feat(ci): implement signed commit verification and update security policy

Added a CI/CD step to verify cryptographic signatures for deployments. Updated SECURITY.md with the new trust model and refined GHA workflows for consistency.
2026-03-17 18:26:47 +01:00 · 2026-03-17 18:26:47 +01:00 · c55843ffa7
commit c55843ffa7
parent 17c5d0ee48
4 changed files with 222 additions and 27 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -1,43 +1,40 @@
-name: "Build"
+name: Build
+
 on:
-  pull_request:
  push:
+    branches:
+      - main
+      - 'test-*'
+  pull_request:

 jobs:
-  determine-hosts:
-    name: "Determining hosts to build"
+  # Job to find all hosts that should be built
+  get-hosts:
    runs-on: ubuntu-latest
    container: catthehacker/ubuntu:act-24.04
    outputs:
-      hosts: ${{ steps.hosts.outputs.hostnames }}
+      hosts: ${{ steps.set-hosts.outputs.hosts }}
    steps:
-      - uses: actions/checkout@v5
-      - uses: https://github.com/cachix/install-nix-action@v31
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-      - name: "Determine hosts"
-        id: hosts
+      - uses: actions/checkout@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+      - id: set-hosts
        run: |
-          hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)"
-          printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}"
+          # Extract host names from nixosConfigurations
+          HOSTS=$(nix eval .#nixosConfigurations --apply "builtins.attrNames" --json)
+          echo "hosts=$HOSTS" >> $GITHUB_OUTPUT

  build:
+    needs: get-hosts
    runs-on: ubuntu-latest
    container: catthehacker/ubuntu:act-24.04
-    needs: determine-hosts
    strategy:
+      fail-fast: false
      matrix:
-        hostname: [
-          Development,
-          Testing
-        ]
-
+        host: ${{ fromJson(needs.get-hosts.outputs.hosts) }}
    steps:
-      - uses: actions/checkout@v5
-      - uses: https://github.com/cachix/install-nix-action@v31
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-      - name: "Build host"
-        run: |
-          nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose
-
+      - uses: actions/checkout@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+      - name: Build NixOS configuration
+        run: nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel