CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 57s
CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m12s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m18s
CI/CD Pipeline / Build Alpine Package (push) Failing after 3m7s
- Remove all private key files from git tracking (git rm --cached)
- configs/certs/ca.key.pem, server.key.pem, client001.key.pem
- tests/e2e/certs/client.key
- Also remove public certs from configs/certs/ (generated at runtime)
- Add .gitignore patterns for *.key, *.key.pem, configs/certs/*.pem, *.srl
- Add scripts/generate-dev-certs.sh for runtime test cert generation
- Update Python e2e test to generate certs on demand (ensure_certs())
- Update test_wrong_cert_connection to generate wrong-CA certs at runtime
- Add gitleaks secret scanning job to CI workflow
- Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12
- Update SECURITY_CONTROLS_MATRIX.md evidence references
- Add README.md to configs/certs/ and tests/e2e/certs/
Private keys were dev/test only - no production key rotation needed.
Git history purge with filter-repo will follow after PR merge.
Co-authored-by: git-echo <git-echo@moon-dragon.us>
CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m24s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m15s
CI/CD Pipeline / Build Alpine Package (push) Successful in 3m16s
* test: add CRL unit tests and CrlAwareVerifier construction tests (PR 6 of 6)
* fix(ci): rename fmt job to match required status check context
---------
Co-authored-by: git-echo <git-echo@moon-dragon.us>
Previous build runs leave root-owned artifacts in releases/ directory
which causes actions/checkout@v4 to fail with EACCES on subsequent runs.
- Added sudo rm -rf releases/ before checkout in all 6 self-hosted jobs
- Alpine build unaffected (runs in Docker container, clean each run)
Co-authored-by: git-echo <git-echo@moon-dragon.us>
- Force HOME=/root in build-alpine.sh for consistent key location
- Use find instead of ls for key discovery (handles dash-prefixed filenames)
- Search multiple paths for generated keys
- Copy keys from KEY_DIR to builduser home directory
- Set env.HOME=/root in Alpine container spec
- Remove separate abuild-keygen step (handled by build-alpine.sh)
- Add error exit if no signing key found
Co-authored-by: git-echo <git-echo@moon-dragon.us>
CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m5s
CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m22s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m17s
CI/CD Pipeline / Build Alpine Package (push) Successful in 3m7s
* fix: switch to build-package.sh for .deb builds
Replace dpkg-buildpackage with scripts/build-package.sh using
dpkg-deb --build approach. This bypasses the dpkg-buildpackage
subprocess chain (dh → make → debian/rules → cargo) which
does not inherit the rustup environment (RUSTUP_HOME, CARGO_HOME,
default toolchain) from GitHub Actions.
Same approach as Linux-Patch-Manager which passes CI.
- Add scripts/build-package.sh (modeled after Manager)
- Add Version and Installed-Size to debian/control
- Update CI workflow to use build-package.sh
- Fix release files path (project root, not ../)
* fix: extract only binary package paragraph from debian/control
dpkg-deb --build expects a single control paragraph starting
with Package: field. The debian/control file has two paragraphs
(source + binary). The awk command extracts only the binary
package paragraph to avoid dpkg-deb parse errors.
* fix: generate DEBIAN/control from scratch in build-package.sh
dpkg-deb --build is fundamentally incompatible with debian/control
which uses dpkg-buildpackage substitution variables like
${shlibs:Depends} and ${misc:Depends}. Generate a clean control
file from scratch in the script to eliminate all incompatibilities.
- No substitution variables
- No source paragraph
- No Build-Depends
- Homepage points to GitHub
- Installed-Size calculated before control file generation
---------
Co-authored-by: git-echo <git-echo@moon-dragon.us>
CI/CD Pipeline / Build RPM Package (push) Successful in 2m35s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m37s
CI/CD Pipeline / Build Alpine Package (push) Successful in 3m32s
CI/CD Pipeline / Build Debian Package (push) Successful in 2m2s
- Add debhelper to system dependencies for dpkg-buildpackage
- Add permissions: contents: write for GitHub Release creation
- Fixes Build & Release job failures on tag push
Co-authored-by: git-echo <git-echo@moon-dragon.us>
- Separated checkout step from dependency installation step
- Each step must have either 'uses:' OR 'run:', not both
- Added proper 'name:' field for install dependencies step
