authorJulia <julia@insertdomain.name>2026-01-13 22:44:44 +0000
committerJulia <julia@insertdomain.name>2026-01-13 22:44:44 +0000
commit79f513cea3406fc9131771770de0d29b4a95a824 (patch)
tree438bf5e2671f588e8ab083751fe529a784ce5049
parentmerge: For 2025.4.4 (!1199) (diff)
parentuse more of latest gitlab configuration (diff)
downloadsharkey-79f513cea3406fc9131771770de0d29b4a95a824.tar.gz
sharkey-79f513cea3406fc9131771770de0d29b4a95a824.tar.bz2
sharkey-79f513cea3406fc9131771770de0d29b4a95a824.zip
merge: Release/2025.4.5 (!1258)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/1258 Approved-by: Hazelnoot <acomputerdog@gmail.com> Approved-by: Marie <github@yuugi.dev> Approved-by: Julia <julia@insertdomain.name>
-rw-r--r--.gitlab-ci.yml265
-rw-r--r--.gitlab/ci_templates/container_scanning.yml20
-rw-r--r--.gitlab/ci_templates/dependency_scanning.yml14
-rw-r--r--.gitlab/ci_templates/lib_behave.yml20
-rw-r--r--.gitlab/ci_templates/sast.yml17
-rw-r--r--.gitlab/ci_templates/secret_detection.yml14
-rw-r--r--.gitlab/issue_templates/bug.md2
-rw-r--r--.gitlab/issue_templates/feature.md2
-rw-r--r--.gitlab/merge_request_templates/default.md2
-rw-r--r--package.json2
-rw-r--r--packages/backend/src/server/api/endpoints/notes/translate.ts11
-rw-r--r--packages/misskey-js/package.json2
12 files changed, 298 insertions, 73 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 256cb08fe9..31be935c47 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,46 +1,196 @@
stages:
+ - build
- test
- deploy
-testCommit:
- stage: test
- image: node:jod
- services:
- - postgres:15
- - redis
+variables:
+ # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
+ GITLAB_ADVANCED_SAST_ENABLED: 'true'
+
+ # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
+ # https://stackoverflow.com/a/71111784
+ SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
+ DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
+
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
+ DS_ENFORCE_NEW_ANALYZER: 'true'
+ DS_MAX_DEPTH: -1
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
+ DS_STATIC_REACHABILITY_ENABLED: true
+
+ # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
+ AST_ENABLE_MR_PIPELINES: 'true'
+
+.common: &common
+ # "only" has been removed, so we use rules.
+ # This runs in MR pipelines *or* push to develop/stable
+ rules: &common-rules
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
+
+.deploy_common: &deploy_common
+ stage: deploy
+ # Only run when pushing to stable, develop, or tags
+ rules: &deploy-rules
+ - if: $CI_PIPELINE_SOURCE != 'push'
+ when: never
+ - if: $CI_COMMIT_BRANCH == 'develop'
+ - if: $CI_COMMIT_BRANCH == 'stable'
+ - if: $CI_COMMIT_TAG
+
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+ - local: '.gitlab/ci_templates/dependency_scanning.yml'
+ rules: *common-rules
+ - local: '.gitlab/ci_templates/container_scanning.yml'
+ rules: *deploy-rules
+ - local: '.gitlab/ci_templates/sast.yml'
+ rules: *common-rules
+ - local: '.gitlab/ci_templates/secret_detection.yml'
+ rules: *common-rules
+ - local: '.gitlab/ci_templates/lib_behave.yml'
+ rules: *common-rules
+
+# Cache node_modules and share build artifacts for the pipeline.
+# This shares the same cache definition, but it's the only place that actually *pushes* to the cache.
+# https://docs.gitlab.com/ci/caching/
+# https://github.com/pnpm/pnpm/issues/1174#issuecomment-996719439
+# https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133
+build: &build
+ <<: *common
+ stage: build
+ image:
+ name: docker.io/node:22
+ pull_policy: if-not-present
variables:
- POSTGRES_PASSWORD: ci
- COREPACK_DEFAULT_TO_LATEST: 0
- script:
- - apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg
+ POSTGRES_PASSWORD: 'ci'
+ COREPACK_DEFAULT_TO_LATEST: '0'
+ # Arm64 is recommended for CI
+ tags:
+ - arm64
+ before_script:
+ - apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg libcairo2-dev libpango1.0-dev libpangocairo-1.0
+ - 'echo "clusterLimit: $(nproc)" >> .config/ci.yml'
- cp .config/ci.yml .config/default.yml
- cp .config/ci.yml .config/test.yml
- corepack enable
- corepack install
- git submodule update --init
+ - pnpm config set store-dir .pnpm-store
- pnpm install --frozen-lockfile
+ script:
- pnpm run build
- - pnpm run migrate
- - pnpm run test
- - pnpm run --filter=backend --filter=misskey-js --filter=frontend-shared lint
- - pnpm run --filter=frontend --filter=frontend-embed eslint
cache:
- key: test
- policy: pull-push
- when: on_success
- paths:
- - node_modules/
- - packages/*/node_modules/
- only:
- - develop
- - merge_requests
- - stable
+ - &cache-pnpm
+ key:
+ files:
+ - 'pnpm-lock.yaml'
+ - 'pnpm-workspace.yaml'
+ paths:
+ - '.pnpm-store/'
+ - 'node_modules/'
+ - 'packages/*/node_modules/'
+ - 'packages/misskey-js/generator/node_modules/'
+ policy: pull-push
+ when: on_success
+ - &cache-build
+ key: "$CI_COMMIT_REF_SLUG"
+ paths:
+ - 'built/'
+ - 'packages/*/built/'
+ - 'packages/megalodon/lib/'
+ policy: pull-push
+ when: on_success
-getImageTag:
- stage: deploy
- image: ubuntu:latest
+.test_common: &test_common
+ <<: *common
+ <<: *build
+ stage: test
+ cache:
+ -
+ <<: *cache-pnpm
+ policy: pull
+ -
+ <<: *cache-build
+ policy: pull
+
+lint:
+ <<: *test_common
script:
- - apt-get update && apt-get install -y jq
+ - pnpm run build-assets
+ - pnpm run eslint
+
+backend_tests:
+ <<: *test_common
+ services:
+ - name: postgres:15
+ pull_policy: if-not-present
+ - name: redis
+ pull_policy: if-not-present
+ script:
+ - pnpm run --filter backend build:pre
+ - pnpm run --filter backend build
+ - pnpm run --filter backend migrate
+ - pnpm run --filter backend test
+ # Same as common, but MRs are only run if they modify the backend.
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ changes:
+ - 'packages/backend/**/*'
+ - 'packages/megalodon/**/*'
+ - 'packages/misskey-js/**/*'
+ - 'packages/*' # single-star is intention - we don't want to recurse!
+ - 'scripts/**/*'
+ - 'eslint/**/*'
+ - 'chart/**/*'
+ - '.config/**/*'
+
+frontend_tests:
+ <<: *test_common
+ script:
+ - pnpm run --filter frontend build:pre
+ - pnpm run --filter frontend build
+ - pnpm run --filter frontend test
+ # Same as common, but MRs are only run if they modify the frontend.
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ changes:
+ - 'packages/frontend/**/*'
+ - 'packages/frontend-embed/**/*'
+ - 'packages/frontend-shared/**/*'
+ - 'packages/misskey-js/**/*'
+ - 'packages/misskey-bubble-game/**/*'
+ - 'packages/misskey-reversi/**/*'
+ - 'packages/sw/**/*'
+ - 'packages/*' # single-star is intention - we don't want to recurse!
+ - 'scripts/**/*'
+ - 'eslint/**/*'
+ - 'locales/**/*'
+ - 'sharkey-locales/**/*'
+ - 'cypress/**/*'
+ - 'assets/**/*'
+
+misskey-js_tests:
+ <<: *test_common
+ script:
+ - pnpm run --filter misskey-js build
+ - pnpm run --filter misskey-js test
+
+megalodon_tests:
+ <<: *test_common
+ script:
+ - pnpm run --filter megalodon build
+ - pnpm run --filter megalodon test
+
+get_image_tag:
+ <<: *deploy_common
+ image:
+ name: docker.io/alpine:latest
+ pull_policy: if-not-present
+ script:
+ - apk add jq
- |
if test -n "$CI_COMMIT_TAG"; then
tag="$CI_COMMIT_TAG"
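Review bot: The new `image:` blocks pair a mutable tag with `pull_policy: if-not-present` (`docker.io/node:22` in `build`, `docker.io/alpine:latest` in `get_image_tag`), so each runner keeps whatever copy it cached first and never picks up a rebuilt or patched image; the same pairing is added for `gcr.io/kaniko-project/executor:debug` and `mplatform/manifest-tool:alpine` in the later hunk covering `build_image` and `merge_image_manifests`, the jobs that push to the registry. Pinning by digest makes `if-not-present` deterministic, e.g. `name: docker.io/node:22@sha256:<digest>` (placeholder, take the digest from the registry). Separately, `.test_common` carries two `<<:` keys (`<<: *common` then `<<: *build`); since `build` already merges `*common`, `<<: *build` alone avoids the duplicate key. `DS_MAX_DEPTH: -1` and `DS_STATIC_REACHABILITY_ENABLED: true` are the only unquoted values in `variables:` and would be consistent with the rest as `'-1'` and `'true'`. The `get_image_tag` script continues past the end of this hunk.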
@@ -57,15 +207,11 @@ getImageTag:
artifacts:
reports:
dotenv: build.env
- only:
- - stable
- - develop
- - tags
-buildDocker:
- stage: deploy
+build_image:
+ <<: *deploy_common
needs:
- - job: getImageTag
+ - job: get_image_tag
artifacts: true
parallel:
matrix:
@@ -75,41 +221,34 @@ buildDocker:
- ${ARCH}
image:
name: gcr.io/kaniko-project/executor:debug
+ pull_policy: if-not-present
entrypoint: [""]
script:
- >-
- /kaniko/executor
- --context "${CI_PROJECT_DIR}"
- --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
- --destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}"
- only:
- - stable
- - develop
- - tags
+ /kaniko/executor \
+ --context "${CI_PROJECT_DIR}" \
+ --dockerfile "${CI_PROJECT_DIR}/Dockerfile" \
+ --single-snapshot \
+ --destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}"
-mergeManifests:
- stage: deploy
+merge_image_manifests:
+ <<: *deploy_common
needs:
- - job: buildDocker
+ - job: build_image
artifacts: false
- - job: getImageTag
+ - job: get_image_tag
artifacts: true
- tags:
- - docker
image:
- name: mplatform/manifest-tool:alpine
- entrypoint: [""]
+ name: mplatform/manifest-tool:alpine
+ pull_policy: if-not-present
+ entrypoint: [""]
script:
- >-
- manifest-tool
- --username=${CI_REGISTRY_USER}
- --password=${CI_REGISTRY_PASSWORD}
- push from-args
- --platforms linux/amd64,linux/arm64
- --tags ${REGISTRY_PUSH_VERSION}
- --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH
- --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
- only:
- - stable
- - develop
- - tags
+ manifest-tool \
+ --username=${CI_REGISTRY_USER} \
+ --password=${CI_REGISTRY_PASSWORD} \
+ push from-args \
+ --platforms linux/amd64,linux/arm64 \
+ --tags ${REGISTRY_PUSH_VERSION} \
+ --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \
+ --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
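Review bot: `--password=${CI_REGISTRY_PASSWORD}` in the `manifest-tool` command is still passed unquoted on the command line, so the registry credential appears in the job's process arguments and is word-split if it contains whitespace; at minimum quote both values, `--username="${CI_REGISTRY_USER}" \` and `--password="${CI_REGISTRY_PASSWORD}" \`, and consider a registry config file (manifest-tool's `--docker-cfg`) so the secret stays out of argv. The added trailing backslashes sit inside a `>-` folded scalar: if the continuation lines are at the same indent as the first line (indentation is not visible on this page), folding joins them with spaces and each `\ ` becomes an escaped space glued to the next flag, in both this command and `/kaniko/executor`; `- |-` would keep the newlines so the continuations behave as written. Both job definitions start outside this hunk.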
diff --git a/.gitlab/ci_templates/container_scanning.yml b/.gitlab/ci_templates/container_scanning.yml
new file mode 100644
index 0000000000..19231ba4dc
--- /dev/null
+++ b/.gitlab/ci_templates/container_scanning.yml
@@ -0,0 +1,20 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+ - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
+
+# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
+# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
+container_scanning:
+ stage: deploy
+
+ # SAST tools only support x64
+ tags:
+ - amd64
+
+ variables:
+ AST_ENABLE_MR_PIPELINES: 'false'
+ CS_IMAGE: "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}"
+
+ needs:
+ - job: merge_image_manifests
+ artifacts: true
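Review bot: `CS_IMAGE` expands `${REGISTRY_PUSH_TAG}`, but `needs:` lists only `merge_image_manifests`, whose visible definition publishes no dotenv report; the variable appears to come from the `build.env` dotenv artifact of `get_image_tag`. With `needs:`, a job receives dotenv variables only from the jobs it lists, so the tag may expand to empty and the scanner would be pointed at `${CI_REGISTRY_IMAGE}:` instead of the image that was just pushed. Adding `- job: get_image_tag` with `artifacts: true` under `needs:`, as `merge_image_manifests` itself does, would make the dependency explicit.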
diff --git a/.gitlab/ci_templates/dependency_scanning.yml b/.gitlab/ci_templates/dependency_scanning.yml
new file mode 100644
index 0000000000..5f9deaab6b
--- /dev/null
+++ b/.gitlab/ci_templates/dependency_scanning.yml
@@ -0,0 +1,14 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+ - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
+
+dependency-scanning:
+ stage: test
+
+ # SAST tools only support x64
+ tags:
+ - amd64
+
+ # Don't wait, since this has no dependencies.
+ # https://docs.gitlab.com/ci/yaml/#needs
+ needs: []
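Review bot: The header comment links the SAST page although this file configures dependency scanning, and `# SAST tools only support x64` is likewise copied from the SAST template; suggest `# https://docs.gitlab.com/user/application_security/dependency_scanning/` and `# Security scanner images only support x64`. The same copied header appears in container_scanning.yml, lib_behave.yml and secret_detection.yml. The `.latest` template variant follows whatever the GitLab instance ships, so scanner behaviour can change on an instance upgrade without a commit in this repository; a one-line comment stating that this is accepted would help the next maintainer.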
diff --git a/.gitlab/ci_templates/lib_behave.yml b/.gitlab/ci_templates/lib_behave.yml
new file mode 100644
index 0000000000..ecec0a4586
--- /dev/null
+++ b/.gitlab/ci_templates/lib_behave.yml
@@ -0,0 +1,20 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
+ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.4.0
+ inputs:
+ include-lang: 'js'
+ stage: test
+
+
+.libbehave-experiment:
+ # SAST tools only support x64
+ tags:
+ - amd64
+
+ # Don't wait, since this has no dependencies.
+ # https://docs.gitlab.com/ci/yaml/#needs
+ needs: []
+
+ # Gitlab issue currently causes error when upload final artifacts
+ allow_failure: true
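Review bot: The component is referenced by tag, `libbehave@v0.4.0`, and a tag can be moved after review; pinning the include to a commit SHA (`.../libbehave/libbehave@<commit-sha>`, placeholder) fixes exactly which code runs in this pipeline. `allow_failure: true` on `.libbehave-experiment` also means a broken or skipped scan will not fail the pipeline, so extending the comment above it with a link to the upstream GitLab issue would tell maintainers when it can be removed. Whether the component's jobs actually extend `.libbehave-experiment` is not visible here.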
diff --git a/.gitlab/ci_templates/sast.yml b/.gitlab/ci_templates/sast.yml
new file mode 100644
index 0000000000..204df7183c
--- /dev/null
+++ b/.gitlab/ci_templates/sast.yml
@@ -0,0 +1,17 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+ - template: Jobs/SAST.latest.gitlab-ci.yml
+
+sast: &sast
+ stage: test
+
+ # SAST tools only support x64
+ tags:
+ - amd64
+
+ # Don't wait, since this has no dependencies.
+ # https://docs.gitlab.com/ci/yaml/#needs
+ needs: []
+
+gitlab-advanced-sast:
+ <<: *sast
diff --git a/.gitlab/ci_templates/secret_detection.yml b/.gitlab/ci_templates/secret_detection.yml
new file mode 100644
index 0000000000..f78e092bf6
--- /dev/null
+++ b/.gitlab/ci_templates/secret_detection.yml
@@ -0,0 +1,14 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+ - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
+
+secret_detection:
+ stage: test
+
+ # SAST tools only support x64
+ tags:
+ - amd64
+
+ # Don't wait, since this has no dependencies.
+ # https://docs.gitlab.com/ci/yaml/#needs
+ needs: []
diff --git a/.gitlab/issue_templates/bug.md b/.gitlab/issue_templates/bug.md
index a909067269..32631619bc 100644
--- a/.gitlab/issue_templates/bug.md
+++ b/.gitlab/issue_templates/bug.md
@@ -30,6 +30,6 @@
<!-- Please copy and paste any relevant log output. You can find your log by inspecting the page, and going to the "console" tab. This will be automatically formatted into code, so no need for backticks. -->
# **Contribution Guidelines**
-By submitting this issue, you agree to follow our [Contribution Guidelines](https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/CONTRIBUTING.md)
+By submitting this issue, you agree to follow our [Contribution Guidelines](https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/CONTRIBUTING.Sharkey.md)
- [ ] I agree to follow this project's Contribution Guidelines
- [ ] I have searched the issue tracker for similar issues, and this is not a duplicate.
diff --git a/.gitlab/issue_templates/feature.md b/.gitlab/issue_templates/feature.md
index a77f9335fe..989ba23ba7 100644
--- a/.gitlab/issue_templates/feature.md
+++ b/.gitlab/issue_templates/feature.md
@@ -16,6 +16,6 @@
<!-- What instance of Sharkey are you using? -->
# **Contribution Guidelines**
-By submitting this issue, you agree to follow our [Contribution Guidelines](https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/CONTRIBUTING.md)
+By submitting this issue, you agree to follow our [Contribution Guidelines](https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/CONTRIBUTING.Sharkey.md)
- [ ] I agree to follow this project's Contribution Guidelines
- [ ] I have searched the issue tracker for similar requests, and this is not a duplicate.
diff --git a/.gitlab/merge_request_templates/default.md b/.gitlab/merge_request_templates/default.md
index 389b2c8cbe..a2ef2dc235 100644
--- a/.gitlab/merge_request_templates/default.md
+++ b/.gitlab/merge_request_templates/default.md
@@ -6,7 +6,7 @@
%{all_commits}
# **Contribution Guidelines**
-By submitting this merge request, you agree to follow our [Contribution Guidelines](https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/CONTRIBUTING.md)
+By submitting this merge request, you agree to follow our [Contribution Guidelines](https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/CONTRIBUTING.Sharkey.md)
- [ ] I agree to follow this project's Contribution Guidelines
- [ ] I have made sure to test this merge request
diff --git a/package.json b/package.json
index 5055eff10f..03b59123dc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "sharkey",
- "version": "2025.4.4",
+ "version": "2025.4.5",
"codename": "shonk",
"repository": {
"type": "git",
diff --git a/packages/backend/src/server/api/endpoints/notes/translate.ts b/packages/backend/src/server/api/endpoints/notes/translate.ts
index 5ebd5ef362..1bacfa0600 100644
--- a/packages/backend/src/server/api/endpoints/notes/translate.ts
+++ b/packages/backend/src/server/api/endpoints/notes/translate.ts
@@ -130,17 +130,18 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
// DeepL/DeepLX handling
if (this.serverSettings.deeplAuthKey || deeplFreeInstance) {
const params = new URLSearchParams();
- if (this.serverSettings.deeplAuthKey) params.append('auth_key', this.serverSettings.deeplAuthKey);
params.append('text', note.text);
params.append('target_lang', targetLang);
+ const headers: Record<string, string> = {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ Accept: 'application/json, */*',
+ };
+ if (this.serverSettings.deeplAuthKey) headers['Authorization'] = `DeepL-Auth-Key ${this.serverSettings.deeplAuthKey}`;
const endpoint = deeplFreeInstance ?? ( this.serverSettings.deeplIsPro ? 'https://api.deepl.com/v2/translate' : 'https://api-free.deepl.com/v2/translate' );
const res = await this.httpRequestService.send(endpoint, {
method: 'POST',
- headers: {
- 'Content-Type': 'application/x-www-form-urlencoded',
- Accept: 'application/json, */*',
- },
+ headers,
body: params.toString(),
timeout: this.serverSettings.translationTimeout,
});
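Review bot: `headers['Authorization']` is set whenever `deeplAuthKey` is configured, including when `endpoint` resolves to `deeplFreeInstance`, so the DeepL key is sent to whatever host that setting names. This matches the old `auth_key` body parameter, but if a custom instance is not meant to receive the official key the guard could be `if (this.serverSettings.deeplAuthKey && !deeplFreeInstance)`; if forwarding is intended, a comment such as `// the key is also sent to a custom DeepLX instance when one is configured` would document it. The enclosing handler starts and ends outside this hunk.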
diff --git a/packages/misskey-js/package.json b/packages/misskey-js/package.json
index 059c7c2eae..1bb6ae6b7c 100644
--- a/packages/misskey-js/package.json
+++ b/packages/misskey-js/package.json
@@ -1,7 +1,7 @@
{
"type": "module",
"name": "misskey-js",
- "version": "2025.4.4",
+ "version": "2025.4.5",
"description": "Misskey SDK for JavaScript",
"license": "MIT",
"main": "./built/index.js",