Do not place secrets, API keys, tokens, or private URLs into issues, pull requests, or logs.

If you find a security problem:

1. Describe the affected file or workflow.
2. Explain the impact.
3. Include a minimal reproduction if it is safe to do so.
4. Prefer a private report channel when one is available.

For local workflows, verify changes with the existing validation scripts before publishing.