Please do not open public issues for security problems involving credentials, token handling, or unintended secret exposure.

Report privately to the maintainer with:

• affected version
• reproduction steps
• expected behavior
• actual behavior
• whether credentials may have been exposed

• never persist GitHub tokens in git remote URLs
• avoid printing tokens to stdout or stderr
• keep secret-file workflows outside repository trees