Dispatches¶

April 21, 2026
in Technology
11 min read

How to Write an Effective Security Policy for GitHub Repositories

A repository security policy is one of those documents that people often add because GitHub expects it, not because they have thought through what it needs to do. That is how you end up with policies that say little more than "email us if you find a problem" or, worse, tell researchers to open a public issue for a vulnerability report. An effective security policy is not a box-checking exercise. It is an operational document: it tells security researchers how to contact you safely, tells users which versions you still support, and tells everyone what kind of response process they can reasonably expect.

This post walks through how to write a security policy that is actually useful on GitHub: what sections it needs, how specific to be, which mistakes to avoid, and a practical SECURITY.md template you can adapt for your own repositories. The goal is not just to help you publish the file, but to help you publish one that will still read as clear, credible, and operational when someone actually needs it.

Useful beyond GitHub, too!

Although this post focuses on GitHub, most of the guidance applies equally well to GitLab and other source hosting platforms. The platform-specific details, such as where the policy is surfaced and how private vulnerability reporting works, may differ, but the core job of a security policy stays the same: define a private reporting path, set expectations, and make support boundaries clear.

April 20, 2026
in Technology
8 min read

How to Write an Effective Code of Conduct for GitHub Repositories

A GitHub repository does not become a healthy community just because the code is useful. The moment other people begin opening issues, commenting on pull requests, or submitting patches, you have a social space to maintain as well as a technical one. A code of conduct is the document that defines what kind of community you are trying to build, what behavior is expected, and what happens when those expectations are ignored.

The best code of conduct files are not there for optics. They are there to reduce ambiguity. They tell contributors what respectful participation looks like, give maintainers a clear basis for moderation, and provide a reporting path when something goes wrong. Done well, they make a project safer, more predictable, and easier to contribute to.

April 19, 2026
in Songwriting
2 min read

I'm Just a River

39 North · I'm Just a River

Trigger Warning

This piece includes themes of depression, hopelessness, and suicide. Please proceed with care.

In Loving Memory

Written to process the death of my nephew.
Rest in Peace, Phin.

Phineas Harvey Alexander Tillman
June 4, 2001–January 11, 2026

Lyrics

I'M JUST A RIVER

I’ve been carving through the valley
Long before they built this town
I’ve watched these waters rise
And families settle down
I’ve carried off the mountains
Every stone of joy and pain
I catch the ones who fall to me
And hold them year to year

The bridge has swallowed prayers
From quiet hums to raw-boned cries
I’ve seen the tired at midnight
Walking beneath a heavy sky
The moon hid behind the clouds
Too faint to see you leave
You fractured something in my depths
Searching only for relief

     I’m just a river, I don’t choose
     What the tired and hurting do
     But I’d trade every drop of me
     If love could’ve pulled you through
     The hard days spoke like the Gospel
     And you believed every word they said
     I’d have carried you a thousand miles
     But I couldn’t quiet your head

Now your name moves upstream
In your mother’s cry
In the silence your father swallows
When the house has lost its light
Your family passes by the rail
Holding breath inside their chests
Learning how to miss you
Without rehearsing how you left

Repeat Chorus

Standing on the bridge
Believing rest is letting go
A current only moves one way
But a heart can still turn home

Writer: J. Ryan Johnson (BMI)
Copyright: © 2026 J. Ryan Johnson. All rights reserved.
Phone: +1 (407) 902-5419
Email: hello [at] tenthirtyam [dot] org

Copyright

Audio Disclaimer

Lyrics: Original | Audio: AI-Generated

I’m a musician, but not a vocalist. I use AI to bridge that gap, turning my lyrics into concept demos that capture their intended style.

These tracks allow artists and agents to hear the full potential of my songwriting exactly as I’ve always heard it in my head.

April 18, 2026
in Technology
11 min read

A Deep Dive into golangci-lint

golangci-lint is one of the highest-leverage tools in the Go ecosystem because it turns a loose collection of static analysis tools into a single, fast, repeatable code-quality gate. Used well, it catches real bugs, reduces review noise, and helps maintainers keep a project consistent without turning style preferences into endless pull request commentary.

For many Go teams, the mistake is not adopting golangci-lint. The mistake is adopting it without a strategy. Enabling too many linters at once, tolerating unexplained //nolint comments, or treating the default output as a substitute for judgment quickly turns a useful signal into background noise.

This post walks through how golangci-lint works, how I think about configuring it for a real project, and how to run it in ways that are practical for both day-to-day development and long-term open source maintenance.

Much of what I know about golangci-lint was learned the unglamorous way: maintaining Go-based open source projects where lint output has to hold up in front of contributors, CI systems, release processes, and real users. That includes work across HashiCorp Terraform providers, HashiCorp Packer plugins, and Go SDKs.

If you want the broader project list behind that perspective, see the Open Source Projects section of my resume.

That context matters because this is not an abstract "here are the docs" walkthrough. It is an opinionated maintainer's view of what actually keeps linting useful in a long-lived Go codebase.

April 17, 2026
in Personal
4 min read

What the Record Shows

Imposter Syndrome

Image Source: InnerSloth

There is a kind of performance that no longer feels like performance because you have been doing it so long that it has settled into your bones.

Each morning arrives with its own familiar ritual: the steady voice, the practiced calm, the expression that says, "I belong here." After enough years, it becomes automatic. People hear you speak, ask for your judgment, trust what you have to say. Your name appears on work that matters.

From the outside, it can look like certainty.

But beneath all of that, there can still be a quieter voice saying something else entirely:

"Today will be the day they figure out I don't belong here after all."

It has a name, of course: Imposter Syndrome. That old habit of treating your own record like disputed evidence.

That voice is stubborn. It doesn't yield easily to experience, praise, or proof. It survives accomplishment with an almost insulting ease. It can sit in the same room with a long career, meaningful work, and the respect of other people, and remain completely unimpressed.

I've spent most of my professional life inside the orbit of very large institutions, places whose names carry their own kind of weather.

On paper, my record isn't especially mysterious. I've held serious roles. I've contributed to products and open source projects people actually use. I've written extensive designs and documentation that helped people do their jobs. I've even written a book. I've earned certifications and accreditations, sometimes less out of ambition than out of a private need to quiet the voice that keeps insisting I've not done enough. I've stood in rooms where others came to listen, and I've spoken at more technology conferences than I could name without stopping to count, somehow managing not to waste their time.