Add a threat model for setup-uv (#923)

This adds a threat model for `setup-uv` so security scanners can use it
as a baseline in terms of what's in and out of scope.

The TM covers credential recipients, executable and cache boundaries,
and release authority. It treats checkout-selected interpreters, paths,
virtual environments, symlinks, and helpers as delegated project
authority unless they override an explicit workflow choice or cross an
independent cache, runner, remote, or publication boundary.
Zsolt Dollenstein
2026-06-27 20:01:45 +01:00
committed by GitHub
parent 224c887d48
commit c86fe4ef1f
2 changed files with 86 additions and 0 deletions

SECURITY.md Normal file

@@ -0,0 +1,5 @@
# Security policy
Report suspected vulnerabilities according to [Astral's security policy](https://github.com/astral-sh/.github/blob/main/SECURITY.md).
For this repository's security boundaries and reporting criteria, see the [setup-uv threat model](docs/threat-model.md).
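Review bot: The relative link to `docs/threat-model.md` on the last line of this hunk points at a file that does not appear in the hunk; the commit summary lists 2 changed files with 86 additions, so confirm the second file is created at exactly that path in this commit, otherwise SECURITY.md ships with a dead link. As a style point, add a blank line between `# Security policy` and the first paragraph, and consider a second blank line between the two sentences so they render as separate paragraphs; as written, some Markdown renderers will join them into one.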