diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml
new file mode 100644
index 0000000..b855906
--- /dev/null
+++ b/.gitea/workflows/audit.yml
@@ -0,0 +1,33 @@
+# Supply-chain advisory scan for the (network-facing, crypto-heavy) Rust dependency tree.
+# Runs `cargo audit` against the RustSec advisory DB: weekly (catch newly-disclosed CVEs in
+# pinned deps), on every Cargo.lock change (catch a bad dep the moment it lands), and on demand.
+# To silence a known-unfixable advisory, add it to `.cargo/audit.toml` ([advisories] ignore = [...]).
+name: audit
+
+on:
+ schedule:
+ - cron: '0 6 * * 1' # Mondays 06:00 UTC
+ push:
+ branches: [main]
+ paths: ['Cargo.lock', '.gitea/workflows/audit.yml']
+ workflow_dispatch:
+
+jobs:
+ cargo-audit:
+ runs-on: ubuntu-24.04
+ container:
+ image: git.unom.io/unom/punktfunk-rust-ci:latest
+ timeout-minutes: 30
+ steps:
+ - uses: actions/checkout@v4
+ # Cache /usr/local/cargo so the cargo-audit binary (and the advisory DB clone) persist.
+ - uses: actions/cache@v4
+ with:
+ path: /usr/local/cargo
+ key: cargo-audit-${{ hashFiles('Cargo.lock') }}
+ restore-keys: cargo-audit-
+ - name: cargo audit
+ run: |
+ git config --global --add safe.directory "$PWD"
+ command -v cargo-audit >/dev/null 2>&1 || cargo install --locked cargo-audit
+ cargo audit
diff --git a/packaging/debian/build-deb.sh b/packaging/debian/build-deb.sh
index f0cec39..4ab6b7f 100755
--- a/packaging/debian/build-deb.sh
+++ b/packaging/debian/build-deb.sh
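Review bot: The bare `cargo audit` on the hunk's last line fails the job only on vulnerability advisories; unmaintained, unsound and yanked advisories are, by default, printed as warnings with exit status 0, so the weekly run stays green on exactly the class of findings the header comment's `.cargo/audit.toml` ignore list is meant to be the escape hatch for. If the scan is intended as a gate, `cargo audit --deny warnings` (or a narrower `--deny unsound --deny yanked`) turns those into failures while accepted advisories can still be listed in `.cargo/audit.toml`. The `actions/checkout@v4` and `actions/cache@v4` references and the `punktfunk-rust-ci:latest` container image are all mutable tags, so the scanner's own toolchain can drift underneath this supply-chain check; pinning the actions to a commit, `uses: actions/checkout@<commit-sha>  # v4`, and the image to a digest or version tag is the usual mitigation. The push `paths` filter also omits `.cargo/audit.toml`, so an edit to the ignore list is not re-checked until the next Monday or a manual `workflow_dispatch`.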
@@ -45,12 +45,18 @@ install -Dm0644 scripts/punktfunk-host.service "$STAGE/usr/lib/systemd/user/
 # /usr/bin. Rewrite it so a fresh apt install (no hand-rolled unit) starts the installed binary.
 sed -i 's#%h/punktfunk/target/release/punktfunk-host#/usr/bin/punktfunk-host#' \
 "$STAGE/usr/lib/systemd/user/punktfunk-host.service"
+# Optional headless KWin session unit (the kwin --virtual appliance), as the RPM/Arch ship.
+# Repoint its ExecStart from the dev source tree to the packaged script. NOT enabled by default.
+install -Dm0644 scripts/punktfunk-kde-session.service "$STAGE/usr/lib/systemd/user/punktfunk-kde-session.service"
+sed -i 's#%h/punktfunk/scripts/headless/run-headless-kde.sh#/usr/share/punktfunk-host/headless/run-headless-kde.sh#' \
+ "$STAGE/usr/lib/systemd/user/punktfunk-kde-session.service"
 install -Dm0755 scripts/headless/run-headless-kde.sh "$SHAREDIR/headless/run-headless-kde.sh"
 install -Dm0755 scripts/headless/run-headless-sway.sh "$SHAREDIR/headless/run-headless-sway.sh"
 install -Dm0644 scripts/headless/kde-authorized "$SHAREDIR/headless/kde-authorized"
 install -Dm0644 scripts/headless/punktfunk-sink.conf "$SHAREDIR/headless/punktfunk-sink.conf"
 install -Dm0644 scripts/host.env.example "$SHAREDIR/host.env.example"
 install -Dm0644 packaging/bazzite/host.env "$SHAREDIR/host.env.bazzite"
+install -Dm0644 packaging/kde/host.env "$SHAREDIR/host.env.kde"
 install -Dm0644 docs/api/openapi.json "$SHAREDIR/openapi.json"
 install -Dm0644 LICENSE-MIT "$DOCDIR/LICENSE-MIT"
 install -Dm0644 LICENSE-APACHE "$DOCDIR/LICENSE-APACHE"
diff --git a/packaging/rpm/punktfunk.spec b/packaging/rpm/punktfunk.spec
index fa2b9a7..93d4880 100644
--- a/packaging/rpm/punktfunk.spec
+++ b/packaging/rpm/punktfunk.spec
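Review bot: The new `sed` that repoints `punktfunk-kde-session.service` hard-codes `/usr/share/punktfunk-host/headless/run-headless-kde.sh` as the replacement, while the script it must point at is installed two lines later under `$SHAREDIR/headless/run-headless-kde.sh`; `SHAREDIR` is defined above the hunk, and if it is ever changed the unit's ExecStart would silently name a file the package does not ship. If `SHAREDIR` is rooted in `$STAGE`, deriving the target from it, e.g. `"${SHAREDIR#"$STAGE"}/headless/run-headless-kde.sh"`, keeps the two in step. `sed -i` also exits 0 when its pattern matches nothing, so any later edit to the ExecStart line in `scripts/punktfunk-kde-session.service` would leave the packaged unit pointing into `%h/punktfunk/...` in a user's home directory; a post-check such as `grep -q '/usr/share/punktfunk-host/headless/run-headless-kde.sh' "$STAGE/usr/lib/systemd/user/punktfunk-kde-session.service" || { echo 'kde-session ExecStart not rewritten' >&2; exit 1; }` fails the build instead. The same unchecked rewrite already exists for `punktfunk-host.service` at the top of the hunk and would benefit from the same guard.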
@@ -31,8 +31,10 @@ URL: https://git.unom.io/unom/punktfunk # COPR SCM builds provide the checkout; for a tarball build, drop a git archive here: Source0: %{name}-%{version}.tar.gz -# punktfunk-host is Linux-only and links system FFmpeg/PipeWire/Opus. -ExclusiveArch: x86_64 aarch64 +# punktfunk-host is Linux-only and links system FFmpeg/PipeWire/Opus. x86_64 only for now: encode +# is NVENC (desktop NVIDIA) and no aarch64 build is produced/published by CI — claiming aarch64 +# here would advertise an arch we never ship. Re-add aarch64 once there's an arm64 build leg. +ExclusiveArch: x86_64 # The zerocopy FFI links the NVIDIA driver's libcuda.so.1; rpm's auto-dep generator would turn # that into a hard Requires on libcuda.so.1 (and we never want to pin the driver — NVENC/EGL come