auth/env hardening and reliability updates

.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [ master, dev ]
+    branches: [ main, dev ]
   pull_request:
-    branches: [ master, dev ]
+    branches: [ main, dev ]
 
 jobs:
   test:
@@ -17,14 +17,17 @@ jobs:
     - name: Setup Bun
       uses: oven-sh/setup-bun@v2
       with:
-        bun-version: latest
+        bun-version: 1.3.3
 
     - name: Install dependencies
       run: bun install --frozen-lockfile
 
     - name: Type check
       run: bun run tsc --noEmit
 
+    - name: Run unit tests
+      run: bun run test:unit
+
     - name: Build frontend
       run: bun run build
 
@@ -54,7 +57,7 @@ jobs:
     - name: Setup Bun
       uses: oven-sh/setup-bun@v2
       with:
-        bun-version: latest
+        bun-version: 1.3.3
 
     - name: Install dependencies
       run: bun install --frozen-lockfile
@@ -71,16 +74,51 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v4
 
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v2
+      with:
+        bun-version: 1.3.3
+
+    - name: Install dependencies
+      run: bun install --frozen-lockfile
+
     - name: Run security audit
       run: |
-        bun audit || true  # Don't fail on audit issues for now
+        audit_log="$(mktemp)"
+        last_exit=0
+        for attempt in 1 2 3; do
+          if bun audit >"$audit_log" 2>&1; then
+            cat "$audit_log"
+            rm -f "$audit_log"
+            exit 0
+          else
+            audit_exit=$?
+            last_exit=$audit_exit
+            last_attempt=$attempt
+            if [ "$attempt" -lt 3 ]; then
+              echo "bun audit failed (attempt $attempt), retrying..."
+              sleep 5
+            fi
+          fi
+        done
+
+        audit_output="$(cat "$audit_log")"
+        echo "bun audit failed after ${last_attempt:-3} attempts with exit code ${last_exit}"
+        if grep -Eiq 'network|registry|ENOTFOUND|ECONNREFUSED|EAI_AGAIN|ETIMEDOUT' <<< "$audit_output"; then
+          echo "bun audit failed after retries due to network/registry error: $audit_output"
+        else
+          echo "bun audit failed after retries - vulnerabilities detected: $audit_output"
+        fi
+        rm -f "$audit_log"
+        exit 1
 
     - name: Check for secrets
-      uses: trufflesecurity/trufflehog@main
+      # Pinned to immutable commit (v3.93.4) for supply-chain safety.
+      # Maintenance: periodically verify this SHA still corresponds to the intended upstream release.
+      uses: trufflesecurity/trufflehog@7c0734f987ad0bb30ee8da210773b800ee2016d3
       with:
         path: ./
         extra_args: --debug --only-verified
-      continue-on-error: true
 
   docker:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -1,8 +1,6 @@
 name: Release
 
 on:
-  push:
-    branches: [ master ]
   workflow_dispatch:
     inputs:
       version:
@@ -13,7 +11,7 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/master' && github.event_name == 'workflow_dispatch'
+    if: github.ref == 'refs/heads/main' && github.event_name == 'workflow_dispatch'
     permissions:
       contents: write
       pull-requests: write
@@ -31,7 +29,7 @@ jobs:
     - name: Setup Bun
       uses: oven-sh/setup-bun@v2
       with:
-        bun-version: latest
+        bun-version: 1.3.3
 
     - name: Install dependencies
       run: bun install --frozen-lockfile
@@ -73,6 +71,12 @@ jobs:
         echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
         echo "version_number=${NEW_VERSION#v}" >> $GITHUB_OUTPUT
 
+    - name: Type check
+      run: bun run tsc --noEmit
+
+    - name: Run backend tests
+      run: bun run test:unit
+
     - name: Build application
       run: bun run build
 
@@ -122,28 +126,27 @@ jobs:
           --exclude=.git \
           --exclude=release \
           --exclude=frontend \
-          src static package.json bun.lock tsconfig.json dockerfile compose.yml README.md LICENSE
+          src static package.json bun.lock tsconfig.json Dockerfile compose.yml README.md LICENSE
 
     - name: Create release tag
       run: |
         # Create git tag for release (works with branch protection)
-        # Note: Version changes are not committed back to master due to branch protection
+        # Note: Version changes are not committed back to main due to branch protection
         # The release archives will contain the correct versions
         git tag ${{ steps.new_version.outputs.new_version }}
         git push origin ${{ steps.new_version.outputs.new_version }}
 
-    - name: Create GitHub Release
-      uses: actions/create-release@v1
-      id: create_release
+    - name: Create GitHub release and upload assets
+      uses: softprops/action-gh-release@v2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
         tag_name: ${{ steps.new_version.outputs.new_version }}
-        release_name: Release ${{ steps.new_version.outputs.new_version }}
+        name: Release ${{ steps.new_version.outputs.new_version }}
         body: |
           ## Changes in ${{ steps.new_version.outputs.new_version }}
 
-          See [CHANGELOG.md](https://github.com/FROSTR-ORG/igloo-server/blob/master/CHANGELOG.md) for full details.
+          See [CHANGELOG.md](https://github.com/FROSTR-ORG/igloo-server/blob/main/CHANGELOG.md) for full details.
 
           ### Installation
 
@@ -162,26 +165,9 @@ jobs:
           ```
         draft: false
         prerelease: false
-
-    - name: Upload source archive
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }}
-        asset_path: ./release/igloo-server-${{ steps.new_version.outputs.version_number }}-src.tar.gz
-        asset_name: igloo-server-${{ steps.new_version.outputs.version_number }}-src.tar.gz
-        asset_content_type: application/gzip
-
-    - name: Upload binary archive
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }}
-        asset_path: ./release/igloo-server-${{ steps.new_version.outputs.version_number }}.tar.gz
-        asset_name: igloo-server-${{ steps.new_version.outputs.version_number }}.tar.gz
-        asset_content_type: application/gzip
+        files: |
+          ./release/igloo-server-${{ steps.new_version.outputs.version_number }}-src.tar.gz
+          ./release/igloo-server-${{ steps.new_version.outputs.version_number }}.tar.gz
 
   docker:
     runs-on: ubuntu-latest
@@ -191,7 +177,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v4
       with:
-        ref: master
+        ref: refs/tags/${{ needs.release.outputs.new_version }}
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3

.github/workflows/umbrel-dev.yml

@@ -3,7 +3,7 @@ name: Umbrel Dev Image
 on:
   push:
     branches:
-      - master
+      - main
       - dev
   workflow_dispatch:
 
@@ -39,11 +39,16 @@ jobs:
 
       - name: Smoke test Umbrel image
         run: |
+          set -e
+          cleanup() {
+            docker rm -f umbrel-dev-test >/dev/null 2>&1 || true
+          }
+          trap cleanup EXIT
+
           docker run -d --name umbrel-dev-test -p 8003:8002 \
             -e ADMIN_SECRET=ci-admin-secret \
             -e ALLOWED_ORIGINS=http://localhost:8003 \
             -e TRUST_PROXY=true \
             igloo-server-umbrel:dev-ci
           sleep 12
           curl -f http://localhost:8003/api/status
-          docker rm -f umbrel-dev-test

.gitignore

@@ -64,7 +64,7 @@ data/.session-secret
 test-*.sh
 debug-*.js
 verify-*.md
-.DS_Store
+test-results/
 
 # LLM files
 .claude

Dockerfile

@@ -1,5 +1,5 @@
 # Multi-stage build for smaller production image
-FROM oven/bun:latest AS build
+FROM oven/bun:1.3.10 AS build
 
 WORKDIR /app
 
@@ -21,7 +21,7 @@ COPY tsconfig.json ./
 RUN bun run build
 
 # --- Production stage ---
-FROM oven/bun:latest AS production
+FROM oven/bun:1.3.10 AS production
 
 WORKDIR /app