Do not open a public issue for security vulnerabilities.
Report security issues privately by emailing the maintainers or using GitHub's private vulnerability reporting on the affected repository.
Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Any relevant file paths, line numbers, or workflow names
We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities within 30 days.
This policy covers all repositories in the skogai organization, with particular attention to:
- GitHub Actions workflows and reusable workflows
- Scripts that handle secrets or credentials (
scripts/) - Anything that interacts with organization-level secrets (
CLAUDE_CODE_OAUTH_TOKEN)
All Claude Code workflows in this org:
- Use
CLAUDE_CODE_OAUTH_TOKENas an organization-level secret (never hardcoded) - Scope permissions to the minimum required for each workflow
- Pin
actions/checkoutto a specific major version tag