ci(security): add Trivy filesystem scan to code scanning

Streamyfin ships no container image, so this runs a Trivy *filesystem* scan (vulnerable deps, secrets, misconfig) and uploads SARIF to GitHub code scanning, complementing CodeQL and dependency-review. Runs on push to develop/master, weekly, and on demand (not on PRs — fork PRs can't upload SARIF, and dependency-review already gates PR dependencies). Reports findings (CRITICAL/HIGH, ignore-unfixed) without failing the build; the Security tab surfaces them.
2026-06-02 12:08:37 +01:00 · 2026-06-01 17:31:29 +02:00
8 changed files with 136 additions and 46 deletions
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,62 @@
+name: 🛡️ Trivy Security Scan
+
+# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
+# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
+# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
+# upload needs a write token that fork PRs don't get).
+on:
+  push:
+    branches: [develop, master]
+    paths:
+      - "package.json"
+      - "bun.lock"
+      - "**/*.ts"
+      - "**/*.tsx"
+      - "**/*.js"
+      - "**/*.jsx"
+      - ".github/workflows/trivy-scan.yml"
+  schedule:
+    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: trivy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: 🔎 Filesystem scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write # upload SARIF to code scanning
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: 💾 Cache Trivy vulnerability DB
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.cache/trivy
+          key: trivy-db-${{ github.run_id }}
+          restore-keys: trivy-db-
+
+      - name: 🔎 Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln,secret,misconfig
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: 📤 Upload results to code scanning
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-fs
--- a/app/(auth)/(tabs)/(libraries)/_layout.tsx
+++ b/app/(auth)/(tabs)/(libraries)/_layout.tsx
@@ -166,7 +166,7 @@ export default function IndexLayout() {
                open={dropdownOpen}
                onOpenChange={setDropdownOpen}
                trigger={
-                  <View>
+                  <View className='pl-1.5'>
                    <Ionicons
                      name='ellipsis-horizontal-outline'
                      size={24}
--- a/components/PlatformDropdown.tsx
+++ b/components/PlatformDropdown.tsx
@@ -1,7 +1,13 @@
 import { Ionicons } from "@expo/vector-icons";
 import { BottomSheetScrollView } from "@gorhom/bottom-sheet";
-import React, { useEffect } from "react";
-import { Platform, StyleSheet, TouchableOpacity, View } from "react-native";
+import React, { useEffect, useState } from "react";
+import {
+  type LayoutChangeEvent,
+  Platform,
+  StyleSheet,
+  TouchableOpacity,
+  View,
+} from "react-native";
 import { useSafeAreaInsets } from "react-native-safe-area-context";
 import { Text } from "@/components/common/Text";
 import { useGlobalModal } from "@/providers/GlobalModalProvider";
@@ -211,6 +217,24 @@ const PlatformDropdownComponent = ({
 }: PlatformDropdownProps) => {
  const { showModal, hideModal, isVisible } = useGlobalModal();

+  // @expo/ui's <Host> (SDK 55) fills its available space by default, and
+  // `matchContents` doesn't help here: it reports the native Menu's size via
+  // setStyleSize and overrides any explicit size. Instead we measure the
+  // trigger's intrinsic size in plain RN (off-layout) and pin it on the Host.
+  const [triggerSize, setTriggerSize] = useState<{
+    width: number;
+    height: number;
+  } | null>(null);
+
+  const handleMeasureTrigger = (e: LayoutChangeEvent) => {
+    const { width, height } = e.nativeEvent.layout;
+    setTriggerSize((prev) =>
+      prev && prev.width === width && prev.height === height
+        ? prev
+        : { width, height },
+    );
+  };
+
  // Handle controlled open state for Android
  useEffect(() => {
    if (Platform.OS === "android" && controlledOpen === true) {
@@ -241,11 +265,25 @@ const PlatformDropdownComponent = ({
  }, [isVisible, controlledOpen, controlledOnOpenChange]);

  if (Platform.OS === "ios" && !Platform.isTV) {
-    // @expo/ui's <Host> can't size to content, so an in-flow invisible copy of
-    // the trigger sizes the wrapper while the Host overlays the real Menu.
+    // Pin the wrapper to the measured trigger size. @expo/ui's <Host> (SDK 55)
+    // fills its parent and reports its own size via setStyleSize, so it can't
+    // size itself to content. If the wrapper has no size, the Host's `flex: 1`
+    // height depends on the parent while the parent depends on the Host — a
+    // circular dependency that collapses to 0 for any selector nested more than
+    // one level deep (so only the first, shallowest dropdown stays visible).
+    // Giving the wrapper the measured size breaks the cycle; the Host then
+    // fills a concrete box.
    return (
-      <View>
-        <View pointerEvents='none' aria-hidden style={{ opacity: 0 }}>
+      <View style={triggerSize ?? { opacity: 0 }}>
+        {/* Hidden measurer: lays the trigger out off-flow to capture its
+            intrinsic size. Absolutely positioned WITHOUT right/bottom so it
+            sizes to the trigger's content rather than to its parent. */}
+        <View
+          style={{ position: "absolute", top: 0, left: 0, opacity: 0 }}
+          pointerEvents='none'
+          aria-hidden
+          onLayout={handleMeasureTrigger}
+        >
          {trigger}
        </View>
        <Host style={[StyleSheet.absoluteFill, expoUIConfig?.hostStyle as any]}>
--- a/components/home/Home.tsx
+++ b/components/home/Home.tsx
@@ -133,6 +133,7 @@ const HomeMobile = () => {
          onPress={() => {
            router.push("/(auth)/downloads");
          }}
+          className='ml-1.5'
          style={{ marginRight: Platform.OS === "android" ? 16 : 0 }}
        >
          <Feather
--- a/components/search/TVJellyseerrSearchResults.tsx
+++ b/components/search/TVJellyseerrSearchResults.tsx
@@ -401,6 +401,10 @@ export const TVJellyseerrSearchResults: React.FC<
 }) => {
  const { t } = useTranslation();

+  const hasMovies = movieResults && movieResults.length > 0;
+  const hasTv = tvResults && tvResults.length > 0;
+  const hasPersons = personResults && personResults.length > 0;
+
  if (loading) {
    return null;
  }
@@ -427,26 +431,22 @@ export const TVJellyseerrSearchResults: React.FC<

  return (
    <View>
-      {/* No section requests `hasTVPreferredFocus`: the native search field
-          keeps focus while typing, otherwise the first result would re-grab
-          focus on every keystroke as results re-render. The user navigates
-          down to the grid manually. */}
      <TVJellyseerrMovieSection
        title={t("search.request_movies")}
        items={movieResults}
-        isFirstSection={false}
+        isFirstSection={hasMovies}
        onItemPress={onMoviePress}
      />
      <TVJellyseerrTvSection
        title={t("search.request_series")}
        items={tvResults}
-        isFirstSection={false}
+        isFirstSection={!hasMovies && hasTv}
        onItemPress={onTvPress}
      />
      <TVJellyseerrPersonSection
        title={t("search.actors")}
        items={personResults}
-        isFirstSection={false}
+        isFirstSection={!hasMovies && !hasTv && hasPersons}
        onItemPress={onPersonPress}
      />
    </View>
--- a/components/search/TVSearchPage.tsx
+++ b/components/search/TVSearchPage.tsx
@@ -235,13 +235,10 @@ export const TVSearchPage: React.FC<TVSearchPageProps> = ({
            module). It renders the native search bar + grid keyboard and
            forwards typed text into the existing query pipeline via setSearch;
            our own results grid renders below. */}
-        {/* No horizontal margin here: the native tvOS search bar centers itself
-            and renders a trailing "Hold to Dictate in <Language>" hint. Extra
-            margins squeeze the bar's width and clip that trailing hint, so let
-            the native view span the full width and own its own insets. */}
        <View
          style={{
            marginBottom: 24,
+            marginHorizontal: HORIZONTAL_PADDING,
            height: SEARCH_AREA_HEIGHT,
          }}
        >
@@ -283,17 +280,13 @@ export const TVSearchPage: React.FC<TVSearchPageProps> = ({
        {/* Library Search Results */}
        {isLibraryMode && !loading && (
          <View style={{ gap: SECTION_GAP }}>
-            {sections.map((section) => (
+            {sections.map((section, index) => (
              <TVSearchSection
                key={section.key}
                title={section.title}
                items={section.items!}
                orientation={section.orientation || "vertical"}
-                // Never auto-focus a result. The native search field owns focus
-                // while typing; `hasTVPreferredFocus` here would re-grab focus on
-                // every keystroke as results re-render. User navigates down to the
-                // grid manually.
-                isFirstSection={false}
+                isFirstSection={index === 0}
                onItemPress={onItemPress}
                onItemLongPress={onItemLongPress}
                imageUrlGetter={
--- a/components/search/TVSearchSection.tsx
+++ b/components/search/TVSearchSection.tsx
@@ -297,12 +297,12 @@ export const TVSearchSection: React.FC<TVSearchSectionProps> = ({
        removeClippedSubviews={false}
        getItemLayout={getItemLayout}
        style={{ overflow: "visible" }}
-        // Edge padding via contentContainerStyle, NOT contentInset+contentOffset.
-        // contentOffset only applies on initial mount; since this FlatList is
-        // reused across searches (stable key), a second search left the inset
-        // without the offset and the grid snapped flush to the left edge.
+        contentInset={{
+          left: edgePadding,
+          right: edgePadding,
+        }}
+        contentOffset={{ x: -edgePadding, y: 0 }}
        contentContainerStyle={{
-          paddingHorizontal: edgePadding,
          paddingVertical: SCALE_PADDING,
        }}
      />
--- a/modules/mpv-player/ios/MpvPlayerView.swift
+++ b/modules/mpv-player/ios/MpvPlayerView.swift
@@ -81,6 +81,7 @@ class MpvPlayerView: ExpoView {
 	private func setupView() {
 		clipsToBounds = true
 		backgroundColor = .black
+		configureAudioSession()

 		videoContainer = UIView()
 		videoContainer.translatesAutoresizingMaskIntoConstraints = false
@@ -140,26 +141,21 @@ class MpvPlayerView: ExpoView {
 		CATransaction.commit()
 	}

-	// MARK: - Audio Session & Notifications
-
 	private func configureAudioSession() {
-		let session = AVAudioSession.sharedInstance()
+		let audioSession = AVAudioSession.sharedInstance()
 		do {
-			try session.setCategory(.playback, mode: .moviePlayback, policy: .longFormAudio, options: [])
-			try session.setActive(true)
+			try audioSession.setCategory(
+				.playback,
+				mode: .moviePlayback,
+				policy: .longFormAudio,
+				options: []
+			)
+			try audioSession.setActive(true)
 		} catch {
 			print("Failed to configure audio session: \(error)")
 		}
 	}
-
-	/// Deactivate the session AND reset the category — `setActive(false)` alone
-	/// leaves `.playback`/`.longFormAudio` on the shared singleton, so any later
-	/// reactivation (foreground, route change, other modules) re-steals audio.
-	private func tearDownAudioSession() {
-		let session = AVAudioSession.sharedInstance()
-		try? session.setActive(false, options: .notifyOthersOnDeactivation)
-		try? session.setCategory(.ambient, mode: .default, options: [.mixWithOthers])
-	}
+	// MARK: - Audio Session & Notifications

 	private func setupNotifications() {
 		// Handle audio session interruptions (e.g., incoming calls, other apps playing audio)
@@ -274,7 +270,6 @@ class MpvPlayerView: ExpoView {

 	func play() {
 		intendedPlayState = true
-		configureAudioSession()
 		setupRemoteCommands()
 		renderer?.play()
 		pipController?.setPlaybackRate(1.0)
@@ -445,7 +440,6 @@ class MpvPlayerView: ExpoView {
 		renderer?.stop()
 		displayLayer.removeFromSuperlayer()
 		clearNowPlayingInfo()
-		tearDownAudioSession()
 		NotificationCenter.default.removeObserver(self)
 	}
 }
@@ -525,7 +519,9 @@ extension MpvPlayerView: MPVLayerRendererDelegate {
 	}

 	func renderer(_: MPVLayerRenderer, didSelectAudioOutput audioOutput: String) {
-		print("[MPV] Audio output ready (\(audioOutput)), syncing Now Playing")
+		// Audio output is now active - this is the right time to activate audio session and set Now Playing
+		print("[MPV] Audio output ready (\(audioOutput)), activating audio session and syncing Now Playing")
+		nowPlayingManager.activateAudioSession()
 		syncNowPlaying(isPlaying: !isPaused())
 	}
 }