Cherry-pick release pipeline security hardening

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/chromatic.yml

@@ -10,23 +10,26 @@ on:
     paths:
       - 'lib/**'
 
+permissions:
+  contents: read
+
 jobs:
   chromatic:
     name: Visual Regression Tests
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4
         with:
           version: 10
 
@@ -35,7 +38,7 @@ jobs:
         working-directory: lib
 
       - name: Run Chromatic
-        uses: chromaui/action@latest
+        uses: chromaui/action@1fd1c4b0d4411b6de61818251f04b047850bf500 # latest
         with:
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           workingDir: lib

.github/workflows/ci.yml

@@ -5,18 +5,21 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     name: Build & Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4
         with:
           version: 10
 
@@ -33,17 +36,17 @@ jobs:
     name: Standalone Smoketest
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4
         with:
           version: 10
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
       - name: Install system dependencies
         run: |

.github/workflows/release.yml

@@ -5,9 +5,16 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: read
+
 jobs:
   build-standalone:
     name: Build Standalone (${{ matrix.target }})
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     strategy:
       matrix:
         include:
@@ -22,25 +29,25 @@ jobs:
             artifact-name: standalone-win-x64
     runs-on: ${{ matrix.platform }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4
         with:
           version: 10
 
       - name: Install workspace dependencies
         run: pnpm install --frozen-lockfile
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           targets: ${{ matrix.target }}
 
       - name: Rust cache
-        uses: swatinem/rust-cache@v2
+        uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
         with:
           workspaces: standalone/src-tauri
 
@@ -50,13 +57,23 @@ jobs:
           sudo apt-get update -qq
           sudo apt-get install -y -qq libgtk-3-dev libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
 
+      - name: Generate ephemeral Tauri updater key
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          key_path="$RUNNER_TEMP/tauri-ci-updater.key"
+          pnpm --dir standalone exec tauri signer generate \
+            --ci \
+            --write-keys "$key_path" \
+            --force
+
+          echo "TAURI_SIGNING_PRIVATE_KEY_PATH=$key_path" >> "$GITHUB_ENV"
+
       - name: Build Tauri app
-        uses: tauri-apps/tauri-action@v0
+        uses: tauri-apps/tauri-action@fce9c6108b31ea247710505d3aaaa893ee6768d4 # v0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Dummy key so Tauri generates updater artifacts; real signing happens locally
-          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         with:
           projectPath: standalone
           tauriScript: pnpm tauri
@@ -75,11 +92,51 @@ jobs:
              standalone/src-tauri/target/${{ matrix.target }}/release/nsis/x64/plugins/
         shell: bash
 
+      - name: Generate artifact manifest
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          cd standalone
+          release_dir="src-tauri/target/${{ matrix.target }}/release"
+          manifest="artifact-manifest.sha256"
+
+          {
+            [[ -f "$release_dir/dormouse.exe" ]] && printf '%s\n' "$release_dir/dormouse.exe"
+            if [[ -d "$release_dir/bundle" ]]; then
+              find -L "$release_dir/bundle" -type f \( \
+                -name "*.exe" -o \
+                -name "*.msi" -o \
+                -name "*.dmg" -o \
+                -path "*.app/*" -o \
+                -name "*.AppImage" -o \
+                -path "*/nsis/*" \
+              \) -print
+            fi
+            [[ -d "$release_dir/nsis" ]] && find -L "$release_dir/nsis" -type f -print
+            [[ -d sidecar ]] && find -L sidecar -type f -print
+            [[ -d src-tauri/binaries ]] && find -L src-tauri/binaries -type f -print
+          } | sort -u | while IFS= read -r file; do
+            if command -v sha256sum >/dev/null 2>&1; then
+              sha256sum "$file"
+            else
+              shasum -a 256 "$file"
+            fi
+          done > "$manifest"
+
+          [[ -s "$manifest" ]]
+
+      - name: Attest artifact manifest
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: standalone/artifact-manifest.sha256
+
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ${{ matrix.artifact-name }}
           path: |
+            standalone/artifact-manifest.sha256
             standalone/src-tauri/target/${{ matrix.target }}/release/dormouse.exe
             standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.exe
             standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.msi
@@ -94,14 +151,18 @@ jobs:
   build-vscode:
     name: Build VSCode Extension
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4
         with:
           version: 10
 
@@ -118,36 +179,69 @@ jobs:
         run: pnpm --filter dormouse build
 
       - name: Package extension
-        run: cd vscode-ext && npx vsce package --no-dependencies
+        run: pnpm --dir vscode-ext exec vsce package --no-dependencies
+
+      - name: Generate artifact manifest
+        shell: bash
+        run: |
+          set -euo pipefail
+          shopt -s nullglob
+
+          cd vscode-ext
+          manifest="artifact-manifest.sha256"
+          files=(*.vsix)
+
+          {
+            for path in "${files[@]}"; do
+              [[ -f "$path" ]] && printf '%s\n' "$path"
+            done
+          } | sort -u | while IFS= read -r file; do
+            if command -v sha256sum >/dev/null 2>&1; then
+              sha256sum "$file"
+            else
+              shasum -a 256 "$file"
+            fi
+          done > "$manifest"
+
+          [[ -s "$manifest" ]]
+
+      - name: Attest artifact manifest
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: vscode-ext/artifact-manifest.sha256
 
       - name: Upload .vsix
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: vscode-extension
-          path: vscode-ext/*.vsix
+          path: |
+            vscode-ext/*.vsix
+            vscode-ext/artifact-manifest.sha256
 
   publish-vscode:
     name: Publish VSCode Extension
     needs:
       - build-standalone
       - build-vscode
     runs-on: ubuntu-latest
+    environment:
+      name: vscode-extension-publish
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4
         with:
           version: 10
 
       - name: Install workspace dependencies
         run: pnpm install --frozen-lockfile
 
       - name: Download .vsix
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: vscode-extension
           path: vscode-ext
@@ -156,7 +250,7 @@ jobs:
         working-directory: vscode-ext
         run: |
           for i in 1 2 3; do
-            npx vsce publish --packagePath *.vsix --no-dependencies && exit 0
+            pnpm exec vsce publish --packagePath *.vsix --no-dependencies && exit 0
             echo "Attempt $i failed, retrying in 10s..."
             sleep 10
           done
@@ -168,7 +262,7 @@ jobs:
         working-directory: vscode-ext
         run: |
           for i in 1 2 3; do
-            npx ovsx publish --packagePath *.vsix --no-dependencies && exit 0
+            pnpm exec ovsx publish --packagePath *.vsix --no-dependencies && exit 0
             echo "Attempt $i failed, retrying in 10s..."
             sleep 10
           done