Merge pull request 'ci: libdbus-1-dev for keyring build, drop appimage target (#79)' (#84) from issue-79-ci-libdbus into main

The new token_store module (#78) depends on `sync-secret-service` via
`dbus-secret-service`, which in turn links to libdbus-1 at build time
through the `dbus` crate. Add `libdbus-1-dev` to:

- `check.yml` rust job (alongside the existing webkit/appindicator
  system deps), so every PR run compiles the keyring backend.
- `release.yml` Linux deps step, so tagged builds link correctly.

Runtime requires `libdbus-1-3`, which is present on every desktop
Linux distro by default, so `.deb` / `.rpm` depends stay unchanged.

Also add a non-blocking `cargo audit` step to check.yml to surface
advisories across the transitive dep graph (zbus, dbus-secret-service,
etc.) without failing unrelated PRs.

Drop `appimage` from `bundle.targets` in tauri.conf.json: the release
workflow explicitly builds `--bundles deb,rpm` so AppImage was never
shipped, and its presence in the config risks a silent fallback to
plaintext token storage for anyone running `tauri build` locally
without libsecret/libdbus bundled into the AppImage. No behaviour
change for CI; follow-up to re-enable AppImage properly would need a
linuxdeploy workflow that bundles the backend.

Refs #66

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.forgejo/workflows/check.yml

@@ -25,7 +25,8 @@ jobs:
           apt-get update
           apt-get install -y --no-install-recommends \
             curl wget git ca-certificates build-essential pkg-config \
-            libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev libssl-dev
+            libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev libssl-dev \
+            libdbus-1-dev
           # Node.js is required by actions/checkout and actions/cache (they
           # are JavaScript actions and need `node` in the container PATH).
           curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
@@ -63,6 +64,16 @@ jobs:
       - name: cargo test
         run: cargo test --manifest-path src-tauri/Cargo.toml --all-targets
 
+      # Informational audit of transitive dependencies. Failure does not
+      # block the CI (advisories can appear on unrelated crates and stall
+      # unrelated work); surface them in the job log so we see them on
+      # every PR run and can react in a follow-up.
+      - name: cargo audit
+        continue-on-error: true
+        run: |
+          cargo install --locked cargo-audit || true
+          cargo audit --file src-tauri/Cargo.lock || true
+
   frontend:
     runs-on: ubuntu
     container: ubuntu:22.04

.forgejo/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: Install Linux dependencies
         run: |
-          apt-get install -y build-essential libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf jq libssl-dev xdg-utils
+          apt-get install -y build-essential libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf jq libssl-dev xdg-utils libdbus-1-dev
 
       - name: Install Windows cross-compile dependencies
         run: |

src-tauri/tauri.conf.json

@@ -23,7 +23,7 @@
   },
   "bundle": {
     "active": true,
-    "targets": ["nsis", "deb", "rpm", "appimage"],
+    "targets": ["nsis", "deb", "rpm"],
     "icon": [
       "icons/32x32.png",
       "icons/128x128.png",