Skip to content

v0.1.1

Choose a tag to compare

@github-actions github-actions released this 06 Apr 06:32

Notepatra v0.1.1 — bug fixes

Bug-fix release. Fixes the issues users hit on the v0.1.0 binaries — same features, same shortcuts, same APIs, just things actually working everywhere now.

Fixed

🪟 Windows: Markdown / SQL / JSON files now have syntax highlighting

Problem: The v0.1.0 Windows binary used a third-party CMake wrapper around the QScintilla source. The wrapper was missing the Lexilla bindings, leaving every QScintilla lexer class as a runtime no-op stub. Opening a .md, .sql, or .json file produced no highlighting at all.

Fix: The Windows CI now builds QScintilla 2.14.1 from Riverbank Computing's official source via qmake + nmake — the same source path that Linux (apt package) and macOS (Homebrew brew install qt@5 + source-built QScintilla) use. The Windows build now also runs the same test_lexers smoke test that Linux and macOS run, which instantiates every QsciLexer used by Notepatra and asserts each one produces non-empty styling. Any future stub-lexer regression on any platform will fail CI loudly with the lexer name.

🪟 Windows: notepatra.exe now has an embedded icon

Problem: v0.1.0 shipped without resources/notepatra.rc and resources/notepatra.ico, so MSVC's resource compiler had nothing to embed. Windows Explorer showed the generic "exe" icon for installed Notepatra.

Fix: Added a multi-resolution notepatra.ico (16/24/32/48/64/128/256) generated from notepatra-256.png, plus a notepatra.rc resource script with IDI_ICON1 ICON directive and full Windows VERSIONINFO (CompanyName, FileDescription, LegalCopyright, ProductVersion). Right-click notepatra.exe → Properties → Details now shows real metadata.

🍎 macOS: Notepatra.app now has an embedded icon

Problem: Same root cause — resources/notepatra.icns didn't exist, so macOS bundled Notepatra.app with the default app icon.

Fix: Generated a proper notepatra.icns with all required Apple icon sizes (16/32/128/256/512/1024) plus retina @2x variants. CMakeLists.txt was already wired to embed it; now it has something to embed.

🐧 Linux: launcher icon now resolves through hicolor theme

Problem: v0.1.0's install.sh set Icon=accessories-text-editor in the desktop entry, so launchers showed a generic editor icon.

Fix: install.sh now downloads the Notepatra PNGs into ~/.local/share/icons/hicolor/<size>x<size>/apps/notepatra.png for sizes 16/32/48/64/128/256 and runs gtk-update-icon-cache. The desktop entry now uses Icon=notepatra which resolves through the hicolor theme search path. Bonus: the desktop entry got GenericName, StartupWMClass, more Categories, more MimeType entries, and Keywords for better launcher search.

📝 JSON files with CRLF line endings were misclassified as JavaScript

Problem: editor.cpp had a CRLF-blind heuristic: trimmed.startsWith("{\n"). On Windows, JSON files almost always have CRLF line endings, so the second character is \r not \n. Every Windows JSON file was being misclassified and falling back to the JavaScript lexer.

Fix: New CRLF-agnostic heuristic. trimmed() already strips \r and \n, so just check whether the first non-whitespace char is { or [ and whether anything quoted appears in the first 200 chars. Works correctly on LF, CRLF, BOM, and indented JSON alike.

📝 CoffeeScript / Diff lexers — minor cleanup

  • Empty #ifdef HAS_LEXER_COFFEESCRIPT block in editor.cpp had no body — added the missing QsciLexerCoffeeScript instantiation that should have been there.
  • The Diff lexer was wrapped in #ifdef HAS_LEXER_D (the D language guard) — removed the incorrect wrap. qscilexerdiff.h is unconditionally included at the top of editor.cpp, so the wrap was both wrong AND preventing Diff highlighting.

Added (since v0.1.0)

🛡️ SECURITY.md + RFC 9116 security.txt

Notepatra now has a documented vulnerability disclosure path:

  • SECURITY.md — full policy, threat model, verification guide, what's done and what's honestly not yet
  • /.well-known/security.txt — RFC 9116 contact + canonical + policy
  • Private vulnerability reporting via GitHub Security Advisories

🔐 Supply chain hardening for releases

Every release artifact (this one and all future) now ships with three independent integrity checks:

  1. SHA-256 checksumsSHA256SUMS file alongside the binaries. install.sh and install.ps1 verify automatically and refuse to install on mismatch.
  2. Cosign signatures — keyless OIDC signing via Sigstore, certs recorded in the public Rekor transparency log. Verifies that the binary was built by the official singhpratech/notepatra GitHub Actions workflow.
  3. SLSA build provenanceactions/attest-build-provenance cryptographically links each binary to the git commit + workflow file + runner that built it. Verify with gh attestation verify.

✅ Lexer smoke test in CI on every platform

test_lexers.cpp instantiates every QsciLexer used by Notepatra (21 of them), feeds each a sample document, runs the lexer, and asserts it produces ≥2 distinct styles. Stub lexers fail the test by name. Runs on Linux, macOS Apple Silicon, and Windows in every CI run.

✅ Windows runtime smoke test in CI

notepatra.exe --version actually runs in the Windows CI job after windeployqt + QScintilla DLL bundling. If any DLL is missing or wrong, the build fails before publishing.

🔍 CodeQL static analysis

New .github/workflows/codeql.yml runs CodeQL on the C++ source on every PR + weekly cron with the security-extended and security-and-quality query packs.

🤖 Dependabot

Weekly scans of /rust-core (cargo) and /.github/workflows/ (github-actions) for security and version updates.

🪪 Plain-English warranty disclaimer

The GPL-3.0 LICENSE file already had §15 (Disclaimer of Warranty) and §16 (Limitation of Liability) — the README and website footer now also surface them in plain English so users actually see them.

📜 Version history on the website

Notepatra.org has a new "Versions" section listing every release with dated highlights, just like Notepad++. Append-only — every future release adds a card.

Verifying this release

# Quick: verify SHA-256
sha256sum -c SHA256SUMS --ignore-missing

# Better: verify Sigstore signature
cosign verify-blob \
  --certificate-identity-regexp '^https://github.com/singhpratech/notepatra/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate notepatra-linux-x64.tar.gz.pem \
  --signature  notepatra-linux-x64.tar.gz.sig \
  notepatra-linux-x64.tar.gz

# Best: verify SLSA build provenance
gh attestation verify notepatra-linux-x64.tar.gz --owner singhpratech

Full guide in SECURITY.md.

Upgrading from v0.1.0

Re-run the same install command — install.sh / install.ps1 will fetch v0.1.1 and verify the SHA-256 before extracting.

# Linux / macOS
curl -fsSL https://notepatra.org/install.sh | sh

# Windows PowerShell
irm https://notepatra.org/install.ps1 | iex

Your settings, sessions, plugins, and recovery files are untouched.

Credits

Envisioned by Prateek Singh. Built by Claude.

GPL-3.0. No warranty (see LICENSE §15/§16).