diff --git a/.gitea/workflows/android-screenshots.yml b/.gitea/workflows/android-screenshots.yml index a548aa8..4df40dc 100644 --- a/.gitea/workflows/android-screenshots.yml +++ b/.gitea/workflows/android-screenshots.yml @@ -25,7 +25,8 @@ jobs: java-version: "21" - name: Android SDK - uses: android-actions/setup-android@v3 + # SHA-pinned for parity with android.yml (third-party action). v3 = 9fc6c4e. + uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3 # No NDK/CMake — the screenshot unit tests are pure JVM. compileSdk 37 auto-downloads via AGP # if the platform channel lacks it (same note as android.yml). diff --git a/.gitea/workflows/android.yml b/.gitea/workflows/android.yml index e708a91..3e8eacd 100644 --- a/.gitea/workflows/android.yml +++ b/.gitea/workflows/android.yml @@ -43,7 +43,9 @@ jobs: "$RUSTUP" target add aarch64-linux-android armv7-linux-androideabi x86_64-linux-android - name: Android SDK - uses: android-actions/setup-android@v3 + # SHA-pinned: this workflow's release job carries the signing keystore + Play service-account + # secrets, so a moved tag on a third-party action could exfiltrate them. v3 = 9fc6c4e. + uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3 - name: NDK r30 + platform 36 + build-tools + CMake (libopus cross-build) # cmake;3.22.1 installs cmake + ninja under $ANDROID_SDK/cmake/3.22.1/bin — the exact path diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml index b855906..9d0d84a 100644 --- a/.gitea/workflows/audit.yml +++ b/.gitea/workflows/audit.yml @@ -1,7 +1,10 @@ -# Supply-chain advisory scan for the (network-facing, crypto-heavy) Rust dependency tree. -# Runs `cargo audit` against the RustSec advisory DB: weekly (catch newly-disclosed CVEs in -# pinned deps), on every Cargo.lock change (catch a bad dep the moment it lands), and on demand. -# To silence a known-unfixable advisory, add it to `.cargo/audit.toml` ([advisories] ignore = [...]). +# Supply-chain advisory scan for BOTH dependency trees the project ships to users: +# * cargo-audit → the (network-facing, crypto-heavy) Rust tree, against the RustSec advisory DB. +# * bun audit → the web management console (Nitro/Bun BFF) — the component that holds the login +# gate, session sealing, and the mgmt bearer token, so its deps matter too. +# Triggers: weekly (catch newly-disclosed CVEs in pinned deps), on every lockfile change (catch a bad +# dep the moment it lands), and on demand. +# To silence a known-unfixable Rust advisory, add it to `.cargo/audit.toml` ([advisories] ignore=[…]). name: audit on: @@ -9,7 +12,7 @@ on: - cron: '0 6 * * 1' # Mondays 06:00 UTC push: branches: [main] - paths: ['Cargo.lock', '.gitea/workflows/audit.yml'] + paths: ['Cargo.lock', 'web/bun.lock', '.gitea/workflows/audit.yml'] workflow_dispatch: jobs: @@ -31,3 +34,25 @@ jobs: git config --global --add safe.directory "$PWD" command -v cargo-audit >/dev/null 2>&1 || cargo install --locked cargo-audit cargo audit + + bun-audit: + runs-on: ubuntu-24.04 + container: + image: oven/bun:1 + timeout-minutes: 15 + defaults: + run: + working-directory: web + steps: + # oven/bun's slim base lacks a CA bundle + git — actions/checkout's HTTPS fetch needs them + # (same preamble as web-screenshots.yml / ci.yml's web job). + - name: Install git + CA certs + working-directory: / + run: apt-get update && apt-get install -y --no-install-recommends ca-certificates git + - uses: actions/checkout@v4 + # `bun audit` queries the registry advisory DB for the versions pinned in web/bun.lock. No + # install/build needed — it reads the manifest + lockfile. Fails the job on any advisory, the + # same fail-on-vulnerability stance as cargo-audit above; triage a finding by bumping the dep + # (or, if genuinely unfixable + inapplicable, pinning a resolution and noting why here). + - name: bun audit + run: bun audit diff --git a/.gitea/workflows/docker.yml b/.gitea/workflows/docker.yml index 13fce1d..bd14194 100644 --- a/.gitea/workflows/docker.yml +++ b/.gitea/workflows/docker.yml @@ -86,7 +86,10 @@ jobs: - uses: actions/checkout@v4 - name: Sync compose file - uses: appleboy/scp-action@v0.1.7 + # SHA-pinned (not tag-pinned): this action receives DEPLOY_SSH_KEY + host/user/port, so a + # moved tag would mean credential exfiltration. v0.1.7 = 917f8b8. Bump both the SHA and the + # trailing version together when upgrading. + uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7 with: host: ${{ secrets.DEPLOY_HOST }} username: ${{ secrets.DEPLOY_USER }} @@ -97,7 +100,8 @@ jobs: overwrite: true - name: Pull and start docs - uses: appleboy/ssh-action@v1.2.5 + # SHA-pinned: receives DEPLOY_SSH_KEY + REGISTRY_TOKEN (see the scp step above). v1.2.5 = 0ff4204. + uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5 env: REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} with: