From e4a1c0bd3ae039fbfb8a496a0766181d0607fbb1 Mon Sep 17 00:00:00 2001 From: Joe Constant Date: Sun, 26 May 2024 14:16:08 -0600 Subject: [PATCH 1/3] feat: add SECURITY.md to outline security issue reporting Add a SECURITY.md file to provide guidelines for reporting security issues. This will help in the responsible disclosure of security bugs by detailing the process for reporting vulnerabilities. It includes a link to the GitHub Security Advisory for ease of access and ensures contributors are informed about the handling of their reports. --- SECURITY.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..4196bc8 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +# Reporting Security Issues + +The Sublinks team and community take security bugs in Sublinks seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + +To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/sublinks/sublinks-federation/security/advisories/new) tab. + +The Sublinks Core Owner team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +Report security bugs in third-party libraries/modules to the person or team maintaining the library/module. From b505b2179334a8450db14a97d2dc238ff8fe7578 Mon Sep 17 00:00:00 2001 From: Joe Constant Date: Sun, 26 May 2024 23:45:13 -0600 Subject: [PATCH 2/3] Switch to using a fork of coverage action Appears to be a bug in action where it attempts to push a change during open PRs --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index c514cd7..26647e7 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -47,7 +47,7 @@ jobs: run: go test -v ./... - name: Coverage - uses: gwatts/go-coverage-action@v2.0.0 + uses: lazyguru/go-coverage-action@9b496d245c69f85ab8cef4ce57d857cc727506ee with: # Fail the build if the coverage drops below supplied percentage coverage-threshold: 0 # Change this as coverage improves From c33efa1287004ded8a0b9d708bb952447b3da84c Mon Sep 17 00:00:00 2001 From: Joe Constant Date: Mon, 27 May 2024 01:36:04 -0600 Subject: [PATCH 3/3] Disable adding comment to PR for code coverage Due to running from a fork, we can no longer add comments --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 26647e7..ac23420 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -54,7 +54,7 @@ jobs: # Fail the build if coverage drops below coverage-threshold. One of "always", "never" or "only_pull_requests" fail-coverage: only_pull_requests # Adds a comment to the PR with coverage information if true. If false will only add an action summary report - add-comment: true + add-comment: false # One or more regular expressions matching filenames to exclude from coverage statistics (e.g. for generated Go files) #ignore-pattern:
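Review bot: In the SECURITY.md hunk (first patch), the "Report a Vulnerability" link at `https://github.com/sublinks/sublinks-federation/security/advisories/new` only resolves if private vulnerability reporting is enabled in the repository's security settings; otherwise reporters land on a 404 and may fall back to a public issue, which defeats the purpose of the file. Please confirm that setting is on before merging, and consider adding a sentence stating the expected acknowledgement window (the text promises "a response indicating the next steps" but gives no timeframe) and which versions or branches are in scope for reports.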
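Review bot: In the first go.yml hunk (second patch), the switch from `gwatts/go-coverage-action@v2.0.0` to `lazyguru/go-coverage-action@9b496d245c69f85ab8cef4ce57d857cc727506ee` moves CI onto a personal fork of a third-party action, and the only explanation lives in the commit message. Add a workflow comment next to the `uses:` line saying why the fork is used and which upstream version it tracks, so a later maintainer does not silently "fix" it back to upstream or upgrade the fork without review. Pinning the fork to a full commit SHA rather than a tag is the right choice, since it makes the action code immutable; when the upstream bug is fixed, the switch back should also pin a SHA instead of the mutable `v2.0.0` tag.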
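Review bot: In the second go.yml hunk (third patch), `add-comment: false` is flipped without updating the surrounding comment, which still describes the option generically ("Adds a comment to the PR with coverage information if true"); add an inline note that comments are disabled because the job can no longer post to PRs, as the commit message states, so reviewers know to read the action summary report instead. Also note that with `add-comment: false` and the `coverage-threshold: 0` visible in the previous hunk, the `fail-coverage: only_pull_requests` gate cannot fail and coverage regressions will now be invisible on the PR itself; consider a follow-up that raises the threshold once the summary report is confirmed to be produced.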