diff --git a/.github/workflows/sync-cnb.yml b/.github/workflows/sync-cnb.yml
index f8f6be62..f6198813 100644
--- a/.github/workflows/sync-cnb.yml
+++ b/.github/workflows/sync-cnb.yml
@@ -88,7 +88,10 @@ jobs:
 if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
 TAG="${GITHUB_REF#refs/tags/}"
- push_with_retry "tag ${TAG}" "refs/tags/${TAG}:refs/tags/${TAG}"
+ # Release tags may be repointed while rebuilding a failed
+ # publish attempt. CNB is a one-way mirror, so force the tag
+ # there to match GitHub instead of failing on "already exists".
+ push_with_retry "tag ${TAG}" "+refs/tags/${TAG}:refs/tags/${TAG}"
 elif [[ "${GITHUB_REF}" == refs/heads/main ]]; then
 # Plain --force. The CNB mirror is one-way by design —
 # nothing else pushes to it, so there's no contributor work
diff --git a/SECURITY.md b/SECURITY.md
index f5388083..0acf247a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -19,8 +19,8 @@ Check the [releases page](https://github.com/Hmbown/DeepSeek-TUI/releases) for t
 Report privately via one of:
-- **Email**: [hmbown.dev@gmail.com](mailto:hmbown.dev@gmail.com) — include `[SECURITY]` in the subject line
 - **GitHub private advisory**: [github.com/Hmbown/DeepSeek-TUI/security/advisories/new](https://github.com/Hmbown/DeepSeek-TUI/security/advisories/new)
+- **Email**: [security@deepseek-tui.com](mailto:security@deepseek-tui.com) — include `[SECURITY]` in the subject line
 Include in your report:
diff --git a/scripts/release/check-versions.sh b/scripts/release/check-versions.sh
index d22a28f7..3fbda7ed 100755
--- a/scripts/release/check-versions.sh
+++ b/scripts/release/check-versions.sh
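Review bot: The `+` refspec on the new `push_with_retry "tag ${TAG}"` line overwrites the mirror tag unconditionally and leaves no record of what it replaced, so any repointed release tag, intended or not, reaches CNB silently. Anyone fetching a release from the mirror by tag name then gets different content under the same name with no signal that it changed. Consider logging the mirror's current tag target before forcing, for example `git ls-remote --tags <cnb-remote> "refs/tags/${TAG}"` (the remote name is a placeholder; it is not visible in this hunk), and extending the comment with `# Mirror tags are therefore mutable; verify releases by commit SHA, not tag name.` The enclosing `run:` script and `push_with_retry` itself are defined outside the hunk.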
@@ -9,7 +9,8 @@
 # `version` in the root `Cargo.toml`.
 # 3. Internal `deepseek-*` path dependency pins match the workspace version.
 # 4. The TUI crate's packaged changelog copy matches root `CHANGELOG.md`.
-# 5. `Cargo.lock` is in sync with the manifests (`cargo metadata --locked`
+# 5. `SECURITY.md` keeps the dedicated security contact.
+# 6. `Cargo.lock` is in sync with the manifests (`cargo metadata --locked`
 # fails if not).
 set -euo pipefail
@@ -51,7 +52,18 @@ if ! cmp -s CHANGELOG.md crates/tui/CHANGELOG.md; then
 fail=1
 fi
-# 5) Cargo.lock in sync.
+# 5) Security contact guard.
+security_email="security@deepseek-tui.com"
+if ! grep -qF "${security_email}" SECURITY.md; then
+ echo "::error::SECURITY.md must list ${security_email} as the security contact." >&2
+ fail=1
+fi
+if grep -qF "hmbown.dev@gmail.com" SECURITY.md; then
+ echo "::error::SECURITY.md must not use the personal fallback email; use ${security_email}." >&2
+ fail=1
+fi
+
+# 6) Cargo.lock in sync.
 if ! cargo metadata --locked --format-version 1 --no-deps >/dev/null 2>&1; then
 echo "::error::Cargo.lock is out of sync with the manifests. Run 'cargo update -p deepseek-tui' or 'cargo build' and commit the result." >&2
 fail=1
diff --git a/web/components/footer.tsx b/web/components/footer.tsx
index 443f50c8..ba5f6af5 100644
--- a/web/components/footer.tsx
+++ b/web/components/footer.tsx
@@ -127,8 +127,8 @@ export function Footer({ locale = "en" }: { locale?: Locale }) {
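Review bot: Both `grep -qF` checks in the added security-contact guard are substring matches, so the first one also passes on a look-alike address whose domain merely starts with `security@deepseek-tui.com`, which is exactly the case a guard on a vulnerability-report channel should catch. Matching the link form that SECURITY.md uses is tighter: `if ! grep -qF "](mailto:${security_email})" SECURITY.md; then`. The guard also reads only SECURITY.md, while this commit places the same address in `web/components/footer.tsx`; if the intent is one canonical contact, those copies are not protected from drift. A missing SECURITY.md would be reported as a wrong contact rather than a missing file, because grep's error exit is handled the same way as no match.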
- {isZh ? "咨询、投资、研究合作、媒体采访 — " : "For consulting, investors, researchers, or press — "} - hunter@shannonlabs.dev + {isZh ? "安全报告、负责任披露、漏洞协调 — " : "For security reports, responsible disclosure, or vulnerability coordination — "} + security@deepseek-tui.com
© {new Date().getFullYear()} · DeepSeek TUI · Hmbown diff --git a/website/index.html b/website/index.html index 9c1f1f99..1f3a4de4 100644 --- a/website/index.html +++ b/website/index.html @@ -546,7 +546,7 @@ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh Docs Issues Support - Contact + Security

Not affiliated with DeepSeek Inc.

© DeepSeek TUI contributors. MIT License.

diff --git a/website/zh/index.html b/website/zh/index.html index f3be5c76..4f939015 100644 --- a/website/zh/index.html +++ b/website/zh/index.html @@ -553,7 +553,7 @@ chmod +x ~/.local/bin/deepseek ~/.local/bin/deepseek-tui 文档 Issues 赞助 - 联系 + 安全

本项目与 DeepSeek Inc. 无隶属关系。

© DeepSeek TUI contributors. MIT License.