ci: security-hardened CI + release with brew tap auto-update

prakersh · prakersh · commit 0f843206bd05 · 2026-04-05T18:51:24.000+05:30
CI workflow:
- Read-only permissions (contents: read)
- Skips fork PRs to prevent untrusted code execution
- Build + test + version verify on macos-15

Release workflow:
- Only runs on onllm-dev/onvault repo (not forks)
- Requires 'release' environment (manual approval in GitHub Settings)
- Verifies tag version matches VERSION file
- Runs full test suite before building dist
- Packages tarball with install script + SHA-256 checksums
- Creates GitHub Release with release notes
- Auto-updates onllm-dev/homebrew-tap formula via deploy key
- Pre-release tags (rc/beta/alpha) skip brew tap update
- Deploy key cleaned up after use

Security setup required:
1. Settings → Environments → Create "release" with required reviewers
2. Settings → Secrets → HOMEBREW_TAP_DEPLOY_KEY (SSH key with write to homebrew-tap)
3. Settings → Rules → Tag protection → v* (only maintainers can push tags)

Usage: git tag v0.1.0 &amp;&amp; git push origin v0.1.0
Users: brew tap onllm-dev/tap &amp;&amp; brew install onvault
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,9 +6,19 @@ on:
   pull_request:
     branches: [main]
 
+# Minimal permissions — CI only reads code and runs tests
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: macos-15
+
+    # Only run on trusted events — not from forks on PRs
+    if: >
+      github.event_name == 'push' ||
+      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
+
     steps:
       - uses: actions/checkout@v4
 
@@ -22,3 +32,6 @@ jobs:
 
       - name: Run tests
         run: make test
+
+      - name: Verify version
+        run: ./onvault --version
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,15 +5,36 @@ on:
     tags:
       - 'v*'
 
+# Only maintainers can push tags — this is enforced by GitHub branch/tag protection rules.
+# Set up tag protection: Settings → Rules → Tag protection → Add rule → v*
+
+# Minimal required permissions
 permissions:
-  contents: write
+  contents: write  # Create GitHub Release + upload assets
 
 jobs:
   build-and-release:
     runs-on: macos-15
+
+    # SECURITY: Only run if the tag was pushed by a repo admin/maintainer
+    # This prevents forked PRs or compromised tokens from triggering releases
+    if: github.repository == 'onllm-dev/onvault'
+
+    environment: release  # Requires manual approval in GitHub Settings → Environments
+
     steps:
       - uses: actions/checkout@v4
 
+      - name: Verify tag matches VERSION file
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          FILE_VERSION=$(cat VERSION)
+          if [ "$TAG_VERSION" != "$FILE_VERSION" ]; then
+            echo "ERROR: Tag version ($TAG_VERSION) does not match VERSION file ($FILE_VERSION)"
+            exit 1
+          fi
+          echo "Version verified: $TAG_VERSION"
+
       - name: Extract version from tag
         id: version
         run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
@@ -30,7 +51,6 @@ jobs:
 
       - name: Build distribution
         run: |
-          echo "${{ steps.version.outputs.VERSION }}" > VERSION
           make clean
           make dist
 
@@ -49,7 +69,6 @@ jobs:
           cp install/com.onvault.daemon.plist dist/onvault-${VERSION}-macos-arm64/
           cp -r defaults dist/onvault-${VERSION}-macos-arm64/
 
-          # Create install script
           cat > dist/onvault-${VERSION}-macos-arm64/install.sh << 'INSTALL_EOF'
           #!/bin/bash
           set -e
@@ -68,48 +87,41 @@ jobs:
           INSTALL_EOF
           chmod +x dist/onvault-${VERSION}-macos-arm64/install.sh
 
-          # Create tarball
           cd dist
           tar czf onvault-${VERSION}-macos-arm64.tar.gz onvault-${VERSION}-macos-arm64/
-
-          # Generate SHA-256 checksum
           shasum -a 256 onvault-${VERSION}-macos-arm64.tar.gz > onvault-${VERSION}-macos-arm64.tar.gz.sha256
 
       - name: Generate release notes
-        id: notes
         run: |
           VERSION=${{ steps.version.outputs.VERSION }}
           cat > release_notes.md << EOF
           ## onvault v${VERSION}
 
           Seamless file encryption & per-process access control for macOS.
 
-          ### Installation
+          ### Install via Homebrew
 
           \`\`\`bash
-          # Prerequisites
-          brew install --cask macfuse
+          brew tap onllm-dev/tap
+          brew install onvault
+          \`\`\`
 
-          # Download and install
+          ### Install manually
+
+          \`\`\`bash
+          brew install --cask macfuse   # prerequisite
           tar xzf onvault-${VERSION}-macos-arm64.tar.gz
           cd onvault-${VERSION}-macos-arm64
           ./install.sh
-
-          # Get started
-          onvault init
-          onvault start
-          onvault unlock
-          onvault vault add ~/.ssh --smart
           \`\`\`
 
-          ### Build from Source
+          ### Get started
 
           \`\`\`bash
-          brew install openssl@3 argon2
-          brew install --cask macfuse
-          git clone https://github.com/onllm-dev/onvault.git
-          cd onvault
-          make && make test && make dist
+          onvault init                       # First-time setup
+          onvault start                      # Start daemon
+          onvault unlock                     # Authenticate
+          onvault vault add ~/.ssh --smart   # Protect SSH keys
           \`\`\`
 
           ### Requirements
@@ -133,3 +145,94 @@ jobs:
           files: |
             dist/onvault-${{ steps.version.outputs.VERSION }}-macos-arm64.tar.gz
             dist/onvault-${{ steps.version.outputs.VERSION }}-macos-arm64.tar.gz.sha256
+
+      # Update Homebrew tap — uses a deploy key with write access to homebrew-tap repo
+      # Set up: Settings → Secrets → HOMEBREW_TAP_DEPLOY_KEY (SSH private key)
+      - name: Update Homebrew tap
+        if: "!contains(github.ref_name, '-rc') && !contains(github.ref_name, '-beta') && !contains(github.ref_name, '-alpha')"
+        env:
+          DEPLOY_KEY: ${{ secrets.HOMEBREW_TAP_DEPLOY_KEY }}
+        run: |
+          if [ -z "$DEPLOY_KEY" ]; then
+            echo "HOMEBREW_TAP_DEPLOY_KEY not set — skipping brew tap update"
+            exit 0
+          fi
+
+          VERSION=${{ steps.version.outputs.VERSION }}
+          SHA256=$(cat dist/onvault-${VERSION}-macos-arm64.tar.gz.sha256 | awk '{print $1}')
+
+          # Set up SSH for homebrew-tap repo
+          mkdir -p ~/.ssh
+          echo "$DEPLOY_KEY" > ~/.ssh/tap_deploy_key
+          chmod 600 ~/.ssh/tap_deploy_key
+          export GIT_SSH_COMMAND="ssh -i ~/.ssh/tap_deploy_key -o StrictHostKeyChecking=no"
+
+          git clone git@github.com:onllm-dev/homebrew-tap.git /tmp/homebrew-tap-update
+          cd /tmp/homebrew-tap-update
+
+          # Update the formula with new version and SHA
+          cat > Formula/onvault.rb << FORMULA_EOF
+          class Onvault < Formula
+            desc "Seamless file encryption & per-process access control for macOS"
+            homepage "https://github.com/onllm-dev/onvault"
+            version "${VERSION}"
+            license "GPL-3.0-only"
+
+            on_macos do
+              if Hardware::CPU.arm?
+                url "https://github.com/onllm-dev/onvault/releases/download/v${VERSION}/onvault-${VERSION}-macos-arm64.tar.gz"
+                sha256 "${SHA256}"
+              end
+            end
+
+            depends_on :macos
+            depends_on "macfuse" => :cask
+
+            def install
+              bin.install "onvault"
+              bin.install "onvaultd"
+              (share/"onvault/defaults").install Dir["defaults/*"]
+              (prefix/"com.onvault.daemon.plist").install "com.onvault.daemon.plist"
+            end
+
+            def post_install
+              launch_agents = Pathname.new("#{Dir.home}/Library/LaunchAgents")
+              launch_agents.mkpath
+              plist_dst = launch_agents/"com.onvault.daemon.plist"
+              unless plist_dst.exist?
+                plist_dst.make_symlink(prefix/"com.onvault.daemon.plist")
+              end
+            end
+
+            def caveats
+              <<~EOS
+                onvault requires macFUSE to be installed and approved:
+
+                  brew install --cask macfuse
+                  # System Settings → Privacy & Security → Approve
+                  # Reboot required after first install
+
+                Get started:
+
+                  onvault init
+                  onvault start
+                  onvault unlock
+                  onvault vault add ~/.ssh --smart
+
+                Documentation: https://github.com/onllm-dev/onvault
+              EOS
+            end
+
+            test do
+              assert_match version.to_s, shell_output("#{bin}/onvault --version")
+            end
+          end
+          FORMULA_EOF
+
+          git add Formula/onvault.rb
+          git -c user.name="onvault-release" -c user.email="release@onllm.dev" \
+            commit -m "onvault ${VERSION}"
+          git push origin main
+
+          # Clean up deploy key
+          rm -f ~/.ssh/tap_deploy_key
