Security: EvotecIT/IntelligenceX

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security issue, please do not open a public issue first.

Use GitHub's private vulnerability reporting for this repository:

  1. Go to the Security tab.
  2. Choose Report a vulnerability.
  3. Provide reproduction steps, impact, and any suggested remediation.

If private reporting is unavailable in your fork or context, contact the maintainers and avoid posting exploit details publicly.

Scope

Security reports are especially helpful for:

  • Token and secret handling
  • GitHub Actions workflow trust boundaries
  • PR/fork permission model
  • Supply-chain risks (actions, dependencies, release artifacts)

Disclosure Process

  • We will acknowledge reports as quickly as possible.
  • We will validate and triage severity.
  • Fixes will be prepared and released responsibly.
  • Public disclosure should happen after a fix is available.

There aren’t any published security advisories