Report vulnerabilities via GitHub Security Advisories or email security@garnet.ai.
We acknowledge within 48 hours and provide a resolution timeline within 5 business days. Please do not open public issues for security vulnerabilities.
| Version | Supported |
|---|---|
| v2 | ✅ Active |
| v1 | |
| v0 | ❌ Unsupported |
- garnet-org/action
- Jibril binary distributed via this action
- Garnet API and dashboard at app.garnet.ai
Out of scope: third-party dependencies, GitHub Actions infrastructure.
Releases are built from the main branch via GitHub Actions
(release.yaml).
- Stable tags (v1, v2) — advanced manually via workflow_dispatch from a reviewed commit on main.
- Daily builds (v0) — rebuilt nightly from HEAD for early testing.
- CI gate — every push and pull request runs typecheck, build, and dist-verification (ci.yaml).
At runtime the action downloads two binaries:
| Binary | Source | Transport |
|---|---|---|
| garnetctl | garnet-org/garnetctl-releases | HTTPS (enforced) |
| jibril | garnet-org/jibril-releases | HTTPS (enforced) |
Both are fetched from GitHub Releases over HTTPS. The action refuses to
download over non-HTTPS (enforceHttps: true). Secrets written to disk
during setup (/etc/default/jibril) are installed with mode 600 and
deleted in the post step.
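
The two controls described above, as an added Node.js example that is not the action's own source: an HTTPS check for download URLs, and a secrets file created with mode 600 and removed afterwards. The function names are hypothetical, and the demo writes to a temporary directory rather than /etc/default/jibril.

```javascript
// Added example, not the action's source. All function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Reject any download URL that is not HTTPS. Apply this to the initial URL
// and to every redirect target, so a redirect cannot downgrade the transport.
function assertHttps(rawUrl) {
  const url = new URL(rawUrl); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS download: ${url.protocol}//${url.host}`);
  }
  return url;
}

// Create the secrets file with mode 0600 from the start.
// 'wx' (O_CREAT|O_EXCL) fails if the path already exists, so a pre-existing
// file or symlink with looser permissions is never reused. The mode argument
// of a plain write only applies on creation; fchmod makes the mode exact.
function writeSecretFile(file, contents) {
  const fd = fs.openSync(file, 'wx', 0o600);
  try {
    fs.fchmodSync(fd, 0o600);
    fs.writeFileSync(fd, contents);
  } finally {
    fs.closeSync(fd);
  }
  return fs.statSync(file).mode & 0o777;
}

// Post-step cleanup: remove the file and tolerate it already being gone.
function removeSecretFile(file) {
  fs.rmSync(file, { force: true });
  return !fs.existsSync(file);
}

// Constructed demo: temp directory and a made-up value, no real secret.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'secret-demo-'));
  const file = path.join(dir, 'jibril.env');
  const mode = writeSecretFile(file, 'EXAMPLE_TOKEN=constructed-value\n');
  const removed = removeSecretFile(file);
  fs.rmSync(dir, { recursive: true, force: true });
  return { mode, removed };
}
```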
This action is open source. The entrypoint code is at:
- Main step: src/action.js
- Post step: src/post.js
Pre-built bundles in dist/ are verified against source on every PR
by the CI workflow. Read the source before you install.