Harden GitHub release controls

.github/PULL_REQUEST_TEMPLATE.md

@@ -12,5 +12,6 @@
 - [ ] Working copy branch was switched without changing its `LogbookVersion`
 - [ ] Updated copy was smoke tested manually in Excel
 - [ ] Binary workbook change is expected
+- [ ] Release tag will be created only after this PR is merged to `main`
 
 ## Notes

.github/workflows/publish-release.yml

@@ -8,15 +8,21 @@ on:
 permissions:
   contents: write
 
+concurrency:
+  group: publish-release
+  cancel-in-progress: false
+
 jobs:
   publish:
     name: Publish GitHub release assets
     runs-on: windows-latest
+    timeout-minutes: 15
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
+          fetch-depth: 0
           persist-credentials: false
 
       - name: Validate release metadata
@@ -27,6 +33,36 @@ jobs:
           if ($env:GITHUB_REF_NAME -ne "v$version") {
             throw "Tag $env:GITHUB_REF_NAME does not match version.txt ($version). Expected v$version."
           }
+          git merge-base --is-ancestor $env:GITHUB_SHA origin/main
+          if ($LASTEXITCODE -ne 0) {
+            throw "Tag $env:GITHUB_REF_NAME does not point to a commit on main."
+          }
+
+      - name: Build release integrity files
+        shell: pwsh
+        run: |
+          $version = (Get-Content version.txt -Raw).Trim()
+          $assets = @(
+            Get-Item Electronic_Logbook_Master.xlsm
+            Get-Item README.pdf
+          )
+
+          $manifestAssets = foreach ($asset in $assets) {
+            $hash = (Get-FileHash $asset.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
+            "$hash  $($asset.Name)" | Add-Content SHA256SUMS.txt -Encoding ascii
+            [ordered]@{
+              name = $asset.Name
+              size = $asset.Length
+              sha256 = $hash
+            }
+          }
+
+          [ordered]@{
+            version = $version
+            tag = $env:GITHUB_REF_NAME
+            commit = $env:GITHUB_SHA
+            assets = @($manifestAssets)
+          } | ConvertTo-Json -Depth 4 | Set-Content release-manifest.json -Encoding utf8
 
       - name: Publish release
         shell: pwsh
@@ -36,6 +72,8 @@ jobs:
           gh release create $env:GITHUB_REF_NAME `
             Electronic_Logbook_Master.xlsm `
             README.pdf `
+            SHA256SUMS.txt `
+            release-manifest.json `
             --title $env:GITHUB_REF_NAME `
             --generate-notes `
             --verify-tag

.github/workflows/static-checks.yml

@@ -10,14 +10,21 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: static-checks-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   release-metadata:
     name: Release metadata
     runs-on: windows-latest
+    timeout-minutes: 10
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
 
       - name: Validate release metadata
         shell: pwsh

SECURITY.md

@@ -8,7 +8,7 @@ Only the latest published release is supported for security fixes.
 
 Please do not open a public issue for suspected security vulnerabilities.
 
-Report the issue privately to the repository owner with:
+Use GitHub's private vulnerability reporting for this repository. Include:
 
 - the affected version
 - a short description of the issue
@@ -20,3 +20,5 @@ Report the issue privately to the repository owner with:
 Electronic Logbook is a macro-enabled Excel workbook. Users should only download releases from this repository's GitHub Releases page and should not run modified workbooks from untrusted sources.
 
 The workbook update system downloads release files and VBA update code from this repository. Maintainers must protect the `main` branch, protect release tags, and verify that release workbooks do not contain private tokens or personal data before publishing.
+
+Published releases include `SHA256SUMS.txt` and `release-manifest.json` so downloaded assets can be checked against the release metadata.