lightshell-dev
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 8 additions & 5 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/govulncheck.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/govulncheck.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 11 additions & 11 deletions b/‎.github/workflows/release.yml‎
Lines changed: 11 additions & 11 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/scorecard.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 38 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 38 additions & 0 deletions
@@ -2,13 +2,16 @@ name: CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   test-macos:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: '1.23'
 
@@ -32,17 +35,17 @@ jobs:
 
       - name: Upload coverage
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: coverage-macos
           path: coverage.out
 
   test-linux:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: '1.23'
 
 
@@ -21,9 +21,9 @@ jobs:
       matrix:
         language: ['go', 'javascript']
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         if: matrix.language == 'go'
         with:
           go-version: '1.23'
@@ -32,10 +32,10 @@ jobs:
         if: matrix.language == 'go'
         run: sudo apt-get update && sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev
 
-      - uses: github/codeql-action/init@v3
+      - uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
         with:
           languages: ${{ matrix.language }}
 
-      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
 
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
@@ -18,9 +18,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
 
@@ -43,7 +43,7 @@ jobs:
           cp -r docs/dist/* _site/docs/ 2>/dev/null || mkdir -p _site/docs && cp -r docs/dist/* _site/docs/
 
       - name: Upload Pages artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: _site
 
@@ -56,4 +56,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
@@ -16,9 +16,9 @@ jobs:
     name: Go Vulnerability Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: '1.23'
 
 
@@ -12,8 +12,8 @@ jobs:
   test:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: '1.23'
       - name: Test with coverage
@@ -58,9 +58,9 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: '1.23'
 
@@ -91,7 +91,7 @@ jobs:
           go build -ldflags="-s -w" -o ${{ matrix.artifact }} ./cmd/lightshell
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: ${{ matrix.artifact }}
           path: ${{ matrix.artifact }}
@@ -101,10 +101,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: artifacts
 
@@ -119,7 +119,7 @@ jobs:
           done
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           generate_release_notes: true
           files: release/*.tar.gz
@@ -129,15 +129,15 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: artifacts
 
 
@@ -19,22 +19,22 @@ jobs:
       contents: read
       actions: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@v2.4.0
+      - uses: ossf/scorecard-action@05b42c624433fc40578a4c7a362e21f42750e7eb # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
         with:
           sarif_file: results.sarif
@@ -31,3 +31,4 @@ claude.md
 CLAUDE.md
 private.pem
 public.pem
+build/
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | Yes                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in LightShell, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, please send an email to **security@lightshell.dev** with:
+
+1. A description of the vulnerability
+2. Steps to reproduce the issue
+3. The potential impact
+4. Any suggested fixes (optional)
+
+### What to expect
+
+- **Acknowledgment**: We will acknowledge receipt of your report within 48 hours.
+- **Assessment**: We will assess the vulnerability and determine its severity within 5 business days.
+- **Fix timeline**: Critical vulnerabilities will be patched within 7 days. Other issues will be addressed in the next scheduled release.
+- **Disclosure**: We will coordinate with you on public disclosure timing. We ask that you allow us a reasonable window to release a fix before any public disclosure.
+
+## Security Practices
+
+- All GitHub Actions workflows use pinned SHA references to prevent supply-chain attacks.
+- Dependencies are regularly audited with `govulncheck` and GitHub's Dependabot.
+- CodeQL static analysis runs on every push and pull request.
+- The OpenSSF Scorecard is monitored to maintain supply-chain security best practices.
+
+## Scope
+
+This security policy applies to the LightShell project repository and its official npm packages (`lightshell`, `create-lightshell`, and `@lightshell/*` platform packages).