update security workflow

[evanorti]

Update locations in script

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
cosmos-docs	🟢 Ready	View Preview	Apr 10, 2026, 8:27 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[greptile-apps]

Greptile Summary

This PR corrects the sync target for the security documentation workflow — previously writing to the archived sdk/v0.53/security/ directory (which CLAUDE.md prohibits editing), it now correctly outputs to sdk/latest/security/. The three MDX pages are refreshed with the latest content from cosmos/security, the "Additional Resources" links are updated from relative paths to absolute Mintlify paths, and a new Group Module Audit entry is added.

Confidence Score: 5/5

Safe to merge — the core fix (moving sync target off the archived v0.53 directory) is correct and all remaining findings are P2 style suggestions.

No P0 or P1 findings. The two P2 comments flag that sdk/next/security/ will drift and that the absolute link template is not parameterized for a potential next/ target — both are non-blocking quality notes.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/sync-security-docs.yml	Updated diff check path and PR body from sdk/v0.53/security/ to sdk/latest/security/ to match the script's corrected output directory; sdk/next/security/ is not checked or synced.
scripts/versioning/sync-security-docs.js	Changed OUTPUT_DIR from sdk/v0.53/security (archived, forbidden) to sdk/latest/security; updated "Additional Resources" links from relative (./security-policy) to absolute Mintlify paths (/sdk/latest/security/security-policy), which is the correct convention.
sdk/latest/security/audits.mdx	Updated sync date to Apr 10, 2026; added new "Group Module Audit" entry; fixed relative links to absolute Mintlify paths.
sdk/latest/security/bug-bounty.mdx	Updated sync date; added Zcash as an additional disclosure-practices reference alongside Ethereum Geth and Bitcoin Core.
sdk/latest/security/security-policy.mdx	Sync date updated to Apr 10, 2026; no other changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Actions: weekly cron / manual trigger] --> B[sync-security-docs.js]
    B --> C[Fetch from cosmos/security repo]
    C --> D[POLICY.md → security-policy.mdx]
    C --> E[SECURITY.md → bug-bounty.mdx]
    C --> F[audits/ tree → audits.mdx]
    D --> G[Write to sdk/latest/security/]
    E --> G
    F --> G
    G --> H{git diff sdk/latest/security/}
    H -- changes detected --> I[create-pull-request: sync-security-docs branch]
    H -- no changes --> J[No PR created]
    K[sdk/next/security/] -.->|not synced| B

Loading

Comments Outside Diff (1)

1. .github/workflows/sync-security-docs.yml, line 37-43 (link)

   sdk/next/security/ is not checked or updated

   The workflow now correctly targets sdk/latest/security/, but sdk/next/security/ exists with its own copies of all three security pages (last synced Feb 23, 2026) and will continue to drift. Per the CLAUDE.md convention, changes made to latest/ should be mirrored in next/. If keeping next/ in sync is intentional, consider either running the script against both directories or adding a separate check-for-changes step for sdk/next/security/.

_{Reviews (1): Last reviewed commit: "update security workflow" | Re-trigger Greptile}

[greptile-apps]

Hardcoded latest/ paths won't work if next/ is also synced

The generated "Additional Resources" links are hardcoded to /sdk/latest/security/.... This is correct for sdk/latest/, but sdk/next/security/ also exists (with its own copies of these files) and is currently not touched by the sync. If the workflow is extended to also output to next/, the embedded links in next/ pages will still point to latest/ — which is arguably intentional, but worth being explicit about. If same-version cross-linking is ever needed for next/, the OUTPUT_DIR / target directory would need to be parameterized in the template.