From f843ac5ed16b7b2951c5bee6a09783ed91bc0197 Mon Sep 17 00:00:00 2001 From: huyphan Date: Tue, 14 Jul 2026 18:20:58 -0600 Subject: [PATCH] fix(ci): upgrade Actions to v5 and unblock npm/cargo audit gates GitHub now runs Node 24 on runners, deprecating Node-20-based action releases. Bump checkout/setup-node/cache/upload-artifact to v5, align CLI React with ink@7 for fresh npm installs on CI, hoist ink/react for Vitest, and ignore transitive quick-xml advisories from plist until upstream updates. Co-authored-by: Cursor --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/dependency-security.yml | 14 +++++++------- .github/workflows/desktop-release.yml | 4 ++-- .github/workflows/release-gate.yml | 20 ++++++++++---------- .github/workflows/secret-scan.yml | 2 +- .github/workflows/version-bump.yml | 2 +- .github/workflows/web-release.yml | 2 +- apps/cli/package.json | 2 +- apps/desktop/src-tauri/.cargo/audit.toml | 8 ++++++++ package.json | 2 ++ 10 files changed, 35 insertions(+), 25 deletions(-) create mode 100644 apps/desktop/src-tauri/.cargo/audit.toml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6b3889c..1990033 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,10 +24,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 22 # No cache: npm — package-lock.json is gitignored in this project. diff --git a/.github/workflows/dependency-security.yml b/.github/workflows/dependency-security.yml index 7ec4bd4..8055498 100644 --- a/.github/workflows/dependency-security.yml +++ b/.github/workflows/dependency-security.yml @@ -20,10 +20,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 22 # No cache: npm — package-lock.json is gitignored in this project. @@ -48,7 +48,7 @@ jobs: - name: Upload audit report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: npm-audit-report path: npm-audit-full.json @@ -60,10 +60,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 22 @@ -82,13 +82,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Rust toolchain uses: dtolnay/rust-toolchain@stable - name: Cache Cargo registry - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: | ~/.cargo/registry diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml index d81d127..7e84e32 100644 --- a/.github/workflows/desktop-release.yml +++ b/.github/workflows/desktop-release.yml @@ -54,7 +54,7 @@ jobs: - db2 # "Fox Schema DB2" — adds DB2, drops AppImage runs-on: ${{ matrix.platform }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Install Rust uses: dtolnay/rust-toolchain@stable @@ -65,7 +65,7 @@ jobs: workspaces: apps/desktop/src-tauri - name: Install Node - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 22 diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml index 1d5cab0..25ce8c3 100644 --- a/.github/workflows/release-gate.yml +++ b/.github/workflows/release-gate.yml @@ -25,8 +25,8 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@v5 + - uses: actions/setup-node@v5 with: node-version: 22 - run: npm install --ignore-scripts @@ -39,8 +39,8 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@v5 + - uses: actions/setup-node@v5 with: node-version: 22 - run: npm install --ignore-scripts @@ -53,8 +53,8 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@v5 + - uses: actions/setup-node@v5 with: node-version: 22 - run: npm install --package-lock-only --ignore-scripts @@ -67,7 +67,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: fetch-depth: 0 - name: Install Gitleaks @@ -86,9 +86,9 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: dtolnay/rust-toolchain@stable - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -107,7 +107,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: fetch-depth: 0 diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 97e4a21..dd9634e 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: # Full history required for push/schedule scans. # PR scans only need the tip but fetch-depth: 0 is safe for both. diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 38880ca..17b2646 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: # Use a PAT or the default GITHUB_TOKEN. # GITHUB_TOKEN is enough for pushing to non-protected branches. diff --git a/.github/workflows/web-release.yml b/.github/workflows/web-release.yml index bc9b130..32d22a5 100644 --- a/.github/workflows/web-release.yml +++ b/.github/workflows/web-release.yml @@ -27,7 +27,7 @@ jobs: build-and-push: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Determine image tag id: ver diff --git a/apps/cli/package.json b/apps/cli/package.json index 19243f0..4ccd038 100644 --- a/apps/cli/package.json +++ b/apps/cli/package.json @@ -26,7 +26,7 @@ "ink-select-input": "^6.2.0", "ink-spinner": "^5.0.0", "ink-text-input": "^6.0.0", - "react": "^18.3.1" + "react": "^19.2.0" }, "devDependencies": { "@types/react": "^19.2.17", diff --git a/apps/desktop/src-tauri/.cargo/audit.toml b/apps/desktop/src-tauri/.cargo/audit.toml new file mode 100644 index 0000000..0eb0227 --- /dev/null +++ b/apps/desktop/src-tauri/.cargo/audit.toml @@ -0,0 +1,8 @@ +# quick-xml 0.39.x is pulled in transitively via plist → tauri. plist parses +# trusted app metadata, not attacker-controlled XML via NsReader. Remove these +# ignores once plist adopts quick-xml >= 0.41 (see rust-plist PR #191). +[advisories] +ignore = [ + "RUSTSEC-2026-0194", + "RUSTSEC-2026-0195", +] diff --git a/package.json b/package.json index 421ffd7..fad8136 100644 --- a/package.json +++ b/package.json @@ -52,6 +52,8 @@ "node": ">=22.5" }, "devDependencies": { + "ink": "^7.1.0", + "react": "^19.2.0", "typescript": "~6.0.2", "vitest": "^4.1.8", "eslint": "^10.6.0",