ci: libdbus-1-dev for keyring build, drop appimage target (#79) #84

Merged
maximus merged 1 commit from issue-79-ci-libdbus into main 2026-04-14 00:35:37 +00:00
Owner

Fixes #79
Refs #66

Summary

  • libdbus-1-dev added to check.yml rust job + release.yml Linux deps (required by the dbus-secret-service crate pulled in by keyring via sync-secret-service).
  • Non-blocking cargo audit step added to check.yml to watch the transitive dep graph (zbus, dbus-secret-service, etc.) without failing unrelated PRs.
  • appimage removed from bundle.targets — release.yml only builds --bundles deb,rpm, so AppImage was dormant; removing it eliminates the risk of a silent plaintext-fallback trap for local tauri build runs without libdbus bundled in the AppImage.

Note vs original spec

The spec mentioned libsecret-1-dev, but the final backend choice is sync-secret-service + crypto-rust, which talks to the Secret Service D-Bus API through dbus-secret-service → dbus crate. That needs libdbus-1-dev (not libsecret-1-dev) at build time. Net: one apt package, runtime libdbus-1-3 is universal.

Test plan

  • CI rust job installs libdbus-1-dev and compiles keyring + token_store
  • cargo audit step runs (non-blocking) and reports any advisories
  • release.yml, once triggered, builds deb + rpm without linking errors
maximus added 1 commit 2026-04-14 00:27:53 +00:00
ci: install libdbus-1-dev for keyring build, drop appimage target (#79)
All checks were successful
PR Check / rust (push) Successful in 23m16s
PR Check / frontend (push) Successful in 2m17s
PR Check / rust (pull_request) Successful in 21m37s
PR Check / frontend (pull_request) Successful in 2m10s
481018e1e3
The new token_store module (#78) depends on `sync-secret-service` via
`dbus-secret-service`, which in turn links to libdbus-1 at build time
through the `dbus` crate. Add `libdbus-1-dev` to:

- `check.yml` rust job (alongside the existing webkit/appindicator
  system deps), so every PR run compiles the keyring backend.
- `release.yml` Linux deps step, so tagged builds link correctly.

Runtime requires `libdbus-1-3`, which is present on every desktop
Linux distro by default, so `.deb` / `.rpm` depends stay unchanged.

Also add a non-blocking `cargo audit` step to check.yml to surface
advisories across the transitive dep graph (zbus, dbus-secret-service,
etc.) without failing unrelated PRs.

Drop `appimage` from `bundle.targets` in tauri.conf.json: the release
workflow explicitly builds `--bundles deb,rpm` so AppImage was never
shipped, and its presence in the config risks a silent fallback to
plaintext token storage for anyone running `tauri build` locally
without libsecret/libdbus bundled into the AppImage. No behaviour
change for CI; follow-up to re-enable AppImage properly would need a
linuxdeploy workflow that bundles the backend.

Refs #66

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
Owner

Review — APPROVE ✓

Security

  • ✓ libdbus-1-dev is a standard apt package (freedesktop.org)
  • ✓ Non-blocking cargo audit surfaces advisories without breaking unrelated PRs
  • ✓ Dropping AppImage closes the trap identified by the spec review (silent plaintext fallback if libsecret/libdbus is not bundled)

Correctness

  • ✓ Touches only the rust job in check.yml (not frontend)
  • ✓ release.yml modified at the right step, Install Linux dependencies
  • ✓ cargo audit --file src-tauri/Cargo.lock is the valid path (audit reads Cargo.lock, not Cargo.toml)

Quality

  • ✓ Minimal diff: 14 net lines
  • ✓ YAML comment explains the continue-on-error rationale

Note vs original spec

The spec review mentioned libsecret-1-dev. The final backend (sync-secret-service) goes through dbus-secret-service → dbus crate → libdbus-1-dev. Same class of dependency, same one-line apt addition, no runtime impact (libdbus-1-3 is universal on desktop Linux).

Verdict: APPROVE

maximus merged commit b684c88d2b into main 2026-04-14 00:35:37 +00:00
maximus deleted branch issue-79-ci-libdbus 2026-04-14 00:35:37 +00:00
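
A regression guard for the `appimage` removal described in the commit message above, written here as an added example and not part of this PR or the project's code. It flags any `tauri.conf.json` whose `bundle.targets` could produce an AppImage again; the function names, the `tauri.bundle.targets` fallback location, the treatment of `"all"` and of an unset key, and the sample configs are assumptions.

```python
import json

# Bundle targets that would produce an AppImage on Linux. "all" is included
# on the assumption that Tauri's catch-all value also builds an AppImage.
RISKY = {"appimage", "all"}


def bundle_targets(conf: dict):
    """Return the configured targets as a list, or None when unset.

    Looks at `bundle.targets` (the key named in this PR) and, as an
    assumption for older config layouts, at `tauri.bundle.targets`.
    """
    for root in (conf, conf.get("tauri", {})):
        bundle = root.get("bundle") if isinstance(root, dict) else None
        if isinstance(bundle, dict) and "targets" in bundle:
            t = bundle["targets"]
            # A single string is accepted as well as a list of strings.
            return [t] if isinstance(t, str) else list(t)
    return None


def appimage_findings(conf_text: str) -> list[str]:
    """Return reasons this config could build an AppImage (empty = OK)."""
    targets = bundle_targets(json.loads(conf_text))
    if targets is None:
        # Assumption: an unset target list falls back to "all".
        return ["bundle.targets is unset; pin it explicitly (e.g. deb, rpm)"]
    return [f"bundle.targets contains {t!r}" for t in targets
            if str(t).lower() in RISKY]


# Constructed sample configs, not the project's real tauri.conf.json.
SAFE = '{"bundle": {"targets": ["deb", "rpm"]}}'
REGRESSED = '{"bundle": {"targets": ["deb", "rpm", "appimage"]}}'
CATCH_ALL = '{"bundle": {"targets": "all"}}'
UNSET = '{"bundle": {"active": true}}'

if __name__ == "__main__":
    for name, text in [("safe", SAFE), ("regressed", REGRESSED),
                       ("catch-all", CATCH_ALL), ("unset", UNSET)]:
        print(name, "->", appimage_findings(text) or "ok")
```

Run as a blocking CI step, a non-empty result would stop the config from drifting back to a target whose bundle lacks the keyring backend.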
Reference: maximus/Simpl-Resultat#84