ci(deps): bump docker/build-push-action from 5 to 6 #270

Open
dependabot[bot] wants to merge 1036 commits into main from dependabot/github_actions/docker/build-push-action-6
dependabot bot commented on behalf of github on Feb 16, 2026

Bumps docker/build-push-action from 5 to 6.

Release notes

Sourced from docker/build-push-action's releases.

v6.0.0

> [!NOTE]
> This major release adds support for generating Build summary and exporting build record for your build. You can disable this feature by setting `DOCKER_BUILD_SUMMARY: false` environment variable in your workflow.

Full Changelog: docker/build-push-action@v5.4.0...v6.0.0

v5.4.0

Full Changelog: docker/build-push-action@v5.3.0...v5.4.0

v5.3.0

Full Changelog: docker/build-push-action@v5.2.0...v5.3.0

v5.2.0

Full Changelog: docker/build-push-action@v5.1.0...v5.2.0

v5.1.0

Full Changelog: docker/build-push-action@v5.0.0...v5.1.0

Commits
  • 10e90e3 Merge pull request #1458 from crazy-max/git-auth-port
  • 5262538 chore: update generated content
  • cd130e4 preserve port in GIT_AUTH_TOKEN host
  • 806c751 Merge pull request #1452 from crazy-max/update-yarn
  • 601a80b Merge pull request #1456 from crazy-max/auth-token-dyn-host
  • 8f7fd7c chore: update generated content
  • 710e335 derive GIT_AUTH_TOKEN host from GitHub server URL
  • c4ca848 update yarn to 4.9.2
  • ee4ca42 Merge pull request #1398 from docker/dependabot/npm_and_yarn/tmp-0.2.4
  • f1b3bb5 chore: update generated content
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

karanhudia and others added 30 commits January 25, 2026 10:55
BREAKING PRIVACY FIX: Previously, matomo.js was loaded unconditionally
on every page load, even when users opted out. This violated GDPR/privacy
principles and was reported in GitHub issues.

Changes:
1. Deferred initialization - no longer loads matomo.js on app startup
2. Privacy-first defaults - no tracking unless explicitly enabled:
   - Login page (no auth token): NO tracking
   - API fetch errors: NO tracking
   - Network errors: NO tracking
3. Re-check preferences after login (useEffect depends on isAuthenticated)
4. Removed duplicate disableCookies() and setDoNotTrack() calls
5. Only initialize tracking if analytics_enabled=true in user preferences

Privacy guarantees:
- Login page never loads matomo.js or sends tracking events
- If user opts out, NO matomo.js script is loaded on any page
- If user opts out, NO network requests to analytics server
- Script only loads after successful login AND analytics_enabled=true
- trackOptOut() and trackConsentResponse() only work if already initialized

User flow:
1. Login page → No token → userOptedOut=true → NO tracking
2. After login → Fetch preferences from API
3. If analytics_enabled=true → initMatomoIfEnabled() loads matomo.js
4. If analytics_enabled=false → Nothing loads
5. User can toggle preference anytime via Settings → Preferences

Technical details:
- initMatomoScript() made internal, replaced with initMatomoIfEnabled()
- Added matomoInitialized flag to prevent duplicate script loading
- loadUserPreference() defaults to userOptedOut=true on all errors
- useEffect in App.tsx runs on isAuthenticated change, not just mount

Fixes GitHub issue where users saw requests to analytics.nullcodeai.dev
even with "Enable analytics" unchecked.

Also fixes Matomo console warning: "The method disableCookies is registered
more than once in _paq variable. Only the last call has an effect."

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Major improvements to cron schedule management:

**New Components:**
- CronBuilder: Visual cron expression builder with 6 frequency types
  (minute, hourly, daily, weekly, monthly, custom)
- CronBuilderDialog: Dialog wrapper with clock icon trigger
- Added comprehensive unit tests for CronBuilder

**Timezone Fixes:**
- Fixed hourly intervals to run at clean local times instead of odd :30 minutes
- Converts hourly intervals (*/8) to specific UTC hours (2,10,18) for proper
  timezone handling
- Backend runs in UTC, frontend shows local time consistently
- Fixed double-conversion bugs that caused time shifts on edit

**UI Improvements:**
- Removed hardcoded formatCronExpression lookup table (only worked for 10 patterns)
- Removed redundant helper text below cron inputs
- Table now shows raw cron expression in monospace font
- CronBuilder preview shows human-readable description at bottom of dialog

**Tests Added:**
- End-to-end user experience tests verifying what users enter vs when jobs run
- Hourly interval conversion tests (*/8 → specific hours)
- Round-trip conversion tests ensuring edit shows original values
- Day-of-week adjustment tests for timezone boundary crossing

**Files Changed:**
- Removed: CronPickerField.tsx (replaced by CronBuilder)
- Updated: dateUtils.ts with hourly interval timezone logic
- Updated: Schedule.tsx and ScheduledChecksSection.tsx to use new components

Fixes issues where:
- "Every 8 hours at :00" showed runs at 3:30 AM instead of 12 AM, 8 AM, 4 PM
- Editing schedules caused time to shift by timezone offset
- Helper text showed wrong/confusing cron expressions

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…hive paths

- Fix missing Repository import in backup.py
- Add source_ssh_connection_id to repository API responses
- Use relative paths for SSHFS mounts to avoid ugly /tmp/sshfs_mount_xxx/ in archives
- List actual directory contents instead of backing up "." to remove dot entry from archives
- Improve CommandPreview with step-by-step UI showing mount, backup, and cleanup steps
- Fix RepositoryWizard to properly initialize remote data source selection when editing
- Add SSH prefix display (user@host:port:) in old repository form for remote sources
- Fix wizard content height to prevent jumping between steps

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
The LC_ALL=C prefix broke Hetzner Storage Box because their restricted
shell doesn't support environment variable assignment. Now the code:

- Tries with LC_ALL=C first (works for normal Linux systems)
- Falls back to plain df for restricted shells
- Uses smarter header detection by checking if second column is numeric
  (works for any language: English, German, etc.)

Adds 18 comprehensive tests for _run_df_command and collect_storage_info.

Co-Authored-By: Claude <noreply@anthropic.com>
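
The fallback and header detection described in the commit message above, as an added sketch (not the project's `_run_df_command` or `collect_storage_info`). The `df -k` flag, the function names, the injectable `run` callable and the sample outputs are assumptions constructed for illustration.

```python
import shlex
from typing import Callable, Optional, Tuple

# Assumption: the caller supplies a function that executes a command string on
# the remote side and returns (exit status, stdout). Injecting it keeps the
# example offline.
Runner = Callable[[str], Tuple[int, str]]


def run_df(run: Runner, path: str) -> Optional[str]:
    """Try df with a C locale first, then plain df for restricted shells."""
    quoted = shlex.quote(path)  # the path is data, never shell syntax
    for command in (f"LC_ALL=C df -k {quoted}", f"df -k {quoted}"):
        status, stdout = run(command)
        if status == 0 and stdout.strip():
            return stdout
    return None


def is_int(text: str) -> bool:
    return text.isascii() and text.isdigit()


def parse_df(output: str) -> Optional[dict]:
    """Return sizes from the first data row, whatever language the header uses.

    A header row has a word in its second column ("1K-blocks", "1K-Blöcke"),
    a data row has a number there, so no header text is ever compared.
    """
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 4 or not all(is_int(c) for c in cols[1:4]):
            continue  # header, blank line or anything that is not a data row
        total_kb, used_kb, available_kb = (int(c) for c in cols[1:4])
        return {"total_kb": total_kb, "used_kb": used_kb, "available_kb": available_kb}
    return None


def collect(run: Runner, path: str) -> Optional[dict]:
    output = run_df(run, path)
    return parse_df(output) if output is not None else None


# Constructed sample output with a German header.
GERMAN_DF = (
    "Dateisystem     1K-Blöcke    Benutzt Verfügbar Verw% Eingehängt auf\n"
    "/dev/sda1      1048576000  262144000 786432000   25% /home\n"
)


def restricted_shell(command: str) -> Tuple[int, str]:
    """Simulated restricted shell (constructed): rejects VAR=value prefixes."""
    if command.startswith("LC_ALL="):
        return 1, ""
    return 0, GERMAN_DF


if __name__ == "__main__":
    print(collect(restricted_shell, "/home"))
```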
- Refactor RepositoryWizard to use step names instead of indices
- Add required prop to SourceDirectoriesInput for optional source dirs in observe mode
- Add comprehensive test suite (59 tests) covering:
  - Create mode (all 5 steps)
  - Import mode (full repository)
  - Import mode (observability only)
  - Edit mode
  - SSH connection handling
  - Navigation

Co-Authored-By: Claude <noreply@anthropic.com>
- Repository health now based solely on backup status
- Check/compact warnings moved to maintenance alerts (not health indicators)
- Dashboard shows both unhealthy and healthy repos (up to 4 total)
- Unhealthy repos shown first, remaining slots filled with healthy repos
- Fix last_stats_refresh time format using serialize_datetime

Co-Authored-By: Claude <noreply@anthropic.com>
- Add tests for 12 new components (642 total tests)
- Improve branch coverage from 75% to 82%
- Exclude api.ts from coverage (low-value API wrappers)
- New test files: AnalyticsConsentBanner, CheckWarningDialog,
  CompactWarningDialog, CompressionSettings, CronBuilder,
  CronBuilderDialog, ExcludePatternInput, LockErrorDialog,
  PathSelectorField, RemoteMachineCard, RepositoryCell,
  SourceDirectoriesInput, matomo

Co-Authored-By: Claude <noreply@anthropic.com>
Scripts now receive backup context via environment variables:
- BORG_UI_BACKUP_STATUS: success/failure/warning (post-backup only)
- BORG_UI_REPOSITORY_NAME: Repository name
- BORG_UI_REPOSITORY_PATH: Repository path
- BORG_UI_REPOSITORY_ID: Repository ID
- BORG_UI_HOOK_TYPE: pre-backup or post-backup
- BORG_UI_JOB_ID: Backup job ID

This enables conditional actions in scripts based on backup result.

Co-Authored-By: Claude <noreply@anthropic.com>
Add session-scoped event_loop fixture with proper cleanup to prevent
"Event loop is closed" RuntimeError annotations in CI. Also adds
warning filters to suppress asyncio subprocess transport warnings
during test cleanup - a known Python 3.9+ issue.

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Add BORG_RELOCATED_REPO_ACCESS_IS_OK=yes environment variable to all
borg command invocations. This fixes the error when importing a
repository that was previously located at a different path.

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
- Add showSshMountPoints prop to FileExplorerDialog to hide SSH mount points
- Add allowedSshConnectionId prop to filter specific SSH connections
- Hide local paths when SSH source is selected and vice versa
- Disable data source cards (Local/Remote) when directories are already selected
- Show SSH prefix indicator for remote source directories immediately
- Add source_connection_id support to old repository form for remote-to-local
- Reset selection state when FileExplorerDialog reopens
- Add comprehensive tests for new functionality

Co-Authored-By: Claude <noreply@anthropic.com>
…nsive tests

- Extract wizard step components into src/components/wizard/:
  - WizardStepLocation: Repository name, location (local/SSH), path selection
  - WizardStepDataSource: Data source selection with remote-to-remote blocking
  - WizardStepSecurity: Encryption, passphrase, keyfile handling
  - WizardStepBackupConfig: Compression, exclude patterns, advanced options
  - WizardStepReview: Configuration summary and command preview
  - WizardStepIndicator: Step navigation with completion state
  - BackupFlowPreview: Visual diagram of backup data flow

- Extract dialogs from Repositories.tsx:
  - PruneRepositoryDialog: Repository pruning with retention policies
  - RepositoryInfoDialog: Repository details and storage statistics

- Add comprehensive test coverage for all new components (831 tests total)
  - Tests for remote-to-remote blocking behavior
  - Tests for local-to-remote and remote-to-local (SSHFS) workflows
  - Tests for SSH connection handling and validation

- Remove beta toggle for new wizard from Settings (now default)
- Significant cleanup of Repositories.tsx

Co-Authored-By: Claude (claude-opus-4-5) <noreply@anthropic.com>
- Add passphrase field to Repository and RepositoryData interfaces
- Allow null for custom_flags field (matches API response)
- Fix ssh_key_id to allow null when not set
- Make Repository extend RepositoryData in Repositories.tsx

Co-Authored-By: Claude (claude-opus-4-5) <noreply@anthropic.com>
…emote-to-remote prevention

Fixes two critical issues in repository editing:

1. Repository type not updating when switching from local to SSH
   - Added missing fields to RepositoryUpdate model (repository_type, host, port, username, ssh_key_id, connection_id)
   - Backend now properly updates repository type and SSH connection details
   - Test: test_update_repository_type_local_to_ssh

2. Source connection not clearing when switching from remote to local
   - Frontend now explicitly sets source_connection_id to null for local sources
   - Backend uses model_dump(exclude_unset=True) to distinguish null from unset
   - WizardStepDataSource clears sourceSshConnectionId when directories are removed
   - Test: test_update_repository_clear_source_connection_id

3. Remote location disabled when data source is remote (prevents remote-to-remote)
   - WizardStepLocation now receives dataSource and sourceSshConnectionId props
   - SSH repository card disabled in edit mode when backing up from remote machine
   - Clear info alert explains why remote-to-remote is not supported
   - Test: enables Borg UI Server when remote directories are deleted

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Critical bug fix: When editing SSH repositories via the wizard and modifying
source directories or other fields, the repository path was being corrupted
from the SSH URL format (ssh://user@host:22/path) to just the plain path
(/path), causing backup operations to fail with "Repository does not exist."

Root cause:
- The update_repository endpoint was directly saving the path without
  reconstructing the SSH URL, unlike the create_repository endpoint
- The wizard extracts the path component when loading SSH repositories
  for editing, and sends back just the path component when saving
- Without reconstruction, this plain path overwrote the SSH URL in the DB

The fix:
- Added SSH URL reconstruction logic to update_repository (similar to create)
- When repository_type is "ssh", reconstruct full SSH URL from components:
  ssh://username@host:port/path
- Handles paths already in SSH URL format by extracting path part first
- Uses updated SSH connection details or falls back to existing values

Tests added:
- test_update_ssh_repository_path_reconstruction: Verifies path stays as
  SSH URL after updates with source directory changes
- Updated test_update_repository_type_local_to_ssh to include path
  reconstruction verification

This resolves the issue where editing any field in an SSH repository
via the wizard would break the repository path, requiring manual repair
via the classic UI.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
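
One way to express the reconstruction described in the commit message above, as an added sketch (not the project's `update_repository` code). The function names, the dict-shaped rows and the component allow-lists are assumptions; only the `ssh://username@host:port/path` format and the field names come from the page.

```python
import re

# Assumption: conservative allow-lists so that no component can change the
# structure of the URL. IPv6 literals are out of scope for this sketch.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")
USER_RE = re.compile(r"[A-Za-z0-9._-]+")
SSH_FIELDS = ("username", "host", "port")


def extract_path(path: str) -> str:
    """Return the path part of a plain path or of an ssh:// URL."""
    if path.startswith("ssh://"):
        rest = path[len("ssh://"):]
        slash = rest.find("/")
        path = rest[slash:] if slash != -1 else ""
    if not path.startswith("/"):
        raise ValueError(f"expected an absolute path, got {path!r}")
    return path


def build_ssh_url(username, host, port, path: str) -> str:
    """Build ssh://username@host:port/path from validated components."""
    if not isinstance(username, str) or not USER_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    if not isinstance(host, str) or not HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return f"ssh://{username}@{host}:{port}{extract_path(path)}"


def path_to_store(existing: dict, update: dict) -> str:
    """Return the path to persist after applying an edit to a stored row.

    Fields the client sent override the stored ones; anything missing or None
    falls back to the stored value, so sending only the path component of an
    SSH repository cannot overwrite the stored SSH URL with a plain path.
    """
    merged = dict(existing)
    merged.update({k: v for k, v in update.items() if v is not None})
    if merged.get("repository_type") != "ssh":
        return merged["path"]
    missing = [f for f in SSH_FIELDS if merged.get(f) is None]
    if missing:
        raise ValueError(f"missing SSH fields: {missing}")
    return build_ssh_url(merged["username"], merged["host"], merged["port"], merged["path"])


if __name__ == "__main__":
    # Constructed stored row and wizard payload.
    stored = {"repository_type": "ssh", "username": "borg",
              "host": "backup.example.com", "port": 22,
              "path": "ssh://borg@backup.example.com:22/srv/borg/repo"}
    print(path_to_store(stored, {"path": "/srv/borg/repo"}))
```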
…ocation to SSH

When editing a repository and switching the location from local to SSH,
the command preview in the review step was displaying the plain path
instead of the SSH URL format (ssh://user@host:port/path).

Root cause:
- WizardStepReview was passing data.host, data.username, data.port directly
  to CommandPreview, but these wizard state fields are not populated when
  using SSH connection dropdown (only repoSshConnectionId is set)
- The component needed to look up SSH connection details from the connections
  list, similar to how it handles source SSH connections

The fix:
- Added getRepoConnectionDetails() helper to look up SSH connection details
  from sshConnections array when repoSshConnectionId is set
- Falls back to wizard state fields for backward compatibility
- CommandPreview now receives correct host/username/port and displays
  proper SSH URL format

Test: All 76 RepositoryWizard tests pass, including command preview tests

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…ocation

When editing a repository and changing the path to a new location that
doesn't have a borg repository yet, the system now automatically initializes
a borg repository at that location (similar to create mode behavior).

Previously, the update endpoint would just change the path in the database
without validating whether it's a valid borg repository, leading to broken
repositories when users corrected typos or relocated paths.

How it works:
1. When path changes in edit mode, check if new path is already a borg repo
2. If new path is a valid borg repo → Just update the path (no reinitialization)
3. If new path is NOT a borg repo → Initialize it using the repository's
   existing encryption and passphrase settings
4. Log warnings when old path is being abandoned

Tests added:
- test_update_repository_path_change_initializes_new_repo:
  Verifies that changing to a non-existent path initializes the repository
- test_update_repository_path_to_existing_repo_does_not_reinit:
  Verifies that changing to an existing borg repo doesn't reinitialize it
- Updated test_update_repository_type_local_to_ssh to accept 500 status
  when SSH keys are unavailable in test environment

Technical details:
- Uses BorgInterface.get_repository_info() to check if path is valid repo
- Calls initialize_borg_repository() if path is invalid or doesn't exist
- Handles both local and SSH repository types
- Preserves encryption, passphrase, and other settings from original repo

Use cases:
- Correcting a typo in the repository path after creation
- Relocating a repository to a new storage location
- Switching from one path to another during testing/development

Warning: The old repository at the old path becomes orphaned when you change
the path. This is intentional for path correction scenarios.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…d-only repos

Adds --bypass-lock flag support to file extraction operations for
observability/read-only repositories that cannot acquire exclusive locks.

Changes:
- app/core/borg.py: Add bypass_lock parameter to extract_archive()
- app/api/archives.py: Pass bypass_lock from repo to file download extraction
- app/services/restore_service.py: Add --bypass-lock to restore command when repo has bypass_lock enabled
- app/api/restore.py: Pass bypass_lock to restore preview operations

Fixes file downloads failing with "Read-only file system" errors when
trying to acquire locks on observability-only repositories.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
karanhudia and others added 21 commits February 19, 2026 12:36
…estore preview paths

- Show original/custom location radio buttons for SSH destinations once a
  connection is selected (previously only shown for local destinations)
- SSH connection selector now renders before the strategy options so the
  flow reads top-to-bottom naturally
- Original location description adapts to mention the remote machine for SSH
- Unified path input: custom path field shown for any destination type when
  custom strategy is selected, removing the separate SSH-only path input
- Simplified canProceed() validation: require customPath only when custom
  strategy is selected, regardless of destination type
- Fix restore preview in review step: custom strategy now shows the full
  archive path under the custom destination (e.g. /mnt/disk/home/user/file)
  instead of only the last path component, matching actual borg extract behaviour
- Remove dead else-if branch in getDestinationPath that was unreachable
  after the strategy/destination type unification

Co-Authored-By: Claude <noreply@anthropic.com>
- Replace childish intro line with a direct one-liner
- Split Docker Compose section into three explicit options: no Redis,
  bundled Redis, and external Redis — each a complete copy-paste config
  so users never need to manually add or remove sections
- Option 3 (external Redis) now includes both the Redis-only compose for
  the Redis machine and the borg-ui compose that connects to it
- Add upfront explanation of /local (source data) vs backup repositories
  (configured in the UI) to resolve the most common new-user confusion
- Inline PUID/PGID and TZ hints directly in compose comments so users
  see them at the point of action, not buried in Customization
- Remove version: '3.8' (deprecated in Compose v2)
- Fix stale /mnt/backup-source reference in Customization section
- Standardise permission instructions on id -u && id -g throughout

Co-Authored-By: Claude <noreply@anthropic.com>
Replace the incorrect "container automatically mounts your host filesystem
at /local" claim with an accurate explanation: mounts contain exactly what
the user configured in docker-compose volumes, named however they like.
Add a practical multi-drive example showing /photos, /nas, /external with
LOCAL_MOUNT_POINTS so the file browser discovers all of them. Remove the
"entire filesystem mounted by default" line and the confusing overlapping
/local sub-path example.

Co-Authored-By: Claude <noreply@anthropic.com>
Without this, disableCookies() caused every page load to generate a
fresh random visitor ID, making unique-user counts meaningless.

Each browser/installation gets a random UUID on first visit, persisted
in localStorage as borg_ui_install_id. The Matomo user ID is then
hash(installId + username), which is stable across sessions and unique
across separate borg-ui instances — even when all users are named "admin".

No resetUserId on logout: the same deterministic hash is set again on
next login, so resetting just creates a pointless anonymous gap.

Co-Authored-By: Claude <noreply@anthropic.com>
…ions/download-artifact-7

ci(deps): bump actions/download-artifact from 4 to 7
…er-evans/dockerhub-description-5

ci(deps): bump peter-evans/dockerhub-description from 4 to 5
chore(deps): bump gunicorn from 23.0.0 to 25.1.0
chore(deps): bump croniter from 1.4.1 to 6.0.0
Bumps [ajv](https://github.com/ajv-validator/ajv) from 6.12.6 to 6.14.0.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [psutil](https://github.com/giampaolo/psutil) from 5.9.6 to 7.2.2.
- [Changelog](https://github.com/giampaolo/psutil/blob/master/HISTORY.rst)
- [Commits](giampaolo/psutil@release-5.9.6...release-7.2.2)

---
updated-dependencies:
- dependency-name: psutil
  dependency-version: 7.2.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [bcrypt](https://github.com/pyca/bcrypt) from 4.0.1 to 5.0.0.
- [Changelog](https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst)
- [Commits](pyca/bcrypt@4.0.1...5.0.0)

---
updated-dependencies:
- dependency-name: bcrypt
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
chore(deps): bump psutil from 5.9.6 to 7.2.2
chore(deps): bump pytest-cov from 4.1.0 to 7.0.0
chore(deps): bump structlog from 23.2.0 to 25.5.0
…end/ajv-6.14.0

chore(deps): bump ajv from 6.12.6 to 6.14.0 in /frontend
chore(deps): bump redis from 5.0.1 to 7.1.1
chore(deps): bump bcrypt from 4.0.1 to 5.0.0
…end/jsdom-28.1.0

chore(deps-dev): bump jsdom from 27.0.1 to 28.1.0 in /frontend
@github-actions

🔒 Security Scan Results

Commit: 6c96b2f

| Check | Status |
| --- | --- |
| Frontend (npm audit) | ❌ FAILED |
| Backend (pip-audit) | ❌ FAILED |
| Filesystem (Trivy) | ✅ PASSED |

📊 See workflow artifacts for detailed reports.

karanhudia and others added 6 commits February 24, 2026 12:46
…quency

- Raise the default source size calculation timeout from 120s to 3600s
  (1 hour) so that large datasets (10TB+) can fully traverse before the
  du process is killed; previously only paths that completed within 120s
  contributed to the total, causing wildly inaccurate source sizes
- Add SOURCE_SIZE_TIMEOUT as a user-configurable setting via UI
  (Settings → System → Operation Timeouts) and environment variable,
  backed by a new DB column (migration 070) with the same priority
  ordering as other timeouts (UI > env var > default)
- Commit current_file to the DB immediately when it changes to a new
  value, so the frontend reflects the active file within one poll cycle
  instead of waiting up to 6s (3s file-duration threshold + 3s commit
  interval)

Co-Authored-By: Claude <noreply@anthropic.com>
pytest-cov 7.0.0 requires coverage>=7.10.6, which conflicts with the
previously pinned coverage==7.3.2.

Co-Authored-By: Claude <noreply@anthropic.com>
…ility

passlib 1.7.4 is unmaintained and incompatible with bcrypt >= 4.1 due to
reliance on removed internal APIs. This caused all authentication to fail
with 401 errors after the bcrypt 5.0.0 upgrade.

Replace passlib's CryptContext with direct bcrypt.hashpw/checkpw calls
and remove the passlib dependency entirely.

Co-Authored-By: Claude <noreply@anthropic.com>
The test fixtures mock `settings` but didn't set the timeout attributes
(borg_info_timeout, borg_list_timeout, source_size_timeout). This caused
_get_operation_timeouts() to return MagicMock objects instead of integers,
making asyncio.wait_for() fail and _calculate_source_size() return 0.

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
@github-actions

🔒 Security Scan Results

Commit: 942d33b

| Check | Status |
| --- | --- |
| Frontend (npm audit) | ❌ FAILED |
| Backend (pip-audit) | ✅ PASSED |
| Filesystem (Trivy) | ✅ PASSED |

📊 See workflow artifacts for detailed reports.

Labels: dependencies (Pull requests that update a dependency file), major-update, needs-review
