
Security: jerdaw/dotfiles


SECURITY.md

Security Policy

Supported Versions

We support the latest release with security updates.

Version   Supported
1.x.x     Yes
< 1.0     No

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please follow responsible disclosure practices:

How to Report

Report: Open a new issue on GitHub with the security label. If the report is sensitive (for example, it contains working reproduction steps), contact the maintainer directly instead of posting those details in a public issue.

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Initial Response: Within 48 hours
  • Assessment: Within 7 days
  • Fix & Disclosure: Coordinated with reporter

What to Expect

  1. Acknowledgment of your report
  2. Regular updates on progress
  3. Credit in release notes (if desired)
  4. Coordinated public disclosure

Security Best Practices

Secrets Management

This repository uses age encryption for secrets management:

  • Secrets are encrypted with age before committing
  • Key stored in ~/.config/chezmoi/key.txt (never committed)
  • See SECRETS.md for full documentation

No Secrets in Commits

  • All contributors must use the gitleaks pre-commit hook
  • Secrets scanning also runs in CI on every commit, so a skipped local hook is still caught
  • See .pre-commit-config.yaml for configuration
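The two rules above can be checked locally before gitleaks ever runs. The script below is an added example, not code from jerdaw/dotfiles or from its .pre-commit-config.yaml: it refuses a commit if a file that chezmoi marks as encrypted (the `encrypted_` source-name prefix) is not actually age-encrypted, or if an age identity (the contents of key.txt) has been staged. It assumes age's binary output begins with the header line `age-encryption.org/v1`, its armored output with `-----BEGIN AGE ENCRYPTED FILE-----`, and that identity files contain a line starting with `AGE-SECRET-KEY-1`; the `--hook` flag and the function names are this example's own.

```bash
#!/bin/sh
# Added example, not part of jerdaw/dotfiles. A pre-commit guard for the two rules
# above: anything chezmoi stores with the "encrypted_" source-name prefix must
# really be age-encrypted, and an age identity (the contents of key.txt) must
# never be staged. Assumptions: age's binary format starts with the line
# "age-encryption.org/v1" and its ASCII armor with
# "-----BEGIN AGE ENCRYPTED FILE-----"; identity files contain a line starting
# with "AGE-SECRET-KEY-1".

# Return 0 if FILE looks age-encrypted (binary or armored), 1 otherwise.
is_age_encrypted() {
    first_line=$(head -n 1 -- "$1" 2>/dev/null | tr -d '\r')
    case "$first_line" in
        "age-encryption.org/v1"|"-----BEGIN AGE ENCRYPTED FILE-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if FILE contains an age secret key, which must never be committed.
contains_age_identity() {
    grep -q '^AGE-SECRET-KEY-1' -- "$1" 2>/dev/null
}

# Read staged paths (one per line on stdin), print one BLOCK line per violation,
# return 1 if anything was flagged. Paths that no longer exist (deletions) are skipped.
check_staged_paths() {
    status=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        if contains_age_identity "$path"; then
            echo "BLOCK: $path contains an age identity (AGE-SECRET-KEY-1); keep it in ~/.config/chezmoi/key.txt"
            status=1
        fi
        case "${path##*/}" in
            encrypted_*)
                if ! is_age_encrypted "$path"; then
                    echo "BLOCK: $path is named encrypted_* but is not age-encrypted"
                    status=1
                fi ;;
        esac
    done
    return "$status"
}

# Hook entry point: feed the index to the checker. Install as .git/hooks/pre-commit
# or wire it into .pre-commit-config.yaml next to gitleaks.
precommit_secrets_guard() {
    git diff --cached --name-only --diff-filter=ACMR | check_staged_paths
}

# Run the guard only when executed with --hook; sourcing the file just defines the functions.
if [ "${1:-}" = "--hook" ]; then
    precommit_secrets_guard || exit 1
fi
```

The header check is deliberately strict: a file that chezmoi will treat as encrypted but that is really plaintext is exactly the mistake gitleaks cannot always see (a plaintext token that matches none of its rules), so the guard keys on the file-naming convention rather than on the secret's shape.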

Dependency Security

  • Dependencies managed via Renovate
  • Automated patch updates with CI validation
  • Security updates prioritized

CI/CD Security

  • GitHub Actions workflows declare explicit permissions (least privilege for GITHUB_TOKEN)
  • Actions pinned to a specific version tag or, preferably, a full commit SHA (a tag can be moved to different code; a SHA cannot)
  • Tokens use github.token, the automatic per-job token that expires when the job finishes
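These two controls are easy to let slip when a workflow is edited, so they are worth checking mechanically. The following audit script is an added example, not part of jerdaw/dotfiles or its CI: it flags every `uses:` reference whose ref after `@` is not a 40-hex commit SHA, and every workflow file with no top-level `permissions:` key. The SHA-only notion of "pinned", the skipping of local (`./`) and `docker://` references, and the `--audit` flag are this example's own choices.

```bash
#!/bin/sh
# Added example, not from jerdaw/dotfiles. Audits GitHub Actions workflows for the
# two controls listed above. Assumptions made here: a "uses:" reference counts as
# pinned only when the ref after "@" is a full 40-hex commit SHA (tags and branches
# can be moved, a SHA cannot), and a workflow without a top-level "permissions:"
# key runs GITHUB_TOKEN with the repository default scope rather than least privilege.

# Print each "uses:" reference in FILE that is not pinned to a 40-hex commit SHA.
# Local actions ("./path") and docker:// images are skipped: they are not fetched
# from a mutable Git ref. Returns 0 when everything is SHA-pinned, 1 otherwise.
unpinned_actions() {
    unpinned=$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' -- "$1" \
        | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
        | tr -d "\"'" \
        | grep -Ev '^(\./|docker://)' \
        | grep -Ev '@[0-9a-f]{40}$' || true)
    [ -n "$unpinned" ] || return 0
    printf '%s\n' "$unpinned"
    return 1
}

# Return 0 if FILE declares a top-level "permissions:" block, 1 if it inherits the default.
has_explicit_permissions() {
    grep -Eq '^permissions:' -- "$1"
}

# Audit every workflow in DIR (default .github/workflows); print findings, return 1 on any.
audit_workflows() {
    dir=${1:-.github/workflows}
    rc=0
    for f in "$dir"/*.yml "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! has_explicit_permissions "$f"; then
            echo "$name: no top-level permissions: block (GITHUB_TOKEN gets the default scope)"
            rc=1
        fi
        refs=$(unpinned_actions "$f") || {
            printf '%s\n' "$refs" | while IFS= read -r ref; do
                echo "$name: not SHA-pinned: $ref"
            done
            rc=1
        }
    done
    return "$rc"
}

# Run the audit only when executed with --audit [DIR]; sourcing just defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_workflows "${2:-.github/workflows}"
fi
```

A trailing `# v4.1.1` comment after a SHA pin (the usual convention that keeps Renovate able to bump it) is stripped before the check, so SHA pins with version comments pass; a bare tag such as `@v5` does not.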

Verifying Installers

This repository's bootstrap process installs tools via automated scripts. For security-conscious users, we recommend verification before execution.

mise (Recommended: Package Manager)

Option 1: Package Manager (Most Secure)

# Debian/Ubuntu (if apt reports no such package, add mise's own apt repository as described in the mise docs)
sudo apt install mise

# Arch Linux
sudo pacman -S mise

# macOS
brew install mise

Option 2: Verify Install Script

# 1. Import mise's GPG release key (fingerprint as published in the mise docs; compare it there before trusting it)
gpg --keyserver hkps://keys.openpgp.org --recv-keys 24853EC9F655CE80B48E6C3A8B81C9D17413A06D

# 2. Fetch the GPG-signed copy of the installer that the mise getting-started docs publish
#    (https://mise.run serves the same script unsigned). gpg --decrypt checks the signature
#    against the key above and writes out the script; stop unless it reports a good signature.
curl -fsSL https://mise.jdx.dev/install.sh.sig | gpg --decrypt > install-mise.sh \
  || { echo "bad or unverifiable signature, not running installer" >&2; rm -f install-mise.sh; }

# 3. Review the verified script before executing
less install-mise.sh

# 4. Run installer (it carries embedded checksums for the mise binary it downloads)
bash install-mise.sh

Option 3: Cargo (Rust Toolchain)

cargo install mise     # builds from source with the Rust toolchain alone
# or, if cargo-binstall is installed, fetch the prebuilt binary instead:
cargo binstall mise

chezmoi (Recommended: Package Manager)

Option 1: Package Manager (Most Secure)

# Debian/Ubuntu
sudo apt install chezmoi

# Arch Linux
sudo pacman -S chezmoi

# macOS
brew install chezmoi

Option 2: Verify Binary with cosign

# Install cosign for verification
brew install cosign  # or use package manager

# Download chezmoi binary, checksum file and signature (confirm the exact file names on the release page)
VERSION="2.54.0"  # Check latest: https://github.com/twpayne/chezmoi/releases
curl -LO "https://github.com/twpayne/chezmoi/releases/download/v${VERSION}/chezmoi_${VERSION}_linux_amd64.tar.gz"
curl -LO "https://github.com/twpayne/chezmoi/releases/download/v${VERSION}/checksums.txt"
curl -LO "https://github.com/twpayne/chezmoi/releases/download/v${VERSION}/checksums.txt.sig"

# Verify the signature on the checksum file. cosign verify-blob needs the signer's key:
# obtain chezmoi's cosign public key from the chezmoi project (not from the release page
# you are verifying) and pass it with --key; the path below is a placeholder.
# Do not continue unless cosign prints "Verified OK".
cosign verify-blob --key chezmoi-cosign.pub --signature checksums.txt.sig checksums.txt

# Only then verify the tarball against the signed checksums. --ignore-missing skips entries
# for binaries you did not download; GNU sha256sum still fails if no file at all was verified.
sha256sum -c checksums.txt --ignore-missing

Option 3: Review Install Script

# Download and review installer (give curl an explicit https:// scheme; with a bare
# hostname curl defaults to plaintext http://, which an on-path attacker can tamper with)
curl -fsSL https://get.chezmoi.io -o install-chezmoi.sh
less install-chezmoi.sh  # Review before executing

# Run installer
sh install-chezmoi.sh

Bootstrap Script Security

Our scripts/bootstrap uses the convenience installers for ease of setup. For production or security-sensitive environments:

  1. Review the bootstrap script before execution:

    curl -fsSL https://raw.githubusercontent.com/jerdaw/dotfiles/main/scripts/bootstrap -o bootstrap.sh
    less bootstrap.sh
    bash bootstrap.sh
  2. Use package managers instead: Install mise and chezmoi via your system's package manager, then manually clone and apply dotfiles:

    # Install via package manager (mise may need its own apt repository added first; see the mise docs)
    sudo apt install mise chezmoi  # or brew/pacman
    
    # Clone and setup
    git clone https://github.com/jerdaw/dotfiles.git ~/localsync/dotfiles
    cd ~/localsync/dotfiles
    mise trust && mise install
    mise run install
  3. Pin installer versions: For CI/CD, pin the exact versions (and, where available, the checksums) of what your automation downloads instead of fetching whatever is latest, so an upstream change to an installer cannot silently change what runs on your machines.
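Steps 1 and 3 combine naturally: review the installer once, record its SHA-256, and have the bootstrap refuse to run anything that hashes differently. The script below is an added example and is not the repository's own scripts/bootstrap; it fetches the same two installers this page uses, but only executes them after a digest match. The digest constants are placeholders that must be replaced with values computed from a copy you reviewed yourself, and the `--run` flag and function names are this example's own.

```bash
#!/bin/sh
# Added example, not the repository's scripts/bootstrap. Runs the same two installers
# the page uses, but only after each downloaded script matches a SHA-256 that was
# recorded after a manual review (steps 1 and 3 above). Assumptions: curl is present;
# the digest values below are PLACEHOLDERS that must be replaced with digests you
# computed yourself from a reviewed copy.

# Print the SHA-256 of FILE with whichever tool the host has (GNU coreutils or BSD/perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        shasum -a 256 -- "$1" | cut -d' ' -f1
    fi
}

# Return 0 if FILE hashes to EXPECTED (hex, either case), 1 otherwise.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Download URL to DEST and verify it against EXPECTED. On mismatch the file is
# removed so a rejected installer is never left lying around to be run by hand later.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url" || return 1
    if ! verify_sha256 "$dest" "$expected"; then
        echo "REFUSING $url: SHA-256 $(sha256_of "$dest") does not match pinned $expected" >&2
        rm -f -- "$dest"
        return 1
    fi
}

# Placeholders: record the real digests from copies you reviewed, e.g.
#   curl -fsSL https://mise.run -o install-mise.sh && less install-mise.sh && sha256sum install-mise.sh
MISE_INSTALLER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
CHEZMOI_INSTALLER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Fetch both installers into a scratch directory and run them only if both verify.
pinned_bootstrap() {
    work=$(mktemp -d) || return 1
    fetch_verified https://mise.run "$MISE_INSTALLER_SHA256" "$work/install-mise.sh" || return 1
    fetch_verified https://get.chezmoi.io "$CHEZMOI_INSTALLER_SHA256" "$work/install-chezmoi.sh" || return 1
    sh "$work/install-mise.sh" && sh "$work/install-chezmoi.sh"
}

# Run the bootstrap only when executed with --run; sourcing just defines the functions.
if [ "${1:-}" = "--run" ]; then
    pinned_bootstrap
fi
```

The pin is meant to break: when upstream changes an installer the bootstrap stops until someone re-reviews the new script and updates the digest, which is the whole point of step 1. Because the mise installer carries embedded checksums for the binary it downloads (noted in Option 2 above), pinning that script also pins the binary it will fetch.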

Security Features

  • Age Encryption: Modern, secure secrets encryption
  • Gitleaks: Prevent secret leaks in commits
  • Renovate: Automated dependency updates
  • Health Checks: mise run doctor validates security posture
  • Server Mode: Production-hardened deployment mode

Questions?

For security questions or concerns, please open a GitHub issue or see our documentation.

There aren’t any published security advisories