This repository is small and maintained on the default branch. Security fixes are applied there first.

Do not open a public issue for credential leaks, auth bypasses, or other sensitive security problems.
Instead:
- Use GitHub security advisories if enabled for the repository.
- If advisories are unavailable, contact the maintainer privately before disclosure.

When reporting, include:
- affected file or workflow
- reproduction steps
- impact assessment
- proposed mitigation if available

This repository must never contain:
- OAuth client secrets
- refresh tokens
- access tokens
- service account keys
- private Workspace resource identifiers that are not already public