chore(hardening): tighten security and footprint defaults
This commit is contained in:
10
.github/workflows/build.yml
vendored
10
.github/workflows/build.yml
vendored
@@ -169,3 +169,13 @@ jobs:
|
||||
path: ${{ matrix.artifact_glob }}
|
||||
retention-days: 30
|
||||
if-no-files-found: warn
|
||||
|
||||
- name: Report artifact sizes
|
||||
if: always()
|
||||
shell: bash
|
||||
run: |
|
||||
if [ -d src-tauri/target/release/bundle ]; then
|
||||
find src-tauri/target/release/bundle -type f \
|
||||
\( -name '*.AppImage' -o -name '*.deb' -o -name '*.msi' -o -name '*.exe' -o -name '*.dmg' -o -name '*.app' \) \
|
||||
-exec du -h {} + | sort -h
|
||||
fi
|
||||
|
||||
17
.github/workflows/check.yml
vendored
17
.github/workflows/check.yml
vendored
@@ -111,6 +111,8 @@ jobs:
|
||||
|
||||
- name: Install Rust toolchain
|
||||
uses: dtolnay/rust-toolchain@stable
|
||||
with:
|
||||
components: rustfmt, clippy
|
||||
|
||||
# Cache the Cargo target dir + registry per OS so the heavy
|
||||
# whisper-rs-sys C++ build only happens on a clean cache.
|
||||
@@ -128,12 +130,24 @@ jobs:
|
||||
- name: cargo check (workspace)
|
||||
run: cargo check --workspace --all-targets
|
||||
|
||||
- name: cargo fmt
|
||||
run: cargo fmt --all -- --check
|
||||
|
||||
- name: cargo clippy
|
||||
run: cargo clippy --workspace --all-targets -- -D warnings
|
||||
|
||||
# Library tests only — no runtime/GPU deps. Linux-gated to keep
|
||||
# the macOS + Windows legs focused on compile coverage.
|
||||
- name: cargo test (workspace, libs)
|
||||
if: matrix.os == 'ubuntu-22.04'
|
||||
run: cargo test --workspace --lib
|
||||
|
||||
- name: cargo audit
|
||||
if: matrix.os == 'ubuntu-22.04'
|
||||
run: |
|
||||
cargo install cargo-audit --locked
|
||||
cargo audit
|
||||
|
||||
frontend:
|
||||
name: svelte build + lint
|
||||
runs-on: ubuntu-22.04
|
||||
@@ -150,6 +164,9 @@ jobs:
|
||||
- name: Install JS deps
|
||||
run: npm ci
|
||||
|
||||
- name: npm audit
|
||||
run: npm audit --audit-level=high
|
||||
|
||||
# `tauri build` inside check.yml would trigger the full Rust build
|
||||
# which is owned by the rust job. Here we only validate that the
|
||||
# Svelte/Vite frontend compiles cleanly.
|
||||
|
||||
Reference in New Issue
Block a user