From 434cb3bd39c910dc64614324175a0bc8bb665d59 Mon Sep 17 00:00:00 2001 From: Gauvain Date: Tue, 16 Jun 2026 17:12:32 +0200 Subject: [PATCH] ci: ARM Android runners, slimmer APK artifacts, Renovate-pinned tool versions (#1733) --- .github/renovate.json | 10 ++- .github/workflows/artifact-comment.yml | 16 ++++- .github/workflows/build-apps.yml | 93 ++++++++++++++++--------- .github/workflows/check-lockfile.yml | 9 ++- .github/workflows/ci-codeql.yml | 5 +- .github/workflows/conflict.yml | 2 +- .github/workflows/crowdin.yml | 2 +- .github/workflows/detect-duplicate.yml | 5 +- .github/workflows/linting.yml | 21 +++--- .github/workflows/notification.yml | 4 +- .github/workflows/release.yml | 14 ++-- .github/workflows/trivy-scan.yml | 18 ++--- .github/workflows/update-issue-form.yml | 5 +- eas.json | 8 +-- scripts/ios/build-ios.ts | 6 +- 15 files changed, 135 insertions(+), 83 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index 45c62042..21c5b931 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -30,9 +30,17 @@ "customType": "regex", "managerFilePatterns": ["/\\.ya?ml$/"], "matchStrings": [ - "# renovate: datasource=(?\\S+) depName=(?\\S+)(?: versioning=(?\\S+))?\\s+xcode-version:\\s*[\"']?(?[^\"'\\s]+)" + "# renovate: datasource=(?\\S+) depName=(?\\S+)(?: versioning=(?\\S+))?\\s+[A-Za-z0-9._-]+:\\s*[\"']?(?[^\"'\\s]+)" ], "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}loose{{/if}}" + }, + { + "customType": "regex", + "description": "Track the Bun version pinned in eas.json build profiles (strict JSON can't hold inline annotations)", + "managerFilePatterns": ["/(^|/)eas\\.json$/"], + "matchStrings": ["\"bun\"\\s*:\\s*\"(?[^\"]+)\""], + "datasourceTemplate": "npm", + "depNameTemplate": "bun" } ], "customDatasources": { diff --git a/.github/workflows/artifact-comment.yml b/.github/workflows/artifact-comment.yml index 72c7ff77..b81eeeaf 100644 --- a/.github/workflows/artifact-comment.yml 
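Review bot: In `.github/renovate.json`, the two managers that now track Bun resolve versions under different schemes. The workflow annotations `# renovate: datasource=npm depName=bun` carry no `versioning=`, so the first manager's `versioningTemplate` falls back to `loose`, while the new `eas.json` manager sets no `versioningTemplate` and uses the datasource default. The CI pin and the EAS profile pin can therefore be offered different updates and drift apart, leaving PR builds and EAS production builds on different toolchains. Adding `versioning=npm` to the Bun annotations (the Node annotation already passes `versioning=node`) would align them. Separately, the key pattern was widened from `xcode-version:` to `[A-Za-z0-9._-]+:`, so a `description` on that manager, like the one on the new entry, would record that matching any annotated key is intended.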
+++ b/.github/workflows/artifact-comment.yml @@ -18,7 +18,7 @@ jobs: comment-artifacts: if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || (github.event_name == 'workflow_run' && github.event.workflow_run.event == 'pull_request') name: 📦 Post Build Artifacts - runs-on: ubuntu-latest + runs-on: ubuntu-26.04 permissions: contents: read pull-requests: write @@ -451,6 +451,20 @@ jobs: commentBody += `- **Android APK**: Download and install directly on your device (enable "Install from unknown sources")\n`; commentBody += `- **iOS IPA**: Install using [AltStore](https://altstore.io/), [Sideloadly](https://sideloadly.io/), or Xcode\n\n`; commentBody += `> ⚠️ **Note**: Artifacts expire in 7 days from build date\n\n`; + + // Collapsible rundown of the build optimisations + what each + // artifact actually installs on, so testers grab the right file. + commentBody += `
\n`; + commentBody += `📦 Build details & device compatibility\n\n`; + commentBody += `These CI builds are trimmed for size and speed. What that means for installing them:\n\n`; + commentBody += `| Artifact | Architectures | Installs on |\n`; + commentBody += `|---|---|---|\n`; + commentBody += `| 🤖 Android Phone APK | \`arm64-v8a\` | Every 64-bit Android phone (all since ~2017). **Not** an x86_64 emulator or a 32-bit device. |\n`; + commentBody += `| 📺 Android TV APK | \`arm64-v8a\` + \`armeabi-v7a\` | Modern boxes **and** older / cheap 32-bit Android TV sticks. No x86_64. |\n`; + commentBody += `| 🍎 iOS / tvOS IPA | \`arm64\` | iPhone / Apple TV (all current devices). |\n\n`; + commentBody += `**Why no x86_64?** That slice only runs on Android emulators / Chromebooks, never a real phone or TV box — dropping it shrinks the APK and speeds up the build. Local \`bun run android\` is unaffected (it still builds x86_64 from \`app.json\`).\n\n`; + commentBody += `**Runners:** Android on \`ubuntu-26.04\`; iOS / tvOS on Apple Silicon (\`macos-26\`). The size/speed win comes from the ABI trim above, not the runner.\n`; + commentBody += `
\n\n`; } else { commentBody += `⏳ **Builds are starting up...** This comment will update automatically as each build completes.\n\n`; } diff --git a/.github/workflows/build-apps.yml b/.github/workflows/build-apps.yml index 0a27bac1..38f1dd23 100644 --- a/.github/workflows/build-apps.yml +++ b/.github/workflows/build-apps.yml @@ -23,7 +23,7 @@ env: jobs: build-android-phone: if: (!contains(github.event.head_commit.message, '[skip ci]')) - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 name: 🤖 Build Android APK (Phone) permissions: contents: read 
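Review bot: In `artifact-comment.yml` (hunk at 451), the added table hard-codes the per-artifact ABI lists and the runner labels (`arm64-v8a`, `arm64-v8a` + `armeabi-v7a`, `ubuntu-26.04`, `macos-26`). These are defined independently in `build-apps.yml` through `ORG_GRADLE_PROJECT_reactNativeArchitectures` and `runs-on`. Nothing ties the two together, so a later change to the build jobs leaves testers with install guidance that no longer matches the file they download. A comment above the block, e.g. `// Keep in sync with ORG_GRADLE_PROJECT_reactNativeArchitectures and runs-on in build-apps.yml`, would make the coupling visible.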
@@ -52,31 +52,40 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.bun/install/cache - key: ${{ runner.os }}-${{ runner.arch }}-bun-develop-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} restore-keys: | - ${{ runner.os }}-${{ runner.arch }}-bun-develop - ${{ runner.os }}-bun-develop + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 📦 Install dependencies and reload submodules run: | bun install --frozen-lockfile bun run submodule-reload + - name: ☕ Set up JDK 17 + # ubuntu-26.04 defaults to JDK 25, which breaks the RN/AGP native build + # (Kotlin falls back to JVM_23, the foojay toolchain + CMake configure + # fail). Pin Temurin 17 for a deterministic Android build. + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: temurin + java-version: "17" + - name: 💾 Cache Gradle global uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | - ~/.gradle/caches + ~/.gradle/caches/modules-2 ~/.gradle/wrapper - key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} + key: ${{ runner.os }}-${{ runner.arch }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} restore-keys: | - ${{ runner.os }}-gradle- + ${{ runner.os }}-${{ runner.arch }}-gradle- - name: 🛠️ Generate project files run: bun run prebuild 
@@ -85,12 +94,16 @@ jobs: uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: android/.gradle - key: ${{ runner.os }}-android-gradle-develop-${{ hashFiles('android/**/build.gradle', 'android/gradle/wrapper/gradle-wrapper.properties') }} - restore-keys: ${{ runner.os }}-android-gradle-develop + key: ${{ runner.os }}-${{ runner.arch }}-android-gradle-develop-${{ hashFiles('android/**/build.gradle', 'android/gradle/wrapper/gradle-wrapper.properties') }} + restore-keys: ${{ runner.os }}-${{ runner.arch }}-android-gradle-develop - name: 🚀 Build APK env: EXPO_TV: 0 + # CI artifact ships arm64 only (phones; emulators/Chromebooks not a + # sideload target). Overrides app.json buildArchs for this build only, + # so local `bun run android` (x86_64 emulator) is unaffected. + ORG_GRADLE_PROJECT_reactNativeArchitectures: arm64-v8a run: bun run build:android:local - name: 📅 Set date tag @@ -106,7 +119,7 @@ jobs: build-android-tv: if: (!contains(github.event.head_commit.message, '[skip ci]')) - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 name: 🤖 Build Android APK (TV) permissions: contents: read 
@@ -135,31 +148,40 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.bun/install/cache - key: ${{ runner.os }}-${{ runner.arch }}-bun-develop-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} restore-keys: | - ${{ runner.os }}-${{ runner.arch }}-bun-develop - ${{ runner.os }}-bun-develop + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 📦 Install dependencies and reload submodules run: | bun install --frozen-lockfile bun run submodule-reload + - name: ☕ Set up JDK 17 + # ubuntu-26.04 defaults to JDK 25, which breaks the RN/AGP native build + # (Kotlin falls back to JVM_23, the foojay toolchain + CMake configure + # fail). Pin Temurin 17 for a deterministic Android build. + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: temurin + java-version: "17" + - name: 💾 Cache Gradle global uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | - ~/.gradle/caches + ~/.gradle/caches/modules-2 ~/.gradle/wrapper - key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} + key: ${{ runner.os }}-${{ runner.arch }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} restore-keys: | - ${{ runner.os }}-gradle- + ${{ runner.os }}-${{ runner.arch }}-gradle- - name: 🛠️ Generate project files run: bun run prebuild:tv 
@@ -168,12 +190,15 @@ jobs: uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: android/.gradle - key: ${{ runner.os }}-android-gradle-develop-${{ hashFiles('android/**/build.gradle', 'android/gradle/wrapper/gradle-wrapper.properties') }} - restore-keys: ${{ runner.os }}-android-gradle-develop + key: ${{ runner.os }}-${{ runner.arch }}-android-gradle-develop-${{ hashFiles('android/**/build.gradle', 'android/gradle/wrapper/gradle-wrapper.properties') }} + restore-keys: ${{ runner.os }}-${{ runner.arch }}-android-gradle-develop - name: 🚀 Build APK env: EXPO_TV: 1 + # TV artifact keeps armeabi-v7a too: many older/cheap Android TV boxes + # and sticks are still 32-bit ARM. Drops only x86_64. CI build only. + ORG_GRADLE_PROJECT_reactNativeArchitectures: arm64-v8a,armeabi-v7a run: bun run build:android:local - name: 📅 Set date tag @@ -206,15 +231,16 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.bun/install/cache - key: ${{ runner.os }}-bun-cache-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} restore-keys: | - ${{ runner.os }}-bun-cache + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 📦 Install dependencies and reload submodules run: | 
@@ -273,15 +299,16 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.bun/install/cache - key: ${{ runner.os }}-bun-cache-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} restore-keys: | - ${{ runner.os }}-bun-cache + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 📦 Install dependencies and reload submodules run: | @@ -335,15 +362,16 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.bun/install/cache - key: ${{ runner.os }}-bun-cache-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} restore-keys: | - ${{ runner.os }}-bun-cache + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 📦 Install dependencies and reload submodules run: | @@ -403,15 +431,16 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.bun/install/cache - key: ${{ runner.os }}-bun-cache-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} restore-keys: | - ${{ runner.os }}-bun-cache + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 📦 Install dependencies and reload submodules run: | 
diff --git a/.github/workflows/check-lockfile.yml b/.github/workflows/check-lockfile.yml index 0cb8afc3..efb5f221 100644 --- a/.github/workflows/check-lockfile.yml +++ b/.github/workflows/check-lockfile.yml @@ -13,7 +13,7 @@ concurrency: jobs: check-lockfile: name: 🔍 Check bun.lock and package.json consistency - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: contents: read @@ -29,14 +29,17 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.bun/install/cache - key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} + restore-keys: | + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 🛡️ Verify lockfile consistency run: | diff --git a/.github/workflows/ci-codeql.yml b/.github/workflows/ci-codeql.yml index f79cf58a..b77665f5 100644 --- a/.github/workflows/ci-codeql.yml +++ b/.github/workflows/ci-codeql.yml @@ -8,11 +8,14 @@ on: schedule: - cron: '24 2 * * *' +concurrency: + group: codeql-${{ github.ref }} + cancel-in-progress: true jobs: analyze: name: 🔎 Analyze with CodeQL - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: contents: read security-events: write diff --git a/.github/workflows/conflict.yml b/.github/workflows/conflict.yml index de854ab6..125ad771 100644 --- a/.github/workflows/conflict.yml +++ b/.github/workflows/conflict.yml @@ -10,7 +10,7 @@ on: jobs: label: name: 🏷️ Labeling Merge Conflicts - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 if: ${{ github.repository == 'streamyfin/streamyfin' }} permissions: contents: read diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml index b0ea48a2..d3792502 100644 --- a/.github/workflows/crowdin.yml +++ b/.github/workflows/crowdin.yml 
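Review bot: In `ci-codeql.yml`, the new `concurrency` block cancels in-progress runs for every event, and the group is keyed only on `github.ref`. The visible `schedule` trigger runs on the default branch, so it shares a group with any other default-branch run. If the workflow also runs on push (the rest of `on:` is outside the hunk), each merge cancels the analysis of the previous commit, and a busy branch can go a long time without a completed scan. Restricting cancellation to pull requests keeps the speed-up without dropping default-branch results: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`.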
@@ -19,7 +19,7 @@ permissions: jobs: sync-translations: - runs-on: ubuntu-latest + runs-on: ubuntu-26.04 steps: - name: 📥 Checkout Repository diff --git a/.github/workflows/detect-duplicate.yml b/.github/workflows/detect-duplicate.yml index 265f9efe..26da4f57 100644 --- a/.github/workflows/detect-duplicate.yml +++ b/.github/workflows/detect-duplicate.yml @@ -15,7 +15,7 @@ jobs: detect: name: 🔍 Find similar issues if: github.actor != 'github-actions[bot]' - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: issues: write contents: read @@ -26,7 +26,8 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 🔍 Detect duplicate issues run: bun scripts/detect-duplicate-issue.mjs diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 8edb8916..d36da31f 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -15,7 +15,7 @@ jobs: validate_pr_title: name: "📝 Validate PR Title" if: github.event_name == 'pull_request' - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: pull-requests: write contents: read @@ -46,7 +46,7 @@ jobs: dependency-review: name: 🔍 Vulnerable Dependencies - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: contents: read steps: @@ -65,8 +65,7 @@ jobs: expo-doctor: name: 🚑 Expo Doctor Check - if: false - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 steps: - name: 🛒 Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 
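Review bot: In `linting.yml`, removing `if: false` from `expo-doctor` turns on a job that has no `permissions:` key between `runs-on` and `steps`, unlike `validate_pr_title` and `dependency-review` in the same file. The job runs `bun install --frozen-lockfile` and `bun expo-doctor` against the checked-out code, so project and dependency code can execute with whatever token scope the workflow or repository default grants. A workflow-level `permissions:` block may exist outside the hunk, but the job would be safer stating its own. Suggest adding `permissions:` with `contents: read` under `runs-on: ubuntu-26.04`. The job's steps continue in the next hunk.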
@@ -78,17 +77,21 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 📦 Install dependencies (bun) run: bun install --frozen-lockfile - name: 🚑 Run Expo Doctor + # Re-enabled but non-blocking: surfaces doctor warnings in the logs + # without failing the gate (some checks are known-noisy for this setup). + continue-on-error: true run: bun expo-doctor code_quality: name: "🔍 Lint & Test (${{ matrix.command }})" - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 strategy: fail-fast: false matrix: @@ -110,12 +113,14 @@ jobs: - name: "🟢 Setup Node.js" uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: '24.x' + # renovate: datasource=node-version depName=node versioning=node + node-version: "24.16.0" - name: "🍞 Setup Bun" uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: "📦 Install dependencies" run: bun install --frozen-lockfile diff --git a/.github/workflows/notification.yml b/.github/workflows/notification.yml index cf0e4624..df9e4fa5 100644 --- a/.github/workflows/notification.yml +++ b/.github/workflows/notification.yml @@ -12,7 +12,7 @@ on: jobs: notify: - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 if: github.event_name == 'pull_request' steps: - name: 🛎️ Notify Discord @@ -29,7 +29,7 @@ jobs: 🔗 ${{ github.event.pull_request.html_url }} notify-on-failure: - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'failure' steps: - name: 🚨 Notify Discord on Failure diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c06e8b34..454f8645 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -22,8 +22,9 @@ on: jobs: approve: name: 🔐 Approve release - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 environment: production + permissions: {} steps: - name: ✅ Release approved run: echo "Release approved for ${{ github.sha }}" @@ -31,7 +32,7 @@ jobs: build: name: 🚀 ${{ matrix.name }} needs: approve - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: contents: read strategy: @@ -72,15 +73,16 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 💾 Cache Bun dependencies uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.bun/install/cache - key: ${{ runner.os }}-bun-cache-${{ hashFiles('bun.lock') }} + key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }} restore-keys: | - ${{ runner.os }}-bun-cache + ${{ runner.os }}-${{ runner.arch }}-bun- - name: 📦 Install dependencies and reload submodules run: | @@ -176,7 +178,7 @@ jobs: name: 📦 Draft GitHub Release needs: build if: ${{ !cancelled() }} - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: contents: write actions: read # required for `gh run download` to list/fetch this run's artifacts diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 4972e14f..2f02dcfc 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -21,7 +21,7 @@ concurrency: jobs: trivy: name: 🔎 Filesystem scan - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: contents: read security-events: write # upload SARIF to code scanning 
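Review bot: In `release.yml`, the `build` job's Bun cache key changes from `…-bun-cache-…` to `${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }}`. That is the same key and `restore-keys` prefix this commit gives the `ubuntu-26.04` jobs in `build-apps.yml` and `check-lockfile.yml`. Release builds that sit behind the `production` environment approval can now restore `~/.bun/install/cache` entries written by those routine CI runs whenever such an entry is visible from the release ref, so the release's dependency inputs depend on the integrity of less protected workflows. Consider a release-only prefix, e.g. `key: ${{ runner.os }}-${{ runner.arch }}-bun-release-${{ hashFiles('bun.lock') }}` with a matching `restore-keys`. Alternatively, drop the cache step from the release job so packages are fetched fresh under `--frozen-lockfile`.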
@@ -29,19 +29,9 @@ jobs: - name: 📥 Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week - # instead of a fresh immutable entry per run, still refreshing the DB every week. - - name: 🗓️ Compute weekly Trivy cache key - id: trivy-cache-key - run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT" - - - name: 💾 Cache Trivy vulnerability DB - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - with: - path: ~/.cache/trivy - key: ${{ steps.trivy-cache-key.outputs.value }} - restore-keys: trivy-db-${{ runner.os }}- - + # Trivy's own action caches the vulnerability DB + binary internally + # (cache-trivy-* / trivy-binary-* entries), so no manual ~/.cache/trivy + # step is needed — it only duplicated the cache. - name: 🔎 Run Trivy filesystem scan uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: diff --git a/.github/workflows/update-issue-form.yml b/.github/workflows/update-issue-form.yml index 8b5af9c8..0754735e 100644 --- a/.github/workflows/update-issue-form.yml +++ b/.github/workflows/update-issue-form.yml @@ -20,7 +20,7 @@ permissions: jobs: update-issue-form: name: 🔢 Populate version dropdown - runs-on: ubuntu-24.04 + runs-on: ubuntu-26.04 permissions: contents: write pull-requests: write @@ -36,7 +36,8 @@ jobs: - name: 🍞 Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: - bun-version: latest + # renovate: datasource=npm depName=bun + bun-version: "1.3.14" - name: 🔢 Populate version dropdown from GitHub releases id: populate diff --git a/eas.json b/eas.json index f4099eda..23e28e82 100644 --- a/eas.json +++ b/eas.json @@ -52,7 +52,7 @@ } }, "production": { - "bun": "1.3.5", + "bun": "1.3.14", "environment": "production", "autoIncrement": true, "android": { 
@@ -64,7 +64,7 @@ } }, "production-apk": { - "bun": "1.3.5", + "bun": "1.3.14", "environment": "production", "autoIncrement": true, "android": { @@ -74,7 +74,7 @@ } }, "production-apk-tv": { - "bun": "1.3.5", + "bun": "1.3.14", "environment": "production", "autoIncrement": true, "android": { @@ -87,7 +87,7 @@ } }, "production_tv": { - "bun": "1.3.5", + "bun": "1.3.14", "environment": "production", "autoIncrement": true, "env": { diff --git a/scripts/ios/build-ios.ts b/scripts/ios/build-ios.ts index 33110507..f5592ae3 100644 --- a/scripts/ios/build-ios.ts +++ b/scripts/ios/build-ios.ts @@ -302,7 +302,7 @@ function parseArgs(argv: string[]): BuildOptions { if (!configArg) { throw new Error("--configuration requires an argument"); } - options.configuration = (configArg as "Debug" | "Release") || "Debug"; + options.configuration = configArg as "Debug" | "Release"; break; } case "--device": @@ -997,10 +997,6 @@ async function waitForSimulatorBoot( } } catch { // Simulator not found or not booted yet, continue polling - if (pollIntervalMs > 1000) { - // Only log if we've been waiting a while to avoid spam - // console.warn("Simulator polling failed, retrying..."); - } } // Wait before next poll
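Review bot: In `parseArgs` (`scripts/ios/build-ios.ts`), `options.configuration = configArg as "Debug" | "Release";` still accepts any non-empty string. The cast is erased at compile time and the only runtime check above it is `!configArg`. A value such as `--configuration release` would flow on as the build configuration, presumably into the Xcode invocation later in the script. Replace the cast with a runtime check, `if (configArg !== "Debug" && configArg !== "Release") throw new Error("--configuration must be Debug or Release");`, followed by `options.configuration = configArg;`. The body of `parseArgs` starts and ends outside the hunk.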