Only the latest released version of semrel is actively supported. Security fixes are released as patch versions following Semantic Versioning.
Please do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities by sending a private security advisory via GitHub Security Advisories or by emailing security@nrk.no.
Include as much detail as possible:
- A description of the vulnerability and its impact
- Steps to reproduce or a minimal proof-of-concept
- Affected version(s)
- Any suggested mitigation
We will acknowledge your report within 3 business days and aim to release a fix within 14 days for critical issues.
In scope:
- The
semrelGo binary and its internal packages - The container image published to GHCR
- The GitHub Actions workflow definitions in this repository
- Supply-chain issues (compromised dependencies, unsigned images)
Out of scope:
- Vulnerabilities in third-party dependencies that have no available fix
- Social-engineering attacks against NRK employees
- Issues that require physical access to systems
We follow coordinated disclosure. Please allow us reasonable time to release a fix before any public disclosure. We will credit reporters in the release notes unless anonymity is requested.
Container images are signed with cosign keyless on every release. Verify an image signature:
cosign verify ghcr.io/nrkno/github-action-sematic-release:<tag> \
--certificate-identity-regexp="https://github.com/nrkno/github-action-sematic-release/.*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"