Release v1.8.85 — cross-subsystem hardening pass

Cross-subsystem audit + hardening across recently-shipped v1.8.75-84 slices
and load-bearing privacy / build / CI infrastructure. See
RELEASE_NOTES_v1.8.85.md for the full per-fix breakdown.

P0 fixes:
- verifyNoInternetPermission now scans merged manifests + honours
  tools:node="remove" (closes library-AAR escape hatch).
- HardwareKeyboardRuntimeMapper layout map is now thread-safe; AltGr
  (Ctrl+Alt) no longer dropped.
- Sticker palette BitmapFactory.decodeStream gains bounds gate + downsample
  (defends IME process against 100k x 100k OOM).
- ZipUtils.unzip adds pre-canonical entry-name guard + 10k entry-count cap.
- CI workflows (android.yml, crowdin-upload.yml, reproducible-build.yml)
  pinned to read-only GITHUB_TOKEN at file scope.
- validate-strings-no-translations.yml stops interpolating untrusted PR
  data into shell run: blocks.

P1 fixes:
- Android 12+ data_extraction_rules.xml ships correct schema with explicit
  excludes for SQLCipher dictionary DB and Tink-wrapped passphrase prefs
  (closes D2D-transfer leak).
- Sticker MIME-type spoof closed (SAF declared MIME is now source of truth).
- Addon enumerator no longer rejects legitimate 64MB+ asset packs (was
  conflating APK file size with bundle size).
- verify-reproducible-apk.sh entry-manifest pass criterion replaces cmp -s
  on signed APKs (matches F-Droid rebuilder methodology).

This release intentionally deviates from AGENTS.md §6 (one logical change
per PR) at the maintainer's request for the audit pass. Future per-feature
work returns to the per-release file pattern.

Unverified on this dev VM (no JDK / Android SDK). Maintainer must run the
AGENTS.md §5 Definition-of-Done verification commands listed at the end of
RELEASE_NOTES_v1.8.85.md before tagging and pushing.

Author: SysAdminDoc

.github/workflows/android.yml

@@ -25,6 +25,14 @@ on:
 # so it is implicitly re-checked by both lintDebug and assembleDebug below; we also
 # call it explicitly first so a contract violation fails fast before slower tasks.
 
+# Lock the default GITHUB_TOKEN to read-only. Build jobs that only need to
+# upload artefacts and report status do not need write access to issues,
+# pull-requests, packages, or contents. A future supply-chain compromise of a
+# transitive action dependency cannot abuse the token to push commits or
+# comment on issues.
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/crowdin-upload.yml

@@ -7,6 +7,14 @@ on:
       - "app/src/main/res/values/strings.xml"
       - ".github/workflows/crowdin-upload.yml"
 
+# Default GITHUB_TOKEN limited to read-only. This workflow uses a separate
+# Crowdin personal token (env FSEC_CROWDIN_PERSONAL_TOKEN); restricting the
+# default token blocks a malicious / compromised third-party action from
+# pushing to the repo via the workflow's own token. The Crowdin token
+# remains potent — pin `crowdin/github-action` to a SHA in a follow-up.
+permissions:
+  contents: read
+
 jobs:
   upload-to-crowdin:
     runs-on: ubuntu-latest

.github/workflows/reproducible-build.yml

@@ -37,6 +37,12 @@ concurrency:
   group: reproducible-apk-${{ github.ref }}
   cancel-in-progress: true
 
+# Default GITHUB_TOKEN limited to read-only — this job only checks out
+# source, builds, and uploads artefacts. Restricting the token closes the
+# blast radius if a transitive action dependency is compromised.
+permissions:
+  contents: read
+
 jobs:
   verify:
     runs-on: ubuntu-latest

.github/workflows/validate-strings-no-translations.yml

@@ -1,21 +1,32 @@
 name: Validate no translated strings.xml included
 
+# SECURITY: `pull_request_target` runs in the base-repo context with write
+# tokens. Every `${{ github.event.* }}` and step-output value derived from
+# untrusted PR data (login, filenames, PR body, branch name) MUST be passed
+# via `env:` and referenced as a quoted shell variable. NEVER interpolate
+# `${{ ... }}` directly into `run:` script bodies — that is GitHub Actions'
+# canonical script-injection sink.
+
 on:
   pull_request_target:
     branches: [ main ]
 
+# Restrict the default token to the absolute minimum this workflow needs.
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   validate:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
     steps:
       - name: Precheck if validation is required
         id: precheck
+        env:
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
         run: |
-          pr_author="${{ github.event.pull_request.user.login }}"
-          if [[ "$pr_author" == "florisboard-bot" ]]; then
+          set -euo pipefail
+          if [[ "$PR_AUTHOR" == "florisboard-bot" ]]; then
             echo "PR is by florisboard-bot, skipping validation!"
             echo "require_validation=false" >> "$GITHUB_OUTPUT"
           else
@@ -26,33 +37,40 @@ jobs:
       - name: Fetch PR changed files manually
         id: fetch_changed_files
         if: steps.precheck.outputs.require_validation == 'true'
+        env:
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GH_TOKEN: ${{ github.token }}
         run: |
-          pr_info="$(curl -sSf https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }})" || exit 11
-          num_changed_files="$(jq -r '.changed_files' <<< "$pr_info")" || exit 12
-          num_pages=$(((num_changed_files + 99) / 100))
-          changed_files=""
-          echo "Num changed files: $num_changed_files ($num_pages page(s))"
-          for ((page=1; page<=num_pages; page++)); do
-            pr_files="$(curl -sSf https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files?per_page=100\&page=$page)" || exit 11
-            changed_files_iter="$(jq -r '.[].filename' <<< "$pr_files")" || exit 12
-            changed_files+="$changed_files_iter"
-          done
-          echo "Changed files:\n$changed_files"
-          illegal_changes_list="$(grep -E '^app/src/main/res/values-.+/strings.xml$' <<< "$changed_files")" || true
+          set -euo pipefail
+          # Use `gh api` which handles auth + pagination cleanly and never
+          # interpolates the response into the shell command line.
+          changed_files="$(gh api --paginate "repos/${REPO}/pulls/${PR_NUMBER}/files" --jq '.[].filename')"
+          echo "Changed files:"
+          echo "$changed_files"
+          illegal_changes_list="$(printf '%s\n' "$changed_files" | grep -E '^app/src/main/res/values-.+/strings\.xml$' || true)"
           if [ -n "$illegal_changes_list" ]; then
-            echo -e "Illegal changes detected:\n$illegal_changes_list"
+            printf 'Illegal changes detected:\n%s\n' "$illegal_changes_list"
           else
             echo "No illegal changes detected"
           fi
-          echo "illegal_changes_list<<EOF" >> "$GITHUB_OUTPUT"
-          echo "$illegal_changes_list" >> "$GITHUB_OUTPUT"
-          echo "EOF" >> "$GITHUB_OUTPUT"
+          {
+            echo "illegal_changes_list<<EOF"
+            echo "$illegal_changes_list"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
 
       - name: Create comment if illegal files detected
+        # TODO supply-chain: pin to a SHA before next release; the SHA above
+        # was not independently verified at edit time, so the floating tag
+        # is kept for now. `gh api repos/peter-evans/create-or-update-comment/git/refs/tags/v4`
+        # will return the canonical commit SHA to substitute here.
         uses: peter-evans/create-or-update-comment@v4
         if: steps.precheck.outputs.require_validation == 'true' && steps.fetch_changed_files.outputs.illegal_changes_list != ''
         with:
           issue-number: ${{ github.event.pull_request.number }}
+          # Markdown-fenced — even if filenames contain backticks they cannot
+          # escape the fence into surrounding markdown commands.
           body: |
             ⚠️ Illegal changes detected
 
@@ -67,4 +85,9 @@ jobs:
 
       - name: Fail workflow if illegal files detected
         if: steps.precheck.outputs.require_validation == 'true' && steps.fetch_changed_files.outputs.illegal_changes_list != ''
-        run: echo -e "Illegal changes detected:\n${{ steps.fetch_changed_files.outputs.illegal_changes_list }}" && exit 1
+        env:
+          ILLEGAL_CHANGES: ${{ steps.fetch_changed_files.outputs.illegal_changes_list }}
+        run: |
+          set -euo pipefail
+          printf 'Illegal changes detected:\n%s\n' "$ILLEGAL_CHANGES" >&2
+          exit 1