fix(detect-duplicate): sanitize reposted issue titles

Security audit: the bot echoes other issues' titles back into a comment, so a
maliciously-named issue could ping (@everyone) or inject markdown/HTML. Break
@-mentions with a zero-width space and strip markdown/HTML control chars before
posting.

.github/ISSUE_TEMPLATE/issue_report.yml

@@ -77,12 +77,10 @@ body:
       label: Streamyfin Version
       description: What version of Streamyfin are you running?
       options:
-        - 0.54.1 (TestFlight)
-        - 0.51.0
         - 0.47.1
         - 0.30.2
-        - 0.28.0
         - older
+        - TestFlight/Development build
     validations:
       required: true
 

.github/workflows/detect-duplicate.yml

@@ -0,0 +1,38 @@
+name: 🔁 Detect Duplicate Issues
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: detect-duplicate-${{ github.event.issue.number }}
+  cancel-in-progress: true
+
+jobs:
+  detect:
+    name: 🔍 Find similar issues
+    if: github.actor != 'github-actions[bot]'
+    runs-on: ubuntu-24.04
+    permissions:
+      issues: write
+      contents: read
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: 🍞 Setup Bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+        with:
+          bun-version: latest
+
+      - name: 🔍 Detect duplicate issues
+        run: bun scripts/detect-duplicate-issue.mjs
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_BODY: ${{ github.event.issue.body }}

.github/workflows/update-issue-form.yml

@@ -1,91 +1,67 @@
-name: 🐛 Update Issue Form Versions
+name: 🐛 Update Bug Report Template
 
 on:
   release:
-    # Also fire on drafts/prereleases so versions that aren't a full release yet
+    types: [published]  # Run on every published release on any branch
-    # (TestFlight / dev builds) still land in the dropdown.
-    types: [published, released, prereleased, created, deleted]
-  schedule:
-    - cron: "0 3 * * 1" # Weekly safety net (Mondays 03:00 UTC) in case a release event was missed
-  workflow_dispatch:
 
 concurrency:
    group: update-issue-form-${{ github.event.release.tag_name || github.run_id }}
    cancel-in-progress: true
 
-permissions:
-  contents: read
-
 jobs:
-  update-issue-form:
+  update-bug-report:
-    name: 🔢 Populate version dropdown
-    runs-on: ubuntu-24.04
     permissions:
       contents: write
       pull-requests: write
+      issues: write
+    runs-on: ubuntu-24.04
+
     steps:
       - name: 📥 Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: 🍞 Setup Bun
+      - name: "🟢 Setup Node.js"
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          bun-version: latest
+          node-version: '24.x'
+          cache: 'npm'
 
-      - name: 🔢 Populate version dropdown from GitHub releases
+      - name: 🔍 Extract minor version from app.json
-        id: populate
+        id: minor
-        run: bun scripts/update-issue-form.mjs
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # main
-        env:
+        with:
-          GH_TOKEN: ${{ github.token }}
+          result-encoding: string
-          GITHUB_REPOSITORY: ${{ github.repository }}
+          script: |
+            const fs = require('fs-extra');
+            const semver = require('semver');
+            const content = fs.readJsonSync('./app.json');
+            const version = content.expo.version;
+            const minorVersion = semver.minor(version);
+            return minorVersion.toString();
 
-      - name: 📬 Create pull request
+      - name: 📝 Update bug report version
-        id: cpr
+        uses: ShaMan123/gha-populate-form-version@be012141ca560dbb92156e3fe098c46035f6260d #v2.0.5
+        with:
+          semver: '^0.${{ steps.minor.outputs.result }}.0'
+          dry_run: no-push
+
+      - name: ⚙️ Update bug report node version dropdown
+        uses: ShaMan123/gha-populate-form-version@be012141ca560dbb92156e3fe098c46035f6260d #v2.0.5
+        with:
+          dropdown: _node_version
+          package: node
+          semver: '>=24.0.0'
+          dry_run: no-push
+
+      - name: 📬 Commit and create pull request
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
-          add-paths: .github/ISSUE_TEMPLATE/issue_report.yml
+          add-paths: .github/ISSUE_TEMPLATE/bug_report.yml
-          branch: ci/update-issue-form
+          branch: ci-update-bug-report
           base: develop
           delete-branch: true
           labels: ⚙️ ci, 🤖 github-actions
-          commit-message: "chore: update issue form version dropdown"
+          title: 'chore(): Update bug report template to match release version'
-          title: "chore: update issue form version dropdown"
-          # Follows .github/pull_request_template.md so the bot PR isn't flagged by PR validation.
           body: |
-            # 📦 Pull Request
+            Automated update to `.github/ISSUE_TEMPLATE/bug_report.yml`
-
+            Triggered by workflow run [${{ github.run_id }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
-            ## 📝 Description
-
-            Automated update of the **Streamyfin Version** dropdown in `.github/ISSUE_TEMPLATE/issue_report.yml`, populated from the latest GitHub releases by `scripts/update-issue-form.mjs` (draft releases shown as `X (TestFlight)`).
-
-            **Version dropdown now lists:** ${{ steps.populate.outputs.versions }}
-
-            Triggered by `${{ github.event_name }}`${{ github.event.release.tag_name && format(' — release {0}', github.event.release.tag_name) || '' }} · [run ${{ github.run_id }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}).
-
-            ## 🏷️ Ticket / Issue
-
-            N/A — automated maintenance.
-
-            ### 🖼️ Screenshots / GIFs (if UI)
-
-            N/A — issue-template metadata only, no app UI.
-
-            ## ✅ Checklist
-
-            - [x] I’ve read the [contribution guidelines](CONTRIBUTING.md)
-            - [x] Verified that changes behave as expected for all platforms
-            - [x] Code passes lint/formatting and type checks (`tsc`/`biome`)
-            - [x] No secrets, hardcoded credentials, or private config files are included
-            - [x] I've declared if AI was used to assist with this PR (by uncommenting the line at the bottom, or not)
-
-            ## 🔍 Testing Instructions
-
-            N/A — generated by CI from published releases; review the dropdown diff in `issue_report.yml`.
-
-      - name: 🔀 Enable auto-merge
-        if: steps.cpr.outputs.pull-request-operation == 'created'
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}" \
-            || echo "::warning::Could not enable auto-merge — enable 'Allow auto-merge' in repo settings (and branch protection); merge the PR manually for now."

components/video-player/controls/Controls.tv.tsx

@@ -1254,7 +1254,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}
@@ -1448,7 +1448,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}

scripts/detect-duplicate-issue.mjs

@@ -0,0 +1,202 @@
+#!/usr/bin/env bun
+/**
+ * Flags likely-duplicate issues when a new issue is opened, using lexical similarity
+ * (Jaccard over word sets of the title and body) — no API key, no embeddings.
+ *
+ * On a match it posts ONE comment listing the closest open issues and adds the
+ * "possible duplicate" label. If nothing is similar enough, it does nothing.
+ *
+ * Env:
+ *   GITHUB_REPOSITORY   owner/repo
+ *   ISSUE_NUMBER        the new issue number
+ *   ISSUE_TITLE         the new issue title
+ *   ISSUE_BODY          the new issue body
+ *   GH_TOKEN/GITHUB_TOKEN  for gh (provided in CI)
+ *   DUP_THRESHOLD       similarity threshold 0..1 (default 0.3)
+ *   DUP_MAX             max matches to report (default 5)
+ *   DUP_FIXTURE         optional path to a JSON array of {number,title,body} (local testing)
+ *   DRY_RUN             if set, print results instead of commenting/labelling
+ */
+
+import { execFileSync } from "node:child_process";
+import { readFileSync } from "node:fs";
+
+const REPO = process.env.GITHUB_REPOSITORY || "streamyfin/streamyfin";
+const NUMBER = Number(process.env.ISSUE_NUMBER);
+const TITLE = process.env.ISSUE_TITLE || "";
+const BODY = process.env.ISSUE_BODY || "";
+const THRESHOLD = Number(process.env.DUP_THRESHOLD) || 0.3;
+const MAX = Number(process.env.DUP_MAX) || 5;
+const DRY = !!process.env.DRY_RUN;
+const LABEL = "possible duplicate";
+
+// Generic stop words only — keep domain/feature/platform words (android, downloads,
+// subtitles…) since those are exactly what makes two reports the same or different.
+const STOP = new Set(
+  (
+    "a an the and or but if then of to in on at by for with from as is are was were be been being do does did " +
+    "it its this that these those i you we they me my your our their he she him her " +
+    "when while where what which who how why so just then than too very can could would should will " +
+    "not no nor only own same s t don dont im ive please thanks hi hello also still get got use used using " +
+    "app application streamyfin issue bug"
+  ).split(/\s+/),
+);
+
+const stem = (w) => w.replace(/(ing|ed|es|s)$/, "");
+
+const tokens = (s) =>
+  (s || "")
+    .toLowerCase()
+    .replace(/```[\s\S]*?```/g, " ") // drop code blocks
+    .replace(/<!--[\s\S]*?-->/g, " ") // drop html comments
+    .replace(/https?:\/\/\S+/g, " ") // drop urls
+    .replace(/[^a-z0-9\s]/g, " ")
+    .split(/\s+/)
+    .filter((w) => w.length > 2 && !STOP.has(w))
+    .map(stem)
+    .filter((w) => w.length > 2);
+
+const jaccard = (a, b) => {
+  const A = new Set(a);
+  const B = new Set(b);
+  if (!A.size || !B.size) return 0;
+  let inter = 0;
+  for (const x of A) if (B.has(x)) inter++;
+  return inter / (A.size + B.size - inter);
+};
+
+const newTitle = tokens(TITLE);
+const newBody = tokens(BODY);
+const score = (o) =>
+  0.6 * jaccard(newTitle, tokens(o.title)) +
+  0.4 * jaccard(newBody, tokens(o.body));
+
+// fetch open issues (excluding PRs and the new issue itself)
+let issues;
+if (process.env.DUP_FIXTURE) {
+  issues = JSON.parse(readFileSync(process.env.DUP_FIXTURE, "utf8"));
+} else {
+  const raw = execFileSync(
+    "gh",
+    [
+      "api",
+      `repos/${REPO}/issues`,
+      "--paginate",
+      "-X",
+      "GET",
+      "-f",
+      "state=open",
+      "-f",
+      "per_page=100",
+      "--jq",
+      ".[] | select(.pull_request | not) | {number, title, body}",
+    ],
+    { encoding: "utf8", maxBuffer: 1e8 },
+  );
+  issues = raw
+    .split("\n")
+    .filter(Boolean)
+    .map((l) => JSON.parse(l));
+}
+
+const matches = issues
+  .filter((o) => o.number !== NUMBER)
+  .map((o) => ({ ...o, s: score(o) }))
+  .filter((o) => o.s >= THRESHOLD)
+  .sort((a, b) => b.s - a.s)
+  .slice(0, MAX);
+
+if (!matches.length) {
+  console.log("No likely duplicates found.");
+  process.exit(0);
+}
+
+// Neutralise other issues' titles before echoing them back: break @mentions and
+// strip markdown/HTML control chars so a maliciously-named issue can't ping people
+// or inject formatting into our comment. GitHub linkifies "#123" on its own.
+const safeTitle = (t) =>
+  (t || "")
+    .replace(/@/g, "@​")
+    .replace(/[`<>|*_~[\]]/g, " ")
+    .replace(/\s+/g, " ")
+    .trim()
+    .slice(0, 140);
+const list = matches
+  .map(
+    (m) =>
+      `- #${m.number} — ${safeTitle(m.title)} (≈ ${Math.round(m.s * 100)}% similar)`,
+  )
+  .join("\n");
+const comment = [
+  "<!-- duplicate-detector -->",
+  "🔍 **This looks like it might be a duplicate.** Possibly related open issues:",
+  "",
+  list,
+  "",
+  "If yours is different, ignore this — a maintainer will confirm. Otherwise, please 👍 the existing issue and add any extra details there.",
+].join("\n");
+
+console.log(`Found ${matches.length} possible duplicate(s):\n${list}`);
+
+if (DRY) {
+  console.log("\nDRY_RUN: not commenting/labelling.");
+  process.exit(0);
+}
+
+execFileSync(
+  "gh",
+  [
+    "api",
+    "-X",
+    "POST",
+    `repos/${REPO}/issues/${NUMBER}/comments`,
+    "-f",
+    `body=${comment}`,
+  ],
+  { stdio: "ignore" },
+);
+try {
+  execFileSync(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `repos/${REPO}/issues/${NUMBER}/labels`,
+      "-f",
+      `labels[]=${LABEL}`,
+    ],
+    { stdio: "ignore" },
+  );
+} catch {
+  // label may not exist yet — create then add
+  execFileSync(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `repos/${REPO}/labels`,
+      "-f",
+      `name=${LABEL}`,
+      "-f",
+      "color=fbca04",
+      "-f",
+      "description=Automatically flagged as a possible duplicate",
+    ],
+    { stdio: "ignore" },
+  );
+  execFileSync(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `repos/${REPO}/issues/${NUMBER}/labels`,
+      "-f",
+      `labels[]=${LABEL}`,
+    ],
+    { stdio: "ignore" },
+  );
+}
+console.log("Commented and labelled.");

scripts/update-issue-form.mjs

@@ -1,119 +0,0 @@
-#!/usr/bin/env bun
-/**
- * Populates the "Streamyfin Version" dropdown in the issue report form with the
- * latest GitHub releases. Run by the "Update Issue Form Versions" workflow on
- * release events + a weekly cron (and manually via workflow_dispatch).
- *
- * Source: GitHub releases, newest first, INCLUDING drafts and prereleases — those
- * are the builds release.yml pushes to TestFlight (iOS) / beta (Android), and the
- * app shows that same version to users. Draft releases are labelled "X (TestFlight)".
- * Non-version sentinels (e.g. "older") are preserved at the end of the list.
- *
- * Usage:
- *   bun scripts/update-issue-form.mjs            # rewrite the form in place
- *   ISSUE_FORM_LIMIT=8 bun scripts/update-issue-form.mjs
- *   bun scripts/update-issue-form.mjs --dry-run  # print the new options, don't write
- *
- * Env: GITHUB_REPOSITORY (owner/repo), GH_TOKEN/GITHUB_TOKEN (for gh, provided in CI).
- */
-
-import { execFileSync } from "node:child_process";
-import {
-  appendFileSync,
-  readFileSync as read,
-  writeFileSync as write,
-} from "node:fs";
-
-const FORM = ".github/ISSUE_TEMPLATE/issue_report.yml";
-const DROPDOWN_ID = "version"; // the `id:` of the dropdown to populate
-const parsedLimit = Number.parseInt(process.env.ISSUE_FORM_LIMIT ?? "", 10);
-const LIMIT =
-  Number.isInteger(parsedLimit) && parsedLimit > 0 ? parsedLimit : 5;
-const REPO = process.env.GITHUB_REPOSITORY || "streamyfin/streamyfin";
-const DRY = process.argv.includes("--dry-run");
-
-// Matches "0.54.1" and prerelease/beta tags like "0.54.0-beta.1".
-const isVersion = (s) => /^\d+\.\d+/.test(s.trim());
-
-// 1. Fetch releases (newest first) with their draft flag. Drafts are the builds pushed
-//    to TestFlight (iOS) / beta (Android) by release.yml, so they aren't a full release
-//    yet — we label those "X (TestFlight)". (Listing drafts needs the token to have repo
-//    write access, which the workflow grants.)
-const raw = execFileSync(
-  "gh",
-  [
-    "api",
-    `repos/${REPO}/releases`,
-    "--paginate",
-    "--jq",
-    ".[] | [.tag_name, .draft] | @tsv",
-  ],
-  { encoding: "utf8" },
-);
-const seen = new Set();
-const versions = [];
-for (const line of raw.split("\n")) {
-  const [tag, draft] = line.split("\t");
-  if (!tag) continue;
-  const ver = tag.trim().replace(/^v/, "");
-  if (!isVersion(ver) || seen.has(ver)) continue;
-  seen.add(ver);
-  versions.push(draft === "true" ? `${ver} (TestFlight)` : ver);
-  if (versions.length >= LIMIT) break;
-}
-
-if (!versions.length) {
-  console.error("No release versions found — leaving the form untouched.");
-  process.exit(1);
-}
-
-// 2. rewrite the dropdown options, preserving non-version sentinels (e.g. "older").
-//    The old generic "TestFlight/Development build" entry is dropped — TestFlight
-//    versions are now shown individually as "X (TestFlight)".
-const lines = read(FORM, "utf8").split("\n");
-const idIdx = lines.findIndex((l) =>
-  l.match(new RegExp(`^\\s*id:\\s*${DROPDOWN_ID}\\s*$`)),
-);
-if (idIdx === -1)
-  throw new Error(`dropdown id: ${DROPDOWN_ID} not found in ${FORM}`);
-const optIdx = lines.findIndex(
-  (l, i) => i > idIdx && /^\s*options:\s*$/.test(l),
-);
-if (optIdx === -1)
-  throw new Error(`options: not found after id: ${DROPDOWN_ID}`);
-
-const itemIndent = lines[optIdx].match(/^\s*/)[0] + "  "; // options items are nested one level deeper
-let end = optIdx + 1;
-const sentinels = [];
-while (end < lines.length && /^\s*-\s+/.test(lines[end])) {
-  const val = lines[end].replace(/^\s*-\s+/, "");
-  if (!isVersion(val) && !/testflight/i.test(val)) sentinels.push(val);
-  end++;
-}
-
-const newOptions = [...versions, ...sentinels].map(
-  (v) => `${itemIndent}- ${v}`,
-);
-const updated = [
-  ...lines.slice(0, optIdx + 1),
-  ...newOptions,
-  ...lines.slice(end),
-].join("\n");
-
-console.log(
-  `Versions: ${versions.join(", ")}${sentinels.length ? ` | kept: ${sentinels.join(", ")}` : ""}`,
-);
-if (DRY) {
-  console.log("--dry-run: not writing.");
-} else {
-  write(FORM, updated);
-  console.log(`Updated ${FORM}.`);
-}
-
-// Expose the resulting list for the workflow (PR description).
-if (process.env.GITHUB_OUTPUT) {
-  appendFileSync(
-    process.env.GITHUB_OUTPUT,
-    `versions=${versions.join(", ")}\n`,
-  );
-}