ci(security): add Trivy filesystem scan to code scanning

Streamyfin ships no container image, so this runs a Trivy *filesystem* scan
(vulnerable deps, secrets, misconfig) and uploads SARIF to GitHub code scanning,
complementing CodeQL and dependency-review. Runs on push to develop/master,
weekly, and on demand (not on PRs — fork PRs can't upload SARIF, and
dependency-review already gates PR dependencies). Reports findings (CRITICAL/HIGH,
ignore-unfixed) without failing the build; the Security tab surfaces them.

.gitattributes

@@ -1,28 +1 @@
-# Normalise line endings to LF for everyone. Files are stored as LF in git and
+.modules/vlc-player/Frameworks/*.xcframework filter=lfs diff=lfs merge=lfs -text
-# checked out as LF on every OS, so Windows clones stop producing CRLF churn
-# (no more "LF will be replaced by CRLF" warnings) regardless of core.autocrlf.
-* text=auto eol=lf
-
-# Windows-only scripts must stay CRLF
-*.bat text eol=crlf
-*.cmd text eol=crlf
-
-# Binary assets — never touched / never normalised
-*.png binary
-*.jpg binary
-*.jpeg binary
-*.gif binary
-*.webp binary
-*.ico binary
-*.icns binary
-*.ttf binary
-*.otf binary
-*.woff binary
-*.woff2 binary
-*.mp3 binary
-*.mp4 binary
-*.mov binary
-*.pdf binary
-*.keystore binary
-*.jks binary
-*.p12 binary

.github/workflows/trivy-scan.yml

@@ -0,0 +1,62 @@
+name: 🛡️ Trivy Security Scan
+
+# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
+# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
+# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
+# upload needs a write token that fork PRs don't get).
+on:
+  push:
+    branches: [develop, master]
+    paths:
+      - "package.json"
+      - "bun.lock"
+      - "**/*.ts"
+      - "**/*.tsx"
+      - "**/*.js"
+      - "**/*.jsx"
+      - ".github/workflows/trivy-scan.yml"
+  schedule:
+    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: trivy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: 🔎 Filesystem scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write # upload SARIF to code scanning
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: 💾 Cache Trivy vulnerability DB
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.cache/trivy
+          key: trivy-db-${{ github.run_id }}
+          restore-keys: trivy-db-
+
+      - name: 🔎 Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln,secret,misconfig
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: 📤 Upload results to code scanning
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-fs

.gitignore

@@ -1,5 +1,6 @@
 # Dependencies and Package Managers
 node_modules/
+bun.lock
 bun.lockb
 package-lock.json
 
@@ -20,8 +21,10 @@ web-build/
 # Gradle caches (top-level + per-module native projects)
 **/.gradle/
 
-# Native module build outputs (any module)
+# Module-specific Builds
-modules/*/android/build/
+modules/mpv-player/android/build
+modules/player/android
+modules/hls-downloader/android/build
 
 # Generated Applications
 Streamyfin.app
@@ -66,6 +69,10 @@ certs/
 
 # Version and Backup Files
 /version-backup-*
+/modules/sf-player/android/build
+/modules/music-controls/android/build
+modules/background-downloader/android/build/*
+/modules/mpv-player/android/build
 
 # ios:unsigned-build Artifacts
 build/

components/video-player/controls/Controls.tv.tsx

@@ -1254,7 +1254,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}
@@ -1448,7 +1448,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}