chore(security): harden helpers + document conflict-labeler safety

From the workflow security audit:
- symlink-native-dirs.js: drop the execSync shell strings for fs.symlink/mkdir
  (removes a latent shell-injection surface; also clears dead commented code).
- automerge.sh: add 'set -euo pipefail' and restore the starting branch on exit
  so a mid-merge failure can't leave the repo on the wrong branch.
- conflict.yml: document that this pull_request_target workflow must never check
  out or run PR-head code (it only labels via the API today).

.github/workflows/conflict.yml

@@ -1,24 +1,29 @@
-name: 🏷️🔀Merge Conflict Labeler
-
-on:
-  push:
-    branches: [develop]
-  pull_request_target:
-    branches: [develop]
-    types: [synchronize]
-
-jobs:
-  label:
-    name: 🏷️ Labeling Merge Conflicts
-    runs-on: ubuntu-24.04
-    if: ${{ github.repository == 'streamyfin/streamyfin' }}
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: 🚩 Apply merge conflict label
-        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
-        with:
-          dirtyLabel: '⚔️ merge-conflict'
-          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
-          repoToken: '${{ secrets.GITHUB_TOKEN }}'
+name: 🏷️🔀Merge Conflict Labeler
+
+on:
+  push:
+    branches: [develop]
+  # SECURITY: pull_request_target runs with the base repo's write token and secrets.
+  # This job only labels via the API and is safe ONLY because it never checks out or
+  # runs the PR head's code. NEVER add `actions/checkout` of the PR head (or any `run:`
+  # that interpolates PR-controlled data) to this workflow — that would turn it into a
+  # full repo-compromise vector.
+  pull_request_target:
+    branches: [develop]
+    types: [synchronize]
+
+jobs:
+  label:
+    name: 🏷️ Labeling Merge Conflicts
+    runs-on: ubuntu-24.04
+    if: ${{ github.repository == 'streamyfin/streamyfin' }}
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: 🚩 Apply merge conflict label
+        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
+        with:
+          dirtyLabel: '⚔️ merge-conflict'
+          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
+          repoToken: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/trivy-scan.yml

@@ -1,62 +0,0 @@
-name: 🛡️ Trivy Security Scan
-
-# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
-# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
-# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
-# upload needs a write token that fork PRs don't get).
-on:
-  push:
-    branches: [develop, master]
-    paths:
-      - "package.json"
-      - "bun.lock"
-      - "**/*.ts"
-      - "**/*.tsx"
-      - "**/*.js"
-      - "**/*.jsx"
-      - ".github/workflows/trivy-scan.yml"
-  schedule:
-    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: trivy-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  trivy:
-    name: 🔎 Filesystem scan
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      security-events: write # upload SARIF to code scanning
-    steps:
-      - name: 📥 Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: 💾 Cache Trivy vulnerability DB
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: ~/.cache/trivy
-          key: trivy-db-${{ github.run_id }}
-          restore-keys: trivy-db-
-
-      - name: 🔎 Run Trivy filesystem scan
-        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
-        with:
-          scan-type: fs
-          scan-ref: .
-          scanners: vuln,secret,misconfig
-          ignore-unfixed: true
-          severity: CRITICAL,HIGH
-          format: sarif
-          output: trivy-results.sarif
-
-      - name: 📤 Upload results to code scanning
-        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
-        with:
-          sarif_file: trivy-results.sarif
-          category: trivy-fs

scripts/automerge.sh

@@ -1,12 +1,22 @@
 #!/bin/bash
-[[ -z $(git status --porcelain) ]] &&
-git checkout master &&
-git pull --ff-only &&
-git checkout develop &&
-git merge master &&
-git push --follow-tags &&
-git checkout master &&
-git merge develop --ff-only &&
-git push &&
-git checkout develop ||
-(echo "Error: Failed to merge" && exit 1)
+# Local helper: fast-forward master into develop and back. Aborts on any failure and
+# restores the branch you started on. Not used in CI.
+set -euo pipefail
+
+if [[ -n $(git status --porcelain) ]]; then
+  echo "Error: working tree is not clean — commit or stash first." >&2
+  exit 1
+fi
+
+start_branch=$(git rev-parse --abbrev-ref HEAD)
+trap 'git checkout "$start_branch" >/dev/null 2>&1 || true' EXIT
+
+git checkout master
+git pull --ff-only
+git checkout develop
+git merge master
+git push --follow-tags
+git checkout master
+git merge develop --ff-only
+git push
+git checkout develop

scripts/symlink-native-dirs.js

@@ -1,62 +1,28 @@
 #!/usr/bin/env node
 
-const _fs = require("node:fs");
+// Symlinks the platform-specific native dirs to `ios` / `android` depending on EXPO_TV.
+// Uses fs APIs (no shell) so there is no command-injection surface.
+
+const fs = require("node:fs");
 const path = require("node:path");
-const process = require("node:process");
-const { execSync } = require("node:child_process");
 
 const root = process.cwd();
-// const tvosPath = path.join(root, 'iostv');
-// const iosPath = path.join(root, 'iosmobile');
-// const androidPath = path.join(root, 'androidmobile');
-// const androidTVPath = path.join(root, 'androidtv');
-// const device = process.argv[2];
-// const platform = process.argv[2];
-const isTV = process.env.EXPO_TV || false;
+const isTV = process.env.EXPO_TV && process.env.EXPO_TV !== "0";
 
-const paths = new Map([
-  ["tvos", path.join(root, "iostv")],
-  ["ios", path.join(root, "iosmobile")],
-  ["android", path.join(root, "androidmobile")],
-  ["androidtv", path.join(root, "androidtv")],
-]);
+const links = isTV
+  ? { ios: path.join(root, "iostv"), android: path.join(root, "androidtv") }
+  : {
+      ios: path.join(root, "iosmobile"),
+      android: path.join(root, "androidmobile"),
+    };
 
-// const platformPath = paths.get(platform);
-
-if (isTV) {
-  stdout = execSync(
-    `mkdir -p ${paths.get("tvos")}; ln -nsf ${paths.get("tvos")} ios`,
-  );
-  console.log(stdout.toString());
-  stdout = execSync(
-    `mkdir -p ${paths.get("androidtv")}; ln -nsf ${paths.get(
-      "androidtv",
-    )} android`,
-  );
-  console.log(stdout.toString());
-} else {
-  stdout = execSync(
-    `mkdir -p ${paths.get("ios")}; ln -nsf ${paths.get("ios")} ios`,
-  );
-  console.log(stdout.toString());
-  stdout = execSync(
-    `mkdir -p ${paths.get("android")}; ln -nsf ${paths.get("android")} android`,
-  );
-  console.log(stdout.toString());
+for (const [link, target] of Object.entries(links)) {
+  fs.mkdirSync(target, { recursive: true });
+  try {
+    fs.unlinkSync(link); // replace an existing symlink/file (ln -nsf)
+  } catch {
+    // nothing to remove
+  }
+  fs.symlinkSync(target, link);
+  console.log(`${link} -> ${target}`);
 }
-
-// target = "";
-// switch (platform) {
-//   case "tvos":
-//     target = "ios";
-//     break;
-//   case "ios":
-//     target = "ios";
-//     break;
-//   case "android":
-//     target = "android";
-//     break;
-//   case "androidtv":
-//     target = "android";
-//     break;
-// }