Commit graph

265 commits

Author SHA1 Message Date
litebito
c6c2b893c1 CI: Update pm_ci workflow from self hosted to github hosted(2) 2026-05-30 14:57:15 +02:00
litebito
f5aa50cc8e
Add legacy-auth deprecation warning (fixes #145) (#241)
* Add legacy-auth deprecation warning

Closes the #145 apiKeyAuthentication bundle. PR-A shipped the storage, PR-B
the auth wiring, PR-C the self-service UI; this last piece adds the operator
nudge for legacy authentication and the user-facing release-notes Highlights
for both apiKey availability and the legacy deprecation.

A new LEGACY_AUTH_WARNING_CACHE (existing JCache/EhCache infrastructure,
mirroring #228's ArtistByNameCache; bounded at 10000 entries, 24h TTL) backs
a single throttled WARN log emitted from
RESTRequestParameterProcessingFilter.successfulAuthentication on the first
legacy authentication per (user, client) within the window. The hook
distinguishes legacy auth by request parameters (u + (p OR (t AND s))) --
NOT by the authenticated token class -- because successfulAuthentication
fires for any non-null Authentication result, including pre-authed apiKey
and Basic requests. Request-param discrimination is the robust signal and
naturally bypasses apiKey-only requests.

The WARN line names the method (legacy username/password or legacy
token+salt), points operators at the new Personal Settings -> API Keys page,
and references #56 with soft timing. Inputs are sanitized
(Character.isISOControl -> U+FFFD) before both log substitution and
cache-key concatenation, which defeats CRLF log injection via the username
and collision attacks via U+001F on the throttle separator; a
MAX_FIELD_LENGTH = 256 early-reject prevents pathological-length keys from
inflating the cache. The log line contains no password, token, salt, IP,
or User-Agent.

The existing RESTRequestParameterProcessingFilter.attemptAuthentication
logic is byte-unchanged; only a setter, the maybeWarnLegacyAuth helper, and
the static identifyLegacyAuthMethod were added.

fixes #145

* CI: Update pm_ci workflow from self hosted to github hosted

---------

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-30 14:52:40 +02:00
litebito
7b970975e9
Update dependency review workflow configuration
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-05-20 21:26:47 +02:00
litebito
55f1d1342f
ci: sign container images with Cosign on release (keyless OIDC) (#195)
Complete 13.1.0's supply-chain hardening sequence (following #175 SHA pinning
and #184 Actions major bumps) by signing every released container image
with Cosign keyless signing via GitHub Actions OIDC.

What changes in release.yml:
- Top-level permissions gain id-token: write for OIDC token issuance
- docker/build-push-action step gains id: build-push so its digest output
  can be referenced by the cosign step
- New Install Cosign step using sigstore/cosign-installer@v4.1.2
  (SHA-pinned matching the #175 convention; bundles Cosign 3.0.6 by default)
- New Sign image step calling cosign sign --yes against the manifest-list
  digest from build-push. Signing by digest covers both :<version> and
  (when applicable) :latest in a single call, and the manifest-list digest
  also covers both linux/amd64 and linux/arm64 platform layers.

See docs/security/image-verification.md for the verification command,
success/failure interpretation, and the full trust-model explanation.

fixes #183

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-18 18:51:45 +02:00
litebito
0632b023f7
ci: bump GitHub Actions major versions across all workflows (#189)
Four major-version bumps held back from #175's SHA-pinning sweep because each
required a breaking-change review:

- actions/checkout            v5.0.1  → v6.0.2   (6 workflow files)
- docker/setup-buildx-action  v3.12.0 → v4.0.0   (release.yml)
- docker/login-action         v3.7.0  → v4.1.0   (release.yml)
- docker/build-push-action    v6.19.2 → v7.1.0   (release.yml)

Each bump is SHA-pinned to a specific commit with a # v<N>.x.x annotation
comment, matching the #175 convention. No tag-based references introduced.

Common change across all four: Node 24 default runtime. Self-hosted runner
fleet at v2.334.0 (well past the v2.327.1 / v2.329.0 minimums); fleet was
rebuilt in May 2026 with auto-update enabled.

Per-action breaking-change review:
- actions/checkout v6: persist-credentials moved to $RUNNER_TEMP — only
  affects container-action scenarios we don't use.
- docker/setup-buildx-action v4: deprecated inputs/outputs removed — our
  bare invocation has zero exposure.
- docker/login-action v4: misc cleanup; registry/username/password inputs
  unchanged.
- docker/build-push-action v7: removed DOCKER_BUILD_NO_SUMMARY and
  DOCKER_BUILD_EXPORT_RETENTION_DAYS envs (not set anywhere); removed
  legacy export-build summary tool. Our 5 inputs (context, platforms,
  push, tags, build-args) are stable in v7.

9 insertions / 9 deletions across 6 workflow files. No app code, Maven, or
non-workflow changes. Verification is CI on the PR plus next release tag
exercising release.yml end-to-end.

fixes #184

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-17 22:24:54 +02:00
litebito
a7af2b1945
ci: SHA-pin third-party actions and finish paths-ignore cleanup (#175)
Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-16 17:08:14 +02:00
litebito
1c1b9b4753
ci: update Trivy Scan scope and rename CodeQL workflow file (#174)
Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-16 13:05:39 +02:00
litebito
0be37c4b8c
ci: update runner in pr_ci.yml (#170)
* ci: update runner in pr_ci.yml

* ci: update runner setup in pr_ci.yml

* ci: update runner setup in pr_ci.yml

* ci: update runner setup in pr_ci.yml

---------

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-15 23:42:34 +02:00
litebito
5e1ed930ef
chore: rename in-repo references for Airsonic-Pulse org transfer (#163)
Updates GitHub URLs from litebito/airsonic-pulse to
Airsonic-Pulse/airsonic-pulse and GHCR namespace from
ghcr.io/litebito/airsonic-pulse to ghcr.io/airsonic-pulse/airsonic-pulse,
in preparation for the org transfer.

Liquibase changesets, historical release notes (v13.1.0-rc.1.md),
HISTORY.md, intentional upstream-attribution references to
kagemomiji/airsonic-advanced, and the FUNDING.yml / CoC contact email
are explicitly excluded.

fixes #162

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-14 16:43:38 +02:00
litebito
e7c2cba67c ci(codeql): move to ubuntu-latest, bump setup-node to v5 2026-05-14 13:10:31 +02:00
litebito
cf4b98dc2d ci(codeql): add install Node.js for javascript-typescript extractor 2026-05-14 12:28:57 +02:00
litebito
ed6b12245a ci(codeql): modernize workflow per current GitHub template
- Switch Java/Kotlin to build-mode: none (no compile needed, ~3-5x faster)
- Add 'actions' language to scan workflow files themselves
- Update 'javascript' → 'javascript-typescript' identifier
- Add packages: read permission for CodeQL query pack fetching
- Use matrix.include syntax for per-language build-mode config
- Rename workflow to 'CodeQL Advanced' to match GitHub convention
- Drop now-unused setup-java and mvn package build steps
2026-05-14 12:13:08 +02:00
litebito
2b84f00fa1 ci: update CodeQL scanning 2026-05-14 11:22:58 +02:00
litebito
45bf7da4b0 ci: re-enable CodeQL scanning 2026-05-14 11:13:15 +02:00
litebito
f4c8111043 ci: re-enable CodeQL scanning 2026-05-14 11:11:11 +02:00
litebito
2bf5fffc46 docs: update github documentation 2026-05-14 10:54:09 +02:00
litebito
76a1cdf7c5 docs: update route and doc for security reports/reporting 2026-05-13 20:06:04 +02:00
litebito
05a904b17c docs: update github docs 2026-05-13 18:34:51 +02:00
litebito
bac4bfe608
chore: update release workflow (#160)
Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-13 12:33:54 +02:00
litebito
a2687aaa2e
chore: update release workflow (#159)
Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-13 12:00:11 +02:00
litebito
8a315f5508
chore: rename Trivy job display name to 'Trivy scan' for clarity (#148)
Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-09 21:49:09 +02:00
litebito
84aa6a0781
chore: ignore liquibase-core major version updates in Dependabot — fixes #87 (#88)
Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-03 15:24:15 +02:00
dependabot[bot]
c0a1183e87
ci: bump docker/setup-qemu-action from 3 to 4 (#74)
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-03 00:09:06 +02:00
litebito
334730ce03 Re-enable Dependabot for GitHub Actions and Maven dependencies 2026-05-02 21:54:56 +02:00
litebito
8ee547aae3 Add repo/github tools: release notes formatting script 2026-05-02 14:53:19 +02:00
litebito
b01804a1e2 Documentation updates 2026-05-02 11:38:58 +02:00
litebito
f4cac3cfa2 Add SHA-256 checksums to release artifacts 2026-05-02 11:37:49 +02:00
litebito
a936f9b6a4
fix: updateUser REST endpoint maps streamRole from isStreamRole — fixes #57 (#58)
* Pin trivy-action to SHA (supply chain hardening)

Pin aquasecurity/trivy-action to full commit SHA instead of
mutable tag, per recommendations from the March 2026 Trivy
supply chain compromise (GHSA-69fq-xp46-6x23).

Our repo was not affected (first workflow run was April 27,
attack window was March 19-20), but pinning prevents future
tag-based attacks.

* fix: updateUser REST endpoint maps streamRole from isStreamRole — fixes #57

---------

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-01 21:06:48 +02:00
litebito
7afd5f238b
Update paths-ignore in PR CI workflow
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-29 18:32:44 +02:00
litebito
036cce76d2
Update paths-ignore in pm_ci.yml
Ignore specified file types and directories in CI workflow

Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-29 18:21:15 +02:00
litebito
b072398dd6
Update documentation request template options
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-29 16:12:36 +02:00
litebito
1c74e38998
Update release workflow: fix runner compat, add Docker publish, fixes #51 (#52)
- Remove actions/setup-java and apt-get (pre-installed on runner)
- Add Docker image build and push to ghcr.io/litebito/airsonic-pulse
- Multi-arch: amd64, arm64 via QEMU + buildx
- Version tag from git tag, latest only for non-prerelease
- Uses GITHUB_TOKEN for both release creation and GHCR push

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-04-29 14:04:45 +02:00
litebito
7c1ce3b0d0 Skip Trivy scan on workflow-only and doc-only changes 2026-04-27 22:11:04 +02:00
litebito
6ca3ce4d15
Rename CI workflow to 'CI - Push to Main'
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-27 22:07:38 +02:00
litebito
e4f8be18fb
Rename workflow from 'PR CI' to 'CI - Pull Request'
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-27 22:07:11 +02:00
litebito
99ca0df7de
Workflow maintenance: fix Trivy, disable CodeQL (#46)
- Trivy: switch to table output, increase timeout, skip Java source dirs
  (SARIF upload requires Advanced Security, not available on private repos)
- CodeQL: disabled (same reason) — will re-enable when repo goes public
- codeql-action updated to v4

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-04-27 21:57:15 +02:00
litebito
b807da0e2a
Add multi-database test matrix to pr_ci.yml — fixes #38 (#39)
* Add multi-database test matrix to pr_ci.yml, fixes #38

- HSQLDB (embedded, current default)
- PostgreSQL 16 (service container)
- MariaDB 11 (service container)
- fail-fast: false for full visibility
- Excludes EmbeddedTestCategory for external databases

* Update trivy-action to v0.36.0 (old unprefixed tags removed upstream)

* Update actions/checkout to v5 (Node.js 20 deprecation)

* Fix Trivy SARIF upload permissions, update codeql-action to v4

* Fix Trivy timeout: increase timeout, skip Java source dirs

---------

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-04-26 22:43:37 +02:00
litebito
525e819137
Split ci.yml into pr_ci.yml and pm_ci.yml, fixes #36 (#37)
- pr_ci.yml: triggers on pull_request to main
- pm_ci.yml: triggers on push to main
- All workflows now use self-hosted runner
- Removed actions/setup-java and actions/cache (pre-installed on runner)
- Deleted ci.yml

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-04-26 18:07:06 +02:00
litebito
b7918b7899 chore: clean up contrib/, fix upstream refs, retire lgtm.yml
Remove stale contrib/ files superseded by current tooling:
- contrib/airsonic.service (superseded by install/systemd/)
- contrib/airsonic-systemd-env (superseded by installer override files)
- contrib/deploy.sh (Tomcat-based, not applicable to standalone WAR)
- contrib/release.md (manual process replaced by GitHub Actions)

Fix upstream references in install/:
- install/docker/Dockerfile: update LABEL url to litebito/airsonic-pulse
- install/compose/docker-compose.hsqldb.yaml: rename service/container,
  update image to ghcr.io/litebito/airsonic-pulse
- install/compose/docker-compose.postgres.yaml: update image reference

Fix upstream reference in .github/CONTRIBUTING.md (line 5)

Retire lgtm.yml: LGTM was shut down November 2022; CodeQL workflow
(any_codeql_scan.yml) is the current replacement.

Fix .github/workflows/any_trivy_scan missing .yml extension so GitHub
Actions recognises the workflow file.

Update contrib/i18n_fix_encoding.go: replace deprecated io/ioutil with
io.ReadAll and os.WriteFile (Go 1.16+).

Fix contrib/library_autoupdater.sh: correct misleading comment
("10 minutes") to match actual sleep duration (3600s = 60 minutes).
2026-04-26 14:05:53 +02:00
litebito
3b535f39a8
Fix CodeQL OOM and rename workflow to naming convention (#31)
- Increase CodeQL analyze RAM to 4096 MB
- Add MAVEN_OPTS=-Xmx2048m to the Java build step
- Rename codeql.yml to any_codeql_scan.yml

fixes #30

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-04-26 12:35:45 +02:00
litebito
48e0d51d7e
Rename any_trivy_scan workflow file
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-26 11:32:53 +02:00
litebito
2ec7809bcc
Add Trivy scan workflow for vulnerability scanning
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-26 09:48:12 +02:00
litebito
f0fc4c9cb0
Add CodeQL analysis
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-26 00:09:26 +02:00
litebito
ded59769f9
Modify CI workflow for self-hosted runner and Java 21
Updated CI workflow to use self-hosted runner and Java setup action version 5. Removed ffmpeg installation step and added verification step.

Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-25 21:08:43 +02:00
litebito
d15395741e
Add runner-smoke workflow for self-hosted runner
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-25 18:05:53 +02:00
litebito
f23455961c
Add Ko-fi for tips
Added Ko-fi for tips.

Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
2026-04-19 11:22:03 +02:00
litebito
62f0e17619 ci: replace Probot stale config with actions/stale workflow
Remove the legacy .github/stale.yml Probot configuration and replace
it with a GitHub Actions workflow using actions/stale@v10.

Key changes from the old config:
- Days before close: 180 → 75 (stale period remains 90 days)
- Exempt milestones: false → true (protects 13.x.x and 14.x.x work)
- Exempt assignees: false → true (active assigned work never auto-closes)
- Exempt labels updated to match current label set: security, release,
  pinned (dropped dead upstream labels: type: enhancement, accepted,
  status: accepted, critical, priority: critical, neverstale)
- Operations per run: 10 → 30
- Close messages added for both issues and PRs (previously unset)
- Separate stale/close messages for issues vs. pull requests
- Runs daily at 02:30 UTC with workflow_dispatch for manual triggers
2026-04-18 17:21:01 +02:00
litebito
276ba9e47e ci: add placeholder to bug_report configuration field 2026-04-18 16:53:16 +02:00
litebito
7e347f29e1 ci: rebrand and expand GitHub issue templates
Replace five upstream .yaml templates with eight rebranded .yml
issue forms plus a PR template and config.yml.

New templates:
- migration_issue.yml — upgrade and Airsonic-Advanced migration issues
- security_vulnerability.yml — responsible disclosure with private
  advisory redirect for critical vulnerabilities
- PULL_REQUEST_TEMPLATE.md — type of change, test and style checklists

Replaced templates (renamed .yaml → .yml, expanded):
- bug_report.yml — adds Expected Behavior field, fixes DB version
  options (MySQL 8.x / MariaDB 10.x), improves copy throughout
- feature_request.yml — rebrands description, expands scope options,
  adds Alternatives Considered field
- documentation_request.yml — adds request type, location, and
  what's-missing fields (replaces thin documentation.yaml)
- chore.yml — full codebase area taxonomy with motivation and
  acceptance criteria (replaces narrow repository_maintenance.yaml)
- release_checklist.yml — removes empty assignees, adds CI-green
  and test-deploy checkboxes (replaces release_preparation.yaml)

config.yml:
- Disables blank issues (forces template chooser)
- Adds contact links: GitHub Discussions, Subsonic API reference,
  Security Advisories (for critical vulnerabilities)
2026-04-18 16:51:46 +02:00
litebito
7c6d1403cf
Add 'Settings' option to feature request template 2026-04-18 14:43:53 +02:00