feat(): clean up CI scripts and add PNA middleware (#393)

wizzomafizzo · web-flow · commit 01eb6ef09139 · 2025-12-05T19:44:05.000+08:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,20 +6,15 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: 'Tag/version to build (e.g. v2.7.0 or test-build)'
+        description: 'Tag/version to build (e.g. v2.7.0). Leave empty for commit-based version.'
         required: false
         type: string
-        default: 'dev'
+        default: ''
       test_build:
-        description: 'Test build only (no release created)'
+        description: 'Test build only (no release created, uses test-signing)'
         required: false
         type: boolean
         default: false
-      signing_policy:
-        description: 'SignPath signing policy'
-        required: false
-        type: string
-        default: 'release-signing'
   workflow_call:
     inputs:
       tag:
@@ -127,6 +122,10 @@ jobs:
       - name: Write release version
         run: |
           VERSION="${BUILD_TAG#v}"
+          # For test builds without a real version tag, use commit hash
+          if [[ ! "$VERSION" =~ ^[0-9] ]]; then
+            VERSION="$(git rev-parse --short HEAD)-dev"
+          fi
           echo "Version: $VERSION"
           echo "VERSION=$VERSION" >> "$GITHUB_ENV"
       - name: Set up Go
@@ -191,36 +190,36 @@ jobs:
           path: _build/windows_${{matrix.arch}}/Output/zaparoo-setup.exe
           retention-days: 30
       - name: Sign exe file
-        if: matrix.platform == 'windows' && !inputs.test_build
+        if: matrix.platform == 'windows'
         uses: signpath/github-action-submit-signing-request@v2
         with:
           api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
           organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
           project-slug: 'zaparoo-core'
-          signing-policy-slug: '${{ inputs.signing_policy || ''release-signing'' }}'
+          signing-policy-slug: '${{ inputs.test_build && ''test-signing'' || ''release-signing'' }}'
           artifact-configuration-slug: 'windows-zip'
           github-artifact-id: '${{ steps.upload-unsigned-exe.outputs.artifact-id }}'
           wait-for-completion: true
           output-artifact-directory: '_build/signed/exe_${{matrix.arch}}'
       - name: Sign installer EXE
-        if: matrix.platform == 'windows' && !inputs.test_build
+        if: matrix.platform == 'windows'
         uses: signpath/github-action-submit-signing-request@v2
         with:
           api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
           organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
           project-slug: 'zaparoo-core'
-          signing-policy-slug: '${{ inputs.signing_policy || ''release-signing'' }}'
+          signing-policy-slug: '${{ inputs.test_build && ''test-signing'' || ''release-signing'' }}'
           artifact-configuration-slug: 'windows-installer'
           github-artifact-id: '${{ steps.upload-unsigned-installer.outputs.artifact-id }}'
           wait-for-completion: true
           output-artifact-directory: '_build/signed/installer_${{matrix.arch}}'
       - name: Rename signed installer back to versioned name
-        if: matrix.platform == 'windows' && !inputs.test_build
+        if: matrix.platform == 'windows'
         run: |
           mv "_build/signed/installer_${{matrix.arch}}/zaparoo-setup.exe" \
              "_build/signed/installer_${{matrix.arch}}/zaparoo-${{matrix.arch}}-${VERSION}-setup.exe"
       - name: Repackage distribution ZIP with signed exe
-        if: matrix.platform == 'windows' && !inputs.test_build
+        if: matrix.platform == 'windows'
         run: |
           # Replace unsigned exe with signed exe in build directory
           cp "_build/signed/exe_${{matrix.arch}}/Zaparoo.exe" "_build/${{matrix.platform}}_${{matrix.arch}}/Zaparoo.exe"
@@ -300,6 +299,10 @@ jobs:
       - name: Write release version
         run: |
           VERSION="${BUILD_TAG#v}"
+          # For test builds without a real version tag, use commit hash
+          if [[ ! "$VERSION" =~ ^[0-9] ]]; then
+            VERSION="$(git rev-parse --short HEAD)-dev"
+          fi
           echo "Version: $VERSION"
           echo "VERSION=$VERSION" >> "$GITHUB_ENV"
       - name: Install dependencies
diff --git a/pkg/api/methods/media.go b/pkg/api/methods/media.go
@@ -223,7 +223,9 @@ func GenerateMediaDB(
 		Indexing: true,
 	})
 
+	db.MediaDB.TrackBackgroundOperation()
 	go func() {
+		defer db.MediaDB.BackgroundOperationDone()
 		total, err := mediascanner.NewNamesIndex(indexCtx, pl, cfg, systems, db, func(status mediascanner.IndexStatus) {
 			var desc string
 			switch status.Step {
diff --git a/pkg/api/methods/methods_test.go b/pkg/api/methods/methods_test.go
@@ -608,6 +608,8 @@ func TestHandleGenerateMedia_SystemFiltering(t *testing.T) {
 			mockMediaDB.On("UpdateLastGenerated").Return(nil).Maybe()
 			mockMediaDB.On("Truncate").Return(nil).Maybe()
 			mockMediaDB.On("RunBackgroundOptimization", mock.Anything).Return(nil).Maybe()
+			mockMediaDB.On("TrackBackgroundOperation").Return().Maybe()
+			mockMediaDB.On("BackgroundOperationDone").Return().Maybe()
 
 			// Mock total media count
 			mockMediaDB.On("GetTotalMediaCount").Return(0, nil).Maybe()
diff --git a/pkg/api/server.go b/pkg/api/server.go
@@ -502,6 +502,21 @@ func buildDynamicAllowedOrigins(baseOrigins, localIPs []string, port int, custom
 	return result
 }
 
+// privateNetworkAccessMiddleware adds the Access-Control-Allow-Private-Network
+// header for preflight requests. This allows HTTPS websites (like zaparoo.app)
+// to connect to Zaparoo Core running on local network IPs.
+// See: https://wicg.github.io/private-network-access/
+func privateNetworkAccessMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check if this is a preflight request asking for private network access
+		if r.Method == http.MethodOptions &&
+			r.Header.Get("Access-Control-Request-Private-Network") == "true" {
+			w.Header().Set("Access-Control-Allow-Private-Network", "true")
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
 // broadcastNotifications consumes and broadcasts all incoming API
 // notifications to all connected clients.
 func broadcastNotifications(
@@ -790,6 +805,7 @@ func Start(
 		AllowedHeaders: []string{"Accept", "Content-Type"},
 		ExposedHeaders: []string{},
 	}))
+	r.Use(privateNetworkAccessMiddleware)
 
 	// Rate limiting only for API routes, not static assets
 	apiRateLimitMiddleware := apimiddleware.HTTPRateLimitMiddleware(rateLimiter)
diff --git a/pkg/api/server_pna_test.go b/pkg/api/server_pna_test.go
@@ -0,0 +1,100 @@
+// Zaparoo Core
+// Copyright (c) 2025 The Zaparoo Project Contributors.
+// SPDX-License-Identifier: GPL-3.0-or-later
+//
+// This file is part of Zaparoo Core.
+//
+// Zaparoo Core is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Zaparoo Core is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Zaparoo Core.  If not, see <http://www.gnu.org/licenses/>.
+
+package api
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestPrivateNetworkAccessMiddleware verifies that the middleware correctly
+// handles Private Network Access preflight requests as specified in:
+// https://wicg.github.io/private-network-access/
+func TestPrivateNetworkAccessMiddleware(t *testing.T) {
+	t.Parallel()
+
+	handler := privateNetworkAccessMiddleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	tests := []struct {
+		name                    string
+		method                  string
+		requestPNAHeader        string
+		expectPNAResponseHeader bool
+	}{
+		{
+			name:                    "OPTIONS_with_PNA_request_header",
+			method:                  http.MethodOptions,
+			requestPNAHeader:        "true",
+			expectPNAResponseHeader: true,
+		},
+		{
+			name:                    "OPTIONS_without_PNA_request_header",
+			method:                  http.MethodOptions,
+			requestPNAHeader:        "",
+			expectPNAResponseHeader: false,
+		},
+		{
+			name:                    "GET_with_PNA_request_header",
+			method:                  http.MethodGet,
+			requestPNAHeader:        "true",
+			expectPNAResponseHeader: false,
+		},
+		{
+			name:                    "POST_with_PNA_request_header",
+			method:                  http.MethodPost,
+			requestPNAHeader:        "true",
+			expectPNAResponseHeader: false,
+		},
+		{
+			name:                    "OPTIONS_with_PNA_false",
+			method:                  http.MethodOptions,
+			requestPNAHeader:        "false",
+			expectPNAResponseHeader: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			req := httptest.NewRequest(tt.method, "/api", http.NoBody)
+			if tt.requestPNAHeader != "" {
+				req.Header.Set("Access-Control-Request-Private-Network", tt.requestPNAHeader)
+			}
+
+			rec := httptest.NewRecorder()
+			handler.ServeHTTP(rec, req)
+
+			pnaResponse := rec.Header().Get("Access-Control-Allow-Private-Network")
+			if tt.expectPNAResponseHeader {
+				assert.Equal(t, "true", pnaResponse,
+					"expected Access-Control-Allow-Private-Network: true header")
+			} else {
+				assert.Empty(t, pnaResponse,
+					"expected no Access-Control-Allow-Private-Network header")
+			}
+		})
+	}
+}
diff --git a/pkg/database/database.go b/pkg/database/database.go
@@ -309,6 +309,8 @@ type MediaDBI interface {
 	GetOptimizationStep() (string, error)
 	RunBackgroundOptimization(statusCallback func(optimizing bool))
 	WaitForBackgroundOperations()
+	TrackBackgroundOperation()
+	BackgroundOperationDone()
 
 	InvalidateCountCache() error
 
diff --git a/pkg/database/mediadb/mediadb.go b/pkg/database/mediadb/mediadb.go
@@ -1775,6 +1775,19 @@ func (db *MediaDB) WaitForBackgroundOperations() {
 	db.backgroundOps.Wait()
 }
 
+// TrackBackgroundOperation increments the background operations counter.
+// Call BackgroundOperationDone when the operation completes.
+// This allows external code (like the indexing goroutine) to be tracked.
+func (db *MediaDB) TrackBackgroundOperation() {
+	db.backgroundOps.Add(1)
+}
+
+// BackgroundOperationDone decrements the background operations counter.
+// This should be called when an operation started with TrackBackgroundOperation completes.
+func (db *MediaDB) BackgroundOperationDone() {
+	db.backgroundOps.Done()
+}
+
 // GetLaunchCommandForMedia generates a title-based launch command for the given media.
 func (db *MediaDB) GetLaunchCommandForMedia(ctx context.Context, systemID, path string) (string, error) {
 	db.sqlMu.RLock()
diff --git a/pkg/readers/pn532/pn532.go b/pkg/readers/pn532/pn532.go
@@ -405,7 +405,6 @@ func (r *Reader) processNewTag(detectedTag *pn532.DetectedTag, iq chan<- readers
 
 func (r *Reader) Close() error {
 	r.mutex.Lock()
-	defer r.mutex.Unlock()
 
 	if r.cancel != nil {
 		r.cancel()
@@ -414,13 +413,20 @@ func (r *Reader) Close() error {
 	if r.session != nil {
 		err := r.session.Close()
 		if err != nil {
+			r.mutex.Unlock()
 			return fmt.Errorf("failed to close PN532 session: %w", err)
 		}
 	}
 
-	// Wait for session goroutine to complete
+	r.mutex.Unlock()
+
+	// Wait for session goroutine to complete outside of lock to avoid deadlock.
+	// The goroutines may need to acquire the mutex before they can exit.
 	r.wg.Wait()
 
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
 	// Close the underlying device to release hardware resources
 	if r.device != nil {
 		err := r.device.Close()
diff --git a/pkg/testing/helpers/db_mocks.go b/pkg/testing/helpers/db_mocks.go
@@ -1021,6 +1021,14 @@ func (m *MockMediaDBI) WaitForBackgroundOperations() {
 	m.Called()
 }
 
+func (m *MockMediaDBI) TrackBackgroundOperation() {
+	m.Called()
+}
+
+func (m *MockMediaDBI) BackgroundOperationDone() {
+	m.Called()
+}
+
 func (m *MockMediaDBI) SetIndexingStatus(status string) error {
 	args := m.Called(status)
 	if err := args.Error(0); err != nil {
diff --git a/scripts/tasks/utils/windowsiss/main.go b/scripts/tasks/utils/windowsiss/main.go
@@ -49,7 +49,9 @@ func main() {
 	}
 
 	outputVersion := *version
-	if strings.Contains(*version, "-") {
+	// Inno Setup VersionInfoVersion requires a valid numeric version (e.g., 1.2.3)
+	// Fall back to 0.0.0 for non-semver versions like "dev" or pre-release versions
+	if strings.Contains(*version, "-") || !isValidSemver(*version) {
 		*version = "0.0.0"
 	}
 
@@ -111,3 +113,12 @@ func generateSetupFile(
 
 	return nil
 }
+
+// isValidSemver checks if a version string starts with a digit (basic semver check).
+// Returns false for versions like "dev", "latest", etc.
+func isValidSemver(version string) bool {
+	if version == "" {
+		return false
+	}
+	return version[0] >= '0' && version[0] <= '9'
+}
diff --git a/scripts/zigcc/VERSION b/scripts/zigcc/VERSION
@@ -1 +1 @@
-1.1.0
+1.2.0
