From d10a3abacf089d3f8e1c2d8aeaaff66a9761ba29 Mon Sep 17 00:00:00 2001 From: Aditya Date: Mon, 29 Jun 2026 15:49:47 +0530 Subject: [PATCH] docs: consolidate and resolve merge formatting in audit logs and changelog --- AUDIT_LOG.md | 7 +++++-- CHANGELOG.md | 6 ++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/AUDIT_LOG.md b/AUDIT_LOG.md index e31d710..20e2bbb 100644 --- a/AUDIT_LOG.md +++ b/AUDIT_LOG.md 
@@ -11,11 +11,14 @@ This log tracks all significant changes, updates, and versions in the PaperCache 3. **VariableScope Unit Tests**: Created `src/lib/editor/VariableScope.test.ts` testing global/note scope merging and debounced regex mathematical expression parsing (`/var x = ...`) using fake timers. **Files changed:** `src-tauri/src/commands/shortcuts.rs`, `src/store/useTimerStore.ts`, `src/lib/editor/VariableScope.test.ts`, `AUDIT_LOG.md`, `CHANGELOG.md`. + +--- + ## 2026-06-29 (Security & Auto-Update Overhaul) -**Change:** fix(security): pin third-party GitHub Action references in release workflow to immutable SHA-1 digests; fix(updater): overhaul Tauri auto-update mechanism to emit granular status events and require user-triggered restarts +**Change:** fix(security): pin third-party GitHub Action references in release workflow to immutable SHA-1 digests, disable persisted checkout credentials, and pass stable toolchain selector; fix(updater): overhaul Tauri auto-update mechanism to emit granular status events and require user-triggered restarts **Details/Why:** -1. **Supply-Chain Security**: Pinned `actions/checkout`, `dtolnay/rust-toolchain`, `actions/setup-node`, and `tauri-apps/tauri-action` to immutable SHA-1 commit hashes in `.github/workflows/release.yml` to prevent supply-chain attacks. +1. **Supply-Chain & CI Security**: Pinned `actions/checkout`, `dtolnay/rust-toolchain`, `actions/setup-node`, and `tauri-apps/tauri-action` to immutable SHA-1 commit hashes in `.github/workflows/release.yml`. Disabled persisted checkout credentials (`persist-credentials: false`) so read-only clones do not store auth tokens. Explicitly passed `toolchain: stable` to `rust-toolchain` action since pinned SHA references do not inherit default branch selectors. 2. 
**Updater Artifact Configuration**: Enabled `"createUpdaterArtifacts": "v1Compatible"` in `tauri.conf.json` and added `updaterJsonPreferNsis: true` to `release.yml` to ensure manifest generation (`latest.json`) functions properly for both v1 and v2 clients. 3. **Event-Driven Update Flow**: Refactored `check_for_updates` in `system.rs` to emit `update-status` events (`checking`, `available`, `downloading`, `ready`, `error`, `up-to-date`) instead of executing opaque silent updates. Added a user-triggered `restart_app` command. 4. **Contextual UI Feedback**: Updated `Settings.tsx` button to display "Checking…" visual state with disabled interaction during update checks. Updated `App.tsx` to display a persistent toast notification when an update is downloaded and ready, featuring a prominent "Restart Now" button that calls `restart_app`. diff --git a/CHANGELOG.md b/CHANGELOG.md index d07c0f4..6d5be5c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,13 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -### Changed -- **Code Quality & Test Reliability**: Refactored global shortcut registration to remove duplicate event handling logic in the backend. Improved countdown timer cleanup reliability by properly tracking and clearing async timeouts when timers complete or are removed. Added comprehensive unit tests for inline DSL variable evaluation (`VariableScope`). ### Added - **Contextual Auto-Update UI**: When checking for updates in Settings, visual feedback is now displayed ("Checking…"). When an update is downloaded and ready, a persistent toast notification appears with a prominent "Restart Now" button so users can restart when convenient rather than experiencing unexpected application restarts. +### Changed +- **Code Quality & Test Reliability**: Refactored global shortcut registration to remove duplicate event handling logic in the backend. Improved countdown timer cleanup reliability by properly tracking and clearing async timeouts when timers complete or are removed. Added comprehensive unit tests for inline DSL variable evaluation (`VariableScope`). + ### Fixed - **Updater Artifact Manifest Generation**: Fixed an issue where auto-updates failed due to missing or improperly configured updater manifests (`latest.json`) in GitHub release assets. +- **CI Workflow Hardening**: Disabled persisted checkout credentials in GitHub Actions release workflow and explicitly specified the stable Rust toolchain selector. ## [v0.5.6] - 2026-06-28
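Review bot: in the AUDIT_LOG.md hunk, the rationale given for `toolchain: stable` ("pinned SHA references do not inherit default branch selectors") is loose and may lead a later maintainer to drop the input when bumping the pin; `dtolnay/rust-toolchain` reads the toolchain name from the `@ref` in the `uses:` line, so once that ref is a commit SHA there is no toolchain name to read and the `toolchain:` input is the only way to select one. Suggest stating it that way. Two further gaps in the same entry: it says the four actions are pinned to SHA-1 commit hashes but records neither the hashes nor the tags they resolve to, so a reviewer cannot check the pin against the intended release (list them as `<action>@<sha> # vX.Y.Z`, which is also the form the workflow should carry as a comment); and `persist-credentials: false` is only safe if no later step in `release.yml` writes back to the repository with `git push`. Nothing in the described flow does, since release publishing goes through the token passed to `tauri-apps/tauri-action` rather than the checkout credential, but the entry should say that this was checked.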
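Review bot: in the CHANGELOG.md hunk, the new `CI Workflow Hardening` bullet is filed under `### Fixed`, but it describes hardening rather than a bug fix, and it omits the main change named in the commit subject and in AUDIT_LOG.md: pinning `actions/checkout`, `dtolnay/rust-toolchain`, `actions/setup-node` and `tauri-apps/tauri-action` to commit SHAs. The Keep a Changelog layout this file follows (`## [Unreleased]`, `### Added`/`### Changed`/`### Fixed`) also provides a `### Security` section for exactly this; suggest moving the bullet there and completing it, e.g. `- **CI Workflow Hardening**: Pinned third-party GitHub Actions in the release workflow to immutable commit SHAs, disabled persisted checkout credentials, and explicitly selected the stable Rust toolchain.` Moving `### Changed` below `### Added` matches the Added/Changed/Fixed order that layout recommends, so that part of the hunk is fine.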