Skip to content

Commit 3251cea

Browse files
author
liuyuran02
committed
ci(security): fix scorecard publication [skip changelog]
1 parent 071eb2c commit 3251cea

3 files changed

Lines changed: 16 additions & 13 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -39,23 +39,23 @@ jobs:
3939
- name: Checkout
4040
uses: actions/checkout@v4
4141

42-
- name: Initialize CodeQL
43-
uses: github/codeql-action/init@v3
44-
with:
45-
languages: ${{ matrix.language }}
46-
queries: security-extended,security-and-quality
47-
4842
- name: Set up Go
4943
if: matrix.language == 'go'
5044
uses: actions/setup-go@v5
5145
with:
5246
go-version: "1.22"
5347
cache-dependency-path: sdk/go/go.mod
5448

49+
- name: Initialize CodeQL
50+
uses: github/codeql-action/init@v4
51+
with:
52+
languages: ${{ matrix.language }}
53+
queries: security-extended,security-and-quality
54+
5555
- name: Build Go SDK
5656
if: matrix.language == 'go'
5757
working-directory: sdk/go
5858
run: go test ./...
5959

6060
- name: Perform CodeQL Analysis
61-
uses: github/codeql-action/analyze@v3
61+
uses: github/codeql-action/analyze@v4

.github/workflows/scorecard.yml

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,9 +13,6 @@ permissions:
1313
id-token: write
1414
security-events: write
1515

16-
env:
17-
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
18-
1916
concurrency:
2017
group: scorecard-${{ github.workflow }}-${{ github.ref }}
2118
cancel-in-progress: true
@@ -38,6 +35,6 @@ jobs:
3835
publish_results: true
3936

4037
- name: Upload SARIF
41-
uses: github/codeql-action/upload-sarif@v3
38+
uses: github/codeql-action/upload-sarif@v4
4239
with:
4340
sarif_file: scorecard.sarif

SECURITY.md

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,11 @@ Security fixes target the current `main` branch and the latest tagged release. O
88

99
## Reporting a Vulnerability
1010

11-
Use GitHub Private Vulnerability Reporting from the repository's **Security** tab when it is enabled. Include:
11+
Use GitHub Private Vulnerability Reporting from the repository's **Security** tab when it is enabled:
12+
13+
https://github.com/Kickflip73/agent-communication-protocol/security/advisories/new
14+
15+
Include:
1216

1317
- A short description of the issue and affected component
1418
- Reproduction steps or a proof of concept
@@ -25,4 +29,6 @@ Please avoid opening public GitHub issues for vulnerabilities until a maintainer
2529

2630
## Security Documentation
2731

28-
See [docs/security.md](docs/security.md) for the relay security model, identity notes, and operational hardening guidance.
32+
See the published security model for relay identity notes and operational hardening guidance:
33+
34+
https://kickflip73.github.io/agent-communication-protocol/security/

0 commit comments

Comments
 (0)