diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f33a02cd16..1eaf7a5cfa 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,12 +1,54 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for more information: -# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates -# https://containers.dev/guide/dependabot +# Dependabot configuration for automated dependency updates +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates version: 2 updates: - - package-ecosystem: "devcontainers" - directory: "/" - schedule: - interval: weekly + # NuGet (.NET packages) + - package-ecosystem: nuget + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + labels: + - dependencies + - .net + commit-message: + prefix: "chore(deps)" + + # npm (frontend) + - package-ecosystem: npm + directory: /frontend + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + labels: + - dependencies + - frontend + commit-message: + prefix: "chore(deps)" + + # Docker (base images) + - package-ecosystem: docker + directory: / + schedule: + interval: weekly + day: monday + labels: + - dependencies + - docker + commit-message: + prefix: "chore(deps)" + + # GitHub Actions + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + labels: + - dependencies + - ci + commit-message: + prefix: "ci(deps)" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 480b768aa4..6bb5028b69 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,7 +28,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 1 
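Review bot: The npm entry's `directory: /frontend` looks inconsistent with the rest of this commit, where `yarn.lock` lives at the repository root (`diff --git a/yarn.lock`, and build.yml's cache key hashes `yarn.lock` with no `frontend/` prefix); if `package.json` sits beside that lockfile, Dependabot will find no manifest under `/frontend` and npm updates will silently never open. Set `directory: /` for the npm entry, or confirm a manifest really exists in `frontend/`. Separately, `open-pull-requests-limit` is set only for nuget and npm while the docker and github-actions stanzas fall back to Dependabot's default; stating it explicitly on all four keeps the stanzas readable as one policy.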
@@ -42,7 +42,7 @@ jobs: echo "DATE=$(date --rfc-3339=date)" >> "$GITHUB_ENV" - name: Cache NuGet packages - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: _cache/nuget key: nuget-${{ runner.os }}-${{ hashFiles('src/Directory.Packages.props', 'src/**/*.csproj', 'global.json') }} @@ -50,7 +50,7 @@ jobs: nuget-${{ runner.os }}- - name: Cache Node modules - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: | _cache/node @@ -60,7 +60,7 @@ jobs: node-${{ runner.os }}- - name: Cache MSBuild outputs - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: _cache/msbuild key: msbuild-${{ runner.os }}-${{ hashFiles('src/**/*.cs', 'src/**/*.csproj', 'src/**/*.targets', 'src/**/*.props') }} @@ -69,7 +69,7 @@ jobs: msbuild-${{ runner.os }}- - name: Cache Webpack - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: _cache/webpack key: webpack-${{ runner.os }}-${{ hashFiles('frontend/src/**/*', 'yarn.lock') }} @@ -118,7 +118,7 @@ jobs: reporttypes: "HtmlInline;Cobertura;TextSummary" - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@v5 if: always() continue-on-error: true with: diff --git a/.github/workflows/label-actions.yml b/.github/workflows/label-actions.yml index a7fc89446a..1ae680fc8d 100644 --- a/.github/workflows/label-actions.yml +++ b/.github/workflows/label-actions.yml @@ -12,6 +12,6 @@ jobs: action: runs-on: ubuntu-latest steps: - - uses: dessant/label-actions@v3 + - uses: dessant/label-actions@v5 with: process-only: 'issues' diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 0000000000..d20e22a6fa --- /dev/null +++ b/.github/workflows/sonarcloud.yml 
@@ -0,0 +1,50 @@
+# SonarCloud analysis for code quality and security
+#
+# Setup required:
+# 1. Create project at sonarcloud.io using your GitHub account
+# 2. Add SONAR_TOKEN secret to repository (Settings > Secrets > Actions)
+# 3. Update projectKey and organization below
+
+name: SonarCloud
+
+on:
+ push:
+ branches: [develop, main]
+ pull_request:
+ branches: [develop]
+ workflow_dispatch:
+
+permissions:
+ pull-requests: read
+
+jobs:
+ analyze:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check for SONAR_TOKEN
+ id: check-secret
+ run: |
+ if [ -n "${{ secrets.SONAR_TOKEN }}" ]; then
+ echo "available=true" >> $GITHUB_OUTPUT
+ else
+ echo "available=false" >> $GITHUB_OUTPUT
+ echo "::warning::SONAR_TOKEN not configured - skipping SonarCloud scan"
+ fi
+
+ - name: Checkout
+ if: steps.check-secret.outputs.available == 'true'
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: SonarCloud Scan
+ if: steps.check-secret.outputs.available == 'true'
+ uses: SonarSource/sonarcloud-github-action@v2
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ args: >
+ -Dsonar.projectKey=cheir-mneme_aletheia
+ -Dsonar.organization=cheir-mneme
+ -Dsonar.sources=src
+ -Dsonar.exclusions=**/node_modules/**,**/bin/**,**/obj/**,**/*.min.js
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml new file mode 100644
index 0000000000..e02b0ed0e0
--- /dev/null
+++ b/.github/workflows/super-linter.yml
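Review bot: The `permissions:` block grants only `pull-requests: read`, which resets every other scope to none, including `contents`; `actions/checkout@v6` then runs with a token that has no repository read access, which fails on a private repository and leaves the intent implicit even on a public one, so add `contents: read` beside `pull-requests: read`. The secret-presence check also interpolates `${{ secrets.SONAR_TOKEN }}` straight into the `run:` script body; GitHub masks it in logs, but the conventional shape is to pass it through `env:` and test the variable, i.e. `env: { SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} }` on the step and `if [ -n "$SONAR_TOKEN" ]; then` in the script. As far as I recall `SonarSource/sonarcloud-github-action` has been superseded by `SonarSource/sonarqube-scan-action`; worth confirming the `v2` tag is still maintained before building the pipeline on it.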
@@ -0,0 +1,38 @@
+# Super Linter for code quality checks on changed files
+# https://github.com/super-linter/super-linter
+
+name: Lint Code Base
+
+on:
+ push:
+ branches: [develop, main]
+ pull_request:
+ branches: [develop]
+
+permissions:
+ contents: read
+ statuses: write
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Lint Code Base
+ uses: super-linter/super-linter/slim@v6
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ DEFAULT_BRANCH: develop
+ VALIDATE_ALL_CODEBASE: false
+ # Disable linters not needed or handled elsewhere
+ VALIDATE_CSHARP: false
+ VALIDATE_JSCPD: false
+ VALIDATE_NATURAL_LANGUAGE: false
+ VALIDATE_MARKDOWN: false
+ VALIDATE_GITLEAKS: false
+ VALIDATE_CHECKOV: false
+ VALIDATE_GITHUB_ACTIONS: false
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644
index 0000000000..774d5f135b
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,41 @@
+# Trivy vulnerability scanner
+# Scans for CVEs in filesystem/dependencies and uploads to GitHub Security tab
+# Note: Image scanning requires built artifacts, use release workflow for that
+
+name: Trivy Security Scan
+
+on:
+ push:
+ branches: [develop, main]
+ pull_request:
+ branches: [develop]
+ schedule:
+ - cron: '0 6 * * 1' # Weekly on Monday at 6am UTC
+
+permissions:
+ contents: read
+ security-events: write
+ actions: read
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Run Trivy filesystem scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
+
+ - name: Upload Trivy results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/CLA.md b/CLA.md
index 05ce7890dd..5a1b566bf3 100644
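Review bot: `VALIDATE_GITLEAKS: false`, `VALIDATE_CHECKOV: false` and `VALIDATE_GITHUB_ACTIONS: false` switch off the secret, IaC and workflow linters under a comment saying they are "handled elsewhere", yet nothing in this commit replaces actionlint or checkov (the new trivy.yml is a filesystem vulnerability scan, not workflow or IaC linting). Since this same commit adds four workflow files, keeping `VALIDATE_GITHUB_ACTIONS` enabled is the cheapest way to catch mistakes in them. If gitleaks really is covered by another tool, name it so the next reader can verify, e.g. `# Gitleaks/Checkov disabled: secret and IaC scanning is handled by <tool>`.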
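Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so each run executes whatever upstream's default branch currently holds; for a step that holds `security-events: write` and runs unattended on a weekly schedule this should be a release tag or, better, a commit SHA (`aquasecurity/trivy-action@<tag-or-sha>`), which the new github-actions Dependabot entry will then keep current. Note also that no `exit-code` input is set, so the scan only reports to the Security tab and never fails a pull request; if the intent is to gate on CRITICAL/HIGH findings, add `exit-code: '1'` next to `severity`. `ignore-unfixed: true` additionally hides findings with no upstream fix, a reasonable noise trade-off that deserves a line in the header comment so it is not mistaken for a clean result.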
--- a/CLA.md +++ b/CLA.md @@ -1,6 +1,6 @@ -# Radarr Individual Contributor License Agreement # +# Aletheia Individual Contributor License Agreement # -Thank you for your interest in contributing to Radarr ("We" or "Us"). +Thank you for your interest in contributing to Aletheia ("We" or "Us"). This contributor agreement ("Agreement") documents the rights granted by contributors to Us. To make this document effective, please complete the form below. This is a legally binding document, so please read it carefully before agreeing to it. The Agreement may cover more than one software project managed by Us. ## 1. Definitions ## diff --git a/src/NzbDrone.Common/Radarr.Common.csproj b/src/NzbDrone.Common/Radarr.Common.csproj index 8a25ce5619..27ea960f82 100644 --- a/src/NzbDrone.Common/Radarr.Common.csproj +++ b/src/NzbDrone.Common/Radarr.Common.csproj @@ -27,6 +27,7 @@ + True True diff --git a/yarn.lock b/yarn.lock index fa96151173..6568a76631 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4344,9 +4344,9 @@ jquery@3.7.1: integrity sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ== js-yaml@^4.1.0: - version "4.1.0" - resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602" - integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA== + version "4.1.1" + resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.1.tgz#854c292467705b699476e1a2decc0c8a3458806b" + integrity sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA== dependencies: argparse "^2.0.1"