
Security: serversideup/github-action-selfhostpro-release


SECURITY.md

Security Policy

Reporting a vulnerability

Please do not open a public issue for security problems. Instead, report them privately through GitHub's private vulnerability reporting, or email the maintainers. We'll acknowledge your report and work with you on a fix and disclosure timeline.

Handling secrets

This action authenticates to Self-Host Pro with your account email and a team access token via HTTP Basic auth.

  • Always pass the email and token as ${{ secrets.* }} expressions from repository or organization secrets; never hard-code them in the workflow file, which is committed to the repository's history.
  • The action calls ::add-mask:: on the token so that the value is redacted from the job log (values taken from secrets.* are already masked by the runner; the explicit call also covers a token supplied another way). Do not print the token or the Authorization header yourself in run: steps.
  • Scope tokens to the team that owns the product being released, and rotate a token promptly if it may have been exposed (for example printed in a log, committed to git, or shared outside the team).

Pinning

For supply-chain safety, pin the action to a commit SHA in production workflows (serversideup/github-action-selfhostpro-release@<sha>) rather than a mutable tag or branch, which can be moved to different code after you have reviewed it. Keep the version as a trailing comment (# vX.Y.Z) next to the SHA so the pin stays readable. Dependabot is configured in this repo to keep the actions it uses up to date; it bumps SHA pins and the accompanying version comment together.
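The two rules above (credentials only from secrets.*, every action pinned to a commit SHA) are easy to enforce before a workflow is merged. The script below is an added example, not code from the project or from Self-Host Pro: it scans a workflow for unpinned `uses:` references and for credential inputs given as literals, and runs against a constructed sample workflow embedded in the script. The input names `email` and `token`, the secret names SELFHOSTPRO_EMAIL and SELFHOSTPRO_TOKEN, the all-zero commit SHA and the list of credential-like keys are assumptions made for illustration; check the action's README for its real input names.

```shell
#!/bin/sh
# Added example (not the project's own code): a pre-merge check for
# (1) every `uses:` reference being pinned to a full 40-hex commit SHA and
# (2) credential inputs coming from ${{ secrets.* }} rather than literals.
#
# Constructed sample workflow. Input names `email`/`token` and the secret
# names are assumed; the 40 x "0" SHA is a placeholder, not a real commit of
# the action. The last step deliberately breaks both rules; the checkout step
# is deliberately left on a moving tag.
SAMPLE_WORKFLOW='name: release
on:
  push:
    tags: ["v*"]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: serversideup/github-action-selfhostpro-release@0000000000000000000000000000000000000000 # placeholder SHA, replace with a real commit and its version comment
        with:
          email: ${{ secrets.SELFHOSTPRO_EMAIL }}
          token: ${{ secrets.SELFHOSTPRO_TOKEN }}
      - uses: serversideup/github-action-selfhostpro-release@main
        with:
          email: release-bot@example.com
          token: "hard-coded-team-token-do-not-do-this"
'

# Print every `uses:` reference that is not pinned to a 40-hex commit SHA.
# Local (./path) and docker:// references carry no git ref and are skipped.
unpinned_uses() {
  printf '%s\n' "$1" | awk '
    /^[ \t-]*uses:/ {
      sub(/^[ \t-]*uses:[ \t]*/, "")   # keep only the reference
      sub(/[ \t]*#.*$/, "")            # drop the trailing version comment
      gsub(/["'"'"']/, "")             # drop quotes around the reference
      if ($0 ~ /^\.\// || $0 ~ /^docker:\/\//) next
      n = split($0, parts, "@")
      ref = (n > 1) ? parts[n] : ""
      if (!(ref ~ /^[0-9a-f]+$/ && length(ref) == 40)) print
    }'
}

# Print input lines whose key looks like a credential but whose value is a
# literal rather than a ${{ ... }} expression. The key list is a heuristic.
literal_credentials() {
  printf '%s\n' "$1" | awk '
    {
      line = $0
      sub(/^[ \t]*/, "", line)
      key = line
      sub(/:.*$/, "", key)
      if (tolower(key) ~ /^(email|token|password|secret|api[_-]?key)$/ &&
          index(line, ":") > 0 && index(line, "${{") == 0)
        print line
    }'
}

# Return 0 when the workflow passes both checks, 1 otherwise; findings go to stdout.
check_workflow() {
  status=0
  pins=$(unpinned_uses "$1")
  if [ -n "$pins" ]; then
    printf 'unpinned action references (pin to a commit SHA):\n%s\n' "$pins"
    status=1
  fi
  creds=$(literal_credentials "$1")
  if [ -n "$creds" ]; then
    printf 'credential inputs given as literals (use secrets.*):\n%s\n' "$creds"
    status=1
  fi
  return "$status"
}

# Run against the constructed sample. A CI hook would instead pass the
# contents of each file under .github/workflows/ and fail the job on status 1.
check_workflow "$SAMPLE_WORKFLOW" || echo "workflow check failed (expected for the sample)"
```

In CI, loop over `.github/workflows/*.yml` and call check_workflow on each file's contents; once every pin carries a `# vX.Y.Z` comment, Dependabot's SHA bumps keep passing the check without manual edits.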

There aren't any published security advisories