The build-rpm-packages workflows deploy with easingthemes/ssh-deploy using
rsync args -rltgoDzvO, which does not create missing parent directories on
the remote. When the zmrepo directory tree was deleted the deploy step
failed.
--mkpath is not a viable fix: it is parsed by the local rsync in the build
container, and Rocky 8 ships rsync 3.1.3 which predates the flag (3.2.3+).
Add a pre-deploy step that creates rpm/master/<family>/<releasever>/<arch>/
over ssh with mkdir -p, which has no rsync version dependency. Also add
utils/zmrepo_mkdirs.sh to recreate the full tree manually.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CodeQL's open alerts are dominated by findings inside bundled third-party
libraries (jQuery UI, Bootstrap 4, bootstrap-table, the jQuery UI
timepicker addon, hls.js). These flag coding patterns internal to those
libraries -- js/unsafe-jquery-plugin, js/insecure-randomness, etc. -- that
are not ZoneMinder bugs and cannot be fixed without forking the
dependencies. They drown out findings in ZoneMinder-authored code.
Add the vendored library directories/files to paths-ignore in the CodeQL
config. ZoneMinder-authored files in these trees (skin.js,
MonitorStream.js, views/js/*.js, ...) are not listed and remain analysed.
moment.js is intentionally left out: it is scheduled for removal once its
remaining call sites migrate to luxon, so its alert will be resolved by
deletion rather than suppression.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GitHub's auto-generated 'Source code' release assets are plain git
archive output without submodules, so cmake fails immediately on the
submodule check and the release cannot be built standalone.
On every published release (or manual dispatch with a tag, to backfill
existing releases) build zoneminder-<tag>.tar.gz from a recursive
checkout and attach it plus a sha256 to the release. The tarball is
reproducible (commit mtime, sorted entries, no owner, no gzip
timestamp) and is sanity-checked for the same file CMakeLists.txt
requires before upload.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Adds paths-ignore for db/, docs/, distros/, misc/, onvif/, scripts/
and *.md/*.sql/*.in files. CodeQL analyses cpp and javascript only,
so changes confined to these paths produce no new findings and don't
need to spend Actions minutes or generate ~610 MB of cache.
Verified the ignored directories contain no .c/.cpp/.h/.js files.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Runs daily at 03:00 UTC and via workflow_dispatch. Groups caches by
key prefix (stripping trailing run/sha suffixes) and keeps the N
newest per prefix, deleting the rest. Defaults to keeping 2.
Without this, CodeQL builds left ~10 GB of per-commit caches behind,
exhausting the org Actions storage quota.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two changes that together stop the .orig.tar.gz from landing in
mini-dinstall's incoming dir and causing cross-distro filename
collisions:
- do_debian_package.sh: quote DEBUILD assignment so the -b flag is
actually passed to debuild. Without quotes, bash parsed it as
"run -b with DEBUILD=debuild as one-shot env", dropping the binary
flag and falling back to a full source build that included the orig
tarball in .changes.
- build-deb-packages{,-aarch64}.yml: drop *.dsc, *.tar.xz, *.tar.gz
from the artifact collection mv. Only .deb, .buildinfo, and .changes
are needed for binary uploads.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ESLint 9 ignores the --ext flag, so the old --ext .js.php,.js had no
effect. The flat config's **/*.*php glob matched all .php files, not
just .js.php. Add explicit files pattern to the main config block and
narrow the PHP override from **/*.*php to **/*.js.php. Remove the
now-ignored --ext flag from CI and docs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@eslint/js@10.0.1 requires eslint@^10.0.0 as a peer dependency,
which conflicts with the pinned eslint@9. Pinning @eslint/js to <10
keeps it on the 9.x line.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Complete the migration from .eslintrc.js to eslint.config.js flat
config format for ESLint 9 compatibility. Add valid-jsdoc: off
(removed in ESLint 9 but enabled by eslint-config-google) and the
missing operator-linebreak: off override. Update the HLS ignore path
to match current version. Update CI workflow to install ESLint 9 and
its flat config dependencies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace hardcoded release-1.38 references with GITHUB_REF_NAME so the
workflows use the branch they are running on for the -b parameter, curl
source URL, and rsync deploy targets. Non-tag pushes deploy to
proposed-<version>, tag pushes deploy to release-<version>.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When triggered by a tag push, pass the release tag to
do_debian_package.sh via -r= flag. Branch pushes continue
to use -s=CURRENT.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Change curl URL from refs/heads/master to refs/heads/release-1.38
in both x86 and aarch64 workflows
- Uncomment safe.directory config in x86 workflow to fix dubious
ownership error
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Trigger on release-1.38 instead of master, rsync builds to proposed
directory, and rsync tagged releases to release-1.38 directory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Trigger on release-1.38 instead of master, rsync builds to proposed
directory, and rsync tagged releases to release-1.38 directory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The monitorStatus HTML was conditionally omitted based on
ZM_WEB_COMPACT_MONTAGE, leaving the status position dropdown
with no elements to operate on. Always render the HTML and
use the dropdown's hidden option to handle compact montage
instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
On Fedora 43, net-tools pulls in systemd which conflicts with
systemd-standalone-tmpfiles in container build environments.
Pre-define ZM_PATH_ARP, ZM_PATH_ARP_SCAN, ZM_PATH_IP, and
ZM_PATH_IFCONFIG in the cmake call instead of relying on
find_program() at build time.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
On Fedora 43, net-tools pulls in systemd which conflicts with
systemd-standalone-tmpfiles in container build environments.
Pre-define ZM_PATH_ARP, ZM_PATH_ARP_SCAN, ZM_PATH_IP, and
ZM_PATH_IFCONFIG in the cmake call instead of relying on
find_program() at build time.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fedora 43 container images ship systemd-standalone-tmpfiles which
conflicts with the full systemd package. Packages like mosquitto
and net-tools depend on systemd, causing dnf builddep to fail.
Install systemd with --allowerasing before builddep to resolve.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
