poodle64 · sk8ersquare · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -16,8 +16,11 @@ jobs:
         include:
           # macOS ARM64 (all backends: Whisper Metal + Parakeet + FluidAudio Neural Engine)
           # macos-15 required for Swift 6.0+ (FluidAudio dependency)
+          # DMG bundling skipped in CI (requires create-dmg + Apple signing cert).
+          # The .app.tar.gz updater artifact is built via --bundles app,updater.
+          # DMG is produced locally via scripts/release.sh for distribution.
           - platform: macos-15
-            args: '--target aarch64-apple-darwin'
+            args: '--target aarch64-apple-darwin --bundles app,updater'
             rustflags: ''
           # Linux x86_64 (Whisper only; Parakeet excluded — upstream sherpa-onnx
           # Linux static archive lacks .a libs; FluidAudio is macOS-only)
@@ -34,29 +37,16 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: lts/*
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-
-      - name: Get pnpm store directory
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Setup pnpm cache
-        uses: actions/cache@v4
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          node-version: '22'
+          cache: 'npm'
 
       - name: Setup Rust
         uses: dtolnay/rust-toolchain@stable
 
+      - name: Add macOS ARM64 target
+        if: matrix.platform == 'macos-15'
+        run: rustup target add aarch64-apple-darwin
+
       - name: Install system dependencies (Linux)
         if: matrix.platform == 'ubuntu-22.04'
         run: |
@@ -69,7 +59,7 @@ jobs:
           workspaces: './src-tauri -> target'
 
       - name: Install frontend dependencies
-        run: pnpm install
+        run: npm ci
 
       - name: Build and release
         uses: tauri-apps/tauri-action@v0
@@ -87,3 +77,13 @@ jobs:
           releaseDraft: true
           prerelease: false
           args: ${{ matrix.args }}
+
+      # Attach the permission-reset helper to every release
+      - name: Upload fix-permissions.sh
+        if: matrix.platform == 'macos-15'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          VERSION=$(grep '^version' src-tauri/Cargo.toml | head -1 | sed 's/.*"\(.*\)"/\1/')
+          gh release upload "v${VERSION}" scripts/fix-permissions.sh --clobber
diff --git a/.github/workflows/security-audit.yaml b/.github/workflows/security-audit.yaml
@@ -0,0 +1,36 @@
+name: Security Audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly on Monday at 06:00 UTC
+    - cron: '0 6 * * 1'
+
+jobs:
+  cargo-audit:
+    name: Cargo Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+      - name: Run cargo audit
+        working-directory: src-tauri
+        run: cargo audit
+
+  npm-audit:
+    name: npm Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+      - run: npm ci
+      # Thoth is a Tauri desktop app — SSR is not used.
+      # Known low/moderate SVelte/SvelteKit SSR-only advisories (GHSA-pxg6-pf52-xh8x etc.)
+      # cannot be exploited at runtime. Fail only on critical severity.
+      - run: npm audit --audit-level=critical