370 Commits

Author SHA1 Message Date
Tink bot 632579b304 ci(veans): add fast veans-test job for unit tests 2026-05-27 08:21:57 +00:00
Tink bot 202a5f60b0 ci(veans): add veans-lint job to Test workflow 2026-05-27 08:21:57 +00:00
Tink bot 35aa486eb5 feat(veans): use OAuth 2.0 Authorization Code + PKCE as default auth
Vikunja's built-in OAuth server (Vikunja 2.3+) does not require client
registration and accepts arbitrary client_ids — it just enforces PKCE
(S256) and constrains redirect URIs to the vikunja- scheme. Earlier I
deferred OAuth on the assumption it needed a registered client; that
was wrong, and the docs make the path much smoother than POST /login.

The custom-scheme constraint (no http:// loopback) is side-stepped by
manual paste-back: veans prints the authorize URL, the user signs in,
their browser fails to open vikunja-veans-cli://callback?code=... and
shows an error, the user copies the URL from the address bar and
pastes it back. CLI extracts code + state, verifies state for CSRF,
exchanges via POST /api/v1/oauth/token (JSON body — Vikunja rejects
form-encoded), and returns the access token.

Resolution order in AcquireHumanToken:
  1. --token (paste-in JWT or personal API token; SSO/OIDC users)
  2. --use-password / --username + --password (POST /login)
  3. OAuth flow (interactive default)

login command supports the same --use-password / --token escape hatches
for token rotation on instances with OAuth disabled.

Includes unit tests for the PKCE generator (verifier shape per RFC 7636,
challenge = SHA256(verifier) base64url-no-pad), authorize-URL
construction, and the lenient callback parser (full URL / query-only /
bare code).
2026-05-27 08:21:57 +00:00
Tink bot 950d41df91 ci(veans): add veans-e2e workflow 2026-05-27 08:21:57 +00:00
Tink bot 52f3dd6806 fix(ci): commit newly added Crowdin translation files
The Crowdin sync workflow used `git diff --quiet` and `git commit -am`,
both of which only consider tracked files. New language files downloaded
by Crowdin (e.g. el-GR, th-TH) were therefore left untracked and silently
dropped on each run.

Switch the change check to `git status --porcelain` scoped to the
translation directories and stage them explicitly before committing so
new locales are included.
2026-05-18 17:57:21 +00:00
kolaente 12f07529e5 chore: update stale workflow 2026-04-29 09:10:09 +02:00
kolaente 1d637a4ac6 refactor(magefile): consolidate api+frontend translation checks into one task
Previously the PR introduced a separate `check:frontendTranslations` mage
task and a second CI job. Merge both into the existing `check:translations`
task and a single CI job. Also rename internal references from "backend" to
"api" to match the project convention (Vikunja's Go server is the api, not
the backend).
2026-04-23 13:30:51 +02:00
kolaente edd83f5e92 ci: run frontend translation check as a hard failure
Add a frontend-check-translations job that runs the new
check:frontendTranslations mage task. Like the existing
api-check-translations job, failures hard-fail CI. This makes
reviewers catch dead keys and missing $t() wiring up front instead of
having to flag them manually in pull request review.
2026-04-23 13:30:51 +02:00
kolaente 0b45cff583 feat(ci): sign archlinux packages with GPG for pacman verification
Pacman verifies individual package signatures (.sig files). Add GPG
setup and detach-sign step for archlinux packages in the os-package
job. The .sig is uploaded alongside the package to S3.
2026-04-14 19:35:23 +02:00
kolaente c970f87e89 fix(ci): resolve symlinks before upload instead of deleting them
S3 can't store symlinks. Previously all symlinks were deleted, which
removed vikunja.db -> vikunja.db.tar.gz needed by pacman. Now resolve
symlinks into real file copies first, then delete package files.
2026-04-14 17:08:27 +02:00
kolaente fdeacd3eaf fix(ci): write GPG key directly to file instead of importing and exporting
No need to import the key into GPG and then export it again. Just
write the secret key data directly to a file for nfpm to use.
2026-04-14 16:22:52 +02:00
kolaente f6ec5d8e96 feat(ci): sign RPM packages with GPG via nfpm
Add GPG signing configuration to nfpm.yaml for rpm packages. The
os-package job now sets up GPG and exports the key for nfpm to use
during package creation.
2026-04-14 15:47:31 +02:00
kolaente 4d8c37f8ff fix(ci): exclude package files from repo metadata upload
The dl.vikunja.io worker redirects package file requests under /repos/
to the existing artifacts, so uploading them again is redundant.
Remove .deb, .rpm, .apk, .archlinux, .pacman, .pkg.tar.zst files
and symlinks before uploading to R2.
2026-04-14 14:36:00 +02:00
kolaente 77167eb356 fix(ci): pin s3-action to main branch 2026-04-14 12:47:18 +02:00
kolaente 3d08a4f78f fix(ci): update s3-action to skip directories during upload
The s3-action glob matched directories causing EISDIR errors. Fixed
the action to filter with fs.statSync().isFile(). Updated all
s3-action references to the new version.
2026-04-14 12:25:43 +02:00
kolaente 797c813091 fix(ci): revert S3 glob to **/* and clean up directories before upload
The **/*.* glob skipped extensionless files like Release, InRelease,
and Packages. Revert to **/* and instead remove reprepro's internal
db/conf directories and directory symlinks before uploading.
2026-04-14 10:02:50 +02:00
kolaente cff690fb5f fix(ci): skip desktop .apk in APK repo, not a valid Alpine package
The desktop .apk file from electron-builder is not an Alpine APK
package and causes apk index to fail with "v2 package format error".
2026-04-13 16:15:41 +02:00
kolaente a110642093 fix(ci): inline APK repo generation to avoid glibc binary on Alpine
The mage-static binary is compiled with glibc which can't run on
Alpine's musl. Instead of fighting compatibility, inline the APK
repo generation as shell commands since the logic is simple.
2026-04-13 15:18:08 +02:00
kolaente 29098aee62 fix(ci): add libc6-compat for Alpine, fix S3 upload glob, add debug
- Install libc6-compat on Alpine so the glibc-linked mage binary runs
- Change S3 upload glob from **/* to **/*.* to skip directories
- Add debug step to inspect mage-static binary on Alpine
2026-04-13 12:13:05 +02:00
kolaente f3aaf27242 fix(ci): set RELEASE_VERSION to avoid git dependency in containers
The mage initVars calls git describe when RELEASE_VERSION is not
set. Setting it avoids needing git in the container images.
2026-04-13 11:45:37 +02:00
kolaente cd61db4415 refactor(ci): split publish-repos into matrix with native containers
Each package format now runs in its native container image:
- apt: ubuntu:noble (reprepro)
- rpm: fedora:latest (createrepo_c)
- pacman: archlinux:latest (repo-add + bsdtar built-in)
- apk: alpine:latest (apk + abuild-sign built-in)

This eliminates cross-distro tool availability issues. Desktop
packages are downloaded and renamed per format to match the mage
target glob patterns. Also adds --allow-untrusted to apk index
since nfpm-produced .apk packages are unsigned.
2026-04-13 11:19:12 +02:00
kolaente 136fafdf37 fix(ci): install libarchive-tools for repo-add bsdtar dependency
repo-add uses bsdtar to validate packages, which requires
libarchive-tools. The .archlinux extension works fine with repo-add
so the rename to .pkg.tar.zst was unnecessary. Also removes debug
steps.
2026-04-13 10:50:56 +02:00
kolaente 2a2b3c787e fix(ci): add deeper debug for archlinux/pacman package contents 2026-04-13 08:22:18 +02:00
kolaente ab6cdf91eb fix(ci): add debug step to list incoming package files 2026-04-12 19:56:03 +02:00
kolaente e1fed9e252 fix(ci): install makepkg for repo-add utility scripts
repo-add from pacman-package-manager sources scripts from
/usr/share/makepkg/util/ which are shipped in the separate
makepkg package on Ubuntu.
2026-04-12 17:59:32 +02:00
kolaente 80ecaeb567 fix(ci): sign APT Release files manually instead of via reprepro gpgme
reprepro uses gpgme for signing which fails in CI environments because
gpgme cannot access pinentry. Instead, remove SignWith from the reprepro
distributions config and sign Release files manually with gpg after
reprepro finishes, producing both Release.gpg and InRelease.
2026-04-12 17:32:11 +02:00
kolaente e8d12186d1 fix(ci): configure gpg loopback pinentry for reprepro signing
reprepro uses gpgme which bypasses the preset passphrase cache and
tries to launch a pinentry dialog, failing in CI with
"Inappropriate ioctl for device". Adding loopback pinentry mode
allows gpgme to obtain the passphrase without a dialog.
2026-04-12 16:49:36 +02:00
kolaente b375399e34 feat(ci): add publish-repos job for OS package repository metadata
New CI job runs after os-package and desktop jobs complete. Downloads
all package artifacts, runs Mage repo targets to generate repository
metadata (APT, RPM, APK, Pacman), GPG-signs the metadata, and uploads
to R2 under /repos/.

Publishes to stable suite for tagged releases, unstable for main
branch builds. Artifact uploads from os-package and desktop jobs are
no longer gated on tags to support this.
2026-04-12 12:06:14 +00:00
kolaente 1cde0a1705 feat(ci): add multi-architecture support for OS package builds (#2610) 2026-04-12 12:24:08 +02:00
kolaente 3e59a654b5 fix(ci): don’t close issue directly 2026-04-12 10:40:42 +02:00
kolaente a11abb46b4 ci: add tests using mysql-8 2026-04-11 17:20:53 +00:00
kolaente c9809f1385 fix(ci): use working model 2026-04-11 17:55:47 +02:00
kolaente c4cc6d34f6 ci: add AI-powered auto-labeling for new issues and PRs
Uses actions/ai-inference with GPT-5 to classify newly opened issues
and pull requests against the area/*, integration/*, db/*, and
concern/* label namespaces.

The system prompt is rendered at runtime from the live repo label list
plus descriptions, so GitHub label state is the single source of truth
for the taxonomy. Suggested labels are re-validated against the live
list before being applied, capped at 6 per item.
2026-04-11 17:45:36 +02:00
kolaente 2796fffbc1 fix(ci): skip interactive prompt in nixpkgs update workflow
The nixpkgs update.py script prompts for confirmation before running,
which fails with EOFError in CI since there is no TTY. Pass skip-prompt
to maintainers/scripts/update.nix to bypass the prompt.
2026-04-11 15:00:42 +00:00
kolaente 1b8d52ced0 fix(ci): use actual docker meta tags for preview comment SHA links
The docker/metadata-action uses github.sha for the SHA tag, which for
pull_request_target events is the base branch commit, not the PR head.
The comment step was independently constructing SHA tags from the PR
head SHA, causing preview URLs that didn't match any actual docker
image tag. Now reads the actual tags from docker meta output instead.
2026-04-07 15:05:48 +00:00
kolaente 856011f132 ci: auto-close 'waiting for reply' issues after 30 days of inactivity 2026-04-05 12:04:33 +00:00
kolaente 9839e8989d ci: move caldav and e2e-api tests to dedicated CI jobs
Split caldav and e2e-api tests out of the test-api matrix into their
own standalone jobs running only with sqlite-in-memory. This reduces
the matrix size (no longer 5 DBs × 4 test types = 20 jobs) and avoids
spinning up unnecessary database services for tests that only need
in-memory SQLite.
2026-04-02 11:34:55 +00:00
kolaente e2478e2fd6 test(caldav): add caldavtests package with infrastructure, helpers, and mage target
- Package skeleton with TestMain, setupTestEnv, and fixture users
- HTTP request helpers (PROPFIND, REPORT, GET, PUT, DELETE, OPTIONS)
- XML/iCal response parsers and assertion utilities
- VTodoBuilder for constructing test VTODO payloads
- Common PROPFIND/REPORT XML body constants
- Smoke test validating the infrastructure works end-to-end
- mage test:caldav command and CI matrix entry
2026-04-02 11:34:55 +00:00
kolaente 6bc1635a9f chore(ci): update nix update PR message [skip ci] 2026-03-25 23:25:28 +01:00
kolaente cb07b6608c feat: add CI workflow to auto-update nixpkgs on release
Triggers on release publish or manual dispatch. Uses the nixpkgs
update infrastructure (maintainers/scripts/update.nix) to update
both vikunja and vikunja-desktop, then pushes to the go-vikunja
nixpkgs fork and opens a PR on NixOS/nixpkgs.

Skips early if an open update PR already exists.
2026-03-25 23:23:57 +01:00
kolaente 752ae42879 fix: support merge queue in issue-closed-comment workflow
When a PR is merged via merge queue, the issue close event has no
commit_id and no referenced event. Fall back to the GraphQL
closedByPullRequestsReferences field to find the closing PR.

Also simplifies the commit-to-PR lookup by using
listPullRequestsAssociatedWithCommit instead of iterating all PRs.
2026-03-25 10:20:36 +01:00
kolaente dc4be950e0 chore(ci): update golangci-lint to v2.10.1 2026-03-23 16:24:40 +01:00
kolaente 763d25ca18 feat(ci): enable merge queue trigger 2026-03-20 11:53:08 +01:00
kolaente 06ead58ea3 chore: remove feature request issue template
Feature requests should be suggested via the forum, not via GitHub
issues. The config.yml already directs users to the forum for this.
2026-03-09 23:35:43 +01:00
kolaente 7fce34eda2 ci: upgrade ParadeDB image to support v2 fuzzy search API
The v2 operators (|||, ::pdb.fuzzy()) require a recent ParadeDB
version. Update the pinned image digest to latest-pg17.
2026-03-05 13:57:05 +01:00
kolaente 62eb72c9f7 ci: add e2e API tests to CI pipeline 2026-03-05 12:49:27 +01:00
kolaente f0ead6049d fix(ci): remove HTML comments inside table that break markdown rendering 2026-03-03 17:04:06 +01:00
kolaente c7fa08c14c feat(ci): post preview deployment comment on PRs
Add a github-script step to the preview workflow that creates or updates
a comment with preview URLs (pr-number and per-commit SHA) and Docker
image tags. Past SHA URLs are preserved across pushes so reviewers can
access any previously built version.
2026-03-03 16:51:21 +01:00
kolaente 8f48b585b7 feat: add dependency diff and provenance GitHub Action for PRs 2026-02-17 12:00:31 +01:00
kolaente 82469618ca chore(ci): update golangci-lint from v2.6.0 to v2.9.0 2026-02-11 09:56:20 +01:00