ci: add cargo-audit supply-chain gate, drop orphaned -git PKGBUILD

Hygiene audit found deps clean but CI ran no vulnerability scan, so a
future advisory against a locked crate would go undetected. Add an
Audit workflow running cargo audit on push/PR — parses Cargo.lock,
needs no GTK4 build env.

Remove pkg/PKGBUILD: orphaned moonlock-git VCS recipe from the
pre-tag-build era, two minors behind; canonical packaging lives in
moonarch-pkgbuilds and is auto-bumped by update-pkgver.yaml. Drop the
now-dead pkg/* makepkg ignore lines and add .pytest_cache/.

No version bump — no change to the binary.
2026-06-17 11:06:23 +02:00
parent d292eaa4c8
commit 56a8634a58
4 changed files with 30 additions and 56 deletions
@@ -2,6 +2,13 @@
Architectural and design decisions for Moonlock, in reverse chronological order.
## 2026-06-17 Add cargo-audit CI gate, remove orphaned `-git` PKGBUILD
- **Who**: ClaudeCode, Dom
- **Why**: A hygiene audit found supply chain and dependency health clean (`cargo audit` 0.22.2: 0 vulnerabilities across 116 crates), but flagged repo-hygiene gaps: CI (`.gitea/workflows/`) only auto-bumped pkgver and ran no vulnerability scan, so a future advisory against a locked dependency would go undetected; `pkg/PKGBUILD` was an orphaned `moonlock-git` VCS PKGBUILD (`pkgver=0.4.1.r1...`, two minor versions behind v0.6.18) left over from the pre-tag-build era — the canonical packaging now lives in `moonarch-pkgbuilds/moonlock/PKGBUILD` and is auto-bumped by `update-pkgver.yaml`; a stray `.pytest_cache/` sat in the repo root of this pure-Rust project, only suppressed by a user-global gitignore.
- **Tradeoffs**: CI gate scoped to `cargo audit` only, not `cargo test`/`clippy`/`build``cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment, whereas the broader checks depend on the `moonarch` runner having the full dev toolchain, which is unverified and beyond the hygiene scope. `cargo install cargo-audit` recompiles per run (~2-3 min); accepted, caching deferred. Open risk: the runner must provide a Rust toolchain (`cargo`); `update-pkgver.yaml` only uses `git`, so this needs validation on first run. Deleting `pkg/PKGBUILD` rather than updating it: it is not in the build pipeline and the `-git` variant was abandoned at the tag-build switch (see `moonarch-pkgbuilds/DECISIONS.md` 2026-06-10).
- **How**: New `.gitea/workflows/ci.yaml` (`Audit` workflow, triggers on push to `main`, `v*` tags, and PRs to `main`) clones the repo and runs `cargo audit`. Removed `pkg/PKGBUILD` and the empty `pkg/` dir; dropped the now-dead `pkg/*` makepkg-artifact lines from `.gitignore` and added `.pytest_cache/`. No version bump — no code or behavior change to the binary.
## 2026-06-17 Restore hardened release profile after the crash hunt (v0.6.18)
- **Who**: ClaudeCode, Dom
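Review bot: the **Tradeoffs** bullet of the new 2026-06-17 entry runs two sentences together at "`build``cargo audit` parses `Cargo.lock`"; a separator is missing after the list of excluded checks, e.g. "...not `cargo test`/`clippy`/`build`: `cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment." Since this file is the record future readers consult, the **How** bullet should also state which `cargo-audit` version the gate installs: the entry cites 0.22.2 for the manual audit, but an unpinned `cargo install cargo-audit` pulls whatever is current on each run, so the CI verdict can drift from the audited baseline and that drift should be a documented choice rather than an accident.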