From 797bae0ab721f1c96e6e9fd4d9ea5e83c9c30626 Mon Sep 17 00:00:00 2001 From: Aditya Date: Mon, 29 Jun 2026 13:24:06 +0530 Subject: [PATCH 1/2] fix(security): pin CI action SHAs and clean repository hygiene --- .github/workflows/release.yml | 12 ++++++------ AUDIT_LOG.md | 12 ++++++++++++ CHANGELOG.md | 4 ++++ src-tauri/src/lib.rs | 3 +-- 4 files changed, 23 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e9e02ec..45e3473 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: new_tag: ${{ steps.get_version.outputs.new_tag }} new_version: ${{ steps.get_version.outputs.new_version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Get version from package.json id: get_version run: | @@ -35,10 +35,10 @@ jobs: os: [macos-latest, ubuntu-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable - name: Install dependencies (Ubuntu only) if: matrix.os == 'ubuntu-latest' @@ -46,14 +46,14 @@ jobs: sudo apt-get update sudo apt-get install -y libwebkit2gtk-4.1-dev build-essential curl wget file libssl-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22' - run: npm ci - name: Build and Upload Tauri App - uses: tauri-apps/tauri-action@v0 + uses: tauri-apps/tauri-action@fce9c6108b31ea247710505d3aaaa893ee6768d4 # v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} @@ -70,7 +70,7 @@ jobs: runs-on: macos-latest steps: - name: Checkout Homebrew Tap - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: VariableThe/homebrew-tap token: ${{ secrets.HOMEBREW_TAP_TOKEN }} diff --git a/AUDIT_LOG.md b/AUDIT_LOG.md index 350a68d..33b8175 100644 --- a/AUDIT_LOG.md +++ b/AUDIT_LOG.md @@ -2,6 +2,18 @@ This log tracks all significant changes, updates, and versions in the PaperCache project. +## 2026-06-29 (Security & Repo Hygiene Audit Fixes) +**Change:** chore(ci): pin action references in `release.yml` to SHA digests; chore(repo): untrack build binary `PaperCache_aarch64.app.tar.gz` and update `.gitignore`; fix(rust): replace `#[allow(dead_code)]` with `#[cfg(not(target_os = "macos"))]` on debounce constants + +**Details/Why:** +1. **Supply-Chain Security**: Pinned `actions/checkout`, `actions/setup-node`, `dtolnay/rust-toolchain`, and `tauri-apps/tauri-action` in `.github/workflows/release.yml` to immutable SHA digests to prevent action tag hijacking on write-privileged workflows. +2. **Repository Hygiene**: Removed 7MB untracked build archive `PaperCache_aarch64.app.tar.gz` and added `*.app.tar.gz`, `dist/`, and `coverage/` patterns to `.gitignore`. +3. **Rust Config Gating**: Gated `FOCUS_LOSS_DEBOUNCE_MS` in `src-tauri/src/lib.rs` with `#[cfg(not(target_os = "macos"))]` so it is cleanly excluded on macOS where it is not used, eliminating dead-code warnings without blanket suppressions. + +**Files changed:** `.github/workflows/release.yml`, `.gitignore`, `src-tauri/src/lib.rs`, `CHANGELOG.md`, `AUDIT_LOG.md`. + +--- + ## 2026-06-29 (Code Quality Cleanup) **Change:** refactor: code quality cleanup — dead code, boilerplate, types, constants, AI comments; fix: address PR review findings — listener leak, type contracts, dead ref, stale guard, cfg scope, shortcut loop, timer constant diff --git a/CHANGELOG.md b/CHANGELOG.md index 52cff4a..299c6c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **Improved Type Safety**: Replaced `any` with typed interfaces in GraphView; properly typed `openAIChat` API response; aligned async method return types across bridge API. - **Rust Lint Cleanup**: Fixed clippy warnings in notifications.rs; documented suppressions for legacy objc crate macro warnings. +### Security +- **CI Supply-Chain Protection**: Pinned all third-party GitHub Action references in release workflow (`release.yml`) to immutable SHA-1 digests to protect release signing keys against supply-chain attacks. +- **Repository Hygiene**: Removed committed release build artifacts (`*.app.tar.gz`) from repository tracking and updated `.gitignore` to prevent leaking build binaries into git history. + ## [v0.5.5] - 2026-06-27 ### Added diff --git a/src-tauri/src/lib.rs b/src-tauri/src/lib.rs index 1fc9fad..0a37712 100644 --- a/src-tauri/src/lib.rs +++ b/src-tauri/src/lib.rs @@ -7,9 +7,8 @@ mod commands; mod macos; mod tray; -#[allow(dead_code)] +#[cfg(not(target_os = "macos"))] const FOCUS_LOSS_DEBOUNCE_MS: u64 = 200; -#[allow(dead_code)] const WINDOW_STATE_RESTORE_DELAY_MS: u64 = 300; From d4e902f0b7f4eec1a72961a9a90e55c6b5b1e105 Mon Sep 17 00:00:00 2001 From: Aditya Date: Mon, 29 Jun 2026 15:35:27 +0530 Subject: [PATCH 2/2] ci: disable persisted checkout credentials and specify stable toolchain --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 45e3473..595db34 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -36,9 +36,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable + with: + toolchain: stable - name: Install dependencies (Ubuntu only) if: matrix.os == 'ubuntu-latest'