Merge pull request #23 from dyaskur/improve-security

Improve Security
dyaskur · Sep 5, 2023 · 605e3df · 605e3df
2 parents cf44c77 + 7bb737f
commit 605e3df
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 6 deletions.
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
@@ -8,15 +8,15 @@ on:
     branches: [ "master" ]
   pull_request:
     branches: [ "master" ]
-
+permissions: read-all
 jobs:
   build:
 
     runs-on: ubuntu-latest
 
     strategy:
       matrix:
-        node-version: [18.x, 19.x]
+        node-version: [18.x, 19.x, 20.x]
         # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
 
     steps:
@@ -31,6 +31,6 @@ jobs:
     - name: Run ESLint
       run: yarn eslint .
     - name: Coveralls
-      uses: coverallsapp/github-action@master
+      uses: coverallsapp/github-action@3b7078ee895f74fc267b7b267c88211df59fa816
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,7 +4,7 @@ on:
   push:
     tags:
       - "v*"
-permissions: write-all
+permissions: read-all
 jobs:
   tagged-release:
     name: "Tagged Release"
@@ -13,14 +13,14 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Archive Release
-        uses: thedoctor0/zip-release@0.7.1
+        uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464
         with:
           type: 'zip'
           filename: 'release.zip'
           exclusions: '*.git* /*node_modules/* /*tests/* *tests/* *.github*'
 
       - name: Upload Release
-        uses: ncipollo/release-action@v1.12.0
+        uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5
         with:
           artifacts: "release.zip"
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/security.md b/security.md
@@ -0,0 +1,36 @@
+<!-- BEGIN YASKUR SECURITY.MD V0.0.1 BLOCK -->
+
+## Security
+
+Yaskur.com takes the security of our software products and services seriously, which includes all source code repositories managed through my personal account and my GitHub organizations, which include [Dyaskur](https://github.com/dyaskur), [HalalSoft](https://github.com/halalsoft) and [0fat](https://github.com/0fat).
+
+If you believe you have found a security vulnerability in any Yaskur.com-owned repository, please report it to me as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via email to support@yaskur.com or at website contact form: https://absolute-poll.yaskur.com/contact-us
+
+I will try to response ASAP. If for some reason you do not, please follow up via email to ensure we received your original message. 
+
+To assist me in gaining a deeper understanding of the potential issue, please provide the following requested details to the best of your ability:
+
+ * The type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.).
+ * Complete paths to the source file(s) relevant to the manifestation of the issue.
+ * The location of the affected source code, including the tag, branch, commit, or direct URL. 
+ * Any specific configuration settings necessary to replicate the issue. 
+ * Step-by-step instructions for reproducing the issue. 
+ * If possible, include a proof-of-concept or exploit code. 
+ * Describe the potential impact of the issue, including how it could be exploited by an attacker.
+
+This information will significantly expedite my ability to evaluate your report.
+## Preferred Languages
+
+We prefer all communications to be in English or Bahasa Indonesia.
+
+## Policy
+
+I will adhere to global standard policy.
+
+<!-- END YASKUR SECURITY.MD BLOCK -->