Please report security vulnerabilities by opening a GitHub Security Advisory. Do not file a public issue.
The maintainer aims to acknowledge reports within five business days.

Only the latest minor release receives security updates. Pin to a specific patch version in CI and update via Dependabot.

The release pipeline lives in
`docs/development/release.md`.
It is the single source of truth. It covers the
workflow structure, the OIDC trusted publishers,
the release environment that gates publishing
jobs, and the supply-chain hardening features baked
into the pipeline. Each publishing channel has its
own file under
`docs/development/release-channels/`.
The release-pipeline doc enumerates them via a
`<?catalog?>` directive.

Cosign, `gh attestation verify`, and `sha256sum -c`
commands live in the
installation guide.
Every step resolves through the workflow's GitHub
OIDC identity. A forged binary or rewritten
checksums file fails verification unless the
attacker also controls `release.yml` on this
repository.

Point-in-time security reviews live in
`docs/security/`. Each review is a
directory named `YYYY-MM-DD-<slug>/`. It holds a
`report.md` next to its machine-readable companions:
`findings.json`, `findings.sarif`, and
`inline-annotations.json`. The report records the
scope, the method, the findings, and the follow-up.
The `security-audit-sarif` workflow uploads
every audit from the most recent review date to GitHub
code scanning. The findings then appear in the
Security tab, beside CodeQL and zizmor.

| Date | Review | Scope |
|---|---|---|
| 2026-06-12 | mdsmith security audit — 2026-06-12 | full repo — all seven threat-model surfaces |
| 2026-06-12 | Git integration and LSP server audit | Git integration and LSP server |
| 2026-06-09 | mdsmith security audit — 2026-06-09 | full repo — all surfaces |
| 2026-05-12 | Supply-Chain Hardening — mini-shai-hulud / TanStack Class | npm, PyPI, VS Code Marketplace, and Open VSX publishing surface; GitHub Actions CI/CD; lockfile and lifecycle-script handling. |
| 2026-04-05 | Adversarial Markdown Input | Adversarial markdown input causing unintended side effects on the host machine |
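
The review layout described above can be checked mechanically before anything is uploaded. The following is an added example, not the project's `security-audit-sarif` workflow: it picks every review directory on the newest date (there can be more than one, as on 2026-06-12) and refuses to proceed if a required file is missing. The function names are hypothetical; the directory pattern and file names are the ones listed above.

```python
import re
from pathlib import Path

# Layout taken from the text above: docs/security/YYYY-MM-DD-<slug>/ holding
# report.md plus three machine-readable companions.
REQUIRED = ("report.md", "findings.json", "findings.sarif", "inline-annotations.json")
REVIEW_DIR = re.compile(r"^(\d{4}-\d{2}-\d{2})-(.+)$")


def latest_reviews(root):
    """Return (date, [review dirs]) for the most recent review date under root."""
    by_date = {}
    for entry in Path(root).iterdir():
        m = REVIEW_DIR.match(entry.name)
        if entry.is_dir() and m:
            by_date.setdefault(m.group(1), []).append(entry)
    if not by_date:
        return None, []
    newest = max(by_date)  # ISO 8601 dates sort correctly as plain strings
    return newest, sorted(by_date[newest])


def missing_files(review_dir):
    """List the required files that are absent from one review directory."""
    return [name for name in REQUIRED if not (Path(review_dir) / name).is_file()]


def sarif_to_upload(root):
    """Collect findings.sarif for every review on the newest date.

    Raises ValueError if any of those reviews is incomplete, so a partial
    audit is never published silently.
    """
    date, reviews = latest_reviews(root)
    problems = {r.name: missing_files(r) for r in reviews if missing_files(r)}
    if problems:
        raise ValueError(f"incomplete reviews on {date}: {problems}")
    return [r / "findings.sarif" for r in reviews]


if __name__ == "__main__":
    # Hypothetical invocation from the repository root.
    for path in sarif_to_upload("docs/security"):
        print(path)
```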