ci(security): Phase 3 + extra — runner consolidation, auto-rollback, cosign, SRI, dep cleanup

* Phase 3.1 — All CI jobs moved to self-hosted pwap-runner (DEV VPS).
  No more dependency on GitHub-hosted runners — supply-chain attack
  surface from GHA runner image compromise eliminated.
* Phase 3.3 — Automatic rollback on health-check fail. Each deploy stamps
  /.deploy-sha into the artifact. On health-check failure, the deploy
  job reads the previous SHA from the live site, pulls that image, and
  redeploys. Telegram notification differentiates: rolled-back-OK,
  rollback-also-failed, no-prev-available, manual-rollback-needed.
* E.3 — cosign keyless image signing. build-image signs the GHCR
  manifest via Sigstore Fulcio (OIDC, no long-lived keys). deploy-app
  and deploy-pex verify the signature before extracting /dist —
  unsigned or tampered images cannot deploy. Identity-pinned to this
  workflow file.
* E.5 — Subresource Integrity (SRI). vite-plugin-subresource-integrity
  injects sha384 integrity= into <script>/<link> tags at build time.
  CDN/proxy compromise cannot inject tampered JS — browser blocks on
  hash mismatch.
* E.2 — Dependabot triage. 14 alerts: 7 high + 4 moderate cleared via
  npm audit fix + npm overrides (elliptic, create-ecdh). 6 low
  (transitive in vite-plugin-node-polyfills chain) accepted; the
  upstream fix proposes a semver-major DOWNGRADE which makes no sense.
* E.1 — Branch protection on main: CI Gate required, 1 review
  required, force-push and deletion blocked.
2026-05-09 12:08:49 +03:00
parent d93d4c6cd0
commit 06ed9734c6
5 changed files with 207 additions and 14 deletions
@@ -120,7 +120,9 @@
"@pezkuwi/x-textdecoder": "^14.0.25",
"@pezkuwi/x-textencoder": "^14.0.25",
"@pezkuwi/x-ws": "^14.0.25",
"@pezkuwi/networks": "^14.0.25"
"@pezkuwi/networks": "^14.0.25",
"elliptic": "^6.6.1",
"create-ecdh": "^5.0.1"
},
"devDependencies": {
"@eslint/js": "^9.9.0",
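Review bot: `elliptic` and `create-ecdh` are added here as direct `dependencies`, but the commit message says the alerts were cleared via npm overrides, and no `overrides` block appears in this diff. A direct dependency only pins the top-level copy; nested copies that `vite-plugin-node-polyfills` or another transitive consumer resolves to an older range stay in the tree unless an `overrides` entry replaces them. Either add `"overrides": { "elliptic": "^6.6.1", "create-ecdh": "^5.0.1" }` to package.json, or confirm with `npm ls elliptic create-ecdh` that every copy resolves to the patched versions and state that in the message.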
@@ -147,6 +149,7 @@
"typescript-eslint": "^8.0.1",
"vite": "^7.3.1",
"vite-plugin-node-polyfills": "^0.25.0",
"vite-plugin-subresource-integrity": "^0.0.12",
"vitest": "^4.0.10"
}
}
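Review bot: `^0.0.12` resolves to exactly 0.0.12 under caret semantics for a 0.0.x version, so this pre-1.0 plugin receives no updates without an explicit bump; since it runs at build time and rewrites every `<script>`/`<link>` tag in the output, it belongs in the same supply-chain review the message applies to the runner image, so keep the lockfile entry exact and verify the published tarball against the plugin's repository before trusting it. The message should also state that the CDN/proxy protection it claims only holds for cross-origin assets when the generated tags carry `crossorigin`; without it the browser cannot verify a cross-origin script and refuses to load it, which turns a CDN swap into an outage rather than a silent bypass, but is worth documenting.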