5a51b0d8e7
- Pin android-actions/setup-android, appleboy/scp-action, and appleboy/ssh-action to commit SHAs (version kept in a trailing comment). These run in jobs holding the Android signing keystore, Play service-account, and deploy SSH key, so a moved tag on a third-party action could exfiltrate them. - Add a bun-audit job to audit.yml over web/bun.lock — the console holds the login gate, session sealing, and mgmt token, so its deps matter too — and trigger the workflow on web/bun.lock changes alongside Cargo.lock. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
59 lines
2.4 KiB
YAML
59 lines
2.4 KiB
YAML
# Supply-chain advisory scan for BOTH dependency trees the project ships to users:
|
|
# * cargo-audit → the (network-facing, crypto-heavy) Rust tree, against the RustSec advisory DB.
|
|
# * bun audit → the web management console (Nitro/Bun BFF) — the component that holds the login
|
|
# gate, session sealing, and the mgmt bearer token, so its deps matter too.
|
|
# Triggers: weekly (catch newly-disclosed CVEs in pinned deps), on every lockfile change (catch a bad
|
|
# dep the moment it lands), and on demand.
|
|
# To silence a known-unfixable Rust advisory, add it to `.cargo/audit.toml` ([advisories] ignore=[…]).
|
|
name: audit
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 6 * * 1' # Mondays 06:00 UTC
|
|
push:
|
|
branches: [main]
|
|
paths: ['Cargo.lock', 'web/bun.lock', '.gitea/workflows/audit.yml']
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
cargo-audit:
|
|
runs-on: ubuntu-24.04
|
|
container:
|
|
image: git.unom.io/unom/punktfunk-rust-ci:latest
|
|
timeout-minutes: 30
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
# Cache /usr/local/cargo so the cargo-audit binary (and the advisory DB clone) persist.
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: /usr/local/cargo
|
|
key: cargo-audit-${{ hashFiles('Cargo.lock') }}
|
|
restore-keys: cargo-audit-
|
|
- name: cargo audit
|
|
run: |
|
|
git config --global --add safe.directory "$PWD"
|
|
command -v cargo-audit >/dev/null 2>&1 || cargo install --locked cargo-audit
|
|
cargo audit
|
|
|
|
bun-audit:
|
|
runs-on: ubuntu-24.04
|
|
container:
|
|
image: oven/bun:1
|
|
timeout-minutes: 15
|
|
defaults:
|
|
run:
|
|
working-directory: web
|
|
steps:
|
|
# oven/bun's slim base lacks a CA bundle + git — actions/checkout's HTTPS fetch needs them
|
|
# (same preamble as web-screenshots.yml / ci.yml's web job).
|
|
- name: Install git + CA certs
|
|
working-directory: /
|
|
run: apt-get update && apt-get install -y --no-install-recommends ca-certificates git
|
|
- uses: actions/checkout@v4
|
|
# `bun audit` queries the registry advisory DB for the versions pinned in web/bun.lock. No
|
|
# install/build needed — it reads the manifest + lockfile. Fails the job on any advisory, the
|
|
# same fail-on-vulnerability stance as cargo-audit above; triage a finding by bumping the dep
|
|
# (or, if genuinely unfixable + inapplicable, pinning a resolution and noting why here).
|
|
- name: bun audit
|
|
run: bun audit
|