KeiSeiKit-1.0/.github/workflows
Parfii-bot c27b626af7 fix(v0.19.1): SHA-pin release.yml GitHub Actions + require bun.lock
Partial supply-chain hardening (rate-limited before completing).

release.yml (H5 — CVE-2025-30066 class defense):
  - actions/checkout@34e114876b... (v4.3.1)
  - dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
  - Swatinem/rust-cache@c19371144... (v2.9.1)
  - actions/upload-artifact@ea165f8d6... (v4.6.2)
  - actions/download-artifact@<pinned>
  - oven-sh/setup-bun@0c5077e51... (v2.2.0)
  - softprops/action-gh-release@<pinned>

release.yml (H4 — reproducible build):
  - Removed '|| bun install' fallback from build-mcp-binary job.
  - bun.lock now REQUIRED — missing lockfile fails the build.

NOT YET DONE (deferred to follow-up agent):
  - ci.yml same SHA-pinning (separate commit)
  - .github/dependabot.yml (weekly SHA update PRs)
  - _ts_packages/packages/mcp-server/bun.lock (placeholder commit)
  - BUILD.md 'Lockfile' subsection
  - CHANGELOG Security section under [Unreleased]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 17:09:16 +08:00
ci.yml fix(v0.15.1): RED-1 CVE + typed-handoff + schema minItems 2026-04-22 15:08:51 +08:00
release.yml fix(v0.19.1): SHA-pin release.yml GitHub Actions + require bun.lock 2026-04-22 17:09:16 +08:00