Skip to content

chore(deps-dev): bump the npm-minor-and-patch group across 1 directory with 4 updates #260

chore(deps-dev): bump the npm-minor-and-patch group across 1 directory with 4 updates

chore(deps-dev): bump the npm-minor-and-patch group across 1 directory with 4 updates #260

Workflow file for this run

name: CI
on:
push:
branches: [dev]
pull_request:
branches: [dev]
concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
name: build (${{ matrix.os }})
permissions:
contents: read
strategy:
fail-fast: false
matrix:
# ubuntu-24.04 is pinned (not ubuntu-latest) because Tauri 2 needs
# libwebkit2gtk-4.1-dev, which only exists on Ubuntu 24.04+. If
# ubuntu-latest ever shifts, the install step below would break.
os: [ubuntu-24.04, windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: "20"
cache: npm
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
workspaces: src-tauri
- name: Install Linux GUI deps
if: startsWith(matrix.os, 'ubuntu-')
run: |
sudo apt-get update
sudo apt-get install -y \
libgtk-3-dev \
libwebkit2gtk-4.1-dev \
libayatana-appindicator3-dev \
librsvg2-dev
- run: npm ci
- name: TypeScript type check
run: npx tsc --noEmit
- name: Build frontend
run: npm run build
# Renderer unit tests are Ubuntu-only for now: this layer is pure
# JSDOM-style work in happy-dom, so cross-OS coverage adds runtime
# without buying signal until something proves OS-specific. Issue #69.
- name: JS unit tests
if: startsWith(matrix.os, 'ubuntu-')
run: npm run test:unit
- name: Rust unit tests
working-directory: src-tauri
run: cargo test --lib --locked
msrv:
# Validates the MSRV declared in src-tauri/Cargo.toml (rust-version).
# The main matrix runs on stable so it also catches upstream regressions;
# this job proves we haven't accidentally leaned on a post-MSRV API.
# 1.88 is the current floor imposed by Tauri 2.10's transitive deps
# (darling, serde_with, time all require 1.88). If those deps bump again,
# this job fails loudly rather than letting a stale MSRV ship.
name: msrv (1.88)
permissions:
contents: read
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: "20"
cache: npm
- uses: dtolnay/rust-toolchain@98e1b82157cd469e843cb7f524c1313b4ad9492c # 1.88.0
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
workspaces: src-tauri
key: msrv
- name: Install Linux GUI deps
run: |
sudo apt-get update
sudo apt-get install -y \
libgtk-3-dev \
libwebkit2gtk-4.1-dev \
libayatana-appindicator3-dev \
librsvg2-dev
- run: npm ci
- name: Build frontend
# Needed even for `cargo check` because tauri::generate_context!()
# validates the frontendDist path at compile time.
run: npm run build
- name: Rust check (lib + tests) on MSRV
working-directory: src-tauri
run: cargo check --lib --tests --locked
lint:
# Mirrors `.pre-commit-config.yaml` — anything that fails here should
# have failed locally. Splitting out as its own job keeps the signal
# distinct from the matrix build, and runs in parallel so it's cheap.
name: lint
permissions:
contents: read
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: "20"
cache: npm
# Pin explicitly (not @stable) so the set of clippy lints stays
# deterministic over time. This is decoupled from the declared MSRV
# — clippy runs here with a newer toolchain to pick up modern lints
# while the `msrv` job above continues to gate on 1.88.0.
# Bump this pin deliberately when we want newer clippy signal;
# Dependabot is configured to ignore `dtolnay/rust-toolchain` so
# bulk bumps can't silently re-bump the MSRV pin alongside this one.
- uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0
with:
components: rustfmt, clippy
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
workspaces: src-tauri
key: lint
- name: Install Linux GUI deps (for clippy)
run: |
sudo apt-get update
sudo apt-get install -y \
libgtk-3-dev \
libwebkit2gtk-4.1-dev \
libayatana-appindicator3-dev \
librsvg2-dev
- run: npm ci
- name: Build frontend
# clippy compiles the lib, and the tauri::generate_context!() macro
# requires the frontendDist path to exist at compile time.
run: npm run build
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
security:
# Gate on known-CVE deps in both ecosystems. Runs in parallel with
# build/msrv/lint — a fresh advisory on yesterday's working tree is a
# real signal we should act on, so we want it loud and fast.
# Per SECURITY.md: cargo-audit covers the Rust side, npm audit covers
# the JS side. Severity threshold for npm is `high`; anything moderate
# surfaces as a warning at `npm install` time but doesn't block the
# pipeline.
name: security
runs-on: ubuntu-24.04
# `rustsec/audit-check` publishes a check-run with the advisory
# summary when there are warnings (unmaintained / unsound crates).
# That POST needs `checks: write`; without it we get
# "Resource not accessible by integration" the moment a transitive
# dep gets a fresh advisory. `contents: read` is the workflow-default
# we'd otherwise inherit; declared here so this job's permissions are
# self-contained and not a side-effect of repo defaults.
permissions:
contents: read
checks: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: "20"
cache: npm
# rustsec/audit-check@v2 wraps cargo-audit with a self-updating copy
# of the RustSec advisory DB. It defaults to reading ./Cargo.lock;
# ours lives in src-tauri/ so we set the action's `working-directory`
# input accordingly.
- uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
working-directory: src-tauri
# `npm audit --package-lock-only` reads package-lock.json directly,
# so we skip the full `npm ci` and the lifecycle scripts it would
# otherwise run. The other CI jobs already validate the lockfile
# via their own `npm ci`, so we don't lose that signal.
- name: npm audit
run: npm audit --package-lock-only --audit-level=high