pezkuwichain/pwap - pwap - PezkuwiChain Git

pezkuwichain/pwap

Fork 0

mirror of https://github.com/pezkuwichain/pwap.git synced 2026-06-11 21:11:01 +00:00

Commit Graph

Author	SHA1	Message	Date
pezkuwichain	06ed9734c6	ci(security): Faz 3 + ekstra — runner consolidation, auto-rollback, cosign, SRI, dep cleanup * Faz 3.1 — All CI jobs moved to self-hosted pwap-runner (DEV VPS). No more dependency on GitHub-hosted runners — supply-chain attack surface from GHA runner image compromise eliminated. * Faz 3.3 — Automatic rollback on health-check fail. Each deploy stamps /.deploy-sha into the artifact. On health-check failure, the deploy job reads the previous SHA from the live site, pulls that image, and redeploys. Telegram notification differentiates: rolled-back-OK, rollback-also-failed, no-prev-available, manual-rollback-needed. * E.3 — cosign keyless image signing. build-image signs the GHCR manifest via Sigstore Fulcio (OIDC, no long-lived keys). deploy-app and deploy-pex verify the signature before extracting /dist — unsigned or tampered images cannot deploy. Identity-pinned to this workflow file. * E.5 — Subresource Integrity (SRI). vite-plugin-subresource-integrity injects sha384 integrity= into <script>/<link> tags at build time. CDN/proxy compromise cannot inject tampered JS — browser blocks on hash mismatch. * E.2 — Dependabot triage. 14 alerts: 7 high + 4 moderate cleared via npm audit fix + npm overrides (elliptic, create-ecdh). 6 low (transitive in vite-plugin-node-polyfills chain) accepted; the upstream fix proposes a semver-major DOWNGRADE which makes no sense. * E.1 — Branch protection on main: CI Gate ✅ required, 1 review required, force-push and deletion blocked.	2026-05-09 12:08:49 +03:00
pezkuwichain	ca3976fe62	ci(security): Faz 1+2 — Telegram CEO gate, image-based deploy, hardened audits Faz 1 — State-actor threat-model defenses: * Telegram approval gate via PEXSEC_BOT — CEO must approve every deploy in Telegram (30-min timeout). Runs on new self-hosted pwap-runner on DEV VPS, shares /tmp/pexsec-gates/ with pexsec-bot.service. * DEV VPS app-deploy user privilege drop — deploys no longer run as root. CI key restricted with no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc. Privilege drop verified (cannot read /etc/shadow, /root/, sudo blocked). * Image-based deploy — Dockerfile (node 20 build → busybox:musl dist) pushed to GHCR with SHA tag. Deploys pull image, extract /dist, scp to VPS. Immutable artifacts, full provenance. * Health check + Telegram failure alert post-deploy. * Rollback path: workflow_dispatch with rollback_to=<sha> — skips build, redeploys old image. CEO gate still required. Faz 2 — Higher-tier defenses: * TruffleHog secret scan — PR diff (fast) + push full-repo (verified secrets only). * CodeQL SAST workflow — javascript-typescript, security-extended + security-and-quality queries. PR + push + weekly cron. * npm audit raised from --audit-level=critical to --audit-level=high (caught more CVEs). * CI Gate ✅ explicit merge-block job — fails if any required check is not success/skipped.	2026-05-08 20:32:48 +03:00

Author

SHA1

Message

Date

pezkuwichain

06ed9734c6

ci(security): Faz 3 + ekstra — runner consolidation, auto-rollback, cosign, SRI, dep cleanup

* Faz 3.1 — All CI jobs moved to self-hosted pwap-runner (DEV VPS).
  No more dependency on GitHub-hosted runners — supply-chain attack
  surface from GHA runner image compromise eliminated.
* Faz 3.3 — Automatic rollback on health-check fail. Each deploy stamps
  /.deploy-sha into the artifact. On health-check failure, the deploy
  job reads the previous SHA from the live site, pulls that image, and
  redeploys. Telegram notification differentiates: rolled-back-OK,
  rollback-also-failed, no-prev-available, manual-rollback-needed.
* E.3 — cosign keyless image signing. build-image signs the GHCR
  manifest via Sigstore Fulcio (OIDC, no long-lived keys). deploy-app
  and deploy-pex verify the signature before extracting /dist —
  unsigned or tampered images cannot deploy. Identity-pinned to this
  workflow file.
* E.5 — Subresource Integrity (SRI). vite-plugin-subresource-integrity
  injects sha384 integrity= into <script>/<link> tags at build time.
  CDN/proxy compromise cannot inject tampered JS — browser blocks on
  hash mismatch.
* E.2 — Dependabot triage. 14 alerts: 7 high + 4 moderate cleared via
  npm audit fix + npm overrides (elliptic, create-ecdh). 6 low
  (transitive in vite-plugin-node-polyfills chain) accepted; the
  upstream fix proposes a semver-major DOWNGRADE which makes no sense.
* E.1 — Branch protection on main: CI Gate ✅ required, 1 review
  required, force-push and deletion blocked.

2026-05-09 12:08:49 +03:00

pezkuwichain

ca3976fe62

ci(security): Faz 1+2 — Telegram CEO gate, image-based deploy, hardened audits

Faz 1 — State-actor threat-model defenses:
* Telegram approval gate via PEXSEC_BOT — CEO must approve every deploy in Telegram (30-min timeout). Runs on new self-hosted pwap-runner on DEV VPS, shares /tmp/pexsec-gates/ with pexsec-bot.service.
* DEV VPS app-deploy user privilege drop — deploys no longer run as root. CI key restricted with no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc. Privilege drop verified (cannot read /etc/shadow, /root/, sudo blocked).
* Image-based deploy — Dockerfile (node 20 build → busybox:musl dist) pushed to GHCR with SHA tag. Deploys pull image, extract /dist, scp to VPS. Immutable artifacts, full provenance.
* Health check + Telegram failure alert post-deploy.
* Rollback path: workflow_dispatch with rollback_to=<sha> — skips build, redeploys old image. CEO gate still required.

Faz 2 — Higher-tier defenses:
* TruffleHog secret scan — PR diff (fast) + push full-repo (verified secrets only).
* CodeQL SAST workflow — javascript-typescript, security-extended + security-and-quality queries. PR + push + weekly cron.
* npm audit raised from --audit-level=critical to --audit-level=high (caught more CVEs).
* CI Gate ✅ explicit merge-block job — fails if any required check is not success/skipped.

2026-05-08 20:32:48 +03:00

2 Commits