unarr/.goreleaser.yml


version: 2
project_name: unarr
feat(release): bundle ffmpeg + ffprobe in tarballs and Docker image

Operators no longer have to install ffmpeg manually. Both the release tarballs (5 platforms × 2 binaries) and the Docker image now ship a working ffmpeg + ffprobe pair adjacent to the unarr binary; ResolveFFmpeg / ResolveFFprobe pick them up via the "adjacent to executable" branch with zero configuration.

Tarball bundle (scripts/download-ffmpeg-static.sh + .goreleaser.yml):
- ffbinaries.com (johnvansickle / Zeranoe-style static GPL builds) for linux-amd64, linux-arm64, darwin-amd64, windows-amd64
- evermeet.cx universal Mach-O for darwin-arm64 (ffbinaries lacks it)
- BtbN/FFmpeg-Builds for windows-arm64 (ffbinaries lacks it)
- Idempotent fetch with curl --retry 5 so transient github.com SSL errors don't fail the goreleaser before-hook
- New `before.hooks` runs the script automatically per release; archive files glob `dist-ffbinaries/{{ .Os }}-{{ .Arch }}/*` + strip_parent
- Migrated to non-deprecated `formats: [tar.gz]` / `formats: [zip]`
- Verified via `goreleaser release --snapshot --clean --skip=publish` — 6 archives all carry ffmpeg + ffprobe (~60-130MB each)

Docker image (Dockerfile):
- Replaced the failing BtbN static glibc binaries with Alpine's native musl `apk add ffmpeg`. The static GPL builds need glibc + libmvec / libgcc_s; gcompat alone is not enough (vector-math symbols unresolved). Alpine ships ffmpeg 6.1.2 which is fine for the WebRTC transcoder.
- Image size 174MB, built + ffmpeg/ffprobe/unarr smoke OK.

Targets the v0.8 unarr release (per user direction — new feature, not a patch). dist-ffbinaries/ added to .gitignore.
2026-05-06 11:26:01 +02:00
# Pre-build hook: fetch static ffmpeg + ffprobe per platform so each
# release tarball ships them adjacent to the unarr binary. ResolveFFmpeg /
# ResolveFFprobe pick them up via the "adjacent to executable" branch — no
# system install or runtime download needed.
before:
  hooks:
    - bash scripts/download-ffmpeg-static.sh
builds:
  - main: ./cmd/unarr/
    binary: unarr
    env:
      - CGO_ENABLED=0
    goos:
      - linux
      - darwin
      - windows
    goarch:
      - amd64
      - arm64
    ldflags:
      - -s -w
      - -X github.com/torrentclaw/unarr/internal/cmd.Version={{.Version}}
      - -X github.com/torrentclaw/unarr/internal/sentry.dsn={{ .Env.SENTRY_DSN }}
fix(security): UPnP opt-in, bounded SSE reader, signed self-update

Phase 2 security audit follow-up. Three independent hardenings against the unauthenticated daemon surface, the long-lived agent SSE stream and the self-update channel.

UPnP is now opt-in. The stream port + /hls endpoints have no auth, so publishing them on the WAN via the gateway was a default that exposed active downloads to anyone scanning the operator's external IP. New config downloads.enable_upnp (default false) gates the mapping; LAN and Tailscale clients continue to work unchanged. A startup log makes the new default visible.

The agent SSE reader now uses a bounded bufio.Scanner instead of an unbounded ReadString. A hostile or buggy server can no longer grow daemon memory by streaming a single line forever or by emitting unbounded data: continuation lines — both are capped at 256 KiB and 1 MiB respectively, and an error is surfaced so SignalLoop reconnects.

Self-update now verifies an ed25519 signature over checksums.txt when the binary was built with a release public key embedded (injected via goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion scripts/sign-checksums runs in the release workflow when both the public-key variable and the private-key secret are present, uploading checksums.txt.sig next to the existing checksums file. Builds without the embedded key continue to update with SHA256-only verification; a --allow-unsigned flag is provided so users on a signed build can still install pre-signing releases or recover from an accidental unsigned release. A new scripts/gen-release-key helper documents the one-time keypair generation procedure required before flipping signing on.
2026-05-15 17:29:22 +02:00
      # Release-signing public key — verified by the self-updater against
      # checksums.txt.sig. Empty when not configured; in that case
      # signature verification is skipped and a warning is logged.
      - -X github.com/torrentclaw/unarr/internal/upgrade.releasePubKeyBase64={{ .Env.RELEASE_SIGNING_PUBKEY }}
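The verification path this ldflag feeds, as an added Go example (not the project's own upgrade package): VerifyChecksums follows the rules described above (empty embedded key means skip with SHA256-only fallback, an allow-unsigned override tolerates a missing .sig on a signed build, anything else must verify), and ArchiveMatches does the SHA256 lookup against an already verified checksums.txt. The function names, the demo seed and the sample checksums line are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyChecksums checks the ed25519 signature over checksums.txt. pubB64 is the
// value injected via -X ...releasePubKeyBase64; empty means the build has no key,
// so the check is skipped (SHA256-only mode). Returns true only if a signature verified.
func VerifyChecksums(pubB64 string, checksums, sig []byte, allowUnsigned bool) (bool, error) {
	if pubB64 == "" {
		return false, nil // no embedded key: caller logs a warning and falls back
	}
	pub, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false, fmt.Errorf("embedded release public key is malformed")
	}
	if len(sig) == 0 && allowUnsigned {
		return false, nil // explicit opt-out for pre-signing releases
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), checksums, sig) {
		return false, fmt.Errorf("checksums.txt signature missing or invalid")
	}
	return true, nil
}

// ArchiveMatches compares the archive's SHA256 to its "<sha256>  <file>" line in checksums.txt.
func ArchiveMatches(checksums []byte, name string, archive []byte) bool {
	sum := sha256.Sum256(archive)
	for _, line := range strings.Split(string(checksums), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name {
			return f[0] == hex.EncodeToString(sum[:])
		}
	}
	return false // archive not listed at all: never trust it
}

func main() {
	// Constructed demo keypair (32-byte seed); a real key comes from scripts/gen-release-key.
	priv := ed25519.NewKeyFromSeed([]byte("unarr-demo-seed-0123456789abcdef"))
	pub := base64.StdEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
	checksums := []byte("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  unarr_0.8.0_linux_amd64.tar.gz\n")
	ok, err := VerifyChecksums(pub, checksums, ed25519.Sign(priv, checksums), false)
	fmt.Println(ok, err, ArchiveMatches(checksums, "unarr_0.8.0_linux_amd64.tar.gz", []byte("test")))
}
```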
archives:
  - formats: [tar.gz]
    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    format_overrides:
      - goos: windows
        formats: [zip]
    files:
      - LICENSE*
      - README*
      # Bundle the matching ffmpeg + ffprobe (filename includes .exe on Windows
      # because download-ffmpeg-static.sh writes ffmpeg.exe / ffprobe.exe there).
      - src: "dist-ffbinaries/{{ .Os }}-{{ .Arch }}/*"
        dst: .
        strip_parent: true
        info:
          mode: 0o755
checksum:
  name_template: "checksums.txt"
changelog:
  sort: asc
  filters:
    exclude:
      - "^docs:"
      - "^test:"
      - "^chore:"
ci: port workflows from .github/ to .forgejo/ (Forgejo Actions)

GitHub torrentclaw org is shadow-banned and the CI lives at git.torrentclaw.com now. Forgejo Actions is enabled cluster-wide; this moves the workflows into the runner's natively-watched .forgejo/workflows/ tree and adapts each step so the existing Forgejo runner ('docker', 'ubuntu-latest' labels) can execute them without leaning on GitHub-only tooling.

- ci.yml: drop actions/setup-go (use container: golang:1.25), replace golangci-lint-action with the upstream install.sh, drop codecov-action (third-party, can re-add later with a Forgejo-compatible variant).
- release.yml: drop goreleaser-action (install via curl), wire GITEA_TOKEN + the new release.gitea_urls block in .goreleaser.yml so goreleaser publishes to Forgejo. Sign step swaps 'gh release upload' for curl against the Forgejo releases API (via the in-cluster forgejo:3000 hostname). VirusTotal job dropped — depended heavily on 'gh release' wiring; can be reimplemented against the Forgejo API later if we re-enable it.
- docker-rebuild.yml: drop docker/login-action + docker/build-push-action, use raw 'docker' commands with manually-installed buildx + qemu. Same weekly schedule (Mon 04:17 UTC) and same 'latest' refresh behaviour.
- pages.yml: deleted — install.sh / install.ps1 are already served from the Hetzner releases volume at torrentclaw.com/install.sh, so the GitHub Pages copy was redundant even before the shadow-ban.

.goreleaser.yml: add release.gitea_urls (api=forgejo:3000, download via the public Forgejo URL) + prerelease:auto. ship.sh uses '--skip=publish' so local runs aren't affected by the new release block.
2026-05-27 15:44:48 +02:00
# Self-hosted Forgejo at git.torrentclaw.com. goreleaser detects GITEA_TOKEN +
# these URLs and publishes the release there instead of GitHub. Reachable via
# `forgejo` hostname inside the dokploy-network (the runner shares it); for
# local goreleaser runs outside the network, override via env GITEA_API_URL.
#
# In goreleaser v2 `gitea_urls` is a top-level key (was nested under `release`
# in v1).
gitea_urls:
  api: http://forgejo:3000/api/v1
  download: https://git.torrentclaw.com
  skip_tls_verify: false
release:
  draft: false
  prerelease: auto
# Homebrew tap — requires PAT with repo scope (not GITHUB_TOKEN)
# Enable when torrentclaw/homebrew-tap PAT is configured as HOMEBREW_TAP_TOKEN
# brews:
#   - repository:
#       owner: torrentclaw
#       name: homebrew-tap
#       token: "{{ .Env.HOMEBREW_TAP_TOKEN }}"
#     name: unarr
#     homepage: https://github.com/torrentclaw/unarr
#     description: "unarr — replaces the entire *arr stack"
#     license: MIT
#     install: |
#       bin.install "unarr"