Merge branch 'develop' into ci/trivy-scan

Drop the push paths filter so secret and misconfig scans cover all file types
(YAML, JSON, native, scripts), not just JS/TS. Replace the per-run
github.run_id cache key with a weekly per-OS key, so the vulnerability DB is
reused within the week instead of writing a fresh immutable cache entry on
every run.

.github/ISSUE_TEMPLATE/issue_report.yml

@@ -1,5 +1,5 @@
 name: "🐛 Bug Report"
-description: Create a report to help Streamyfin improve
+description: Create a report to help us improve
 title: "[Bug]: "
 labels:
   - "🐛 bug"
@@ -36,7 +36,7 @@ body:
     attributes:
       label: What happened?
       description: A clear and concise description of what the bug is.
-      placeholder: Describe what happened in detail, the more precise the better.
+      placeholder: Describe what happened in detail.
     validations:
       required: true
 
@@ -67,7 +67,7 @@ body:
     attributes:
       label: Which device and operating system are you using?
       description: Please provide your device model and OS version
-      placeholder: e.g. iPhone 17 Pro / iOS 26.5.1, Samsung Galaxy S25 / Android 16, Apple TV / tvOS 26.5
+      placeholder: e.g. iPhone 15 Pro, iOS 18.1.1 or Samsung Galaxy S24, Android 14
     validations:
       required: true
 
@@ -75,11 +75,11 @@ body:
     id: version
     attributes:
       label: Streamyfin Version
-      description: What version of Streamyfin are you using?
+      description: What version of Streamyfin are you running?
       options:
-        - 0.54.1
-        - 0.51.0
-        - Older
+        - 0.47.1
+        - 0.30.2
+        - older
         - TestFlight/Development build
     validations:
       required: true
@@ -90,9 +90,9 @@ body:
       label: Jellyfin Server Information
       description: Please provide details about your Jellyfin server
       placeholder: |
-        - Jellyfin Server Version: e.g. 10.11.10
-        - Server OS: e.g. Ubuntu 26.04, Windows 11, Docker, Proxmox
-        - Connection: e.g. Local network, remote via domain, VPN
+        - Jellyfin Server Version: e.g. 10.10.7
+        - Server OS: e.g. Ubuntu 22.04, Windows 11, Docker
+        - Connection: e.g. Local network, Remote via domain, VPN
 
   - type: textarea
     id: screenshots
@@ -104,7 +104,7 @@ body:
     id: logs
     attributes:
       label: Relevant logs (if available)
-      description: If you have access to app logs or crash reports, please include them here. **Remember to remove any personal information like server URL, API keys or usernames.**
+      description: If you have access to app logs or crash reports, please include them here. **Remember to remove any personal information like server URLs or usernames.**
       render: shell
 
   - type: textarea

.github/workflows/ci-codeql.yml

@@ -27,13 +27,13 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: 🏁 Initialize CodeQL
-        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           queries: +security-extended,security-and-quality
 
       - name: 🛠️ Autobuild
-        uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 
       - name: 🧪 Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0

.github/workflows/trivy-scan.yml

@@ -0,0 +1,60 @@
+name: 🛡️ Trivy Security Scan
+
+# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
+# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
+# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
+# upload needs a write token that fork PRs don't get).
+on:
+  push:
+    branches: [develop, master]
+  schedule:
+    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: trivy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: 🔎 Filesystem scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write # upload SARIF to code scanning
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
+      # instead of a fresh immutable entry per run, still refreshing the DB every week.
+      - name: 🗓️ Compute weekly Trivy cache key
+        id: trivy-cache-key
+        run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
+
+      - name: 💾 Cache Trivy vulnerability DB
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.cache/trivy
+          key: ${{ steps.trivy-cache-key.outputs.value }}
+          restore-keys: trivy-db-${{ runner.os }}-
+
+      - name: 🔎 Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln,secret,misconfig
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: 📤 Upload results to code scanning
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-fs