Skip to content

Commit b87b443

Browse files
committed
chore: harden validation workflow and add SECURITY.md
what: - SHA-pin actions/checkout@v6 in both validation jobs - Pin awesome-lint to 2.3.0 instead of using latest through npx - Add push trigger and broaden path filters to include criteria, contributing, SECURITY.md, workflow, and validation script changes - Remove unused pip install pyyaml and use explicit python3 - Add SECURITY.md with vulnerability reporting and signing-boundary note why: Reduce CI supply-chain drift, ensure validation runs when its own rules change, remove dead dependency setup, and document the repo's vulnerability reporting path.
1 parent f41e6f0 commit b87b443

2 files changed

Lines changed: 42 additions & 7 deletions

File tree

.github/workflows/validate.yml

Lines changed: 20 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,24 @@ on:
44
workflow_dispatch:
55
schedule:
66
- cron: '0 6 * * 1' # weekly, Monday 06:00 UTC
7+
push:
8+
branches: [main]
9+
paths:
10+
- 'README.md'
11+
- 'CRITERIA.md'
12+
- 'contributing.md'
13+
- 'SECURITY.md'
14+
- '.github/scripts/**'
15+
- '.github/workflows/validate.yml'
716
pull_request:
817
branches: [main]
9-
paths: ['README.md']
18+
paths:
19+
- 'README.md'
20+
- 'CRITERIA.md'
21+
- 'contributing.md'
22+
- 'SECURITY.md'
23+
- '.github/scripts/**'
24+
- '.github/workflows/validate.yml'
1025

1126
permissions:
1227
contents: read
@@ -15,19 +30,17 @@ jobs:
1530
awesome-lint:
1631
runs-on: ubuntu-latest
1732
steps:
18-
- uses: actions/checkout@v6
33+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
1934
- name: Run awesome-lint
20-
run: npx awesome-lint
35+
run: npx --yes awesome-lint@2.3.0
2136

2237
validate-repos:
2338
runs-on: ubuntu-latest
2439
permissions:
2540
contents: read
2641
steps:
27-
- uses: actions/checkout@v6
28-
- name: Install dependencies
29-
run: pip install pyyaml
42+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
3043
- name: Validate all listed repos exist and are active
31-
run: python .github/scripts/validate-repos.py
44+
run: python3 .github/scripts/validate-repos.py
3245
env:
3346
GH_TOKEN: ${{ github.token }}

SECURITY.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
This repo is a curated public awesome list with supporting validation tooling.
6+
There are no versioned releases — always use the latest commit from `main`.
7+
8+
## Reporting a Vulnerability
9+
10+
This project contains no secrets, runtime service, or deployed application. It
11+
ships a curated README plus GitHub Actions validation for listed repositories.
12+
If you find an issue with the content, criteria, or validation logic, please
13+
open a public issue on GitHub.
14+
15+
Do **not** open a public issue if the vulnerability involves the GitHub Actions
16+
workflow itself, such as leaked CI logs or token exposure. Report privately to
17+
the repository owner via GitHub's security advisory tool.
18+
19+
## Commit Signing
20+
21+
Maintainer commits from 2026-07-05 onward are SSH-signed. Earlier commits may
22+
be unsigned and are retained to avoid rewriting public history.

0 commit comments

Comments
 (0)