From 5e308ffba9b2a9259ad19e6a006c08dd0ea9e79c Mon Sep 17 00:00:00 2001 From: Jeremiah Russell Date: Wed, 11 Feb 2026 13:42:16 +0000 Subject: [PATCH] feat: add security improvements to CI Add commit signature verification, split security jobs for forked/trusted PRs, and add forked PR isolation on update_prlog. Co-Authored-By: Claude Opus 4.6 Signed-off-by: Jeremiah Russell --- .circleci/config.yml | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 995cd22..8c92125 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -49,6 +49,25 @@ workflows:
 - << pipeline.parameters.validation_flag >>
 - not: << pipeline.parameters.release_flag >>
 jobs:
+ # Signature verification for trusted PRs (with write access for comments)
+ - toolkit/verify_commit_signatures:
+ name: verify_commit_signatures_trusted
+ context: bot-check
+ post_comment: true
+ update_pcu: false
+ filters:
+ branches:
+ ignore:
+ - main
+ - /pull\/[0-9]+/
+ # Signature verification for forked PRs (read-only, no comments)
+ - toolkit/verify_commit_signatures:
+ name: verify_commit_signatures_forked
+ post_comment: false
+ update_pcu: false
+ filters:
+ branches:
+ only: /pull\/[0-9]+/
 - toolkit/label:
 min_rust_version: << pipeline.parameters.min_rust_version >>
 context: pcu-app 
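Review bot: The trusted/forked split between `verify_commit_signatures_trusted` and `verify_commit_signatures_forked` rests on two assumptions the config never states: that CircleCI builds forked PRs under a `pull/N` branch name, and that the `bot-check` context stays out of fork builds only while the project's "Pass secrets to builds from forked pull requests" setting is off. The `/pull\/[0-9]+/` pattern is also unanchored; if CircleCI does not require branch filters to match the full string (confirm in the filter docs), a collaborator branch such as `feature/pull/12` would be routed to the read-only fork job and, since `update_prlog` ignores the same pattern, silently lose the trusted checks. Nothing in the workflow `requires` the forked job, so for fork PRs enforcement depends on it being configured as a required status check in the repository, not on this file. I would anchor both patterns as `/^pull\/[0-9]+$/` and add above the first job: `# Fork PRs build as branch pull/N; this split assumes "Pass secrets to builds from forked PRs" is OFF and that verify_commit_signatures_forked is a required status check.`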
@@ -73,18 +92,34 @@ workflows:
 - toolkit/idiomatic_rust:
 min_rust_version: << pipeline.parameters.min_rust_version >>
 - toolkit/security:
+ name: security audit only
+ sonarcloud: false
+ ignore_advisories: RUSTSEC-2025-0066
+ filters:
+ branches:
+ only: /pull\/[0-9]+/
+ - toolkit/security:
+ name: security with sonarcloud
 context: SonarCloud
 ignore_advisories: RUSTSEC-2025-0066
+ filters:
+ branches:
+ ignore:
+ - /pull\/[0-9]+/
+ - main
 - toolkit/update_prlog:
 filters:
 branches:
 ignore:
+ - /pull\/[0-9]+/
 - main
 requires:
+ - verify_commit_signatures_trusted
 - toolkit/required_builds
 - toolkit/test_doc_build
 - toolkit/idiomatic_rust
- - toolkit/security
+ - security audit only
+ - security with sonarcloud
 - toolkit/common_tests
 context:
 - release
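Review bot: With `security with sonarcloud` now ignoring `main` and `security audit only` restricted to `/pull\/[0-9]+/`, no `toolkit/security` job runs for `main` in this workflow, whereas the replaced unfiltered `toolkit/security` covered every branch the workflow ran on; unless another workflow audits main (not visible here), pushes to main lose the RUSTSEC advisory audit. If that is intended because main is covered elsewhere, record it above the `ignore:` list: `# main is audited by the release workflow; forks get the no-SonarCloud job below`. `ignore_advisories: RUSTSEC-2025-0066` is now repeated in both jobs with no rationale or revisit date; hoist it into a pipeline parameter (`ignore_advisories: << pipeline.parameters.ignored_advisories >>`, alongside the existing `min_rust_version` parameter) and comment there why the advisory is accepted and when to re-evaluate. The new job names use spaces (`security audit only`) while the signature jobs use snake_case; one form, e.g. `security_audit_only`, keeps the `requires` list consistent and greppable.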