
chore(deps): Bump hmac from 0.12.1 to 0.13.0 in /apps/helper/src-tauri #1083

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/apps/helper/src-tauri/hmac-0.13.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github Jun 2, 2026

Bumps hmac from 0.12.1 to 0.13.0.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hmac](https://github.com/RustCrypto/MACs) from 0.12.1 to 0.13.0.
- [Commits](RustCrypto/MACs@hmac-v0.12.1...hmac-v0.13.0)

---
updated-dependencies:
- dependency-name: hmac
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] (Contributor, Author) commented on behalf of github Jun 2, 2026

Labels

The following labels could not be found: dependencies, rust, tauri. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

cloudflare-workers-and-pages[bot] commented Jun 2, 2026

Deploying breeze with Cloudflare Pages

Latest commit: f5018bd
Status: ✅  Deploy successful!
Preview URL: https://2e0e5b03.breeze-9te.pages.dev
Branch Preview URL: https://dependabot-cargo-apps-helper-40dm.breeze-9te.pages.dev


ToddHebebrand (Collaborator) commented

Superseded by #1146.

Root cause (why this PR couldn't merge alone): sha2 0.11 and hmac 0.13 are a coupled pair — both pull in digest 0.11, which moved new_from_slice to the KeyInit trait. Merging either bump by itself breaks the helper build at apps/helper/src-tauri/src/ipc/envelope.rs:18, and PR CI never compiles the helper's Rust (only cargo-audit runs), so it would have merged green and broken the release build.

Fix: #1146 lands both bumps together with the one-line use hmac::{Hmac, KeyInit, Mac}; import fix, verified with cargo check --locked --all-targets and the helper's 33 unit tests (incl. the Go-compatible HMAC parity tests). It also adds a rust-check CI job so future Cargo bumps are compile-checked at PR time.

Dependabot should close this automatically once #1146 merges.

ToddHebebrand added a commit that referenced this pull request Jun 9, 2026
…fix; add rust-check CI job (#1146)

## Why

Supersedes the coupled dependabot pair **#1082** (sha2 0.10→0.11) and
**#1083** (hmac 0.12→0.13). Both pull in digest 0.11, and merging either
alone breaks the helper build: digest 0.11 moved `new_from_slice` to the
`KeyInit` trait. Neither could merge safely because **PR CI never
compiles the helper's Rust** — only cargo-audit (an advisory-DB scan)
runs; the real build happens only in the release workflow.

## What

- **Bump** `sha2 = "0.11"`, `hmac = "0.13"` in
`apps/helper/src-tauri/Cargo.toml` + lockfile.
- **Fix** `apps/helper/src-tauri/src/ipc/envelope.rs:18` — import
`KeyInit` alongside `Mac` so `Hmac::new_from_slice` compiles under
digest 0.11.
- **New CI job `rust-check`** — `cargo check --locked --all-targets` for
`apps/helper/src-tauri` **and** `apps/viewer/src-tauri` on every PR,
using the same apt deps, pinned toolchain action, and rust-cache setup
as the release workflow. Closes the merge-green-break-release blind spot
this pair demonstrated. Non-blocking (not in the `ci-success` needs
list) until its runtime/caching is proven.

## Verification

- `cargo check --locked --all-targets` clean for **both** apps locally
(macOS).
- `cargo test` in the helper: **33 passed**, including the Go-compatible
HMAC envelope parity tests that exercise the `KeyInit` code path.
- The `rust-check` job runs on this very PR, so the bump is
compile-verified in CI before merge.

## Notes

- **#1081** (windows 0.58→0.61) is intentionally NOT included: it's
`[target.'cfg(windows)']`-gated, so neither macOS nor the ubuntu
rust-check job compiles it — only the Windows release build can verify
it. It stays held.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
ToddHebebrand (Collaborator) commented

Closing — superseded by #1146 (merged), which lands this bump together with sha2 0.11 and the required KeyInit import fix.

dependabot[bot] (Contributor, Author) commented on behalf of github Jun 9, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/cargo/apps/helper/src-tauri/hmac-0.13.0 branch June 9, 2026 18:31
ToddHebebrand added a commit that referenced this pull request Jun 9, 2026
…dows cargo check, dependabot staggering (#1165)

## Why

Follow-up to the June red-main postmortem (#1144/#1146), with one
organizing principle: **nothing is red by default — red means act now.**
Main was red for 8 days partly because chronic background red trained
everyone to ignore it.

## What

**Blocking integration tests** — the API integration suite moves out of
the non-blocking smoke-test job into its own `integration-test` job,
required on PRs *and* main via `ci-success`. This is the gate that would
have stopped #1042 and #1092 from merging. It boots only
`docker-compose.test.yml` (no image builds) — ~2-3 min. The smoke job
keeps the Docker build + endpoint smoke, still non-blocking on PRs.
`rust-check` is promoted to required as well.

**`bail: 1` removed** from the integration config — it surfaced only the
first failure per run, which hid #1092's lockout behind #1042's 403 for
a day.

**Main-red alerting** — a `main-red-alert` job keeps exactly one open
`ci-red` issue while main is red and auto-closes it on the next green
main push. Cancelled runs (dependabot storms) are ignored. One loud,
self-resolving signal instead of a wall of silently-cancelled runs.

**`rust-check-windows`** — compiles both Tauri apps on a windows runner,
path-filtered to `src-tauri/**` changes, closing the `cfg(windows)` gap
the ubuntu rust-check can't cover (the #1081 problem). Skipped (fast,
green) on non-Cargo PRs.

**Workflow Lint job** (security workflow) — actionlint core checks +
zizmor at medium severity, both verified green against this tree before
gating. shellcheck integration is deliberately off (release.yml's 13
style nits would make it perma-red). `.github/zizmor.yml` encodes the
pin policy (first-party actions float on tags, everything else
hash-pinned) and the one accepted finding class (release build caches).
zizmor's first sweep also scoped `security-events: write` per-job and
added missing least-privilege `permissions:` blocks to three workflows.

**Dependabot staggering + coupling groups** — npm Monday, Go Tuesday,
Actions Wednesday, Cargo Thursday (no more Monday merge storm), plus
groups for deps that break when bumped solo: `mobile`
(expo/react-native/metro), `aws-sdk` (gomod), `rustcrypto` (the
sha2/hmac pair from #1082/#1083).

**Local-flake kill** — `audit-logs-rls.integration.test.ts` used
hardcoded resourceIds against the append-only `audit_logs` table, so
every second local run failed on accumulated rows (the "clear audit_logs
between runs" papercut). Per-run UUIDs fix it; verified by running the
suite twice against a dirty DB — 91/91 green both times.

## Deliberately deferred

A nightly Playwright e2e job is viable but the suite currently has a
broken import (`test-helpers.ts` doesn't exist) and unverified seed data
for the catalog specs — shipping it now would create a red-by-default
job. Tracked as a follow-up.

## Verification

- `actionlint -shellcheck=` and `zizmor --min-severity medium` exit 0
across all workflows locally.
- Integration suite (no-bail config): 22 files / 91 tests green, twice,
against a dirty DB.
- The new `integration-test`, `rust-check-windows` (skip path), and
`workflow-lint` jobs all run on this very PR.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
