Skip to content

chore: add SECURITY.md, Dependabot, and fix CI build deps#20

Merged
thewrz merged 4 commits into
mainfrom
chore/security-dependabot
May 4, 2026
Merged

chore: add SECURITY.md, Dependabot, and fix CI build deps#20
thewrz merged 4 commits into
mainfrom
chore/security-dependabot

Conversation

@thewrz

@thewrz thewrz commented May 4, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add SECURITY.md with vulnerability reporting policy (email contact, response timeline, scope)
  • Add Dependabot config for weekly Cargo crate + GitHub Actions version updates
  • Fix CI: install libgtk-3-dev, libglib2.0-dev, pkg-config in Rust workflow — resolves glib-2.0 not found build failure on both existing failed runs

Test plan

  • Rust workflow passes (previously failing with glib-sys build error)
  • SECURITY.md visible in GitHub repo Security tab
  • Dependabot starts opening PRs on next Monday cycle

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Enabled automated dependency updates on a weekly schedule with PR limits, labels, and standardized commit prefixes
    • CI now installs required system libraries before build and test steps
  • Documentation

    • Added a security policy covering supported versions, vulnerability reporting/process and timeline, scope, and key security considerations

- SECURITY.md with vulnerability reporting policy
- Dependabot for weekly Cargo + GitHub Actions updates
- Fix Rust workflow: install libgtk-3-dev/libglib2.0-dev (glib-sys build failure)
@coderabbitai

coderabbitai Bot commented May 4, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Adds repository governance and CI infra: Dependabot config for cargo and github-actions, a CI step installing system libraries for Rust CI, and a SECURITY.md detailing vulnerability reporting, supported versions, scope, and security considerations.

Changes

Repository infrastructure (Dependabot, CI, Security policy)

Layer / File(s) Summary
Dependency metadata / Config
.github/dependabot.yml
Adds Dependabot updates for cargo and github-actions at the repo root, scheduled weekly on Mondays; sets open PR limits (10 for cargo, 5 for github-actions), labels (dependencies, ci), and commit-message prefixes (chore(deps), chore(ci)).
CI wiring / System deps
.github/workflows/rust.yml
Inserts an "Install system dependencies" step after checkout that runs sudo apt-get with Acquire::Retries=3 to update and installs libgtk-3-dev, libglib2.0-dev, libxdo-dev, and pkg-config before existing cargo build/cargo test steps.
Documentation / Governance
SECURITY.md
Adds a security policy: supported versions (0.1.x), private vulnerability reporting instructions (GitHub advisory + email), required report contents, response timeline (acknowledgment/assessment/fix targets), policy scope (app binary, build/packaging scripts, GitHub Actions) and out-of-scope items, and security considerations (PipeWire, D-Bus, filesystem; no network, no untrusted remote input, runs in userspace, XDG config storage).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
In a meadow of commits I hop and hum,
Dependabot trims weeds, the CI drums.
Libraries settled, the gates stand bright,
Security lanterns glow through the night,
A tiny honk for tidy code and light.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately summarizes all three main changes: adding SECURITY.md, configuring Dependabot, and fixing CI build dependencies. The title is specific, concise, and directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/security-dependabot

Review rate limit: 9/10 reviews remaining, refill in 6 minutes.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@SECURITY.md`:
- Line 15: Replace the single personal email "djfreaq@gmail.com" in SECURITY.md
with a durable security contact such as a shared alias (for example
"security@yourdomain.com") or provide the GitHub private vulnerability reporting
path (e.g., "https://github.com/OWNER/REPO/security/policy") so security reports
are not reliant on an individual; update the SECURITY.md line and any related
wording to reference the chosen shared contact and optional PGP/public key
instructions if applicable.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b13fecef-a676-4c49-bcde-af0dc1c1378e

📥 Commits

Reviewing files that changed from the base of the PR and between d308662 and 5464132.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/rust.yml
  • SECURITY.md

Comment thread SECURITY.md Outdated
thewrz added 2 commits May 3, 2026 18:29
…il-only

Addresses CodeRabbit review — personal email as sole contact is fragile.
GitHub's private reporting is more durable and discoverable.
Linker fails with "unable to find library -lxdo" (tray-icon → libxdo-sys).

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/rust.yml:
- Around line 21-22: Replace the brittle direct apt commands by adding simple
retries and using --no-install-recommends: wrap the sudo apt-get update call and
the sudo apt-get install -y libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config
command in a retry loop (e.g., retry up to 3 times with short sleep/backoff) and
add --no-install-recommends to the install invocation to avoid extra packages;
ensure non-interactive flags (DEBIAN_FRONTEND=noninteractive) are preserved if
present and exit with failure only after all retries fail.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: fc6f3e0a-eb0b-4550-ab9a-6dd525cba656

📥 Commits

Reviewing files that changed from the base of the PR and between 02f8cf4 and 9317b11.

📒 Files selected for processing (1)
  • .github/workflows/rust.yml

Comment thread .github/workflows/rust.yml Outdated
Reduces flaky CI from transient mirror issues and trims install size.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/rust.yml:
- Around line 19-23: Wrap the apt commands (the `sudo apt-get -o
Acquire::Retries=3 update` and `sudo apt-get -o Acquire::Retries=3 install -y
--no-install-recommends ...`) in a command-level retry loop that attempts the
entire command sequence up to 3 times with a short backoff (e.g., sleep between
attempts) and exits non-zero only if all attempts fail; update the workflow step
where the install runs to run the loop and preserve the existing
`Acquire::Retries` option so both command-level and package-acquisition retries
are active.
- Around line 19-23: Update the "Install system dependencies" step so the shell
is strict and apt is non-interactive: add a shell safety header (e.g., set -euo
pipefail or at minimum set -e) at the top of the run block and export
DEBIAN_FRONTEND=noninteractive before running apt-get; keep the existing -y and
--no-install-recommends flags and the Acquire::Retries setting to preserve
retries while ensuring failures are fail-fast and no interactive prompts block
the CI.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: bae43902-36ed-4ee2-89da-dde67f3899ee

📥 Commits

Reviewing files that changed from the base of the PR and between 9317b11 and 493d7c3.

📒 Files selected for processing (1)
  • .github/workflows/rust.yml

Comment on lines +19 to +23
- name: Install system dependencies
run: |
sudo apt-get -o Acquire::Retries=3 update
sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add a command-level retry loop around apt commands (not just Acquire::Retries).

Acquire::Retries primarily retries package acquisition; it may not cover failures where the entire apt-get update or apt-get install command fails before downloads begin (e.g., DNS resolution, transient network resets, mirror handshake failures). If CI flakes still occur, wrapping apt-get update + apt-get install in a small loop (3 attempts with short backoff) will make the workflow more robust.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml around lines 19 - 23, Wrap the apt commands (the
`sudo apt-get -o Acquire::Retries=3 update` and `sudo apt-get -o
Acquire::Retries=3 install -y --no-install-recommends ...`) in a command-level
retry loop that attempts the entire command sequence up to 3 times with a short
backoff (e.g., sleep between attempts) and exits non-zero only if all attempts
fail; update the workflow step where the install runs to run the loop and
preserve the existing `Acquire::Retries` option so both command-level and
package-acquisition retries are active.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Harden the apt install script for CI reliability (non-interactive + strict bash).

Right now you rely on apt’s retry setting, but the step can still behave less deterministically if the runner shell doesn’t enforce strict error handling and/or if any package triggers interactive behavior. Consider:

  • setting DEBIAN_FRONTEND=noninteractive
  • adding set -euo pipefail (or at least set -e) to make failures fail-fast and deterministic
Proposed patch
     - name: Install system dependencies
       run: |
-        sudo apt-get -o Acquire::Retries=3 update
-        sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
+        set -euo pipefail
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get -o Acquire::Retries=3 update
+        sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
           libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml around lines 19 - 23, Update the "Install system
dependencies" step so the shell is strict and apt is non-interactive: add a
shell safety header (e.g., set -euo pipefail or at minimum set -e) at the top of
the run block and export DEBIAN_FRONTEND=noninteractive before running apt-get;
keep the existing -y and --no-install-recommends flags and the Acquire::Retries
setting to preserve retries while ensuring failures are fail-fast and no
interactive prompts block the CI.

@thewrz thewrz merged commit 76b3921 into main May 4, 2026
7 checks passed
@thewrz thewrz deleted the chore/security-dependabot branch May 4, 2026 03:14
@coderabbitai coderabbitai Bot mentioned this pull request May 17, 2026
@thewrz thewrz added this to HonkHonk Jun 21, 2026
@github-project-automation github-project-automation Bot moved this to Backlog in HonkHonk Jun 21, 2026
@github-project-automation github-project-automation Bot moved this from Backlog to Done in HonkHonk Jun 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant