
chore: slim SECURITY.md and move release-gate runbook to docs/#473

Merged: danieljohnmorris merged 2 commits into next from chore/security-md-cleanup on May 20, 2026

Conversation

@danieljohnmorris (Collaborator)

Summary

  • SECURITY.md was a 2.7 KB internal release-engineering runbook mixed with the one thing researchers actually need: a private report channel. Split them.
  • SECURITY.md is now 5 lines - GitHub private-reporting link only (no email per Dan's decision).
  • docs/release-secret-scan.md holds the full runbook: gitleaks gate, allowlist, local commands, incident procedure, why release-only.
  • .gitleaks.toml header gets a cross-link comment to the new runbook.
  • CONTRIBUTING.md gets a one-line link to the new runbook.

Action item before merge

Flip on Private Vulnerability Reporting in repo settings before merging:

Repo Settings -> Code security and analysis -> "Private vulnerability reporting" -> Enable

This adds a "Report a vulnerability" button to the Security tab that opens a private form - the canonical reporting channel referenced in the new SECURITY.md. The agent cannot enable this via CLI without admin token scope.

Notes

  • No doc-sync needed: no ilo language surface change (no builtins, CLI flags, or syntax). SPEC.md, ai.txt, skills, site builtins all untouched.
  • docs/ is gitignored as scratch space, so docs/release-secret-scan.md is force-tracked via git add -f. Consider adding !docs/release-secret-scan.md to .gitignore as a follow-up to make the exception explicit.

Test plan

  • GitHub Security tab shows the slim 5-line SECURITY.md after merge
  • "Report a vulnerability" button appears once Private Vulnerability Reporting is enabled
  • git grep -nP 'SECURITY\.md' returns no hits (nothing points to old runbook content)
  • docs/release-secret-scan.md renders correctly on GitHub

SECURITY.md was a 2.7 KB internal release-engineering runbook. The only
thing a security researcher landing on that file needs is a private report
channel. Everything else is ops detail.

Split:
- SECURITY.md: 5-line researcher-facing doc with GitHub private-reporting link
- docs/release-secret-scan.md: full runbook (gitleaks gate, allowlist, local
  commands, incident procedure, why release-only)
- .gitleaks.toml: add cross-link comment to new runbook
- CONTRIBUTING.md: one-line link to new runbook
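An added check, not code from PR #473 or the ilo repository, for the two git mechanics in the notes above: the `git add -f` of a file under the gitignored docs/ directory, and the proposed `!docs/release-secret-scan.md` negation. It builds throwaway repositories (assumes git and mktemp on PATH; `docs/scratch-notes.md` is a constructed stand-in for scratch content) and shows that the negation only takes effect when the directory rule is written `docs/*`, because git cannot re-include a file whose parent directory is excluded by `docs/`.

```shell
#!/bin/sh
# Added example, not code from PR #473 or the ilo repository. Builds throwaway
# repositories (assumes git and mktemp on PATH) to show two things from the PR
# notes: a force-added file stays tracked under a gitignored docs/ directory,
# and "!docs/release-secret-scan.md" re-includes the runbook only when the
# directory rule is "docs/*" (git cannot re-include a file whose parent
# directory is excluded by "docs/").
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1   # isolate from host config

# Create a scratch repo with the given .gitignore rules, the runbook and one
# constructed scratch file (docs/scratch-notes.md). Prints the repo path.
scratch_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    printf '%s\n' "$1" > "$repo/.gitignore"
    mkdir -p "$repo/docs"
    : > "$repo/docs/release-secret-scan.md"
    : > "$repo/docs/scratch-notes.md"
    echo "$repo"
}

# Print "ignored" or "not-ignored" for path $2 under the rules in $1.
# git check-ignore -q exits 0 when the path is ignored and 1 when it is not.
ignore_verdict() {
    repo=$(scratch_repo "$1")
    if git -C "$repo" check-ignore -q -- "$2"; then v=ignored; else v=not-ignored; fi
    rm -rf "$repo"
    echo "$v"
}

# Print "tracked" or "untracked" for the runbook after the force-add the PR
# describes; ls-files --error-unmatch exits non-zero for an untracked path.
force_track_verdict() {
    repo=$(scratch_repo 'docs/')
    git -C "$repo" add -f docs/release-secret-scan.md
    if git -C "$repo" ls-files --error-unmatch -- docs/release-secret-scan.md >/dev/null 2>&1
    then v=tracked; else v=untracked; fi
    rm -rf "$repo"
    echo "$v"
}

nl='
'
runbook=docs/release-secret-scan.md
echo "docs/ then negation:  $(ignore_verdict "docs/${nl}!${runbook}" "$runbook")"        # ignored
echo "docs/* then negation: $(ignore_verdict "docs/*${nl}!${runbook}" "$runbook")"       # not-ignored
echo "scratch under docs/*: $(ignore_verdict "docs/*${nl}!${runbook}" docs/scratch-notes.md)"  # ignored
echo "force-added runbook:  $(force_track_verdict)"                                       # tracked
```

Run `git check-ignore -v docs/release-secret-scan.md` in the real repository to see which rule decides the verdict there.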
danieljohnmorris force-pushed the chore/security-md-cleanup branch from 9fea529 to 2e161ba on May 20, 2026 16:03
codecov bot commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


danieljohnmorris merged commit 90580fd into next on May 20, 2026
5 checks passed
danieljohnmorris deleted the chore/security-md-cleanup branch on May 20, 2026 16:34