feat: add security improvements to CI (#142)

## Summary

- Add dual commit signature verification (trusted PRs with comments,
forked PRs read-only)
- Split security job into audit-only (forked PRs) and SonarCloud-enabled
(trusted branches)
- Add forked PR isolation filter on `update_prlog`
- Add signature verification as gating requirement for `update_prlog`

Part of Phase 3 security improvements rollout across jerus-org repos.

## Test plan

- [ ] Signature verification jobs run on PRs
- [ ] Security jobs split correctly (audit-only vs SonarCloud)
- [ ] `update_prlog` filters forked PRs
- [ ] `update_prlog` requires signature verification

🤖 Generated with [Claude Code](https://claude.com/claude-code)

.circleci/config.yml

@@ -49,6 +49,25 @@ workflows:
         - << pipeline.parameters.validation_flag >>
         - not: << pipeline.parameters.release_flag >>
     jobs:
+      # Signature verification for trusted PRs (with write access for comments)
+      - toolkit/verify_commit_signatures:
+          name: verify_commit_signatures_trusted
+          context: bot-check
+          post_comment: true
+          update_pcu: false
+          filters:
+            branches:
+              ignore:
+                - main
+                - /pull\/[0-9]+/
+      # Signature verification for forked PRs (read-only, no comments)
+      - toolkit/verify_commit_signatures:
+          name: verify_commit_signatures_forked
+          post_comment: false
+          update_pcu: false
+          filters:
+            branches:
+              only: /pull\/[0-9]+/
       - toolkit/label:
           min_rust_version: << pipeline.parameters.min_rust_version >>
           context: pcu-app
@@ -73,18 +92,34 @@ workflows:
       - toolkit/idiomatic_rust:
           min_rust_version: << pipeline.parameters.min_rust_version >>
       - toolkit/security:
+          name: security audit only
+          sonarcloud: false
+          ignore_advisories: RUSTSEC-2025-0066
+          filters:
+            branches:
+              only: /pull\/[0-9]+/
+      - toolkit/security:
+          name: security with sonarcloud
           context: SonarCloud
           ignore_advisories: RUSTSEC-2025-0066
+          filters:
+            branches:
+              ignore:
+                - /pull\/[0-9]+/
+                - main
       - toolkit/update_prlog:
           filters:
             branches:
               ignore:
+                - /pull\/[0-9]+/
                 - main
           requires:
+            - verify_commit_signatures_trusted
             - toolkit/required_builds
             - toolkit/test_doc_build
             - toolkit/idiomatic_rust
-            - toolkit/security
+            - security audit only
+            - security with sonarcloud
             - toolkit/common_tests
           context:
             - release

Cargo.lock

@@ -222,9 +222,9 @@ checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510"
 
 [[package]]
 name = "bytes"
-version = "1.11.0"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 dependencies = [
  "serde",
 ]
@@ -1422,9 +1422,9 @@ checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"
 
 [[package]]
 name = "num-conv"
-version = "0.1.0"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
 
 [[package]]
 name = "num-traits"
@@ -2090,9 +2090,9 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.44"
+version = "0.3.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
 dependencies = [
  "deranged",
  "itoa",
@@ -2100,22 +2100,22 @@ dependencies = [
  "num-conv",
  "num_threads",
  "powerfmt",
- "serde",
+ "serde_core",
  "time-core",
  "time-macros",
 ]
 
 [[package]]
 name = "time-core"
-version = "0.1.6"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b"
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
 
 [[package]]
 name = "time-macros"
-version = "0.2.24"
+version = "0.2.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
 dependencies = [
  "num-conv",
  "time-core",

PRLOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - ✨ add optional rules path argument to cli(pr [#110])
 - ✨ enhance rules configuration(pr [#112])
 - BREAKING: migrate to circleci-toolkit v4.2.1(pr [#134])
+- add security improvements to CI(pr [#142])
 
 ### Changed
 
@@ -413,6 +414,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#139]: https://github.com/jerus-org/cull-gmail/pull/139
 [#140]: https://github.com/jerus-org/cull-gmail/pull/140
 [#141]: https://github.com/jerus-org/cull-gmail/pull/141
+[#142]: https://github.com/jerus-org/cull-gmail/pull/142
 [Unreleased]: https://github.com/jerus-org/cull-gmail/compare/v0.0.16...HEAD
 [0.0.16]: https://github.com/jerus-org/cull-gmail/compare/v0.0.15...v0.0.16
 [0.0.15]: https://github.com/jerus-org/cull-gmail/compare/v0.0.14...v0.0.15