Never commit:
- Private keys (`.pem`, `.key`, `*-key.json`)
- GCP service account keys
- GitHub tokens or API keys
- Passwords or credentials
- `.env` files with secrets
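One way to enforce the list above locally is a git pre-commit hook that refuses staged paths matching the forbidden name patterns and staged content that carries a PEM private-key header. The script below is an added example, not the project's own hook; it assumes plain git hooks (install as `.git/hooks/pre-commit`) and only blocks `.env` itself, not variants such as `.env.example`.

```shell
#!/bin/sh
# Added example (not this repository's own tooling): block commits that stage
# files matching the never-commit patterns, or content that contains a
# private-key block. Assumes plain git hooks (.git/hooks/pre-commit).

# Return 0 if the path matches one of the forbidden name patterns.
# Deliberately matches only a literal .env, not .env.example and the like.
is_forbidden_path() {
  case "$1" in
    *.pem|*.key|*-key.json|.env|*/.env) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the content on stdin contains a PEM private-key header
# (e.g. "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----").
has_private_key_marker() {
  grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----'
}

# Scan every staged (added/copied/modified/renamed) file.
# Return non-zero, which aborts the commit, on any finding.
check_staged() {
  status=0
  for path in $(git diff --cached --name-only --diff-filter=ACMR); do
    if is_forbidden_path "$path"; then
      echo "blocked: $path matches a never-commit pattern" >&2
      status=1
    elif git show ":$path" | has_private_key_marker; then
      echo "blocked: $path contains a private key block" >&2
      status=1
    fi
  done
  return $status
}

# Run the scan only when git invokes this file as the pre-commit hook,
# so the functions can also be sourced and exercised on their own.
case "$0" in
  */pre-commit|pre-commit) check_staged ;;
esac
```

The content check matters because a key pasted into an unrelated file (a YAML value, a test fixture) slips past name-based rules; the name check matters because an encrypted or non-PEM key file has no recognisable header.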

- GCP credentials: Use GitHub Actions secrets (`GCP_SERVICE_ACCOUNT_KEY`, `GCP_WORKLOAD_IDENTITY_*`) or environment variables at runtime. Never store them in the repo.
- Release signing: Locked-image release assets are keyless-signed with Sigstore (GitHub OIDC identity). No signing private key is stored in this repository.
- Packer vars: Use `vars.GCP_*` in workflows; sensitive values go in GitHub repo variables/secrets.
- Ansible: No hardcoded secrets. Use `metrics-secret-name`/`logs-secret-name` metadata (GCP Secret Manager) for observability.

- `published-mrtds.json` and `release-provenance.json` are shipped with Sigstore signatures (`.sig`) and certificates (`.pem`).
- Users verify MRTDs before trusting deployed nodes.
- See docs/architecture/trust-boundaries.md for the trust model.
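Keyless Sigstore verification only means something if the verifier pins which OIDC identity was expected to sign; a bare signature check would accept any certificate Fulcio ever issued. The script below is an added example, not part of this repository or its release workflow: it verifies `published-mrtds.json` and `release-provenance.json` with `cosign verify-blob` against their `.sig` and `.pem` files before the MRTD values are trusted. Assumed, and to be adjusted to the real workflow: the signature and certificate sit beside the asset as `<asset>.sig` and `<asset>.pem`, the signing identity is the releasing repository's GitHub Actions workflow (the `ORG/REPO` placeholder must be replaced), and cosign v2 is installed.

```shell
#!/bin/sh
# Added example, not the project's own tooling: verify a release asset against
# its Sigstore keyless signature and certificate before trusting its contents.
# Assumptions (placeholders; adjust to the actual release workflow):
#   - <asset>.sig and <asset>.pem are shipped next to <asset>
#   - the signer is the GitHub Actions workflow of ORG/REPO (placeholder)
#   - cosign v2 (https://github.com/sigstore/cosign) is installed
# The identity and issuer pins are what make keyless verification meaningful.

EXPECTED_IDENTITY_RE='^https://github\.com/ORG/REPO/\.github/workflows/.*'  # placeholder
EXPECTED_ISSUER='https://token.actions.githubusercontent.com'

# Return 0 if <asset>, <asset>.sig and <asset>.pem all exist;
# otherwise name the first missing file and return 1.
assets_present() {
  asset=$1
  for f in "$asset" "$asset.sig" "$asset.pem"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f" >&2
      return 1
    fi
  done
  return 0
}

# Verify one asset. Returns 0 only if cosign accepts the signature, the
# certificate chains to the Sigstore root, and the certificate's SAN and
# OIDC issuer match the pins above. Returns 2 if cosign is unavailable.
verify_release_asset() {
  asset=$1
  assets_present "$asset" || return 1
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 2; }
  cosign verify-blob \
    --signature "$asset.sig" \
    --certificate "$asset.pem" \
    --certificate-identity-regexp "$EXPECTED_IDENTITY_RE" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$asset"
}

# Verify both trust-relevant files of a downloaded release directory.
verify_release_dir() {
  dir=$1
  verify_release_asset "$dir/published-mrtds.json" &&
    verify_release_asset "$dir/release-provenance.json"
}
```

Run `verify_release_dir ./release` before reading MRTD values out of `published-mrtds.json`; with these flags cosign also checks the transparency-log entry, so verification needs network access unless an offline bundle is supplied. A missing `.sig` or `.pem` is treated as a failure, not as "unsigned, proceed".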

Please do not open public GitHub issues for suspected vulnerabilities.
- Contact: info@calimero.network
- Include:
  - affected component/path
  - reproduction steps or proof-of-concept
  - potential impact
  - proposed mitigations (if any)
We will acknowledge receipt and triage as quickly as possible.
Security fixes are generally applied to the latest master branch and latest
released version stream.