Commit Graph

2 Commits

Author SHA1 Message Date
enricobuehler 5a51b0d8e7 ci: SHA-pin secret-bearing third-party actions + audit the web dep tree
- Pin android-actions/setup-android, appleboy/scp-action, and
  appleboy/ssh-action to commit SHAs (version kept in a trailing comment).
  These run in jobs holding the Android signing keystore, Play
  service-account, and deploy SSH key, so a moved tag on a third-party
  action could exfiltrate them.
- Add a bun-audit job to audit.yml over web/bun.lock — the console holds
  the login gate, session sealing, and mgmt token, so its deps matter too
  — and trigger the workflow on web/bun.lock changes alongside Cargo.lock.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-06 07:28:45 +02:00
enricobuehler 837b6fabb1 feat(dist): aarch64 honesty, Debian KWin-unit parity, cargo-audit CVE scan (P1/P2)
- spec: narrow ExclusiveArch to x86_64 — no aarch64 build is produced/published (NVENC is
  desktop-NVIDIA), so claiming aarch64 advertised an arch we never ship.
- build-deb.sh: ship punktfunk-kde-session.service (ExecStart repointed to the packaged
  run-headless-kde.sh) + host.env.kde, matching the RPM/Arch — the deb README's "mirrors the
  Fedora RPM" claim now holds.
- audit.yml: weekly + Cargo.lock-change `cargo audit` over the network-facing crypto dep tree
  (RustSec advisories); ignore unfixables via .cargo/audit.toml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 10:34:32 +00:00