diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml new file mode 100644 index 0000000..2c7cc9d --- /dev/null +++ b/.github/workflows/cla-check.yaml @@ -0,0 +1,14 @@ +name: CLA check + +on: + issue_comment: + types: [created] + pull_request_target: + types: [opened, closed, synchronize] + +jobs: + cla-workflow: + uses: pimcore/workflows-collection-public/.github/workflows/reusable-cla-check.yaml@v1.3.0 + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' + secrets: + CLA_ACTION_ACCESS_TOKEN: ${{ secrets.CLA_ACTION_ACCESS_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml new file mode 100644 index 0000000..553c3b5 --- /dev/null +++ b/.github/workflows/stale.yml @@ -0,0 +1,10 @@ +name: Handle stale issues + +on: + workflow_dispatch: + schedule: + - cron: '37 7 * * *' + +jobs: + call-stale-workflow: + uses: pimcore/workflows-collection-public/.github/workflows/stale.yml@v1.1.0 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..15268a0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,22 @@ +# Security Policy + +## Reporting a Vulnerability + +If you think that you have found a security issue, +don’t use the bug tracker and don’t publish it publicly. +Instead, all security issues must be reported via a private vulnerability report. + +Please follow the [instructions](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) to submit a private report. + + +## Resolving Process +Every submitted security issue is handled with top priority by following these steps: + +1. Confirm the vulnerability +2. Determine the severity +3. Contact reporter +4. Work on a patch +5. Get a CVE identification number (may be done by the reporter or a security service provider) +6. Patch reviewing +7. Tagging a new release for supported versions +8. Publish security announcement