Addresses review: github.rest.issues.listComments only returns the first page,
so the sticky-comment marker could be missed on busy PRs — use github.paginate.
And guard readFileSync so a missing/unreadable body file exits 2 (per the doc)
instead of crashing without JSON.

Security audit fixes:
- The jobs gated on github.event_name == 'pull_request' but the trigger is
pull_request_target, so they never ran (validation was silently disabled).
Gate on 'pull_request_target'.
- Replace the loop-until-stable HTML-comment strip with a single linear pass
(+ trailing-unterminated strip): still leaves no <!-- (CodeQL-clean) but
removes the quadratic re-scan a crafted nested-comment body could abuse.

New .github/workflows/pr-validation.yml (pull_request_target, like seerr, so it
works on fork PRs without checking out fork code): moves the Conventional-Commits
title check out of the quality gate and adds a PR template check
(scripts/check-pr-template.mjs) — Description/Ticket/Testing filled, contribution
+ AI-disclosure boxes ticked (maintainers bypass AI), and Screenshots required
when the PR changes UI (.tsx under app/ or components/). Posts a sticky comment +
'blocked: template' label on failure, clears on success; skips bots + synchronize.
Robust comment stripping (CodeQL-safe). Inspired by seerr's pr-validation.
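
The single linear pass plus trailing-unterminated strip described in the security audit fixes and in the "Robust comment stripping" note above, as an added JavaScript example. It is not the code in scripts/check-pr-template.mjs; the function name stripHtmlComments and the sample bodies are assumptions made for illustration.

```javascript
// Added example, not the project's code. stripHtmlComments is a hypothetical name.
function stripHtmlComments(body) {
  const OPEN = '<!--';
  const CLOSE = '-->';
  const kept = [];
  let pos = 0;

  // Pass 1: copy the text outside comments. The two indexOf scans cover
  // disjoint, forward-only ranges, so the total work is linear in body.length.
  while (pos < body.length) {
    const start = body.indexOf(OPEN, pos);
    if (start === -1) {
      kept.push(body.slice(pos)); // no more openers: keep the tail
      break;
    }
    kept.push(body.slice(pos, start));
    const end = body.indexOf(CLOSE, start + OPEN.length);
    if (end === -1) break; // unterminated comment: drop opener to end of body
    pos = end + CLOSE.length;
  }

  let out = kept.join('');

  // Pass 2: removing a comment can splice a new opener together
  // ("<!" + "--"). Instead of looping until stable, cut at the first
  // residual opener. The kept prefix cannot contain "<!--", so one cut suffices.
  const residual = out.indexOf(OPEN);
  if (residual !== -1) out = out.slice(0, residual);
  return out;
}

// Constructed sample: a template hint comment followed by real content.
console.log(JSON.stringify(stripHtmlComments('## Description\n<!-- explain -->\nFixes login')));
```

The second pass trades fidelity for safety: text after a spliced opener is discarded, which for a "is this section filled in" check errs toward treating the section as empty.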
Build #9 proved `-weak_framework SwiftUICore` does NOT bypass the allowed-client
check, and applying it to the tvOS app target regressed tvOS — reverted that
plugin (withSwiftUICoreWeakLink).

Confirmed root cause from build #8/#9 logs: both iOS jobs fail at the app
*executable* link (`Ld … Streamyfin`), not at any pod. SwiftUI was split into
SwiftUI + SwiftUICore on iOS 26; the SwiftUI pods emit a `-framework SwiftUICore`
autolink directive that, under use_frameworks :static, is inherited by the app's
static link, and the app isn't an allowed client of the private SwiftUICore.tbd.
Fix: in the pod post_install, compile pods with
`-Xfrontend -disable-autolink-framework -Xfrontend SwiftUICore` so they stop
emitting that direct autolink. SwiftUICore symbols then resolve through SwiftUI's
re-export (SwiftUI.tbd re-exports SwiftUICore). Scoped to phone
(ENV['EXPO_TV'] != '1') to leave the green tvOS build untouched.

Also harden scripts/ios/build-ios.ts: displayBuildError now surfaces the
"Undefined symbols for architecture …" linker block, which the error:-only
pattern filter was swallowing (so unsigned-build failures show the real symbol).