Commit graph

3 commits

Author SHA1 Message Date
kite
e1a6a404ba feat(ci): add Sigstore attestation for release artifacts
Add build provenance attestation to the release workflow using
actions/attest-build-provenance with OIDC keyless signing.
Document release signature verification in SECURITY.md.
2026-06-26 22:18:03 +08:00
kite
410cabf488 docs: add GOVERNANCE.md, CODE_OF_CONDUCT.md and clean up SECURITY.md
- Rewrite GOVERNANCE.md with expanded structure: goals, scope, project
  values, detailed roles, decision-making process, merge expectations,
  maintainer lifecycle, and continuity sections.
- Add CODE_OF_CONDUCT.md covering expected behavior, unacceptable
  behavior, scope, reporting, and enforcement.
- Remove fictitious email address from SECURITY.md, keeping only
  GitHub Private Vulnerability Reporting as the reporting channel.
2026-06-26 19:38:37 +08:00
kite
10a02c8508 docs: add SECURITY.md for OpenSSF Best Practices badge compliance
Add security policy covering vulnerability reporting channels
(GitHub Private Vulnerability Reporting + email), response timeline,
and scope definition to meet OpenSSF Best Practices Reporting criteria.
2026-06-22 16:17:58 +08:00