diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0dd51ad..c89e33a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,3 +1,5 @@ +# Dependabot version updates for fluid-pub/agent-core. +# Security alerts are configured separately in repository settings. version: 2 updates: - package-ecosystem: gomod @@ -6,6 +8,9 @@ updates: interval: weekly day: monday target-branch: develop + assignees: + - "fuse" + open-pull-requests-limit: 5 commit-message: prefix: chore(deps) labels: @@ -18,8 +23,15 @@ updates: interval: weekly day: monday target-branch: develop + assignees: + - "fuse" + open-pull-requests-limit: 5 commit-message: prefix: chore(deps) labels: - dependencies - github-actions + groups: + github-actions: + patterns: + - "*" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3accbf8..eb65f73 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,3 +1,4 @@ +# CodeQL analysis for Go (fluid-pub/agent-core). name: CodeQL on: diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ef4599..2d5540e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Downstream agents should note **agent-core** upgrades in their own changelogs. ### Security +- Repository security aligned with **probe-core**: `SECURITY.md`, Dependabot assignees and grouped GitHub Actions updates, private vulnerability reporting and push protection enabled on GitHub. - **execution**: validate `fluid_log_path` before `os.Stat` / `os.ReadFile` (CodeQL `go/path-injection`); only absolute paths under `/tmp/fluid/`. - **execution**: expand `safeFluidLogPath` test coverage (valid/invalid paths, prefix attacks, `startFileLogForwarder` rejection). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..c4a4872 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,27 @@ +# Security policy + +## Supported versions + +Security fixes are applied on the latest release line published from this repository (semver tags on `develop` / GitHub Releases). Older tags are not maintained unless stated in a release advisory. + +## Reporting a vulnerability + +**Do not** open a public GitHub issue for security vulnerabilities. + +Preferred channels: + +1. **Private vulnerability reporting** (when enabled): use **Security → Advisories → Report a vulnerability** on GitHub. +2. **GitHub Security Advisories** for this repository: [fluid-pub/agent-core security advisories](https://github.com/fluid-pub/agent-core/security/advisories). +3. If neither channel is available, contact the Fluid maintainers through your usual Fluid support or security contact path. + +Include enough detail to reproduce the issue (affected version, configuration, steps, impact). We aim to acknowledge reports within a few business days and will coordinate disclosure once a fix is available. + +## What to expect + +- Confirmed issues are tracked as security advisories or private reports until a fix is released. +- Credit is given to reporters when they agree, unless anonymity is requested. +- Dependabot and CodeQL may open pull requests for dependency or static-analysis findings; those are handled like other contributions via `develop`. + +## Scope + +This policy covers the **agent-core** Go library published from this repository and consumed as the `core/` submodule by public Fluid execution agents. It does not cover downstream agent images, operator deployments, or third-party services you integrate with agents.
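Review bot: in `.github/dependabot.yml`, second hunk (the `gomod` entry), routing every update to the single assignee `"fuse"` means Dependabot PRs wait whenever that one account is unavailable. Consider adding a second assignee or relying on CODEOWNERS for review routing. The same applies to the identical `assignees` block in the `github-actions` entry. `open-pull-requests-limit: 5` matches Dependabot's default for version updates, so it can be dropped, or kept with a short comment saying it is pinned on purpose.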
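Review bot: in `.github/dependabot.yml`, third hunk, the new `github-actions` group uses `patterns: - "*"` with no `update-types`, so a major bump of one action lands in the same pull request as routine minor and patch bumps, and one breaking update holds up the rest. Consider restricting this group with `update-types: ["minor", "patch"]` so that major versions arrive as individual PRs that can be reviewed against the workflow files they affect.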
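Review bot: the new Security bullet in `CHANGELOG.md` records "private vulnerability reporting and push protection enabled on GitHub", but those are repository settings that nothing in this patch sets or verifies, so the entry mixes file changes with state a reader cannot confirm from the commit. Suggest splitting the bullet: one item for what the patch adds (`SECURITY.md`, Dependabot assignees and grouping), and a separate item for the settings change, with a note on where that configuration is tracked.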
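Review bot: in the new `SECURITY.md`, the "Preferred channels" list leaves an outside reporter without a guaranteed route. Item 1 is hedged with "(when enabled)" although the CHANGELOG entry in this same patch says private vulnerability reporting is enabled, and item 3 points to "your usual Fluid support or security contact path" without naming an address. Drop the qualifier if the setting is on, and give item 3 a concrete contact that works for someone with no existing Fluid relationship. In "What to expect", "Dependabot and CodeQL may open pull requests" also needs rewording, since CodeQL reports findings as code scanning alerts rather than opening pull requests. "within a few business days" would be easier to hold to if it stated a number.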