diff --git a/CODE_OF_CONDUCT.markdown b/.github/CODE_OF_CONDUCT.markdown similarity index 100% rename from CODE_OF_CONDUCT.markdown rename to .github/CODE_OF_CONDUCT.markdown diff --git a/SECURITY.md b/.github/SECURITY.markdown similarity index 100% rename from SECURITY.md rename to .github/SECURITY.markdown diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 893b3f21..550b346a 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -116,6 +116,7 @@ cruft css csv Currin +CVE CWD cygwin daringfireball diff --git a/README.markdown b/README.markdown index b6e7b68a..26e3a3a9 100644 --- a/README.markdown +++ b/README.markdown @@ -45,7 +45,7 @@ If you don't find the answer to your problem in our [docs](https://jekyllrb.com/ ## Code of Conduct In order to have a more open and welcoming community, Jekyll adheres to a -[code of conduct](CODE_OF_CONDUCT.markdown) adapted from the Ruby on Rails code of +[code of conduct](https://jekyllrb.com/docs/conduct/) adapted from the Ruby on Rails code of conduct. Please adhere to this code of conduct in any interactions you have in the diff --git a/docs/_docs/code_of_conduct.md b/docs/_docs/code_of_conduct.md index 410eb1db..a0f52997 100644 --- a/docs/_docs/code_of_conduct.md +++ b/docs/_docs/code_of_conduct.md @@ -1,7 +1,7 @@ --- title: Code of Conduct permalink: "/docs/code_of_conduct/" -note: This file is autogenerated. Edit /CODE_OF_CONDUCT.markdown instead. +note: This file is autogenerated. Edit /.github/CODE_OF_CONDUCT.markdown instead. redirect_from: "/conduct/index.html" editable: false --- diff --git a/docs/_docs/community/community.md b/docs/_docs/community/community.md index 47321e1b..59d365ad 100644 --- a/docs/_docs/community/community.md +++ b/docs/_docs/community/community.md 
@@ -10,6 +10,13 @@ As contributors and maintainers of this project, and in the interest of fosterin Read the full [code of conduct]({{ '/docs/conduct/' | relative_url }}) +## Reporting Security Vulnerabilities + +Find something in our codebase that could be exploited by malicious elements? + +Consult our [Security Policy]({{ '/docs/security/' | relative_url }}) to see if a product version is considered *outdated* and how to report +the situation responsibly. + ## Where to get support If you're looking for support for Jekyll, there are a lot of options: diff --git a/docs/_docs/contributing.md b/docs/_docs/contributing.md index 4bdb03b2..4c9056a4 100644 --- a/docs/_docs/contributing.md +++ b/docs/_docs/contributing.md 
@@ -153,25 +153,6 @@ script/cucumber features/blah.feature Both `script/test` and `script/cucumber` can be run without arguments to run its entire respective suite. -### Test Ruby Versions Locally - -The CI process runs the build against with several [Ruby](https://github.com/jekyll/jekyll/blob/master/.github/workflows/ci.yml#L22) versions. This process can be repeated locally without changing your default installation by using [earthly](https://earthly.dev/get-earthly). - -To run the full CI process across all supported Ruby Versions: -```sh -earthly +all -``` - -To run the tests for a specific version of Ruby: -```sh -earthly --build-arg RUBY=2.5 +test -``` - -To run the tests for a specific version of JRuby specify the full version: -```sh -earthly --build-arg RUBY=jruby:9.2.14.0 +test -``` - ## Visual Studio Code Development Container If you've got [Visual Studio Code](https://code.visualstudio.com/) with the [Remote Development Extension Pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack) installed then simply opening this repository in Visual Studio Code and following the prompts to "Re-open In A Development Container" will get you setup and ready to go with a fresh environment with all the requirements installed. diff --git a/docs/_docs/security.md b/docs/_docs/security.md new file mode 100644 index 00000000..631a163f --- /dev/null +++ b/docs/_docs/security.md 
@@ -0,0 +1,36 @@ +--- +title: Security Policy +permalink: "/docs/security/" +note: This file is autogenerated. Edit /.github/SECURITY.markdown instead. +--- + +## Supported Versions + +Security updates are applied to the latest MINOR version of Jekyll, and the version used by GitHub Pages, v3.9.x. + +| Version | Supported | +| ------- | ------------------ | +| 4.2.x | :white_check_mark: | +| 3.9.x | :white_check_mark: | +| < 3.9.x | :x: | + +## Reporting a Vulnerability + +Please report vulnerabilities by sending an email to security@jekyllrb.com with the following information: + +1. A description of the vulnerability +2. Reproduction steps and/or a sample site (share a private repo to the [Jekyll Security Team](docs/pages/team.md)) +3. Your contact information + +The Jekyll security team will respond to your submission and notify you whether it has been confirmed by the team. +Your confidentiality is kindly requested as we work on a fix. We will provide our patch to you to test and verify that the vulnerability has +been closed. + +If you have created a patch and would like to submit that to us as well, we will happily consider it though we cannot guarantee that we will +use it. If we use your patch, we will attribute authorship to you either as the commit author, or as a co-author. + +Once a fix is verified, we will release PATCH versions of the supported MINOR versions and assign a CVE to the vulnerability. You will receive +credit in our release post. + +Once the patched version has been released, we will no longer request you to maintain confidentiality and you may choose to share details on +how you found the vulnerability with the community. diff --git a/docs/_docs/support.md b/docs/_docs/support.md index 3a0ff3db..d2233187 100644 --- a/docs/_docs/support.md +++ b/docs/_docs/support.md 
@@ -12,7 +12,7 @@ If you're looking for support for Jekyll, there are a lot of options: * Read [Jekyll Documentation](https://jekyllrb.com/docs/home/) * If you have a question about using Jekyll, start a discussion on [Jekyll Forum](https://talk.jekyllrb.com/) or [StackOverflow](https://stackoverflow.com/questions/tagged/jekyll) -* Chat with Jekyllers — Join [our Gitter channel](https://gitter.im/jekyll/jekyll) or [our IRC channel on Freenode](irc://irc.freenode.net/jekyll) +* Chat with Jekyllers — Join [our Gitter channel](https://gitter.im/jekyll/jekyll) or [our IRC channel on Freenode](irc:irc.freenode.net/jekyll) There are a bunch of helpful community members on these services that should be willing to point you in the right direction. diff --git a/rake/site.rake b/rake/site.rake index 8f93d08b..9e898477 100644 --- a/rake/site.rake +++ b/rake/site.rake @@ -7,7 +7,7 @@ ############################################################################# namespace :site do - task :generated_pages => [:history, :latest_version, :conduct, :contributing, :support] + task :generated_pages => [:history, :latest_version, :conduct, :contributing, :security, :support] desc "Generate and view the site locally" task :preview => :generated_pages do @@ -71,7 +71,7 @@ namespace :site do "redirect_from" => "/conduct/index.html", "editable" => false, } - siteify_file("CODE_OF_CONDUCT.markdown", front_matter) + siteify_file(".github/CODE_OF_CONDUCT.markdown", front_matter) end desc "Copy the contributing file" @@ -84,6 +84,11 @@ namespace :site do siteify_file(".github/SUPPORT.markdown", "title" => "Support") end + desc "Copy the security policy" + task :security do + siteify_file(".github/SECURITY.markdown", "title" => "Security Policy") + end + desc "Write the latest Jekyll version" task :latest_version do next if version =~ %r!(beta|rc|alpha)!i
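Review bot: in the docs/_docs/support.md hunk, changing `irc://irc.freenode.net/jekyll` to `irc:irc.freenode.net/jekyll` drops the `//` authority separator; IRC clients expect the `irc://host/channel` form, so this is a regression rather than a fix. Suggest restoring the original `[our IRC channel on Freenode](irc://irc.freenode.net/jekyll)`; if a link or spell checker flagged it, add an exception for that URL instead of rewriting it.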
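Review bot: in the new docs/_docs/security.md, the link `[Jekyll Security Team](docs/pages/team.md)` is a repository-relative path that will not resolve on the rendered page at `/docs/security/` (it becomes `/docs/security/docs/pages/team.md`), and from the source `.github/SECURITY.markdown` it would point at `.github/docs/pages/team.md`. Since the page is autogenerated from `.github/SECURITY.markdown`, fix it there with an absolute `https://jekyllrb.com/` URL to the team page so both copies work. The "will respond to your submission" sentence would also be more useful to reporters with an expected acknowledgement time.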
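Review bot: the docs/_docs/contributing.md hunk deletes the entire "Test Ruby Versions Locally" section (the `earthly +all` and `earthly --build-arg RUBY=... +test` instructions) with nothing in the rest of the change explaining why, and it is unrelated to adding the security policy. If the earthly workflow was removed elsewhere, state that in the commit message; otherwise split this deletion into its own change so it can be reviewed on its own.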
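Review bot: in the rake/site.rake hunk adding the `:security` task, `siteify_file(".github/SECURITY.markdown", "title" => "Security Policy")` passes only a title, whereas the `:conduct` task visible above sets `"editable" => false` for its autogenerated page; the generated docs/_docs/security.md accordingly has no `editable` key. Consider whether the security page should also be marked non-editable so the site does not invite edits to a file whose `note:` says to edit `/.github/SECURITY.markdown` instead.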