jelly-beam/otp-macos

Add disclaimer about usage in README

Closed this issue · 2 comments

While our action is dead simple, it uses other actions and tools, and what's more there's GitHub itself. TL;DR: We try our best to ensure the binaries released are safe, but there is a chain of trust at work here. Use at your own risk, and do xyz (e.g., verify the binary using the sha sum that went along with it, etc.) to help protect yourself.
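The checksum step mentioned above, shown as an added example (this is not code from the otp-macos project or the issue author). It assumes a release artifact and a checksum file in the `<hex digest>  <filename>` format that `sha256sum` and `shasum -a 256` produce; the artifact, its name and the checksum file below are constructed on the fly so the script runs offline.

```shell
# Verify a downloaded release artifact against the checksum published with it.
# Assumption: the checksum file holds "<sha256 hex>  <basename of artifact>".

# Pick whichever SHA-256 tool the host has (Linux: sha256sum, macOS: shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE CHECKSUM_FILE
# Returns 0 when FILE's digest matches the line for its basename in
# CHECKSUM_FILE, 1 on mismatch, missing input, or no matching line.
verify_checksum() {
  file=$1
  sums=$2
  [ -f "$file" ] && [ -f "$sums" ] || return 1
  expected=$(awk -v name="$(basename "$file")" '$2 == name {print $1}' "$sums")
  [ -n "$expected" ] || return 1
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Constructed demo data: a fake tarball and a checksum file that matches it.
workdir=$(mktemp -d)
printf 'pretend OTP tarball contents\n' > "$workdir/otp-example.tar.gz"
printf '%s  otp-example.tar.gz\n' "$(sha256_of "$workdir/otp-example.tar.gz")" \
  > "$workdir/otp-example.tar.gz.sha256"

# The untouched artifact verifies.
demo_intact() {
  verify_checksum "$workdir/otp-example.tar.gz" "$workdir/otp-example.tar.gz.sha256"
}

# An artifact altered after the checksum was published does not: one extra
# byte changes the digest, so verification fails even though the checksum
# file itself is unchanged.
demo_tampered() {
  cp "$workdir/otp-example.tar.gz" "$workdir/tampered.tar.gz"
  printf 'x' >> "$workdir/tampered.tar.gz"
  printf '%s  tampered.tar.gz\n' "$(awk '{print $1}' "$workdir/otp-example.tar.gz.sha256")" \
    > "$workdir/tampered.tar.gz.sha256"
  verify_checksum "$workdir/tampered.tar.gz" "$workdir/tampered.tar.gz.sha256"
}

if demo_intact; then echo "intact artifact: checksum OK"; fi
if ! demo_tampered; then echo "tampered artifact: checksum MISMATCH"; fi
```

A checksum fetched from the same release page as the binary only shows that the bytes you received are the bytes that were published; it does not tell you whether the publishing pipeline itself was compromised, which is the chain-of-trust concern raised in this issue. Checking a publisher signature over the release, or a checksum obtained through a separate channel, is what covers that case.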

Yeah, I think a disclaimer is good. This, tied with:

  1. the community's 👀
  2. a SECURITY.md
  3. a LICENSE
  4. GitHub Actions secbot
  5. our reading of the hardening rules and implementing them

should already be good steps in the right direction.

I'd like to deal with the "removal of 3rd party" before, though, so we wanna have the best disclaimer possible (and updated too).