Use GitHub Security Advisories for private vulnerability reports:
https://github.com/automagik-dev/omni/security/advisories/new.
Include a description of the issue and steps to reproduce. We will
acknowledge within 2 business days and target a fix window proportional to
severity. Do NOT file public issues for security-sensitive reports.
@automagik/omni release tarballs are signed with cosign keyless OIDC
via GitHub Actions. There is no long-lived signing key — the pin is the
three-value tuple below, witnessed across four channels in this repo. Any
single-channel edit is rejected at PR-merge time by the
signing-identity-pin workflow.
certificate-identity-regexp: ^https://github.com/automagik-dev/omni/.github/workflows/sign-attest.yml@
certificate-oidc-issuer: https://token.actions.githubusercontent.com
provenance source-uri: github.com/automagik-dev/omni
SECURITY.md— this file, repo root.well-known/security.txt— RFC 9116 mirror at/.well-known/security.txton the project site.github/ISSUE_TEMPLATE/signing-key-fingerprint.md— out-of-band issue template.github/cosign.pub— NO-KEY sentinel (no public key — keyless contract)
# Sigstore bundle (cosign keyless)
cosign verify-blob \
--bundle omni-<version>-<platform>.tar.gz.bundle \
--certificate-identity-regexp '^https://github.com/automagik-dev/omni/.github/workflows/sign-attest.yml@' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
omni-<version>-<platform>.tar.gz
# SLSA L3 provenance
slsa-verifier verify-artifact omni-<version>-<platform>.tar.gz \
--provenance-path omni-<version>-<platform>.tar.gz.intoto.jsonl \
--source-uri github.com/automagik-dev/omni
# GitHub Attestations API
gh attestation verify omni-<version>-<platform>.tar.gz --owner automagik-devpgserve verify --slug omni (pgserve v3+) verifies omni release tarballs
against this exact certificate identity. Downstream trust lists anchor on
this regex literally — renaming the sign-attest.yml workflow file breaks
the trust loop.
Rotating the signing identity (workflow rename, repo rename, OIDC issuer change, source-URI rebind) requires:
- Two project maintainers landing a single PR that updates all four
witnesses AND
scripts/check-fingerprint-pinning.sh. - A new
.github/ISSUE_TEMPLATE/signing-key-fingerprint.mdfiling datedSIGNING_CERT_IDENTITY_YYYYMMDDthat supersedes the previous pin. - Coordination with downstream consumers (notably pgserve's trust-list) to land the matching regex update in lockstep.
Any drift in fewer than all four channels is treated as a compromise — operators should stop using the latest release until the four channels re-converge.