From 905a8aa03d4aad33ee2256a28e63c4bec8457f8e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 2 Jan 2025 16:00:40 +0100 Subject: [PATCH 1/3] gha: set default permissions to "read" Signed-off-by: Sebastiaan van Stijn --- .github/workflows/test.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0e6f3bf..442f1ac 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,4 +1,14 @@ name: Test + +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + on: [push, pull_request] jobs: test: From ca22ebc1e2bc1564b62ad2b063e24dac635a1227 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 2 Jan 2025 16:04:51 +0100 Subject: [PATCH 2/3] gha: add concurrency check add concurrency check in our workflows to ensure that only a single workflow using the same concurrency group will run at a time. more info: https://docs.github.com/en/actions/using-jobs/using-concurrency Signed-off-by: Sebastiaan van Stijn --- .github/workflows/test.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 442f1ac..5c0103e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,11 @@ permissions: contents: read on: [push, pull_request] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: test: strategy: From 1700fcb009fba7d7add9f50e2bef37f4347125de Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 2 Jan 2025 16:08:46 +0100 Subject: [PATCH 3/3] Add security policy Signed-off-by: Sebastiaan van Stijn --- .github/SECURITY.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..42d4c04 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,41 @@ +# Security Policy + +The maintainers of the Moby project take security seriously. If you discover +a security issue, please bring it to their attention right away! + +## Reporting a Vulnerability + +Please **DO NOT** file a public issue, instead send your report privately +to [security@docker.com](mailto:security@docker.com). + +Reporter(s) can expect a response within 72 hours, acknowledging the issue was +received. + +## Review Process + +After receiving the report, an initial triage and technical analysis is +performed to confirm the report and determine its scope. We may request +additional information in this stage of the process. + +Once a reviewer has confirmed the relevance of the report, a draft security +advisory will be created on GitHub. The draft advisory will be used to discuss +the issue with maintainers, the reporter(s), and where applicable, other +affected parties under embargo. + +If the vulnerability is accepted, a timeline for developing a patch, public +disclosure, and patch release will be determined. If there is an embargo period +on public disclosure before the patch release, the reporter(s) are expected to +participate in the discussion of the timeline and abide by agreed upon dates +for public disclosure. + +## Accreditation + +Security reports are greatly appreciated and we will publicly thank you, +although we will keep your name confidential if you request it. We also like to +send gifts - if you're into swag, make sure to let us know. We do not currently +offer a paid security bounty program at this time. + +## Supported Versions + +This project does not provide long-term-supported releases. Only the current +release is maintained.