
Security: peacefulstudio/github-actions

SECURITY.md

Security Policy

Supported versions

github-actions follows Semantic Versioning. Security fixes are issued against the latest minor release and propagated forward through the moving major tag (v1 is re-pointed at the new patch release); older minor releases do not receive backports unless coordinated case-by-case with the maintainers. Consumers pinned to @v1 pick up fixes automatically; consumers pinned to a specific release tag (@v1.2.0) must bump to the new patch tag. Note that a git tag can be moved or deleted, so neither form is immutable in the way a full-length commit SHA is; if you pin to a SHA for that reason, you also need to update the SHA yourself to receive a security fix.

Version   Supported
1.2.x     yes
< 1.2     no (backports only by case-by-case agreement with the maintainers)
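A quick way to see which of these pinning styles a consumer workflow actually uses is to classify every `uses:` reference into moving major tag, release tag, commit SHA, or branch. The script below is an added example written for this page, not code from the github-actions project; the sample workflow, the step that references peacefulstudio/github-actions at the repository root, and the commit SHA are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for illustration (not from the project).
# The action path and the 40-hex SHA are assumptions, not real values.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: peacefulstudio/github-actions@v1
      - uses: peacefulstudio/github-actions@v1.2.0
      - uses: peacefulstudio/github-actions@dev
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

# Matches "uses: owner/repo[/path]@ref" with optional list dash and quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')          # full-length commit SHA
MAJOR_TAG_RE = re.compile(r'^v\d+$')            # moving major tag, e.g. v1
RELEASE_TAG_RE = re.compile(r'^v?\d+\.\d+\.\d+')  # release tag, e.g. v1.2.0


def classify_ref(uses: str) -> str:
    """Classify a single uses: reference by how its ref is pinned."""
    if uses.startswith('./') or uses.startswith('docker://'):
        return 'local-or-docker'   # not resolved through a git ref
    if '@' not in uses:
        return 'unpinned'          # no ref at all
    ref = uses.rsplit('@', 1)[1]
    if SHA_RE.match(ref):
        return 'commit-sha'        # immutable, but never auto-updates
    if MAJOR_TAG_RE.match(ref):
        return 'moving-major-tag'  # follows the maintainers' patch releases
    if RELEASE_TAG_RE.match(ref):
        return 'release-tag'       # stays on one release until bumped
    return 'branch'                # e.g. @dev: not reproducible


def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (uses, category) for every uses: line in a workflow file."""
    results = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            results.append((m.group(1), classify_ref(m.group(1))))
    return results


def needs_attention(text: str) -> List[str]:
    """References that are neither a tag nor a SHA and should be re-pinned."""
    return [uses for uses, cat in audit_workflow(text)
            if cat in ('branch', 'unpinned')]


if __name__ == '__main__':
    for uses, category in audit_workflow(SAMPLE_WORKFLOW):
        print(f'{category:18} {uses}')
    print('re-pin:', needs_attention(SAMPLE_WORKFLOW))
```

Run it over `.github/workflows/*.yml` in a consumer repo: anything reported as `branch` (such as `@dev`) or `unpinned` cannot be reproduced or tied to a supported version, while `release-tag` entries are the ones that need a manual bump when a patch is released.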

Reporting a vulnerability

Please do not open a public issue for security-sensitive bugs. Use either of these channels:

  • Email security@peaceful.studio. This is the always-available path and the simplest if you're not sure which to pick.
  • Or, if it's enabled on this repo, use GitHub's private vulnerability reporting (Repo → Security tab → Report a vulnerability). The button only appears once the maintainers have turned PVR on; if you don't see it, fall back to email.

If the report is sensitive enough that even email feels too open, say so in your first message and the maintainers will arrange an encrypted channel before you share details.

What to include

  • A clear description of the issue and its impact.
  • Steps to reproduce, or a minimal proof-of-concept.
  • The version, environment, and any relevant configuration (with secrets redacted).
  • Your preferred contact method and whether you want public credit in the advisory.

What to expect

  • Acknowledgement within 5 business days.
  • Initial assessment (severity, affected versions) within 10 business days.
  • Fix or mitigation plan communicated to the reporter before public disclosure.
  • Coordinated disclosure — we will agree a public-disclosure date with the reporter. Default embargo is 90 days from initial report unless a fix is released sooner.

Out of scope

  • Vulnerabilities in upstream dependencies — please report those upstream. We will pull in fixes as they become available.
  • Misconfiguration of a deployer's own environment (weak secrets, exposed endpoints, missing auth).
  • Reports from consumer repos that were running code from before a tag bump: pin to a release tag (e.g. @v1.2.0) rather than @dev so that runs are reproducible and map to a supported version.

Credit

We are happy to credit reporters in the public advisory and the changelog unless you prefer to remain anonymous.