Skip to content

fix(ci): unblock OSV (paste unmaintained) + silence Vercel rate-limit status#81

Merged
qnbs merged 1 commit into
mainfrom
ci/osv-paste-vercel-silent
Jun 3, 2026
Merged

fix(ci): unblock OSV (paste unmaintained) + silence Vercel rate-limit status#81
qnbs merged 1 commit into
mainfrom
ci/osv-paste-vercel-silent

Conversation

@qnbs

@qnbs qnbs commented Jun 3, 2026

Copy link
Copy Markdown
Owner

User description

Why

Two CI-infra issues are blocking the open Dependabot PRs (#74–#80):

  1. RUSTSEC-2024-0436 (paste 1.0.15 β€” unmaintained) was newly published in the OSV DB and now fails the required Security Audit (OSV) check on every branch β€” first surfaced on the cargo PR build(deps): bump log from 0.4.30 to 0.4.31 in /src-tauriΒ #78. paste is a build-time proc-macro helper: no runtime exposure, no CVSS, no fix release (1.0.15 is final). Added to src-tauri/osv-scanner.toml with the same justified pattern already used for proc-macro-error, unic-*, and the GTK3 bindings.
  2. Vercel preview deployments hit the free-tier 24h rate limit and post a red "fail" status on PRs. Vercel was never a required status check (required = Security Audit, Build, Quality Gate 22/24), so it never actually blocked merges β€” but to remove the cosmetic hard-fail noise, vercel.json now sets "github": { "silent": true }: deployments still run, no commit statuses/comments are posted.

Effect

  • Unblocks the required Security Audit on all branches (incl. the Dependabot PRs once rebased onto main).
  • Removes the Vercel rate-limit red-X noise on PRs without disabling deployment.

πŸ€– Generated with Claude Code


CodeAnt-AI Description

Unblock security checks and remove noisy Vercel PR failures

What Changed

  • The required Security Audit check no longer fails on the newly published paste advisory, which unblocks affected branches and Dependabot PRs.
  • Vercel preview deployments still run, but they no longer post red failure statuses or comments when the free-tier rate limit is hit.
  • The changelog now records both CI fixes under the unreleased section.

Impact

βœ… Fewer blocked dependency updates
βœ… Fewer false PR failures
βœ… Cleaner CI status on pull requests

πŸ’‘ Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

… status

Two CI-infra fixes that were blocking the open Dependabot PRs:

1. RUSTSEC-2024-0436 (`paste` 1.0.15 β€” unmaintained) was newly published and now
   fails the required Security Audit (OSV) on every branch (surfaced on cargo PR
   #78). `paste` is a build-time proc-macro helper with no runtime exposure and
   no fix release β€” added to src-tauri/osv-scanner.toml with the same justified
   pattern as proc-macro-error / unic-* / the GTK3 bindings.

2. Vercel preview deployments hit the free-tier 24h rate limit and reported a
   red "fail" status on PRs. Vercel was never a required check (so it never
   actually blocked merges), but to remove the cosmetic hard-fail noise,
   vercel.json now sets `github.silent: true` β€” deployments still run, but no
   commit statuses/comments are posted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@codeant-ai

codeant-ai Bot commented Jun 3, 2026

Copy link
Copy Markdown

CodeAnt AI is reviewing your PR.


Thanks for using CodeAnt! πŸŽ‰

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X Β·
Reddit Β·
LinkedIn

@vercel

vercel Bot commented Jun 3, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
storycraft-studio Ready Ready Preview, Comment Jun 3, 2026 5:48pm

@codeant-ai codeant-ai Bot added the size:S This PR changes 10-29 lines, ignoring generated files label Jun 3, 2026
@codeant-ai

codeant-ai Bot commented Jun 3, 2026

Copy link
Copy Markdown

CodeAnt AI finished reviewing your PR.

@qnbs
qnbs enabled auto-merge (squash) June 3, 2026 17:53
@qnbs
qnbs disabled auto-merge June 3, 2026 17:54
@qnbs
qnbs enabled auto-merge (squash) June 3, 2026 18:06
@qnbs qnbs self-assigned this Jun 3, 2026
@qnbs
qnbs merged commit 6e5f408 into main Jun 3, 2026
16 checks passed
@qnbs
qnbs deleted the ci/osv-paste-vercel-silent branch June 3, 2026 18:09
qnbs added a commit that referenced this pull request Jun 3, 2026
Dependabot's react group PR (#79) bumped only react-dom (19.2.6 β†’ 19.2.7) and
left react at 19.2.6. That version skew breaks @testing-library rendering β€”
every hook/component test file failed to collect ("0 test") in the Quality Gate.
React and react-dom are released in lockstep and must match: bump both to 19.2.7.

Rebuilt on current main, so it also inherits the RUSTSEC-2024-0436 paste-ignore
(Security Audit) from #81.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
qnbs added a commit that referenced this pull request Jun 3, 2026
Dependabot's react group PR (#79) bumped only react-dom (19.2.6 β†’ 19.2.7) and
left react at 19.2.6. That version skew breaks @testing-library rendering β€”
every hook/component test file failed to collect ("0 test") in the Quality Gate.
React and react-dom are released in lockstep and must match: bump both to 19.2.7.

Rebuilt on current main, so it also inherits the RUSTSEC-2024-0436 paste-ignore
(Security Audit) from #81.

Co-authored-by: qnbs <155236708+qnbs@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:S This PR changes 10-29 lines, ignoring generated files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant