Harden GitHub workflow security

.github/workflows/release.yml

@@ -22,6 +22,9 @@ jobs:
     environment: release
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - name: Set up Ruby
         uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
         with:

.github/workflows/standard.yml

@@ -30,6 +30,8 @@ jobs:
     name: StandardRB - Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
         uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
         with:
@@ -38,3 +40,20 @@ jobs:
       - name: Run StandardRB (via Rubocop)
         run: |
           bundle exec rubocop --format offenses --format github
+
+  required:
+    name: StandardRB Required
+    if: ${{ always() }}
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check matrix result
+        env:
+          RESULT: ${{ needs.build.result }}
+        run: |
+          if [ "$RESULT" != "success" ]; then
+            echo "StandardRB matrix result: $RESULT"
+            exit 1
+          fi

.github/workflows/steep.yml

@@ -29,6 +29,8 @@ jobs:
     name: Steep - Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
         uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
         with:
@@ -40,3 +42,20 @@ jobs:
       - name: Verify Ruby Types (Runtime)
         run: |
           bundle exec rake rbs:spec
+
+  required:
+    name: Steep Required
+    if: ${{ always() }}
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check matrix result
+        env:
+          RESULT: ${{ needs.build.result }}
+        run: |
+          if [ "$RESULT" != "success" ]; then
+            echo "Steep matrix result: $RESULT"
+            exit 1
+          fi

.github/workflows/tests.yml

@@ -52,6 +52,8 @@ jobs:
     name: Specs - Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
         uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
         with:
@@ -62,3 +64,20 @@ jobs:
           ENABLE_CODE_COVERAGE: ${{ matrix.code-coverage || 'false' }}
         run: |
           bundle exec rspec --format documentation
+
+  required:
+    name: Tests Required
+    if: ${{ always() }}
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check matrix result
+        env:
+          RESULT: ${{ needs.test.result }}
+        run: |
+          if [ "$RESULT" != "success" ]; then
+            echo "Tests matrix result: $RESULT"
+            exit 1
+          fi

.github/workflows/yard-lint.yml

@@ -29,6 +29,8 @@ jobs:
     name: YARD-Lint - Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby ${{ matrix.ruby-version }} on Rails ${{ matrix.rails-version }}
         uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
         with:
@@ -37,3 +39,20 @@ jobs:
       - name: Run YARD-Lint
         run: |
           bundle exec yard-lint lib/
+
+  required:
+    name: YARD-Lint Required
+    if: ${{ always() }}
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check matrix result
+        env:
+          RESULT: ${{ needs.build.result }}
+        run: |
+          if [ "$RESULT" != "success" ]; then
+            echo "YARD-Lint matrix result: $RESULT"
+            exit 1
+          fi

SECURITY.md

@@ -0,0 +1,40 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are provided for the latest released version of `meta-tags`.
+
+Older releases may not receive security updates. If you are reporting a vulnerability, please confirm whether it affects the latest release.
+
+## Reporting a Vulnerability
+
+Please do not report security issues through public GitHub issues, discussions, or pull requests.
+
+Use GitHub's private vulnerability reporting feature in the repository's `Security` tab to report a vulnerability.
+
+If private reporting through GitHub is unavailable for any reason, send a report by email to `kpumuk@kpumuk.info` with `SECURITY` in the subject line.
+
+When possible, include:
+
+- a short description of the issue
+- the affected version, commit, or tag
+- any required environment or configuration details
+- step-by-step reproduction instructions
+- proof-of-concept code, logs, or screenshots
+- an explanation of the likely impact
+
+## Disclosure Policy
+
+Please allow a reasonable amount of time to investigate and prepare a fix before making the issue public.
+
+If the report is confirmed, the fix will be released as soon as practical. Public disclosure will generally happen through a GitHub security advisory and/or release notes after a fix is available.
+
+## Scope Notes
+
+`meta-tags` is a Ruby gem for Rails applications that renders HTML metadata such as titles, descriptions, canonical links, robots directives, and social tags.
+
+Some behavior may depend on the host Rails application, layouts, templates, framework version, gem version, or deployment/runtime configuration. If a report depends on a specific setup, include those details.
+
+## Response Expectations
+
+This is a single-maintainer project, so response times may vary. Good-faith reports are appreciated, and I will try to acknowledge valid reports as quickly as practical.