chore(deps-dev): bump the npm-minor-and-patch group across 1 directory with 4 updates #260
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [dev] | |
| pull_request: | |
| branches: [dev] | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: build (${{ matrix.os }}) | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # ubuntu-24.04 is pinned (not ubuntu-latest) because Tauri 2 needs | |
| # libwebkit2gtk-4.1-dev, which only exists on Ubuntu 24.04+. If | |
| # ubuntu-latest ever shifts, the install step below would break. | |
| os: [ubuntu-24.04, windows-latest, macos-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version: "20" | |
| cache: npm | |
| - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | |
| - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| with: | |
| workspaces: src-tauri | |
| - name: Install Linux GUI deps | |
| if: startsWith(matrix.os, 'ubuntu-') | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| libgtk-3-dev \ | |
| libwebkit2gtk-4.1-dev \ | |
| libayatana-appindicator3-dev \ | |
| librsvg2-dev | |
| - run: npm ci | |
| - name: TypeScript type check | |
| run: npx tsc --noEmit | |
| - name: Build frontend | |
| run: npm run build | |
| # Renderer unit tests are Ubuntu-only for now: this layer is pure | |
| # JSDOM-style work in happy-dom, so cross-OS coverage adds runtime | |
| # without buying signal until something proves OS-specific. Issue #69. | |
| - name: JS unit tests | |
| if: startsWith(matrix.os, 'ubuntu-') | |
| run: npm run test:unit | |
| - name: Rust unit tests | |
| working-directory: src-tauri | |
| run: cargo test --lib --locked | |
| msrv: | |
| # Validates the MSRV declared in src-tauri/Cargo.toml (rust-version). | |
| # The main matrix runs on stable so it also catches upstream regressions; | |
| # this job proves we haven't accidentally leaned on a post-MSRV API. | |
| # 1.88 is the current floor imposed by Tauri 2.10's transitive deps | |
| # (darling, serde_with, time all require 1.88). If those deps bump again, | |
| # this job fails loudly rather than letting a stale MSRV ship. | |
| name: msrv (1.88) | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version: "20" | |
| cache: npm | |
| - uses: dtolnay/rust-toolchain@98e1b82157cd469e843cb7f524c1313b4ad9492c # 1.88.0 | |
| - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| with: | |
| workspaces: src-tauri | |
| key: msrv | |
| - name: Install Linux GUI deps | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| libgtk-3-dev \ | |
| libwebkit2gtk-4.1-dev \ | |
| libayatana-appindicator3-dev \ | |
| librsvg2-dev | |
| - run: npm ci | |
| - name: Build frontend | |
| # Needed even for `cargo check` because tauri::generate_context!() | |
| # validates the frontendDist path at compile time. | |
| run: npm run build | |
| - name: Rust check (lib + tests) on MSRV | |
| working-directory: src-tauri | |
| run: cargo check --lib --tests --locked | |
| lint: | |
| # Mirrors `.pre-commit-config.yaml` — anything that fails here should | |
| # have failed locally. Splitting out as its own job keeps the signal | |
| # distinct from the matrix build, and runs in parallel so it's cheap. | |
| name: lint | |
| permissions: | |
| contents: read | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: "3.12" | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version: "20" | |
| cache: npm | |
| # Pin explicitly (not @stable) so the set of clippy lints stays | |
| # deterministic over time. This is decoupled from the declared MSRV | |
| # — clippy runs here with a newer toolchain to pick up modern lints | |
| # while the `msrv` job above continues to gate on 1.88.0. | |
| # Bump this pin deliberately when we want newer clippy signal; | |
| # Dependabot is configured to ignore `dtolnay/rust-toolchain` so | |
| # bulk bumps can't silently re-bump the MSRV pin alongside this one. | |
| - uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 | |
| with: | |
| components: rustfmt, clippy | |
| - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| with: | |
| workspaces: src-tauri | |
| key: lint | |
| - name: Install Linux GUI deps (for clippy) | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| libgtk-3-dev \ | |
| libwebkit2gtk-4.1-dev \ | |
| libayatana-appindicator3-dev \ | |
| librsvg2-dev | |
| - run: npm ci | |
| - name: Build frontend | |
| # clippy compiles the lib, and the tauri::generate_context!() macro | |
| # requires the frontendDist path to exist at compile time. | |
| run: npm run build | |
| - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 | |
| security: | |
| # Gate on known-CVE deps in both ecosystems. Runs in parallel with | |
| # build/msrv/lint — a fresh advisory on yesterday's working tree is a | |
| # real signal we should act on, so we want it loud and fast. | |
| # Per SECURITY.md: cargo-audit covers the Rust side, npm audit covers | |
| # the JS side. Severity threshold for npm is `high`; anything moderate | |
| # surfaces as a warning at `npm install` time but doesn't block the | |
| # pipeline. | |
| name: security | |
| runs-on: ubuntu-24.04 | |
| # `rustsec/audit-check` publishes a check-run with the advisory | |
| # summary when there are warnings (unmaintained / unsound crates). | |
| # That POST needs `checks: write`; without it we get | |
| # "Resource not accessible by integration" the moment a transitive | |
| # dep gets a fresh advisory. `contents: read` is the workflow-default | |
| # we'd otherwise inherit; declared here so this job's permissions are | |
| # self-contained and not a side-effect of repo defaults. | |
| permissions: | |
| contents: read | |
| checks: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version: "20" | |
| cache: npm | |
| # rustsec/audit-check@v2 wraps cargo-audit with a self-updating copy | |
| # of the RustSec advisory DB. It defaults to reading ./Cargo.lock; | |
| # ours lives in src-tauri/ so we set the action's `working-directory` | |
| # input accordingly. | |
| - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| working-directory: src-tauri | |
| # `npm audit --package-lock-only` reads package-lock.json directly, | |
| # so we skip the full `npm ci` and the lifecycle scripts it would | |
| # otherwise run. The other CI jobs already validate the lockfile | |
| # via their own `npm ci`, so we don't lose that signal. | |
| - name: npm audit | |
| run: npm audit --package-lock-only --audit-level=high |