Security Policy

Security information and hardening guidance for ActionsManager Self-Hosted Beta.

Table of contents
  1. Reporting a Vulnerability
  2. Supported Versions
  3. Self-Hosted Hardening
    1. Credential Protection
    2. Network Security
    3. Operational Security
    4. Access Control
  4. No Formal Compliance Claim
  5. Related Topics

Beta notice: ActionsManager Self-Hosted is currently a free beta preview provided as-is, without warranty, SLA, support guarantee, uptime guarantee, production-readiness guarantee, or formal compliance certification. The beta may interact with GitHub repositories, workflow files, pull requests, secrets metadata, tokens, OAuth credentials, environment variables, and local databases.

Reporting a Vulnerability

Do not open a public GitHub issue for suspected vulnerabilities. Report security issues privately by using GitHub private vulnerability reporting if enabled, or the maintainer contact channel listed on the repository profile.

When reporting, please include:

  • Affected version, commit, image tag, or deployment mode
  • A clear description of the vulnerability and affected component
  • Reproduction steps or proof-of-concept details
  • Expected and actual impact
  • Relevant logs or screenshots with all secrets redacted
  • Suggested fix or mitigation, if known

Please follow coordinated disclosure: give maintainers a reasonable window to investigate and ship a fix before anything is published.

Supported Versions

Security fixes are prioritized for the active beta branch and current published self-hosted beta image. Older pre-1.0 snapshots may not receive backported fixes. No formal SLA or response-time guarantee is provided during beta.

Self-Hosted Hardening

Operators are responsible for securing their own deployment. At minimum:

Credential Protection

  • Keep .env.self-hosted and every real .env file out of version control: list them in .gitignore and commit only a values-free .env.example
  • Protect GitHub OAuth client secrets, PATs, webhook secrets, and database files: restrict their file permissions to the service account, and keep database files and volumes outside the repository and any web-served path
  • Rotate credentials immediately if they may have been exposed in logs, shell history, screenshots, issues, or commits; deleting the commit or message afterwards does not revoke the secret

Network Security

  • Terminate TLS at a reverse proxy if ActionsManager is reachable beyond localhost, and publish the container's port on the loopback address only (for example 127.0.0.1:8080) so the proxy is the only route to it
  • When no proxy is in front, restrict port 8080 to trusted networks with a host firewall or security group
  • Never expose the container directly to the public internet without TLS: OAuth and token traffic would otherwise cross the network in clear text

Operational Security

  • Review all generated or edited workflow changes before merging or applying them
  • Prefer PR-based delivery for beta testing — direct commits cannot be reviewed before taking effect
  • Keep the container image updated, and pin a specific tag or image digest rather than a floating tag such as latest so upgrades happen when you choose, not when the tag moves
  • Back up the SQLite volume or PostgreSQL database before upgrades
  • Disable debug, mock, and stub settings for any shared or exposed deployment

Access Control

  • Prefer fine-grained GitHub PATs or OAuth with least-privilege access: select only the repositories the deployment manages, grant only the permissions it actually uses, and set an expiry
  • Do not grant ActionsManager access to repositories it does not need to manage
  • Do not use placeholder credentials such as admin/admin in production deployments; change any default login before the instance is reachable beyond localhost
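
The checks in the Credential Protection, Network Security and Access Control lists above, plus the log redaction asked for under Reporting a Vulnerability, as an added shell example that is not code from the ActionsManager project. It is a preflight script an operator runs before committing or exposing a deployment. Assumptions: the app port is 8080, real env files are named .env*, and the admin login is configured through hypothetical ADMIN_USER / ADMIN_PASSWORD variables; the GitHub token prefixes are the real ones.

```shell
#!/bin/sh
# preflight.sh: operator-side checks for the hardening list above.
# Added example for this policy page; it is not code from the ActionsManager
# project. Assumptions: the app listens on 8080, real env files are named
# .env*, and the admin login comes from ADMIN_USER / ADMIN_PASSWORD in the env
# file (hypothetical variable names).

# Credential Protection: env files must never be committed. Reads paths on
# stdin (`git ls-files` or `git diff --cached --name-only`) and prints offenders.
# Exit 0 = clean, 1 = real env file present. .env.example carries no values.
find_env_files() {
  offenders=$(grep -E '(^|/)\.env(\.[A-Za-z0-9_-]+)?$' | grep -v '\.env\.example$' || true)
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# GitHub token shapes: classic tokens are ghp_/gho_/ghu_/ghs_/ghr_ plus 36
# alphanumerics; fine-grained PATs are github_pat_ plus 22 chars, "_", 59 chars.
TOKEN_RE='(gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})'

# Prints every token-shaped string on stdin (e.g. `git diff --cached` before a
# commit). Exit 0 = none, 1 = at least one found.
find_tokens() {
  hits=$(grep -E -o "$TOKEN_RE" || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Redacts token bodies in a log before it is attached to a vulnerability
# report, keeping the prefix so the reader can still tell what kind leaked.
redact_tokens() {
  sed -E 's/(gh[pousr]_)[A-Za-z0-9]{36}/\1<REDACTED>/g; s/(github_pat_)[A-Za-z0-9]{22}_[A-Za-z0-9]{59}/\1<REDACTED>/g'
}

# Network Security: behind a TLS proxy the app port must not listen on a
# wildcard address. Reads `ss -ltnH` output on stdin (column 4 is
# Local Address:Port). Exit 0 = clean, 1 = wildcard listener(s) printed.
find_wildcard_listen() {
  awk -v p="${1:-8080}" 'BEGIN { found = 0 }
    $4 ~ ("^(0\\.0\\.0\\.0|\\*|\\[::\\]):" p "$") { print $4; found = 1 }
    END { exit found }'
}

# Access Control: refuse placeholder logins. Reads the env file on stdin.
# Exit 0 = ok, 1 = ADMIN_PASSWORD is empty or a well-known placeholder.
reject_placeholder_creds() {
  awk -F= '$1 == "ADMIN_PASSWORD" { p = substr($0, index($0, "=") + 1); seen = 1 }
    END {
      if (seen && (p == "" || p == "admin" || p == "password" || p == "changeme")) {
        print "ADMIN_PASSWORD is a placeholder value"; exit 1
      }
      exit 0
    }'
}

# Runs every check against the live checkout and host; needs git and ss.
run_preflight() {
  rc=0
  git ls-files | find_env_files || rc=1
  git diff --cached | find_tokens || rc=1
  ss -ltnH | find_wildcard_listen 8080 || rc=1
  reject_placeholder_creds < .env.self-hosted || rc=1
  return $rc
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it as `sh preflight.sh --run` from the repository root on the host, or wire `find_env_files` and `find_tokens` into a pre-commit hook fed by `git diff --cached --name-only` and `git diff --cached`. Each function reads its input on stdin so the same checks can be pointed at a saved `ss` listing or a log file pulled from another machine.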

No Formal Compliance Claim

This repository may use security tools and secure-development practices, but the beta does not claim SOC 2, ISO 27001, HIPAA, FedRAMP, PCI, or other formal compliance certification.