From 5e308ffba9b2a9259ad19e6a006c08dd0ea9e79c Mon Sep 17 00:00:00 2001
From: Jeremiah Russell
Date: Wed, 11 Feb 2026 13:42:16 +0000
Subject: [PATCH 1/3] feat: add security improvements to CI

Add commit signature verification, split security jobs for forked/trusted PRs, and add forked PR isolation on update_prlog.

Co-Authored-By: Claude Opus 4.6
Signed-off-by: Jeremiah Russell
---
 .circleci/config.yml | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 995cd22..8c92125 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -49,6 +49,25 @@ workflows:
 - << pipeline.parameters.validation_flag >>
 - not: << pipeline.parameters.release_flag >>
 jobs:
+ # Signature verification for trusted PRs (with write access for comments)
+ - toolkit/verify_commit_signatures:
+ name: verify_commit_signatures_trusted
+ context: bot-check
+ post_comment: true
+ update_pcu: false
+ filters:
+ branches:
+ ignore:
+ - main
+ - /pull\/[0-9]+/
+ # Signature verification for forked PRs (read-only, no comments)
+ - toolkit/verify_commit_signatures:
+ name: verify_commit_signatures_forked
+ post_comment: false
+ update_pcu: false
+ filters:
+ branches:
+ only: /pull\/[0-9]+/
 - toolkit/label:
 min_rust_version: << pipeline.parameters.min_rust_version >>
 context: pcu-app
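Review bot: The fork/trusted split between the two `toolkit/verify_commit_signatures` jobs rests entirely on the branch regex `/pull\/[0-9]+/`, and nothing in the hunk records why that pattern identifies forked PRs or whether it is anchored. If CircleCI's branch filter is not matched against the full branch name, a same-repo branch such as `feature/pull/12` would also land in the unprivileged forked job; `/^pull\/[0-9]+$/` would make the intended anchoring explicit. The comment above the forked job could state the assumption it relies on, e.g. `# Forked PRs build on a pull/<n> branch; no context is attached, so project secrets are never exposed to fork code`. Whether fork builds really receive no secrets also depends on the project's setting for passing secrets to forked builds, which this config cannot enforce. `verify_commit_signatures_forked` is not required by any job in this diff, so its result presumably gates merges only through a required status check — worth confirming.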
@@ -73,18 +92,34 @@ workflows:
 - toolkit/idiomatic_rust:
 min_rust_version: << pipeline.parameters.min_rust_version >>
 - toolkit/security:
+ name: security audit only
+ sonarcloud: false
+ ignore_advisories: RUSTSEC-2025-0066
+ filters:
+ branches:
+ only: /pull\/[0-9]+/
+ - toolkit/security:
+ name: security with sonarcloud
 context: SonarCloud
 ignore_advisories: RUSTSEC-2025-0066
+ filters:
+ branches:
+ ignore:
+ - /pull\/[0-9]+/
+ - main
 - toolkit/update_prlog:
 filters:
 branches:
 ignore:
+ - /pull\/[0-9]+/
 - main
 requires:
+ - verify_commit_signatures_trusted
 - toolkit/required_builds
 - toolkit/test_doc_build
 - toolkit/idiomatic_rust
- - toolkit/security
+ - security audit only
+ - security with sonarcloud
 - toolkit/common_tests
 context:
 - release

From a8f63e8257a2bb258dd7314c6d69a99b064cac49 Mon Sep 17 00:00:00 2001
From: Jeremiah Russell
Date: Wed, 11 Feb 2026 14:09:24 +0000
Subject: [PATCH 2/3] fix(deps): update bytes and time for security

Update bytes 1.11.0 -> 1.11.1 (RUSTSEC-2026-0007) and time 0.3.44 -> 0.3.47 (RUSTSEC-2026-0009).

Co-Authored-By: Claude Opus 4.6
Signed-off-by: Jeremiah Russell
---
 Cargo.lock | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index ccc11c0..8f1b3fb 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -222,9 +222,9 @@ checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510"
 
 [[package]]
 name = "bytes"
-version = "1.11.0"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 dependencies = [
 "serde",
 ]
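Review bot: After this hunk neither security job runs on `main`: `security audit only` is restricted to `only: /pull\/[0-9]+/`, and `security with sonarcloud` ignores both `/pull\/[0-9]+/` and `main`, whereas the unfiltered `toolkit/security` job it replaces ran on every branch this workflow admits. Unless `main` is audited by a workflow outside this hunk, dropping `- main` from the SonarCloud job's ignore list restores the previous coverage. The `ignore_advisories: RUSTSEC-2025-0066` suppression now appears twice with no stated reason; a single pipeline parameter would keep the two in step, and a comment such as `# RUSTSEC-2025-0066 accepted because <reason>; revisit when <condition>` would record why the advisory is tolerated. The new job names `security audit only` and `security with sonarcloud` contain spaces and are referenced from `requires`; snake_case names like `security_audit_only` would match the other jobs in the workflow (`verify_commit_signatures_trusted`).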
@@ -1422,9 +1422,9 @@ checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"
 
 [[package]]
 name = "num-conv"
-version = "0.1.0"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
 
 [[package]]
 name = "num-traits"
@@ -2090,9 +2090,9 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.44"
+version = "0.3.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
 dependencies = [
 "deranged",
 "itoa",
@@ -2100,22 +2100,22 @@ dependencies = [
 "num-conv",
 "num_threads",
 "powerfmt",
- "serde",
+ "serde_core",
 "time-core",
 "time-macros",
 ]
 
 [[package]]
 name = "time-core"
-version = "0.1.6"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b"
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
 
 [[package]]
 name = "time-macros"
-version = "0.2.24"
+version = "0.2.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
 dependencies = [
 "num-conv",
 "time-core",

From 3c58611aed2d1ced9b15dc41c973b5974aec8404 Mon Sep 17 00:00:00 2001
From: Jerus Bot <171541392+jerus-bot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 14:12:03 +0000
Subject: [PATCH 3/3] chore: update prlog for pr

Signed-off-by: Jerus Bot <171541392+jerus-bot@users.noreply.github.com>
---
 PRLOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/PRLOG.md b/PRLOG.md
index 6e1efb3..0aee3f9 100644
--- a/PRLOG.md
+++ b/PRLOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - ✨ add optional rules path argument to cli(pr [#110])
 - ✨ enhance rules configuration(pr [#112])
 - BREAKING: migrate to circleci-toolkit v4.2.1(pr [#134])
+- add security improvements to CI(pr [#142])
 
 ### Changed
 
@@ -413,6 +414,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#139]: https://github.com/jerus-org/cull-gmail/pull/139
 [#140]: https://github.com/jerus-org/cull-gmail/pull/140
 [#141]: https://github.com/jerus-org/cull-gmail/pull/141
+[#142]: https://github.com/jerus-org/cull-gmail/pull/142
 
 [Unreleased]: https://github.com/jerus-org/cull-gmail/compare/v0.0.16...HEAD
 [0.0.16]: https://github.com/jerus-org/cull-gmail/compare/v0.0.15...v0.0.16
 [0.0.15]: https://github.com/jerus-org/cull-gmail/compare/v0.0.14...v0.0.15