chore: add SECURITY.md, Dependabot, and fix CI build deps#20
Conversation
- SECURITY.md with vulnerability reporting policy - Dependabot for weekly Cargo + GitHub Actions updates - Fix Rust workflow: install libgtk-3-dev/libglib2.0-dev (glib-sys build failure)
📝 WalkthroughWalkthroughAdds repository governance and CI infra: Dependabot config for ChangesRepository infrastructure (Dependabot, CI, Security policy)
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Review rate limit: 9/10 reviews remaining, refill in 6 minutes. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@SECURITY.md`:
- Line 15: Replace the single personal email "djfreaq@gmail.com" in SECURITY.md
with a durable security contact such as a shared alias (for example
"security@yourdomain.com") or provide the GitHub private vulnerability reporting
path (e.g., "https://github.com/OWNER/REPO/security/policy") so security reports
are not reliant on an individual; update the SECURITY.md line and any related
wording to reference the chosen shared contact and optional PGP/public key
instructions if applicable.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: b13fecef-a676-4c49-bcde-af0dc1c1378e
📒 Files selected for processing (3)
.github/dependabot.yml.github/workflows/rust.ymlSECURITY.md
…il-only Addresses CodeRabbit review — personal email as sole contact is fragile. GitHub's private reporting is more durable and discoverable.
Linker fails with "unable to find library -lxdo" (tray-icon → libxdo-sys).
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/rust.yml:
- Around line 21-22: Replace the brittle direct apt commands by adding simple
retries and using --no-install-recommends: wrap the sudo apt-get update call and
the sudo apt-get install -y libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config
command in a retry loop (e.g., retry up to 3 times with short sleep/backoff) and
add --no-install-recommends to the install invocation to avoid extra packages;
ensure non-interactive flags (DEBIAN_FRONTEND=noninteractive) are preserved if
present and exit with failure only after all retries fail.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: fc6f3e0a-eb0b-4550-ab9a-6dd525cba656
📒 Files selected for processing (1)
.github/workflows/rust.yml
Reduces flaky CI from transient mirror issues and trims install size.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/rust.yml:
- Around line 19-23: Wrap the apt commands (the `sudo apt-get -o
Acquire::Retries=3 update` and `sudo apt-get -o Acquire::Retries=3 install -y
--no-install-recommends ...`) in a command-level retry loop that attempts the
entire command sequence up to 3 times with a short backoff (e.g., sleep between
attempts) and exits non-zero only if all attempts fail; update the workflow step
where the install runs to run the loop and preserve the existing
`Acquire::Retries` option so both command-level and package-acquisition retries
are active.
- Around line 19-23: Update the "Install system dependencies" step so the shell
is strict and apt is non-interactive: add a shell safety header (e.g., set -euo
pipefail or at minimum set -e) at the top of the run block and export
DEBIAN_FRONTEND=noninteractive before running apt-get; keep the existing -y and
--no-install-recommends flags and the Acquire::Retries setting to preserve
retries while ensuring failures are fail-fast and no interactive prompts block
the CI.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: bae43902-36ed-4ee2-89da-dde67f3899ee
📒 Files selected for processing (1)
.github/workflows/rust.yml
| - name: Install system dependencies | ||
| run: | | ||
| sudo apt-get -o Acquire::Retries=3 update | ||
| sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \ | ||
| libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | ⚡ Quick win
Add a command-level retry loop around apt commands (not just Acquire::Retries).
Acquire::Retries primarily retries package acquisition; it may not cover failures where the entire apt-get update or apt-get install command fails before downloads begin (e.g., DNS resolution, transient network resets, mirror handshake failures). If CI flakes still occur, wrapping apt-get update + apt-get install in a small loop (3 attempts with short backoff) will make the workflow more robust.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/rust.yml around lines 19 - 23, Wrap the apt commands (the
`sudo apt-get -o Acquire::Retries=3 update` and `sudo apt-get -o
Acquire::Retries=3 install -y --no-install-recommends ...`) in a command-level
retry loop that attempts the entire command sequence up to 3 times with a short
backoff (e.g., sleep between attempts) and exits non-zero only if all attempts
fail; update the workflow step where the install runs to run the loop and
preserve the existing `Acquire::Retries` option so both command-level and
package-acquisition retries are active.
Harden the apt install script for CI reliability (non-interactive + strict bash).
Right now you rely on apt’s retry setting, but the step can still behave less deterministically if the runner shell doesn’t enforce strict error handling and/or if any package triggers interactive behavior. Consider:
- setting
DEBIAN_FRONTEND=noninteractive - adding
set -euo pipefail(or at leastset -e) to make failures fail-fast and deterministic
Proposed patch
- name: Install system dependencies
run: |
- sudo apt-get -o Acquire::Retries=3 update
- sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
+ set -euo pipefail
+ export DEBIAN_FRONTEND=noninteractive
+ sudo apt-get -o Acquire::Retries=3 update
+ sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/rust.yml around lines 19 - 23, Update the "Install system
dependencies" step so the shell is strict and apt is non-interactive: add a
shell safety header (e.g., set -euo pipefail or at minimum set -e) at the top of
the run block and export DEBIAN_FRONTEND=noninteractive before running apt-get;
keep the existing -y and --no-install-recommends flags and the Acquire::Retries
setting to preserve retries while ensuring failures are fail-fast and no
interactive prompts block the CI.
Summary
libgtk-3-dev,libglib2.0-dev,pkg-configin Rust workflow — resolvesglib-2.0 not foundbuild failure on both existing failed runsTest plan
glib-sysbuild error)🤖 Generated with Claude Code
Summary by CodeRabbit
Chores
Documentation