diff --git a/.github/workflows/security-txt-expiry.yml b/.github/workflows/security-txt-expiry.yml new file mode 100644 index 0000000000000..5ca46fd5f4824 --- /dev/null +++ b/.github/workflows/security-txt-expiry.yml @@ -0,0 +1,55 @@ +# Refreshes apps/site/public/.well-known/security.txt so its RFC 9116 Expires +# field never silently lapses. Runs once a year and opens a PR bumping Expires +# ~13 months out — a human must confirm the contact/policy are still valid +# before merging. The generous window (>1yr) means the file never expires even +# if a run is delayed, and anchoring to the fixed yearly run avoids drift. +name: Refresh security.txt Expires + +on: + workflow_dispatch: + schedule: + - cron: '0 8 1 1 *' # once a year, Jan 1 at 08:00 UTC + +permissions: {} + +jobs: + refresh-expires: + runs-on: ubuntu-latest + if: github.repository_owner == 'nodejs' + permissions: + contents: write + pull-requests: write + steps: + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - name: Bump Expires (~13 months out) + env: + SECURITY_TXT: apps/site/public/.well-known/security.txt + run: | + set -euo pipefail + new=$(date -u -d '+400 days' +%Y-%m-%dT23:59:59.000Z) + sed -i "s/^Expires:.*/Expires: ${new}/I" "$SECURITY_TXT" + + - name: Create Pull Request (only if the date changed) + uses: gr2m/create-or-update-pull-request-action@b65137ca591da0b9f43bad7b24df13050ea45d1b # v1.10.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + commit-message: 'chore: refresh security.txt Expires' + title: 'chore: refresh security.txt Expires' + body: | + Annual refresh of the `Expires` field in `apps/site/public/.well-known/security.txt` so it + never silently lapses. + + **Before merging, please confirm the rest of the file is still accurate:** + - The `Contact` (HackerOne) is still the correct, actively-monitored channel + - The linked `Policy` is still the intended vulnerability-disclosure path + + If anything has changed, update it in this PR before extending the expiration. + + cc: @nodejs/security-wg + labels: security + branch: automated/security-txt-expiry diff --git a/apps/site/public/.well-known/security.txt b/apps/site/public/.well-known/security.txt index 1163a25b230c0..370bfb41de0d3 100644 --- a/apps/site/public/.well-known/security.txt +++ b/apps/site/public/.well-known/security.txt @@ -1,2 +1,3 @@ Contact: https://hackerone.com/nodejs +Expires: 2027-06-30T23:59:59.000Z Policy: https://github.com/nodejs/node/security/policy#security