clidey · modelorona · Nov 28, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 27, 2025
diff --git a/.github/actions/calculate-version/action.yml b/.github/actions/calculate-version/action.yml
@@ -24,8 +24,9 @@ inputs:
     description: 'Deploy to Apple App Store'
     required: false
     default: 'false'
+  # DISABLED: AppImage requires system WebKit2GTK - not truly portable
   deploy-appimage:
-    description: 'Build AppImage'
+    description: 'Build AppImage (DISABLED)'
     required: false
     default: 'false'
   deploy-linux-terminal:
@@ -61,9 +62,10 @@ outputs:
   deploy-apple:
     description: 'Deploy Apple flag'
     value: ${{ steps.stores.outputs.deploy-apple }}
+  # DISABLED: AppImage builds disabled
   deploy-appimage:
-    description: 'Deploy AppImage flag'
-    value: ${{ steps.stores.outputs.deploy-appimage }}
+    description: 'Deploy AppImage flag (DISABLED)'
+    value: 'false'
   deploy-linux-terminal:
     description: 'Deploy Linux Terminal flag'
     value: ${{ steps.stores.outputs.deploy-linux-terminal }}
@@ -74,6 +76,11 @@ outputs:
 runs:
   using: 'composite'
   steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+      with:
+        egress-policy: audit
+
     - name: Set deployment mode
       id: mode
       shell: bash
@@ -171,7 +178,7 @@ runs:
         echo "deploy-snap=${{ inputs.deploy-snap }}" >> $GITHUB_OUTPUT
         echo "deploy-microsoft=${{ inputs.deploy-microsoft }}" >> $GITHUB_OUTPUT
         echo "deploy-apple=${{ inputs.deploy-apple }}" >> $GITHUB_OUTPUT
-        echo "deploy-appimage=${{ inputs.deploy-appimage }}" >> $GITHUB_OUTPUT
+        echo "deploy-appimage=false" >> $GITHUB_OUTPUT  # DISABLED: AppImage requires system WebKit2GTK
         echo "deploy-linux-terminal=${{ inputs.deploy-linux-terminal }}" >> $GITHUB_OUTPUT
 
         if [ "$MODE" = "production" ]; then

diff --git a/.github/actions/deployment-summary/action.yml b/.github/actions/deployment-summary/action.yml
@@ -47,6 +47,11 @@ inputs:
 runs:
   using: 'composite'
   steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+      with:
+        egress-policy: audit
+
     - name: Generate summary
       shell: bash
       run: |

diff --git a/.github/templates/RELEASE_TEMPLATE.md b/.github/templates/RELEASE_TEMPLATE.md
@@ -16,26 +16,6 @@ sudo snap install whodb
 ```
 [View on Snapcraft](https://snapcraft.io/whodb)
 
-### AppImage (Linux)
-
-Download the AppImage for your architecture from the assets below, make it executable, and run:
-
-```bash
-# For AMD64/x86_64
-chmod +x WhoDB-{{VERSION}}-amd64.AppImage
-./WhoDB-{{VERSION}}-amd64.AppImage
-
-# For ARM64/aarch64
-chmod +x WhoDB-{{VERSION}}-arm64.AppImage
-./WhoDB-{{VERSION}}-arm64.AppImage
-```
-
-All AppImages are signed with Sigstore. To verify:
-
-```bash
-cosign verify-blob --signature WhoDB-{{VERSION}}-amd64.AppImage.sig --certificate WhoDB-{{VERSION}}-amd64.AppImage.pem WhoDB-{{VERSION}}-amd64.AppImage
-```
-
 ### Docker
 ```bash
 docker pull clidey/whodb:{{VERSION}}
@@ -55,7 +35,6 @@ See assets below for platform-specific packages (DMG, MSIX, etc.).
 To upgrade from a previous version:
 - **Docker**: Pull the latest image and restart your container
 - **Snap**: Run `sudo snap refresh whodb`
-- **AppImage**: Download the new AppImage and replace the old one
 - **Desktop Apps**: Download and install the new version
 
 ---
diff --git a/.github/workflows/_build-appimage.yml b/.github/workflows/_build-appimage.yml
@@ -30,6 +30,11 @@ jobs:
           - runner: ubuntu-24.04-arm
             arch: arm64
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/_build-apple.yml b/.github/workflows/_build-apple.yml
@@ -26,7 +26,7 @@ jobs:
   build-apple:
     name: Build macOS (${{ matrix.build-type }})
     runs-on: macos-latest
-    environment: deploy-apple
+    environment: build-apple
     strategy:
       matrix:
         include:

diff --git a/.github/workflows/_build-docker.yml b/.github/workflows/_build-docker.yml
@@ -39,6 +39,11 @@ jobs:
             platform: linux/arm64
             arch: arm64
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/_build-linux-terminal.yml b/.github/workflows/_build-linux-terminal.yml
@@ -18,6 +18,11 @@ jobs:
     runs-on: ubuntu-latest
     environment: permission-required
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/_build-snap.yml b/.github/workflows/_build-snap.yml
@@ -33,6 +33,11 @@ jobs:
       SNAPCRAFT_ENABLE_EXPERIMENTAL_EXTENSIONS: "1"
       SNAPCRAFT_PROJECT_VERSION: ${{ inputs.version }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/_deploy-docker.yml b/.github/workflows/_deploy-docker.yml
@@ -24,6 +24,11 @@ jobs:
     runs-on: ubuntu-latest
     environment: deploy-docker
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout for scripts
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/_deploy-homebrew.yml b/.github/workflows/_deploy-homebrew.yml
@@ -17,6 +17,11 @@ jobs:
     name: Generate Homebrew Cask
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/_deploy-snap.yml b/.github/workflows/_deploy-snap.yml
@@ -23,6 +23,11 @@ jobs:
     runs-on: ubuntu-latest
     environment: deploy-snap
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout for scripts
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/_sign-validate.yml b/.github/workflows/_sign-validate.yml
@@ -17,11 +17,12 @@ on:
         required: false
         type: boolean
         default: true
+      # DISABLED: AppImage builds disabled - requires system WebKit2GTK
       validate-appimage:
         description: 'Whether to validate AppImage builds'
         required: false
         type: boolean
-        default: true
+        default: false
 
 jobs:
   sign-with-sigstore:
@@ -31,6 +32,11 @@ jobs:
       contents: write
       id-token: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
@@ -50,18 +56,19 @@ jobs:
           pattern: desktop-*
           path: artifacts/
 
-      - name: Download AppImages
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
-        continue-on-error: true
-        with:
-          pattern: appimage-*
-          path: artifacts/
+      # DISABLED: AppImage builds disabled
+      # - name: Download AppImages
+      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      #   continue-on-error: true
+      #   with:
+      #     pattern: appimage-*
+      #     path: artifacts/
 
-      - name: Restore executable permissions
-        run: |
-          echo "Restoring executable permissions for AppImages..."
-          find artifacts -name "*.AppImage" -type f -exec chmod +x {} \;
-          echo "✅ Permissions restored"
+      # - name: Restore executable permissions
+      #   run: |
+      #     echo "Restoring executable permissions for AppImages..."
+      #     find artifacts -name "*.AppImage" -type f -exec chmod +x {} \;
+      #     echo "✅ Permissions restored"
 
       - name: Install Cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
@@ -104,6 +111,11 @@ jobs:
     permissions:
       contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout for scripts
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
@@ -123,18 +135,19 @@ jobs:
           pattern: desktop-*
           path: artifacts/
 
-      - name: Download AppImages
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
-        continue-on-error: true
-        with:
-          pattern: appimage-*
-          path: artifacts/
+      # DISABLED: AppImage builds disabled
+      # - name: Download AppImages
+      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      #   continue-on-error: true
+      #   with:
+      #     pattern: appimage-*
+      #     path: artifacts/
 
-      - name: Restore executable permissions
-        run: |
-          echo "Restoring executable permissions for AppImages..."
-          find artifacts -name "*.AppImage" -type f -exec chmod +x {} \;
-          echo "✅ Permissions restored"
+      # - name: Restore executable permissions
+      #   run: |
+      #     echo "Restoring executable permissions for AppImages..."
+      #     find artifacts -name "*.AppImage" -type f -exec chmod +x {} \;
+      #     echo "✅ Permissions restored"
 
       - name: Download signatures
         uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
@@ -218,8 +231,9 @@ jobs:
             exit 1
           fi
 
+      # DISABLED: AppImage builds disabled - requires system WebKit2GTK
       - name: Validate AppImage artifacts
-        if: inputs.validate-appimage
+        if: inputs.validate-appimage  # Will be false - AppImage disabled
         run: |
           echo "🐧 Validating AppImage artifacts..."
           FAILED=false
@@ -280,7 +294,7 @@ jobs:
               "desktop": ${{ inputs.validate-desktop }},
               "appimage": ${{ inputs.validate-appimage }}
             },
-            "artifacts": $(find artifacts -type f -name "*.snap" -o -name "*.AppImage" -o -name "*.exe" -o -name "*.dmg" | wc -l)
+            "artifacts": $(find artifacts -type f -name "*.snap" -o -name "*.exe" -o -name "*.dmg" | wc -l)
           }
           EOF
 

diff --git a/.github/workflows/_verify-deployment.yml b/.github/workflows/_verify-deployment.yml
@@ -50,6 +50,11 @@ jobs:
       github-verified: ${{ steps.verify-github.outputs.verified }}
       all-verified: ${{ steps.summary.outputs.all-verified }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -20,6 +20,11 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Post instruction comment
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
@@ -49,6 +54,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout base branch (safe checkout)
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -41,6 +41,11 @@ jobs:
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with: