As a CI setup tool, this GitHub Action may be subject to supply-chain attacks, which makes security an important topic. Issues therefore must be taken seriously and have to be managed with extreme caution.
If you find a security issue, we kindly ask you for responsible disclosure and for giving us appropriate time to react, analyze and develop a fix to mitigate the found security vulnerability.
Please report vulnerabilities, including as many details as possible, by using GitHub private vulnerability reporting.
We will do our best to respond quickly to your inquiry and to coordinate a fix and disclosure with you. Sometimes it might take a little longer for us to react, for example during out-of-office periods, so please bear with us in these cases.
We will publish security advisories using the GitHub Security Advisories feature to keep our community well-informed, and will credit you for your findings (unless you prefer to stay anonymous, of course).
We will publish fixes for the discovered security vulnerabilities using patch releases for the supported versions of the application.
Older, unsupported versions might receive critical security fixes on a best-effort basis; however, it cannot be guaranteed that security fixes get back-ported to these versions.
If a security fix requires a complex redesign of a feature, is otherwise very intrusive, or a workaround is available, we may decide to postpone the release of the fix to the next minor version instead of releasing it for the currently supported versions.