Skip to content

build(deps): bump actions/setup-java from 4 to 5#3

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-java-5
Open

build(deps): bump actions/setup-java from 4 to 5#3
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-java-5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown

Bumps actions/setup-java from 4 to 5.

Release notes

Sourced from actions/setup-java's releases.

v5.0.0

What's Changed

Breaking Changes

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency Upgrades

Bug Fixes

New Contributors

Full Changelog: actions/setup-java@v4...v5.0.0

v4.8.0

What's Changed

Full Changelog: actions/setup-java@v4...v4.8.0

v4.7.1

What's Changed

Documentation changes

Dependency updates:

Full Changelog: actions/setup-java@v4...v4.7.1

v4.7.0

What's Changed

... (truncated)

Commits
  • ad2b381 Bump @​vercel/ncc from 0.38.1 to 0.44.0 (#1018)
  • b24df5b Make the Adoptopenjdk package type look at the Temurin repo first for latest ...
  • 43120bc Implement pagination with link headers for Adoptium based apis (#1014)
  • ad9d6a6 Bump @​types/node from 24.1.0 to 25.9.3 (#950)
  • 039af37 Bump picomatch, @​types/jest, jest, jest-circus and ts-jest (#1016)
  • 1756ab6 Bump eslint-config-prettier from 8.10.0 to 10.1.8 (#881)
  • 662bb59 Bump @​typescript-eslint/eslint-plugin from 8.35.1 to 8.46.2 (#952)
  • 1071fc1 fix: resolve npm audit vulnerabilities in fast-xml-builder and fast-xml-parse...
  • 576b821 Merge pull request #674 from gdams/alpine
  • 307d3a2 update readme for ubuntu sudo java_home behavior (#1013)
  • Additional commits viewable in compare view

@dependabot @github

dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

miningtheblocks added a commit that referenced this pull request Jun 17, 2026
… distribuido

Tres CRIT del audit Round 2 que comparten el área del mint processor + feed
realtime multiplayer. Eran independientes pero juntos cierran el bloque
"robustez onchain + realtime":

1. Schema canónico `minedAt` en mineCube.

   Antes se escribía `ts: Date.now()` en mined/{cubeId}, pero
   firestore.indexes.json declara mined[K, minedAt DESC] y DynamicCube201.js
   subscribe con orderBy('minedAt', 'desc'). El index quedaba unused y el
   feed multiplayer recibía snapshot vacío — solo aparentaba funcionar
   por el optimistic local update del usuario que minó.
   (Agentes #2 CRIT + #5 CRIT-1 + #12 cross-ref)

2. tx.wait(SAFE_CONFIRMATIONS=30) en runMintProcessing.

   Polygon PoS confirma checkpoints cada ~30min y reorgs de hasta 100
   bloques se observaron históricamente. tx.wait() sin parámetro vuelve al
   primer block include — un reorg posterior puede revertir el mint
   mientras Firestore ya tiene status:completed. User queda sin NFT
   on-chain y sin trail para reclamo.

   30 bloques @ ~2.2s ≈ 66s extra de espera por mint. Aceptable para un
   cron 5min con queue chica; reduce a ~0% el riesgo de "NFT fantasma".
   (Agentes #3 CRIT-6 + #8 CRIT-1)

3. Lock distribuido en `runtime/mintProcessor` con TTL 10min.

   Antes, `processPendingMints` (onCall admin manual) y
   `mintProcessorScheduled` (onSchedule cron 5min) podían correr
   concurrentes y enviaban mintGem() con el MISMO nonce de la company
   wallet → una falla con "nonce too low", MATIC quemado en gas, race
   en doc.status=processing, backlog stuck.

   Lock pattern: TX read snapshot, check expiresAt, write si libre.
   Auto-release en finally + TTL backup si el worker crashea. Las rules
   son default-deny para /runtime/* — cliente no puede tocarlo.
   (Agentes #3 CRIT-4 + #8 CRIT-3)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 4 to 5.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump actions/setup-java from 4 to 5 build(deps): bump actions/setup-java from 4 to 5 Jun 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-java-5 branch from ef5acf1 to 403f34f Compare June 17, 2026 16:32
miningtheblocks added a commit that referenced this pull request Jun 17, 2026
Postmortem 2026-06-17: el password de @miningtheblock__miningtheblocks.jks
(y del mtb-release.keystore previo) se perdió. 2 candidates en Bitwarden
no abrieron ninguno → v1.1.0 release en GitHub firmada con cert
84eb85b5... quedó deprecated (sin posibilidad de update OTA encadenada).

Acciones tomadas:
  - Generado mtb-release-v2.keystore (PKCS12, RSA-4096, SHA384,
    validity 10000 días). Cert SHA-256 BF:8F:25:AC:...:4D:AB:7D:C1.
  - Password guardada en Bitwarden ANTES de generar el keystore
    (workflow corregido — evita repetir el mismo error).
  - 2/3 backups offline ya hechos: Bitwarden Notes (base64 del .gpg)
    + Email a miningtheblocks@gmail.com con .gpg adjunto. Backup #3
    USB físico pendiente (task #53).
  - v1.1.0 GitHub release marcada prerelease + body con warning de
    deprecation. Latest ya no apunta a v1.1.0.
  - Keystore obsoleto @miningtheblock__miningtheblocks.jks removido
    del working tree del repo (estaba ahí por accidente, gitignored
    pero exponía superficie innecesaria).

Impacto real del incidente: 0. Smoke test fase, sin users reales con
v1.1.0 instalado. La keystore nueva es la canonical desde 2026-06-17.

RUNBOOK actualizado:
  - Quick reference: nueva keystore path + hashes documentados.
  - Sección "Keystore JKS pérdida": mitigación pre-incident con los
    3 mediums actualmente en uso (Bitwarden + Gmail + USB pendiente).
  - Postmortem completo con root cause + acción correctiva.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 18, 2026
Agente #3 CRIT-5 del audit Round 2: Pinata era SPOF — outage / DMCA /
cierre de cuenta = NFTs sin imagen para siempre. Sin mitigación.

Solución: multi-pin a Filebase como mirror redundante.

Cambios:
- scripts/_ipfs_pin.js NUEVO: helper compartido con pinFile() + pinJSON()
  que sube en paralelo a Pinata (canónico) + Filebase (mirror via S3
  con AWS SDK). Si Filebase falla, queda warning y continúa (single-pin
  legacy fallback con warning explícito).
- scripts/upload-to-ipfs.js: refactor para usar _ipfs_pin.pinFile(). Output
  muestra ambos CIDs por gem, indica si matchean (mismo chunker) o
  difieren (Pinata CIDv1 raw vs Filebase CIDv0 dag-pb).
- scripts/upload-metadata-to-ipfs.js: ídem con pinJSON().
- @aws-sdk/client-s3 agregado como devDependency (no va al APK; solo
  scripts admin).

Verificado end-to-end 2026-06-17:
- 9 PNG gems re-uploaded → Pinata CIDs idénticos a los del IMAGE_CIDS
  existente (confirma determinismo content-addressed)
- Filebase mirror: 9 PNGs + 9 JSONs nuevos CIDs Qm... registrados en
  RUNBOOK como failover plan.

Failover plan documentado en RUNBOOK.md → DR scenario #13:
- Filebase mirror CIDs documentados explícitos
- Pasos para regenerar metadata con CIDs Filebase si Pinata cae permanente
- Mitigación parcial para NFTs ya minteados (tokenURI on-chain inmutable)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
Smart contract V2 (cierra CRIT-S1/S2/S3 + MED-S1 + HIGH-S1):
- Deploy: 0x2933Ff14AdeC0a4D74aD8380E5c491321bBd3195 (Polygon mainnet, verified)
- AccessControl 2-of-3 Safe (0x83a3F5...86aCD) ADMIN+PAUSER, EOA nftv2 MINTER
- Supply caps inmutables por tier [1,1,5,50,100,500,1000,4000,10000]
- tokenURI canónico por tier (caller no controla URI)
- renounceRole(ADMIN) bloqueado (anti-bricking)
- functions/index.js: ABI actualizado (mintGem 3 args sin tokenURI_)

Backend fixes (batch 3):
- #2 HIGH-1 cross-attribution USDC: senderWalletAddress opt-in + match con event.args.from
- #4 HIGH-M1 gem-loss window: gem + pendingMint dentro del TX con docIds determinísticos
- #4 HIGH-R1 cap referrer bonus: 50 invitados rewarded max (campo referralsRewarded)
- #2 HIGH-2 rateLimits TTL: expiresAt usa Timestamp.fromMillis
- #3 MED-4 Sentry PII scrubber: beforeSend + beforeBreadcrumb sobre email/wallet/phone

Build / Deploy (batch 1):
- #9 HIGH-1 credentialsSource:local en eas.json production
- #9 HIGH-3 versionCode:5 en app.json
- #9 HIGH-4 runtimeVersion appVersion en app.json
- #9 HIGH-7 MTB-v1.1.0.apk.sha256 copiado a docs/
- #9 HIGH-8 download URL -> releases/latest

Supply chain (batch 1+2):
- #5 HIGH-2 nodemailer ^8.0.10 -> ^9.0.1
- #5 HIGH-3 npm overrides ws@^8.21.0 + undici@^6.27.0
- #5 HIGH-4 npm audit en root agregado al CI
- #5 HIGH-5 @cyclonedx/cdxgen pinned a 11.5.0 (no @latest)

Privacy / Legal (batch 1+2):
- #8 HIGH-1 retention 5y AML/KYC explícito (EN + ES)
- #8 HIGH-2 governing law: Argentina/Buenos Aires (EN + ES)
- #8 HIGH-8 clarificado solo email+password sin OAuth Apple/Google (EN + ES)

Frontend security (batch 2):
- #3 HIGH-1 verify.html inline script -> public/verify.js + removido unsafe-inline
- #3 HIGH-2 el() helper sin innerHTML

Web / SEO / a11y (batch 1+2):
- #10 HIGH-5 frame-buster JS anti-clickjacking
- #10 HIGH-6 docs/robots.txt + docs/sitemap.xml
- #10 HIGH-7 OG + Twitter Card + canonical en docs/index.html
- #10 HIGH-8 label for=... en form inputs + .sr-only utility

Smart contract tooling:
- contracts/MTBGemsV2.sol (source) + contracts_build/ (hardhat 0.8.27 cancun, 17/17 tests)

Pre-commit hook: refinado patrón anti-secret para no flagear tx hashes públicos
en docs y constantes role de OpenZeppelin.

Pendiente acción manual (documentado en PENDING_FIXES.md):
- cd functions && npm install
- firebase deploy --only functions / --only hosting
- GitHub Settings -> Pages -> Enforce HTTPS
- DNS records SPF/DMARC/CAA en Cloudflare

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
Doc en RUNBOOK de las copias offline del keystore release v2 hechas el
2026-06-23:
- Copia #1: Hitachi sda /run/media/code/datos/keystore-backup-2026-06-23/
- Copia #2: USB Kingston DT 101 G2 (DataTraveler, extraído físicamente)
- Copia #3: off-site (pendiente)

Test recovery EXITOSO 2026-06-23: descifrado con password de Bitwarden,
SHA-256 raw matches 36785fb2...af9f6f64. Próximo test recovery 2027-Q1.

Pre-fix: 1 keystore + 1 .gpg, ambos en el MISMO disco sdb (PNY SSD). Disk
failure = bricked release line forever (mismo modo del v1 perdido).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants