CI Pipeline / Rust Format Check (push) Successful in 3s
CI Pipeline / Clippy Lints (push) Successful in 52s
CI Pipeline / Rust Unit Tests (push) Failing after 1m21s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 16s
CI Pipeline / Build .deb & Release (push) Has been skipped
The Rust pm-ca crate (crates/pm-ca/src/ca.rs) only parses PKCS#8
format private keys. openssl ecparam -genkey produces SEC1 format
(BEGIN EC PRIVATE KEY), which the Rust ring/RSA parser rejects
with "parse CA private-key PEM", causing the service to crash-loop
on startup.
Proven on LPM: converting ca.key with openssl pkcs8 -topk8 -nocrypt
and restarting patch-manager-web results in:
Root CA loaded successfully
Listening (HTTPS) on 0.0.0.0:443
CI Pipeline / Rust Format Check (push) Successful in 4s
CI Pipeline / Clippy Lints (push) Successful in 52s
CI Pipeline / Rust Unit Tests (push) Failing after 1m22s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s
CI Pipeline / Build .deb & Release (push) Has been skipped
- Generate internal CA + CA-signed web TLS cert in postinst (port 443 was
falling back to plain HTTP because no cert files existed)
- Repair stale sqlx migration checksums for upgrades from <= 1.1.7
- Restore health check as advisory only (never fails the install)
- Use runuser instead of sudo (sudo is not guaranteed on minimal images)
- Replace predictable /tmp password file with mktemp under /run
- Frontend assets root-owned read-only (security)
- Drop Pre-Depends: postgresql-16 (misuse); drop argon2 dep (unused)
- Add openssl, curl, cron, util-linux as proper dependencies
Automates version bumps across all version source files:
- Cargo.toml (PRIMARY - workspace.package.version)
- debian/changelog (prepend new entry)
- debian/control (update Version field)
- scripts/build-package.sh (update VERSION variable)
- frontend/package.json (update version field)
- Stale references check after bump
Usage: ./scripts/bump-version.sh <new_version> <old_version>
