Common Repository Structure¶
LF Decentralized Trust (LFDT) projects are required to maintain a standard set of files in each repository. This document describes the required and recommended files.
Required Files with Specified Content¶
Repositories MUST have these files with the specific content in the linked files, or a file with a link to the specified content with minimal exposition. These files MUST be at the root of the repository.
- LICENSE(Unless an exception has been made by the LFDT Governing Board)
- CODE_OF_CONDUCT.md
- SECURITY.md
Required Files with Variable Content¶
Repositories MUST have these files. Named files MUST be at the root of the repository, and may have
format suffixes such as .md, .rst, or .txt.
- README\ A description of the project and contain information or links to information such as- A reference to the license (required).
- The current and important past releases
- Documentation for developers and users
- Suggestion for users to update the ADOPTERS.mdfile (see further below) upon awareness of practical usage
 
- MAINTAINERS\ A list of all current maintainers with contact info. A separate document covers the specifics.
- CONTRIBUTING\ Directions on how to contribute code to the project, or a pointer to that information. If a repository contains more than one CONTRIBUTING file, then the file shown in links is chosen from locations in the following order: the .github directory, then the repository's root directory, and finally the docs directory.
- Continuous Integration / Continuous Delivery (CI/CD) configurations \ Configurations needed to run CI/CD on LFDT Trust provided systems.
Required Content in Home Page¶
The README.md in the root folder of the repository MUST display the following badges right below the title:
- License: 
- OpenSSF Best Practices: [](https://bestpractices.coreinfrastructure.org/projects/:project-id)
- OpenSSF Scorecard: [](https://scorecard.dev/viewer/?uri=github.com/:user/:repo)
Recommended¶
Repositories SHOULD have these files. Named files SHOULD be at the root of the repository.
- NOTICE- As per section 4, subsection (d), of the Apache License, Version 2
 
- License Header information in each source code file. \
    For new files added to LFDT repositories they SHOULD include the snippet SPDX-License-Identifier: Apache-2.0as part of the header. (see the Copyright and Licencing Policy)
- Build files consistent with the implementation language, such as...- For JavaScript/Node.js a package.jsonfile
- For Ruby a Gemfilefile
- For Java, one of a Maven pom.xml, an Apache Antbuild.xml, or a Gradlebuild.gradle, file
- For Python setup.pyandrequirements.txtfiles
- For Go go.modand optionallygo.sum
- For Rust a cargo.tomlfile
- For multi-lingual repositories a Makefileor executablebuild.shscript
- For other languages, other standard build files a practitioner of the language would expect.
 
- For JavaScript/Node.js a 
- Testing code \ Code to test the code in the repository (such as unit tests), in a location appropriate for the language. \ Not all repositories can be tested (homebrew, docs), which is the only reason this is a SHOULD.
- ADOPTERS.md- Contains a list of notable usages of the project's releases and/or source code
- MUST contain publicly verifiable references in the form of URLs or article info
- Can be updated by maintainers as well as by adopters or any third party who is aware of adoption and can provide verifiable links.
- See Defining Adopters for more information on what an adopter is
 
- CHANGELOG\ A human-readable list of recent changes. Changes should at least include the current release. This file may be maintainer curated or mechanically produced. Consider making this file a link that points to the GitHub release notes.
Prohibited¶
Repositories MUST NOT have these files.
- Executable binaries and shared library files built by code in the repository \
    This includes .exe,.dll,.so,.aand.dylibfiles not otherwise part of a third party library.
Tooling¶
In order to help automate checks a repolinter file and supporting scripts can be found in LFDT Community Management Tools.
Note that this document takes precedence over documents in the folder linked above, wherever the instructions and tooling differ between the two.
Community Standards Verification for GitHub based Projects¶
GitHub provides an Insights feature called Community Standards that helps ensure a repository adheres to recommended structural guidelines. This feature is accessible via the Insights tab of a repository and evaluates whether the repository includes key components aligned with community best practices.
Specifically, the Community Standards tool checks for the presence of the following files and configurations, as outlined by the TAC's "must" and "recommended" criteria:
- Repository description
- README
- Code of Conduct
- Contribution guidelines (CONTRIBUTING)
- License file
- Security policy
- Issue templates
- Pull request templates
- Repository administrators' ability to receive content reports
For additional details, please refer to the GitHub public documentation.