From 78683f656f46f9da6d29de8416c8445f708be930 Mon Sep 17 00:00:00 2001 From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Mon, 30 Mar 2026 13:11:57 -0600 Subject: [PATCH 1/4] Reduce smoke-test CI usage --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 00b9e68..18e9e37 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,7 +26,7 @@ on: run_smoke_test: description: "Run the smoke-test job" required: false - default: true + default: false type: boolean publish_image: description: "Publish image tags from the current ref" @@ -67,7 +67,7 @@ jobs: PY smoke-test: - if: ${{ github.event_name != 'workflow_dispatch' || inputs.run_smoke_test == true }} + if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && inputs.run_smoke_test == true) }} needs: validate runs-on: ubuntu-latest permissions: From fc385f96a4d731a4bc6e95552889e2f08dcbc0de Mon Sep 17 00:00:00 2001 From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Mon, 30 Mar 2026 13:22:03 -0600 Subject: [PATCH 2/4] Standardize funding and security docs --- .github/FUNDING.yml | 2 ++ SECURITY.md | 22 ++++++++++++++-------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index d382aa6..8b15bef 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1 +1,3 @@ +github: + - JSONbored ko_fi: jsonbored diff --git a/SECURITY.md b/SECURITY.md index f2b717d..7a1513e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
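Review bot: With `default: false` on `run_smoke_test`, a manual dispatch that sets only `publish_image: true` will no longer publish: the publish job (visible in the later patch of this series) lists `smoke-test` under `needs`, and GitHub skips a dependent job whenever a needed job is skipped unless its `if` uses a status function such as `!cancelled()`. Either the `publish_image` input description should state that `run_smoke_test` must also be enabled, or the publish job's condition should be rewritten to tolerate a skipped smoke test by checking `needs.smoke-test.result` against `success`/`skipped` under `!cancelled()`. The new `smoke-test` condition itself reads correctly; `inputs.run_smoke_test == true` is redundant for a `type: boolean` input but harmless. Both hunks sit inside the `on:`/`jobs:` mappings whose remainder is outside the hunk.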
@@ -2,19 +2,25 @@ ## Supported Versions -Only the current `latest` tag, the current upstream-matching version tags, and the `main` branch are supported with security fixes. +Only the `main` branch, the current `latest` image tag, and the current upstream-aligned version tags are supported with security fixes. | Version | Supported | | ------- | --------- | -| latest | yes | -| current upstream version tags | yes | -| older | no | +| main | yes | +| latest | yes | +| current upstream-aligned tags | yes | +| older | no | ## Reporting a Vulnerability -Please report security issues privately instead of opening a public issue. +Do not open public issues for suspected vulnerabilities. -- Preferred: GitHub private vulnerability reporting for this repository -- Fallback: `security@aethereal.dev` +- Preferred: GitHub private vulnerability report for this repository +- Fallback: email `security@aethereal.dev` -Include the affected image tag, reproduction details, impact, and any mitigations you already verified. +Include: + +- affected repo, branch, or image tag +- reproduction steps +- impact assessment +- any confirmed mitigation From 3427513cee405b68aad10e9ac445512adb13a0c1 Mon Sep 17 00:00:00 2001 From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Mon, 30 Mar 2026 13:52:19 -0600 Subject: [PATCH 3/4] Add standard community templates --- .github/ISSUE_TEMPLATE/bug_report.yml | 30 ++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 1 + .github/ISSUE_TEMPLATE/feature_request.yml | 25 +++++++++++++++ .github/ISSUE_TEMPLATE/installation_help.yml | 32 ++++++++++++++++++++ .github/pull_request_template.md | 14 +++++++++ 5 files changed, 102 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml create mode 100644 .github/ISSUE_TEMPLATE/installation_help.yml create mode 100644 .github/pull_request_template.md 
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..a147b4f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,30 @@ +name: Bug report +description: Report a problem with the AIO container, XML, or docs +title: "[Bug]: " +labels: + - bug +body: + - type: textarea + id: summary + attributes: + label: Summary + description: What is broken? + validations: + required: true + - type: textarea + id: steps + attributes: + label: Steps to reproduce + validations: + required: true + - type: textarea + id: expected + attributes: + label: Expected behavior + validations: + required: true + - type: textarea + id: environment + attributes: + label: Environment + description: Include Unraid version, image tag, and relevant settings diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..3ba13e0 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1 @@ +blank_issues_enabled: false diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..41dbdfa --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -0,0 +1,25 @@ +name: Feature request +description: Suggest an improvement to the template, AIO image, or Unraid CA experience +title: "[Feature]: " +labels: + - enhancement +body: + - type: textarea + id: problem + attributes: + label: Problem to solve + description: What is missing, confusing, or unnecessarily hard today? + validations: + required: true + - type: textarea + id: proposed + attributes: + label: Proposed improvement + description: Describe the change you want and why it would help. + validations: + required: true + - type: textarea + id: context + attributes: + label: Additional context + description: Include app-specific, Unraid-specific, or user-experience details that matter. 
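Review bot: `config.yml` disables blank issues but gives no `contact_links`, so a reporter who finds a vulnerability has only the public "Bug report" form in front of them, contradicting the SECURITY.md instruction in the previous patch not to open public issues. A contact link pointing at the repository's private vulnerability reporting page keeps that path discoverable from the issue chooser; the owner is visible in this series but the repository name is not, so the URL below carries a placeholder to fill in.
```yaml
blank_issues_enabled: false
contact_links:
  - name: Security vulnerability
    url: https://github.com/<OWNER>/<REPO>/security/advisories/new  # replace placeholder with this repository's path
    about: Do not open a public issue for a suspected vulnerability; use private reporting (see SECURITY.md).
```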
diff --git a/.github/ISSUE_TEMPLATE/installation_help.yml b/.github/ISSUE_TEMPLATE/installation_help.yml new file mode 100644 index 0000000..89bbdaa --- /dev/null +++ b/.github/ISSUE_TEMPLATE/installation_help.yml @@ -0,0 +1,32 @@ +name: Installation help +description: Get help with first-run setup, Unraid mapping choices, or upgrade behavior +title: "[Help]: " +labels: + - question +body: + - type: textarea + id: goal + attributes: + label: What are you trying to do? + description: Describe the install, upgrade, or configuration task you are working through. + validations: + required: true + - type: textarea + id: current + attributes: + label: What is happening now? + description: Include the exact symptom, error, or point where you got stuck. + validations: + required: true + - type: textarea + id: environment + attributes: + label: Environment + description: Include Unraid version, image tag, relevant template values, and whether this is a fresh install or an upgrade. + validations: + required: true + - type: textarea + id: logs + attributes: + label: Relevant logs or screenshots + description: Paste container logs or screenshots that will help reproduce the problem faster. diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..470dbbb --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,14 @@ +## Summary + +- what changed +- why it changed + +## Validation + +- [ ] local smoke test passed +- [ ] docs updated if behavior changed +- [ ] XML updated if config surface changed + +## Risks + +- note any migration, data, or compatibility risk From 23100b0868fbee374dc89b1b2bf29145107b3e5b Mon Sep 17 00:00:00 2001 
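Review bot: The `logs` textarea in `installation_help.yml` asks reporters to paste container logs and screenshots but does not remind them to strip credentials first; presumably the AIO container's template values include provider API keys or tokens that can surface in startup logs, and a public issue is the wrong place for those. Consider `description: Paste container logs or screenshots that will help reproduce the problem faster. Redact API keys, tokens, and other secrets before posting.` The `environment` field in `bug_report.yml` (previous hunk) invites "relevant settings" and would benefit from the same wording.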
From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Mon, 30 Mar 2026 14:09:30 -0600 Subject: [PATCH 4/4] Consolidate CI workflows --- .github/workflows/build.yml | 101 +++++++++++++++++++++++++++- .github/workflows/security.yml | 71 ------------------- .github/workflows/sync-template.yml | 54 --------------- 3 files changed, 100 insertions(+), 126 deletions(-) delete mode 100644 .github/workflows/security.yml delete mode 100644 .github/workflows/sync-template.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 18e9e37..97f35af 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,8 @@ on: branches: [ main ] paths: - 'Dockerfile' + - 'mem0-aio.xml' + - 'assets/**' - 'rootfs/**' - 'scripts/**' - 'openmemory' @@ -15,6 +17,8 @@ on: branches: [ main ] paths: - 'Dockerfile' + - 'mem0-aio.xml' + - 'assets/**' - 'rootfs/**' - 'scripts/**' - 'openmemory' 
@@ -66,9 +70,58 @@ jobs: print("Parsed mem0-aio.xml successfully") PY + pinned-actions: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + + - name: Enforce pinned action SHAs + run: | + python3 - <<'PY' + import pathlib + import re + import sys + + workflow_dir = pathlib.Path(".github/workflows") + pattern = re.compile(r"^\s*uses:\s*([^@\s]+)@([^\s#]+)") + sha_pattern = re.compile(r"^[0-9a-f]{40}$") + failures = [] + + for path in sorted(workflow_dir.glob("*.yml")): + for lineno, line in enumerate(path.read_text().splitlines(), start=1): + match = pattern.match(line) + if not match: + continue + target, ref = match.groups() + if target.startswith("./"): + continue + if not sha_pattern.fullmatch(ref): + failures.append(f"{path}:{lineno}: action is not pinned to a full SHA -> {line.strip()}") + + if failures: + print("\n".join(failures), file=sys.stderr) + sys.exit(1) + print("All workflow actions are pinned to full commit SHAs.") + PY + + dependency-review: + if: ${{ github.event_name == 'pull_request' }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: Dependency review + uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 + smoke-test: if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && inputs.run_smoke_test == true) }} - needs: validate + needs: + - validate + - pinned-actions runs-on: ubuntu-latest permissions: contents: read @@ -108,6 +161,7 @@ jobs: if: ${{ github.event_name != 'pull_request' && ((github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' && inputs.publish_image == true)) }} needs: - validate + - pinned-actions - smoke-test runs-on: ubuntu-latest permissions: 
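Review bot: The pinned-actions check only scans `workflow_dir.glob("*.yml")`, so a workflow added as `.yaml` — which GitHub accepts — would bypass the SHA enforcement entirely; `for path in sorted(workflow_dir.glob("*.y*ml")):` covers both extensions with no other change. Local composite actions under `.github/actions/*/action.yml` are also outside the scan, which is fine as long as none exist, but worth a comment next to `workflow_dir` stating that scope. In the `dependency-review` job, `pull-requests: write` is only needed if the action is configured to comment on the PR (as far as I recall its `comment-summary-in-pr` default is `never`); with no `with:` block here, `contents: read` alone should suffice — please confirm before dropping it. The second hunk (`publish` gaining `needs: pinned-actions`) raises nothing; both hunks are inside the `jobs:` mapping that continues outside the hunk.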
@@ -164,3 +218,48 @@ jobs: platforms: linux/amd64,linux/arm64 cache-from: type=gha cache-to: type=gha,mode=max + + sync-awesome-unraid: + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} + needs: + - validate + - pinned-actions + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Verify sync token is present + id: token + env: + SYNC_TOKEN: ${{ secrets.SYNC_TOKEN }} + run: | + if [[ -n "${SYNC_TOKEN}" ]]; then + echo "enabled=true" >> "${GITHUB_OUTPUT}" + else + echo "enabled=false" >> "${GITHUB_OUTPUT}" + echo "SYNC_TOKEN is not configured; skipping." + fi + + - name: Checkout Source Repository + if: ${{ steps.token.outputs.enabled == 'true' }} + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + + - name: Checkout Target Repository + if: ${{ steps.token.outputs.enabled == 'true' }} + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + repository: JSONbored/awesome-unraid + token: ${{ secrets.SYNC_TOKEN }} + path: target-repo + + - name: Copy and Commit Template + if: ${{ steps.token.outputs.enabled == 'true' }} + run: | + cp mem0-aio.xml target-repo/mem0-aio.xml + mkdir -p target-repo/icons + cp assets/mem0.jpeg target-repo/icons/mem0.jpeg + cd target-repo + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add mem0-aio.xml icons/mem0.jpeg + git diff --quiet && git diff --staged --quiet || (git commit -m "chore: auto-sync mem0-aio assets from upstream" && git push) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml deleted file mode 100644 index f1e0fba..0000000 --- a/.github/workflows/security.yml +++ /dev/null 
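Review bot: `sync-awesome-unraid` pushes directly to the default branch of `JSONbored/awesome-unraid` on every push to `main`, with `SYNC_TOKEN` persisted into `target-repo/.git/config` by `actions/checkout`; that is what the final `git push` relies on, but it means anything that lands on `main` here is written to the downstream repository without review, so the token should be a fine-grained token limited to that single repository with contents write only — worth stating in a comment on the `Checkout Target Repository` step. The job depends on `validate` and `pinned-actions` but not `smoke-test`, which on a `main` push does run, so the template can be synced before the image it describes has passed the smoke test; consider adding `- smoke-test` to `needs` if that ordering matters. In the commit step, `git diff --quiet && git diff --staged --quiet || (...)` is effectively `git diff --staged --quiet || (...)` after the preceding `git add`; the shorter form says what is meant. The old `sync-template.yml` also ran on `workflow_dispatch`, which the new `if` excludes — confirm that loss is intended. The hunk starts inside the `publish` job's build step, which begins outside it.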
@@ -1,71 +0,0 @@ -name: Workflow And Dependency Security - -on: - push: - branches: [ main ] - paths: - - '.github/workflows/**' - - 'Dockerfile' - - 'renovate.json' - pull_request: - branches: [ main ] - paths: - - '.github/workflows/**' - - 'Dockerfile' - - 'renovate.json' - workflow_dispatch: - -env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - pinned-actions: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - name: Enforce pinned action SHAs - run: | - python3 - <<'PY' - import pathlib - import re - import sys - - workflow_dir = pathlib.Path(".github/workflows") - pattern = re.compile(r"^\s*uses:\s*([^@\s]+)@([^\s#]+)") - sha_pattern = re.compile(r"^[0-9a-f]{40}$") - failures = [] - - for path in sorted(workflow_dir.glob("*.yml")): - for lineno, line in enumerate(path.read_text().splitlines(), start=1): - match = pattern.match(line) - if not match: - continue - target, ref = match.groups() - if target.startswith("./"): - continue - if not sha_pattern.fullmatch(ref): - failures.append(f"{path}:{lineno}: action is not pinned to a full SHA -> {line.strip()}") - - if failures: - print("\n".join(failures), file=sys.stderr) - sys.exit(1) - print("All workflow actions are pinned to full commit SHAs.") - PY - - dependency-review: - if: ${{ github.event_name == 'pull_request' }} - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - steps: - - name: Dependency review - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/.github/workflows/sync-template.yml b/.github/workflows/sync-template.yml deleted file mode 100644 index bf4cf12..0000000 --- a/.github/workflows/sync-template.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -name: Sync Template to Awesome-Unraid - -on: - push: - paths: - - 'mem0-aio.xml' - - 'assets/mem0.jpeg' - - '.github/workflows/sync-template.yml' - branches: - - main - - workflow_dispatch: - -permissions: - contents: read - -jobs: - sync: - runs-on: ubuntu-latest - steps: - - name: Checkout Source Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - name: Check sync token availability - id: sync-token - env: - SYNC_TOKEN: ${{ secrets.SYNC_TOKEN }} - run: | - if [[ -n "${SYNC_TOKEN}" ]]; then - echo "enabled=true" >> "${GITHUB_OUTPUT}" - else - echo "enabled=false" >> "${GITHUB_OUTPUT}" - echo "SYNC_TOKEN is not configured; skipping sync." - fi - - - name: Checkout Target Repository - if: ${{ steps.sync-token.outputs.enabled == 'true' }} - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - repository: JSONbored/awesome-unraid - token: ${{ secrets.SYNC_TOKEN }} - path: target-repo - - - name: Copy and commit template - if: ${{ steps.sync-token.outputs.enabled == 'true' }} - run: | - cp mem0-aio.xml target-repo/mem0-aio.xml - mkdir -p target-repo/icons - cp assets/mem0.jpeg target-repo/icons/mem0.jpeg - cd target-repo - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add mem0-aio.xml icons/mem0.jpeg - git diff --quiet && git diff --staged --quiet || (git commit -m "chore: auto-sync mem0-aio assets from upstream" && git push)