WebDAV and SuperSync E2E tests require dedicated server infrastructure
and should only run in the scheduled E2E workflow or manually. This
prevents build failures when the required servers are not available.
- Added @webdav tag to all WebDAV test files for consistent filtering
- Updated build.yml to exclude @webdav and @supersync tagged tests
Add allowed_non_write_users parameter to bypass actor permission check for PRs from external contributors. This enables automated code reviews for all PRs, including those from forks, while maintaining security through pull_request_target context.
Pin all GitHub Actions to immutable commit SHAs to prevent supply chain attacks.
This protects against tag-poisoning attacks like the March 2025 tj-actions compromise
that affected 23,000+ repositories.
Changes:
- Pin 55 action references across 19 workflow files to commit SHAs
- Add version comments (e.g., "# v6") for readability
- Manually resolved: gradle/actions, github/codeql-action, actions/setup-node
All actions now use immutable references following GitHub security best practices:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
Future updates should be managed via Dependabot to automate SHA updates.
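
A check for the pinning convention described in the commit message above (a full commit SHA plus a trailing version comment), added here as an illustration; it is not code from this repository. The function name, the finding labels and the sample workflow are assumptions made for this example.

```python
import re

# A step's `uses:` value, with an optional trailing "# vN" comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line, action, problem, ref) for each reference that breaks the convention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and container images are not resolved through git tags.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if not FULL_SHA_RE.fullmatch(ref):
            # Tags and branches are mutable, so the code behind them can change.
            findings.append((lineno, action, "unpinned", ref or "<none>"))
        elif not comment:
            # Pinned, but nothing tells a reviewer which release the SHA is.
            findings.append((lineno, action, "no-version-comment", ref))
    return findings


# Constructed sample; the 40-hex values are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: github/codeql-action/init@v3
      - uses: gradle/actions/setup-gradle@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding)
```

Run over every file under `.github/workflows/` in CI, a non-empty result can fail the build so that a later edit cannot quietly reintroduce a tag reference.
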
Contains both a first draft of content as well as
a comprehensive GH Action to replicate from
docs/wiki to the `.wiki` sub-repo. The linting is
non-blocking at the moment.
- the existing markdown linking appears reliably
rendered in GH but more testing is needed.
- style guide for contributions/expectations needs
to be added to the wiki
- **a significant re-work of the README** to
re-direct users to the Wiki is needed to avoid
doc duplication
- updates to the PR templates and contributor
guidelines to emphasize the importance of adding
documentation are still needed
Change trigger from pull_request to pull_request_target to allow the
workflow to run with write permissions even for external contributors.
This fixes the "Actor has insufficient permissions" error.
Also add condition to skip draft PRs to reduce API usage.
The E2E test suite has grown to 111+ spec files with an estimated
execution time of 80-100 minutes, exceeding the previous 60-minute
timeout limit. This increase prevents premature workflow termination.
- Change workflow runner from macos-latest to macos-26
- Add Xcode and SDK version verification step
- Ensures compliance with Apple's April 2026 requirement for iOS 26 SDK
- Maintains iOS 14.0 deployment target for backward compatibility
Docker Compose was failing because env_file: .env was referenced but the
file doesn't exist in CI (it's gitignored). Also updates deprecated
set-output command to use GITHUB_OUTPUT environment file.
The Claude Code Review workflow needs pull-requests: write permission to post review comments on PRs. Previously it only had read access, causing "Actor does not have write permissions" errors.
The Claude Code GitHub Action was failing with 403 errors when trying
to create comments on issues due to read-only permissions. Updated
contents, pull-requests, and issues permissions from read to write.
Angular Material overlay backdrops were not being properly cleared between
tag operations, causing subsequent clicks to timeout when overlays blocked
element interactions.
Added ensureOverlaysClosed() helper with:
- Early exit if no overlays present (performance)
- Escape key dismissal with retry for stacked overlays
- Logging for debugging when fallbacks trigger
- Uses Playwright's native locator.waitFor() instead of waitForFunction()
- Cleanup at operation start (prevent blocking) and end (clean state)
Benefits:
- Eliminates fixed timeouts, uses smart waiting (tests run 2x faster)
- Handles edge cases like stacked overlays
- Provides visibility into when overlays are unexpectedly present
Fixes 4 failing tests:
- Tag CRUD: remove tag via context menu
- Tag CRUD: delete tag and update tasks
- Tag CRUD: navigate to tag view
- Menu: toggle tags via submenu
- Remove PROVISIONING_PROFILE_SPECIFIER from archive (breaks Pods)
- Use CODE_SIGN_STYLE=Automatic for archive step
- Manual signing handled during export via ExportOptions.plist
- Add bundle ID verification to catch mismatches early
- Create build-ios.yml workflow triggered on releases
- Configure signing keychain with iOS distribution certificate
- Install provisioning profile for App Store distribution
- Sync version from package.json using agvtool
- Build, archive, and export IPA with manual code signing
- Validate and upload to App Store Connect via xcrun altool
- Add sync:ios and dist:ios:prod npm scripts
- Update bump-android-version.js to handle RC/alpha/beta versions
- Pre-releases use versionCode suffix 0001-8999, stable uses 9000
- This ensures users can upgrade from RC to stable without uninstalling
- Skip Play Store upload for pre-release tags (GitHub only)
- Skip fastlane changelog generation for pre-releases
Fixes #5964
- Add permissions: contents: write to build.yml and manual-build.yml
to fix GitHub release creation after org migration
- Update AUR PKGBUILD download URL to new org
- Update release notes changelog link
- Update GitHub project example hints in translation files
- Add explicit contents: write permission for GITHUB_TOKEN
- Increase wait time for release creation from 15 to 20 minutes
- Add failure check if release is not found after waiting
GitHub Actions requires explicit permissions for write operations.
Adding `issues: write` permission resolves the "Resource not accessible
by integration" error when posting auto-reply comments.
Fixes #5904