| Version | Supported |
|---|---|
| 2.1.x | Yes |
| 2.0.x | Yes |
| < 2.0 | No |
Security fixes are released as patch versions on the latest minor release line.
Please report security issues privately through GitHub Security Advisories.
Do not open public issues for suspected token handling, GitHub App permission, workflow, or comment injection vulnerabilities.
Include:
- Affected version or tag
- Steps to reproduce
- Expected vs actual behavior
- Impact assessment if known
| Permission | Access |
|---|---|
| Contents | Read |
| Pull requests | Read & write |
| Issues | Read & write |
```yaml
permissions:
  contents: read
  pull-requests: write
  issues: write
```

Grant only what ContextLevy needs. It reads PR diffs and writes PR comments; it does not need `contents: write`.
Pull requests from forks usually receive a read-only `GITHUB_TOKEN`. ContextLevy still analyzes the diff and writes a job summary, but comment creation may fail with `Resource not accessible by integration`. The workflow still succeeds unless you enable fail mode.
For fork PRs, install the ContextLevy GitHub App when your organization policy allows it.
- Pin the action to a major tag (`@v2`) or, for high-security environments, to a full commit SHA, which cannot be retargeted the way a tag can.
- Release artifacts are built in CI from tagged commits; see `.github/workflows/release.yml`.
- Report supply-chain concerns through Security Advisories.