Skip to content

chore: sync develop with main#301

Merged
chodeus merged 9 commits into
developfrom
main
Jul 4, 2026
Merged

chore: sync develop with main#301
chodeus merged 9 commits into
developfrom
main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Automated back-merge of main into develop. Sync direction is main -> develop and shared files are byte-identical, so this should merge cleanly. Review and merge to bring main's changes (releases, fixes, dependency bumps) onto develop. Opened by the sync-develop workflow.

github-actions Bot and others added 9 commits July 1, 2026 20:29
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…sy, logout cache, CI perms

- database: escape %/_ on SELECT-side LIKE (poster_cache, media_cache) and delete_poster
  (posters.py) via the repo's esc() + ESCAPE
- posters.py: guard poster optimize from overwriting a different pre-existing file
- plex_metadata.py: don't negative-cache a transient Plex-DB-copy failure
- InputBase.jsx: value ?? '' so a legitimate 0 renders (0-is-falsy)
- AuthContext.jsx: clear the apiCore GET cache on logout
- stale.yml / repo-events.yml: least-privilege permissions blocks
…ache test)

scan_bundles legitimately caches a Metadata-dir walk even when the Plex DB copy
is None (test_plex_metadata_scan_job_warms_cache pins this); my change skipped
that cache. Reverting to keep CI green — the transient-DB-failure negative-cache
needs a dedicated fix that distinguishes a transient copy failure from a genuine
no-DB scan and updates the test. Other 7 audit fixes stay.
…iled

When the Plex DB copy fails (locked/unwritable) but posters exist on disk, the
scan has no in-use data and flags every poster as deletable bloat with a blank
title. Caching that for the 5-min TTL let the in-use-unguarded per-variant delete
remove active custom artwork. Now returns an unavailable result and skips the
cache when db_path is None AND posters are present; an empty Metadata tree can't
misclassify anything so it still caches. Regression test added.

Refines the earlier reverted change (which over-broadly skipped caching for an
empty tree and broke the cache-warming test).
…lim image

- branch-isolation-guard now runs on every ref (no job-level if) and no-ops on
  non-main-bound refs, so it is a satisfiable needs: dependency. Add it to the
  needs of docker-validate, docker-push, and notify-failure — a develop-only
  extension leaking to main now blocks (and reports) the publish instead of
  racing it.
- Add pyproject.toml, requirements-*.txt, Makefile and compose.yaml to both CI
  path filters so config/dependency-only PRs still run the gate.
- Drop the builder's npm-ci frontend/node_modules from the runtime image
  (.dockerignore only filters the host context, not --from=builder) and fix the
  misleading comment.
Extensions that serve <img>/SSE endpoints need their routes on AuthMiddleware's
scope="stream" token allowlist, but STREAM_PATH_PREFIXES is a core (main) file
with no extension seam. Add a generic stream_prefixes() manifest hook + the
extension_stream_prefixes() aggregate, and have AuthMiddleware merge it into the
allowlist. No-op on main (no manifests); lets a develop-only extension serve
token-proxied images without hardcoding its prefix in core.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…f9d (#303)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
The delete-local endpoint already authorizes by realpath-membership against
gdrive_list, so the deleted path was never arbitrary — but it passed the
request-derived realpath (req_real) to shutil.rmtree, which CodeQL flags as
py/path-injection and which reuses a path resolved several lines earlier.
Delete the matched CONFIGURED location's realpath instead: identical value by
the membership match, but a trusted source, re-resolved immediately before the
rmtree. Clears the two py/path-injection alerts and tightens the destructive op.
@chodeus chodeus merged commit 6dee5a0 into develop Jul 4, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant