From 7e0d7503f8b1e873f4281f4386d5eadea71549bf Mon Sep 17 00:00:00 2001 From: Takashi Masuda Date: Fri, 22 Nov 2024 15:36:13 +0900 Subject: [PATCH 1/2] Create /.well-known/security.txt --- public/.well-known/security.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 public/.well-known/security.txt diff --git a/public/.well-known/security.txt b/public/.well-known/security.txt new file mode 100644 index 00000000..06435a36 --- /dev/null +++ b/public/.well-known/security.txt @@ -0,0 +1,6 @@ +Contact: mailto:security@giselles.ai +Expires: 2024-12-31T23:59:59Z + +Preferred-Languages: en, ja +Policy: https://github.com/giselles-ai/giselle/security/policy +Canonical: https://studio.giselles.ai/.well-known/security.txt From 4c9f755b508963e34b0c031f1c2ff454b8b01808 Mon Sep 17 00:00:00 2001 From: Takashi Masuda Date: Fri, 22 Nov 2024 16:04:36 +0900 Subject: [PATCH 2/2] Create GitHub Actions workflow "Create an issue to remind updating of security.txt" --- .../workflows/create_issue_security_txt.yml | 27 +++++++++++++++++++ .../templates/create_issue_security_txt.md | 14 ++++++++++ 2 files changed, 41 insertions(+) create mode 100644 .github/workflows/create_issue_security_txt.yml create mode 100644 .github/workflows/templates/create_issue_security_txt.md diff --git a/.github/workflows/create_issue_security_txt.yml b/.github/workflows/create_issue_security_txt.yml new file mode 100644 index 00000000..7c3eac33 --- /dev/null +++ b/.github/workflows/create_issue_security_txt.yml @@ -0,0 +1,27 @@ +name: Create an issue to remind updating of security.txt + +on: + workflow_dispatch: + schedule: + - cron: "0 0 1 6,12 *" # Every year on 6/1 and 12/1 at 9:00am JST + +jobs: + get_date: + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + - name: Get this month + id: get_this_month + run: | + echo "this_month=$(date +%Y/%m)" >> "$GITHUB_OUTPUT" + outputs: + this_month: ${{ steps.get_this_month.outputs.this_month }} + create_issue: + needs: get_date + uses: route06/actions/.github/workflows/create_gh_issue.yml@v2 + permissions: + contents: read + issues: write + with: + title: "[Action Required] Update security.txt - ${{ needs.get_date.outputs.this_month }} Maintenance" + description_template_path: .github/workflows/templates/create_issue_security_txt.md diff --git a/.github/workflows/templates/create_issue_security_txt.md b/.github/workflows/templates/create_issue_security_txt.md new file mode 100644 index 00000000..851c6331 --- /dev/null +++ b/.github/workflows/templates/create_issue_security_txt.md @@ -0,0 +1,14 @@ +## Summary + +This issue reminds you to update your `security.txt` file to comply with the latest standards and maintain its relevance. + +🔗 [RFC 9116: A File Format to Aid in Security Vulnerability Disclosure](https://www.rfc-editor.org/rfc/rfc9116) + +> The "Expires" field indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used (as per Section 5.3). (snip) It is RECOMMENDED that the value of this field be less than a year into the future to avoid staleness. + +## What to do + +Please create a pull request to address the following tasks: + +* Update the `Expires` field in `security.txt` to a date less than a year in the future +* Review and update any other fields in the file to ensure they remain accurate and relevant