chore: Trufflehog and workflow hardening#87
Conversation
Removes .build/checkouts entries (Sparkle, swift-syntax, swift-testing) that were incorrectly tracked as gitlinks. These are SPM build artifacts that should be in .gitignore.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (20)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
codeant-ai
Bot
added
the
size:L
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request establishes core project scaffolding by adding essential configuration files such as .dockerignore, .editorconfig, .gitattributes, and .pre-commit-config.yaml, alongside documentation updates and the addition of an MIT license. Feedback suggests refining the .dockerignore file to eliminate redundant entries and include lock files to ensure reproducible Docker builds. Furthermore, pinning pre-commit hooks to specific commit SHAs is recommended to enhance CI/CD security.
| target/ | ||
| dist/ | ||
| build/ | ||
| *.o | ||
| *.a | ||
| *.so | ||
| # IDE | ||
| .vscode/ | ||
| .idea/ | ||
| *.swp | ||
| .DS_Store | ||
| # Test/nested | ||
| **/node_modules | ||
| **/target | ||
| **/.pytest_cache | ||
| **/__pycache__ | ||
| **/*.test | ||
| **/tests/ | ||
| # Logs | ||
| *.log | ||
| **/*.log | ||
| # Coverage reports | ||
| coverage/ | ||
| .coverage | ||
| *.coverage | ||
| # Python virtual environments | ||
| venv/ | ||
| env/ | ||
| virtualenv/ | ||
| # npm/yarn | ||
| package-lock.json | ||
| yarn.lock | ||
| pnpm-lock.yaml | ||
| # Rust | ||
| **/.cargo | ||
| **/Cargo.lock | ||
| # Go | ||
| go.sum | ||
| vendor/ | ||
| go-build/ | ||
| # Java | ||
| *.class | ||
| **/.gradle | ||
| **/build/ | ||
| **/target/ | ||
| **/.maven/ | ||
| # Node.js | ||
| .next/ | ||
| .nuxt/ | ||
| /.output/ | ||
| .dist/ | ||
| # TypeScript | ||
| **/tsconfig.tsbuildinfo | ||
| # Docker compose | ||
| docker-compose.override.yml | ||
| # Local dev files | ||
| local.env | ||
| .env.local |
There was a problem hiding this comment.
The .dockerignore file contains several redundant entries and ignores critical lock files.
- Redundancy:
target/(line 7) and**/target/(line 51) are redundant given**/target(line 20). Similarly,build/(line 9) and**/build/(line 50) overlap..env.localandlocal.env(lines 63-64) are already covered by the wildcard.env*on line 4. - Lock Files: Ignoring lock files like
package-lock.json,yarn.lock,Cargo.lock, andgo.sum(lines 37-44) is generally discouraged for Docker builds as it prevents reproducible dependency resolution within the container. It is recommended to include these files to ensure the same dependency versions are used in all environments.
|
|
||
| repos: | ||
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||
| rev: v5.0.0 |
There was a problem hiding this comment.
To align with the 'workflow hardening' goal mentioned in the PR description, consider pinning the pre-commit hooks to a specific commit SHA rather than a tag like v5.0.0. Tags are mutable and can be updated to point to different commits, whereas SHAs provide a cryptographic guarantee of the code being executed, which is a standard security best practice for CI/CD pipelines.
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| MIT License | ||
|
|
||
| Copyright (c) 2024 Koosha Pari |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The repository now includes an MIT LICENSE file, but README.md and CLAUDE.md still describe the project license as Apache-2.0 and even say "Apache-2.0. See LICENSE", creating conflicting and ambiguous licensing terms.
Suggestion: Align all license declarations in this PR by updating README.md and CLAUDE.md (or adjusting LICENSE) so that there is a single, consistent authoritative license statement for the repository.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** LICENSE
**Line:** 1:3
**Comment:**
*HIGH: The repository now includes an MIT LICENSE file, but README.md and CLAUDE.md still describe the project license as Apache-2.0 and even say "Apache-2.0. See LICENSE", creating conflicting and ambiguous licensing terms.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Deleted
deny.tomlbreaks the cargo-deny CI workflow- Restored the deny.toml configuration file with all advisory ignores, license allow-list, and bans/sources policies to prevent cargo-deny workflow failures.
Or push these changes by commenting:
@cursor push f23c672698
Preview (f23c672698)
diff --git a/deny.toml b/deny.toml
new file mode 100644
--- /dev/null
+++ b/deny.toml
@@ -1,0 +1,67 @@
+[advisories]
+ignore = [
+ # gtk-rs GTK3 - hwledger-ui desktop display; no GTK4 replacement path
+ { id = "RUSTSEC-2024-0411", reason = "gtk-rs GTK3 bindings - hwledger-ui desktop GUI" },
+ { id = "RUSTSEC-2024-0414", reason = "gtk-rs GTK3 bindings - same" },
+ { id = "RUSTSEC-2024-0415", reason = "gtk-rs GTK3 bindings - same" },
+ { id = "RUSTSEC-2024-0417", reason = "gtk-rs GTK3 bindings - same" },
+ { id = "RUSTSEC-2024-0419", reason = "gtk-rs GTK3 bindings - same" },
+ { id = "RUSTSEC-2024-0420", reason = "gtk-rs GTK3 bindings - same" },
+ # dev/test only - via Tauri bundler / wiremock
+ { id = "RUSTSEC-2024-0384", reason = "instant dev-only via Tauri bundler test fixtures" },
+ { id = "RUSTSEC-2025-0134", reason = "rustls-pemfile dev-only via reqwest test deps" },
+ # tracing-subscriber transitive
+ { id = "RUSTSEC-2024-0370", reason = "atty transitive through tracing-subscriber" },
+ # Tauri v2 chain - no safe upgrade without breaking tauri v2
+ { id = "RUSTSEC-2025-0075", reason = "tarpc transitive through Tauri v2 chain" },
+ { id = "RUSTSEC-2025-0080", reason = "winapi transitive through Tauri v2 chain" },
+ { id = "RUSTSEC-2025-0081", reason = "winapi transitive through Tauri v2 chain" },
+ { id = "RUSTSEC-2025-0098", reason = "parking_lot transitive through Tauri v2 deps" },
+ { id = "RUSTSEC-2025-0100", reason = "parking_lot transitive through Tauri v2 deps" },
+ { id = "RUSTSEC-2025-0119", reason = "tiny_http transitive through Tauri v2 dev-deps" },
+ # Additional gtk-rs / Tauri transitive advisories
+ { id = "RUSTSEC-2024-0375", reason = "atty transitive through tracing-subscriber, no upgrade path" },
+ { id = "RUSTSEC-2024-0412", reason = "gtk-rs GTK3 bindings - same as other gtk-rs ignores" },
+ { id = "RUSTSEC-2024-0413", reason = "gtk-rs GTK3 bindings - same" },
+ { id = "RUSTSEC-2024-0416", reason = "gtk-rs GTK3 bindings - same" },
+ { id = "RUSTSEC-2024-0418", reason = "gtk-rs GTK3 bindings - same" },
+ { id = "RUSTSEC-2025-0012", reason = "backoff transitive through Tauri plugin chain" },
+ { id = "RUSTSEC-2025-0057", reason = "fxhash transitive through Tauri v2 chain, no upgrade path" },
+ # old/unmaintained - no active exploit surface
+ { id = "RUSTSEC-2023-0071", reason = "old serde-yaml dep, hwLedger does not parse untrusted YAML" },
+ { id = "RUSTSEC-2017-0008", reason = "old time crate dep, no active use in hot path" },
+]
+db-path = "$CARGO_HOME/advisory-db"
+
+[licenses]
+version = 2
+allow = [
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "BSD-3-Clause-Clear",
+ "CC0-1.0",
+ "CC-BY-SA-4.0",
+ "GPL-3.0-only",
+ "ISC",
+ "MIT",
+ "MPL-2.0",
+ "Unicode-3.0",
+ "Unicode-DFS-2016",
+ "Zlib",
+ "0BSD",
+ "BlueOak-1.0.0",
+ "CDLA-Permissive-2.0",
+ "Unlicense",
+ "WTFPL",
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "warn"
+
+[sources]
+unknown-git = "deny"
+unknown-registry = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 2f0e13b. Configure here.
|
|
||
| - name: Run cargo-deny | ||
| uses: EmbarkStudios/cargo-deny-action@v2 | ||
| uses: EmbarkStudios/cargo-deny-action@91bf2b620e09e18d6eb78b92e7861937469acedb # v6 |
There was a problem hiding this comment.
Deleted deny.toml breaks the cargo-deny CI workflow
High Severity
The entire deny.toml configuration file was deleted, but the cargo-deny.yml workflow still exists and runs EmbarkStudios/cargo-deny-action. Without this config file, cargo-deny loses ~20+ advisory ignores for known transitive vulnerabilities (gtk-rs, Tauri, tracing-subscriber), the license allow-list, and the bans/sources policy. This will cause the cargo-deny CI job to fail on every run due to the previously-suppressed advisories.
Reviewed by Cursor Bugbot for commit 2f0e13b. Configure here.
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s security posture by pinning GitHub Actions to commit SHAs, tightening workflow permissions, and adding several repository hygiene/config files (pre-commit, EditorConfig, attributes/ignore rules, and governance docs).
Changes:
- Pin multiple GitHub Actions to specific commit SHAs and add/adjust workflow permissions.
- Add repo hygiene/config files (.editorconfig, .gitattributes, .dockerignore, pre-commit config, issue template config).
- Update security/docs content and add a LICENSE file.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| SECURITY.md | Updates the vulnerability reporting link. |
| README.md | Adjusts documentation references/wording and removes some links. |
| LICENSE | Adds an MIT license text file. |
| docs/governance/site-infrastructure.md | Adds a short note describing site hosting/mirroring. |
| deny.toml | Removes the cargo-deny configuration file. |
| .pre-commit-config.yaml | Adds basic pre-commit hooks (format/safety checks). |
| .github/workflows/trufflehog.yml | Pins action SHAs and adds minimal permissions. |
| .github/workflows/scorecard.yml | Pins action SHAs for scorecard + SARIF upload. |
| .github/workflows/codeql.yml | Pins CodeQL action SHAs. |
| .github/workflows/codeql-rust.yml | Pins CodeQL action SHAs for Rust autobuild workflow. |
| .github/workflows/cargo-deny.yml | Pins action SHAs and adds read-only contents permission. |
| .github/workflows/cargo-audit.yml | Pins action SHAs for cargo-audit workflow. |
| .github/ISSUE_TEMPLATE/config.yml | Adds issue template configuration with a contact link. |
| .gitattributes | Adds text/binary handling and diff settings. |
| .editorconfig | Adds editor formatting rules. |
| .dockerignore | Adds docker build context exclusions. |
Comments suppressed due to low confidence (2)
README.md:9
- README.md references PLAN.md (roadmap/component map/math rationale), but there is no PLAN.md in the repository root. Either add the referenced file or update these references to point to the correct existing documentation path.
**Status:** pre-alpha, Phase 0 bootstrap. See PLAN.md for the implementation roadmap.
README.md:55
- This references docs-site/getting-started/, but there is no docs-site/ directory in the repository. Please update the path to the actual docs location (e.g., under docs/) or add the missing docs-site content so the guidance isn’t a dead end.
See docs-site/getting-started/ for ports, log locations, and troubleshooting (FFI auto-build, Swift "engine missing" sheet, streamlit hot-reload).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| MIT License | ||
|
|
||
| Copyright (c) 2024 Koosha Pari | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
| **Status:** pre-alpha, Phase 0 bootstrap. See [PLAN.md](./PLAN.md) for the implementation roadmap. | ||
| **Status:** pre-alpha, Phase 0 bootstrap. See PLAN.md for the implementation roadmap. | ||
|
|
||
| hwLedger is an Apache-2.0 desktop app + agent/server pair that: |
| Please report security vulnerabilities via GitHub Security Advisories: | ||
|
|
||
| - Open a [private security advisory](../../security/advisories/new) | ||
| - Open a [private security advisory](https://github.com/KooshaPari/hwLedger/security/advisories/new) |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} |
| - name: Run cargo-deny | ||
| uses: EmbarkStudios/cargo-deny-action@v2 | ||
| uses: EmbarkStudios/cargo-deny-action@91bf2b620e09e18d6eb78b92e7861937469acedb # v6 | ||
| with: | ||
| rust-version: stable |
Code Review SummaryStatus: Issues Found | Recommendation: Address before merge Overview
Issue Details (click to expand)CRITICAL
SUGGESTION
Other Observations (not in diff)Issues found in unchanged code that cannot receive inline comments:
Files Reviewed (12 files)
Reviewed by laguna-m.1-20260312:free · 379,849 tokens |
User description
Pinned trufflehog action SHA, hardened workflow permissions, added security blocks.
Note
Medium Risk
Mostly CI/security hardening (pinned action SHAs and tighter workflow permissions), but these changes can break or alter security scanning/CI behavior (e.g., cargo-deny config removal).
Overview
Hardens the repo’s security/CI posture by pinning GitHub Actions to specific SHAs (CodeQL, Scorecard, cargo-audit, cargo-deny, TruffleHog) and tightening permissions (notably adding explicit
contents: readand workflow-level permissions where missing).Adds baseline repo hygiene/config files (
.dockerignore,.editorconfig,.gitattributes,.pre-commit-config.yaml, issue template config) and small docs updates (README link cleanup, SECURITY advisory link), plus adds an MITLICENSEand removesdeny.toml.Reviewed by Cursor Bugbot for commit 2f0e13b. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Harden repository checks and clean up tracked build artifacts
What Changed
deny.toml, so the Rust license/advisory deny workflow is no longer part of the repoImpact
✅ Fewer CI surprises from upstream action changes✅ Cleaner repository history and smaller checkouts✅ Clearer security and contribution guidance💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.