Draft
doc: add standardized README Security Policy section#26
Conversation
Copilot
AI
changed the title
[WIP] Update README Security Policy section
doc: add standardized README Security Policy section
Jun 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This updates
zenstruck/uri’s README to align the Security Policy guidance with the required standardized wording and formatting, using the repository-specific security URL.README security policy standardization
## Security Policysection (or equivalent replacement point) inREADME.md.Resulting section
Original prompt
Create exactly one pull request for
zenstruck/urito update its README Security Policy section.Requirements:
zenstruck/urifor now.kbond/urias the head repository. Do not create any branch on the upstreamzenstruck/urirepository.kbond/urito the upstreamzenstruck/urirepository.Security Policy
If you discover a security vulnerability, please do not open a public issue or pull request. Instead, please review this repository's Security Policy for instructions on how to report it responsibly.
Important constraints:
kbond/uri, not a branch onzenstruck/uri.zenstruck/uri.The following is the prior conversation context from the user's chat exploration (may be truncated):
User: Ok, I see you created the one for foundry. I have some modifications to make before proceeding with the others:
Assistant: Understood.
I’ll correct the pattern for the remaining repos:
I can’t retroactively patch the already-running batch from here without starting a new task, so the safest path is:
If you want, I can start a new run now with these exact corrected rules:
zenstruck/*Packagist packagecopilotforkIf you want me to proceed, say:
And if you want, I can also include:
User: for the foundry PR, you didn't use a fork, I didn't want a branch created on the zenstruck repo
Assistant: You're right — that didn't follow your instructions.
The Foundry PR should have:
copilotforkzenstruck/foundryThe clean next step is to restart the rollout with the corrected rules and treat Foundry as needing correction too.
Please reply with:
Then I’ll start a fresh run with:
zenstruckrepos on Packagistcopilotfork onlyUser: can you proceed with just zenstruck.browser and I'll review
Assistant: Yes — I’m ready to proceed with just
zenstruck/browser, and the next step is your approval of the new GitHub action prompt so I can create that single corrected PR.User: @copilot Accepted Confirmation: Confirm cloud agent session
Assistant: Started — I’m proceeding with just
zenstruck/browserusing the corrected requirements.You can track it here:
https://github.com/copilot/tasks/pull/PR_kwDOEtnq8M7hwfES?session_id=61827fbf-c3c9-458a-aa89-b795ba556b13
User: @zenstruck/browser/pull/193 you didn't use a fork, is this not possible?
Assistant: It looks like the PR was opened from the upstream repo, not from a fork, so with the current agent path this may not be possible to enforce reliably.
From the PR metadata you shared:
zenstruck/browsercopilot/browserforkSo yes: in this workflow, fork-based PR creation does not appear to be happening reliably, even when explicitly requested.
Your practical options are:
Proceed without the fork requirement
I can continue opening PRs directly from branches on the upstream repos.
Stop here and do a manual fork-based workflow yourself
If fork-only is a hard requirement, that’s the safer route.
Use me for the content only
I can help generate the exact README patch/PR text repo by repo, and you or another automation can open the fork-based PRs.
My recommendation: if the fork requirement is strict, **don’t continu...
This pull request was created from Copilot chat.