
chore: add cargo-audit CI gate and CHANGELOG skeleton #85

Merged

membphis merged 1 commit into main from codex/issue-64-66-audit-changelog on May 30, 2026

Conversation

@membphis membphis commented May 30, 2026

Closes #64 (partial), #66 (partial)

Summary by CodeRabbit

  • New Features

    • Added automated security audits to CI pipeline to check for supply-chain vulnerabilities.
  • Chores

    • Initialized changelog with structured release history and versioning.
    • Updated README to reference changelog for release notes.
    • Made dependency lock file trackable in version control.

coderabbitai Bot commented May 30, 2026

Walkthrough

This PR establishes project release management infrastructure and supply-chain security. It introduces a Keep-a-Changelog file documenting past and future releases, enables version-controlled dependency tracking via Cargo.lock, updates the README to reference the changelog, and adds a GitHub Actions job to audit dependencies for known vulnerabilities during CI.

Changes

Release Management and Dependency Tracking

| Layer | File(s) | Summary |
| --- | --- | --- |
| Changelog initialization and release notes | CHANGELOG.md | Introduces a Keep-a-Changelog-formatted file with an [Unreleased] section documenting the new cargo-audit CI job and the changelog itself, plus backfilled 0.1.0 release notes with dates and comparison links. |
| README updates and lock file tracking | README.md, .gitignore | README now references CHANGELOG.md for release notes; Cargo.lock is enabled for version control by removing it from .gitignore to ensure reproducible builds. Minor line wrapping adjustment in the RFC 8259 known gaps section. |
| CI supply-chain audit job | .github/workflows/ci.yml | New jobs.audit step in CI installs stable Rust and cargo-audit, then runs a security audit to detect known vulnerabilities in project dependencies. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Linked Issues check | ⚠️ Warning | The PR partially addresses #64 by creating CHANGELOG.md with Keep a Changelog format and v0.1.0 backfill, but omits required updates to release.yml workflow and policy documentation in CONTRIBUTING.md/README. | Complete the remaining #64 objectives: update release.yml to require CHANGELOG entries, include released section in GitHub Release body, and document policy in CONTRIBUTING.md or README. |
| Out of Scope Changes check | ❓ Inconclusive | Changes to .gitignore (removing Cargo.lock) and README.md formatting are scope-adjacent but not explicitly tied to the linked issues, introducing minor unrelated modifications. | Clarify whether .gitignore and README.md formatting changes are necessary for the audit/changelog objectives or should be moved to a separate PR. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the two main changes: adding cargo-audit to CI and creating a CHANGELOG skeleton, matching the PR's core objectives. |
| E2e Test Quality Review | ✅ Passed | This PR contains no test code, only CI infrastructure and documentation changes. The E2E test quality review check is not applicable to PRs without tests. |
| Security Check | ✅ Passed | PR adds cargo-audit CI, Cargo.lock versioning, CHANGELOG, README updates. JSON parser library lacks auth/DB/crypto; none of 7 security categories applicable to this codebase. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 16: Replace the mutable actions/checkout@v4 reference with the GitHub
Actions runner pinned to a full commit SHA: locate the workflow step that uses
"actions/checkout@v4" and change it to "actions/checkout@<FULL_COMMIT_SHA>"
where <FULL_COMMIT_SHA> is the exact commit SHA from the actions/checkout
repository for the v4 tag (use the official actions/checkout repo to copy the
commit SHA), commit the updated workflow, and ensure the workflow still runs
successfully in CI.
- Line 12: The audit job currently lacks least-privilege settings and uses a
mutable checkout tag; add a top-level permissions: block granting only the
minimal scopes needed for the workflow (e.g., contents: read for GITHUB_TOKEN),
update the jobs.audit checkout step to include persist-credentials: false to
avoid leaving the token in the repo remote, and replace actions/checkout@v4 with
a specific pinned commit SHA for the actions/checkout reference to satisfy
supply-chain pinning.
📥 Commits

Reviewing files that changed from the base of the PR and between c11da3f and 414b7a0.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .gitignore
  • CHANGELOG.md
  • README.md
💤 Files with no reviewable changes (1)
  • .gitignore

Comment thread .github/workflows/ci.yml
CARGO_TERM_COLOR: always

jobs:
audit:
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"

echo "== File: $FILE =="
ls -l "$FILE" || true
echo

echo "== Workflow (lines 1-200) =="
nl -ba "$FILE" | sed -n '1,200p'
echo

Repository: api7/lua-qjson

Length of output: 261


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"

echo "== First 200 lines (numbered) =="
cat -n "$FILE" | sed -n '1,200p'

echo
echo "== Find permissions blocks =="
rg -n "^\s*permissions\s*:" "$FILE" || true

echo
echo "== Extract jobs.audit section (best-effort) =="
# Print from 'jobs:' until end (bounded) to locate audit job
cat -n "$FILE" | sed -n '1,200p' | sed -n '/jobs:/,/^  [a-zA-Z0-9_-]+:/p'

Repository: api7/lua-qjson

Length of output: 15043


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"

echo "== File length =="
wc -l "$FILE"

echo
echo "== permissions: occurrences =="
rg -n "^\s*permissions\s*:" "$FILE" || true

echo
echo "== persist-credentials occurrences =="
rg -n "persist-credentials" "$FILE" || true

echo
echo "== actions/checkout steps =="
rg -n "uses:\s*actions/checkout@" "$FILE" -n || true

echo
echo "== Show actions/checkout blocks (context) =="
rg -n "uses:\s*actions/checkout@" "$FILE" -n -C 3 || true

Repository: api7/lua-qjson

Length of output: 1297


Add least-privilege permissions for the audit job

  • The workflow has no top-level permissions: block, so the default GITHUB_TOKEN scopes are broader than necessary for jobs.audit.
  • jobs.audit uses actions/checkout@v4 without persist-credentials: false, leaving the token configured in the git remote.
  • actions/checkout is referenced via a mutable tag (@v4); pin to a commit SHA to match strict supply-chain policy.
Suggested patch
 name: CI

 on:
   push:
     branches: [master, main]
   pull_request:

+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
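Review bot: a top-level `permissions:` block applies to every job in ci.yml, not only jobs.audit, so any existing job in this workflow that needs a write scope would start failing under `contents: read` and would need its own job-level `permissions:` override; worth confirming before merging the suggestion as-is. The patch also covers only the first of the three bullets in the finding: the jobs.audit checkout step still needs `persist-credentials: false` under `with:`, and `actions/checkout@v4` still needs to become a full commit SHA for the supply-chain pinning policy to be satisfied.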
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 12-26: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


Comment thread .github/workflows/ci.yml
name: Supply-chain audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin actions/checkout to a full commit SHA.

.github/workflows/ci.yml (line 16) uses the mutable tag actions/checkout@v4; pinning to an immutable commit SHA improves CI supply-chain integrity.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


@membphis membphis merged commit be7799a into main May 30, 2026
9 checks passed
@membphis membphis deleted the codex/issue-64-66-audit-changelog branch May 30, 2026 05:58

Development

Successfully merging this pull request may close these issues.

docs: CHANGELOG and release notes policy