From 60305a18bb65b5c31402d59a934443bb97ba272c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mart=C3=ADnez?= Date: Sun, 3 May 2026 07:50:36 -0700 Subject: [PATCH 1/2] Create SECURITY.md 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 --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..034e848 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From caebe54908fa73ddf372647a695a7d9171b0302e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mart=C3=ADnez?= Date: Sun, 3 May 2026 07:53:12 -0700 Subject: [PATCH 2/2] Create go-ossf-slsa3-publish.yml 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 --- .github/workflows/go-ossf-slsa3-publish.yml | 38 +++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/go-ossf-slsa3-publish.yml diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml new file mode 100644 index 0000000..79ea193 --- /dev/null +++ b/.github/workflows/go-ossf-slsa3-publish.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + # ======================================================================================================================================== + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file + #========================================================================================================================================= + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0 + with: + go-version: 1.17 + # ============================================================================================================= + # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects + # ============================================================================================================= +