| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor | Best-effort |
| Older | No |
If you discover a security vulnerability in this project, please report it responsibly by opening a GitHub issue.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix or mitigation: best effort, typically within 2 weeks for critical issues
This policy covers:
- The reusable GitHub Actions workflows in `.github/workflows/`
- The scripts in `scripts/`
- The configuration templates in `configs/`
If you use these workflows in your project:
- Pin to a release tag or commit SHA (e.g., `@v1.2.3`) rather than `@main` for production
- Review workflow permissions; only grant what each workflow needs
- Use `enable_dangerous_workflows: true` in `infra-lint.yml` to detect injection patterns in your CI
- Enable Dependabot to keep action versions current
- Add a SECURITY.md to your own repo (template available in `configs/SECURITY.md`)
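As an added example (not part of this policy or of the project's `scripts/`), a small Python audit that applies the pinning and permissions advice above to a constructed caller workflow. The `OWNER/REPO` path and the 40-hex commit SHA in the sample are placeholders, and `infra-lint.yml` is assumed to be a reusable workflow that takes `enable_dangerous_workflows` as a `with:` input.

```python
import re

# Constructed sample caller workflow (not the project's); OWNER/REPO and the
# 40-hex SHA are placeholders. One weak job beside two hardened ones.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  weak:
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node
  hardened:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  lint:
    uses: OWNER/REPO/.github/workflows/infra-lint.yml@v1.2.3
    with:
      enable_dangerous_workflows: true
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def classify_ref(ref):
    """Classify the part after '@' as 'sha', 'tag', 'branch' or 'none'."""
    if not ref:
        return "none"
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"  # main, master or a feature branch: moves without notice

def audit_workflow(text):
    """Return (severity, message) findings for one workflow file's text."""
    findings = []
    for match in USES_RE.finditer(text):
        target = match.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and images are not pinned with '@'
        kind = classify_ref(target.partition("@")[2])
        if kind in ("none", "branch"):
            findings.append(("high", f"{target}: floating ref, pin a tag or SHA"))
        elif kind == "tag":
            findings.append(("low", f"{target}: tag pin, prefer a full commit SHA"))
    if not re.search(r"^\s*permissions:", text, re.MULTILINE):
        findings.append(("medium", "no permissions block: GITHUB_TOKEN keeps default scopes"))
    return findings
```

Run it over each file under `.github/workflows/` and fail the job on any `high` finding; the `low` tag-pin findings are the cases Dependabot can keep current but a SHA would make immutable.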