Skip to content

[Maintenance] docs(security): add Release path & compromise scope appendix to SECURITY.md #183

Description

@Chris-Wolfgang

Scope

Land the "Release path & compromise scope" appendix in this repo's SECURITY.md. Approximately 10 lines appended after the existing "Reporting a Vulnerability" / "Response Timeline" / "Thank You" sections. Canonical shape from Etl-DbClient PR #240.

Generic incident-response steps (rotate credentials, revoke OAuth apps, unlist vs delete NuGet packages, security advisories) are not duplicated per repo — GitHub and NuGet publish authoritative docs for those that update faster than a checked-in runbook. This appendix only carries the load-bearing per-repo facts.

Content template

Text to append to SECURITY.md, with the placeholders filled in for this repo:

## Release path & compromise scope

Facts a maintainer would need at 2am if the release identity is compromised. Generic incident-response steps (rotating credentials, revoking OAuth apps, publishing advisories, unlisting NuGet packages) are not duplicated here — GitHub's and NuGet's own docs update faster than a checked-in runbook.

- **Release path**: OIDC / NuGet Trusted Publishing via `NuGet/login@v1` in `.github/workflows/release.yaml`. The workflow mints an ephemeral push token per run via OIDC — the release path does not depend on a long-lived API key stored in GitHub secrets or on the NuGet account. During an incident, check the NuGet account for any long-lived API keys anyway (they can be created outside of CI) and delete anything you don't recognize.
- **Fallback**: none. If Trusted Publishing is compromised, the incident is at the GitHub-account level (the OIDC identity is `Chris-Wolfgang/ICollection-Extensions`).
- **Owner**: @Chris-Wolfgang.
- **Downstream consumers**: [fill in — known Wolfgang.* dependents; note that unknown external consumers may exist on nuget.org].
- **Package coordinates for unlisting**: [fill in — `<PackageId>` on nuget.org — https://www.nuget.org/packages/<PackageId>/. Some repos ship multiple packages; list each].

Prerequisites

This repo currently publishes via secrets.NUGET_API_KEY. Blocked by #207 — the "Release path" bullet needs to name OIDC/Trusted Publishing for the fleet to be consistent. Land the OIDC migration first, then this appendix.

Acceptance criteria

  • SECURITY.md on main contains the "Release path & compromise scope" section.
  • All 5 bullets are filled in with this repo's specific values (no [fill in] placeholders left).
  • Bullet text matches the canonical structure from Etl-DbClient #240 (no full-runbook expansions).

Notes

  • Docs-only change; no version bump required.
  • NOT docs/DISASTER-RECOVERY.md — that scope was closed as superseded by the OIDC decision. This issue's original acceptance criteria (a full runbook) no longer apply; the appendix pattern is what stays.
  • Fleet-wide standardization tracked across 26 DR issues; canonical shape lives in Etl-DbClient's main once its vNext merges.
  • Board: https://github.com/users/Chris-Wolfgang/projects/6

Metadata

Metadata

Assignees

No one assigned

    Labels

    maintenance - CI/CDMaintenance: Docker, CI workflow, build/publish pipelinemaintenance-taskA Maintenance sub-issue — actionable improvement workthorough-reviewDeferred deep-review tier — work on canonical Tier-1 issues first

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions