ghd-test is a public release fixture for ghd, not an end-user security product. The release pipeline is still security-sensitive because ghd uses its artifacts and attestations for functional verification.

Only the latest published release is supported.

Report vulnerabilities privately through GitHub private vulnerability reporting for this repository.

Do not use public GitHub issues, pull requests, discussions, chat channels, or other public forums for vulnerability reports.

Include as much of the following as possible:

• affected release, commit, or workflow run;
• a description of the issue and its impact on release verification;
• steps to reproduce or a minimal proof of concept;
• any relevant logs or attestation verification output.