diff --git a/.claude/settings.json b/.claude/settings.json index b8d0bd970..524891982 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -1,4 +1,12 @@ { + "permissions": { + "deny": [ + "Edit(scripts/**)", + "Write(scripts/**)", + "Edit(.github/workflows/**)", + "Write(.github/workflows/**)" + ] + }, "hooks": { "SessionStart": [ { diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 9d5239dd1..b0607826b 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -35,3 +35,7 @@ jobs: uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN_LKLIMEK }} + claude_args: | + --model opus + --allowedTools 'Bash(git fetch *),Bash(git merge *),Bash(git checkout *),Bash(git rebase *),Bash(git push *),Bash(scripts/safe-cargo.sh build *),Bash(scripts/safe-cargo.sh test *),Bash(scripts/safe-cargo.sh clippy *),Bash(scripts/safe-cargo.sh +nightly fmt *),Bash(scripts/safe-cargo.sh fmt *)' + --disallowedTools 'Bash(cargo *)' diff --git a/CLAUDE.md b/CLAUDE.md index a1552d670..4d92446c2 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -35,6 +35,17 @@ Test locations: Always run `cargo clippy` and `cargo +nightly fmt` when finalizing your work. +## CI: Safe Cargo Wrapper + +In GitHub Actions (Claude Code workflow), use `scripts/safe-cargo.sh` instead of `cargo` directly. This wrapper strips CI secrets from the environment before running cargo, preventing build scripts from accessing credentials. + +```bash +scripts/safe-cargo.sh build --all-features +scripts/safe-cargo.sh test --all-features --workspace +scripts/safe-cargo.sh clippy --all-features --all-targets -- -D warnings +scripts/safe-cargo.sh +nightly fmt --all +``` + ## Architecture Overview **Dash Evo Tool** is a cross-platform GUI application (Rust + egui) for interacting with Dash Evolution. It enables DPNS username registration, contest voting, state transition viewing, wallet management, and identity operations across Mainnet/Testnet/Devnet. diff --git a/scripts/safe-cargo.sh b/scripts/safe-cargo.sh new file mode 100755 index 000000000..b299eaa3f --- /dev/null +++ b/scripts/safe-cargo.sh @@ -0,0 +1,44 @@ +#!/bin/bash +set -euo pipefail +# +# safe-cargo.sh — Run cargo without CI secrets leaking to build scripts. +# +# WHY THIS FILE EXISTS +# -------------------- +# Cargo build scripts (build.rs / proc-macros) execute arbitrary code during +# compilation. In CI the runner environment contains secrets such as +# CLAUDE_CODE_OAUTH_TOKEN and GITHUB_TOKEN. A compromised or malicious +# dependency could read those variables and exfiltrate them. +# +# This wrapper uses `env -i` (an allowlist approach) so that cargo and every +# child process it spawns start with only the variables listed below. +# Any new secret added to CI in the future is automatically excluded without +# having to update a denylist. +# +# USAGE (GitHub Actions) +# scripts/safe-cargo.sh build --all-features +# scripts/safe-cargo.sh test --all-features --workspace +# scripts/safe-cargo.sh clippy --all-features --all-targets -- -D warnings +# scripts/safe-cargo.sh +nightly fmt --all +# + +# Build the environment allowlist. Only pass variables that are set +# to avoid empty values confusing tools (e.g. PROTOC="" breaks prost). +ENV_ARGS=( + HOME="$HOME" + PATH="$PATH" + CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}" + RUSTUP_HOME="${RUSTUP_HOME:-$HOME/.rustup}" + TMPDIR="${TMPDIR:-/tmp}" + LANG="${LANG:-C.UTF-8}" + TERM="${TERM:-dumb}" +) + +# Conditionally pass optional variables only if they are set and non-empty. +for var in PROTOC CC CXX PKG_CONFIG_PATH USER SHELL; do + if [ -n "${!var:-}" ]; then + ENV_ARGS+=("$var=${!var}") + fi +done + +exec env -i "${ENV_ARGS[@]}" cargo "$@"