chore(security): harden helpers + document conflict-labeler safety

From the workflow security audit: - symlink-native-dirs.js: drop the execSync shell strings for fs.symlink/mkdir (removes a latent shell-injection surface; also clears dead commented code). - automerge.sh: add 'set -euo pipefail' and restore the starting branch on exit so a mid-merge failure can't leave the repo on the wrong branch. - conflict.yml: document that this pull_request_target workflow must never check out or run PR-head code (it only labels via the API today).
2026-06-02 12:08:37 +01:00 · 2026-06-01 20:35:05 +02:00
10 changed files with 144 additions and 135 deletions
--- a/.github/workflows/conflict.yml
+++ b/.github/workflows/conflict.yml
@@ -1,24 +1,29 @@
-name: 🏷️🔀Merge Conflict Labeler
-
-on:
-  push:
-    branches: [develop]
-  pull_request_target:
-    branches: [develop]
-    types: [synchronize]
-
-jobs:
-  label:
-    name: 🏷️ Labeling Merge Conflicts
-    runs-on: ubuntu-24.04
-    if: ${{ github.repository == 'streamyfin/streamyfin' }}
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: 🚩 Apply merge conflict label
-        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
-        with:
-          dirtyLabel: '⚔️ merge-conflict'
-          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
-          repoToken: '${{ secrets.GITHUB_TOKEN }}'
+name: 🏷️🔀Merge Conflict Labeler
+
+on:
+  push:
+    branches: [develop]
+  # SECURITY: pull_request_target runs with the base repo's write token and secrets.
+  # This job only labels via the API and is safe ONLY because it never checks out or
+  # runs the PR head's code. NEVER add `actions/checkout` of the PR head (or any `run:`
+  # that interpolates PR-controlled data) to this workflow — that would turn it into a
+  # full repo-compromise vector.
+  pull_request_target:
+    branches: [develop]
+    types: [synchronize]
+
+jobs:
+  label:
+    name: 🏷️ Labeling Merge Conflicts
+    runs-on: ubuntu-24.04
+    if: ${{ github.repository == 'streamyfin/streamyfin' }}
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: 🚩 Apply merge conflict label
+        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
+        with:
+          dirtyLabel: '⚔️ merge-conflict'
+          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
+          repoToken: '${{ secrets.GITHUB_TOKEN }}'
--- a/app/(auth)/(tabs)/(libraries)/_layout.tsx
+++ b/app/(auth)/(tabs)/(libraries)/_layout.tsx
@@ -166,7 +166,7 @@ export default function IndexLayout() {
                open={dropdownOpen}
                onOpenChange={setDropdownOpen}
                trigger={
-                  <View>
+                  <View className='pl-1.5'>
                    <Ionicons
                      name='ellipsis-horizontal-outline'
                      size={24}
--- a/components/PlatformDropdown.tsx
+++ b/components/PlatformDropdown.tsx
@@ -1,7 +1,13 @@
 import { Ionicons } from "@expo/vector-icons";
 import { BottomSheetScrollView } from "@gorhom/bottom-sheet";
-import React, { useEffect } from "react";
-import { Platform, StyleSheet, TouchableOpacity, View } from "react-native";
+import React, { useEffect, useState } from "react";
+import {
+  type LayoutChangeEvent,
+  Platform,
+  StyleSheet,
+  TouchableOpacity,
+  View,
+} from "react-native";
 import { useSafeAreaInsets } from "react-native-safe-area-context";
 import { Text } from "@/components/common/Text";
 import { useGlobalModal } from "@/providers/GlobalModalProvider";
@@ -211,6 +217,24 @@ const PlatformDropdownComponent = ({
 }: PlatformDropdownProps) => {
  const { showModal, hideModal, isVisible } = useGlobalModal();

+  // @expo/ui's <Host> (SDK 55) fills its available space by default, and
+  // `matchContents` doesn't help here: it reports the native Menu's size via
+  // setStyleSize and overrides any explicit size. Instead we measure the
+  // trigger's intrinsic size in plain RN (off-layout) and pin it on the Host.
+  const [triggerSize, setTriggerSize] = useState<{
+    width: number;
+    height: number;
+  } | null>(null);
+
+  const handleMeasureTrigger = (e: LayoutChangeEvent) => {
+    const { width, height } = e.nativeEvent.layout;
+    setTriggerSize((prev) =>
+      prev && prev.width === width && prev.height === height
+        ? prev
+        : { width, height },
+    );
+  };
+
  // Handle controlled open state for Android
  useEffect(() => {
    if (Platform.OS === "android" && controlledOpen === true) {
@@ -241,11 +265,25 @@ const PlatformDropdownComponent = ({
  }, [isVisible, controlledOpen, controlledOnOpenChange]);

  if (Platform.OS === "ios" && !Platform.isTV) {
-    // @expo/ui's <Host> can't size to content, so an in-flow invisible copy of
-    // the trigger sizes the wrapper while the Host overlays the real Menu.
+    // Pin the wrapper to the measured trigger size. @expo/ui's <Host> (SDK 55)
+    // fills its parent and reports its own size via setStyleSize, so it can't
+    // size itself to content. If the wrapper has no size, the Host's `flex: 1`
+    // height depends on the parent while the parent depends on the Host — a
+    // circular dependency that collapses to 0 for any selector nested more than
+    // one level deep (so only the first, shallowest dropdown stays visible).
+    // Giving the wrapper the measured size breaks the cycle; the Host then
+    // fills a concrete box.
    return (
-      <View>
-        <View pointerEvents='none' aria-hidden style={{ opacity: 0 }}>
+      <View style={triggerSize ?? { opacity: 0 }}>
+        {/* Hidden measurer: lays the trigger out off-flow to capture its
+            intrinsic size. Absolutely positioned WITHOUT right/bottom so it
+            sizes to the trigger's content rather than to its parent. */}
+        <View
+          style={{ position: "absolute", top: 0, left: 0, opacity: 0 }}
+          pointerEvents='none'
+          aria-hidden
+          onLayout={handleMeasureTrigger}
+        >
          {trigger}
        </View>
        <Host style={[StyleSheet.absoluteFill, expoUIConfig?.hostStyle as any]}>
--- a/components/home/Home.tsx
+++ b/components/home/Home.tsx
@@ -133,6 +133,7 @@ const HomeMobile = () => {
          onPress={() => {
            router.push("/(auth)/downloads");
          }}
+          className='ml-1.5'
          style={{ marginRight: Platform.OS === "android" ? 16 : 0 }}
        >
          <Feather
--- a/components/search/TVJellyseerrSearchResults.tsx
+++ b/components/search/TVJellyseerrSearchResults.tsx
@@ -401,6 +401,10 @@ export const TVJellyseerrSearchResults: React.FC<
 }) => {
  const { t } = useTranslation();

+  const hasMovies = movieResults && movieResults.length > 0;
+  const hasTv = tvResults && tvResults.length > 0;
+  const hasPersons = personResults && personResults.length > 0;
+
  if (loading) {
    return null;
  }
@@ -427,26 +431,22 @@ export const TVJellyseerrSearchResults: React.FC<

  return (
    <View>
-      {/* No section requests `hasTVPreferredFocus`: the native search field
-          keeps focus while typing, otherwise the first result would re-grab
-          focus on every keystroke as results re-render. The user navigates
-          down to the grid manually. */}
      <TVJellyseerrMovieSection
        title={t("search.request_movies")}
        items={movieResults}
-        isFirstSection={false}
+        isFirstSection={hasMovies}
        onItemPress={onMoviePress}
      />
      <TVJellyseerrTvSection
        title={t("search.request_series")}
        items={tvResults}
-        isFirstSection={false}
+        isFirstSection={!hasMovies && hasTv}
        onItemPress={onTvPress}
      />
      <TVJellyseerrPersonSection
        title={t("search.actors")}
        items={personResults}
-        isFirstSection={false}
+        isFirstSection={!hasMovies && !hasTv && hasPersons}
        onItemPress={onPersonPress}
      />
    </View>
--- a/components/search/TVSearchPage.tsx
+++ b/components/search/TVSearchPage.tsx
@@ -235,13 +235,10 @@ export const TVSearchPage: React.FC<TVSearchPageProps> = ({
            module). It renders the native search bar + grid keyboard and
            forwards typed text into the existing query pipeline via setSearch;
            our own results grid renders below. */}
-        {/* No horizontal margin here: the native tvOS search bar centers itself
-            and renders a trailing "Hold to Dictate in <Language>" hint. Extra
-            margins squeeze the bar's width and clip that trailing hint, so let
-            the native view span the full width and own its own insets. */}
        <View
          style={{
            marginBottom: 24,
+            marginHorizontal: HORIZONTAL_PADDING,
            height: SEARCH_AREA_HEIGHT,
          }}
        >
@@ -283,17 +280,13 @@ export const TVSearchPage: React.FC<TVSearchPageProps> = ({
        {/* Library Search Results */}
        {isLibraryMode && !loading && (
          <View style={{ gap: SECTION_GAP }}>
-            {sections.map((section) => (
+            {sections.map((section, index) => (
              <TVSearchSection
                key={section.key}
                title={section.title}
                items={section.items!}
                orientation={section.orientation || "vertical"}
-                // Never auto-focus a result. The native search field owns focus
-                // while typing; `hasTVPreferredFocus` here would re-grab focus on
-                // every keystroke as results re-render. User navigates down to the
-                // grid manually.
-                isFirstSection={false}
+                isFirstSection={index === 0}
                onItemPress={onItemPress}
                onItemLongPress={onItemLongPress}
                imageUrlGetter={
--- a/components/search/TVSearchSection.tsx
+++ b/components/search/TVSearchSection.tsx
@@ -297,12 +297,12 @@ export const TVSearchSection: React.FC<TVSearchSectionProps> = ({
        removeClippedSubviews={false}
        getItemLayout={getItemLayout}
        style={{ overflow: "visible" }}
-        // Edge padding via contentContainerStyle, NOT contentInset+contentOffset.
-        // contentOffset only applies on initial mount; since this FlatList is
-        // reused across searches (stable key), a second search left the inset
-        // without the offset and the grid snapped flush to the left edge.
+        contentInset={{
+          left: edgePadding,
+          right: edgePadding,
+        }}
+        contentOffset={{ x: -edgePadding, y: 0 }}
        contentContainerStyle={{
-          paddingHorizontal: edgePadding,
          paddingVertical: SCALE_PADDING,
        }}
      />
--- a/modules/mpv-player/ios/MpvPlayerView.swift
+++ b/modules/mpv-player/ios/MpvPlayerView.swift
@@ -81,6 +81,7 @@ class MpvPlayerView: ExpoView {
 	private func setupView() {
 		clipsToBounds = true
 		backgroundColor = .black
+		configureAudioSession()

 		videoContainer = UIView()
 		videoContainer.translatesAutoresizingMaskIntoConstraints = false
@@ -140,26 +141,21 @@ class MpvPlayerView: ExpoView {
 		CATransaction.commit()
 	}

-	// MARK: - Audio Session & Notifications
-
 	private func configureAudioSession() {
-		let session = AVAudioSession.sharedInstance()
+		let audioSession = AVAudioSession.sharedInstance()
 		do {
-			try session.setCategory(.playback, mode: .moviePlayback, policy: .longFormAudio, options: [])
-			try session.setActive(true)
+			try audioSession.setCategory(
+				.playback,
+				mode: .moviePlayback,
+				policy: .longFormAudio,
+				options: []
+			)
+			try audioSession.setActive(true)
 		} catch {
 			print("Failed to configure audio session: \(error)")
 		}
 	}
-
-	/// Deactivate the session AND reset the category — `setActive(false)` alone
-	/// leaves `.playback`/`.longFormAudio` on the shared singleton, so any later
-	/// reactivation (foreground, route change, other modules) re-steals audio.
-	private func tearDownAudioSession() {
-		let session = AVAudioSession.sharedInstance()
-		try? session.setActive(false, options: .notifyOthersOnDeactivation)
-		try? session.setCategory(.ambient, mode: .default, options: [.mixWithOthers])
-	}
+	// MARK: - Audio Session & Notifications

 	private func setupNotifications() {
 		// Handle audio session interruptions (e.g., incoming calls, other apps playing audio)
@@ -274,7 +270,6 @@ class MpvPlayerView: ExpoView {

 	func play() {
 		intendedPlayState = true
-		configureAudioSession()
 		setupRemoteCommands()
 		renderer?.play()
 		pipController?.setPlaybackRate(1.0)
@@ -445,7 +440,6 @@ class MpvPlayerView: ExpoView {
 		renderer?.stop()
 		displayLayer.removeFromSuperlayer()
 		clearNowPlayingInfo()
-		tearDownAudioSession()
 		NotificationCenter.default.removeObserver(self)
 	}
 }
@@ -525,7 +519,9 @@ extension MpvPlayerView: MPVLayerRendererDelegate {
 	}

 	func renderer(_: MPVLayerRenderer, didSelectAudioOutput audioOutput: String) {
-		print("[MPV] Audio output ready (\(audioOutput)), syncing Now Playing")
+		// Audio output is now active - this is the right time to activate audio session and set Now Playing
+		print("[MPV] Audio output ready (\(audioOutput)), activating audio session and syncing Now Playing")
+		nowPlayingManager.activateAudioSession()
 		syncNowPlaying(isPlaying: !isPaused())
 	}
 }
--- a/scripts/automerge.sh
+++ b/scripts/automerge.sh
@@ -1,12 +1,22 @@
 #!/bin/bash
-[[ -z $(git status --porcelain) ]] &&
-git checkout master &&
-git pull --ff-only &&
-git checkout develop &&
-git merge master &&
-git push --follow-tags &&
-git checkout master &&
-git merge develop --ff-only &&
-git push &&
-git checkout develop ||
-(echo "Error: Failed to merge" && exit 1)
+# Local helper: fast-forward master into develop and back. Aborts on any failure and
+# restores the branch you started on. Not used in CI.
+set -euo pipefail
+
+if [[ -n $(git status --porcelain) ]]; then
+  echo "Error: working tree is not clean — commit or stash first." >&2
+  exit 1
+fi
+
+start_branch=$(git rev-parse --abbrev-ref HEAD)
+trap 'git checkout "$start_branch" >/dev/null 2>&1 || true' EXIT
+
+git checkout master
+git pull --ff-only
+git checkout develop
+git merge master
+git push --follow-tags
+git checkout master
+git merge develop --ff-only
+git push
+git checkout develop
--- a/scripts/symlink-native-dirs.js
+++ b/scripts/symlink-native-dirs.js
@@ -1,62 +1,28 @@
 #!/usr/bin/env node

-const _fs = require("node:fs");
+// Symlinks the platform-specific native dirs to `ios` / `android` depending on EXPO_TV.
+// Uses fs APIs (no shell) so there is no command-injection surface.
+
+const fs = require("node:fs");
 const path = require("node:path");
-const process = require("node:process");
-const { execSync } = require("node:child_process");

 const root = process.cwd();
-// const tvosPath = path.join(root, 'iostv');
-// const iosPath = path.join(root, 'iosmobile');
-// const androidPath = path.join(root, 'androidmobile');
-// const androidTVPath = path.join(root, 'androidtv');
-// const device = process.argv[2];
-// const platform = process.argv[2];
-const isTV = process.env.EXPO_TV || false;
+const isTV = process.env.EXPO_TV && process.env.EXPO_TV !== "0";

-const paths = new Map([
-  ["tvos", path.join(root, "iostv")],
-  ["ios", path.join(root, "iosmobile")],
-  ["android", path.join(root, "androidmobile")],
-  ["androidtv", path.join(root, "androidtv")],
-]);
+const links = isTV
+  ? { ios: path.join(root, "iostv"), android: path.join(root, "androidtv") }
+  : {
+      ios: path.join(root, "iosmobile"),
+      android: path.join(root, "androidmobile"),
+    };

-// const platformPath = paths.get(platform);
-
-if (isTV) {
-  stdout = execSync(
-    `mkdir -p ${paths.get("tvos")}; ln -nsf ${paths.get("tvos")} ios`,
-  );
-  console.log(stdout.toString());
-  stdout = execSync(
-    `mkdir -p ${paths.get("androidtv")}; ln -nsf ${paths.get(
-      "androidtv",
-    )} android`,
-  );
-  console.log(stdout.toString());
-} else {
-  stdout = execSync(
-    `mkdir -p ${paths.get("ios")}; ln -nsf ${paths.get("ios")} ios`,
-  );
-  console.log(stdout.toString());
-  stdout = execSync(
-    `mkdir -p ${paths.get("android")}; ln -nsf ${paths.get("android")} android`,
-  );
-  console.log(stdout.toString());
+for (const [link, target] of Object.entries(links)) {
+  fs.mkdirSync(target, { recursive: true });
+  try {
+    fs.unlinkSync(link); // replace an existing symlink/file (ln -nsf)
+  } catch {
+    // nothing to remove
+  }
+  fs.symlinkSync(target, link);
+  console.log(`${link} -> ${target}`);
 }
-
-// target = "";
-// switch (platform) {
-//   case "tvos":
-//     target = "ios";
-//     break;
-//   case "ios":
-//     target = "ios";
-//     break;
-//   case "android":
-//     target = "android";
-//     break;
-//   case "androidtv":
-//     target = "android";
-//     break;
-// }