Security Policy

Repository Configuration

Visibility: Public
Maintainer: @samuelho-dev (solo)
Contributions: Not accepted

GitHub Secrets

Secret	Purpose	Permissions
`B2_ACCESS_KEY_ID`	B2 S3 API access	Write: `ai-dev-env/nix/cache`
`B2_SECRET_ACCESS_KEY`	B2 S3 API secret	Write: `ai-dev-env/nix/cache`
`NIX_SIGNING_KEY`	Package signing	Sign: Nix store paths

Source: 1Password (Dev/backblaze)

Protection Mechanisms

Workflow Secret Access

Secrets accessible only when:

github.event_name == 'push'
  && github.ref == 'refs/heads/main'
  && inputs.skip_cache_push != 'true'

File Protection

CODEOWNERS: Workflow files require approval
Fork PR Approval: External workflows blocked
Secret Hygiene: Keys shredded after use (shred -u)

Incident Response

Compromised Secrets

Revoke B2 key via 1Password/B2 console
Generate new Nix signing keypair
Delete GitHub secrets: gh secret delete <name>
Update 1Password with new credentials
Re-add secrets to GitHub

Malicious Commit

Revert: git revert <sha> && git push --force
Audit: gh run list --limit 20
Check B2 for unauthorized uploads

Maintenance

Secret Rotation: Every 90 days
Audit Frequency: Monthly B2 cache review
Contact: @samuelho-dev via GitHub Issues

Last updated: 2025-12-04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security

.github/SECURITY.md

Security Policy

Repository Configuration

GitHub Secrets

Protection Mechanisms

Workflow Secret Access

File Protection

Incident Response

Compromised Secrets

Malicious Commit

Maintenance

There aren’t any published security advisories

Security: samuelho-dev/dev-config

Security

.github/SECURITY.md

Security Policy

Repository Configuration

GitHub Secrets

Protection Mechanisms

Workflow Secret Access

File Protection

Incident Response

Compromised Secrets

Malicious Commit

Maintenance

There aren’t any published security advisories