diff --git a/AUDIT_LOG.md b/AUDIT_LOG.md index e31d710..f3c5cfc 100644 --- a/AUDIT_LOG.md +++ b/AUDIT_LOG.md @@ -2,6 +2,15 @@ This log tracks all significant changes, updates, and versions in the PaperCache project. +## 2026-06-29 (Security & Repo Hygiene Audit Fixes) +**Change:** chore(ci): pin action references in `release.yml` to SHA digests; chore(repo): untrack build binary `PaperCache_aarch64.app.tar.gz` and update `.gitignore`; fix(rust): replace `#[allow(dead_code)]` with `#[cfg(not(target_os = "macos"))]` on debounce constants + +**Details/Why:** +1. **Supply-Chain Security**: Pinned `actions/checkout`, `actions/setup-node`, `dtolnay/rust-toolchain`, and `tauri-apps/tauri-action` in `.github/workflows/release.yml` to immutable SHA digests to prevent action tag hijacking on write-privileged workflows. +2. **Repository Hygiene**: Removed 7MB untracked build archive `PaperCache_aarch64.app.tar.gz` and added `*.app.tar.gz`, `dist/`, and `coverage/` patterns to `.gitignore`. +3. **Rust Config Gating**: Gated `FOCUS_LOSS_DEBOUNCE_MS` in `src-tauri/src/lib.rs` with `#[cfg(not(target_os = "macos"))]` so it is cleanly excluded on macOS where it is not used, eliminating dead-code warnings without blanket suppressions. + +**Files changed:** `.github/workflows/release.yml`, `.gitignore`, `src-tauri/src/lib.rs`, `CHANGELOG.md`, `AUDIT_LOG.md`. ## 2026-06-29 (Code Quality Refactor & Test Suite) **Change:** refactor(shortcuts): extract helper to deduplicate global shortcut trigger logic; fix(timers): manage completion timeout lifecycle in store; test(editor): add comprehensive unit test suite for `VariableScope` diff --git a/CHANGELOG.md b/CHANGELOG.md index d07c0f4..5f8dd85 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -28,6 +28,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **Improved Type Safety**: Replaced `any` with typed interfaces in GraphView; properly typed `openAIChat` API response; aligned async method return types across bridge API. - **Rust Lint Cleanup**: Fixed clippy warnings in notifications.rs; documented suppressions for legacy objc crate macro warnings. +### Security +- **CI Supply-Chain Protection**: Pinned all third-party GitHub Action references in release workflow (`release.yml`) to immutable SHA-1 digests to protect release signing keys against supply-chain attacks. +- **Repository Hygiene**: Removed committed release build artifacts (`*.app.tar.gz`) from repository tracking and updated `.gitignore` to prevent leaking build binaries into git history. + ## [v0.5.5] - 2026-06-27 ### Added
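Review bot: the AUDIT_LOG hunk is inconsistent about the archive's status: the **Change** line says "untrack build binary `PaperCache_aarch64.app.tar.gz`" (and the CHANGELOG hunk calls it a committed artifact), but **Details/Why** item 2 calls it a "7MB untracked build archive". Untracking is only a change if the file was tracked, so reword item 2 to "Removed the committed 7MB build archive ... from tracking" and add that the file remains in existing git history unless history is rewritten. Two smaller points on the same hunk: the `#[cfg(not(target_os = "macos"))]` gate on `FOCUS_LOSS_DEBOUNCE_MS` only compiles on macOS if every use site of the constant is gated the same way, so the entry should record that the macOS build was checked; and digest-pinned actions normally keep a trailing `# vX.Y.Z` comment so dependency-update tooling can still bump them, which the entry does not mention.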
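Review bot: the **Repository Hygiene** bullet in the CHANGELOG hunk overstates what `.gitignore` does: ignoring `*.app.tar.gz` only blocks future adds, and untracking the archive leaves it in the commits already in history, so "prevent leaking build binaries into git history" should read "prevent build binaries from being re-added" with a note that past history still contains the file unless rewritten. Minor: "SHA-1 digests" is correct for git commit SHAs but the AUDIT_LOG hunk says "SHA digests"; pick one wording. Also confirm the new `### Security` section lands under the Unreleased heading rather than inside the previous version's notes, since the context only shows it inserted above `## [v0.5.5] - 2026-06-27`.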