Security infrastructure: CI audit, gem signing, safety docs #9

Merged: ardavis merged 3 commits into master from fizzy-855-activeitem-remaining-security-infrastruc on May 26, 2026

ardavis commented May 23, 2026

Summary

Addresses remaining security & infrastructure items from card #855 (security audit follow-up from #849).

Infrastructure (implemented)

  • CI pipeline: Added bundler-audit security scanning job alongside existing RSpec + rubocop
  • Gem signing: Configured cert chain, conditional signing key, release workflow integration, and consumer verification docs

Architecture (documented in-code)

  • Thread safety: Documented that Aws::DynamoDB::Client is thread-safe (internal connection pooling) — the Mutex in parallel preload protects only the shared hash, not the client
  • Uniqueness TOCTOU: Added limitation docs to the validator — recommends conditional puts for strong uniqueness, and GSI-backed attributes to avoid scan-based DoS

Setup required

  • Add GEM_SIGNING_KEY secret to GitHub (PEM-encoded private key for gem signing)

Fizzy #855

- Add bundler-audit security job to CI pipeline
- Configure gem signing with cert chain and conditional signing key
- Add signing key setup to release workflow (uses GEM_SIGNING_KEY secret)
- Document thread safety of DynamoDB client in parallel preload
- Document TOCTOU and DoS limitations of uniqueness validator
- Add signature verification instructions to README

Fizzy #855
Comment thread .github/workflows/ci.yml Fixed

ardavis left a comment

Look into the comment on ci.yml

Restrict GITHUB_TOKEN to contents:read per CodeQL recommendation.
Addresses github-advanced-security bot review comment.

ardavis commented May 26, 2026

Added a top-level permissions: contents: read block to ci.yml — this restricts the GITHUB_TOKEN to read-only for CI jobs, which is all they need. Addresses the CodeQL finding from github-advanced-security bot.

The release workflow (auto-tag.yml) already had permissions: contents: write since it needs to push tags.
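
A check for the workflow-permissions change discussed in this thread, as an added example that is not part of the pull request or the project's code: a Ruby script that parses workflow YAML and reports a missing top-level `permissions` block and every write-capable grant. The workflow bodies, job names and function names are constructed for illustration.

```ruby
require "yaml"
READ_ONLY = %w[read none].freeze # permission levels that cannot modify anything

# Write-capable grants found in one permissions value (String or Hash).
def write_grants(file, where, perms)
  case perms
  when "write-all" then ["#{file}: #{where} grants write-all"]
  when Hash
    perms.reject { |_, level| READ_ONLY.include?(level.to_s) }
         .map { |scope, level| "#{file}: #{where} grants #{scope}: #{level}" }
  else [] # "read-all" or an empty block grants no write access
  end
end

# Findings for one workflow: a missing top-level block, plus every write grant.
def audit_workflow_permissions(file, yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  jobs = (doc["jobs"] || {}).select { |_, job| job.is_a?(Hash) }
  findings = []
  if doc.key?("permissions")
    findings.concat(write_grants(file, "workflow", doc["permissions"]))
  else
    # Jobs without their own block fall back to the repository default scope.
    bare = jobs.reject { |_, job| job.key?("permissions") }.keys
    findings << "#{file}: no top-level permissions (jobs: #{bare.join(', ')})" unless bare.empty?
  end
  jobs.each do |name, job|
    findings.concat(write_grants(file, "job #{name}", job["permissions"])) if job.key?("permissions")
  end
  findings
end

# Constructed samples, not the repository's actual workflow files.
CI_BEFORE = <<~YML
  on: [push, pull_request]
  jobs:
    rspec: { runs-on: ubuntu-latest }
    audit: { runs-on: ubuntu-latest }
YML
CI_AFTER = "permissions:\n  contents: read\n" + CI_BEFORE
RELEASE = <<~YML
  on: { push: { branches: [master] } }
  permissions:
    contents: write
  jobs:
    tag: { runs-on: ubuntu-latest }
YML

[["ci.yml", CI_BEFORE], ["ci.yml", CI_AFTER], ["auto-tag.yml", RELEASE]].each { |f, t| p audit_workflow_permissions(f, t) }
```

A write grant such as the one reported for the release sample is a prompt for review rather than a failure: a workflow that pushes tags needs `contents: write`.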

ardavis merged commit b751db5 into master on May 26, 2026
3 checks passed