ci: SHA-pin secret-bearing third-party actions + audit the web dep tree
- Pin android-actions/setup-android, appleboy/scp-action, and appleboy/ssh-action to commit SHAs (version kept in a trailing comment). These run in jobs holding the Android signing keystore, Play service-account, and deploy SSH key, so a moved tag on a third-party action could exfiltrate them. - Add a bun-audit job to audit.yml over web/bun.lock — the console holds the login gate, session sealing, and mgmt token, so its deps matter too — and trigger the workflow on web/bun.lock changes alongside Cargo.lock. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -25,7 +25,8 @@ jobs:
|
|||||||
java-version: "21"
|
java-version: "21"
|
||||||
|
|
||||||
- name: Android SDK
|
- name: Android SDK
|
||||||
uses: android-actions/setup-android@v3
|
# SHA-pinned for parity with android.yml (third-party action). v3 = 9fc6c4e.
|
||||||
|
uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3
|
||||||
|
|
||||||
# No NDK/CMake — the screenshot unit tests are pure JVM. compileSdk 37 auto-downloads via AGP
|
# No NDK/CMake — the screenshot unit tests are pure JVM. compileSdk 37 auto-downloads via AGP
|
||||||
# if the platform channel lacks it (same note as android.yml).
|
# if the platform channel lacks it (same note as android.yml).
|
||||||
|
|||||||
@@ -43,7 +43,9 @@ jobs:
|
|||||||
"$RUSTUP" target add aarch64-linux-android armv7-linux-androideabi x86_64-linux-android
|
"$RUSTUP" target add aarch64-linux-android armv7-linux-androideabi x86_64-linux-android
|
||||||
|
|
||||||
- name: Android SDK
|
- name: Android SDK
|
||||||
uses: android-actions/setup-android@v3
|
# SHA-pinned: this workflow's release job carries the signing keystore + Play service-account
|
||||||
|
# secrets, so a moved tag on a third-party action could exfiltrate them. v3 = 9fc6c4e.
|
||||||
|
uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3
|
||||||
|
|
||||||
- name: NDK r30 + platform 36 + build-tools + CMake (libopus cross-build)
|
- name: NDK r30 + platform 36 + build-tools + CMake (libopus cross-build)
|
||||||
# cmake;3.22.1 installs cmake + ninja under $ANDROID_SDK/cmake/3.22.1/bin — the exact path
|
# cmake;3.22.1 installs cmake + ninja under $ANDROID_SDK/cmake/3.22.1/bin — the exact path
|
||||||
|
|||||||
@@ -1,7 +1,10 @@
|
|||||||
# Supply-chain advisory scan for the (network-facing, crypto-heavy) Rust dependency tree.
|
# Supply-chain advisory scan for BOTH dependency trees the project ships to users:
|
||||||
# Runs `cargo audit` against the RustSec advisory DB: weekly (catch newly-disclosed CVEs in
|
# * cargo-audit → the (network-facing, crypto-heavy) Rust tree, against the RustSec advisory DB.
|
||||||
# pinned deps), on every Cargo.lock change (catch a bad dep the moment it lands), and on demand.
|
# * bun audit → the web management console (Nitro/Bun BFF) — the component that holds the login
|
||||||
# To silence a known-unfixable advisory, add it to `.cargo/audit.toml` ([advisories] ignore = [...]).
|
# gate, session sealing, and the mgmt bearer token, so its deps matter too.
|
||||||
|
# Triggers: weekly (catch newly-disclosed CVEs in pinned deps), on every lockfile change (catch a bad
|
||||||
|
# dep the moment it lands), and on demand.
|
||||||
|
# To silence a known-unfixable Rust advisory, add it to `.cargo/audit.toml` ([advisories] ignore=[…]).
|
||||||
name: audit
|
name: audit
|
||||||
|
|
||||||
on:
|
on:
|
||||||
@@ -9,7 +12,7 @@ on:
|
|||||||
- cron: '0 6 * * 1' # Mondays 06:00 UTC
|
- cron: '0 6 * * 1' # Mondays 06:00 UTC
|
||||||
push:
|
push:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
paths: ['Cargo.lock', '.gitea/workflows/audit.yml']
|
paths: ['Cargo.lock', 'web/bun.lock', '.gitea/workflows/audit.yml']
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
@@ -31,3 +34,25 @@ jobs:
|
|||||||
git config --global --add safe.directory "$PWD"
|
git config --global --add safe.directory "$PWD"
|
||||||
command -v cargo-audit >/dev/null 2>&1 || cargo install --locked cargo-audit
|
command -v cargo-audit >/dev/null 2>&1 || cargo install --locked cargo-audit
|
||||||
cargo audit
|
cargo audit
|
||||||
|
|
||||||
|
bun-audit:
|
||||||
|
runs-on: ubuntu-24.04
|
||||||
|
container:
|
||||||
|
image: oven/bun:1
|
||||||
|
timeout-minutes: 15
|
||||||
|
defaults:
|
||||||
|
run:
|
||||||
|
working-directory: web
|
||||||
|
steps:
|
||||||
|
# oven/bun's slim base lacks a CA bundle + git — actions/checkout's HTTPS fetch needs them
|
||||||
|
# (same preamble as web-screenshots.yml / ci.yml's web job).
|
||||||
|
- name: Install git + CA certs
|
||||||
|
working-directory: /
|
||||||
|
run: apt-get update && apt-get install -y --no-install-recommends ca-certificates git
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
# `bun audit` queries the registry advisory DB for the versions pinned in web/bun.lock. No
|
||||||
|
# install/build needed — it reads the manifest + lockfile. Fails the job on any advisory, the
|
||||||
|
# same fail-on-vulnerability stance as cargo-audit above; triage a finding by bumping the dep
|
||||||
|
# (or, if genuinely unfixable + inapplicable, pinning a resolution and noting why here).
|
||||||
|
- name: bun audit
|
||||||
|
run: bun audit
|
||||||
|
|||||||
@@ -86,7 +86,10 @@ jobs:
|
|||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Sync compose file
|
- name: Sync compose file
|
||||||
uses: appleboy/scp-action@v0.1.7
|
# SHA-pinned (not tag-pinned): this action receives DEPLOY_SSH_KEY + host/user/port, so a
|
||||||
|
# moved tag would mean credential exfiltration. v0.1.7 = 917f8b8. Bump both the SHA and the
|
||||||
|
# trailing version together when upgrading.
|
||||||
|
uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
|
||||||
with:
|
with:
|
||||||
host: ${{ secrets.DEPLOY_HOST }}
|
host: ${{ secrets.DEPLOY_HOST }}
|
||||||
username: ${{ secrets.DEPLOY_USER }}
|
username: ${{ secrets.DEPLOY_USER }}
|
||||||
@@ -97,7 +100,8 @@ jobs:
|
|||||||
overwrite: true
|
overwrite: true
|
||||||
|
|
||||||
- name: Pull and start docs
|
- name: Pull and start docs
|
||||||
uses: appleboy/ssh-action@v1.2.5
|
# SHA-pinned: receives DEPLOY_SSH_KEY + REGISTRY_TOKEN (see the scp step above). v1.2.5 = 0ff4204.
|
||||||
|
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
|
||||||
env:
|
env:
|
||||||
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
with:
|
with:
|
||||||
|
|||||||
Reference in New Issue
Block a user