
Pre-Release Security Checklist

Use this checklist for every public release candidate before publishing artifacts.

CI And Security Gate Status

  • PR Security / build-and-test is green on main.
  • PR Security / dependency-scan is green on main.
  • CodeQL / Analyze (javascript-typescript) is green on main.
  • CodeQL / Analyze (rust) is green on main.

Vulnerability And Advisory Status

  • No open high/critical code scanning alerts in GitHub Security.
  • npm audit reports no high/critical vulnerabilities within the release dependency scope (the dependencies that ship in the built app, not dev-only tooling).
  • cargo audit reports no RustSec vulnerabilities.
  • Any non-blocking advisories (unmaintained/yanked) are reviewed, and each one is tracked in an issue or an accepted-exception record rather than silently ignored.
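The four items above can be checked mechanically from the JSON the two tools already write. The script below is an added example for this checklist, not the project's own tooling: it reads an `npm audit --json` report and a `cargo audit --json` report (field names follow the shape those tools emit: npm audit report v2 and the rustsec JSON report), fails on any high/critical npm finding or any RustSec vulnerability, and also fails when a non-blocking advisory has no tracking record. The two sample reports embedded at the bottom are constructed for the example; the package names and the `RUSTSEC-0000-0000` identifier do not refer to real packages or advisories, and the `tracked` set is a stand-in for whatever exception record the team keeps.

```javascript
// Added example (not the project's own code): release gate over the JSON
// output of `npm audit --json` and `cargo audit --json`.

const BLOCKING_NPM = new Set(["high", "critical"]);

// Summarise an `npm audit --json` (report version 2) document. Each key of
// `vulnerabilities` is a package; `severity` is one of info/low/moderate/high/critical.
function evaluateNpmAudit(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const blocking = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if (v.severity in counts) counts[v.severity] += 1;
    if (BLOCKING_NPM.has(v.severity)) {
      blocking.push({ tool: "npm", package: name, severity: v.severity, fixAvailable: Boolean(v.fixAvailable) });
    }
  }
  return { counts, blocking };
}

// Summarise a `cargo audit --json` document. `vulnerabilities.list` blocks the
// release; `warnings` is keyed by kind (unmaintained, yanked, unsound, notice)
// and does not block, but every entry must be reviewed and tracked.
function evaluateCargoAudit(report) {
  const blocking = ((report.vulnerabilities && report.vulnerabilities.list) || []).map((entry) => ({
    tool: "cargo",
    package: entry.package.name,
    version: entry.package.version,
    id: entry.advisory.id,
  }));
  const advisories = [];
  for (const [kind, list] of Object.entries(report.warnings || {})) {
    for (const w of list) {
      advisories.push({ kind, package: w.package.name, version: w.package.version, id: w.advisory ? w.advisory.id : null });
    }
  }
  return { blocking, advisories };
}

// Combine both reports. `tracked` holds "kind:package" keys of non-blocking
// advisories that already have a review record (hypothetical bookkeeping);
// an advisory without one fails the gate, because the checklist requires it.
function releaseGate(npmReport, cargoReport, tracked = new Set()) {
  const npm = evaluateNpmAudit(npmReport);
  const cargo = evaluateCargoAudit(cargoReport);
  const untracked = cargo.advisories.filter((a) => !tracked.has(`${a.kind}:${a.package}`));
  const blocking = [...npm.blocking, ...cargo.blocking];
  return { ok: blocking.length === 0 && untracked.length === 0, counts: npm.counts, blocking, advisories: cargo.advisories, untracked };
}

// Constructed sample reports (not real packages or advisories), shaped like
// the tools' output: one moderate npm finding, one unmaintained crate warning.
const SAMPLE_NPM_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-lib": {
      name: "example-lib", severity: "moderate", isDirect: false,
      via: [{ name: "example-lib", severity: "moderate", title: "constructed sample finding", range: "<2.0.0" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/example-lib"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 0, total: 1 } },
};
const SAMPLE_CARGO_AUDIT = {
  vulnerabilities: { found: false, count: 0, list: [] },
  warnings: {
    unmaintained: [{
      kind: "unmaintained",
      package: { name: "example-crate", version: "0.1.0" },
      advisory: { id: "RUSTSEC-0000-0000", package: "example-crate", title: "constructed sample advisory" },
    }],
  },
};

// Gate result for the samples when the unmaintained crate has a tracking record.
const SAMPLE_RESULT = releaseGate(SAMPLE_NPM_AUDIT, SAMPLE_CARGO_AUDIT, new Set(["unmaintained:example-crate"]));

// CLI use: node release-gate.js npm-audit.json cargo-audit.json
if (typeof require !== "undefined" && require.main === module && process.argv.length === 4) {
  const fs = require("node:fs");
  const result = releaseGate(
    JSON.parse(fs.readFileSync(process.argv[2], "utf8")),
    JSON.parse(fs.readFileSync(process.argv[3], "utf8")),
  );
  console.log(JSON.stringify(result, null, 2));
  process.exit(result.ok ? 0 : 1);
}
```

Run it against the real `npm audit --json` output and the `cargo-audit.json` artifact from the workflow; a non-zero exit is the signal to stop the release, and the `untracked` list is the set of advisories still needing a review record.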

Artifact And Evidence Collection

  • release-security.yml completed successfully.
  • sbom-npm.json was generated.
  • sbom-cargo.json was generated.
  • cargo-audit.json and npm-audit-summary.txt were generated.
  • If the release tag has an existing GitHub Release, security artifacts were attached.
  • If no release exists yet, workflow artifacts were retained and reviewed.

Tauri Surface Review

  • src-tauri/tauri.conf.json CSP remains explicit (not null) and restrictive: no wildcard sources and no 'unsafe-inline' or 'unsafe-eval' in script-bearing directives.
  • Tauri capabilities grant minimum required permissions only.
  • No unnecessary Tauri plugins are enabled.
  • No newly added command handler trusts its inputs: caller-supplied paths, identifiers, and buffer lengths are validated before they reach the filesystem or the device.
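The CSP and capability items above are the ones most easily regressed by a routine config change, so they are worth a scripted review. The block below is an added example, not the project's own tooling: it parses the `app.security.csp` value from a Tauri v2 `tauri.conf.json` (string or per-directive object), flags an unset policy and risky sources in the script-bearing directives, and checks a capability file's `permissions` against an allowlist the reviewer maintains. The weak and hardened configs embedded in it are constructed for the example; the permission identifiers and file-scope paths are hypothetical, and the exact hardened CSP string is one reasonable policy, not the project's.

```javascript
// Added example (not the project's own code): Tauri surface review helpers
// for tauri.conf.json (app.security.csp) and a capability file.

const SCRIPT_DIRECTIVES = ["default-src", "script-src"];
// Sources that make a script directive effectively open.
const RISKY_SOURCES = new Set(["*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"]);

// Parse a CSP string into a map of directive -> source list.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Tauri accepts the CSP as a string or as an object keyed by directive
// (string or array values); normalise both to the same map.
function cspToMap(csp) {
  if (typeof csp === "string") return parseCsp(csp);
  const directives = new Map();
  for (const [name, value] of Object.entries(csp)) {
    directives.set(name.toLowerCase(), Array.isArray(value) ? value : String(value).split(/\s+/).filter(Boolean));
  }
  return directives;
}

// Findings for app.security from tauri.conf.json; an empty list means "pass".
function reviewCsp(security) {
  const csp = security ? security.csp : undefined;
  if (csp === null || csp === undefined || csp === "") {
    return ["csp is unset: Tauri injects no Content-Security-Policy into the webview"];
  }
  const findings = [];
  const directives = cspToMap(csp);
  if (!directives.has("default-src")) findings.push("no default-src fallback directive");
  for (const name of SCRIPT_DIRECTIVES) {
    for (const src of directives.get(name) || []) {
      if (RISKY_SOURCES.has(src) || /^https?:\/\/\*/.test(src)) findings.push(`${name} allows ${src}`);
    }
  }
  return findings;
}

// Findings for one capability file. Permissions may be plain identifiers or
// objects with identifier/allow/deny; a scope path of "**" is unrestricted.
function reviewCapability(capability, allowedPermissions) {
  const findings = [];
  for (const perm of capability.permissions || []) {
    const id = typeof perm === "string" ? perm : perm.identifier;
    if (!allowedPermissions.has(id)) findings.push(`${capability.identifier}: unexpected permission ${id}`);
    if (typeof perm === "object" && Array.isArray(perm.allow)) {
      for (const scope of perm.allow) {
        const path = typeof scope === "string" ? scope : scope.path;
        if (path === "**" || path === "/**" || path === "*") findings.push(`${capability.identifier}: ${id} has an unrestricted scope`);
      }
    }
  }
  return findings;
}

function reviewSurface(config, capability, allowedPermissions) {
  return [...reviewCsp(config.app && config.app.security), ...reviewCapability(capability, allowedPermissions)];
}

// Hypothetical allowlist: what this app is expected to need.
const ALLOWED_PERMISSIONS = new Set(["core:default", "fs:allow-read-text-file"]);

// Constructed weak configuration: CSP disabled, shell execution granted,
// unrestricted file scope.
const WEAK_CONFIG = { app: { security: { csp: null } } };
const WEAK_CAPABILITY = {
  identifier: "default", windows: ["main"],
  permissions: ["core:default", "shell:allow-execute", { identifier: "fs:allow-read-text-file", allow: [{ path: "**" }] }],
};

// Constructed hardened configuration: explicit self-only CSP with the IPC
// origin Tauri v2 uses, and a file permission scoped to one directory.
const HARDENED_CONFIG = { app: { security: { csp: "default-src 'self'; connect-src ipc: http://ipc.localhost" } } };
const HARDENED_CAPABILITY = {
  identifier: "default", windows: ["main"],
  permissions: ["core:default", { identifier: "fs:allow-read-text-file", allow: [{ path: "$APPDATA/keymaps/*.json" }] }],
};

const WEAK_FINDINGS = reviewSurface(WEAK_CONFIG, WEAK_CAPABILITY, ALLOWED_PERMISSIONS);
const HARDENED_FINDINGS = reviewSurface(HARDENED_CONFIG, HARDENED_CAPABILITY, ALLOWED_PERMISSIONS);
```

For the real review, load `src-tauri/tauri.conf.json` and each file under `src-tauri/capabilities/` with `JSON.parse(fs.readFileSync(...))` and pass them to `reviewSurface`; any finding is a checklist failure to resolve or to record as an accepted exception.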

Signing And Notarization Readiness

  • Required secrets are present in repository settings:
    • APPLE_SIGNING_CERT_BASE64
    • APPLE_SIGNING_CERT_PASSWORD
    • APPLE_SIGNING_IDENTITY
    • APPLE_TEAM_ID
    • APPLE_ID
    • APPLE_APP_SPECIFIC_PASSWORD
  • Release Security / signing-readiness job passed.

Manual macOS Smoke Test

  • App launches on supported macOS version.
  • Device connection succeeds.
  • Keymap read works.
  • Keycode write works and persists.
  • Macro read/write works.
  • Lighting read/write works.
  • Disconnect/reconnect behavior is correct.
  • No high-severity errors in runtime logs during test.

Release Decision

  • Security owner approved release.
  • Known risks and accepted exceptions are documented.