Scope
Land the "Release path & compromise scope" appendix in this repo's SECURITY.md. Approximately 10 lines appended after the existing "Reporting a Vulnerability" / "Response Timeline" / "Thank You" sections. Canonical shape from Etl-DbClient PR #240.
Generic incident-response steps (rotate credentials, revoke OAuth apps, unlist vs delete NuGet packages, security advisories) are not duplicated per repo — GitHub and NuGet publish authoritative docs for those that update faster than a checked-in runbook. This appendix only carries the load-bearing per-repo facts.
Content template
Text to append to SECURITY.md, with the placeholders filled in for this repo:
## Release path & compromise scope
Facts a maintainer would need at 2am if the release identity is compromised. Generic incident-response steps (rotating credentials, revoking OAuth apps, publishing advisories, unlisting NuGet packages) are not duplicated here — GitHub's and NuGet's own docs update faster than a checked-in runbook.
- **Release path**: OIDC / NuGet Trusted Publishing via `NuGet/login@v1` in `.github/workflows/release.yaml`. The workflow mints an ephemeral push token per run via OIDC — the release path does not depend on a long-lived API key stored in GitHub secrets or on the NuGet account. During an incident, check the NuGet account for any long-lived API keys anyway (they can be created outside of CI) and delete anything you don't recognize.
- **Fallback**: none. If Trusted Publishing is compromised, the incident is at the GitHub-account level (the OIDC identity is `Chris-Wolfgang/ICollection-Extensions`).
- **Owner**: @Chris-Wolfgang.
- **Downstream consumers**: [fill in — known Wolfgang.* dependents; note that unknown external consumers may exist on nuget.org].
- **Package coordinates for unlisting**: [fill in — `<PackageId>` on nuget.org — https://www.nuget.org/packages/<PackageId>/. Some repos ship multiple packages; list each].
Prerequisites
This repo currently publishes via secrets.NUGET_API_KEY. Blocked by #207 — the "Release path" bullet needs to name OIDC/Trusted Publishing for the fleet to be consistent. Land the OIDC migration first, then this appendix.
Acceptance criteria
SECURITY.md on main contains the "Release path & compromise scope" section.
- All 5 bullets are filled in with this repo's specific values (no
[fill in] placeholders left).
- Bullet text matches the canonical structure from Etl-DbClient #240 (no full-runbook expansions).
Notes
- Docs-only change; no version bump required.
- NOT
docs/DISASTER-RECOVERY.md — that scope was closed as superseded by the OIDC decision. This issue's original acceptance criteria (a full runbook) no longer apply; the appendix pattern is what stays.
- Fleet-wide standardization tracked across 26 DR issues; canonical shape lives in Etl-DbClient's
main once its vNext merges.
- Board: https://github.com/users/Chris-Wolfgang/projects/6
Scope
Land the "Release path & compromise scope" appendix in this repo's
SECURITY.md. Approximately 10 lines appended after the existing "Reporting a Vulnerability" / "Response Timeline" / "Thank You" sections. Canonical shape from Etl-DbClient PR #240.Generic incident-response steps (rotate credentials, revoke OAuth apps, unlist vs delete NuGet packages, security advisories) are not duplicated per repo — GitHub and NuGet publish authoritative docs for those that update faster than a checked-in runbook. This appendix only carries the load-bearing per-repo facts.
Content template
Text to append to
SECURITY.md, with the placeholders filled in for this repo:Prerequisites
This repo currently publishes via
secrets.NUGET_API_KEY. Blocked by #207 — the "Release path" bullet needs to name OIDC/Trusted Publishing for the fleet to be consistent. Land the OIDC migration first, then this appendix.Acceptance criteria
SECURITY.mdonmaincontains the "Release path & compromise scope" section.[fill in]placeholders left).Notes
docs/DISASTER-RECOVERY.md— that scope was closed as superseded by the OIDC decision. This issue's original acceptance criteria (a full runbook) no longer apply; the appendix pattern is what stays.mainonce its vNext merges.