tauri-deployment-setup
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: Hardcoded API key detected

This skill is legitimate-looking documentation for Tauri deployment and Oasis update integration, and does not itself contain malicious code. However, it includes several supply-chain risk vectors that merit caution: it depends on a third-party reusable GitHub Action (porkytheblack/oasis) which will run with repository secrets; it requires many high-privilege secrets (code signing, R2, Oasis CI key) which could be exposed if the external action or CI steps are untrusted or misconfigured; and the Tauri capabilities requested are broad and increase the attack surface for compromised updates or plugins.

Recommended mitigations: review the referenced reusable workflow source before use; restrict the scope of secrets; enable GitHub Actions protections (required reviewers for reusable workflows, minimal permissions, repository-specific secrets); sign and pin update public keys and verify them in-build; and minimize Tauri runtime permissions where possible.

LLM verification: No explicit malware found in the provided files. The primary security concerns are supply-chain and credential-exposure risks: (1) forwarding many high-privilege GitHub Secrets into an external reusable workflow (porkytheblack/oasis) expands the trust boundary and should be audited before use; (2) unpinned npm dependency examples encourage non-deterministic installs and increase dependency takeover risk; (3) placeholder hardcoded keys in docs could be accidentally copied into production. Operati
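The two CI findings above (an unpinned external reusable workflow and blanket secret forwarding) are mechanically checkable. The following is an added example, not code from the Socket audit or from the audited skill: a small stdlib-only scanner that walks a workflow file and flags `uses:` references not pinned to a full commit SHA, `secrets: inherit`, and a missing top-level `permissions:` block. The embedded workflow is constructed for the example; the path `.github/workflows/release.yml` under porkytheblack/oasis and the 40-hex commit SHA are placeholders, not real references.

```python
import re

# Constructed sample workflow (not from the audited skill). The "risky" job
# forwards every repository secret into an unpinned reusable workflow; the
# "hardened" job pins the same reference to a (placeholder) commit SHA and
# passes only the one secret it needs. The "build" job mixes a tag-pinned
# marketplace action with a local action tracked in the repository itself.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  risky:
    uses: porkytheblack/oasis/.github/workflows/release.yml@main
    secrets: inherit
  hardened:
    uses: porkytheblack/oasis/.github/workflows/release.yml@0123456789abcdef0123456789abcdef01234567
    secrets:
      OASIS_CI_KEY: ${{ secrets.OASIS_CI_KEY }}
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
"""

# A full 40-character lowercase hex SHA is the only reference GitHub resolves
# immutably; branch names and tags can be moved by the action's maintainer.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches both job-level "uses:" (reusable workflows) and step-level "- uses:".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")


def audit_workflow(text):
    """Return a list of (line_number, kind, detail) findings for a workflow.

    kind is one of "no-permissions", "unpinned", "secrets-inherit".
    Line number 0 is used for file-wide findings.
    """
    findings = []
    lines = text.splitlines()

    # Without an explicit top-level permissions block the GITHUB_TOKEN gets
    # the repository's default scopes, which are often broader than needed.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append((0, "no-permissions",
                         "no top-level permissions block; GITHUB_TOKEN gets default scopes"))

    for number, line in enumerate(lines, 1):
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1)
            if ref.startswith("./"):
                continue  # local action: versioned with the repository itself
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append((number, "unpinned",
                                 f"{ref} is not pinned to a full commit SHA"))
        if INHERIT_RE.match(line):
            findings.append((number, "secrets-inherit",
                             "'secrets: inherit' forwards every repository secret to the called workflow"))
    return findings


def kinds(findings):
    """Convenience: the set of finding kinds, for quick pass/fail checks."""
    return {kind for _, kind, _ in findings}


if __name__ == "__main__":
    for number, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {number:>2}  {kind:<16} {detail}")
```

Run against the sample, the scanner reports the `@main` reusable workflow, the `secrets: inherit` line, and `actions/checkout@v4`; the SHA-pinned job and the local action pass. The check is intentionally line-based so it needs no YAML library; it will miss `uses:` values spread over multiple lines, so treat it as a pre-review filter, not a substitute for reading the called workflow's source.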