auths-dev · bordumb · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
diff --git a/.auths/allowed_signers b/.auths/allowed_signers
@@ -1,4 +1,5 @@
 # auths:managed — do not edit manually
 # auths:attestation
 z6MkhPJCPXd5A9VN4wScJkxTtz6de7egZQx78vsiAT1vg3PZ@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuPK6OfYp7ngZp40Q+Dsrahhks472v6gPIMD0upCRnM
+z6MkhfnUUc2UJJ5C9sQQ7GvXmSbQJsdtNKV6HNYcQtTjc7xE@auths.local namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/Ib83sxXogDnEVzLjFBkyC+DhP+cssbPzZAmQhB+Lz
 # auths:manual
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -17,4 +17,12 @@ ignore = [
     # -> hyper-rustls 0.24 -> rustls 0.21). Pinned by AWS SDK's legacy TLS stack.
     # No update available until AWS SDK drops rustls 0.21 support.
     "RUSTSEC-2026-0049",
+
+    # lru IterMut stacked-borrows violation (via aws-sdk-s3 -> lru 0.12.5).
+    # Patched in lru >= 0.16.3, but blocked until aws-sdk-s3 updates its dep.
+    "RUSTSEC-2026-0002",
 ]
+
+[yanked]
+# uds_windows 1.2.0 is yanked but is a transitive dep of zbus; no direct fix available.
+ignore = true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,7 +18,6 @@ on:
 
 permissions:
   contents: read
-  checks: write
 
 env:
   CARGO_TERM_COLOR: always
@@ -132,11 +131,12 @@ jobs:
       - name: Run doc tests
         run: cargo test --all --doc
 
+      - name: Install cargo-audit
+        if: matrix.os == 'ubuntu-latest'
+        uses: taiki-e/install-action@cargo-audit
       - name: Security audit
         if: matrix.os == 'ubuntu-latest'
-        uses: rustsec/audit-check@v2.0.0
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+        run: cargo audit
 
   # capsec-audit:
   #   name: Capability Audit

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,6 +21,13 @@ repos:
       # ── Fast gates (commit) ──────────────────────────────────────────────
       # These run on every `git commit`. They should take < 3 seconds incrementally.
 
+      - id: check-workflow-secrets
+        name: "Workflow secret leak check (no ${{ secrets.* }} in body: blocks)"
+        entry: bash scripts/check_workflow_secrets.sh
+        language: system
+        files: \.github/workflows/.*\.yml$
+        pass_filenames: false
+
       - id: check-sdk-boundary
         name: SDK boundary check (CLI must not import core/id/storage)
         entry: bash scripts/check_sdk_boundary.sh

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/auths-cli/src/commands/ci/mod.rs b/crates/auths-cli/src/commands/ci/mod.rs
@@ -4,6 +4,9 @@ pub mod forge_backend;
 pub mod rotate;
 pub mod setup;
 
+/// Key alias used by all CI commands (setup, rotate).
+pub(crate) const CI_DEVICE_ALIAS: &str = "ci-release-device";
+
 use anyhow::Result;
 use clap::{Args, Subcommand};
 use std::sync::Arc;

diff --git a/crates/auths-cli/src/commands/ci/rotate.rs b/crates/auths-cli/src/commands/ci/rotate.rs
@@ -18,8 +18,7 @@ use crate::commands::ci::forge_backend::backend_for_forge;
 use crate::commands::ci::setup::warn_short_ttl;
 use crate::subprocess::git_stdout;
 
-/// CI device key alias (same as setup).
-const CI_DEVICE_ALIAS: &str = "ci-release-device";
+use super::CI_DEVICE_ALIAS;
 
 /// Run the `auths ci rotate` flow.
 ///

diff --git a/crates/auths-cli/src/commands/ci/setup.rs b/crates/auths-cli/src/commands/ci/setup.rs
@@ -23,8 +23,7 @@ use crate::commands::ci::forge_backend::backend_for_forge;
 use crate::factories::storage::build_auths_context;
 use crate::subprocess::git_stdout;
 
-/// CI device key alias used by `auths ci setup`.
-const CI_DEVICE_ALIAS: &str = "ci-release-device";
+use super::CI_DEVICE_ALIAS;
 
 /// Run the `auths ci setup` flow.
 ///

diff --git a/crates/xtask/Cargo.toml b/crates/xtask/Cargo.toml
@@ -17,11 +17,6 @@ schemars.workspace = true
 serde_json = "1"
 base64.workspace = true
 clap = { version = "4", features = ["derive"] }
-flate2 = "1"
-rand = "0.10.0"
-rpassword = "7"
-tar = "0.4"
-tempfile = "3"
 walkdir = "2"
 
 [lints]