From 152d7a966ff9d1d9cd7b5e8e913471da488ebe7f Mon Sep 17 00:00:00 2001 From: LukeLarge <162439255+LukeLarge@users.noreply.github.com> Date: Fri, 16 May 2025 01:00:53 -0500 Subject: [PATCH 1/9] Create go-ossf-slsa3-publish.yml --- .github/workflows/go-ossf-slsa3-publish.yml | 38 +++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/go-ossf-slsa3-publish.yml diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml new file mode 100644 index 0000000..79ea193 --- /dev/null +++ b/.github/workflows/go-ossf-slsa3-publish.yml 
@@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + # ======================================================================================================================================== + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file + #========================================================================================================================================= + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0 + with: + go-version: 1.17 + # ============================================================================================================= + # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects + # ============================================================================================================= + 
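Review bot: the `build` job calls `builder_go_slsa3.yml@v1.4.0` with `go-version: 1.17`, but the `.slsa-goreleaser.yml` that the comment block in this hunk names as a prerequisite is not part of this patch series, so the first `release: created` or `workflow_dispatch` run will fail until that file is committed; add it in the same change, or at least point to it from the README. Two smaller points in the same hunk: quote the Go version (`go-version: '1.17'`) so YAML always reads it as a string, and fix the comment typo `Prerequesite` to `Prerequisite`. The top-level `permissions: read-all` with the job-scoped `id-token: write` / `contents: write` / `actions: read` is the right least-privilege shape for this builder.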
From 71abcb311f6629339124ca92f4b4c9930197eca7 Mon Sep 17 00:00:00 2001 From: LukeLarge <162439255+LukeLarge@users.noreply.github.com> Date: Fri, 16 May 2025 01:01:31 -0500 Subject: [PATCH 2/9] Create go.yml --- .github/workflows/go.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/go.yml diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml new file mode 100644 index 0000000..0b443f3 --- /dev/null +++ b/.github/workflows/go.yml @@ -0,0 +1,28 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go + +name: Go + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: '1.20' + + - name: Build + run: go build -v ./... + + - name: Test + run: go test -v ./... From e18ce94f1ae3ce00f7c39b06e5bcce68a89064df Mon Sep 17 00:00:00 2001 From: Lawrence Lucas Large <162439255+LukeLarge@users.noreply.github.com> Date: Tue, 9 Dec 2025 19:05:46 -0600 Subject: [PATCH 3/9] Create SECURITY.md for security policy Added a security policy document outlining supported versions and vulnerability reporting. --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..034e848 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From fe6a2fef3dc9f04b62c08cbf94af206edbea1445 Mon Sep 17 00:00:00 2001 From: Lawrence Lucas Large <162439255+LukeLarge@users.noreply.github.com> Date: Tue, 9 Dec 2025 19:08:46 -0600 Subject: [PATCH 4/9] Update SECURITY.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- SECURITY.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 034e848..5d1504e 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,8 +14,8 @@ currently being supported with security updates. ## Reporting a Vulnerability -Use this section to tell people how to report a vulnerability. +To report a security vulnerability, please email our security team at [security@example.com](mailto:security@example.com) with details of the issue. -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc. +We aim to acknowledge your report within 3 business days and provide a more detailed response within 7 business days. + +After receiving your report, we will investigate the issue and keep you informed of our progress. If the vulnerability is confirmed, we will work to release a fix as soon as possible and credit you in the release notes if you wish. From 9384e71b98a984660b724bb34592d907c4a71606 Mon Sep 17 00:00:00 2001 
From: Lawrence Lucas Large <162439255+LukeLarge@users.noreply.github.com> Date: Tue, 9 Dec 2025 19:10:39 -0600 Subject: [PATCH 5/9] Update SECURITY.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- SECURITY.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5d1504e..647de76 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,8 +2,6 @@ ## Supported Versions -Use this section to tell people about which versions of your project are -currently being supported with security updates. | Version | Supported | | ------- | ------------------ | From fdbffd55509eaeb6fdc18e86c0b8cf32c39b8a4b Mon Sep 17 00:00:00 2001 From: Lawrence Lucas Large <162439255+LukeLarge@users.noreply.github.com> Date: Tue, 9 Dec 2025 19:10:49 -0600 Subject: [PATCH 6/9] Update SECURITY.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 647de76..69fbdc8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,7 +12,7 @@ ## Reporting a Vulnerability -To report a security vulnerability, please email our security team at [security@example.com](mailto:security@example.com) with details of the issue. +To report a security vulnerability, please email our security team at [security@yourdomain.com](mailto:security@yourdomain.com) with details of the issue. We aim to acknowledge your report within 3 business days and provide a more detailed response within 7 business days. From bafe2a7eb5fab57f3a9fbd130a2a336dfcf550e4 Mon Sep 17 00:00:00 2001 
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Sun, 14 Dec 2025 11:15:51 -0600 Subject: [PATCH 7/9] Remove placeholder text from SECURITY.md Supported Versions section (#4) * Initial plan * Remove placeholder text from SECURITY.md and update with project-specific content Co-authored-by: LukeLarge <162439255+LukeLarge@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: LukeLarge <162439255+LukeLarge@users.noreply.github.com> --- SECURITY.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 69fbdc8..73463cd 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,13 +2,11 @@ ## Supported Versions +We recommend always using the latest version of tonapi-go from the main branch. Security updates will be applied to the main branch. | Version | Supported | | ------- | ------------------ | -| 5.1.x | :white_check_mark: | -| 5.0.x | :x: | -| 4.0.x | :white_check_mark: | -| < 4.0 | :x: | +| latest | :white_check_mark: | ## Reporting a Vulnerability From b840571b3ca4ecf725a8279241d3a206c953e120 Mon Sep 17 00:00:00 2001 From: Lawrence Lucas Large <162439255+LukeLarge@users.noreply.github.com> Date: Sun, 14 Dec 2025 12:31:21 -0600 Subject: [PATCH 8/9] Update .github/workflows/go-ossf-slsa3-publish.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/go-ossf-slsa3-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml index 79ea193..77a3941 100644 --- a/.github/workflows/go-ossf-slsa3-publish.yml +++ b/.github/workflows/go-ossf-slsa3-publish.yml 
@@ -31,7 +31,7 @@ jobs: actions: read # To read workflow path. uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0 with: - go-version: 1.17 + go-version: 1.20 # ============================================================================================================= # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects # ============================================================================================================= From 1c0650eef622ecdb8b10eeaaadec6dfb14bb13c0 Mon Sep 17 00:00:00 2001 From: Lawrence Lucas Large <162439255+LukeLarge@users.noreply.github.com> Date: Sun, 14 Dec 2025 12:31:50 -0600 Subject: [PATCH 9/9] Update SECURITY.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 73463cd..17ebe1f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,7 +10,7 @@ We recommend always using the latest version of tonapi-go from the main branch. ## Reporting a Vulnerability -To report a security vulnerability, please email our security team at [security@yourdomain.com](mailto:security@yourdomain.com) with details of the issue. +To report a security vulnerability, please email our security team at [security@tonapi.io](mailto:security@tonapi.io) with details of the issue. We aim to acknowledge your report within 3 business days and provide a more detailed response within 7 business days.
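Review bot: the `build` job in `.github/workflows/go.yml` (patch 2/9) declares no `permissions:` block, so the `GITHUB_TOKEN` it receives falls back to the repository default, which may be read/write; the job only checks out the tree and runs `go build -v ./...` and `go test -v ./...`, so add `permissions: contents: read` at the top of the workflow, as the SLSA workflow in patch 1/9 already does with `permissions: read-all`. This matters because the `pull_request` trigger runs the job for contributor branches. Consider also pinning `actions/checkout@v4` and `actions/setup-go@v4` to full commit SHAs rather than mutable tags.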
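Review bot: in the Supported Versions hunk of SECURITY.md (patch 7/9), the added sentence `+We recommend always using the latest version of tonapi-go from the main branch. Security updates will be applied to the main branch.` is immediately followed by the `| Version | Supported |` header row with no blank line between them; Markdown renderers do not handle a table that starts on the line after paragraph text consistently, so insert an empty line before the table. With the single remaining row `| latest | :white_check_mark: |` the table also only repeats the sentence; either drop it or keep it and say what `latest` means here (the tip of `main`, or the most recent tagged release), since a reporter needs that to know whether a finding in an older tag is in scope.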
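Review bot: `+ go-version: 1.20` in the go-ossf-slsa3-publish.yml hunk (patch 8/9) is an unquoted YAML scalar and is parsed as the float 1.2, not the string `1.20`, so the builder is asked for Go 1.2; write it as `go-version: '1.20'`, which is exactly how go.yml in patch 2/9 already spells it. The builder reference `builder_go_slsa3.yml@v1.4.0` in the unchanged context lines was not bumped alongside the Go version; confirm that this builder release supports the toolchain you are requesting before relying on the provenance it emits.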
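Review bot: in the Reporting a Vulnerability hunk (patch 9/9), `security@tonapi.io` replaces the last placeholder address, which closes the gap left by patches 4/9 and 6/9, but the policy now has a single plain-email channel with no way for a reporter to encrypt the report; add a PGP key (or a link to one) next to the address, or name GitHub's private vulnerability reporting for this repository as an alternative channel. The acknowledgement targets (3 and 7 business days) are good to have; state the disclosure timeline too, so reporters know when they may publish if no fix is released.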