Tauri Ecosystem Security
Our Tauri organization ecosystem is hosted on GitHub and makes use of several of its features to make our repositories more resilient against adversaries targeting our source code and releases.
To reduce risk and to comply with commonly adopted best practices, we have the following methods in place.
Build Pipelines
The process of releasing our source-code artifacts is highly automated in GitHub build pipelines using GitHub Actions, yet it mandates kickoff and review by real humans.
Signed Commits
Our core repositories require signed commits to reduce the risk of impersonation and to allow identification of attributed commits after detection of a possible compromise.
Code Review
All Pull Requests (PRs) merged into our repositories need approval from at least one maintainer of the project, which in most cases is the working group. Code is generally reviewed in PRs, and default security workflows and checks are run to ensure the code adheres to common standards.
Release Process
Our working group reviews code changes, tags PRs with their scope, and makes sure that everything stays up to date. We strive to internally audit all security-relevant PRs before publishing minor and major releases.
When it's time to publish a new version, one of the maintainers tags a new release on dev, which:

- Validates core
- Runs tests
- Audits security for crates and npm
- Generates changelogs
- Creates artifacts
- Creates a draft release
Then the maintainer reviews the release notes, edits them if necessary, and a new release is forged.