Pin dependencies + 7-day Dependabot cooldown + auto-merge#75
Conversation
Supply-chain hardening. Floating specs let a fresh (possibly broken or compromised) release slip into a build; this pins every dependency to an exact version and gates future updates behind a 7-day cooldown so nothing younger than a week is ever proposed. Aged-in, CI-green updates then auto-merge. - package.json: npm deps pinned to exact resolved versions (no ^). Lockfile diff is spec-only; resolved versions unchanged. - src-tauri/Cargo.toml: cargo deps pinned to exact =x.y.z from Cargo.lock. - .github/workflows/ci.yml: every action pinned to a commit SHA (with a version comment) instead of a moving tag/branch. - .github/dependabot.yml: cooldown default-days: 7 on all four ecosystems. Cooldown is version-updates-only, so security updates still land immediately. - .github/workflows/dependabot-auto-merge.yml: approve + `gh pr merge --auto --squash` Dependabot PRs; branch-protection CI stays the gate. (NuGet was already pinned via Directory.Packages.props.) Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: GitButler <gitbutler@gitbutler.com>
There was a problem hiding this comment.
Code Review
This pull request introduces dependency pinning across npm (package.json) and Rust (Cargo.toml) configurations, and adds a 7-day cooldown period for Dependabot updates. The review feedback correctly points out that pinning exact Rust dependency versions using the = operator in Cargo.toml is an anti-pattern. It prevents automatic patch updates and can cause compatibility issues for library crates, so using standard caret requirements and relying on Cargo.lock for reproducible builds is recommended.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
This PR aims to harden the project’s supply chain by making builds reproducible (exact dependency pins) and routing dependency updates through Dependabot with a minimum package age, plus an automated path to merge Dependabot PRs once CI passes.
Changes:
- Pinned Cargo and npm dependencies to exact versions (and updated
package-lock.jsonto match the new npm spec strings). - Pinned GitHub Actions in CI to commit SHAs.
- Added Dependabot “cooldown” configuration and a new workflow intended to auto-approve and enable auto-merge for Dependabot PRs.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
src-tauri/Cargo.toml |
Pins Rust/Tauri dependencies to exact versions for reproducible builds. |
package.json |
Pins npm dependencies/devDependencies to exact versions. |
package-lock.json |
Updates top-level dependency spec entries to align with the pinned package.json. |
.github/workflows/dependabot-auto-merge.yml |
Adds an Actions workflow to auto-approve + enable auto-merge for Dependabot PRs. |
.github/workflows/ci.yml |
Pins referenced GitHub Actions to specific commit SHAs. |
.github/dependabot.yml |
Adds a 7-day cooldown/minimum-age gate for Dependabot version updates across ecosystems. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c5762d60f4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Two review/CI follow-ups on the dependency-pinning change: - Revert the exact `=` Cargo.toml pins to caret at the resolved versions. `=` pinning is a Rust anti-pattern (resolver conflicts when a transitive dep needs a different patch of serde/tokio/etc.), and the committed Cargo.lock already guarantees reproducible builds while still letting patch/security fixes flow. - cargo audit now fails on quick-xml <0.41 (RUSTSEC-2026-0194/-0195, both DoS-only). It reaches us only transitively via tauri -> plist (build/bundle plist parsing, never attacker-controlled runtime XML), and plist 1.8.0 pins quick-xml ^0.38 so there is no upstream fix to pull. Ignore only those two advisory IDs in the audit step, with a comment to drop the ignore once a tauri/plist release moves to quick-xml >=0.41. Every other advisory still fails the build. This also unbreaks main, which the new advisories had turned red independently of this branch. Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: GitButler <gitbutler@gitbutler.com>
Summary
Supply-chain hardening so builds are reproducible and updates only ever arrive through Dependabot, aged and CI-verified.
package.json, no^), Cargo (src-tauri/Cargo.toml, exact=x.y.z), GitHub Actions (ci.yml, commit-SHA pins with version comments). NuGet was already pinned viaDirectory.Packages.props. npm lockfile diff is spec-only; resolved versions are unchanged.dependabot.yml,default-days: 7on all four ecosystems) — Dependabot never proposes a version younger than 7 days. Cooldown is version-updates-only, so security updates still come through immediately..github/workflows/dependabot-auto-merge.yml) — approves andgh pr merge --auto --squashon Dependabot PRs; branch-protection CI stays the gate. Repo "Allow auto-merge" enabled.Follow-up
The 15 open Dependabot PRs predate this policy — after merge they'll conflict and Dependabot recreates them under the cooldown on its next run (holding anything <7 days old). No manual merges.
Test plan
npm install→ lockfile diff spec-only;npx tsc --noEmit+npm run buildcleancargo check --manifest-path src-tauri/Cargo.toml— exact=pins resolve, Cargo.lock unchangeddependabot.yml,ci.yml, and the new workflow