ci: add cargo-audit supply-chain gate, drop orphaned -git PKGBUILD
Hygiene audit found deps clean but CI ran no vulnerability scan, so a future advisory against a locked crate would go undetected. Add an Audit workflow running cargo audit on push/PR — parses Cargo.lock, needs no GTK4 build env. Remove pkg/PKGBUILD: orphaned moonlock-git VCS recipe from the pre-tag-build era, two minors behind; canonical packaging lives in moonarch-pkgbuilds and is auto-bumped by update-pkgver.yaml. Drop the now-dead pkg/* makepkg ignore lines and add .pytest_cache/. No version bump — no change to the binary.
@@ -0,0 +1,22 @@
|
|||||||
|
# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
|
||||||
|
# ABOUTME: Supply-chain gate — fails on a known advisory.
|
||||||
|
|
||||||
|
name: Audit
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
tags: ['v*']
|
||||||
|
pull_request:
|
||||||
|
branches: [main]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
cargo-audit:
|
||||||
|
runs-on: moonarch
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
run: git clone http://gitea:3000/nevaforget/moonlock.git src
|
||||||
|
- name: Install cargo-audit
|
||||||
|
run: cargo install cargo-audit --locked
|
||||||
|
- name: Audit
|
||||||
|
run: cd src && cargo audit
|
||||||
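Review bot: the Checkout step (`run: git clone http://gitea:3000/nevaforget/moonlock.git src`) clones the repository's default branch rather than the ref that triggered the run, so on a `pull_request` or `v*` tag event the gate audits `main`'s `Cargo.lock` instead of the commit under review; add a checkout of the triggering commit after the clone, e.g. `git -C src checkout "$GITHUB_SHA"` (assuming the runner exports the GitHub-compatible `GITHUB_SHA` variable, as Gitea Actions does), or use a checkout action. Separately, the ABOUTME line says the gate "fails on a known advisory", but plain `cargo audit` only exits non-zero for vulnerabilities; unmaintained, unsound and yanked advisories are warnings, so if those should block too, run `cargo audit --deny warnings` in the Audit step.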
@@ -1,7 +1,3 @@
|
|||||||
/target
|
/target
|
||||||
|
|
||||||
# makepkg build artifacts
|
.pytest_cache/
|
||||||
pkg/src/
|
|
||||||
pkg/pkg/
|
|
||||||
pkg/moonlock/
|
|
||||||
pkg/*.pkg.tar.*
|
|
||||||
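Review bot: the new `.pytest_cache/` line replaces the `# makepkg build artifacts` comment but carries no comment of its own, so a reader of this pure-Rust repo's `.gitignore` gets no hint why a pytest directory is listed; add a one-line comment, or, since the commit message describes it as a stray directory that was only masked by a user-global gitignore, delete the directory rather than ignoring it.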
|
|||||||
@@ -2,6 +2,13 @@
|
|||||||
|
|
||||||
Architectural and design decisions for Moonlock, in reverse chronological order.
|
Architectural and design decisions for Moonlock, in reverse chronological order.
|
||||||
|
|
||||||
|
## 2026-06-17 – Add cargo-audit CI gate, remove orphaned `-git` PKGBUILD
|
||||||
|
|
||||||
|
- **Who**: ClaudeCode, Dom
|
||||||
|
- **Why**: A hygiene audit found supply chain and dependency health clean (`cargo audit` 0.22.2: 0 vulnerabilities across 116 crates), but flagged repo-hygiene gaps: CI (`.gitea/workflows/`) only auto-bumped pkgver and ran no vulnerability scan, so a future advisory against a locked dependency would go undetected; `pkg/PKGBUILD` was an orphaned `moonlock-git` VCS PKGBUILD (`pkgver=0.4.1.r1...`, two minor versions behind v0.6.18) left over from the pre-tag-build era — the canonical packaging now lives in `moonarch-pkgbuilds/moonlock/PKGBUILD` and is auto-bumped by `update-pkgver.yaml`; a stray `.pytest_cache/` sat in the repo root of this pure-Rust project, only suppressed by a user-global gitignore.
|
||||||
|
- **Tradeoffs**: CI gate scoped to `cargo audit` only, not `cargo test`/`clippy`/`build` — `cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment, whereas the broader checks depend on the `moonarch` runner having the full dev toolchain, which is unverified and beyond the hygiene scope. `cargo install cargo-audit` recompiles per run (~2-3 min); accepted, caching deferred. Open risk: the runner must provide a Rust toolchain (`cargo`); `update-pkgver.yaml` only uses `git`, so this needs validation on first run. Deleting `pkg/PKGBUILD` rather than updating it: it is not in the build pipeline and the `-git` variant was abandoned at the tag-build switch (see `moonarch-pkgbuilds/DECISIONS.md` 2026-06-10).
|
||||||
|
- **How**: New `.gitea/workflows/ci.yaml` (`Audit` workflow, triggers on push to `main`, `v*` tags, and PRs to `main`) clones the repo and runs `cargo audit`. Removed `pkg/PKGBUILD` and the empty `pkg/` dir; dropped the now-dead `pkg/*` makepkg-artifact lines from `.gitignore` and added `.pytest_cache/`. No version bump — no code or behavior change to the binary.
|
||||||
|
|
||||||
## 2026-06-17 – Restore hardened release profile after the crash hunt (v0.6.18)
|
## 2026-06-17 – Restore hardened release profile after the crash hunt (v0.6.18)
|
||||||
|
|
||||||
- **Who**: ClaudeCode, Dom
|
- **Who**: ClaudeCode, Dom
|
||||||
|
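Review bot: the Tradeoffs paragraph records the unverified `cargo` toolchain on the `moonarch` runner as the open risk but omits the second runtime requirement the workflow introduces: `cargo install cargo-audit` needs crates.io access and `cargo audit` fetches the RustSec advisory database on each run, so the gate also depends on outbound network from the runner and on that database being current. Suggest extending the "Open risk" sentence with the network dependency so the first-run validation covers both.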
|||||||
@@ -1,51 +0,0 @@
|
|||||||
# ABOUTME: PKGBUILD for Moonlock — secure Wayland lockscreen.
|
|
||||||
# ABOUTME: Builds from git source with automatic version detection.
|
|
||||||
|
|
||||||
# Maintainer: Dominik Kressler
|
|
||||||
|
|
||||||
pkgname=moonlock-git
|
|
||||||
pkgver=0.4.1.r1.g78bcf90
|
|
||||||
pkgrel=1
|
|
||||||
pkgdesc="A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
|
|
||||||
arch=('x86_64')
|
|
||||||
url="https://gitea.moonarch.de/nevaforget/moonlock"
|
|
||||||
license=('MIT')
|
|
||||||
depends=(
|
|
||||||
'gtk4'
|
|
||||||
'gtk4-layer-shell'
|
|
||||||
'gtk-session-lock'
|
|
||||||
'pam'
|
|
||||||
'systemd-libs'
|
|
||||||
)
|
|
||||||
makedepends=(
|
|
||||||
'git'
|
|
||||||
'cargo'
|
|
||||||
)
|
|
||||||
optdepends=(
|
|
||||||
'fprintd: fingerprint authentication support'
|
|
||||||
)
|
|
||||||
provides=('moonlock')
|
|
||||||
conflicts=('moonlock')
|
|
||||||
source=("git+${url}.git")
|
|
||||||
sha256sums=('SKIP')
|
|
||||||
|
|
||||||
pkgver() {
|
|
||||||
cd "$srcdir/moonlock"
|
|
||||||
git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./'
|
|
||||||
}
|
|
||||||
|
|
||||||
build() {
|
|
||||||
cd "$srcdir/moonlock"
|
|
||||||
cargo build --release --locked
|
|
||||||
}
|
|
||||||
|
|
||||||
package() {
|
|
||||||
cd "$srcdir/moonlock"
|
|
||||||
install -Dm755 target/release/moonlock "$pkgdir/usr/bin/moonlock"
|
|
||||||
|
|
||||||
# PAM configuration
|
|
||||||
install -Dm644 config/moonlock-pam "$pkgdir/etc/pam.d/moonlock"
|
|
||||||
|
|
||||||
# Example config
|
|
||||||
install -Dm644 config/moonlock.toml.example "$pkgdir/etc/moonlock/moonlock.toml.example"
|
|
||||||
}
|
|
||||||
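Review bot: the deleted `package()` is the only place on this page that installs `config/moonlock-pam` to `/etc/pam.d/moonlock` and `config/moonlock.toml.example` to `/etc/moonlock/`; the commit asserts `moonarch-pkgbuilds/moonlock/PKGBUILD` is canonical, but that file is not in the diff, so confirm before merging that it carries the same PAM service file and example-config install steps, since a lockscreen package shipped without its PAM configuration fails at unlock time rather than at build time.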