We support the latest major release tag (e.g. v1) and the most recent patch versions. Older tags may receive critical fixes only.
Please use GitHub Security Advisories ("Report a vulnerability" button in the repository) for confidential disclosure. Provide:
- Affected version/tag
- Description of the issue and potential impact
- Steps to reproduce (minimal example)
- Suggested fix (if available)
Do NOT open a public issue for sensitive security problems.
- Triage within 5 business days.
- Reproduce and assess severity.
- Patch and create a prerelease for validation if needed.
- Publish fixed tag and coordinated security advisory.
This action processes local repository files only. It does not make external network calls beyond the GitHub APIs used by the Actions runtime.
- Pin a major or exact version to avoid unexpected changes.
- Review generated sitemap output before deploying to production if you include experimental flags.
- Avoid including sensitive or private directories in public_dir.
If GitHub advisories are not available, open an issue with the prefix [SECURITY] requesting a private communication channel.