* Add legacy-auth deprecation warning
Closes the #145 apiKeyAuthentication bundle. PR-A shipped the storage, PR-B
the auth wiring, PR-C the self-service UI; this last piece adds the operator
nudge for legacy authentication and the user-facing release-notes Highlights
for both apiKey availability and the legacy deprecation.
A new LEGACY_AUTH_WARNING_CACHE (existing JCache/EhCache infrastructure,
mirroring #228's ArtistByNameCache; bounded at 10000 entries, 24h TTL) backs
a single throttled WARN log emitted from
RESTRequestParameterProcessingFilter.successfulAuthentication on the first
legacy authentication per (user, client) within the window. The hook
distinguishes legacy auth by request parameters (u + (p OR (t AND s))) --
NOT by the authenticated token class -- because successfulAuthentication
fires for any non-null Authentication result, including pre-authed apiKey
and Basic requests. Request-param discrimination is the robust signal and
naturally bypasses apiKey-only requests.
The WARN line names the method (legacy username/password or legacy
token+salt), points operators at the new Personal Settings -> API Keys page,
and references #56 with soft timing. Inputs are sanitized
(Character.isISOControl -> U+FFFD) before both log substitution and
cache-key concatenation, which defeats CRLF log injection via the username
and collision attacks via U+001F on the throttle separator; a
MAX_FIELD_LENGTH = 256 early-reject prevents pathological-length keys from
inflating the cache. The log line contains no password, token, salt, IP,
or User-Agent.
The existing RESTRequestParameterProcessingFilter.attemptAuthentication
logic is byte-unchanged; only a setter, the maybeWarnLegacyAuth helper, and
the static identifyLegacyAuthMethod were added.
fixes#145
* CI: Update pm_ci workflow from self hosted to github hosted
---------
Co-authored-by: litebito <litebito@users.noreply.github.com>
Complete 13.1.0's supply-chain hardening sequence (following #175 SHA pinning
and #184 Actions major bumps) by signing every released container image
with Cosign keyless signing via GitHub Actions OIDC.
What changes in release.yml:
- Top-level permissions gain id-token: write for OIDC token issuance
- docker/build-push-action step gains id: build-push so its digest output
can be referenced by the cosign step
- New Install Cosign step using sigstore/cosign-installer@v4.1.2
(SHA-pinned matching the #175 convention; bundles Cosign 3.0.6 by default)
- New Sign image step calling cosign sign --yes against the manifest-list
digest from build-push. Signing by digest covers both :<version> and
(when applicable) :latest in a single call, and the manifest-list digest
also covers both linux/amd64 and linux/arm64 platform layers.
See docs/security/image-verification.md for the verification command,
success/failure interpretation, and the full trust-model explanation.
fixes#183
Co-authored-by: litebito <litebito@users.noreply.github.com>
Four major-version bumps held back from #175's SHA-pinning sweep because each
required a breaking-change review:
- actions/checkout v5.0.1 → v6.0.2 (6 workflow files)
- docker/setup-buildx-action v3.12.0 → v4.0.0 (release.yml)
- docker/login-action v3.7.0 → v4.1.0 (release.yml)
- docker/build-push-action v6.19.2 → v7.1.0 (release.yml)
Each bump is SHA-pinned to a specific commit with a # v<N>.x.x annotation
comment, matching the #175 convention. No tag-based references introduced.
Common change across all four: Node 24 default runtime. Self-hosted runner
fleet at v2.334.0 (well past the v2.327.1 / v2.329.0 minimums); fleet was
rebuilt in May 2026 with auto-update enabled.
Per-action breaking-change review:
- actions/checkout v6: persist-credentials moved to $RUNNER_TEMP — only
affects container-action scenarios we don't use.
- docker/setup-buildx-action v4: deprecated inputs/outputs removed — our
bare invocation has zero exposure.
- docker/login-action v4: misc cleanup; registry/username/password inputs
unchanged.
- docker/build-push-action v7: removed DOCKER_BUILD_NO_SUMMARY and
DOCKER_BUILD_EXPORT_RETENTION_DAYS envs (not set anywhere); removed
legacy export-build summary tool. Our 5 inputs (context, platforms,
push, tags, build-args) are stable in v7.
9 insertions / 9 deletions across 6 workflow files. No app code, Maven, or
non-workflow changes. Verification is CI on the PR plus next release tag
exercising release.yml end-to-end.
fixes#184
Co-authored-by: litebito <litebito@users.noreply.github.com>
Updates GitHub URLs from litebito/airsonic-pulse to
Airsonic-Pulse/airsonic-pulse and GHCR namespace from
ghcr.io/litebito/airsonic-pulse to ghcr.io/airsonic-pulse/airsonic-pulse,
in preparation for the org transfer.
Liquibase changesets, historical release notes (v13.1.0-rc.1.md),
HISTORY.md, intentional upstream-attribution references to
kagemomiji/airsonic-advanced, and the FUNDING.yml / CoC contact email
are explicitly excluded.
fixes#162
Co-authored-by: litebito <litebito@users.noreply.github.com>
* Pin trivy-action to SHA (supply chain hardening)
Pin aquasecurity/trivy-action to full commit SHA instead of
mutable tag, per recommendations from the March 2026 Trivy
supply chain compromise (GHSA-69fq-xp46-6x23).
Our repo was not affected (first workflow run was April 27,
attack window was March 19-20), but pinning prevents future
tag-based attacks.
* fix: updateUser REST endpoint maps streamRole from isStreamRole — fixes#57
---------
Co-authored-by: litebito <litebito@users.noreply.github.com>
- Remove actions/setup-java and apt-get (pre-installed on runner)
- Add Docker image build and push to ghcr.io/litebito/airsonic-pulse
- Multi-arch: amd64, arm64 via QEMU + buildx
- Version tag from git tag, latest only for non-prerelease
- Uses GITHUB_TOKEN for both release creation and GHCR push
Co-authored-by: litebito <litebito@users.noreply.github.com>
- pr_ci.yml: triggers on pull_request to main
- pm_ci.yml: triggers on push to main
- All workflows now use self-hosted runner
- Removed actions/setup-java and actions/cache (pre-installed on runner)
- Deleted ci.yml
Co-authored-by: litebito <litebito@users.noreply.github.com>
Remove stale contrib/ files superseded by current tooling:
- contrib/airsonic.service (superseded by install/systemd/)
- contrib/airsonic-systemd-env (superseded by installer override files)
- contrib/deploy.sh (Tomcat-based, not applicable to standalone WAR)
- contrib/release.md (manual process replaced by GitHub Actions)
Fix upstream references in install/:
- install/docker/Dockerfile: update LABEL url to litebito/airsonic-pulse
- install/compose/docker-compose.hsqldb.yaml: rename service/container,
update image to ghcr.io/litebito/airsonic-pulse
- install/compose/docker-compose.postgres.yaml: update image reference
Fix upstream reference in .github/CONTRIBUTING.md (line 5)
Retire lgtm.yml: LGTM was shut down November 2022; CodeQL workflow
(any_codeql_scan.yml) is the current replacement.
Fix .github/workflows/any_trivy_scan missing .yml extension so GitHub
Actions recognises the workflow file.
Update contrib/i18n_fix_encoding.go: replace deprecated io/ioutil with
io.ReadAll and os.WriteFile (Go 1.16+).
Fix contrib/library_autoupdater.sh: correct misleading comment
("10 minutes") to match actual sleep duration (3600s = 60 minutes).
Updated CI workflow to use self-hosted runner and Java setup action version 5. Removed ffmpeg installation step and added verification step.
Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
Remove the legacy .github/stale.yml Probot configuration and replace
it with a GitHub Actions workflow using actions/stale@v10.
Key changes from the old config:
- Days before close: 180 → 75 (stale period remains 90 days)
- Exempt milestones: false → true (protects 13.x.x and 14.x.x work)
- Exempt assignees: false → true (active assigned work never auto-closes)
- Exempt labels updated to match current label set: security, release,
pinned (dropped dead upstream labels: type: enhancement, accepted,
status: accepted, critical, priority: critical, neverstale)
- Operations per run: 10 → 30
- Close messages added for both issues and PRs (previously unset)
- Separate stale/close messages for issues vs. pull requests
- Runs daily at 02:30 UTC with workflow_dispatch for manual triggers