#5 Gateway Trust Model:
- Removed inventory /test endpoint
- Updated docs/trust-model.md with accurate description:
  - Per-user services (trips, fitness) vs gateway-key services clearly separated
  - Known limitations documented (no per-user isolation on shared services)
  - No false claims about per-user auth where it doesn't exist

#8 Dependency Security:
- Workflow reviewed and confirmed sane
- Added .gitea/README.md documenting runner requirement
- Status: repo-side complete, operationally blocked on runner setup

#9 Performance Hardening:
- Budget /transactions/recent: 30s cache (1.1s→41ms on repeat)
- Budget /uncategorized-count: 2min cache (1.3s→42ms on repeat)
- Both endpoints document Actual Budget per-account API constraint
- Budget buildLookups: 2min cache (already in place)
- All inventory full scans already eliminated (prior commit)
22 lines
740 B
Markdown
# Gitea CI Workflows
## security.yml
Runs on push/PR to `master`. Three jobs:
1. **dependency-audit** — `npm audit --audit-level=high` for budget and frontend. The job fails only when an advisory of severity high or critical is found; moderate and low findings are printed but do not fail the build.
2. **secret-scanning** — checks for tracked .env/.db files and hardcoded secret patterns
3. **dockerfile-lint** — verifies every Dockerfile in the repo has a non-root `USER` instruction and a `HEALTHCHECK`
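The secret-scanning and dockerfile-lint jobs are the two checks that do not depend on an external tool, so they are the ones worth being able to run locally before a push. The script below is an added example, not the project's `security.yml` or any code from the repository: it implements the checks the three bullets describe as shell functions and runs them on constructed input. The secret patterns, the allowance for `.env.example`/`.env.sample`/`.env.template`, the treatment of `HEALTHCHECK NONE` as missing, and the demo files are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the project's security.yml): local versions of the
# secret-scanning and dockerfile-lint checks described in the README.
# Patterns, the .env.example allowance and the demo files are assumptions.
set -u

# Illustrative secret patterns: an AWS access key id, a PEM private-key
# header, and password/secret/api key/token assigned a quoted literal.
# Values starting with "$" (e.g. "${TOKEN}") are skipped as indirections.
SECRET_RE="AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----|(password|passwd|secret|api[_-]?key|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"'\$][^\"']{7,}"

# check_tracked_files < paths
# Reads tracked paths (one per line, as from `git ls-files`) and fails if
# a .env file (including .env.local etc.) or a .db file is tracked.
# .env.example/.sample/.template are allowed as documented templates.
check_tracked_files() {
    bad=$(grep -E '(^|/)\.env(\.[^/]+)?$|\.db$' \
          | grep -vE '(^|/)\.env\.(example|sample|template)$' || true)
    if [ -n "$bad" ]; then
        printf 'tracked secret-bearing files:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# scan_secrets FILE...  Fails if any file matches SECRET_RE (case-insensitive).
scan_secrets() {
    rc=0
    for f in "$@"; do
        if grep -niE "$SECRET_RE" "$f"; then
            echo "$f: possible hardcoded secret"
            rc=1
        fi
    done
    return $rc
}

# lint_dockerfile FILE
# Fails unless the last USER instruction names a non-root user and a
# HEALTHCHECK other than "HEALTHCHECK NONE" is present.
lint_dockerfile() {
    f=$1
    rc=0
    user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$f" | tail -n 1 | awk '{print $2}')
    case "$user" in
        ''|root|0|root:*|0:*)
            echo "$f: no non-root USER (found: ${user:-none})"
            rc=1 ;;
    esac
    if ! grep -qiE '^[[:space:]]*HEALTHCHECK[[:space:]]' "$f" \
       || grep -qiE '^[[:space:]]*HEALTHCHECK[[:space:]]+NONE' "$f"; then
        echo "$f: missing or disabled HEALTHCHECK"
        rc=1
    fi
    return $rc
}

# report LABEL CMD...  Prints PASS/FAIL for one check without aborting;
# stdin is passed through so piped checks work too.
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Demo on constructed files written to a temp dir and removed afterwards.
run_demo() {
    tmp=$(mktemp -d)
    printf 'FROM alpine\nRUN adduser -D app\nUSER app\nHEALTHCHECK CMD wget -qO- http://127.0.0.1:8080/health || exit 1\n' > "$tmp/Dockerfile.good"
    printf 'FROM alpine\nUSER root\nHEALTHCHECK NONE\n' > "$tmp/Dockerfile.bad"
    printf 'const token = "${API_TOKEN}";\n' > "$tmp/ok.js"
    printf 'const password = "hunter2hunter2";\n' > "$tmp/leak.js"
    report "good Dockerfile"        lint_dockerfile "$tmp/Dockerfile.good"
    report "root + no healthcheck"  lint_dockerfile "$tmp/Dockerfile.bad"
    report "env indirection"        scan_secrets "$tmp/ok.js"
    report "literal password"       scan_secrets "$tmp/leak.js"
    printf 'README.md\n.env.example\nbudget/.env\n' | report "tracked .env" check_tracked_files
    rm -rf "$tmp"
}
run_demo
```

In CI the same functions would be fed `git ls-files` for the tracked-file check and `git ls-files '*Dockerfile*'` for the lint, and each job fails on a non-zero return. The `USER` check deliberately looks at the last `USER` instruction only, since a Dockerfile that switches to root after creating a user still runs as root.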
## Prerequisites
These workflows require a **Gitea Actions runner** to be configured.
Without a runner, the workflows are committed but will not execute.
To set up a runner:
1. Go to Gitea → Site Administration → Actions → Runners. This page only exists when Actions is enabled (`[actions] ENABLED = true` in `app.ini`; it is on by default from Gitea 1.21).
2. Register a runner (Docker-based or shell-based) using the registration token shown there. The runner advertises labels, and the `runs-on` value in `security.yml` must match one of them or the jobs stay queued.
3. The workflows will automatically execute on the next push or PR to `master`, provided Actions is also enabled in this repository's settings.
See: https://docs.gitea.com/usage/actions/overview