feat(linux): opt-in headless token-file fallback #203
Merged
Adds build-desktop (Linux deb+appimage, Windows nsis) + release-desktop jobs that attach the installers to the same GitHub Release on every v* tag. The build step is identical to the proven cross-platform-bundle spike. Decoupled from the macOS build/release jobs (mirrors the `mas` job): a flaky AppImage/NSIS build can't block a macOS release and vice versa. Unsigned today (Windows cert is the owner's call) and no auto-updater (Win/Linux updates are manual re-downloads) — both documented inline + in the hardening doc.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Linux Secret Service needs a running keyring daemon, which headless/server boxes lack. keyring errors now carry an actionable hint, and setting MARKUP_TOKEN_FILE_FALLBACK=1 stores the GitHub token in a 0600 file under $XDG_DATA_HOME instead. Opt-in on purpose — never a silent downgrade to on-disk storage. Weaker than the keyring but still keeps the token out of the webview (the original threat); roundtrip + 0600 perms unit-tested (runs on the macOS CI host via cfg(unix)).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Resolves the last open P1 item (docs/CROSS-PLATFORM-HARDENING.md #2). On headless/server Linux there's often no Secret Service daemon, so the GitHub token store would fail at runtime.
What
`MARKUP_TOKEN_FILE_FALLBACK=1` → store the token in a `0600` file under `$XDG_DATA_HOME` instead of the keyring.
Why opt-in + plaintext (not auto + crypto)
Home-grown "encryption" with a host-derivable key is security theater — it implies protection it can't give. An explicit opt-in 0600 file is honest about its guarantee (filesystem perms on a single-user box) and unblocks GitHub features for headless users who knowingly accept it.
Tests
Roundtrip (save → load → `0600` perms → delete → idempotent) is unit-tested. The module compiles on all Unix (`cfg(unix)`) so the test runs on the macOS CI host; it's only activated on Linux. The Linux activation paths are compile-checked by the `cross-platform` CI job (ubuntu).
🤖 Generated with Claude Code
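An added sketch of the kind of store the description outlines, not the project's own code: explicit opt-in, a file created at `0600`, and an idempotent delete. The function names, the `markup/github-token` path and the refusal to load a file whose mode is wider than `0600` are assumptions made for this example.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Opt-in only: the file store is used when the variable is exactly "1".
pub fn fallback_enabled(var: Option<&str>) -> bool { var == Some("1") }

/// Hypothetical layout (assumption): <data_home>/markup/github-token.
pub fn token_path(data_home: &Path) -> PathBuf { data_home.join("markup").join("github-token") }

pub fn save_token(path: &Path, token: &str) -> io::Result<()> {
    if let Some(dir) = path.parent() {
        fs::create_dir_all(dir)?;
    }
    // mode() applies at creation, so a new file is never briefly world-readable.
    let mut f = OpenOptions::new().write(true).create(true).truncate(true)
        .mode(0o600).open(path)?;
    // A pre-existing file keeps its old mode; tighten it before writing the secret.
    f.set_permissions(Permissions::from_mode(0o600))?;
    f.write_all(token.as_bytes())?;
    f.sync_all()
}

pub fn load_token(path: &Path) -> io::Result<Option<String>> {
    let meta = match fs::metadata(path) {
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        other => other?,
    };
    // Assumption of this example: refuse a file that group or other can access.
    if meta.permissions().mode() & 0o077 != 0 {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "mode wider than 0600"));
    }
    fs::read_to_string(path).map(Some)
}

/// Removing a file that is already gone is not an error, so delete is idempotent.
pub fn delete_token(path: &Path) -> io::Result<()> {
    match fs::remove_file(path) {
        Err(e) if e.kind() != io::ErrorKind::NotFound => Err(e),
        _ => Ok(()),
    }
}

fn main() -> io::Result<()> {
    let path = token_path(&std::env::temp_dir().join("markup-example"));
    save_token(&path, "constructed-token")?; // constructed sample value
    println!("{:?}", load_token(&path)?);
    delete_token(&path)
}
```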