From 9bb1ff2109d5fc0bb3d2d25b255bd0e416ad03c2 Mon Sep 17 00:00:00 2001
From: Sebastian Beltran
Date: Mon, 19 Jan 2026 15:55:57 -0500
Subject: [PATCH] docs: add security.txt (#1974)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Sebastian Beltran
Co-authored-by: shubham oulkar <91728992+ShubhamOulkar@users.noreply.github.com>
Co-authored-by: Ulises Gascón
Co-authored-by: Jon Church
---
 .github/workflows/update-external-docs.yml | 43 +++++++++++++++++++++-
 .well-known/security.txt | 6 +++
 _config.yml | 2 +
 3 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 .well-known/security.txt

diff --git a/.github/workflows/update-external-docs.yml b/.github/workflows/update-external-docs.yml
index a62fa93e..93abc217 100644
--- a/.github/workflows/update-external-docs.yml
+++ b/.github/workflows/update-external-docs.yml
@@ -10,6 +10,47 @@ permissions:
 contents: write
 jobs:
+ update-security:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'expressjs'
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Check security.txt expiry
+ id: expiry
+ run: |
+ set -eo pipefail
+ expires=$(grep -i '^Expires:' .well-known/security.txt | sed 's/.*: //')
+ if [ "$(date -d "$expires" +%s)" -le "$(date -d '+30 days' +%s)" ]; then
+ echo "bump=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Bump Expires
+ if: steps.expiry.outputs.bump == 'true'
+ run: sed -i "s/^Expires:.*/Expires: $(date -u -d '+180 days' +%Y-%m-%dT00:00:00Z)/I" .well-known/security.txt
+
+ - name: Create Pull Request
+ if: steps.expiry.outputs.bump == 'true'
+ uses: gr2m/create-or-update-pull-request-action@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ commit-message: 'docs: update security.txt expiry'
+ title: 'docs: update security.txt expiry'
+ body: |
+ This PR extends the `Expires` date in `.well-known/security.txt`.
+
+ Before merging, please explicitly confirm that:
+ - The security contact listed is still correct and actively monitored
+ - The linked security policy is still accurate
+ - The project's preferred vulnerability disclosure path has not changed
+
+ Only merge if the above information is still valid; otherwise, update it before extending the expiration.
+
+ cc: @expressjs/security-wg
+ labels: docs
+ branch: bot/security-expiry
+
 update-docs:
 runs-on: ubuntu-latest
 if: github.repository_owner == 'expressjs'
@@ -38,7 +79,7 @@ jobs:
 cc: @expressjs/docs-wg
 labels: docs
- branch: external-docs
+ branch: bot/update-external-docs
 synchronize-with-crowdin:
 runs-on: ubuntu-latest
diff --git a/.well-known/security.txt b/.well-known/security.txt
new file mode 100644
index 00000000..f5502202
--- /dev/null
+++ b/.well-known/security.txt
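Review bot: In the `Check security.txt expiry` step a malformed or hand-edited `Expires` value is silently ignored: `date -d "$expires"` runs inside the `if` condition, where `set -e` does not apply, so a parse failure leaves the left operand empty, the `-le` test returns non-zero, and the run goes green without setting `bump`. Evaluate the date in its own assignment so the step fails loudly, e.g. `expires_epoch=$(date -d "$expires" +%s)` followed by `if [ "$expires_epoch" -le "$(date -d '+30 days' +%s)" ]; then`. Separately, `actions/checkout@v6` and `gr2m/create-or-update-pull-request-action@v1` are referenced by mutable tag; for a job that rewrites a repository file and opens pull requests with `GITHUB_TOKEN`, pinning both to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening, unless the repository already enforces that elsewhere. The job's trigger (`on:`) and the top-level `permissions:` block start outside this hunk, so whether `pull-requests: write` is granted for the PR step cannot be checked here.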
@@ -0,0 +1,6 @@
+# Our security contact
+Contact: mailto:express-security@lists.openjsf.org
+# Our security policy
+Policy: https://github.com/expressjs/express/security/policy
+# Expires this policy
+Expires: 2025-12-31T00:00:00Z
\ No newline at end of file
diff --git a/_config.yml b/_config.yml
index a53e4539..5abcc77f 100644
--- a/_config.yml
+++ b/_config.yml
@@ -106,3 +106,5 @@ exclude:
 - [uk/CHANGELOG.md]
 - vendor/bundle
 - node_modules/
+
+include: [".well-known"]
\ No newline at end of file
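Review bot: The `Expires` value `2025-12-31T00:00:00Z` is already in the past relative to this commit's date (19 Jan 2026), so the file is published expired; RFC 9116 tells consumers to treat an expired security.txt as stale, and the workflow's bump only lands after its next scheduled run plus a reviewed PR. Set a forward date at creation instead, e.g. `Expires: 2026-07-18T00:00:00Z` (constructed: 180 days after the commit date, matching the bump step's window; the RFC recommends keeping it under a year ahead). The file also ends without a trailing newline, which the RFC's line grammar requires for every field including the last, and GNU `sed -i` in the bump step will preserve that omission rather than fix it. Minor wording: `# Expires this policy` would read better as `# This policy expires on the date below`.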
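Review bot: The added `include: [".well-known"]` line has no trailing newline (`\ No newline at end of file`); end `_config.yml` with a single newline so the next append does not produce a noisy two-line diff. The key itself looks right for what is presumably a Jekyll config, which skips dot-directories unless they are listed under `include`, so the new file should be copied to `/.well-known/security.txt` as intended.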