Merge dev to stable

.dockerignore

@@ -1,5 +1,6 @@
 *
-!dist/backend.step2.tmp.js
+!src/
+!bun.lockb
 !bunfig.toml
 !LICENSE
 !package.json

.env.example

@@ -1,6 +1,6 @@
 ## SERVER:
 # Set log verbosity [2]:integer
-# 0=error <- 1=warn <- 2=info <- 3=debug
+# (0=error <- 1=warn <- 2=info <- 3=debug)
 #LOGLEVEL=2
 
 # Port for the server [4000]:integer

.github/workflows/release.yml

@@ -1,28 +1,28 @@
-name: "CD -> Release"
+name: CD -> Release
 on:
   workflow_dispatch:
     inputs:
       artifact-action:
-        description: "Artifact action"
+        description: Artifact action
         type: choice
         required: true
-        default: "none"
+        default: none
         options:
-          - "none"
-          - "build"
-          - "build-release"
+          - none
+          - build
+          - build-release
       image-action:
-        description: "Container image action"
+        description: Container image action
         type: choice
         required: true
-        default: "none"
+        default: none
         options:
-          - "none"
-          - "build"
-          - "build-release"
+          - none
+          - build
+          - build-release
 
 concurrency:
-  group: "${{ github.workflow }}-${{ github.ref }}"
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
 
 permissions:
@@ -31,23 +31,23 @@ permissions:
 jobs:
   artifact:
     if: ${{ github.repository_owner == 'jspaste' && inputs.artifact-action != 'none' }}
-    name: "Build artifact"
+    name: Build artifact
     runs-on: ubuntu-latest
     permissions:
       attestations: write
       contents: write
       id-token: write
 
     steps:
-      - name: "Harden Runner"
+      - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - name: "Setup Bun"
+      - name: Setup Bun
         uses: oven-sh/setup-bun@4bc047ad259df6fc24a6c9b0f9a0cb08cf17fbe5 # v2.0.1
 
-      - name: "Setup tags"
+      - name: Setup tags
         id: tags-artifact
         run: |
           TIMESTAMP="$(date +%Y.%m.%d)"
@@ -62,41 +62,49 @@ jobs:
           echo "tag=${TAG}" >>"$GITHUB_OUTPUT"
           echo "extended=${TIMESTAMP}-${GITHUB_SHA_SHORT}" >>"$GITHUB_OUTPUT"
 
-      - name: "Checkout"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
 
-      - name: "Setup production dependencies"
+      - name: Setup production dependencies
         run: bun install --frozen-lockfile --production
 
-      - name: "Build artifact"
+      - name: Build artifact
         run: |
           bun run build:standalone:darwin-arm64
-          tar -czf ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_darwin-arm64.tar.gz .env.example LICENSE README.md -C ./dist/ backend
+          chmod 755 ./dist/backend
+          tar -c --owner=0 --group=0 --mtime='now' --utc .env.example LICENSE README.md -C ./dist/ backend | gzip --best >./dist/backend_${{ steps.tags-artifact.outputs.tag }}_darwin-arm64.tar.gz
+          tar -tzf ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_darwin-arm64.tar.gz >/dev/null
 
           bun run build:standalone:linux-amd64
-          tar -czf ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_linux-amd64.tar.gz .env.example LICENSE README.md -C ./dist/ backend
+          chmod 755 ./dist/backend
+          tar -c --owner=0 --group=0 --mtime='now' --utc .env.example LICENSE README.md -C ./dist/ backend | gzip --best >./dist/backend_${{ steps.tags-artifact.outputs.tag }}_linux-amd64.tar.gz
+          tar -tzf ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_linux-amd64.tar.gz >/dev/null
 
           bun run build:standalone:linux-arm64
-          tar -czf ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_linux-arm64.tar.gz .env.example LICENSE README.md -C ./dist/ backend
+          chmod 755 ./dist/backend
+          tar -c --owner=0 --group=0 --mtime='now' --utc .env.example LICENSE README.md -C ./dist/ backend | gzip --best >./dist/backend_${{ steps.tags-artifact.outputs.tag }}_linux-arm64.tar.gz
+          tar -tzf ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_linux-arm64.tar.gz >/dev/null
 
           bun run build:standalone:windows-amd64
-          zip -j -X ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_windows-amd64.zip .env.example LICENSE README.md ./dist/backend.exe
+          chmod 755 ./dist/backend.exe
+          zip -j -X -9 -l -o ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_windows-amd64.zip .env.example LICENSE README.md ./dist/backend.exe
+          zip -T ./dist/backend_${{ steps.tags-artifact.outputs.tag }}_windows-amd64.zip
 
       - if: ${{ inputs.artifact-action == 'build-release' }}
-        name: "Release artifact"
+        name: Release artifact
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           name: ${{ steps.tags-artifact.outputs.extended }}
           tag: ${{ steps.tags-artifact.outputs.extended }}
-          artifacts: "dist/*.tar.gz,dist/*.zip"
+          artifacts: dist/*.tar.gz,dist/*.zip
           makeLatest: true
           prerelease: ${{ github.ref != 'refs/heads/stable' }}
           generateReleaseNotes: true
 
       - if: ${{ inputs.artifact-action == 'build-release' }}
-        name: "Attest artifact"
+        name: Attest artifact
         uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
         with:
           subject-path: |
@@ -105,7 +113,7 @@ jobs:
 
   container:
     if: ${{ github.repository_owner == 'jspaste' && inputs.image-action != 'none' }}
-    name: "Build container image"
+    name: Build container image
     runs-on: ubuntu-latest
     env:
       REGISTRY: ghcr.io
@@ -116,20 +124,17 @@ jobs:
       packages: write
 
     steps:
-      - name: "Harden Runner"
+      - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - name: "Setup Bun"
-        uses: oven-sh/setup-bun@4bc047ad259df6fc24a6c9b0f9a0cb08cf17fbe5 # v2.0.1
-
-      - name: "Setup QEMU"
+      - name: Setup QEMU
         run: |
           sudo apt-get update
           sudo apt-get install -y qemu-user-static
 
-      - name: "Setup tags"
+      - name: Setup tags
         id: tags-image
         run: |
           TIMESTAMP="$(date +%Y.%m.%d)"
@@ -148,18 +153,12 @@ jobs:
 
           echo "tags=${TAGS[*]}" >>"$GITHUB_OUTPUT"
 
-      - name: "Checkout"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
 
-      - name: "Setup production dependencies"
-        run: bun install --frozen-lockfile --production
-
-      - name: "Run build"
-        run: bun run build
-
-      - name: "Build image"
+      - name: Build image
         id: build-image
         uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
         with:
@@ -171,15 +170,15 @@ jobs:
           tags: ${{ steps.tags-image.outputs.tags }}
 
       - if: ${{ inputs.image-action == 'build-release' }}
-        name: "Login to GHCR"
+        name: Login to GHCR
         uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
         with:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ${{ env.REGISTRY }}
 
       - if: ${{ inputs.image-action == 'build-release' }}
-        name: "Push to GHCR"
+        name: Push to GHCR
         id: push-image
         uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
         with:
@@ -188,7 +187,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
 
       - if: ${{ inputs.image-action == 'build-release' }}
-        name: "Attest image"
+        name: Attest image
         uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
         with:
           subject-name: "${{ env.REGISTRY }}/${{ steps.build-image.outputs.image }}"

.github/workflows/security.yml

@@ -1,87 +1,52 @@
-name: "CI -> Security"
+name: CI -> Security
 on:
   branch_protection_rule:
   schedule:
-    - cron: "33 3 * * 1"
+    - cron: 33 3 * * 1
 
   push:
     branches:
       - dev
     paths-ignore:
-      - "*.md"
-      - ".*ignore"
+      - '*.md'
+      - '.*ignore'
 
   pull_request:
     branches:
       - dev
     paths-ignore:
-      - "*.md"
-      - ".*ignore"
+      - '*.md'
+      - '.*ignore'
 
 permissions: read-all
 
 jobs:
-  codeql:
-    name: "CodeQL"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - language: javascript-typescript
-            build-mode: none
-
-    permissions:
-      security-events: write
-
-    steps:
-      - name: "Harden Runner"
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - name: "Checkout"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-        with:
-          persist-credentials: false
-
-      - name: "Setup CodeQL"
-        uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
-        with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
-
-      - name: "Run analysis"
-        uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
-        with:
-          category: "/language:${{matrix.language}}"
-
   scoreboard:
-    name: "Scorecard"
+    name: Scorecard
     runs-on: ubuntu-latest
     permissions:
       security-events: write
       id-token: write
 
     steps:
-      - name: "Harden Runner"
+      - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - name: "Checkout"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
 
-      - name: "Run analysis"
+      - name: Run analysis
         uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: scoreboard.sarif
           results_format: sarif
           publish_results: true
 
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
         with:
           sarif_file: scoreboard.sarif

.github/workflows/test.yml

@@ -1,53 +1,53 @@
-name: "CI -> Test"
+name: CI -> Test
 on:
   workflow_dispatch:
   push:
     branches:
       - dev
     paths-ignore:
-      - "*.md"
-      - ".*ignore"
+      - '*.md'
+      - '.*ignore'
 
   pull_request:
     branches:
       - dev
     paths-ignore:
-      - "*.md"
-      - ".*ignore"
+      - '*.md'
+      - '.*ignore'
 
 concurrency:
-  group: "${{ github.workflow }}-${{ github.ref }}"
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
-  lint:
-    name: "Lint"
+  test:
+    name: Test
     runs-on: ubuntu-latest
     steps:
-      - name: "Harden Runner"
+      - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - name: "Setup Bun"
+      - name: Setup Bun
         uses: oven-sh/setup-bun@4bc047ad259df6fc24a6c9b0f9a0cb08cf17fbe5 # v2.0.1
 
-      - name: "Checkout"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
 
-      - name: "Setup production dependencies"
+      - name: Setup production dependencies
         run: bun install --frozen-lockfile --production
 
-      - name: "Run build"
-        run: bun run build
+      - name: Run build:server
+        run: bun run build:server
 
-      - name: "Setup development dependencies"
+      - name: Setup development dependencies
         run: bun install --frozen-lockfile
 
-      - name: "Run lint"
+      - name: Run lint
         run: bun run lint