Skip to content

Pin dependencies + 7-day Dependabot cooldown + auto-merge#75

Merged
GordonBeeming merged 2 commits into
mainfrom
gb/pin-deps-and-cooldown
Jul 2, 2026
Merged

Pin dependencies + 7-day Dependabot cooldown + auto-merge#75
GordonBeeming merged 2 commits into
mainfrom
gb/pin-deps-and-cooldown

Conversation

@GordonBeeming

Copy link
Copy Markdown
Owner

Summary

Supply-chain hardening so builds are reproducible and updates only ever arrive through Dependabot, aged and CI-verified.

  • Pinned every dependency to an exact version — npm (package.json, no ^), Cargo (src-tauri/Cargo.toml, exact =x.y.z), GitHub Actions (ci.yml, commit-SHA pins with version comments). NuGet was already pinned via Directory.Packages.props. npm lockfile diff is spec-only; resolved versions are unchanged.
  • 7-day cooldown (dependabot.yml, default-days: 7 on all four ecosystems) — Dependabot never proposes a version younger than 7 days. Cooldown is version-updates-only, so security updates still come through immediately.
  • Auto-merge (.github/workflows/dependabot-auto-merge.yml) — approves and gh pr merge --auto --squash on Dependabot PRs; branch-protection CI stays the gate. Repo "Allow auto-merge" enabled.

Follow-up

The 15 open Dependabot PRs predate this policy — after merge they'll conflict and Dependabot recreates them under the cooldown on its next run (holding anything <7 days old). No manual merges.

Test plan

  • npm install → lockfile diff spec-only; npx tsc --noEmit + npm run build clean
  • cargo check --manifest-path src-tauri/Cargo.toml — exact = pins resolve, Cargo.lock unchanged
  • YAML valid for dependabot.yml, ci.yml, and the new workflow
  • PR CI green on all platforms with SHA-pinned actions

Supply-chain hardening. Floating specs let a fresh (possibly broken or
compromised) release slip into a build; this pins every dependency to an exact
version and gates future updates behind a 7-day cooldown so nothing younger than
a week is ever proposed. Aged-in, CI-green updates then auto-merge.

- package.json: npm deps pinned to exact resolved versions (no ^). Lockfile diff
  is spec-only; resolved versions unchanged.
- src-tauri/Cargo.toml: cargo deps pinned to exact =x.y.z from Cargo.lock.
- .github/workflows/ci.yml: every action pinned to a commit SHA (with a version
  comment) instead of a moving tag/branch.
- .github/dependabot.yml: cooldown default-days: 7 on all four ecosystems.
  Cooldown is version-updates-only, so security updates still land immediately.
- .github/workflows/dependabot-auto-merge.yml: approve + `gh pr merge --auto
  --squash` Dependabot PRs; branch-protection CI stays the gate. (NuGet was
  already pinned via Directory.Packages.props.)

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: GitButler <gitbutler@gitbutler.com>
@GordonBeeming GordonBeeming marked this pull request as ready for review July 2, 2026 12:20
Copilot AI review requested due to automatic review settings July 2, 2026 12:20

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces dependency pinning across npm (package.json) and Rust (Cargo.toml) configurations, and adds a 7-day cooldown period for Dependabot updates. The review feedback correctly points out that pinning exact Rust dependency versions using the = operator in Cargo.toml is an anti-pattern. It prevents automatic patch updates and can cause compatibility issues for library crates, so using standard caret requirements and relying on Cargo.lock for reproducible builds is recommended.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread src-tauri/Cargo.toml Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to harden the project’s supply chain by making builds reproducible (exact dependency pins) and routing dependency updates through Dependabot with a minimum package age, plus an automated path to merge Dependabot PRs once CI passes.

Changes:

  • Pinned Cargo and npm dependencies to exact versions (and updated package-lock.json to match the new npm spec strings).
  • Pinned GitHub Actions in CI to commit SHAs.
  • Added Dependabot “cooldown” configuration and a new workflow intended to auto-approve and enable auto-merge for Dependabot PRs.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src-tauri/Cargo.toml Pins Rust/Tauri dependencies to exact versions for reproducible builds.
package.json Pins npm dependencies/devDependencies to exact versions.
package-lock.json Updates top-level dependency spec entries to align with the pinned package.json.
.github/workflows/dependabot-auto-merge.yml Adds an Actions workflow to auto-approve + enable auto-merge for Dependabot PRs.
.github/workflows/ci.yml Pins referenced GitHub Actions to specific commit SHAs.
.github/dependabot.yml Adds a 7-day cooldown/minimum-age gate for Dependabot version updates across ecosystems.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/dependabot-auto-merge.yml
Comment thread .github/workflows/dependabot-auto-merge.yml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c5762d60f4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml
Two review/CI follow-ups on the dependency-pinning change:

- Revert the exact `=` Cargo.toml pins to caret at the resolved versions. `=`
  pinning is a Rust anti-pattern (resolver conflicts when a transitive dep needs
  a different patch of serde/tokio/etc.), and the committed Cargo.lock already
  guarantees reproducible builds while still letting patch/security fixes flow.
- cargo audit now fails on quick-xml <0.41 (RUSTSEC-2026-0194/-0195, both
  DoS-only). It reaches us only transitively via tauri -> plist (build/bundle
  plist parsing, never attacker-controlled runtime XML), and plist 1.8.0 pins
  quick-xml ^0.38 so there is no upstream fix to pull. Ignore only those two
  advisory IDs in the audit step, with a comment to drop the ignore once a
  tauri/plist release moves to quick-xml >=0.41. Every other advisory still
  fails the build. This also unbreaks main, which the new advisories had turned
  red independently of this branch.

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: GitButler <gitbutler@gitbutler.com>
@GordonBeeming GordonBeeming merged commit 7e77e7c into main Jul 2, 2026
6 of 10 checks passed
@GordonBeeming GordonBeeming deleted the gb/pin-deps-and-cooldown branch July 2, 2026 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants