
Release v3.3.18 — queue per-item cancel + GHCR engine image#136

Merged
phantomptr merged 4 commits into
mainfrom
release/3.3.18
Jun 16, 2026

Conversation

@phantomptr

Owner

Bundles three things into 3.3.18.

1. Upload queue: cancel a single in-flight item

New cancelItem(id) store action + a per-row Cancel button on the actively-uploading item. It aborts just that transfer (engine job cancelled at the next shard boundary; partial tx stays resumable) and resumes the console's remaining pending work — siblings on other consoles untouched. "Stop" (stop-all) is unchanged. +4 store tests; queue_cancel_item added to en.ts + allowlist.

2. Official engine Docker image (GHCR) — from #134 by @Twice6804

The contributor's docker-engine.yml workflow (cherry-picked, authorship preserved) publishes a multi-arch ghcr.io/phantomptr/ps5upload-engine on each release tag. This release tag triggers the first publish.

3. Hardening of that workflow + Makefile

  • Least privilege: workflow token read-only by default; packages: write only on the build/merge jobs that push. The PR verify job can't get a write token.
  • Ref-injection guard: new resolve job validates the tag with a strict regex once and passes trusted outputs to build/merge — the tag never reaches a checkout ref: unvalidated. Untrusted interpolations routed through env vars. actionlint clean.
  • Repo settings fixed: default GITHUB_TOKEN set to read/write (was read-only) so the publish can push.
  • Dockerfile verified: scratch + static binary, builds from existing-CI-green engine source.
  • Makefile: added docker-engine / docker-engine-run targets for local parity.

Closes #134.

Verification

  • Full client gate: typecheck, lint, 733 tests (+4), i18n coverage gate green.
  • actionlint clean on the new workflow; Makefile targets parse.

Post-merge (one-time)

After the publish runs on the v3.3.18 tag: set the GHCR package visibility to Public so anonymous docker pull works.

Release 3.3.18.
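The resolve-job pattern from item 3 (read-only default token, write scope only on the pushing jobs, tag validated once and handed downstream as trusted outputs, untrusted values routed through env vars), sketched as an added example workflow. This is not the PR's docker-engine.yml, whose exact contents are not on this page; the job layout, regex, step ids and action versions are assumptions, and the build job is reduced to a single tagged push.

```yaml
name: engine-image
on:
  push:
    tags: ['v*']
  workflow_dispatch:

# Workflow-wide token is read-only; only the jobs that push get packages: write.
permissions:
  contents: read

jobs:
  resolve:
    runs-on: ubuntu-24.04
    outputs:
      tag: ${{ steps.check.outputs.tag }}
      version: ${{ steps.check.outputs.version }}
      image: ${{ steps.check.outputs.image }}
    steps:
      - id: check
        # Untrusted values reach the shell only through env, never via ${{ }} inside run:.
        env:
          REF_NAME: ${{ github.ref_name }}
          OWNER: ${{ github.repository_owner }}
        run: |
          # Strict pattern (assumed): exactly vMAJOR.MINOR.PATCH, nothing appended.
          if [[ ! "$REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "refusing to build from ref '$REF_NAME'" >&2
            exit 1
          fi
          {
            echo "tag=$REF_NAME"
            echo "version=${REF_NAME#v}"
            echo "image=ghcr.io/${OWNER,,}/ps5upload-engine"   # lowercased in bash
          } >> "$GITHUB_OUTPUT"

  build:
    needs: resolve
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write   # write scope only here (and on merge), never on verify
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.resolve.outputs.tag }}   # validated once in resolve, never raw
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ needs.resolve.outputs.image }}:${{ needs.resolve.outputs.version }}
```

A registry login step (docker/login-action with GITHUB_TOKEN) and the per-arch digest push plus manifest merge jobs are omitted for brevity; a workflow_dispatch run from a branch fails the regex in resolve, which is the intended trust boundary.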

phantomptr and others added 4 commits June 16, 2026 16:37
…nsole

Adds a per-item Cancel control to the upload queue. Until now the actively-
uploading row had move/remove disabled, so the only way to stop one item was
Stop (which halts the whole console). New cancelItem(id):
- pending/finished item → just dropped from the queue
- running item → aborts its engine job (transfer bails at the next shard
  boundary, partial tx stays resumable), drops it, and resumes the console's
  remaining pending work — siblings on other consoles are untouched

UI: the active row shows a Cancel (ban) button in place of the locked Remove.
Stop-all already existed (the Stop button) and is unchanged.

Adds queue_cancel_item to the en.ts catalog + allowlist, and 4 store tests.

Adds .github/workflows/docker-engine.yml — fires on v* tags and
workflow_dispatch. Three jobs:
  verify  – PR-only amd64 build (no push), keeps Dockerfile green
  build   – native amd64 (ubuntu-24.04) + arm64 (ubuntu-24.04-arm)
            push by digest so arches can run independently
  merge   – stitches digests into a multi-arch manifest tagged
            :<version>, :<major.minor>, and :latest

Image: ghcr.io/phantomptr/ps5upload-engine
Note in PR: after first publish, set the GHCR package to Public.

Also updates engine/Dockerfile header, README.md, and FAQ.md to
reference the published image.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Hardening of the GHCR publish workflow (#134):
- Least privilege: workflow token now read-only by default; packages:write
  is granted only on the build + merge jobs that actually push. The PR
  verify job can no longer receive a write-capable token.
- New resolve job validates the version tag with a strict regex ONCE and
  passes trusted outputs (tag, version, image) to build/merge — so the tag
  never reaches a checkout ref: unvalidated (ref-injection guard), and the
  lowercased image name is derived via the safe env pattern instead of
  interpolating github.repository_owner into a shell.
- Quote untrusted interpolations through env vars; document the one
  intentional word-split (manifest create) with a shellcheck directive.
  actionlint clean.

Makefile: add docker-engine / docker-engine-run targets (+ help entry) so the
self-hosted image has first-class local build/run parity with what CI ships.

- Per-item upload cancel (queue)
- Official multi-arch engine Docker image on GHCR (thanks @Twice6804)
- Hardened the docker publish workflow; Makefile docker targets
@phantomptr phantomptr merged commit 75fd4cb into main Jun 16, 2026
23 checks passed
@phantomptr phantomptr deleted the release/3.3.18 branch June 16, 2026 23:50