Report suspected vulnerabilities privately via GitHub Security Advisories: https://github.com/NDDev-it-com/nddev-ci-workflows/security/advisories/new
Do not open public issues for security reports. You will receive an initial response as soon as reasonably possible.
- Always pin by full commit SHA, never by tag or branch:
uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/<name>.yml@<40-char-sha>. Tags are mutable; a full SHA is immutable. Dependabot can bump the pinned SHA. - Grant the calling job only the permissions the reusable declares it needs.
- Treat the private free tier (
enable_harden_runner: false,upload_sarif: false) as the correct choice for private repositories, where code scanning, native secret scanning, and harden-runner are paid features.
- Every third-party action is pinned to a full commit SHA with a version comment.
- Every workflow declares least-privilege
permissions,concurrency, and atimeout-minutes. ci.ymlruns static validators (scripts/validate_all.py),actionlint, andzizmor(regular persona, SARIF) against this repository's own workflows on every push and pull request;ci-gateaggregates them.mainis protected by a repository ruleset (.github/rulesets/branch-main.json): signed commits, required review + code-owner review, linear history, no force-push or deletion, and theci-gatestatus check. Release tags are protected by.github/rulesets/tag-semver.json.- Releases are tag-driven and immutable, and ship an SPDX SBOM, SHA256SUMS, a
build-provenance attestation, and an SBOM attestation (SLSA v1.0 Build L3,
built inside the reusable
release-supply-chain.yml). Verify withscripts/verify_attestations.sh.