Enact security policy (#1604)

### What kind of change does this PR introduce?

* Adds a security policy

### Does this PR introduce a breaking change?

No.

### Other information:

This Pull Request is waiting on the following:
- [x] Creation of a mail account/redirect specific for the GitHub
Organization Admins and major project leads.
    - Done (Office email group redirect for [email protected]) 
- [x] Make this email redirect group public.
- [x] Creation of a PGP key pair for encrypted emails (following email
creation).
- [x] `CHANGES.rst` should be updated with this information as an
announcement.

This information will be reusable for all projects falling under
Ouranosinc.

.github/workflows/main.yml

@@ -84,6 +84,8 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            api.github.com:443
+            dap.service.does.not.exist:443
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443

CHANGES.rst

@@ -11,6 +11,7 @@ Announcements
 * `xclim` now officially supports Python3.12 (requires `numba>=0.59.0`). (:pull:`1613`).
 * `xclim` now adheres to the `Semantic Versioning 2.0.0 <https://semver.org/>`_ specification. (:issue:`1556`, :pull:`1569`).
 * The `xclim` repository now uses `GitHub Discussions <https://github.com/Ouranosinc/xclim/discussions>`_ to offer help for users, coordinate translation efforts, and support general Q&A for the `xclim` community. The `xclim` `Gitter` room has been deprecated in favour of GitHub Discussions. (:issue:`1571`, :pull:`1572`).
+* For secure correspondence, `xclim` now offers a PGP key for users to encrypt sensitive communications. For more information, see the ``SECURITY.md``. (:issue:`1181`, :pull:`1604`).
 
 New features and enhancements
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

CODE_OF_CONDUCT.md

@@ -60,7 +60,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-[email protected].
+[github-[email protected]](mailto:[email protected]).
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the

SECURITY.md

@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+`xclim` is in rapid development and receives regular updates every four to six (4-6) weeks. In the event of a security-related bug discovery soon after the release of an `xclim` version, the last supported version will receive a patch release.
+
+## Reporting a Vulnerability
+
+If you believe you have found a security vulnerability in `xclim`, we encourage you to let us know right away. We take all security vulnerabilities seriously and appreciate your efforts to responsibly disclose them.
+
+Please follow these steps to report a security vulnerability:
+
+1. **Email**: Email [[email protected]](mailto:[email protected]) with a detailed description of the vulnerability. If applicable, please include any steps or a proof-of-concept to help us understand and reproduce the issue.
+
+2. **Encryption (Optional)**: If you are concerned about the sensitivity of the information you are sharing, you can use the PGP key found below to encrypt your communication.
+
+3. **Response**: We will acknowledge your email within 48 hours and work with you to understand and confirm the vulnerability.
+
+4. **Fix and Disclosure**: Once the vulnerability is confirmed, we will work to address it promptly. We appreciate your patience as we investigate and implement a fix. Once resolved, we will coordinate the disclosure and provide credit to the reporter unless they prefer to remain anonymous.
+
+## PGP Encryption Key
+
+You can use the following PGP key to encrypt your communications with us:
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mDMEZamQrhYJKwYBBAHaRw8BAQdA+saPvmvr1MYe1nQy3n3QDcRE9T7UzTJ1XH31
+    EI4Zb6u0Mk91cmFub3MgR2l0SHViIFN1cHBvcnQgPGdpdGh1Yi1zdXBwb3J0QG91
+    cmFub3MuY2E+iJkEExYKAEEWIQSeAu+Cbjupx79jy9VeVFD6o5TVcwUCZamQrgIb
+    AwUJCWYBgAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBeVFD6o5TVc4ho
+    AQDXjDkx0b3A7yl6PQ4hBJ2uYzw0UWbml7mUwVdhMmdZkQD/VJZQNWrCQeOtYEM8
+    icZJYwR/OsKFOWqlDytusGGtjwa4OARlqZCuEgorBgEEAZdVAQUBAQdAa41Zabjz
+    P9O+p6tI69Cnft6U5om3+qCcMo8amTqauH0DAQgHiH4EGBYKACYWIQSeAu+Cbjup
+    x79jy9VeVFD6o5TVcwUCZamQrgIbDAUJCWYBgAAKCRBeVFD6o5TVcwmaAQClDxW6
+    2gir7lhRXAcO+vmRImpGd29TrkcQVh+ak7VlwQEA706d7Kusiorlf/h8pLSoNMmS
+    kuLGmHpUJ8NVGppU+wo=
+    =wuxr
+    -----END PGP PUBLIC KEY BLOCK-----

docs/conf.py

@@ -103,6 +103,7 @@
     "sphinx_autodoc_typehints",
     "sphinx_codeautolink",
     "sphinx_copybutton",
+    "sphinx_mdinclude",
     "sphinx_rtd_theme",
 ]
 
@@ -248,7 +249,7 @@ class XCStyle(AlphaStyle):
 # the built documents.
 #
 # The short X.Y version.
-version = xclim.__version__
+version = xclim.__version__.split("-")[0]
 # The full version, including alpha/beta/rc tags.
 release = xclim.__version__
 
@@ -267,6 +268,7 @@ class XCStyle(AlphaStyle):
     "Thumbs.db",
     ".DS_Store",
     "notebooks/xclim_training",
+    "paper/paper.md",
     "**.ipynb_checkpoints",
 ]
 

docs/index.rst

@@ -41,6 +41,7 @@ Leveraging xarray and dask, users can easily bias-adjust climate simulations ove
 
    authors
    changes
+   security
    references
 
 .. toctree::

docs/security.rst

@@ -0,0 +1 @@
+.. mdinclude:: ../SECURITY.md

environment.yml

@@ -65,6 +65,7 @@ dependencies:
   - sphinx-autodoc-typehints
   - sphinx-codeautolink
   - sphinx-copybutton
+  - sphinx-mdinclude
   - sphinx-rtd-theme >=1.0
   - sphinxcontrib-bibtex
   - tokenize-rt

pyproject.toml

@@ -98,6 +98,7 @@ dev = [
   "sphinx-autodoc-typehints",
   "sphinx-codeautolink",
   "sphinx-copybutton",
+  "sphinx-mdinclude",
   "sphinx-rtd-theme >=1.0",
   "sphinxcontrib-bibtex",
   "sphinxcontrib-svg2pdfconverter[Cairosvg]"