docs: address threat model review feedback

Zsolt Dollenstein
2026-06-23 12:58:48 +01:00
parent 81e0b4e357
commit 1de985f1b7
2 changed files with 7 additions and 2 deletions
+5
@@ -0,0 +1,5 @@
# Security policy
Report suspected vulnerabilities according to [Astral's security policy](https://github.com/astral-sh/.github/blob/main/SECURITY.md).
For this repository's security boundaries and reporting criteria, see the [setup-uv threat model](docs/threat-model.md).
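Review bot: The relative link `docs/threat-model.md` in the last line resolves only if this policy file sits at the repository root, and the file path is not visible in this view. If the file is placed in a subdirectory such as `.github/`, the link will break, so confirm the location and adjust the path to match.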
+2 -2
@@ -2,7 +2,7 @@
## Overview
`setup-uv` is a GitHub Action that installs or reuses `uv`, changes later-step paths and environment, may discover and execute a Python interpreter, may create or clear a virtual environment, and may restore or save caches. It runs with the workflow job's filesystem, network, token, secrets, OIDC, artifact, and release authority.
`setup-uv` is a GitHub Action that installs or reuses `uv`, modifies `PATH` and the environment for later steps, may execute a discovered Python interpreter, may create or clear a virtual environment, and may restore or save caches. It may use `github-token` to authenticate GitHub downloads; it requires no OIDC credential or additional workflow secret.
The consumer runtime is the selected ref's committed action metadata, bundles, and runner-interpreted companion files; source alone is not evidence of shipped behavior. Privileged automation that generates, updates, or publishes those artifacts is also in scope.
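Review bot: The replacement overview sentence states what the action requires (`github-token` for downloads, no OIDC credential or additional secret) but no longer states what it runs with, and a threat model needs both. The sentence it replaces recorded that the action runs with the workflow job's filesystem, network and token authority, which is what an attacker gains if executable selection or a cache is compromised, regardless of what the action itself asks for. The reporting section below still tells reporters to establish "effective token, secrets/OIDC, environment gates", so the overview now has no counterpart for that. Suggest keeping one clause on the job-level authority the step inherits alongside the new sentence on what it needs.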
@@ -50,7 +50,7 @@ Material failures are unauthorized executable selection, credential disclosure,
Before reporting, identify the attacker and victim principals; exact controlled input; scanned action and checkout refs; runtime reachability in committed bundles; effective token, secrets/OIDC, environment gates, cache scope, and runner persistence; applicable defaults and opt-ins; validation performed or skipped; declared trust roots; baseline versus incremental capability; and concrete impact. Reproduce platform-specific behavior and distinguish the scanned ref from other versions.
Missing independent attacker control, a violated guarantee, committed-runtime reachability, incremental capability, or practical impact is `NOT_APPLICABLE`, `INTENDED_BEHAVIOR`, `CORRECTNESS`, `DEFENSE_IN_DEPTH`, or `NEEDS_EVIDENCE`, not a security severity.
A report must demonstrate independent attacker control, a violated guarantee, committed-runtime reachability, incremental capability, and practical impact; otherwise it is not a security finding and should not be reported as one.
## Attack Surface, Mitigations, and Attacker Stories
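Review bot: The replacement sentence ("otherwise it is not a security finding and should not be reported as one") tells a reporter what not to do but not where such a report should go. The sentence it replaces separated these cases with labels such as `CORRECTNESS`, `DEFENSE_IN_DEPTH` and `NEEDS_EVIDENCE`, and that distinction is lost: a report missing only evidence is now treated the same as intended behavior. Suggest adding a short follow-on sentence saying how to submit correctness or hardening issues and that a report lacking evidence can be resubmitted once the five elements are shown. If the removed labels are referenced elsewhere in the document, those references need updating in the same change.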