build(deps): bump actions/setup-java from 4 to 5#3
Open
dependabot[bot] wants to merge 1 commit into
Open
Conversation
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
miningtheblocks
added a commit
that referenced
this pull request
Jun 17, 2026
… distribuido
Tres CRIT del audit Round 2 que comparten el área del mint processor + feed
realtime multiplayer. Eran independientes pero juntos cierran el bloque
"robustez onchain + realtime":
1. Schema canónico `minedAt` en mineCube.
Antes se escribía `ts: Date.now()` en mined/{cubeId}, pero
firestore.indexes.json declara mined[K, minedAt DESC] y DynamicCube201.js
subscribe con orderBy('minedAt', 'desc'). El index quedaba unused y el
feed multiplayer recibía snapshot vacío — solo aparentaba funcionar
por el optimistic local update del usuario que minó.
(Agentes #2 CRIT + #5 CRIT-1 + #12 cross-ref)
2. tx.wait(SAFE_CONFIRMATIONS=30) en runMintProcessing.
Polygon PoS confirma checkpoints cada ~30min y reorgs de hasta 100
bloques se observaron históricamente. tx.wait() sin parámetro vuelve al
primer block include — un reorg posterior puede revertir el mint
mientras Firestore ya tiene status:completed. User queda sin NFT
on-chain y sin trail para reclamo.
30 bloques @ ~2.2s ≈ 66s extra de espera por mint. Aceptable para un
cron 5min con queue chica; reduce a ~0% el riesgo de "NFT fantasma".
(Agentes #3 CRIT-6 + #8 CRIT-1)
3. Lock distribuido en `runtime/mintProcessor` con TTL 10min.
Antes, `processPendingMints` (onCall admin manual) y
`mintProcessorScheduled` (onSchedule cron 5min) podían correr
concurrentes y enviaban mintGem() con el MISMO nonce de la company
wallet → una falla con "nonce too low", MATIC quemado en gas, race
en doc.status=processing, backlog stuck.
Lock pattern: TX read snapshot, check expiresAt, write si libre.
Auto-release en finally + TTL backup si el worker crashea. Las rules
son default-deny para /runtime/* — cliente no puede tocarlo.
(Agentes #3 CRIT-4 + #8 CRIT-3)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 4 to 5. - [Release notes](https://github.com/actions/setup-java/releases) - [Commits](actions/setup-java@v4...v5) --- updated-dependencies: - dependency-name: actions/setup-java dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
ef5acf1 to
403f34f
Compare
miningtheblocks
added a commit
that referenced
this pull request
Jun 17, 2026
Postmortem 2026-06-17: el password de @miningtheblock__miningtheblocks.jks
(y del mtb-release.keystore previo) se perdió. 2 candidates en Bitwarden
no abrieron ninguno → v1.1.0 release en GitHub firmada con cert
84eb85b5... quedó deprecated (sin posibilidad de update OTA encadenada).
Acciones tomadas:
- Generado mtb-release-v2.keystore (PKCS12, RSA-4096, SHA384,
validity 10000 días). Cert SHA-256 BF:8F:25:AC:...:4D:AB:7D:C1.
- Password guardada en Bitwarden ANTES de generar el keystore
(workflow corregido — evita repetir el mismo error).
- 2/3 backups offline ya hechos: Bitwarden Notes (base64 del .gpg)
+ Email a miningtheblocks@gmail.com con .gpg adjunto. Backup #3
USB físico pendiente (task #53).
- v1.1.0 GitHub release marcada prerelease + body con warning de
deprecation. Latest ya no apunta a v1.1.0.
- Keystore obsoleto @miningtheblock__miningtheblocks.jks removido
del working tree del repo (estaba ahí por accidente, gitignored
pero exponía superficie innecesaria).
Impacto real del incidente: 0. Smoke test fase, sin users reales con
v1.1.0 instalado. La keystore nueva es la canonical desde 2026-06-17.
RUNBOOK actualizado:
- Quick reference: nueva keystore path + hashes documentados.
- Sección "Keystore JKS pérdida": mitigación pre-incident con los
3 mediums actualmente en uso (Bitwarden + Gmail + USB pendiente).
- Postmortem completo con root cause + acción correctiva.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 18, 2026
Agente #3 CRIT-5 del audit Round 2: Pinata era SPOF — outage / DMCA / cierre de cuenta = NFTs sin imagen para siempre. Sin mitigación. Solución: multi-pin a Filebase como mirror redundante. Cambios: - scripts/_ipfs_pin.js NUEVO: helper compartido con pinFile() + pinJSON() que sube en paralelo a Pinata (canónico) + Filebase (mirror via S3 con AWS SDK). Si Filebase falla, queda warning y continúa (single-pin legacy fallback con warning explícito). - scripts/upload-to-ipfs.js: refactor para usar _ipfs_pin.pinFile(). Output muestra ambos CIDs por gem, indica si matchean (mismo chunker) o difieren (Pinata CIDv1 raw vs Filebase CIDv0 dag-pb). - scripts/upload-metadata-to-ipfs.js: ídem con pinJSON(). - @aws-sdk/client-s3 agregado como devDependency (no va al APK; solo scripts admin). Verificado end-to-end 2026-06-17: - 9 PNG gems re-uploaded → Pinata CIDs idénticos a los del IMAGE_CIDS existente (confirma determinismo content-addressed) - Filebase mirror: 9 PNGs + 9 JSONs nuevos CIDs Qm... registrados en RUNBOOK como failover plan. Failover plan documentado en RUNBOOK.md → DR scenario #13: - Filebase mirror CIDs documentados explícitos - Pasos para regenerar metadata con CIDs Filebase si Pinata cae permanente - Mitigación parcial para NFTs ya minteados (tokenURI on-chain inmutable) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
Smart contract V2 (cierra CRIT-S1/S2/S3 + MED-S1 + HIGH-S1): - Deploy: 0x2933Ff14AdeC0a4D74aD8380E5c491321bBd3195 (Polygon mainnet, verified) - AccessControl 2-of-3 Safe (0x83a3F5...86aCD) ADMIN+PAUSER, EOA nftv2 MINTER - Supply caps inmutables por tier [1,1,5,50,100,500,1000,4000,10000] - tokenURI canónico por tier (caller no controla URI) - renounceRole(ADMIN) bloqueado (anti-bricking) - functions/index.js: ABI actualizado (mintGem 3 args sin tokenURI_) Backend fixes (batch 3): - #2 HIGH-1 cross-attribution USDC: senderWalletAddress opt-in + match con event.args.from - #4 HIGH-M1 gem-loss window: gem + pendingMint dentro del TX con docIds determinísticos - #4 HIGH-R1 cap referrer bonus: 50 invitados rewarded max (campo referralsRewarded) - #2 HIGH-2 rateLimits TTL: expiresAt usa Timestamp.fromMillis - #3 MED-4 Sentry PII scrubber: beforeSend + beforeBreadcrumb sobre email/wallet/phone Build / Deploy (batch 1): - #9 HIGH-1 credentialsSource:local en eas.json production - #9 HIGH-3 versionCode:5 en app.json - #9 HIGH-4 runtimeVersion appVersion en app.json - #9 HIGH-7 MTB-v1.1.0.apk.sha256 copiado a docs/ - #9 HIGH-8 download URL -> releases/latest Supply chain (batch 1+2): - #5 HIGH-2 nodemailer ^8.0.10 -> ^9.0.1 - #5 HIGH-3 npm overrides ws@^8.21.0 + undici@^6.27.0 - #5 HIGH-4 npm audit en root agregado al CI - #5 HIGH-5 @cyclonedx/cdxgen pinned a 11.5.0 (no @latest) Privacy / Legal (batch 1+2): - #8 HIGH-1 retention 5y AML/KYC explícito (EN + ES) - #8 HIGH-2 governing law: Argentina/Buenos Aires (EN + ES) - #8 HIGH-8 clarificado solo email+password sin OAuth Apple/Google (EN + ES) Frontend security (batch 2): - #3 HIGH-1 verify.html inline script -> public/verify.js + removido unsafe-inline - #3 HIGH-2 el() helper sin innerHTML Web / SEO / a11y (batch 1+2): - #10 HIGH-5 frame-buster JS anti-clickjacking - #10 HIGH-6 docs/robots.txt + docs/sitemap.xml - #10 HIGH-7 OG + Twitter Card + canonical en docs/index.html - #10 HIGH-8 label for=... en form inputs + .sr-only utility Smart contract tooling: - contracts/MTBGemsV2.sol (source) + contracts_build/ (hardhat 0.8.27 cancun, 17/17 tests) Pre-commit hook: refinado patrón anti-secret para no flagear tx hashes públicos en docs y constantes role de OpenZeppelin. Pendiente acción manual (documentado en PENDING_FIXES.md): - cd functions && npm install - firebase deploy --only functions / --only hosting - GitHub Settings -> Pages -> Enforce HTTPS - DNS records SPF/DMARC/CAA en Cloudflare Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
Doc en RUNBOOK de las copias offline del keystore release v2 hechas el 2026-06-23: - Copia #1: Hitachi sda /run/media/code/datos/keystore-backup-2026-06-23/ - Copia #2: USB Kingston DT 101 G2 (DataTraveler, extraído físicamente) - Copia #3: off-site (pendiente) Test recovery EXITOSO 2026-06-23: descifrado con password de Bitwarden, SHA-256 raw matches 36785fb2...af9f6f64. Próximo test recovery 2027-Q1. Pre-fix: 1 keystore + 1 .gpg, ambos en el MISMO disco sdb (PNY SSD). Disk failure = bricked release line forever (mismo modo del v1 perdido). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/setup-java from 4 to 5.
Release notes
Sourced from actions/setup-java's releases.
... (truncated)
Commits
ad2b381Bump@vercel/nccfrom 0.38.1 to 0.44.0 (#1018)b24df5bMake the Adoptopenjdk package type look at the Temurin repo first for latest ...43120bcImplement pagination with link headers for Adoptium based apis (#1014)ad9d6a6Bump@types/nodefrom 24.1.0 to 25.9.3 (#950)039af37Bump picomatch,@types/jest, jest, jest-circus and ts-jest (#1016)1756ab6Bump eslint-config-prettier from 8.10.0 to 10.1.8 (#881)662bb59Bump@typescript-eslint/eslint-pluginfrom 8.35.1 to 8.46.2 (#952)1071fc1fix: resolve npm audit vulnerabilities in fast-xml-builder and fast-xml-parse...576b821Merge pull request #674 from gdams/alpine307d3a2update readme for ubuntu sudo java_home behavior (#1013)