Security: osodevops/keito-action

SECURITY.md

Security

Report security issues privately to the Keito team before opening public issues.

Secrets

  • Store KEITO_API_KEY in GitHub Secrets.
  • Store KEITO_ACCOUNT_ID in Secrets or Variables.
  • The action masks the API key and GitHub token immediately.
  • Do not put Keito credentials in .keito/config.yml.

Permissions

Use the least permissions needed by your workflow. Comment and reaction support needs issues: write and pull-requests: write; dry-run and no-comment usage can use read-only issue and pull request permissions.

Supply Chain

Release builds commit dist/index.js so users can pin a tag or commit SHA. Consumers with stricter policies should pin to a full commit SHA.
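A consumer-side check for the Secrets, Permissions and Supply Chain guidance above. This is an added example, not code from the keito-action project. The function name, the `posts_comments` flag and the sample workflow (including how it passes the key through `env`) are assumptions made for illustration.

```python
import re

ACTION = "osodevops/keito-action"  # repository named on this page
USES = re.compile(r"uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
WRITE = re.compile(r"^\s*(issues|pull-requests):\s*write\b")
KEY_LITERAL = re.compile(r"KEITO_API_KEY\s*[:=]\s*(\S.*)")

def audit_workflow(text, posts_comments=True):
    """Return (line_number, message) findings for one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split(" #", 1)[0]  # ignore trailing YAML comments
        m = USES.search(code)
        if m and not FULL_SHA.fullmatch(m.group(1)):
            findings.append((n, f"action ref '{m.group(1)}' is not a full commit SHA"))
        if re.match(r"^\s*permissions:\s*write-all\b", code):
            findings.append((n, "permissions: write-all grants every scope"))
        w = WRITE.match(code)
        if w and not posts_comments:
            findings.append((n, f"{w.group(1)}: write not needed for dry-run or no-comment use"))
        k = KEY_LITERAL.search(code)
        if k and not k.group(1).startswith("${{ secrets."):
            findings.append((n, "KEITO_API_KEY is not read from GitHub Secrets"))
    return findings

# Constructed sample workflow: the tag, the key value and the env usage are made up.
SAMPLE = """\
name: keito
on: pull_request
permissions:
  contents: read
  issues: write
  pull-requests: write
jobs:
  track:
    runs-on: ubuntu-latest
    steps:
      - uses: osodevops/keito-action@v1
        env:
          KEITO_API_KEY: placeholder-not-a-real-key
          KEITO_ACCOUNT_ID: ${{ vars.KEITO_ACCOUNT_ID }}
"""

if __name__ == "__main__":
    for n, msg in audit_workflow(SAMPLE, posts_comments=False):
        print(f"line {n}: {msg}")
```

The check is line-based and does not parse YAML, so it misses values split across lines or built from expressions.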

There aren't any published security advisories