# HG changeset patch
# User Simon Heath
# Date 1591981355 14400
# Fri Jun 12 13:02:35 2020 -0400
# Node ID 3a0966a1fd09e077d6e2db9e993e1d8b2f02eb92
# Parent 521be340cc8bbd4bcf0c4bf285c20d0331904971
Harden user account for CI
diff --git a/.build.yml b/.build.yml
--- a/.build.yml
+++ b/.build.yml
@@ -5,7 +5,7 @@
 - libssl-dev
 - cargo
 secrets:
- - 384fc780-f42a-4945-854e-cbd952d6802b
+ - 3a468e17-bc01-4c2b-b6fd-d20691b54278
 sources:
 - hg+https://hg.sr.ht/~icefox/oorandom
 tasks:
@@ -20,16 +20,16 @@
 # rather than
 # Someday we'll have a debian package for it, but it's non-trivial
 # to make; see https://todo.sr.ht/~icefox/garnet/2
- curl -o ~/cargo-tarpaulin http://alopex.li/ci/common/cargo-tarpaulin
+ curl -o ~/cargo-tarpaulin https://alopex.li/ci/common/cargo-tarpaulin.stripped
 # We set this here rather than downloading it from the server
 # so if the server gets compromised we don't execute arbitrary
 # programs.
 # If the hg repo is compromised though... well, it compromises the
 # ci account on the server, but that's all.
- echo 'ba0c29ef08c890cae7b3f342a7f19ced92af7e063cde0b256a0f0aa6e38b11931b3b550d6badf02333bee6f7171fb06d041614e5ca055c16c61bcbec02e6c2ce cargo-tarpaulin > ~/cargo-tarpaulin.sha512'
+ echo 'ee0a51f252fab2227bf535acfa0219593240fdadf2e19201dc9b34196ce0c0e48112a35095887ed60c9083f3588a44b52c9d306d224989547921b357efb6bb11 cargo-tarpaulin' > ~/cargo-tarpaulin.sha512
 sha512sum -c ~/cargo-tarpaulin.sha512
 chmod +x ~/cargo-tarpaulin
 cd oorandom
- ~/cargo-tarpaulin -o Html
- scp -o StrictHostKeyChecking=no tarpaulin-report.html icefox@roc.alopex.li:htdocs/ci/oorandom/tarpaulin-report.html
+ ~/cargo-tarpaulin tarpaulin -o Html
+ scp -o StrictHostKeyChecking=no tarpaulin-report.html ci@roc.alopex.li:htdocs/oorandom/tarpaulin-report.html
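Review bot: The `scp` line at the end of the second hunk still passes `-o StrictHostKeyChecking=no`, so the job accepts whatever host key is presented and the report can be delivered to a host impersonating the server. Moving the upload to the dedicated `ci` account narrows what the credential can touch, but it does not address server authentication. Pinning the key in the manifest would close this, e.g. `echo 'roc.alopex.li ssh-ed25519 <HOST_PUBLIC_KEY_PLACEHOLDER>' >> ~/.ssh/known_hosts` followed by `scp tarpaulin-report.html ci@roc.alopex.li:htdocs/oorandom/tarpaulin-report.html` without the option. Separately, `sha512sum -c` resolves the bare name `cargo-tarpaulin` against the working directory, so the check presumably relies on the task starting in the home directory; a one-line comment such as `# checksum file names cargo-tarpaulin relative to $HOME` would record that. The task this script belongs to starts above the hunk.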