Merge branch 'develop' of https://github.com/TriliumNext/Notes into develop

2025-10-31 10:26:08 +01:00 · 2025-04-18 10:39:44 +03:00
parent 728d5ac68a 9ef6f3e947
commit 837cdea26f
6 changed files with 145 additions and 259 deletions
--- a/.github/actions/build-electron/action.yml
+++ b/.github/actions/build-electron/action.yml
@@ -18,143 +18,152 @@ inputs:
 runs:
  using: composite
  steps:
-  # Certificate setup
+    # Certificate setup
-  - name: Import Apple certificates
+    - name: Import Apple certificates
-    if: inputs.os == 'macos'
+      if: inputs.os == 'macos'
-    uses: apple-actions/import-codesign-certs@v3
+      uses: apple-actions/import-codesign-certs@v3
-    with:
+      with:
-      p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }}
+        p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }}
-      p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}
+        p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}
-      keychain: build
+        keychain: build-app-${{ github.run_id }}
-      keychain-password: ${{ github.run_id }}
+        keychain-password: ${{ github.run_id }}
-  - name: Install Installer certificate
+    - name: Install Installer certificate
-    if: inputs.os == 'macos'
+      if: inputs.os == 'macos'
-    uses: apple-actions/import-codesign-certs@v3
+      uses: apple-actions/import-codesign-certs@v3
-    with:
+      with:
-      p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
+        p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
-      p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
+        p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
-      keychain: build
+        keychain: build-installer-${{ github.run_id }}
-      keychain-password: ${{ github.run_id }}
+        keychain-password: ${{ github.run_id }}
      # We don't need to create a keychain here because we're using the build keychain that was created in the previous step
      create-keychain: false
-  - name: Verify certificates
+    - name: Verify certificates
-    if: inputs.os == 'macos'
+      if: inputs.os == 'macos'
-    shell: ${{ inputs.shell }}
+      shell: ${{ inputs.shell }}
-    run: |
+      run: |
-      echo "Available signing identities:"
+        echo "Available signing identities in app keychain:"
-      security find-identity -v -p codesigning build.keychain
+        security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain
-  - name: Set up Python and other macOS dependencies
+        echo "Available signing identities in installer keychain:"
-    if: ${{ inputs.os == 'macos' }}
+        security find-identity -v -p codesigning build-installer-${{ github.run_id }}.keychain
    shell: ${{ inputs.shell }}
    run: |
      brew install python-setuptools
      brew install create-dmg
-  - name: Install dependencies for RPM and Flatpak package building
+        # Make the keychains searchable
-    if: ${{ inputs.os == 'linux' }}
+        security list-keychains -d user -s build-app-${{ github.run_id }}.keychain build-installer-${{ github.run_id }}.keychain $(security list-keychains -d user | tr -d '"')
-    shell: ${{ inputs.shell }}
+        security default-keychain -s build-app-${{ github.run_id }}.keychain
-    run: |
+        security unlock-keychain -p ${{ github.run_id }} build-app-${{ github.run_id }}.keychain
-      sudo apt-get update && sudo apt-get install rpm flatpak-builder elfutils
+        security unlock-keychain -p ${{ github.run_id }} build-installer-${{ github.run_id }}.keychain
-      flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+        security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain
-      FLATPAK_ARCH=$(if [[ ${{ inputs.arch }} = 'arm64' ]]; then echo 'aarch64'; else echo 'x86_64'; fi)
+        security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain
      FLATPAK_VERSION='24.08'
      flatpak install --user --no-deps --arch $FLATPAK_ARCH --assumeyes runtime/org.freedesktop.Platform/$FLATPAK_ARCH/$FLATPAK_VERSION runtime/org.freedesktop.Sdk/$FLATPAK_ARCH/$FLATPAK_VERSION org.electronjs.Electron2.BaseApp/$FLATPAK_ARCH/$FLATPAK_VERSION
-  # Build setup
+    - name: Set up Python and other macOS dependencies
-  - name: Install dependencies
+      if: ${{ inputs.os == 'macos' }}
-    shell: ${{ inputs.shell }}
+      shell: ${{ inputs.shell }}
-    run: npm ci
+      run: |
        brew install python-setuptools
        brew install create-dmg
-  - name: Update build info
+    - name: Install dependencies for RPM and Flatpak package building
-    shell: ${{ inputs.shell }}
+      if: ${{ inputs.os == 'linux' }}
-    run: npm run chore:update-build-info
+      shell: ${{ inputs.shell }}
      run: |
        sudo apt-get update && sudo apt-get install rpm flatpak-builder elfutils
        flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
        FLATPAK_ARCH=$(if [[ ${{ inputs.arch }} = 'arm64' ]]; then echo 'aarch64'; else echo 'x86_64'; fi)
        FLATPAK_VERSION='24.08'
        flatpak install --user --no-deps --arch $FLATPAK_ARCH --assumeyes runtime/org.freedesktop.Platform/$FLATPAK_ARCH/$FLATPAK_VERSION runtime/org.freedesktop.Sdk/$FLATPAK_ARCH/$FLATPAK_VERSION org.electronjs.Electron2.BaseApp/$FLATPAK_ARCH/$FLATPAK_VERSION
-  # Critical debugging configuration
+    # Build setup
-  - name: Run electron-forge build with enhanced logging
+    - name: Install dependencies
-    shell: ${{ inputs.shell }}
+      shell: ${{ inputs.shell }}
-    env:
+      run: npm ci
      # Pass through required environment variables for signing and notarization
      APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
      APPLE_ID: ${{ env.APPLE_ID }}
      APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }}
      WINDOWS_SIGN_EXECUTABLE: ${{ env.WINDOWS_SIGN_EXECUTABLE }}
      TRILIUM_ARTIFACT_NAME_HINT: TriliumNextNotes-${{ github.ref_name }}-${{ inputs.os }}-${{ inputs.arch }}
    run: npm run electron-forge:make -- --arch=${{ inputs.arch }} --platform=${{ inputs.forge_platform }}
-  # Add DMG signing step
+    - name: Update build info
-  - name: Sign DMG
+      shell: ${{ inputs.shell }}
-    if: inputs.os == 'macos'
+      run: npm run chore:update-build-info
-    shell: ${{ inputs.shell }}
+
-    run: |
+    # Critical debugging configuration
-      echo "Signing DMG file..."
+    - name: Run electron-forge build with enhanced logging
-      dmg_file=$(find ./dist -name "*.dmg" -print -quit)
+      shell: ${{ inputs.shell }}
-      if [ -n "$dmg_file" ]; then
+      env:
-        echo "Found DMG: $dmg_file"
+        # Pass through required environment variables for signing and notarization
-        # Get the first valid signing identity from the keychain
+        APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
-        SIGNING_IDENTITY=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
+        APPLE_ID: ${{ env.APPLE_ID }}
-        if [ -z "$SIGNING_IDENTITY" ]; then
+        APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }}
-          echo "Error: No valid Developer ID Application certificate found in keychain"
+        WINDOWS_SIGN_EXECUTABLE: ${{ env.WINDOWS_SIGN_EXECUTABLE }}
-          exit 1
+        TRILIUM_ARTIFACT_NAME_HINT: TriliumNextNotes-${{ github.ref_name }}-${{ inputs.os }}-${{ inputs.arch }}
      run: npm run electron-forge:make -- --arch=${{ inputs.arch }} --platform=${{ inputs.forge_platform }}
    # Add DMG signing step
    - name: Sign DMG
      if: inputs.os == 'macos'
      shell: ${{ inputs.shell }}
      run: |
        echo "Signing DMG file..."
        dmg_file=$(find ./dist -name "*.dmg" -print -quit)
        if [ -n "$dmg_file" ]; then
          echo "Found DMG: $dmg_file"
          # Get the first valid signing identity from the keychain
          SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
          if [ -z "$SIGNING_IDENTITY" ]; then
            echo "Error: No valid Developer ID Application certificate found in keychain"
            exit 1
          fi
          echo "Using signing identity: $SIGNING_IDENTITY"
          # Sign the DMG
          codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file"
          # Notarize the DMG
          xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
          # Staple the notarization ticket
          xcrun stapler staple "$dmg_file"
        else
          echo "No DMG found to sign"
        fi
        echo "Using signing identity: $SIGNING_IDENTITY"
        # Sign the DMG
        codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file"
        # Notarize the DMG
        xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
        # Staple the notarization ticket
        xcrun stapler staple "$dmg_file"
      else
        echo "No DMG found to sign"
      fi
-  - name: Verify code signing
+    - name: Verify code signing
-    if: inputs.os == 'macos'
+      if: inputs.os == 'macos'
-    shell: ${{ inputs.shell }}
+      shell: ${{ inputs.shell }}
-    run: |
+      run: |
-      echo "Verifying code signing for all artifacts..."
+        echo "Verifying code signing for all artifacts..."
-      # First check the .app bundle
+        # First check the .app bundle
-      echo "Looking for .app bundle..."
+        echo "Looking for .app bundle..."
-      app_bundle=$(find ./dist -name "*.app" -print -quit)
+        app_bundle=$(find ./dist -name "*.app" -print -quit)
-      if [ -n "$app_bundle" ]; then
+        if [ -n "$app_bundle" ]; then
-        echo "Found app bundle: $app_bundle"
+          echo "Found app bundle: $app_bundle"
-        echo "Verifying app bundle signing..."
+          echo "Verifying app bundle signing..."
-        codesign --verify --deep --strict --verbose=2 "$app_bundle"
+          codesign --verify --deep --strict --verbose=2 "$app_bundle"
-        echo "Displaying app bundle signing info..."
+          echo "Displaying app bundle signing info..."
-        codesign --display --verbose=2 "$app_bundle"
+          codesign --display --verbose=2 "$app_bundle"
-        echo "Checking entitlements..."
+          echo "Checking entitlements..."
-        codesign --display --entitlements :- "$app_bundle"
+          codesign --display --entitlements :- "$app_bundle"
-        echo "Checking notarization status..."
+          echo "Checking notarization status..."
-        xcrun stapler validate "$app_bundle" || echo "Warning: App bundle not notarized yet"
+          xcrun stapler validate "$app_bundle" || echo "Warning: App bundle not notarized yet"
-      else
+        else
-        echo "No .app bundle found to verify"
+          echo "No .app bundle found to verify"
-      fi
+        fi
-      # Then check DMG if it exists
+        # Then check DMG if it exists
-      echo "Looking for DMG..."
+        echo "Looking for DMG..."
-      dmg_file=$(find ./dist -name "*.dmg" -print -quit)
+        dmg_file=$(find ./dist -name "*.dmg" -print -quit)
-      if [ -n "$dmg_file" ]; then
+        if [ -n "$dmg_file" ]; then
-        echo "Found DMG: $dmg_file"
+          echo "Found DMG: $dmg_file"
-        echo "Verifying DMG signing..."
+          echo "Verifying DMG signing..."
-        codesign --verify --deep --strict --verbose=2 "$dmg_file"
+          codesign --verify --deep --strict --verbose=2 "$dmg_file"
-        echo "Displaying DMG signing info..."
+          echo "Displaying DMG signing info..."
-        codesign --display --verbose=2 "$dmg_file"
+          codesign --display --verbose=2 "$dmg_file"
-        echo "Checking DMG notarization..."
+          echo "Checking DMG notarization..."
-        xcrun stapler validate "$dmg_file" || echo "Warning: DMG not notarized yet"
+          xcrun stapler validate "$dmg_file" || echo "Warning: DMG not notarized yet"
-      else
+        else
-        echo "No DMG found to verify"
+          echo "No DMG found to verify"
-      fi
+        fi
-      # Finally check ZIP if it exists
+        # Finally check ZIP if it exists
-      echo "Looking for ZIP..."
+        echo "Looking for ZIP..."
-      zip_file=$(find ./dist -name "*.zip" -print -quit)
+        zip_file=$(find ./dist -name "*.zip" -print -quit)
-      if [ -n "$zip_file" ]; then
+        if [ -n "$zip_file" ]; then
-        echo "Found ZIP: $zip_file"
+          echo "Found ZIP: $zip_file"
-        echo "Note: ZIP files are not code signed, but their contents should be"
+          echo "Note: ZIP files are not code signed, but their contents should be"
-      fi
+        fi
--- a/.github/workflows_old/codeql-analysis.yml
+++ b/.github/workflows_old/codeql-analysis.yml
@@ -1,71 +0,0 @@
 # For most projects, this workflow file will not need changing; you simply need
 # to commit it to your repository.
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 #
 # ******** NOTE ********
 # We have attempted to detect the languages in your repository. Please check
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
 name: "CodeQL"
 on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]
  schedule:
    - cron: '37 4 * * 1'
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
        # Learn more:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # queries: ./path/to/local/query, your-org/your-repo/queries@main
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v1
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language
    #- run: |
    #   make bootstrap
    #   make release
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1
--- a/.github/workflows_old/docker.yaml
+++ b/.github/workflows_old/docker.yaml
@@ -1,53 +0,0 @@
 name: Publish Docker image
 on:
    push:
        tags: [v*]
 jobs:
    push_to_registries:
        name: Push Docker image to multiple registries
        runs-on: ubuntu-latest
        permissions:
            packages: write
            contents: read
        steps:
            - name: Checkout
              uses: actions/checkout@v2
            - name: Set up QEMU
              uses: docker/setup-qemu-action@v1
            - name: Docker meta
              id: meta
              uses: docker/metadata-action@v3
              with:
                  images: |
                      zadam/trilium
                      ghcr.io/zadam/trilium
                  tags: |
                      type=semver,pattern={{version}}
                      type=semver,pattern={{major}}.{{minor}}-latest
                      type=match,pattern=(\d+.\d+).\d+\-beta,enable=${{ endsWith(github.ref, 'beta') }},group=1,suffix=-latest
            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v1
              with:
                  install: true
            - name: Log in to Docker Hub
              uses: docker/login-action@v1
              with:
                  username: ${{ secrets.DOCKER_USERNAME }}
                  password: ${{ secrets.DOCKER_PASSWORD }}
            - name: Log in to GitHub Docker Registry
              uses: docker/login-action@v1
              with:
                  registry: ghcr.io
                  username: ${{ github.repository_owner }}
                  password: ${{ secrets.GITHUB_TOKEN }}
            - name: Create server-package.json
              run: cat package.json | grep -v electron > server-package.json
            - name: Build and Push
              uses: docker/build-push-action@v2.7.0
              with:
                  context: .
                  platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
                  push: true
                  cache-from: type=registry,ref=zadam/trilium:buildcache
                  cache-to: type=registry,ref=zadam/trilium:buildcache,mode=max
                  tags: ${{ steps.meta.outputs.tags }}
--- a/src/public/stylesheets/style.css
+++ b/src/public/stylesheets/style.css
@@ -1992,7 +1992,12 @@ footer.file-footer button {
    background: var(--card-background-color);
    border-radius: 0.5em;
    padding: 1em;
    margin: 1.25em 0;
    position: relative;
    padding-left: 2.5em;
    overflow: hidden;
 }
 .admonition p:last-child {
    margin-bottom: 0;
 }
@@ -2011,11 +2016,11 @@ footer.file-footer button {
 .admonition.caution { --accent-color: #ff2e2e; }
 .admonition.warning { --accent-color: #e2aa03; }
-.ck-content .admonition.note::before { content: "\eb21"; }
+.admonition.note::before { content: "\eb21"; }
-.ck-content .admonition.tip::before { content: "\ea0d"; }
+.admonition.tip::before { content: "\ea0d"; }
-.ck-content .admonition.important::before { content: "\ea7c"; }
+.admonition.important::before { content: "\ea7c"; }
-.ck-content .admonition.caution::before { content: "\eac7"; }
+.admonition.caution::before { content: "\eac7"; }
-.ck-content .admonition.warning::before { content: "\eac5"; }
+.admonition.warning::before { content: "\eac5"; }
 .chat-options-container {
    display: flex;
@@ -2066,11 +2071,6 @@ footer.file-footer button {
    border-left: 2px solid #e2aa03;
    font-weight: bold;
 }
 .admonition.note::before { content: "\eb21"; }
 .admonition.tip::before { content: "\ea0d"; }
 .admonition.important::before { content: "\ea7c"; }
 .admonition.caution::before { content: "\eac7"; }
 .admonition.warning::before { content: "\eac5"; }
 /*
 * In-content floating buttons
--- a/src/routes/api/options.ts
+++ b/src/routes/api/options.ts
@@ -82,6 +82,7 @@ const ALLOWED_OPTIONS = new Set<OptionNames>([
    "allowedHtmlTags",
    "redirectBareDomain",
    "showLoginInShareTheme",
    "splitEditorOrientation",
    // AI/LLM integration options
    "aiEnabled",
--- a/src/services/auth.ts
+++ b/src/services/auth.ts
@@ -15,7 +15,7 @@ const noAuthentication = config.General && config.General.noAuthentication === t
 function checkAuth(req: Request, res: Response, next: NextFunction) {
    if (!sqlInit.isDbInitialized()) {
-        res.redirect('setup');
+        return res.redirect('setup');
    }
    const currentTotpStatus = totp.isTotpEnabled();