Private vulnerability reporting

sethmlarson · sethmlarson · commit 41a449e826be · 2022-12-11T14:46:08.000-06:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -23,15 +23,6 @@ jobs:
     steps:
     - name: "Checkout repository"
       uses: "actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846"
-      with:
-        fetch-depth: 0
-
-    - name: "Require signed git tag"
-      run: |
-        # Work-around for actions/checkout#882 replacing all tags with lightweight tags.
-        git fetch --tags --force origin
-        git show ${{ github.ref_name }}
-        git verify-tag ${{ github.ref_name }}
 
     - name: "Setup Python"
       uses: "actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,7 @@
 ### Added
 
 - Added instructions for configuring signed commits and tags automatically from git.
-- Added requirement that the triggering git tag be signed in the `publish` GitHub workflow.
+- Added security policy and instructions for configuring private vulnerability reporting.
 
 <a id='changelog-0.4.0'></a>
 ## 0.4.0 (2022-12-09)
diff --git a/README.md b/README.md
@@ -217,6 +217,13 @@ If you don't have 2FA enabled on PyPI already there's a section in the [PyPI Hel
 - Select "Add secret" in the environment secrets section
 - Add the PyPI API token value under `PYPI_TOKEN`
 
+### Private vulnerability reporting
+
+- Settings > Code security and analysis
+- Select "Enable" for "Private vulnerability reporting". This will allow
+  users to privately submit vulnerability reports directly to the repository.
+- Update the URL in the `SECURITY.md` file to the URL of your own repository.
+
 ## Verifying configurations
 
 ### Verifying reproducible builds
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+This is where you'd put your project's security policy. Be sure to
+enable "Private vulnerability reporting" on GitHub within the "Code security and analysis"
+section of repository settings and update the below URL to your repository's (owner/name) slug.
+
+## Supported Versions
+
+Use this section to inform users about which versions of your project are
+currently being supported with security updates.
+
+## Reporting a Vulnerability
+
+Vulnerabilities can be disclosed privately by [creating a new security advisory](https://github.com/sethmlarson/secure-python-package-template/security/advisories).
+Maintainers will follow up with a fix and coordinate a release within the security advisory.
