Manage repository meta documents consistently

.github/actions/spelling/expect.txt

@@ -116,6 +116,7 @@ cruft
 css
 csv
 Currin
+CVE
 CWD
 cygwin
 daringfireball

README.markdown

@@ -45,7 +45,7 @@ If you don't find the answer to your problem in our [docs](https://jekyllrb.com/
 ## Code of Conduct
 
 In order to have a more open and welcoming community, Jekyll adheres to a
-[code of conduct](CODE_OF_CONDUCT.markdown) adapted from the Ruby on Rails code of
+[code of conduct](https://jekyllrb.com/docs/conduct/) adapted from the Ruby on Rails code of
 conduct.
 
 Please adhere to this code of conduct in any interactions you have in the

docs/_docs/code_of_conduct.md

@@ -1,7 +1,7 @@
 ---
 title: Code of Conduct
 permalink: "/docs/code_of_conduct/"
-note: This file is autogenerated. Edit /CODE_OF_CONDUCT.markdown instead.
+note: This file is autogenerated. Edit /.github/CODE_OF_CONDUCT.markdown instead.
 redirect_from: "/conduct/index.html"
 editable: false
 ---

docs/_docs/community/community.md

@@ -10,6 +10,13 @@ As contributors and maintainers of this project, and in the interest of fosterin
 
 Read the full [code of conduct]({{ '/docs/conduct/' | relative_url }})
 
+## Reporting Security Vulnerabilities
+
+Find something in our codebase that could be exploited by malicious elements?
+
+Consult our [Security Policy]({{ '/docs/security/' | relative_url }}) to see if a product version is considered *outdated* and how to report
+the situation responsibly.
+
 ## Where to get support
 
 If you're looking for support for Jekyll, there are a lot of options:

docs/_docs/contributing.md

@@ -153,25 +153,6 @@ script/cucumber features/blah.feature
 Both `script/test` and `script/cucumber` can be run without arguments to
 run its entire respective suite.
 
-### Test Ruby Versions Locally
-
-The CI process runs the build against with several [Ruby](https://github.com/jekyll/jekyll/blob/master/.github/workflows/ci.yml#L22) versions.  This process can be repeated locally without changing your default installation by using [earthly](https://earthly.dev/get-earthly).
-
-To run the full CI process across all supported Ruby Versions:
-```sh
-earthly +all
-```
-
-To run the tests for a specific version of Ruby:
-```sh
-earthly --build-arg RUBY=2.5 +test
-```
-
-To run the tests for a specific version of JRuby specify the full version:
-```sh
-earthly --build-arg RUBY=jruby:9.2.14.0 +test
-```
-
 ## Visual Studio Code Development Container
 
 If you've got [Visual Studio Code](https://code.visualstudio.com/) with the [Remote Development Extension Pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack) installed then simply opening this repository in Visual Studio Code and following the prompts to "Re-open In A Development Container" will get you setup and ready to go with a fresh environment with all the requirements installed.

docs/_docs/security.md

@@ -0,0 +1,36 @@
+---
+title: Security Policy
+permalink: "/docs/security/"
+note: This file is autogenerated. Edit /.github/SECURITY.markdown instead.
+---
+
+## Supported Versions
+
+Security updates are applied to the latest MINOR version of Jekyll, and the version used by GitHub Pages, v3.9.x.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 4.2.x   | :white_check_mark: |
+| 3.9.x   | :white_check_mark: |
+| < 3.9.x | :x:                |
+
+## Reporting a Vulnerability
+
+Please report vulnerabilities by sending an email to security@jekyllrb.com with the following information:
+
+1. A description of the vulnerability
+2. Reproduction steps and/or a sample site (share a private repo to the [Jekyll Security Team](docs/pages/team.md))
+3. Your contact information
+
+The Jekyll security team will respond to your submission and notify you whether it has been confirmed by the team.
+Your confidentiality is kindly requested as we work on a fix. We will provide our patch to you to test and verify that the vulnerability has
+been closed.
+
+If you have created a patch and would like to submit that to us as well, we will happily consider it though we cannot guarantee that we will
+use it. If we use your patch, we will attribute authorship to you either as the commit author, or as a co-author.
+
+Once a fix is verified, we will release PATCH versions of the supported MINOR versions and assign a CVE to the vulnerability. You will receive
+credit in our release post.
+
+Once the patched version has been released, we will no longer request you to maintain confidentiality and you may choose to share details on
+how you found the vulnerability with the community.

docs/_docs/support.md

@@ -12,7 +12,7 @@ If you're looking for support for Jekyll, there are a lot of options:
 
 * Read [Jekyll Documentation](https://jekyllrb.com/docs/home/)
 * If you have a question about using Jekyll, start a discussion on [Jekyll Forum](https://talk.jekyllrb.com/) or [StackOverflow](https://stackoverflow.com/questions/tagged/jekyll)
-* Chat with Jekyllers — Join [our Gitter channel](https://gitter.im/jekyll/jekyll) or [our IRC channel on Freenode](irc://irc.freenode.net/jekyll)
+* Chat with Jekyllers — Join [our Gitter channel](https://gitter.im/jekyll/jekyll) or [our IRC channel on Freenode](irc:irc.freenode.net/jekyll)
 
 There are a bunch of helpful community members on these services that should be willing to point you in the right direction.
 

rake/site.rake

@@ -7,7 +7,7 @@
 #############################################################################
 
 namespace :site do
-  task :generated_pages => [:history, :latest_version, :conduct, :contributing, :support]
+  task :generated_pages => [:history, :latest_version, :conduct, :contributing, :security, :support]
 
   desc "Generate and view the site locally"
   task :preview => :generated_pages do
@@ -71,7 +71,7 @@ namespace :site do
       "redirect_from" => "/conduct/index.html",
       "editable"      => false,
     }
-    siteify_file("CODE_OF_CONDUCT.markdown", front_matter)
+    siteify_file(".github/CODE_OF_CONDUCT.markdown", front_matter)
   end
 
   desc "Copy the contributing file"
@@ -84,6 +84,11 @@ namespace :site do
     siteify_file(".github/SUPPORT.markdown", "title" => "Support")
   end
 
+  desc "Copy the security policy"
+  task :security do
+    siteify_file(".github/SECURITY.markdown", "title" => "Security Policy")
+  end
+
   desc "Write the latest Jekyll version"
   task :latest_version do
     next if version =~ %r!(beta|rc|alpha)!i