xworkmate-app/scripts
Haitao Pan fa161247d3
Ci/vault secrets per platform release (#45)
* chore(security): add gitleaks config allowlisting vendored/test fixtures

Suppress false positives so `gitleaks detect` is clean:
- third_party/* (cargokit ships a public binary-verification key)
- workspace_management_unit_test.dart (obfuscated "token" fixture)
- gatewayruntime/runtime_test.go (hardcoded "device-1" test key pair)

Real leaked secrets are purged from history, not allowlisted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore(security): remove historical secret fixtures

* chore(release): bump build metadata for 1.1.5+2

* chore(release): bump version to 1.1.5+2

* chore(release): bump build metadata for 1.1.5+2

---------

Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>

* ci(release): add TestFlight release matrix

* chore(release): bump version to 1.1.5+2

* chore(release): bump build metadata for 1.1.5+2

* ci(release): add TestFlight release matrix

---------

Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>

* ci(release): load Vault secrets per-platform in build matrix

The build matrix loaded all 17 signing secrets in one shared block for
every platform. vault-action's ignoreNotFound only suppresses path-level
404s, not field-level "No match data" errors, so a single missing field
(e.g. APPLE_MAC_PROVISION_PROFILE_BASE64) failed every leg — including
linux/windows/android that need no Apple secrets.

Split the load into per-OS-family steps gated by matrix.platform:
- Apple (macos/ios): Apple cert + provisioning + keychain + export method
- Windows: WINDOWS_PFX_* + codesign subject
- Android: ANDROID_KEYSTORE_* + key alias/password
Linux requests nothing.

Also drop APP_STORE_CONNECT_* from the build matrix: only
testflight_upload.sh consumes them and it runs in the release job, which
loads them itself. The build matrix no longer depends on them.

Add shell: bash to the Export step (its `{ … } >> $GITHUB_ENV` brace
syntax is bash-only and would fail under the default pwsh on windows).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Haitao Pan <haitao.pan@xworkmate.ai>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Haitao Pan <manbuzhe2009@qq.com>
2026-06-29 15:56:26 +08:00
| Name | Last commit | Date |
| --- | --- | --- |
| ci | Ci/vault secrets per platform release (#45) | 2026-06-29 15:56:26 +08:00 |
| docs | docs: add public API engineering docs | 2026-04-16 13:54:33 +08:00 |
| check-apple-export-compliance.sh | chore: add ios release verification assets | 2026-05-25 08:54:48 +08:00 |
| check-no-app-ffi.sh | fix(ci): drop ripgrep dependency from check-no-app-ffi.sh | 2026-06-05 19:29:39 +08:00 |
| check-xworkmate-bridge-service.sh | chore(bridge): update SSH inspection script to target xworkmate-bridge.svc.plus and Caddy config | 2026-04-17 16:28:22 +08:00 |
| codex-acp-service-common.sh | feat(scripts): add codex acp native service helpers | 2026-03-25 14:21:46 +08:00 |
| codex-acp-service-linux.sh | feat(scripts): add codex acp native service helpers | 2026-03-25 14:21:46 +08:00 |
| codex-acp-service-macos.sh | feat(scripts): add codex acp native service helpers | 2026-03-25 14:21:46 +08:00 |
| codex-acp-service.sh | feat(scripts): add codex acp native service helpers | 2026-03-25 14:21:46 +08:00 |
| create-dmg.sh | fix(build): improve DMG styling stability and Finder volume discovery | 2026-04-19 15:21:58 +08:00 |
| ensure-framework-dsyms.sh | chore: add ios release verification assets | 2026-05-25 08:54:48 +08:00 |
| install-flutter-mac-dmg.sh | fix(build): resolve macOS packaging and installation failures | 2026-04-19 12:45:47 +08:00 |
| install-xworkmate-app.sh | feat: add one-line XWorkmate installer (#42) | 2026-06-29 15:48:49 +08:00 |
| linux-postinst.sh | feat: add linux desktop parity scaffolding | 2026-03-16 17:58:37 +08:00 |
| linux-postrm.sh | feat: add linux desktop parity scaffolding | 2026-03-16 17:58:37 +08:00 |
| package-android-apk.sh | Add multi-platform build and release workflow | 2026-03-21 10:08:12 +08:00 |
| package-flutter-mac-app.sh | fix: allow unsigned macos CI packaging | 2026-06-18 17:16:13 +08:00 |
| package-ios-ipa.sh | fix: repair cross-platform release CI gating | 2026-04-14 13:48:04 +08:00 |
| package-linux-deb.sh | fix: repair cross-platform release CI gating | 2026-04-14 13:48:04 +08:00 |
| package-linux-rpm.sh | fix: repair cross-platform release CI gating | 2026-04-14 13:48:04 +08:00 |
| package-linux.sh | fix: repair cross-platform release CI gating | 2026-04-14 13:48:04 +08:00 |
| package-macos-app-store-pkg.sh | Ci/vault secrets per platform release (#45) | 2026-06-29 15:56:26 +08:00 |
| package-windows-msi.ps1 | fix: repair cross-platform release CI gating | 2026-04-14 13:48:04 +08:00 |
| validate-macos-app-bundle.sh | fix: support macos validation on bash 3 | 2026-06-18 17:27:05 +08:00 |