docs: add security.txt (#1974)

Signed-off-by: Sebastian Beltran <bjohansebas@gmail.com> Co-authored-by: shubham oulkar <91728992+ShubhamOulkar@users.noreply.github.com> Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com> Co-authored-by: Jon Church <me@jonchurch.com>
2026-02-21 19:41:33 +00:00 · 2026-01-19 15:55:57 -05:00
parent c2106f9470
commit 9bb1ff2109
3 changed files with 50 additions and 1 deletions
--- a/.github/workflows/update-external-docs.yml
+++ b/.github/workflows/update-external-docs.yml
@@ -10,6 +10,47 @@ permissions:
    contents: write

 jobs:
+    update-security:
+        runs-on: ubuntu-latest
+        if: github.repository_owner == 'expressjs'
+        steps:
+            - uses: actions/checkout@v6
+
+            - name: Check security.txt expiry
+              id: expiry
+              run: |
+                set -eo pipefail
+                expires=$(grep -i '^Expires:' .well-known/security.txt | sed 's/.*: //')
+                if [ "$(date -d "$expires" +%s)" -le "$(date -d '+30 days' +%s)" ]; then
+                  echo "bump=true" >> "$GITHUB_OUTPUT"
+                fi
+
+            - name: Bump Expires
+              if: steps.expiry.outputs.bump == 'true'
+              run: sed -i "s/^Expires:.*/Expires: $(date -u -d '+180 days' +%Y-%m-%dT00:00:00Z)/I" .well-known/security.txt
+
+            - name: Create Pull Request
+              if: steps.expiry.outputs.bump == 'true'
+              uses: gr2m/create-or-update-pull-request-action@v1
+              env:
+                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              with:
+                commit-message: 'docs: update security.txt expiry'
+                title: 'docs: update security.txt expiry'
+                body: |
+                  This PR extends the `Expires` date in `.well-known/security.txt`.
+
+                  Before merging, please explicitly confirm that:
+                  - The security contact listed is still correct and actively monitored
+                  - The linked security policy is still accurate
+                  - The project's preferred vulnerability disclosure path has not changed
+
+                  Only merge if the above information is still valid; otherwise, update it before extending the expiration.
+
+                  cc: @expressjs/security-wg
+                labels: docs
+                branch: bot/security-expiry
+
    update-docs:
        runs-on: ubuntu-latest
        if: github.repository_owner == 'expressjs'
@@ -38,7 +79,7 @@ jobs:
                  
                  cc: @expressjs/docs-wg
                labels: docs
-                branch: external-docs
+                branch: bot/update-external-docs

    synchronize-with-crowdin:
        runs-on: ubuntu-latest
--- a/.well-known/security.txt
+++ b/.well-known/security.txt
@@ -0,0 +1,6 @@
+# Our security contact
+Contact: mailto:express-security@lists.openjsf.org
+# Our security policy
+Policy: https://github.com/expressjs/express/security/policy
+# Expires this policy
+Expires: 2025-12-31T00:00:00Z
--- a/_config.yml
+++ b/_config.yml
@@ -106,3 +106,5 @@ exclude:
  - [uk/CHANGELOG.md]
  - vendor/bundle
  - node_modules/
+
+include: [".well-known"]