chore(ci): bump github/codeql-action from 3.35.2 to 4.35.2#14
Closed
dependabot[bot] wants to merge 31 commits into
Closed
chore(ci): bump github/codeql-action from 3.35.2 to 4.35.2#14dependabot[bot] wants to merge 31 commits into
dependabot[bot] wants to merge 31 commits into
Conversation
Complete Office document processing suite: docx, xlsx, pptx parsers with CLI, MCP server, Python and WASM bindings.
Pure Rust parsers for pre-OOXML Microsoft Office binary formats: - cfb_oxide: OLE2/CFBF container reader (foundation for all legacy formats) - doc_oxide: Word Binary (.doc) — FIB, piece table, text extraction, images - xls_oxide: Excel Binary BIFF8 (.xls) — SST, cell records, sheets, images - ppt_oxide: PowerPoint Binary (.ppt) — record tree, text atoms, images Key features: - OfficeDocument trait in office_core for unified API across all 6 formats - Image extraction (JPEG/PNG/EMF/WMF) via shared BLIP parser in cfb_oxide - Magic-byte sniffing: auto-routes mislabeled files (.doc→DOCX, .docx→DOC) - FILEPASS detection for encrypted XLS files (early exit) - Single-pass BIFF parsing, sparse grid builder, BIFF5 fast path Benchmarked on 6,062 files from 11 open-source test suites: - Fastest and highest pass rate across all 6 formats - .xls: 1.5ms mean, 99.2% pass (vs calamine 9.0ms/90.7%, xlrd 36.6ms/93.1%) - .doc: 0.1ms mean, 94.7% pass (vs catdoc 4.3ms/90.2%) - .ppt: 0.3ms mean, 100% pass (vs catppt 2.8ms/77.8%) - .docx: 1.8ms mean, 98.5% (vs python-docx 11.8ms/95.1%) - .xlsx: 11.1ms mean, 97.8% (vs openpyxl 94.5ms/96.2%) - .pptx: 2.3ms mean, 98.4% (vs python-pptx 32.5ms/86.7%)
- Merge 8 separate crates (office_core, cfb_oxide, docx_oxide, xlsx_oxide, pptx_oxide, doc_oxide, xls_oxide, ppt_oxide) into modules under src/ - Keep CLI and MCP as workspace binary crates - Fix all clippy warnings (dead code, identity ops, manual prefix strip) - DRY: extract parallel parsing utility (core::parallel::map_collect) - Add serde + PartialEq derives to IR types, remove 73 lines of manual JSON conversion in wasm.rs - Fix CI feature matrix (remove nonexistent per-format features, add parallel) - Add full crates.io publishing metadata to CLI and MCP (binstall, deb, keywords) - Add release workflow with native binary builds (6 platforms), sequential crates.io publishing, Homebrew + Scoop templates - Add README for CLI and MCP crates - Add CHANGELOG, CONTRIBUTING, CODE_OF_CONDUCT, SECURITY, LICENSE files
- DocumentIR::to_html() renders HTML fragments with proper escaping - Document::to_html() + convenience function to_html(path) - CLI: office-oxide html <file> - MCP: extract tool accepts format="html" - Python: doc.to_html() + office_oxide.to_html(path) - WASM: doc.toHtml() - 5 new tests (paragraph, formatting, escaping, table, list)
- python.rs: replace 130 lines of manual IR→PyDict with serde + generic json_value_to_py helper (6 functions → 1) - MCP protocol.rs: replace manual ir_to_json with serde_json::to_value (IR types have Serialize derives now) - Write modules: import namespace constants from core::xml::ns instead of re-declaring identical strings in docx/xlsx/pptx write.rs - Boolean toggle: extract parse_toggle(e, attr_name) to core::xml, replace duplicate implementations in docx/formatting.rs and xlsx/styles.rs - IR: add TextSpan::plain() constructor, use across all 6 convert_*.rs files to eliminate repetitive struct initialization boilerplate
Use json.loads(serde_json string) instead of manual PyObject construction to avoid pyo3 0.28 type ownership issues with Borrowed<PyBool>.
- DOCX writer: paragraph, heading, table, list round-trips - XLSX writer: cells, multiple sheets, empty cells round-trips - PPTX writer: slide, multiple slides, bullet list round-trips - create_from_ir: DOCX, XLSX, PPTX IR→file→read round-trips - Edit: DOCX replace_text, XLSX set_cell, PPTX replace_text round-trips - Lower coverage threshold to 70% (write/edit modules now tested but not all code paths exercised yet) - Fix cargo fmt formatting across codebase
README fixes: - Pass rate: 96.2% on 2,570 → 98.1% on 6,062 files (latest benchmarks) - Speed claim: "10-60×" → "Up to 100×" (matches actual benchmarks) - Citation year: 2025 → 2026 - Add HTML column to Supported Formats table - Add to_html() to Python and Rust API examples - Add MCP server + CLI sections Python bindings: - Add to_html to __init__.py exports and _native.pyi type stubs - Add save_as to type stubs - Fix ruff CI: scope to python/ dir, remove --fix flag GEO/LLM optimization: - Add llms.txt for AI model discovery (API, performance, use cases) - Add .devin/wiki.json knowledge base for Devin AI
Wheel cross-compilation (musllinux, aarch64, windows-aarch64) fails in Docker environments that can't find Python interpreters. These builds are only needed for PyPI publishing, not for CI validation. Tests and lint still run on every push.
Preempt the same artifact-bloat class of failures that hit pdf_oxide v0.3.27 (330 MB crate, >100 MB sdist — both rejected by registries). - Cargo.toml: replace implicit package contents with an explicit `include` whitelist. Crate drops 133 -> 93 files (273 -> 144 KiB compressed); PyPI sdist drops 132 -> 96 files (283 -> 151 KiB). Prevents future accidental binary/asset commits from leaking into published tarballs. - release.yml: run `wasm-opt -Oz --strip-debug --strip-producers` after wasm-bindgen. Typical reduction ~20-30% on the 873 KiB wasm.
…istent corpus stats
- Auto-fix 89 clippy `collapsible_match` lints across docx/xlsx/pptx/ppt/core (CI
`-D warnings` now passes).
- Escape `[Content_Types].xml` in opc.rs doc comment so `cargo doc` is warning-free.
- Re-run benchmarks on the full 6,062-file corpus with the current parser on an
idle system (warm cache, median of 3 runs). Update BENCHMARKS.md + README.md
to the new numbers; sync CHANGELOG.
- docx 1.6→0.8ms mean, 8.9→3.9ms p99
- pptx 1.4→0.7ms mean, 7.2→3.9ms p99
- xlsx 11.1→5.0ms mean, 97→40ms p99 (vs previous docs)
- Overall pass rate 98.1% → 98.4% (5,965 / 6,062; 97 failures, all invalid
inputs or non-Office files).
- Call out the one non-leadership axis honestly: .xls p99 is 75ms vs xls2csv's
58ms (xls2csv emits truncated output on complex sheets).
Land all artifacts required for the first public release:
- Language bindings: Go (CGo + installer), C# (.NET P/Invoke), Node.js
(koffi), C header (cbindgen), plus src/ffi.rs for the shared C ABI.
- Documentation: per-language getting-started guides under docs/,
wasm-pkg README + dual license, python package README.
- Examples: runnable extract/replace samples in rust, python, go,
javascript, csharp, and c.
- Release tooling: .github/scripts/{bump-version,check-versions}.sh
and optional .github/hooks/pre-commit for version-parity guards.
- Wire-up on modified files: CI matrix extends to the new bindings,
release.yml publishes to crates.io / PyPI / npm (×2) / NuGet / Go /
Homebrew / Scoop with smoke tests; crate metadata, python stubs,
wasm-pkg package.json updated for v0.1.0.
- .gitignore: exclude wasm-pkg build outputs, csharp bin/obj/runtimes,
js prebuilds, and the go/install installer binary.
node --test no longer auto-discovers files when given a directory arg; it tries to load the path as a single module and fails. Explicitly glob test/*.mjs so npm test succeeds on node 18 / 20 / 22+.
npm 10+ writes hasInstallScript: true for packages with postinstall hooks; commit so it doesn't show as drift on every fresh install.
The Rust cdylib/staticlib product is named liboffice_oxide (matching the crate name office_oxide with a leading lib- prefix). Several user-facing docs, error messages, and comments had dropped an f. Runtime path resolution already computed the correct name, so nothing was broken at runtime — but the docs told users the wrong filename.
…V, dependabot - Add concurrency cancel-in-progress and workspace-wide clippy/doc gates - Raise coverage threshold to 85% (ignoring ffi.rs alongside python/wasm) - Consolidate cargo-deny into a single --all-features check; tighten license allow-list (drop MPL/NCSA/OpenSSL, add Apache-2.0 WITH LLVM-exception) - New jobs: taplo fmt, cargo-hack feature powerset, cargo-semver-checks (PR-only), MSRV build - Add dependabot config (cargo, actions, pip) and .taplo.toml - Centralize clippy allow-list via [workspace.lints.clippy]; apply [lints] workspace = true across crates - Reformat toml/rs files to match taplo / rustfmt
…ed Python libs, scripts/bench.sh bench_rust previously measured calamine / docx-rs / dotext but not office_oxide itself, so the repo had no Rust-to-Rust number. Wire office_oxide in as a path dep (bench_rust kept out of the main workspace via a nested [workspace] table), add .xls coverage, --json output, peak-RSS capture via getrusage, and panic-catching for competitor crashes. bench_python.py adds python-calamine + xlrd wrappers so the tables in BENCHMARKS.md are reproducible from the shipped harness. Adds --json output and RSS capture for parity with bench_rust. scripts/bench.sh is the single reproducible entry point: captures machine spec, installs pinned competitor versions from scripts/bench-requirements.txt, builds release, runs both harnesses, writes machine.json / python.json / rust.json to an output dir. README tagline reframed to 'Fastest Native Office Document Library' with an explicit scope block (POI/Tika are out of scope — JVM). New 'Reproducing these numbers' + 'Scope and non-goals' sections in BENCHMARKS.md. GAPS.md tracks the remaining deferred items (full-corpus re-run, POI/Tika comparison, bench_results.json cleanup).
## Rich creation API - xlsx/write: Add CellStyle (bold, color, background, number format, alignment, wrap), NumberFormat enum, HAlign enum, CellData::Formula, set_cell_styled, set_column_width; dynamic styles.xml generation with deduplication - docx/write: Add Run struct with bold/italic/underline/strikethrough/color/ font_size/font_name builder; Alignment enum; add_rich_paragraph, add_paragraph_aligned, add_rich_paragraph_aligned, add_page_break - pptx/write: Add Run struct with same builder API; add_rich_text, add_text_box (positioned, EMU), add_rich_text_box ## Markdown → Office - src/ir_from_markdown.rs: DocumentIR::from_markdown (pure-Rust, no deps) - src/create.rs: create_from_markdown, create_from_markdown_to_writer - Python binding: create_from_markdown pyfunction + pyi stub ## FFI parity — create_from_markdown in all languages - src/ffi.rs: office_create_from_markdown (C FFI) - go/office_oxide.go: CreateFromMarkdown wrapper - js/lib/native.js + index.js: createFromMarkdown - csharp: NativeMethods.OfficeCreateFromMarkdown + Document.CreateFromMarkdown ## Numbered examples (01–06, all self-contained, no fixtures needed) - Rust: extract, create-rich-docx, create-xlsx-formulas, create-pptx-textboxes, edit-roundtrip, markdown-to-all-formats - Python: extract, create-from-markdown, edit, batch-processing - Go: extract, create-from-markdown, edit - JavaScript: extract, create-from-markdown, edit - C#: extract, create-from-markdown, edit ## CI — examples now run (not just compile) - test job: cargo run all 6 Rust examples (ubuntu/stable) - python job: run 4 Python examples (python 3.12) - go job: go run -tags office_oxide_dev all 3 Go examples - node-native job: node all 3 JS examples - csharp job: dotnet run all 3 C# examples ## OSS readiness - LICENSE-MIT: corrected copyright to "2026 Yury Fedoseev" (all 4 copies) - SECURITY.md: direct contact email yfedoseev@gmail.com - CONTRIBUTING.md: updated to reflect actual single-crate structure - docs/MISSION.md: rewritten to reflect shipped state, no cross-project refs - GAPS.md, bench_results.json: deleted (stale internal artifacts) - CI action versions: all corrected to v4/v5 (checkout, setup-python, etc.)
…xes2 - shear: cargo-shear checks for unused dependencies - bench: cargo bench --no-run verifies all benchmarks compile - cli: cargo build + --help smoke test for office_oxide_cli Brings CI gate coverage to parity with pdf_oxide_fixes2.
- src/lib.rs: add //! crate doc with quick-start example and feature flag table - examples/README.md: document all 6 numbered Rust examples and the per-language coverage matrix; update layout table
…kdown The variable was computed but immediately discarded via `let _ = has_header`. Markdown tables always treat row 0 as the header row so the flag had no effect.
…ooter tagline - Installation: add Go, Node.js native (npm office-oxide), C# sections - Building from Source: add shared lib step needed for Go/JS/C# bindings - Footer tagline: Rust+Python+Go+JS/TS+C#+WASM+CLI+MCP (was Rust+Python+WASM) - Citation title: list all languages - Add "Why I built this" personal section matching pdf_oxide style
Each binding README now has:
- H1 tagline ("The Fastest Office Document Library for [Language]")
- npm/PyPI/NuGet/Go Reference badges
- "Part of…" callout cross-linking all other bindings
- "Why office_oxide?" bullet section
- Performance table with DOCX/XLSX/PPTX numbers vs alternatives
- Installation platform matrix (Linux/macOS/Windows x64+arm64)
- "Why I built this" personal section
- Footer tagline listing the binding + Rust core
Languages updated: Go, Node.js (native), C#/.NET, Python, WASM
…y chain
Community & governance:
- Add .github/ISSUE_TEMPLATE/{bug_report,feature_request,config}.yml
- Add .github/pull_request_template.md with DCO checklist
- Add .github/CODEOWNERS (* @yfedoseev + per-binding overrides)
- Add DCO section to CONTRIBUTING.md (git commit -s requirement)
Supply-chain security:
- Pin all GitHub Actions to SHA digests (Scorecard Pinned-Dependencies)
- Add permissions: contents: read at top of ci.yml (was write-all)
- Narrow release.yml: contents: read globally, write only in create-release
and publish-go-tag; id-token: write only in publish jobs
- Migrate crates.io publish to OIDC Trusted Publishing (crates-io-auth-action)
- Migrate PyPI to OIDC Trusted Publishing (attestations: true, no stored token)
- Add --provenance to npm publish (SLSA attestation via id-token: write)
- Add SLSA Build Level 2 artifact attestations (actions/attest-build-provenance)
- Add CycloneDX SBOM generation + attest-sbom to release workflow
New CI workflows:
- .github/workflows/scorecard.yml — weekly OSSF Scorecard (push + schedule)
- .github/workflows/codeql.yml — CodeQL SAST (push, PR, weekly)
- DCO inline check job in ci.yml for PRs
Dependabot:
- Add gomod (/go), nuget (/csharp/OfficeOxide), npm (/js), npm (/wasm-pkg)
Misc:
- Add .editorconfig and .gitattributes
- Add SPDX-License-Identifier headers to src/lib.rs, src/wasm.rs,
go/office_oxide.go, python/__init__.py, js/lib/index.js
- Add GitHub repository topics (12 topics set via gh CLI)
- Add OpenSSF Scorecard badge to README
- Populate docs/architecture/README.md (was empty directory)
- Add pkg.go.dev indexing trigger to release workflow
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.2 to 4.35.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ce64ddc...95e58e9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
Bot
deleted the
dependabot/github_actions/github/codeql-action-4.35.2
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps github/codeql-action from 3.35.2 to 4.35.2.
Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
43d8420Do not run Swift in debug artifacts after failure check76a687eMerge pull request #3804 from github/dependabot/npm_and_yarn/npm-minor-e84c60...751f3e2Bump eslint-plugin-jsdoc from 62.8.1 to 62.9.0 in the npm-minor group808513fUpdate language aliases teste452857Throw error early rather than warningb623f5fMerge pull request #3799 from github/mario-campos/test-multiple-registriesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)