Merge branch 'v2' into add-flag-i18nReady

Author: GuoJikun

.github/workflows/assign.yml

@@ -7,11 +7,10 @@ on:
 jobs:
   auto_assign:
     runs-on: ubuntu-latest
-
     steps:
       - name: Auto-assign PR to author
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.ORG_TAURI_BOT_PAT }}
         run: |
           pr_number=${{ github.event.pull_request.number }}
           pr_author=${{ github.event.pull_request.user.login }}

.github/workflows/priority.yml

@@ -13,7 +13,12 @@ jobs:
     permissions:
       pull-requests: write
       issues: write
+    env:
+      GITHUB_TOKEN: ${{ secrets.ORG_TAURI_BOT_PAT }}
     steps:
+      - name: Set up GitHub CLI
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
       - name: Get project data
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/status.yml

@@ -8,17 +8,10 @@ jobs:
   set_statuses:
     runs-on: ubuntu-latest
     if: ${{ !contains(github.event.issue.labels.*.name, 'manual') && !contains(github.event.pull_request.labels.*.name, 'manual') }}
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
     steps:
-      - name: Set up GitHub CLI
-        run: |
-          echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
       - name: Get project data
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.ORG_TAURI_BOT_PAT }}
           ORGANIZATION: tauri-apps
           PROJECT_NUMBER: 27
         run: |
@@ -56,7 +49,7 @@ jobs:
 
       - name: Add/get item id
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.ORG_TAURI_BOT_PAT }}
         run: |
           if [ "${{ github.event.pull_request.node_id }}" != "" ]; then
             echo "NODE_ID=${{ github.event.pull_request.node_id }}" >> $GITHUB_ENV
@@ -109,7 +102,7 @@ jobs:
 
       - name: Set fields
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.ORG_TAURI_BOT_PAT }}
         run: |
           gh api graphql -f query='
             mutation (

pnpm-lock.yaml

@@ -18,14 +18,25 @@ import CommandTabs from '@components/CommandTabs.astro';
 
 ### 1. Start Your Dev server
 
-Now that you have [everything set up](../start/), you should start your application development server provided by your UI framework or bundler (assuming you're using one, of course). If you followed our guides you will have `beforeDevCommand` configured to do this for you in step 2.
+Now that you have [everything set up](../start/), you should start your application development server
+provided by your UI framework or bundler (assuming you're using one, of course).
+If you followed our guides you will have `beforeDevCommand` configured to do this for you in step 2.
 
 :::note
 
 Every framework has its own development tooling. It is outside of the scope of this document to cover them all or stay up to date.
 
 :::
 
+:::caution[Plain/Vanilla Dev Server Security]
+
+The built-in Tauri development server does not support mutual authentication
+or encryption. You should never use it for development on untrusted networks.
+See the [development server security considerations](/security/lifecycle#development-server)
+for a more detailed explanation.
+
+:::
+
 ### 2. Start Tauri Development Window
 
 <CommandTabs
@@ -41,7 +52,7 @@ Once Rust has finished building, the webview opens, displaying your web app. You
 
 Note that Tauri's APIs only work in your app windows, so once you start using them you won't be able to open your frontend in your system's browser anymore.
 
-:::caution[About Cargo.toml and Source Control]
+:::note[About Cargo.toml and Source Control]
 
 In your project repository, you **SHOULD** commit the `src-tauri/Cargo.lock` along with the `src-tauri/Cargo.toml` to git because Cargo uses the lockfile to provide deterministic builds. As a result, it is recommended that all applications check in their `Cargo.lock`. You **SHOULD NOT** commit the `src-tauri/target` folder or any of its contents.
 

src/content/docs/develop/index.mdx

@@ -221,7 +221,26 @@ fn main() {
 
 ### Applying Migrations
 
-Migrations are applied automatically when the plugin is initialized. The plugin runs these migrations against the database specified by the connection string. Ensure that the migrations are defined in the correct order and are idempotent (safe to run multiple times).
+To apply the migrations when the plugin is initialized, add the connection string to the `tauri.conf.json` file:
+
+```json title="src-tauri/tauri.conf.json" {3-5}
+{
+  "plugins": {
+    "sql": {
+      "preload": ["sqlite:mydatabase.db"]
+    }
+  }
+}
+```
+
+Alternatively, the client side `load()` also runs the migrations for a given connection string:
+
+```ts
+import Database from '@tauri-apps/plugin-sql';
+const db = await Database.load('sqlite:mydatabase.db');
+```
+
+Ensure that the migrations are defined in the correct order and are safe to run multiple times.
 
 ### Migration Management
 

src/content/docs/plugin/sql.mdx

@@ -71,6 +71,30 @@ which are usually considered to be attacks on direct dependencies of your projec
 However, a growing class of attacks in the wild directly target development machines,
 and you would be well off to address this head-on.
 
+### Development Server
+
+Tauri application frontends can be developed using a number of web frameworks.
+Each of these frameworks usually ship their own development server, which is exposing
+the frontend assets via an open port to the local system or network.
+This allows the frontend to be hot-reloaded and debugged in the WebView or Browser.
+
+In practice this connection is often neither encrypted nor authenticated by default.
+This is also the case for the built-in Tauri development server and exposes your
+frontend and assets to the local network. Additionally, this allows attackers
+to push their own frontend code to development devices in the same network as the attacker.
+Depending on what kind of functionality is exposed this could lead to device compromise
+in the worst case.
+
+You should only develop on trusted networks where you can safely expose your
+development device. If this is not possible you MUST ensure that your development
+server uses **mutual** authentication and encryption (e.g. mTLS) for connections
+with your development devices.
+
+:::note
+The built-in Tauri development server does not support
+mutual authentication and transport encryption at the moment and should not be used on untrusted networks.
+:::
+
 ### Harden Development machines
 
 Hardening your development systems depends on various factors and on your personal

src/content/docs/security/lifecycle.mdx

@@ -0,0 +1,157 @@
+---
+title: Snapcraft
+sidebar:
+  order: 1
+---
+
+## 前置条件
+
+import { Tabs, TabItem, Card } from '@astrojs/starlight/components';
+
+**1. 安装 `snap`**
+
+{/* prettier-ignore */}
+<Tabs>
+  <TabItem label="Debian">
+    ```shell
+    sudo apt install snapd
+    ```
+  </TabItem>
+  <TabItem label="Arch">
+    ```shell
+    sudo pacman -S --needed git base-devel
+    git clone https://aur.archlinux.org/snapd.git
+    cd snapd
+    makepkg -si
+    sudo systemctl enable --now snapd.socket
+    sudo systemctl start snapd.socket
+    sudo systemctl enable --now snapd.apparmor.service
+    ```
+  </TabItem>
+  <TabItem label="Fedora">
+    ```shell
+    sudo dnf install snapd
+    # Enable classic snap support
+    sudo ln -s /var/lib/snapd/snap /snap
+    ```
+
+    然后重新启动系统。
+
+  </TabItem>
+</Tabs>
+
+**2. 安装 snap 基座**
+
+```shell
+sudo snap install core22
+```
+
+**3. 安装 `snapcraft`**
+
+```shell
+sudo snap install snapcraft --classic
+```
+
+## 配置
+
+1. 创建一个 UbuntuOne 账号。
+2. 请前往 [Snapcraft](https://snapcraft.io) 网站注册一个应用名称。
+3. 在你项目的根目录创建一个 snapcraft.yaml 文件。
+4. 调整 snapcraft.yaml 文件中的 name。
+
+```yaml
+name: app
+base: core22
+version: '2.0.4'
+summary: Your summary # 79 char long summary
+description: |
+  Your Description
+
+grade: stable
+confinement: strict
+
+apps:
+  app:
+    command: bin/app
+    desktop: usr/share/applications/app.desktop
+
+package-repositories:
+  - type: apt
+    components: [main]
+    suites: [noble]
+    key-id: 78E1918602959B9C59103100F1831DDAFC42E99D
+    url: http://ppa.launchpad.net/snappy-dev/snapcraft-daily/ubuntu
+
+parts:
+  prep:
+    plugin: dump
+    build-snaps:
+      - node/20/stable
+      - rustup/latest/stable
+    build-packages:
+      - libwebkit2gtk-4.1-dev
+      - build-essential
+      - curl
+      - wget
+      - file
+      - libxdo-dev
+      - libssl-dev
+      - libayatana-appindicator3-dev
+      - librsvg2-dev
+      - dpkg
+    stage-packages:
+      - libwebkit2gtk-4.1-0
+      - libglu1-mesa
+      - libsoup-3.0-0
+      - freeglut3
+    source: .
+    override-pull: |
+      set -eu
+      craftctl default
+      rustup default nightly
+      npm install
+      npm run tauri build -- --bundles deb
+      dpkg -x src-tauri/target/release/bundle/deb/*.deb here
+      sed -i -e "s|Icon=app|Icon=/usr/share/icons/hicolor/32x32/apps/app.png|g" here/usr/share/applications/app.desktop
+      cp -r here/* .
+    organize:
+      usr/bin/app: bin/app
+```
+
+### 解释
+
+- `name` 变量定义了你的应用程序的名称，并且必须设置为之前注册的名称。
+- `base` 变量定义了你正在使用的核心。
+- `version` 变量定义了版本，并且应该随着源代码库的每次更改而更新。
+- `apps` 部分允许你公开桌面和二进制文件以供用户运行你的应用。
+- `package-repositories` 部分允许你添加一个包仓库来帮助你满足你的依赖。
+- `build-packages`/`build-snaps` 为你的 snap 定义构建依赖。
+- `stage-packages`/`stage-snaps` 定义了你的 snap 的运行时依赖。
+- `override-pull` 部分在拉取数据源之前运行一系列命令。
+- `craftctl default` 执行默认的拉取命令。
+- `organize` 部分将文件移动到合适的目录，以便二进制文件和桌面文件可以暴露给 `apps` 部分。
+
+## 构建
+
+```sh
+sudo snapcraft
+```
+
+## 测试
+
+```shell
+snap run your-app
+```
+
+## 手动发布
+
+```shell
+snapcraft login # 用你的 UbuntuOne 凭证登录
+snapcraft upload --release=stable mysnap_latest_amd64.snap
+```
+
+## 自动构建
+
+1. 在你的 app 开发者页面上，点击 `builds` 选项卡。
+2. 点击 `login with github`.
+3. 输入存储库的详细信息。