chore(hardening): tighten security and footprint defaults

This commit is contained in:
2026-04-24 19:03:57 +01:00
parent 55b34d8ffc
commit b333c6229e
36 changed files with 8702 additions and 254 deletions

View File

@@ -169,3 +169,13 @@ jobs:
path: ${{ matrix.artifact_glob }}
retention-days: 30
if-no-files-found: warn
- name: Report artifact sizes
if: always()
shell: bash
run: |
if [ -d src-tauri/target/release/bundle ]; then
find src-tauri/target/release/bundle -type f \
\( -name '*.AppImage' -o -name '*.deb' -o -name '*.msi' -o -name '*.exe' -o -name '*.dmg' -o -name '*.app' \) \
-exec du -h {} + | sort -h
fi

View File

@@ -111,6 +111,8 @@ jobs:
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
# Cache the Cargo target dir + registry per OS so the heavy
# whisper-rs-sys C++ build only happens on a clean cache.
@@ -128,12 +130,24 @@ jobs:
- name: cargo check (workspace)
run: cargo check --workspace --all-targets
- name: cargo fmt
run: cargo fmt --all -- --check
- name: cargo clippy
run: cargo clippy --workspace --all-targets -- -D warnings
# Library tests only — no runtime/GPU deps. Linux-gated to keep
# the macOS + Windows legs focused on compile coverage.
- name: cargo test (workspace, libs)
if: matrix.os == 'ubuntu-22.04'
run: cargo test --workspace --lib
- name: cargo audit
if: matrix.os == 'ubuntu-22.04'
run: |
cargo install cargo-audit --locked
cargo audit
frontend:
name: svelte build + lint
runs-on: ubuntu-22.04
@@ -150,6 +164,9 @@ jobs:
- name: Install JS deps
run: npm ci
- name: npm audit
run: npm audit --audit-level=high
# `tauri build` inside check.yml would trigger the full Rust build
# which is owned by the rust job. Here we only validate that the
# Svelte/Vite frontend compiles cleanly.