Add self-updating expiry field to security.txt #28740
Merged
SiAdcock reviewed Apr 27, 2026
NovemberTang (Contributor, Author) commented May 15, 2026:
After moving the file and migrating to JS, you can see the output here
SiAdcock reviewed May 27, 2026
SiAdcock (Contributor) approved these changes May 27, 2026:
This looks good to me! One small question around dates.
Alongside dotcom-platform, infosec and the security team will be notified of, and can approve, changes to the security.txt and security-txt.yaml files.
Seen on ADMIN-PROD (merged by @NovemberTang 9 minutes and 7 seconds ago)
Seen on FRONTS-PROD (merged by @NovemberTang 9 minutes and 15 seconds ago)
What is the value of this and can you measure success?
Following up to #28706, a security.txt requires two fields to be valid: Contact: and Expires:. Maintaining the Expires: field isn't much work, but it is one additional thing to remember to do, so this PR (along with introducing it) adds a cron job to update that field annually, reducing the burden on dev teams. It sets the expiry date 13 months into the future. Typically people recommend updating this every 12 months; I've added a month just in case reviews are slow.
What does this change?
This has been written in JS for maintainability reasons - it's a lot shorter and more readable than the bash alternative. This doesn't really pose a security risk as I am using the standard library (which is already installed on GitHub runners) with no dependencies, and accept no user input.
In order for this PR to be valid, the codeowner teams would require explicit write access to the repo, which doesn't represent a significant expansion of anyone's permissions. I can do this after the PR is approved, or we can talk about alternatives.
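As an added illustration (not the PR's own script, which is not shown on this page), the following JavaScript does what the description outlines: it rewrites the Expires: field of a security.txt to a date 13 months out, in the ISO 8601 date-time form RFC 9116 requires, and refuses to produce a file that lacks Contact: or carries more than one Expires: field. The function names and the sample file contents are assumptions.

```javascript
// Added example, not the PR's own script: refresh the Expires: field of a
// security.txt so it points 13 months past a given date, as the PR describes.
// RFC 9116 requires a Contact: field and exactly one Expires: field holding
// an ISO 8601 date-time.

// `now` plus `months` months as a UTC Date; the day of month is clamped so
// that 31 Jan + 13 months yields 28 Feb rather than rolling into March.
function addMonths(now, months) {
  const y = now.getUTCFullYear();
  const m = now.getUTCMonth() + months;
  const lastDay = new Date(Date.UTC(y, m + 1, 0)).getUTCDate();
  const day = Math.min(now.getUTCDate(), lastDay);
  return new Date(Date.UTC(y, m, day, now.getUTCHours(),
    now.getUTCMinutes(), now.getUTCSeconds()));
}

// Second-precision ISO 8601 form, e.g. 2027-06-27T10:30:00Z.
function formatExpires(date) {
  return date.toISOString().replace(/\.\d{3}Z$/, "Z");
}

// Returns the file text with Expires: replaced (or appended). Throws instead
// of producing an invalid file when Contact: is missing or Expires: appears
// more than once, so a malformed security.txt is never committed by the bot.
function refreshExpires(text, now = new Date(), months = 13) {
  const trailingNewline = text.endsWith("\n");
  const lines = text.replace(/\r?\n$/, "").split(/\r?\n/);
  if (!lines.some((l) => /^Contact:\s*\S/i.test(l))) {
    throw new Error("security.txt must contain a Contact: field");
  }
  const expiresAt = lines.flatMap((l, i) => (/^Expires:/i.test(l) ? [i] : []));
  if (expiresAt.length > 1) {
    throw new Error("security.txt must contain exactly one Expires: field");
  }
  const field = `Expires: ${formatExpires(addMonths(now, months))}`;
  if (expiresAt.length === 1) lines[expiresAt[0]] = field;
  else lines.push(field);
  return lines.join("\n") + (trailingNewline ? "\n" : "");
}

// Demo on a constructed sample; a CI job would wrap refreshExpires in
// fs.readFileSync / fs.writeFileSync on the real security.txt instead.
if (typeof require !== "undefined" && require.main === module) {
  const sample = "Contact: mailto:security@example.com\nExpires: 2025-01-01T00:00:00Z\n";
  console.log(refreshExpires(sample));
}
```

Because the script throws rather than writing on a malformed file, a scheduled job using it fails loudly instead of quietly committing a security.txt that validators would reject.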
Screenshots
You can see an example of the change made by the bot in this PR commit
Checklist
data/database files generated by tests are committed with this PR (the tests will fail in CI if you've forgotten to do this)