
Commit 4a74a20

aclark4life and Copilot committed
Update Readiness Review: quarterly cadence, trim checklist
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 64ed471 commit 4a74a20

1 file changed

Lines changed: 6 additions & 15 deletions

File tree

.github/INCIDENT_RESPONSE.md

@@ -27,24 +27,15 @@ will receive a patch.
2727
2828
### 1.2 Team Readiness
2929

30-
- Maintain a private list of current maintainer contact details (GitHub handles, email,
31-
Mastodon) in a location accessible to all maintainers (e.g. a pinned private team
32-
discussion or the Tidelift maintainer portal).
33-
- Ensure at least two maintainers have admin access to:
34-
- The GitHub repository (to manage Security Advisories)
35-
- The [PyPI Pillow project](https://pypi.org/project/Pillow/) (to yank releases)
36-
- The Tidelift maintainer portal
37-
- Rotate and audit PyPI API tokens and GitHub Actions secrets at least once per year,
38-
and immediately after any maintainer leaves the project.
30+
The four members of the Pillow core team are in regular contact and share collective
31+
responsibility for incident response. Any core team member may act as Incident Lead.
32+
Contact details are known to all team members.
3933

40-
### 1.3 Annual Readiness Review
34+
### 1.3 Readiness Review
4135

42-
Once per year (suggested: at the January quarterly release), maintainers should:
36+
At each quarterly release, maintainers should:
4337

4438
1. Re-read this document and update any stale content (version table, contacts, tooling).
45-
2. Verify the GitHub private security advisory flow still works (open and close a test advisory).
46-
3. Confirm PyPI yank access is functional.
47-
4. Review Dependabot and CodeQL alert settings are enabled on the repository.
4839

4940
---
5041

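Review bot: The removed lines under §1.2 and §1.3 were the only concrete, checkable controls in this section, and the replacement text does not preserve them: the requirement that at least two maintainers hold admin on the GitHub repository, the PyPI Pillow project and the Tidelift portal (the bus-factor guarantee for opening advisories and yanking releases), the instruction to rotate and audit PyPI API tokens and GitHub Actions secrets at least yearly and immediately after a maintainer leaves, and the quarterly steps that actually exercise the private advisory flow, confirm PyPI yank access works and check that Dependabot and CodeQL alerts are enabled. "The four members of the Pillow core team are in regular contact" and "Contact details are known to all team members" describe a current state rather than a control that can be verified at the next review, so a lost token or a maintainer who has left with sole PyPI admin would only be discovered during an incident. Suggest keeping at least `2. Verify the GitHub private security advisory flow still works` and `3. Confirm PyPI yank access is functional` in the quarterly list, and moving the credential-rotation bullet to wherever release tooling is documented rather than dropping it.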
@@ -381,7 +372,7 @@ When a CVE is published for a bundled C library:
381372
This document is a living record. It should be kept current so it is useful when an
382373
incident actually occurs.
383374

384-
- **Annual review** — revisit during the §1.3 readiness review each January.
375+
- **Quarterly review** — revisit during the §1.3 readiness review at each quarterly release.
385376
- **Post-incident update** — if the response process revealed gaps or needed improvisation,
386377
update this document before the post-incident review is closed (§9).
387378
- **Ownership** — changes are approved by the Core Team and recorded in Git history.
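Review bot: The cadence wording here now matches the renamed §1.3 heading, but this hunk and the one above are the only places the diff touches; since the old text tied the review to "the January quarterly release", check that no other line in the document (version table notes, release checklist references) still says "annual" or "January" so the living-record section and §1.3 stay consistent.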
