The plugin_marketplaces + plugins config triggered an OIDC token exchange
that consistently fails with 401. Replace with a direct prompt, matching
the pattern used in claude.yml which works reliably.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pull_request_target statt pull_request: GitHub stellt ACTIONS_ID_TOKEN_REQUEST_URL
nur im Basis-Repo-Kontext bereit. pull-requests: write ergänzt, damit die Aktion
Review-Kommentare posten kann.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add QEMU and multi-platform build (linux/amd64 + linux/arm64) to
GitHub Actions workflow, enabling self-hosting on Raspberry Pi and
other ARM64 devices.
Builds and pushes to ghcr.io/ulsklyc/oikos on every push to main
and on version tags. Tags: branch name, semver, short SHA.
Uses Docker layer caching via GitHub Actions cache.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Node 24 is not yet LTS and native dependencies (bcrypt, better-sqlite3,
sharp) fail to compile on it, causing CI failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rate-limit SPA fallback route (missing rate limiting on fs access)
- Add csrfMiddleware to all state-changing auth routes (logout, create
user, change password, delete user) — previously bypassed global CSRF
middleware due to router registration order
- Fix incomplete vCard escaping: escape backslashes before other special
characters to prevent injection via contact fields
- Restrict CI GITHUB_TOKEN to contents: read (least privilege)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ulsklyc