We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0.0 | ❌ |

We take security vulnerabilities seriously. If you discover a vulnerability, please follow these steps:
- Do NOT create a public GitHub issue for security vulnerabilities
- Email the maintainers at [security contact] with details
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact assessment
  - Any suggested fixes or mitigations
- Initial Response: Within 48 hours of report
- Assessment: Within 7 days of report
- Fix Development: Timeline depends on severity and complexity
- Public Disclosure: After fix is available and deployed

Since gh-deployer manages application deployments, security is critical:
- GitHub Token Security: Store tokens securely; supply them through environment variables
- File System Access: The deployer requires write access to deployment directories
- Network Access: The deployer makes HTTPS requests to the GitHub API
- Process Execution: The deployer executes post-deployment scripts
- Symlink Management: Atomic symlink operations prevent race conditions

When deploying gh-deployer:
- Run with minimal privileges - use a dedicated deployer user account
- Secure configuration files - protect config.yaml with appropriate permissions
- Monitor logs - watch for unusual deployment patterns or failures
- Validate releases - verify the authenticity of GitHub releases
- Network security - use HTTPS for all API communication
- Regular updates - keep gh-deployer updated with the latest security patches
- Post-deploy scripts run with the deployer user's privileges
- Deployment directories must be writable by the deployer user
- GitHub API access requires a valid authentication token
- Symlink race conditions are prevented by atomic operations
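
Three of the points above (the token coming from the environment rather than a file, a config.yaml that only the deployer user can read, and switching the `current` symlink atomically so there is no moment in which it is missing) as an added Python example. This is not gh-deployer's own code: the `GH_TOKEN` variable name and the `releases/<tag>` plus `current` directory layout are assumptions made here for illustration.

```python
"""Added example, not gh-deployer's code. Assumed layout: <root>/releases/<tag>
holds unpacked releases and <root>/current is a symlink to the live one.
Assumed token variable: GH_TOKEN."""
import os
import stat
import tempfile


def load_token(env_var="GH_TOKEN"):
    """Read the GitHub token from the environment, never from config.yaml."""
    token = os.environ.get(env_var, "")
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to call the GitHub API")
    return token


def config_is_private(path):
    """True when the config file grants no access to group or others (0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def atomic_switch(link_path, target):
    """Point link_path at target without a window in which the link is absent.

    The naive sequence unlink(link) followed by symlink(target, link) leaves a
    gap where anything resolving 'current' finds nothing. Creating the new link
    under a temporary name and rename(2)-ing it over the old one is one atomic
    step; rename replaces the symlink itself, it does not follow it.
    """
    if os.path.exists(link_path) and not os.path.islink(link_path):
        raise RuntimeError(f"{link_path} is a real directory, not a symlink; refusing to overwrite")
    tmp = f"{link_path}.new.{os.getpid()}"
    if os.path.lexists(tmp):
        os.unlink(tmp)          # stale temp link left by a crashed earlier run
    os.symlink(target, tmp)
    os.replace(tmp, link_path)  # rename(2): the swap is atomic
    return os.readlink(link_path)


def demo():
    """Build a throwaway deployment tree and exercise the checks; returns the results."""
    root = tempfile.mkdtemp(prefix="deployer-demo-")
    releases = os.path.join(root, "releases")
    for tag in ("v1.0.0", "v1.1.0"):
        os.makedirs(os.path.join(releases, tag))
    current = os.path.join(root, "current")

    results = {}
    results["first"] = atomic_switch(current, os.path.join(releases, "v1.0.0"))
    results["second"] = atomic_switch(current, os.path.join(releases, "v1.1.0"))
    results["still_a_link"] = os.path.islink(current)
    results["tmp_left_behind"] = any(n.startswith("current.new.") for n in os.listdir(root))

    cfg = os.path.join(root, "config.yaml")
    with open(cfg, "w") as f:
        f.write("deploy_dir: /srv/app\n")   # constructed sample config; no token inside
    os.chmod(cfg, 0o644)
    results["world_readable_ok"] = config_is_private(cfg)   # expected False
    os.chmod(cfg, 0o600)
    results["owner_only_ok"] = config_is_private(cfg)       # expected True

    os.environ.pop("GH_TOKEN", None)
    try:
        load_token()
        results["missing_token_rejected"] = False
    except RuntimeError:
        results["missing_token_rejected"] = True
    os.environ["GH_TOKEN"] = "ghp_EXAMPLE_PLACEHOLDER"  # constructed placeholder, not a real token
    results["token_loaded"] = load_token().startswith("ghp_")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The permission check is a gate to run before reading config.yaml: a 0644 file is rejected, a 0600 file passes. The symlink swap is the same `ln` plus `mv` pattern shell deploy scripts use, written with `os.replace` so the rename(2) semantics are explicit.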

We appreciate responsible disclosure of security vulnerabilities and will acknowledge security researchers who help improve the security of gh-deployer.