Skip to content

Cherry-pick release pipeline security hardening#73

Merged
nedtwigg merged 7 commits into
mainfrom
codex/cherry-pick-release-pipeline-security
May 19, 2026
Merged

Cherry-pick release pipeline security hardening#73
nedtwigg merged 7 commits into
mainfrom
codex/cherry-pick-release-pipeline-security

Conversation

@nedtwigg
Copy link
Copy Markdown
Member

@nedtwigg nedtwigg commented May 19, 2026

Summary

  • Pin GitHub Actions to commit SHAs and set explicit workflow permissions.
  • Gate VS Code publishing behind a protected GitHub environment.
  • Add CI artifact attestations plus local attestation/hash verification before signing.
  • Make release artifact selection strict and harden release-tool command resolution.
  • Generate an ephemeral CI-only Tauri updater key instead of relying on the production signing secret in CI.
  • Add Dependabot coverage for GitHub Actions, npm, and Cargo.

Testing

  • git diff --check passed.
  • bash -n scripts/sign-and-deploy.sh passed.
  • Workflow and Dependabot YAML parsed successfully.

@nedtwigg nedtwigg marked this pull request as ready for review May 19, 2026 06:08
@nedtwigg nedtwigg merged commit 469a0bd into main May 19, 2026
3 checks passed
@nedtwigg nedtwigg deleted the codex/cherry-pick-release-pipeline-security branch May 19, 2026 06:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nedtwigg