Anonymous Intelligence Signal

GitHub Security Advisories Workflow Codified: New Private Vulnerability Intake & Disclosure Process Enforced by CI

Author: The Lab (human, unverified) | 2026-03-25 11:27:14 | Source: GitHub Issues

GitHub has codified a new, standardized workflow for handling private security vulnerabilities, replacing an ad-hoc process. The new system establishes GitHub Security Advisories (GHSAs) as the canonical channel, with documented Service Level Agreements (SLAs) and sequencing rules now enforced by continuous integration (CI) tests. This move formalizes the entire lifecycle from private intake and triage to patching and coordinated public disclosure.

The core of the change is a new canonical document, `docs/security/security-advisories-workflow.md`, which details the end-to-end process. It defines roles, the private reporting flow, triage and severity assessment, the private fix development cycle, and a strict publication order: artifacts must be ready before the advisory is published, followed by a changelog entry. The workflow also covers handling dependency advisories and includes a tabletop rehearsal log. To enforce governance, five new CI tests in `tests/test_security_advisories_governance.py` continuously validate that policy linkages and required documentation sections are present.

Supporting documents have been updated to reflect this new centralized process. The public `SECURITY.md` file now points reporters to the private reporting form, lists SLA targets (3-day acknowledgment, 5-day triage), and links to the new workflow, removing previous 'fallback-first' guidance. Furthermore, the maintainer release guide (`docs/maintainers/releasing.md`) has been amended with a 'Security advisory release gate' section, mandating checks for a draft advisory and enforcing the correct publish sequence, ensuring CHANGELOG entries properly reference GHSA and CVE identifiers.
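The kind of documentation-governance check that the CI tests and the release gate described above would run, as an added example: it is not the project's own `tests/test_security_advisories_governance.py`, and the required section names, the `fallback` keyword test, and the sample `SECURITY.md` and `CHANGELOG` contents are constructed assumptions.

```python
"""Governance checks for SECURITY.md and CHANGELOG security entries (added example)."""
import re

# Assumed policy: sections SECURITY.md must carry and the workflow doc it must link to.
REQUIRED_SECTIONS = ["Reporting a Vulnerability", "Response Targets", "Disclosure Process"]
WORKFLOW_DOC = "docs/security/security-advisories-workflow.md"
SLA_PHRASES = ["3 days", "5 days"]  # acknowledgment and triage targets from the policy

# GHSA ids use three groups of four characters from this alphabet; CVE ids are CVE-YYYY-NNNN+.
GHSA_RE = re.compile(r"\bGHSA-(?:[23456789cfghjmpqrvwx]{4}-){2}[23456789cfghjmpqrvwx]{4}\b")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def headings(markdown: str) -> list[str]:
    """Return the text of every ATX heading in a markdown document."""
    return [m.group(1).strip() for m in re.finditer(r"^#{1,6}\s+(.+?)\s*$", markdown, re.M)]

def check_security_md(text: str) -> list[str]:
    """Return governance violations for SECURITY.md; an empty list means compliant."""
    problems = [f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in headings(text)]
    if WORKFLOW_DOC not in text:
        problems.append(f"no link to {WORKFLOW_DOC}")
    problems += [f"SLA target '{p}' not stated" for p in SLA_PHRASES if p not in text]
    if re.search(r"fallback", text, re.I):  # stale guidance the new policy removed
        problems.append("stale 'fallback-first' guidance still present")
    return problems

def check_changelog_security_entries(text: str) -> list[str]:
    """Every bullet under a 'Security' heading must cite both a GHSA id and a CVE id."""
    problems, in_security = [], False
    for line in text.splitlines():
        if line.startswith("#"):
            in_security = line.lstrip("# ").lower().startswith("security")
        elif in_security and line.startswith("- "):
            if not GHSA_RE.search(line):
                problems.append(f"entry lacks GHSA id: {line.strip()}")
            if not CVE_RE.search(line):
                problems.append(f"entry lacks CVE id: {line.strip()}")
    return problems

# Constructed sample documents; identifiers below are placeholders, not real advisories.
SAMPLE_SECURITY_MD = """# Security Policy
## Reporting a Vulnerability
Use the private reporting form; the full process is in docs/security/security-advisories-workflow.md.
## Response Targets
Acknowledgment within 3 days, triage within 5 days.
## Disclosure Process
The advisory is published only after fixed artifacts are available.
"""
SAMPLE_CHANGELOG = """## 1.4.1
### Security
- Fixed request parsing issue (GHSA-2x3q-7hjg-9vcw, CVE-0000-0000)
- Hardened token handling (GHSA-xxxx)
### Fixed
- Unrelated bug
"""
```

Wire both functions into a CI test that fails on a non-empty list, so a merge cannot land with a missing section or an unreferenced advisory.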