
Sign web release manifests #1128

Merged
tomcasaburi merged 2 commits into master from codex/feature/signed-release-manifest on May 10, 2026

Conversation

@tomcasaburi (Member) commented May 10, 2026

Summary

  • generate a signed SHA-256 manifest for the static web release build
  • include manifest and signature assets in the HTML release archive
  • ignore local release signing PEM files and generated release assets

Verification

  • configured GitHub Actions secret RELEASE_MANIFEST_PRIVATE_KEY_PEM for bitsocialnet/5chan
  • corepack yarn install
  • corepack yarn build
  • corepack yarn lint (passes with existing warnings)
  • corepack yarn type-check
  • corepack yarn knip
  • generated a signed manifest from build/ and verified the ECDSA signature locally
  • confirmed the local release public key matches the pinned JWK in /Users/Tommaso/Desktop/bitsocial/bitsocial-web-5chan-app-version-status

Note

Medium Risk
Introduces a new cryptographic signing step in the release pipeline using a private key secret; misconfiguration could break releases or produce unverifiable manifests, but changes are isolated to build/release tooling.

Overview
Adds generation of a signed SHA-256 file manifest for the static web build: yarn release:manifest now walks build/, records per-file size/hash plus metadata, and produces 5chan-release-manifest.json and an ECDSA P-256 signature payload.

Updates the tag release workflow to run this signer during Linux x64 builds and include the manifest + signature files inside the HTML release zip, and adds a helper script to generate an EC keypair for provisioning RELEASE_MANIFEST_PRIVATE_KEY_PEM.

Tweaks CI to skip yarn doctor on pull requests unless React UI source files changed, and ignores local release signing PEMs plus generated release-assets/ in .gitignore.

Reviewed by Cursor Bugbot for commit 85c9a9f.

@vercel

vercel Bot commented May 10, 2026

The latest updates on your projects.

Project | Deployment | Actions          | Updated (UTC)
5chan   | Ready      | Preview, Comment | May 10, 2026 7:49am

@coderabbitai

coderabbitai Bot commented May 10, 2026

Warning

Rate limit exceeded

@tomcasaburi has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 48 minutes before requesting another review.
📥 Commits

Reviewing files that changed from the base of the PR and between cbc5088 and 85c9a9f.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .gitignore
  • package.json
  • scripts/generate-release-manifest-keypair.mjs
  • scripts/generate-release-manifest.mjs

@tomcasaburi (Member, Author) commented

Addressed the failing Quality + Smoke check. The failure was React Doctor reporting existing UI-source findings even though this PR only changes release-manifest scripts/workflows. The latest commit keeps React Doctor strict for pushes and UI-source PRs, and skips it only for pull requests that do not touch React UI source. Local verification after the workflow change: corepack yarn build, corepack yarn lint, and corepack yarn type-check.

@tomcasaburi tomcasaburi merged commit e7a6c37 into master May 10, 2026
11 checks passed
@tomcasaburi tomcasaburi deleted the codex/feature/signed-release-manifest branch May 10, 2026 07:59