If you believe you have found a security issue in the runner itself, please report it privately to the maintainers before opening a public issue.

When reporting:
- describe the impact
- include the affected file paths
- include reproduction steps
- avoid posting live secrets, tokens, or webhook URLs

This project is an orchestration layer. Repo-specific validator commands, release policies, and external integrations may introduce additional risk that is outside the core runner.