| Version | Supported |
|---|---|
| v2.x.x | ✅ |
| v1.x.x | ❌ End of life |

If you discover a security vulnerability in ZAD Actions, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities
- Email the maintainers directly or use GitHub's private vulnerability reporting feature
- Include a detailed description of the vulnerability and steps to reproduce
- Always store your ZAD API key as a GitHub secret (`ZAD_API_KEY`); never commit API keys to your repository
- The action reads the API key from an environment variable and never logs it
The actions validate all inputs to prevent injection attacks:
- `project-id`, `deployment-name`, and `component` are validated to contain only alphanumeric characters, hyphens, underscores, and dots
- Container-related inputs are validated to prevent command injection
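The following is an added example, not the ZAD Actions project's own code, showing the kind of allow-list validation the policy describes. The function names (`validateIdentifier`, `validateContainerArg`, `buildContainerArgs`, `validateInputs`) and the exact character set accepted for container inputs are assumptions; the page only states that such inputs are validated. The second half shows the complementary mitigation: passing the validated value as a single argv entry so no shell ever parses it.

```javascript
// Added example (not ZAD Actions project code). Allow-list validation for action inputs.

// Allowed character set for project-id, deployment-name and component, as the policy states:
// letters, digits, hyphens, underscores and dots. Anything else is rejected outright.
const IDENTIFIER_RE = /^[A-Za-z0-9._-]+$/;

// Returns the value unchanged if it is a safe identifier, otherwise throws.
function validateIdentifier(name, value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new Error(`${name} must be a non-empty string`);
  }
  if (!IDENTIFIER_RE.test(value)) {
    throw new Error(`${name} may only contain letters, digits, '-', '_' and '.'`);
  }
  return value;
}

// Container image references need a few more characters (registry paths, tags, digests).
// This allow-list is an assumption for the example; it still excludes every shell
// metacharacter (space, ; | & $ ` ( ) < > quotes and newlines).
const CONTAINER_ARG_RE = /^[A-Za-z0-9._\/:@-]+$/;

function validateContainerArg(name, value) {
  if (typeof value !== "string" || !CONTAINER_ARG_RE.test(value)) {
    throw new Error(`${name} contains characters that are not allowed`);
  }
  return value;
}

// Build the argument vector for a container CLI as an array. Handing an array to
// child_process.spawn (without shell: true) means the value is delivered verbatim
// as one argument; there is no command line for injected text to alter.
function buildContainerArgs(image) {
  return ["image", "rm", validateContainerArg("image", image)];
}

// Validate every identifier input at once and return a sanitized object.
function validateInputs(inputs) {
  return {
    projectId: validateIdentifier("project-id", inputs["project-id"]),
    deploymentName: validateIdentifier("deployment-name", inputs["deployment-name"]),
    component: validateIdentifier("component", inputs["component"]),
  };
}

// Helper that reports whether a value would be accepted, for callers that prefer booleans.
function isSafeIdentifier(value) {
  try {
    validateIdentifier("input", value);
    return true;
  } catch {
    return false;
  }
}
```

Validation happens before the value is used anywhere, and the rejection message names the input but never echoes the rejected value, so a malicious string does not end up in the job log.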
Use the principle of least privilege when configuring GitHub tokens:
- `github-token`: only needs `deployments: write` and `packages: delete` (if using container cleanup)
- `github-admin-token`: required only for environment deletion; use a dedicated token with minimal scope
- Pin to specific versions: use `@v2.0.0` instead of `@v2` in production workflows for reproducibility
- Review actions before use: audit the action code before using it in your workflows
- Limit secret access: Only expose secrets to jobs that need them
- Use environments: Configure GitHub environments with required reviewers for production deployments
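The following is an added example, not part of the ZAD Actions project, that turns the token-scope and best-practice points above into an automated check over a workflow file. It embeds two constructed workflow snippets, one weak and one hardened, and flags unpinned `uses:` references, API keys or tokens written as literals instead of `${{ secrets.* }}` expressions, a missing top-level `permissions:` block, and a missing `environment:`. The action path `zad/actions/deploy`, the function name `auditWorkflow`, and the sample values are assumptions; the line-oriented matching is deliberately simple and assumes the one-key-per-line layout shown.

```javascript
// Added example (not ZAD Actions project code). Lint a workflow against the hardening points.

// Constructed weak workflow: floating tags, a literal API key, default token scope, no environment.
const WEAK_WORKFLOW = `
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: zad/actions/deploy@v2
        with:
          project-id: my-project
        env:
          ZAD_API_KEY: zad_live_0123456789
`;

// Constructed hardened workflow: pinned versions, secret from the secrets store,
// least-privilege permissions block, and a gated environment.
const HARDENED_WORKFLOW = `
name: deploy
on: [push]
permissions:
  deployments: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4.1.7
      - uses: zad/actions/deploy@v2.0.0
        with:
          project-id: my-project
        env:
          ZAD_API_KEY: \${{ secrets.ZAD_API_KEY }}
`;

// A ref counts as pinned when it is a full semver tag (v2.0.0) or a 40-hex commit SHA.
const PINNED_REF_RE = /^(v?\d+\.\d+\.\d+|[0-9a-f]{40})$/;
// Env keys that look like credentials must reference the secrets context, nothing else.
const SECRET_KEY_RE = /^([A-Z0-9_]*(?:API_KEY|TOKEN)[A-Z0-9_]*):\s*(.+)$/;
const SECRET_EXPR_RE = /^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$/;

// Returns a list of human-readable findings; an empty list means all checks passed.
function auditWorkflow(yamlText) {
  const findings = [];
  let hasPermissions = false;
  let hasEnvironment = false;

  for (const raw of yamlText.split("\n")) {
    const line = raw.trim();

    // Step references: "- uses: owner/repo@ref"
    const uses = line.match(/^-?\s*uses:\s*(\S+)@(\S+)$/);
    if (uses) {
      const [, action, ref] = uses;
      if (!PINNED_REF_RE.test(ref)) findings.push(`unpinned action: ${action}@${ref}`);
      continue;
    }

    // Top-level permissions block (column 0) restricts GITHUB_TOKEN for the whole workflow.
    if (/^permissions:/.test(raw)) hasPermissions = true;
    if (/^\s*environment:/.test(raw)) hasEnvironment = true;

    // Credential-looking env entries must come from the secrets store.
    const secret = line.match(SECRET_KEY_RE);
    if (secret) {
      const [, key, value] = secret;
      if (!SECRET_EXPR_RE.test(value)) findings.push(`literal secret in ${key}`);
    }
  }

  if (!hasPermissions) findings.push("no top-level permissions block: GITHUB_TOKEN keeps the default scope");
  if (!hasEnvironment) findings.push("no environment configured: required reviewers cannot gate the deploy");
  return findings;
}
```

Run it from a pre-merge check or a CI step and fail the job when `auditWorkflow` returns anything; the hardened snippet also doubles as the reference layout for a ZAD deployment job.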