
Configure Renovate#19

Merged
Mehdi-Bl merged 5 commits into main from renovate/configure on Feb 8, 2026

Conversation

@Mehdi-Bl

@Mehdi-Bl Mehdi-Bl commented Feb 8, 2026


Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.


Detected Package Files

  • .github/workflows/release.yml (github-actions)
  • package.json (npm)

What to Expect

With your current configuration, Renovate will create 34 Pull Requests:

Update dependency electron to v40 [SECURITY]
  • Branch name: renovate/npm-electron-vulnerability
  • Merge into: main
  • Upgrade electron to ^40.0.0
Update actions/checkout action to v6
  • Schedule: ["at any time"]
  • Branch name: renovate/actions-checkout-6.x
  • Merge into: main
  • Upgrade actions/checkout to v6
Update actions/download-artifact action to v7
  • Schedule: ["at any time"]
  • Branch name: renovate/actions-download-artifact-7.x
  • Merge into: main
  • Upgrade actions/download-artifact to v7
Update actions/setup-node action to v6
  • Schedule: ["at any time"]
  • Branch name: renovate/actions-setup-node-6.x
  • Merge into: main
  • Upgrade actions/setup-node to v6
Update actions/upload-artifact action to v6
  • Schedule: ["at any time"]
  • Branch name: renovate/actions-upload-artifact-6.x
  • Merge into: main
  • Upgrade actions/upload-artifact to v6
Update dependency @electron/rebuild to v4
  • Schedule: ["at any time"]
  • Branch name: renovate/electron-rebuild-4.x
  • Merge into: main
  • Upgrade @electron/rebuild to ^4.0.0
Update dependency @headlessui/react to v2
  • Schedule: ["at any time"]
  • Branch name: renovate/headlessui-react-2.x
  • Merge into: main
  • Upgrade @headlessui/react to ^2.0.0
Update dependency @jest/globals to v30
  • Schedule: ["at any time"]
  • Branch name: renovate/jest-globals-30.x
  • Merge into: main
  • Upgrade @jest/globals to ^30.0.0
Update dependency @testing-library/react to v16
  • Schedule: ["at any time"]
  • Branch name: renovate/testing-library-react-16.x
  • Merge into: main
  • Upgrade @testing-library/react to ^16.0.0
Update dependency babel-jest to v30
  • Schedule: ["at any time"]
  • Branch name: renovate/babel-jest-30.x
  • Merge into: main
  • Upgrade babel-jest to ^30.0.0
Update dependency babel-loader to v10
  • Schedule: ["at any time"]
  • Branch name: renovate/babel-loader-10.x
  • Merge into: main
  • Upgrade babel-loader to ^10.0.0
Update dependency concurrently to v9
  • Schedule: ["at any time"]
  • Branch name: renovate/concurrently-9.x
  • Merge into: main
  • Upgrade concurrently to ^9.0.0
Update dependency cross-env to v10
  • Schedule: ["at any time"]
  • Branch name: renovate/cross-env-10.x
  • Merge into: main
  • Upgrade cross-env to ^10.0.0
Update dependency css-loader to v7
  • Schedule: ["at any time"]
  • Branch name: renovate/css-loader-7.x
  • Merge into: main
  • Upgrade css-loader to ^7.0.0
Update dependency electron-builder to v26
  • Schedule: ["at any time"]
  • Branch name: renovate/electron-builder-26.x
  • Merge into: main
  • Upgrade electron-builder to ^26.0.0
Update dependency electron-devtools-installer to v4
  • Schedule: ["at any time"]
  • Branch name: renovate/electron-devtools-installer-4.x
  • Merge into: main
  • Upgrade electron-devtools-installer to ^4.0.0
Update dependency electron-store to v11
  • Schedule: ["at any time"]
  • Branch name: renovate/electron-store-11.x
  • Merge into: main
  • Upgrade electron-store to ^11.0.0
Update dependency eslint to v10
  • Schedule: ["at any time"]
  • Branch name: renovate/eslint-10.x
  • Merge into: main
  • Upgrade eslint to ^10.0.0
Update dependency eslint-config-prettier to v10
  • Schedule: ["at any time"]
  • Branch name: renovate/eslint-config-prettier-10.x
  • Merge into: main
  • Upgrade eslint-config-prettier to ^10.0.0
Update dependency eslint-plugin-react-hooks to v7
  • Schedule: ["at any time"]
  • Branch name: renovate/eslint-plugin-react-hooks-7.x
  • Merge into: main
  • Upgrade eslint-plugin-react-hooks to ^7.0.0
Update dependency husky to v9
  • Schedule: ["at any time"]
  • Branch name: renovate/husky-9.x
  • Merge into: main
  • Upgrade husky to ^9.0.0
Update dependency jest to v30
  • Schedule: ["at any time"]
  • Branch name: renovate/jest-30.x
  • Merge into: main
  • Upgrade jest to ^30.0.0
Update dependency jest-environment-jsdom to v30
  • Schedule: ["at any time"]
  • Branch name: renovate/jest-environment-jsdom-30.x
  • Merge into: main
  • Upgrade jest-environment-jsdom to ^30.0.0
Update dependency lint-staged to v16
  • Schedule: ["at any time"]
  • Branch name: renovate/lint-staged-16.x
  • Merge into: main
  • Upgrade lint-staged to ^16.0.0
Update dependency minimatch to v10
  • Schedule: ["at any time"]
  • Branch name: renovate/minimatch-10.x
  • Merge into: main
  • Upgrade minimatch to ^10.0.0
Update dependency react to v19
  • Schedule: ["at any time"]
  • Branch name: renovate/react-19.x
  • Merge into: main
  • Upgrade react to ^19.0.0
Update dependency react-dom to v19
  • Schedule: ["at any time"]
  • Branch name: renovate/react-dom-19.x
  • Merge into: main
  • Upgrade react-dom to ^19.0.0
Update dependency react-router-dom to v7
  • Schedule: ["at any time"]
  • Branch name: renovate/react-router-dom-7.x
  • Merge into: main
  • Upgrade react-router-dom to ^7.0.0
Update dependency rimraf to v6
  • Schedule: ["at any time"]
  • Branch name: renovate/rimraf-6.x
  • Merge into: main
  • Upgrade rimraf to ^6.0.0
Update dependency sonarqube-scanner to v4
  • Schedule: ["at any time"]
  • Branch name: renovate/sonarqube-scanner-4.x
  • Merge into: main
  • Upgrade sonarqube-scanner to ^4.0.0
Update dependency style-loader to v4
  • Schedule: ["at any time"]
  • Branch name: renovate/style-loader-4.x
  • Merge into: main
  • Upgrade style-loader to ^4.0.0
Update dependency tailwindcss to v4
  • Schedule: ["at any time"]
  • Branch name: renovate/tailwindcss-4.x
  • Merge into: main
  • Upgrade tailwindcss to ^4.0.0
Update dependency webpack-cli to v6
  • Schedule: ["at any time"]
  • Branch name: renovate/webpack-cli-6.x
  • Merge into: main
  • Upgrade webpack-cli to ^6.0.0
Update softprops/action-gh-release action to v2
  • Schedule: ["at any time"]
  • Branch name: renovate/softprops-action-gh-release-2.x
  • Merge into: main
  • Upgrade softprops/action-gh-release to v2

🚸 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prHourlyLimit for details.


❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.


This PR has been generated by Renovate Bot.

Summary by Sourcery

Chores:

  • Introduce Renovate configuration file to manage automated updates for npm packages and GitHub Actions dependencies.

Summary by CodeRabbit

  • Chores
    • Added automated dependency management configuration.
    • Added an automated dependency review workflow to surface vulnerable or policy-violating dependencies on PRs.
    • Added a secret-scanning workflow to detect and report exposed secrets.
    • Added SBOM generation and upload for supply-chain visibility.
    • Added SonarCloud quality gate integration and CI test coverage reporting.
    • Updated release/build workflows for more consistent, reproducible artifact creation.

@sourcery-ai

sourcery-ai Bot commented Feb 8, 2026

Reviewer's Guide

Initial onboarding/configuration of Renovate to manage dependency updates for npm (package.json) and GitHub Actions workflows, via a new repository-level renovate.json configuration file using mostly default behavior and documented rate limiting.

File-Level Changes

Change: Add initial Renovate configuration to enable automated dependency update PRs.
Details:
  • Introduce a new renovate.json configuration file at the repo root to activate Renovate for this project.
  • Configure Renovate to scan detected package files (package.json and GitHub Actions workflow files) and generate individual upgrade pull requests for each dependency family.
  • Apply Renovate defaults for scheduling and grouping, including a documented limit of 2 new branches/PRs per hour to avoid overloading CI.
Files: renovate.json


@qodo-free-for-open-source-projects


Review Summary by Qodo

Add Renovate configuration for automated dependency updates

✨ Enhancement


Walkthroughs

Description
• Add Renovate configuration file for dependency updates
• Enable automated dependency management and security updates
• Configure Renovate bot to manage npm and GitHub Actions dependencies
Diagram
flowchart LR
  A["Project Root"] -- "adds configuration" --> B["renovate.json"]
  B -- "enables" --> C["Automated Dependency Updates"]
  C -- "manages" --> D["npm & GitHub Actions"]

File Changes

1. renovate.json ⚙️ Configuration changes +3/-0

Add Renovate configuration with schema

• Create new Renovate configuration file with schema reference
• Enable Renovate bot to manage project dependencies
• Configure automated updates for npm packages and GitHub Actions

renovate.json



@gemini-code-assist


Summary of Changes

Hello @Mehdi-Bl, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates and configures Renovate Bot, an automated dependency update tool, into the repository. The primary goal is to establish a system that automatically keeps project dependencies up-to-date, enhancing security, maintaining compatibility, and reducing the manual overhead associated with dependency management.

Highlights

  • Renovate Bot Integration: This pull request introduces Renovate Bot to the repository, setting up automated dependency management.
  • Initial Configuration: A renovate.json file has been added to provide the basic configuration for the bot, ensuring it adheres to project standards.
  • Automated Dependency Updates: The integration enables automatic detection and updating of dependencies across both npm packages and github-actions.


Changelog
  • renovate.json
    • Added a new configuration file to enable and define the initial settings for Renovate Bot.
Activity
  • Renovate Bot has been initiated with this onboarding pull request.
  • The bot has successfully identified github-actions and npm as package ecosystems within the repository to monitor for updates.
  • Renovate anticipates creating 34 subsequent pull requests to update various dependencies, including major version bumps for core components like electron, react, jest, webpack, and several GitHub Actions.
  • A rate limit has been configured to create a maximum of 2 branches per hour, preventing an overload of CI resources.

@coderabbitai

coderabbitai Bot commented Feb 8, 2026


Warning

Rate limit exceeded

@Mehdi-Bl has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 54 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Adds Renovate config and multiple GitHub Actions workflows for dependency review, secret scanning (Gitleaks), release builds, SBOM generation, and SonarCloud QA gating; updates release workflow to Node 20 and modifies build, artifact, and action pinning details.

Changes

Cohort | File(s) | Summary
Renovate Configuration | renovate.json | Adds Renovate configuration file with official Renovate schema reference.
Dependency Review Workflow | .github/workflows/dependency-review.yml | Adds a workflow to run the dependency-review Action on PRs targeting main and publish results to PR summary.
Gitleaks Secret Scan | .github/workflows/gitleaks.yml | Adds Gitleaks secret scanning workflow for pushes, PRs, and manual runs; writes/uploads report artifact and fails on detections.
Release Workflow | .github/workflows/release.yml | Overhauls release workflow: pins/changes several actions, moves Node to v20, switches to npm ci, adjusts artifacts (expanded patterns per OS), adds per-OS build steps and permission tweaks.
SBOM Generation | .github/workflows/sbom.yml | Adds workflow to generate CycloneDX SBOM via npm script and upload the SBOM artifact.
SonarCloud QA Gate | .github/workflows/sonarcloud.yml | Adds SonarCloud analysis and quality gate workflow; runs tests with coverage, uploads scan, and enforces quality gate.

Sequence Diagram(s)

sequenceDiagram
  participant PR as "GitHub PR / Push"
  participant Runner as "GitHub Actions Runner"
  participant Repo as "Repository"
  participant Node as "Node/npm (build & test)"
  participant Sonar as "SonarCloud"
  participant Gitleaks as "Gitleaks Action"
  participant DepRev as "Dependency Review"
  participant Artifacts as "Artifacts Storage"

  PR->>Runner: trigger workflows (dependency-review, gitleaks, sbom, sonarcloud, release)
  Runner->>Repo: checkout code
  Runner->>Node: install (npm ci) & run build/test/sbom
  Node-->>Runner: build artifacts & SBOM
  Runner->>Sonar: upload scan & coverage
  Runner->>Gitleaks: run secret scan -> produce report
  Runner->>DepRev: run dependency review -> publish PR summary
  Runner->>Artifacts: upload artifacts (release bundles, sbom, gitleaks-report)
  Sonar-->>Runner: quality gate result
  Gitleaks-->>Runner: scan result (fail if secrets)
  DepRev-->>PR: post dependency review summary
  Artifacts-->>PR: artifacts available for release

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through workflows, tidy and spry,
I chased down secrets and logged them with "why",
I built, I scanned, pushed SBOM with delight,
Renovate nudged versions into the light,
A rabbit's cheer for CI, clean and bright!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title 'Configure Renovate' directly corresponds to the main purpose of the PR, which adds Renovate configuration to enable automated dependency updates.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@sourcery-ai sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • The PR introduces renovate.json but the diff does not show any actual configuration; consider at least defining extends (e.g. "config:base") and any project-specific rules so Renovate behavior is explicit and reproducible.
  • Given that Renovate is about to open 30+ PRs, it may be useful to add packageRules to group related updates (e.g., React + react-dom, Jest-related packages, webpack loaders, GitHub Actions) to reduce noise and make upgrade testing easier.
  • If CI capacity or release cadence is a concern, consider configuring schedule and prConcurrentLimit/prHourlyLimit in renovate.json rather than relying only on defaults, so dependency update flow matches your team’s workflow.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a basic configuration for Renovate. While the configuration is valid, it will lead to a large number of individual pull requests for dependency updates. My review includes a suggestion to enhance the configuration by grouping related dependencies. This is a common best practice that will significantly reduce the number of pull requests and make them easier to manage.

Comment thread renovate.json
Comment on lines +1 to +3
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
}
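Review bot: with only `$schema` present nothing is extended, so every policy decision (grouping, rate limits, pinning) is left to Renovate's built-in defaults instead of being recorded in the repo. Add an `"extends"` array, at least `"config:recommended"`, and since `.github/workflows/release.yml` is one of the detected package files, consider `"helpers:pinGitHubActionDigests"` so third-party actions are referenced by commit SHA rather than a mutable major tag. The `renovate/npm-electron-vulnerability` branch is a security update and deserves a `vulnerabilityAlerts` rule (label, priority, no schedule) so it is not queued behind the other 33 PRs under the 2-per-hour limit.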


medium

The current Renovate configuration is very basic and will result in a large number of individual pull requests (34, as noted in the PR description), which can be overwhelming to manage.

To improve this, I suggest grouping related dependencies. This will consolidate updates for packages like Babel, Jest, ESLint, and GitHub Actions into single, more manageable PRs. Extending config:base is also a good practice for sensible defaults.

Here is a suggested configuration that implements these improvements:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "packageRules": [
    {
      "matchManagers": ["github-actions"],
      "groupName": "github actions"
    },
    {
      "matchPackageNames": ["/^@babel\\//"],
      "groupName": "babel"
    },
    {
      "matchPackageNames": ["/^@testing-library\\//"],
      "groupName": "testing-library"
    },
    {
      "matchPackageNames": ["/^eslint/"],
      "groupName": "eslint"
    },
    {
      "matchPackageNames": ["/^jest/", "/^@jest\\//", "babel-jest"],
      "groupName": "jest"
    }
  ]
}

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Feb 8, 2026


Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. Renovate PRs unvalidated 🐞 Bug ⛯ Reliability
Description
• The repo now contains renovate.json, which enables Renovate-driven dependency update PRs, but
  the existing GitHub Actions workflow shown triggers only on tag pushes and won’t validate pull
  requests.
• With dependencies like Electron/electron-builder in the toolchain, merging unvalidated dependency
  bumps can more easily break builds or runtime behavior.
Code

renovate.json[R1-3]

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}
Evidence
renovate.json enables Renovate configuration presence in the repo; meanwhile the only workflow
visible (release.yml) is configured to run on tag pushes only (no pull_request trigger), so it
won’t run against Renovate PRs. The repo’s dependency stack includes Electron/build tooling where
updates commonly need validation.

renovate.json[1-3]
.github/workflows/release.yml[1-7]
package.json[96-151]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Renovate will open dependency update PRs, but the repo’s GitHub Actions workflow shown runs only on tag pushes, meaning Renovate PRs won’t be validated by CI.
## Issue Context
The repo uses Electron and build tooling where dependency bumps can break builds/runtime.
## Fix Focus Areas
- .github/workflows/release.yml[1-7]
- renovate.json[1-3]


Remediation recommended

2. Empty Renovate configuration 🐞 Bug ⛯ Reliability
Description
• renovate.json contains only $schema and no explicit Renovate policy (no presets/extends, no PR
  limits, no grouping, no schedule, no major-update strategy).
• This leaves behavior to implicit defaults and can result in noisy PR creation and disruptive
  upgrades without repo-specific guardrails.
Code

renovate.json[R1-3]

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}
Evidence
The Renovate config file includes no configuration beyond $schema, so there are no
repository-specific constraints on update cadence/volume or update strategy, despite a non-trivial
dependency set.

renovate.json[1-3]
package.json[96-151]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`renovate.json` is effectively empty (only `$schema`), so Renovate will run without any repository-specific guardrails.
## Issue Context
The repo has a sizable dependency/tooling surface (Electron, electron-builder, webpack, eslint, etc.). Without grouping/limits/scheduling, Renovate can generate noisy PRs and propose disruptive updates.
## Fix Focus Areas
- renovate.json[1-3]


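The three reviews above (Sourcery, Gemini and Qodo) all ask for the same thing: an explicit Renovate policy instead of a bare `$schema`. The configuration below is an added example written for this page; it is not the project's renovate.json and not any reviewer's suggestion. It is written as renovate.json5, which Renovate also reads, so that assumptions can be marked in comments; strip the comments if you keep the renovate.json filename. The package names come from the onboarding list at the top of the thread; the group names, the weekly schedule, the limits, the release-age delay and the patch automerge rule are assumptions about how this project would want to run.

```json5
// Added example for this page (not the project's renovate.json, not a reviewer's suggestion).
// Written as renovate.json5, which Renovate reads as well, so assumptions can be commented.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",              // current name of the old config:base preset
    "helpers:pinGitHubActionDigests",  // rewrite uses: owner/action@tag to owner/action@<sha>
    ":dependencyDashboard"             // one issue that lists pending and rate-limited updates
  ],

  // Cadence and volume (assumptions): pick what the project's CI can absorb.
  "timezone": "UTC",
  "schedule": ["before 6am on monday"],
  "prHourlyLimit": 2,
  "prConcurrentLimit": 5,
  "minimumReleaseAge": "3 days",       // do not propose a release until it has been public 3 days

  // Vulnerability-driven PRs (e.g. the electron [SECURITY] update) bypass the weekly window.
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"],
    "prPriority": 10
  },

  "packageRules": [
    // Group names are assumptions; package names are taken from the onboarding list.
    {
      "matchManagers": ["github-actions"],
      "groupName": "github actions"
    },
    {
      "matchPackageNames": ["react", "react-dom", "react-router-dom"],
      "groupName": "react"
    },
    {
      "matchPackageNames": ["jest", "babel-jest", "jest-environment-jsdom",
                            "/^@jest\\//", "/^@testing-library\\//"],
      "groupName": "jest and testing-library"
    },
    {
      "matchPackageNames": ["/^eslint/", "/^webpack/", "/-loader$/", "prettier"],
      "groupName": "lint and build tooling"
    },
    {
      "matchPackageNames": ["electron", "electron-builder", "electron-store",
                            "electron-devtools-installer", "/^@electron\\//"],
      "groupName": "electron"
    },
    {
      // Automerge only patch bumps of packages already at >= 1.0.0, and only once a
      // pull_request-triggered CI job exists to gate the merge (assumption: it will be added).
      "matchUpdateTypes": ["patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true
    }
  ]
}
```

`config:recommended` is the current name of the `config:base` preset the reviews mention. `helpers:pinGitHubActionDigests` replaces each mutable `@v6`-style reference in the workflow files with a commit SHA and then keeps the SHA current, which is the property the Scorecard "Pinned-Dependencies" check measures. The automerge rule is only sensible after a `pull_request`-triggered workflow actually validates the branch, which Qodo's first finding says is not the case yet; with `ignoreTests` at its default Renovate waits for status checks before merging, so do not flip that option to work around the missing CI.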

@github-actions

github-actions Bot commented Feb 8, 2026


Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score
actions/SonarSource/sonarqube-quality-gate-action | cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b | 🟢 5.5

Check | Score | Reason
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Code-Review | 🟢 10 | all changesets reviewed
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Security-Policy | 🟢 10 | security policy file detected
Maintained | ⚠️ 0 | 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected
License | 🟢 10 | license file detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0

Package | Version | Score
actions/SonarSource/sonarqube-scan-action | a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 | 🟢 5.1

Check | Score | Reason
Maintained | ⚠️ 0 | 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Code-Review | 🟢 10 | all changesets reviewed
Packaging | ⚠️ -1 | packaging workflow not detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
License | 🟢 10 | license file detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Signed-Releases | ⚠️ -1 | no releases found
Vulnerabilities | 🟢 9 | 1 existing vulnerabilities detected
Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0

Package | Version | Score
actions/actions/checkout | de0fac2e4500dabe0009e67214ff5f5447ce83dd | 🟢 6.4

Check | Score | Reason
Code-Review | 🟢 10 | all changesets reviewed
Maintained | 🟢 5 | 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Fuzzing | ⚠️ 0 | project is not fuzzed
License | 🟢 10 | license file detected
Packaging | ⚠️ -1 | packaging workflow not detected
Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3
Signed-Releases | ⚠️ -1 | no releases found
Security-Policy | 🟢 9 | security policy file detected
Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches
Vulnerabilities | 🟢 7 | 3 existing vulnerabilities detected
SAST | 🟢 8 | SAST tool detected but not run on all commits

Package | Version | Score
actions/actions/setup-node | 6044e13b5dc448c55e2357c09f80417699197238 | 🟢 5.7

Check | Score | Reason
Code-Review | 🟢 10 | all changesets reviewed
Maintained | 🟢 8 | 10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
License | 🟢 10 | license file detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Binary-Artifacts | 🟢 9 | binaries present in source code
Packaging | ⚠️ -1 | packaging workflow not detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Signed-Releases | ⚠️ -1 | no releases found
Security-Policy | 🟢 9 | security policy file detected
Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches
SAST | 🟢 9 | SAST tool is not run on all commits -- score normalized to 9
Vulnerabilities | 🟢 4 | 6 existing vulnerabilities detected

Scanned Files

  • .github/workflows/sonarcloud.yml

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🤖 Fix all issues with AI agents
In @.github/workflows/dependency-review.yml:
- Around line 11-17: The workflow currently sets "pull-requests: write" at the
workflow-level permissions; move that permission into the dependency-review job
to follow least-privilege. Remove or change the top-level "pull-requests: write"
and add a permissions block under the "dependency-review" job with
"pull-requests: write" (keeping top-level contents: read), so only the job named
"dependency-review" has write access to pull-requests.

In @.github/workflows/release.yml:
- Around line 183-199: The three download steps ("Download Windows artifacts",
"Download Linux artifacts", "Download macOS artifacts") currently all use path:
artifacts causing later downloads to overwrite earlier ones; update each step to
write into separate OS-specific subdirectories (e.g., path: artifacts/windows,
artifacts/linux, artifacts/macos) so files don't collide, and leave the existing
artifacts/** release glob as-is so it still matches recursively; ensure the step
names and path values are the only changes.

In @.github/workflows/sonarcloud.yml:
- Around line 28-29: Replace the CI dependency step "Install dependencies" that
currently runs `npm install` with `npm ci` to ensure a clean, lockfile-based
install; update the step command in the "Install dependencies" job to `npm ci`
and ensure the repository includes a package-lock.json so the workflow uses the
lockfile for reproducible builds.
- Around line 1-15: Add a top-level permissions key to the workflow to constrain
the default token scope: add a top-level permissions: {} entry at the top of the
workflow file so the default GitHub token has no privileges, and leave the
existing job-level permissions under the sonarcloud job (permissions: contents:
read, pull-requests: write) intact; update the workflow so the top-level
permissions block is present and empty while job-level permissions continue to
grant only the minimum required rights.
- Around line 34-45: Replace the archived action usage with SonarSource's
supported action: update the step that currently "uses:
SonarSource/sonarcloud-github-action@..." (the "SonarCloud scan" step) to use
"SonarSource/sonarqube-scan-action@<latest-stable-tag>" instead, keeping the
same env entries (GITHUB_TOKEN, SONAR_TOKEN) and preserving the with.args block
(the -Dsonar.* properties and lcov path) so the SonarCloud/SonarQube scan
behavior remains identical; verify the chosen tag is a stable release and adjust
any action-specific input names if the new action requires them.
🧹 Nitpick comments (1)
.github/workflows/dependency-review.yml (1)

20-25: Pinned action SHAs — good hardening, but add version comments for maintainability.

The SHA pins are excellent for supply-chain security. Adding inline version comments (e.g., # v4.2.2) next to each uses: line makes it easier to identify which version is pinned and spot when Renovate proposes an update.

Example
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
 
-        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.x
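Review bot: the `# v4.x` comment on the dependency-review-action line should be the exact tag the SHA was taken from, not a range, and the `# v4.2.2` on the checkout line should be verified against that tag before it is committed. Renovate reads this trailing comment to know which version a SHA pin represents and rewrites it when it proposes an upgrade, so a vague or stale comment gives neither the tool nor a reader the information this nitpick is asking for.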

Comment thread .github/workflows/dependency-review.yml
Comment on lines 183 to 199
- name: Download Windows artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
with:
name: windows-artifacts
path: artifacts

- name: Download Linux artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
with:
name: linux-artifacts
path: artifacts

- name: Download macOS artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
with:
name: macos-artifacts
path: artifacts
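Review bot: the three `download-artifact` SHA pins introduced here carry no trailing version comment, so the file no longer says which release `37930b1c2abaa49bbe596cd826c3c89aef350131` corresponds to; the nitpick raised on dependency-review.yml applies equally to release.yml, and a `# vX.Y.Z` comment after each of these lines would keep the pin reviewable.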


⚠️ Potential issue | 🟠 Major

Potential artifact file overwrites — all OS artifacts downloaded to the same directory.

All three download-artifact steps write into path: artifacts without OS-specific subdirectories. If any files share the same name across platforms (e.g., blockmap files, or if electron-builder generates identically named latest.yml), later downloads silently overwrite earlier ones, and the release will be missing artifacts.

Consider downloading into OS-specific subdirectories:

Proposed fix
       - name: Download Windows artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: windows-artifacts
-          path: artifacts
+          path: artifacts/windows

       - name: Download Linux artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: linux-artifacts
-          path: artifacts
+          path: artifacts/linux

       - name: Download macOS artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: macos-artifacts
-          path: artifacts
+          path: artifacts/macos
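Review bot: per-OS subdirectories stop the download steps from overwriting each other, but they do not remove the collision the comment describes at the point that matters: GitHub release assets are a flat namespace, so two files that share a name (the `latest.yml` case mentioned above) would still conflict when `artifacts/**` is attached to the release. Either give such files platform-specific names in the build or in a step after the downloads, or collapse the three steps into one `download-artifact` step using `pattern: '*-artifacts'` with `merge-multiple: false`, which places each artifact in a subdirectory named after it (assuming the pinned SHA is a v4.1 or later release, where those inputs exist).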

The existing artifacts/** glob on line 208 would still match all files recursively.

🤖 Prompt for AI Agents
In @.github/workflows/release.yml around lines 183 - 199, The three download
steps ("Download Windows artifacts", "Download Linux artifacts", "Download macOS
artifacts") currently all use path: artifacts causing later downloads to
overwrite earlier ones; update each step to write into separate OS-specific
subdirectories (e.g., path: artifacts/windows, artifacts/linux, artifacts/macos)
so files don't collide, and leave the existing artifacts/** release glob as-is
so it still matches recursively; ensure the step names and path values are the
only changes.

Comment thread .github/workflows/sonarcloud.yml Outdated
Comment on lines +1 to +15
name: SonarCloud QA Gate

on:
workflow_dispatch:
pull_request:
push:
branches:
- main

jobs:
sonarcloud:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write


⚠️ Potential issue | 🟡 Minor

Add a top-level permissions: {} to restrict default token scope.

Without a top-level permissions key, the workflow inherits the repository's default token permissions (often broad). Adding permissions: {} at the workflow level and keeping the job-level grants ensures least-privilege. This also addresses the Zizmor warning about overly broad permissions.

Proposed fix
 on:
   workflow_dispatch:
   pull_request:
   push:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   sonarcloud:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
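Review bot: the Zizmor finding reported under Tools says `pull-requests: write` is set at workflow level, but this hunk shows it only at job level under `sonarcloud`; confirm which revision Zizmor scanned, because an empty top-level block fixes the inherited default but not a job-level write grant. Also check whether the scan step needs write on pull requests at all: `pull-requests: read` is enough to look up PR metadata, and write is only required if the workflow itself posts comments with the token.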
🧰 Tools
🪛 GitHub Actions: Required Workflow - Zizmor

[warning] 1-1: excessive-permissions: overly broad permissions at workflow level (pull-requests: write)

🤖 Prompt for AI Agents
In @.github/workflows/sonarcloud.yml around lines 1 - 15, Add a top-level
permissions key to the workflow to constrain the default token scope: add a
top-level permissions: {} entry at the top of the workflow file so the default
GitHub token has no privileges, and leave the existing job-level permissions
under the sonarcloud job (permissions: contents: read, pull-requests: write)
intact; update the workflow so the top-level permissions block is present and
empty while job-level permissions continue to grant only the minimum required
rights.

Comment on lines +28 to +29
- name: Install dependencies
run: npm install


🛠️ Refactor suggestion | 🟠 Major

Use npm ci instead of npm install for reproducible CI builds.

All other workflows in this PR (sbom.yml, release.yml) use npm ci. This should be consistent — npm ci ensures a clean, lockfile-based install.

Proposed fix
       - name: Install dependencies
-        run: npm install
+        run: npm ci
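Review bot: `npm ci` exits non-zero when package-lock.json is missing or out of sync with package.json, so this change should land together with a committed, current lockfile; the sbom.yml and release.yml workflows cited above already depend on that being true, which makes this the right time to verify it.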
🤖 Prompt for AI Agents
In @.github/workflows/sonarcloud.yml around lines 28 - 29, Replace the CI
dependency step "Install dependencies" that currently runs `npm install` with
`npm ci` to ensure a clean, lockfile-based install; update the step command in
the "Install dependencies" job to `npm ci` and ensure the repository includes a
package-lock.json so the workflow uses the lockfile for reproducible builds.
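The four points raised in this review (no top-level `permissions`, actions not pinned by SHA or pinned without a version comment, `npm install` in CI, and several `download-artifact` steps sharing one `path`) can be checked mechanically before a workflow is merged. The following added example is not code from the PR or from CodeRabbit; it is a stdlib-only, line-based audit run over a constructed `SAMPLE` workflow that reproduces each finding.

```python
# Added example, not code from the PR or from CodeRabbit: a stdlib-only, line-based
# audit for the hardening points raised in this review, run on a constructed SAMPLE.
import re
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+?)@(\S+)")

def audit_workflow(text):
    lines, findings = text.splitlines(), []
    # Only a column-0 permissions key restricts the default token; job-level grants do not.
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("no top-level permissions key; add 'permissions: {}'")
    download_paths, action = {}, None  # path -> first line using it; current step's action
    for n, ln in enumerate(lines, 1):
        if re.match(r"^\s*-\s", ln):
            action = None  # a new list item starts a new step
        m = USES_RE.match(ln)
        if m:
            action, ref = m.groups()
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                findings.append(f"line {n}: {action} not pinned to a commit SHA ({ref})")
            elif not re.search(r"#\s*v?\d", ln):
                findings.append(f"line {n}: {action} SHA pin lacks a '# vX.Y.Z' comment")
            continue
        m = re.match(r"^\s*-?\s*run:\s*(.+)", ln)
        if m and re.search(r"\bnpm install\b", m.group(1)):
            findings.append(f"line {n}: 'npm install' in CI; use 'npm ci' (lockfile-based)")
        m = re.match(r"^\s*path:\s*(\S+)", ln)
        if m and action and action.endswith("download-artifact"):
            p = m.group(1)
            if p in download_paths:
                findings.append(f"line {n}: download path {p!r} reused from line {download_paths[p]}; files may overwrite")
            download_paths.setdefault(p, n)
    return findings

SAMPLE = """\
jobs:
  release:
    permissions: {contents: read}
    steps:
      - uses: actions/checkout@v4
      - run: npm install
      - name: Download Windows artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          path: artifacts
      - name: Download Linux artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          path: artifacts
"""
```

`audit_workflow(SAMPLE)` returns six findings, one per issue planted in the sample, and an empty list for a workflow with `permissions: {}`, SHA pins with version comments and `npm ci`.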

@Mehdi-Bl Mehdi-Bl merged commit c78d123 into main Feb 8, 2026
10 checks passed
@Mehdi-Bl Mehdi-Bl deleted the renovate/configure branch February 8, 2026 06:27