Dependabot security updates → Enable. Separate from version updates; opens fix-PRs when patched versions exist.
• Secret scanning → Enable.
• Secret scanning push protection → Enable. Blocks git push of diffs containing detected secrets.
• Private vulnerability reporting → Enable. Pairs with the SECURITY.md in DRAFT: Add SECURITY.md vulnerability-reporting policy #552.
• Code scanning → Set up → Default (CodeQL). No workflow file to own; GitHub manages the queries.

Settings → General (https://github.com/Knowledge-Graph-Hub/kg-microbe/settings)

• Allow auto-merge → check. Capability only (per-PR opt-in).
• Automatically delete head branches → check. Cleans up after merge; this audit pruned 17 stale tracking branches locally that wouldn't have accumulated with this on.

Settings → Branches (https://github.com/Knowledge-Graph-Hub/kg-microbe/settings/branches)

• Add branch protection rule on master. Require status checks: build (3.10), build (3.11), build (3.12) (+ CodeQL once it runs). Disallow force-push and deletion.
• Only do this after Fix pre-existing ruff lint errors in tests/test_mediadive_bulk_download.py (closes #549) #550 merges (otherwise every PR is blocked by the pre-existing lint failure).

CODEOWNERS — not in an issue; captured here

• Team decision: who owns which paths? Candidate split:
  • kg_microbe/transform_utils/bacdive/ → BacDive owner
  • kg_microbe/transform_utils/metatraits/ → MetaTraits owner
  • kg_microbe/query_utils/ → query-stack owner (PR Enhance MetaTraits transform with chemical mapping and expanded METPO predicates #531 adds this)
  • .github/ → CI/governance owner
  • default * → fallback maintainer(s)
• Once decided, open a small PR adding .github/CODEOWNERS.
• Optional follow-up: flip Require code owner reviews in branch protection once the file is meaningful.

Suggested sequence

1. Admin: flip the six Code-security-and-analysis toggles (<5 minutes total).
2. Merge Fix pre-existing ruff lint errors in tests/test_mediadive_bulk_download.py (closes #549) #550 (ruff lint fix) to unblock CI.
3. Admin: add branch protection on master requiring the qc.yml jobs.
4. Admin: flip auto-merge and auto-delete-branches in General settings.
5. Team review of Add .github/dependabot.yml to open weekly dependency PRs #548 (dependabot.yml), DRAFT: Manual poetry update to close Dependabot alerts — for team discussion #551 (poetry update), DRAFT: Add SECURITY.md vulnerability-reporting policy #552 (SECURITY.md); merge or close each.
6. Team discussion on CODEOWNERS.
7. PR for CODEOWNERS when ready.

Out of scope for this rollup

• PR Enhance MetaTraits transform with chemical mapping and expanded METPO predicates #531 (realmarcin's MetaTraits + query_utils PR) — tracked separately; related follow-up issues Post-merge: apply leftover MediaDive bug fixes from closed PR #535 #538–Add tests for DuckDB query stack and kg query-organism CLI #543 were filed by another session.
• Operational questions about rebuilding the KG after dependency bumps — would warrant its own issue if pursued.