Bump version to v3.5.18

Merge pull request from GHSA-vm39-j3vx-pch3
* Prevent different identities from a same SSO provider from accessing a same account * Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true` * Rename methods to avoid confusion between OAuth and OmniAuth
2025-07-10 14:33:16 +00:00 · 2024-02-14 15:17:48 +01:00 · 2024-02-14 15:16:07 +01:00 · 2024-02-14 15:15:34 +01:00 · 2024-02-14 13:18:08 +01:00 · 2024-02-14 12:13:33 +01:00
6030 changed files with 168957 additions and 363003 deletions
--- a/.annotaterb.yml
+++ b/.annotaterb.yml
@ -1,59 +0,0 @@
 ---
 :position: before
 :position_in_additional_file_patterns: before
 :position_in_class: before
 :position_in_factory: before
 :position_in_fixture: before
 :position_in_routes: before
 :position_in_serializer: before
 :position_in_test: before
 :classified_sort: true
 :exclude_controllers: true
 :exclude_factories: true
 :exclude_fixtures: true
 :exclude_helpers: true
 :exclude_scaffolds: true
 :exclude_serializers: true
 :exclude_sti_subclasses: true
 :exclude_tests: true
 :force: false
 :format_markdown: false
 :format_rdoc: false
 :format_yard: false
 :frozen: false
 :ignore_model_sub_dir: false
 :ignore_unknown_models: false
 :include_version: false
 :show_complete_foreign_keys: false
 :show_foreign_keys: false
 :show_indexes: false
 :simple_indexes: false
 :sort: false
 :timestamp: false
 :trace: false
 :with_comment: true
 :with_column_comments: true
 :with_table_comments: true
 :active_admin: false
 :command:
 :debug: false
 :hide_default_column_types: ''
 :hide_limit_column_types: 'integer,boolean'
 :ignore_columns:
 :ignore_routes:
 :models: true
 :routes: false
 :skip_on_db_migrate: false
 :target_action: :do_annotations
 :wrapper:
 :wrapper_close:
 :wrapper_open:
 :classes_default_to_s: []
 :additional_file_patterns: []
 :model_dir:
  - app/models
 :require: []
 :root_dir:
  - ''
 :show_check_constraints: false
--- a/.browserslistrc
+++ b/.browserslistrc
@ -1,6 +1,7 @@
 [production]
 defaults
-> 0.2%
+not IE 11
 firefox >= 78
 ios >= 15.6
 not dead
-not OperaMini all
+
 [development]
 supports es6-module
--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@ -0,0 +1,41 @@
 version: '2'
 checks:
  argument-count:
    enabled: false
  complex-logic:
    enabled: false
  file-lines:
    enabled: false
  method-complexity:
    enabled: false
  method-count:
    enabled: false
  method-lines:
    enabled: false
  nested-control-flow:
    enabled: false
  return-statements:
    enabled: false
  similar-code:
    enabled: false
  identical-code:
    enabled: false
 plugins:
  brakeman:
    enabled: true
  bundler-audit:
    enabled: true
  eslint:
    enabled: true
    channel: eslint-7
  rubocop:
    enabled: true
    channel: rubocop-1-9-1
  sass-lint:
    enabled: true
 exclude_patterns:
  - spec/
  - vendor/asset/
  - app/javascript/mastodon/locales/**/*.json
  - config/locales/**/*.yml
--- a/.deepsource.toml
+++ b/.deepsource.toml
@ -0,0 +1,23 @@
 version = 1
 test_patterns = ["app/javascript/mastodon/**/__tests__/**"]
 exclude_patterns = [
    "db/migrate/**",
    "db/post_migrate/**"
 ]
 [[analyzers]]
 name = "ruby"
 enabled = true
 [[analyzers]]
 name = "javascript"
 enabled = true
  [analyzers.meta]
  environment = [
    "browser",
    "jest",
    "nodejs"
  ]
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@ -1,18 +1,24 @@
-# For details, see https://github.com/devcontainers/images/tree/main/src/ruby
+# [Choice] Ruby version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.1, 3.0, 2, 2.7, 2.6, 3-bullseye, 3.1-bullseye, 3.0-bullseye, 2-bullseye, 2.7-bullseye, 2.6-bullseye, 3-buster, 3.1-buster, 3.0-buster, 2-buster, 2.7-buster, 2.6-buster
-FROM mcr.microsoft.com/devcontainers/ruby:1-3.3-bookworm
+ARG VARIANT=3.1-bullseye
 FROM mcr.microsoft.com/vscode/devcontainers/ruby:${VARIANT}
-# Install node version from .nvmrc
+# Install Rails
-WORKDIR /app
+# RUN gem install rails webdrivers
 COPY .nvmrc .
 RUN /bin/bash --login -i -c "nvm install"
-# Install additional OS packages
+# Default value to allow debug server to serve content over GitHub Codespace's port forwarding service
-RUN apt-get update && \
+# The value is a comma-separated list of allowed domains
-    export DEBIAN_FRONTEND=noninteractive && \
+ENV RAILS_DEVELOPMENT_HOSTS=".githubpreview.dev"
    apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg imagemagick libvips42 libpam-dev
-# Disable download prompt for Corepack
+# [Choice] Node.js version: lts/*, 16, 14, 12, 10
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
+ARG NODE_VERSION="lts/*"
 RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"
-# Move welcome message to where VS Code expects it
+# [Optional] Uncomment this section to install additional OS packages.
-COPY .devcontainer/welcome-message.txt /usr/local/etc/vscode-dev-containers/first-run-notice.txt
+RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
    && apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg imagemagick libpam-dev
 # [Optional] Uncomment this line to install additional gems.
 RUN gem install foreman
 # [Optional] Uncomment this line to install global node packages.
 RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g yarn" 2>&1
--- a/.devcontainer/codespaces/devcontainer.json
+++ b/.devcontainer/codespaces/devcontainer.json
@ -1,51 +0,0 @@
 {
  "name": "Mastodon on GitHub Codespaces",
  "dockerComposeFile": "../compose.yaml",
  "service": "app",
  "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
  "features": {
    "ghcr.io/devcontainers/features/sshd:1": {}
  },
  "runServices": ["app", "db", "redis"],
  "forwardPorts": [3000, 4000],
  "portsAttributes": {
    "3000": {
      "label": "web",
      "onAutoForward": "notify"
    },
    "4000": {
      "label": "stream",
      "onAutoForward": "silent"
    }
  },
  "remoteUser": "root",
  "otherPortsAttributes": {
    "onAutoForward": "silent"
  },
  "remoteEnv": {
    "LOCAL_DOMAIN": "${localEnv:CODESPACE_NAME}-3000.app.github.dev",
    "LOCAL_HTTPS": "true",
    "STREAMING_API_BASE_URL": "https://${localEnv:CODESPACE_NAME}-4000.app.github.dev",
    "DISABLE_FORGERY_REQUEST_PROTECTION": "true",
    "ES_ENABLED": "",
    "LIBRE_TRANSLATE_ENDPOINT": ""
  },
  "onCreateCommand": "git config --global --add safe.directory ${containerWorkspaceFolder}",
  "postCreateCommand": "bin/setup",
  "waitFor": "postCreateCommand",
  "customizations": {
    "vscode": {
      "settings": {},
      "extensions": ["EditorConfig.EditorConfig", "webben.browserslist"]
    }
  }
 }
--- a/.devcontainer/compose.yaml
+++ b/.devcontainer/compose.yaml
@ -1,93 +0,0 @@
 services:
  app:
    working_dir: /workspaces/mastodon/
    build:
      context: ..
      dockerfile: .devcontainer/Dockerfile
    volumes:
      - ..:/workspaces/mastodon:cached
    environment:
      RAILS_ENV: development
      NODE_ENV: development
      VITE_RUBY_HOST: 0.0.0.0
      BIND: 0.0.0.0
      BOOTSNAP_CACHE_DIR: /tmp
      REDIS_HOST: redis
      REDIS_PORT: '6379'
      DB_HOST: db
      DB_USER: postgres
      DB_PASS: postgres
      DB_PORT: '5432'
      ES_ENABLED: 'true'
      ES_HOST: es
      ES_PORT: '9200'
      LIBRE_TRANSLATE_ENDPOINT: http://libretranslate:5000
      LOCAL_DOMAIN: ${LOCAL_DOMAIN:-localhost:3000}
      VITE_DEV_SERVER_PUBLIC: ${VITE_DEV_SERVER_PUBLIC:-localhost:3036}
    # Overrides default command so things don't shut down after the process ends.
    command: sleep infinity
    ports:
      - '3000:3000'
      - '3036:3036'
      - '4000:4000'
    networks:
      - external_network
      - internal_network
  db:
    image: postgres:14-alpine
    restart: unless-stopped
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: postgres
      POSTGRES_DB: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_HOST_AUTH_METHOD: trust
    networks:
      - internal_network
  redis:
    image: redis:7-alpine
    restart: unless-stopped
    volumes:
      - redis-data:/data
    networks:
      - internal_network
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    restart: unless-stopped
    environment:
      ES_JAVA_OPTS: -Xms512m -Xmx512m
      cluster.name: es-mastodon
      discovery.type: single-node
      bootstrap.memory_lock: 'true'
    volumes:
      - es-data:/usr/share/elasticsearch/data
    networks:
      - internal_network
    ulimits:
      memlock:
        soft: -1
        hard: -1
  libretranslate:
    image: libretranslate/libretranslate:v1.6.2
    restart: unless-stopped
    volumes:
      - lt-data:/home/libretranslate/.local
    networks:
      - external_network
      - internal_network
 volumes:
  postgres-data:
  redis-data:
  es-data:
  lt-data:
 networks:
  external_network:
  internal_network:
    internal: true
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -1,42 +1,27 @@
 {
-  "name": "Mastodon on local machine",
+  "name": "Mastodon",
-  "dockerComposeFile": "compose.yaml",
+  "dockerComposeFile": "docker-compose.yml",
  "service": "app",
-  "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
+  "workspaceFolder": "/workspaces/mastodon",
-  "features": {
+  // Set *default* container specific settings.json values on container create.
-    "ghcr.io/devcontainers/features/sshd:1": {}
+  "settings": {},
  },
  // Add the IDs of extensions you want installed when the container is created.
  "extensions": [
    "EditorConfig.EditorConfig",
    "dbaeumer.vscode-eslint",
    "rebornix.Ruby",
    "webben.browserslist"
  ],
  // Use 'forwardPorts' to make a list of ports inside the container available locally.
  // This can be used to network with other containers or the host.
  "forwardPorts": [3000, 4000],
-  "portsAttributes": {
+  // Use 'postCreateCommand' to run commands after the container is created.
-    "3000": {
+  "postCreateCommand": "bundle install --path vendor/bundle && yarn install && ./bin/rails db:setup",
      "label": "web",
      "onAutoForward": "notify",
      "requireLocalPort": true
    },
    "4000": {
      "label": "stream",
      "onAutoForward": "silent",
      "requireLocalPort": true
    }
  },
-  "remoteUser": "root",
+  // Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
-
+  "remoteUser": "vscode"
  "otherPortsAttributes": {
    "onAutoForward": "silent"
  },
  "onCreateCommand": "git config --global --add safe.directory ${containerWorkspaceFolder}",
  "postCreateCommand": "bin/setup",
  "waitFor": "postCreateCommand",
  "customizations": {
    "vscode": {
      "settings": {},
      "extensions": ["EditorConfig.EditorConfig", "webben.browserslist"]
    }
  }
 }
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@ -0,0 +1,83 @@
 version: '3'
 services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        # Update 'VARIANT' to pick a version of Ruby: 3, 3.1, 3.0, 2, 2.7, 2.6
        # Append -bullseye or -buster to pin to an OS version.
        # Use -bullseye variants on local arm64/Apple Silicon.
        VARIANT: '3.0-bullseye'
        # Optional Node.js version to install
        NODE_VERSION: '14'
    volumes:
      - ..:/workspaces/mastodon:cached
    environment:
      RAILS_ENV: development
      NODE_ENV: development
      REDIS_HOST: redis
      REDIS_PORT: '6379'
      DB_HOST: db
      DB_USER: postgres
      DB_PASS: postgres
      DB_PORT: '5432'
      ES_ENABLED: 'true'
      ES_HOST: es
      ES_PORT: '9200'
    # Overrides default command so things don't shut down after the process ends.
    command: sleep infinity
    networks:
      - external_network
      - internal_network
    user: vscode
  db:
    image: postgres:14-alpine
    restart: unless-stopped
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: postgres
      POSTGRES_DB: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_HOST_AUTH_METHOD: trust
    networks:
      - internal_network
  redis:
    image: redis:6-alpine
    restart: unless-stopped
    volumes:
      - redis-data:/data
    networks:
      - internal_network
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    restart: unless-stopped
    environment:
      ES_JAVA_OPTS: -Xms512m -Xmx512m
      cluster.name: es-mastodon
      discovery.type: single-node
      bootstrap.memory_lock: 'true'
    volumes:
      - es-data:/usr/share/elasticsearch/data
    networks:
      - internal_network
    ulimits:
      memlock:
        soft: -1
        hard: -1
 volumes:
  postgres-data:
  redis-data:
  es-data:
 networks:
  external_network:
  internal_network:
    internal: true
--- a/.devcontainer/welcome-message.txt
+++ b/.devcontainer/welcome-message.txt
@ -1,7 +0,0 @@
 👋 Welcome to your Mastodon Dev Container!
 🛠️ Your environment is fully setup with all the required software.
 💥 Run `bin/dev` to start the application processes.
 🥼 Run `RAILS_ENV=test bin/rails assets:precompile && RAILS_ENV=test bin/rspec` to run the test suite.
--- a/.dockerignore
+++ b/.dockerignore
@ -8,7 +8,6 @@
 public/system
 public/assets
 public/packs
 public/packs-test
 node_modules
 neo4j
 vendor/bundle
@ -20,9 +19,3 @@ postgres14
 redis
 elasticsearch
 chart
 .yarn/
 !.yarn/patches
 !.yarn/plugins
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
--- a/.editorconfig
+++ b/.editorconfig
@ -10,4 +10,3 @@ insert_final_newline = true
 charset = utf-8
 indent_style = space
 indent_size = 2
 trim_trailing_whitespace = true
--- a/.env.development
+++ b/.env.development
@ -1,4 +0,0 @@
 # Required by ActiveRecord encryption feature
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
--- a/.env.nanobox
+++ b/.env.nanobox
@ -0,0 +1,254 @@
 # Service dependencies
 # You may set REDIS_URL instead for more advanced options
 REDIS_HOST=$DATA_REDIS_HOST
 REDIS_PORT=6379
 # REDIS_DB=0
 # You may set DATABASE_URL instead for more advanced options
 DB_HOST=$DATA_DB_HOST
 DB_USER=$DATA_DB_USER
 DB_NAME=gonano
 DB_PASS=$DATA_DB_PASS
 DB_PORT=5432
 # DATABASE_URL=postgresql://$DATA_DB_USER:$DATA_DB_PASS@$DATA_DB_HOST/gonano
 # Optional Elasticsearch configuration
 ES_ENABLED=true
 ES_HOST=$DATA_ELASTIC_HOST
 ES_PORT=9200
 BIND=0.0.0.0
 # Federation
 # Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
 # LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
 LOCAL_DOMAIN=${APP_NAME}.nanoapp.io
 # Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links)
 # Use this only if you need to run mastodon on a different domain than the one used for federation.
 # You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
 # DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
 # WEB_DOMAIN=mastodon.example.com
 # Use this if you want to have several aliases handler@example1.com
 # handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
 # be added. Comma separated values
 # ALTERNATE_DOMAINS=example1.com,example2.com
 # Application secrets
 # Generate each with the `rake secret` task (`nanobox run bundle exec rake secret`)
 SECRET_KEY_BASE=$SECRET_KEY_BASE
 OTP_SECRET=$OTP_SECRET
 # VAPID keys (used for push notifications)
 # You can generate the keys using the following command (first is the private key, second is the public one)
 # You should only generate this once per instance. If you later decide to change it, all push subscription will
 # be invalidated, requiring the users to access the website again to resubscribe.
 #
 # Generate with `rake mastodon:webpush:generate_vapid_key` task (`nanobox run bundle exec rake mastodon:webpush:generate_vapid_key`)
 #
 # For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
 VAPID_PRIVATE_KEY=$VAPID_PRIVATE_KEY
 VAPID_PUBLIC_KEY=$VAPID_PUBLIC_KEY
 # Registrations
 # Single user mode will disable registrations and redirect frontpage to the first profile
 # SINGLE_USER_MODE=true
 # Prevent registrations with following e-mail domains
 # EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
 # Only allow registrations with the following e-mail domains
 # EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc
 # Optionally change default language
 # DEFAULT_LOCALE=de
 # E-mail configuration
 # Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
 # If you want to use an SMTP server without authentication (e.g local Postfix relay)
 # then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
 # *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
 SMTP_SERVER=$SMTP_SERVER
 SMTP_PORT=587
 SMTP_LOGIN=$SMTP_LOGIN
 SMTP_PASSWORD=$SMTP_PASSWORD
 SMTP_FROM_ADDRESS=notifications@${APP_NAME}.nanoapp.io
 #SMTP_REPLY_TO=
 #SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
 #SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
 #SMTP_AUTH_METHOD=plain
 #SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
 #SMTP_OPENSSL_VERIFY_MODE=peer
 #SMTP_ENABLE_STARTTLS_AUTO=true
 #SMTP_TLS=true
 # Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
 # PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
 # PAPERCLIP_ROOT_URL=/system
 # Optional asset host for multi-server setups
 # The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
 # if WEB_DOMAIN is not set. For example, the server may have the
 # following header field:
 # Access-Control-Allow-Origin: https://example.com/
 # CDN_HOST=https://assets.example.com
 # S3 (optional)
 # The attachment host must allow cross origin request from WEB_DOMAIN or
 # LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
 # following header field:
 # Access-Control-Allow-Origin: https://192.168.1.123:9000/
 # S3_ENABLED=true
 # S3_BUCKET=
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=
 # S3_REGION=
 # S3_PROTOCOL=http
 # S3_HOSTNAME=192.168.1.123:9000
 # S3 (Minio Config (optional) Please check Minio instance for details)
 # The attachment host must allow cross origin request - see the description
 # above.
 # S3_ENABLED=true
 # S3_BUCKET=
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=
 # S3_REGION=
 # S3_PROTOCOL=https
 # S3_HOSTNAME=
 # S3_ENDPOINT=
 # S3_SIGNATURE_VERSION=
 # Google Cloud Storage (optional)
 # Use S3 compatible API. Since GCS does not support Multipart Upload,
 # increase the value of S3_MULTIPART_THRESHOLD to disable Multipart Upload.
 # The attachment host must allow cross origin request - see the description
 # above.
 # S3_ENABLED=true
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=
 # S3_REGION=
 # S3_PROTOCOL=https
 # S3_HOSTNAME=storage.googleapis.com
 # S3_ENDPOINT=https://storage.googleapis.com
 # S3_MULTIPART_THRESHOLD=52428801 # 50.megabytes
 # Swift (optional)
 # The attachment host must allow cross origin request - see the description
 # above.
 # SWIFT_ENABLED=true
 # SWIFT_USERNAME=
 # For Keystone V3, the value for SWIFT_TENANT should be the project name
 # SWIFT_TENANT=
 # SWIFT_PASSWORD=
 # Some OpenStack V3 providers require PROJECT_ID (optional)
 # SWIFT_PROJECT_ID=
 # Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
 # issues with token rate-limiting during high load.
 # SWIFT_AUTH_URL=
 # SWIFT_CONTAINER=
 # SWIFT_OBJECT_URL=
 # SWIFT_REGION=
 # Defaults to 'default'
 # SWIFT_DOMAIN_NAME=
 # Defaults to 60 seconds. Set to 0 to disable
 # SWIFT_CACHE_TTL=
 # Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
 # S3_ALIAS_HOST=
 # Streaming API integration
 # STREAMING_API_BASE_URL=
 # Advanced settings
 # If you need to use pgBouncer, you need to disable prepared statements:
 # PREPARED_STATEMENTS=false
 # Cluster number setting for streaming API server.
 # If you comment out following line, cluster number will be `numOfCpuCores - 1`.
 # STREAMING_CLUSTER_NUM=1
 # Docker mastodon user
 # If you use Docker, you may want to assign UID/GID manually.
 # UID=1000
 # GID=1000
 # LDAP authentication (optional)
 # LDAP_ENABLED=true
 # LDAP_HOST=localhost
 # LDAP_PORT=389
 # LDAP_METHOD=simple_tls
 # LDAP_BASE=
 # LDAP_BIND_DN=
 # LDAP_PASSWORD=
 # LDAP_UID=cn
 # LDAP_MAIL=mail
 # LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(%{mail}=%{email}))
 # LDAP_UID_CONVERSION_ENABLED=true
 # LDAP_UID_CONVERSION_SEARCH=., -
 # LDAP_UID_CONVERSION_REPLACE=_
 # PAM authentication (optional)
 # PAM authentication uses for the email generation the "email" pam variable
 # and optional as fallback PAM_DEFAULT_SUFFIX
 # The pam environment variable "email" is provided by:
 # https://github.com/devkral/pam_email_extractor
 # PAM_ENABLED=true
 # Fallback email domain for email address generation (LOCAL_DOMAIN by default)
 # PAM_EMAIL_DOMAIN=example.com
 # Name of the pam service (pam "auth" section is evaluated)
 # PAM_DEFAULT_SERVICE=rpam
 # Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
 # PAM_CONTROLLED_SERVICE=rpam
 # Optional CAS authentication (cf. omniauth-cas) :
 # CAS_ENABLED=true
 # CAS_URL=https://sso.myserver.com/
 # CAS_HOST=sso.myserver.com/
 # CAS_PORT=443
 # CAS_SSL=true
 # CAS_VALIDATE_URL=
 # CAS_CALLBACK_URL=
 # CAS_LOGOUT_URL=
 # CAS_LOGIN_URL=
 # CAS_UID_FIELD='user'
 # CAS_CA_PATH=
 # CAS_DISABLE_SSL_VERIFICATION=false
 # CAS_UID_KEY='user'
 # CAS_NAME_KEY='name'
 # CAS_EMAIL_KEY='email'
 # CAS_NICKNAME_KEY='nickname'
 # CAS_FIRST_NAME_KEY='firstname'
 # CAS_LAST_NAME_KEY='lastname'
 # CAS_LOCATION_KEY='location'
 # CAS_IMAGE_KEY='image'
 # CAS_PHONE_KEY='phone'
 # CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
 # Optional SAML authentication (cf. omniauth-saml)
 # SAML_ENABLED=true
 # SAML_ACS_URL=http://localhost:3000/auth/auth/saml/callback
 # SAML_ISSUER=https://example.com
 # SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
 # SAML_IDP_CERT=
 # SAML_IDP_CERT_FINGERPRINT=
 # SAML_NAME_IDENTIFIER_FORMAT=
 # SAML_CERT=
 # SAML_PRIVATE_KEY=
 # SAML_SECURITY_WANT_ASSERTION_SIGNED=true
 # SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
 # SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
 # SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
 # SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
 # SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
 # SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
 # SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
 # SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
 # SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
 # SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
 # Use HTTP proxy for outgoing request (optional)
 # http_proxy=http://gateway.local:8118
 # Access control for hidden service.
 # ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
--- a/.env.production.sample
+++ b/.env.production.sample
@ -1,5 +1,5 @@
 # This is a sample configuration file. You can generate your configuration
-# with the `bundle exec rails mastodon:setup` interactive setup wizard, but to customize
+# with the `rake mastodon:setup` interactive setup wizard, but to customize
 # your setup even further, you'll need to edit it manually. This sample does
 # not demonstrate all available configuration options. Please look at
 # https://docs.joinmastodon.org/admin/config/ for the full documentation.
@ -40,31 +40,21 @@ ES_PASS=password
 # Secrets
 # -------
-# Make sure to use `bundle exec rails secret` to generate secrets
+# Make sure to use `rake secret` to generate secrets
 # -------
 SECRET_KEY_BASE=
-
+OTP_SECRET=
 # Encryption secrets
 # ------------------
 # Must be available (and set to same values) for all server processes
 # These are private/secret values, do not share outside hosting environment
 # Use `bin/rails db:encryption:init` to generate fresh secrets
 # Do NOT change these secrets once in use, as this would cause data loss and other issues
 # ------------------
 # ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
 # ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
 # ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
 # Web Push
 # --------
-# Generate with `bundle exec rails mastodon:webpush:generate_vapid_key`
+# Generate with `rake mastodon:webpush:generate_vapid_key`
 # --------
 VAPID_PRIVATE_KEY=
 VAPID_PUBLIC_KEY=
 # Sending mail
 # ------------
-SMTP_SERVER=
+SMTP_SERVER=smtp.mailgun.org
 SMTP_PORT=587
 SMTP_LOGIN=
 SMTP_PASSWORD=
@ -77,35 +67,3 @@ S3_BUCKET=files.example.com
 AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
 S3_ALIAS_HOST=files.example.com
 # Optional list of hosts that are allowed to serve media for your instance
 # EXTRA_MEDIA_HOSTS=https://data.example1.com,https://data.example2.com
 # IP and session retention
 # -----------------------
 # Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
 # to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
 # -----------------------
 IP_RETENTION_PERIOD=31556952
 SESSION_RETENTION_PERIOD=31556952
 # Fetch All Replies Behavior
 # --------------------------
 # When a user expands a post (DetailedStatus view), fetch all of its replies
 # (default: false)
 FETCH_REPLIES_ENABLED=false
 # Period to wait between fetching replies (in minutes)
 FETCH_REPLIES_COOLDOWN_MINUTES=15
 # Period to wait after a post is first created before fetching its replies (in minutes)
 FETCH_REPLIES_INITIAL_WAIT_MINUTES=5
 # Max number of replies to fetch - total, recursively through a whole reply tree
 FETCH_REPLIES_MAX_GLOBAL=1000
 # Max number of replies to fetch - for a single post
 FETCH_REPLIES_MAX_SINGLE=500
 # Max number of replies Collection pages to fetch - total
 FETCH_REPLIES_MAX_PAGES=500
--- a/.env.test
+++ b/.env.test
@ -1,11 +1,5 @@
-# In test, compile the NodeJS code as if we are in production
+# Node.js
-NODE_ENV=production
+NODE_ENV=tests
 # Federation
 LOCAL_DOMAIN=cb6e6126.ngrok.io
 LOCAL_HTTPS=true
 # Secret values required by ActiveRecord encryption feature
 # Use `bin/rails db:encryption:init` to generate fresh secrets
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=test_determinist_key_DO_NOT_USE_IN_PRODUCTION
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=test_salt_DO_NOT_USE_IN_PRODUCTION
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=test_primary_key_DO_NOT_USE_IN_PRODUCTION
--- a/.env.vagrant
+++ b/.env.vagrant
@ -2,7 +2,3 @@ VAGRANT=true
 LOCAL_DOMAIN=mastodon.local
 BIND=0.0.0.0
 DB_HOST=/var/run/postgresql/
 ES_ENABLED=true
 ES_HOST=localhost
 ES_PORT=9200
--- a/.eslintignore
+++ b/.eslintignore
@ -0,0 +1,13 @@
 /build/**
 /coverage/**
 /db/**
 /lib/**
 /log/**
 /node_modules/**
 /nonobox/**
 /public/**
 !/public/embed.js
 /spec/**
 /tmp/**
 /vendor/**
 !.eslintrc.js
--- a/.eslintrc.js
+++ b/.eslintrc.js
@ -0,0 +1,214 @@
 module.exports = {
  root: true,
  env: {
    browser: true,
    node: true,
    es6: true,
    jest: true,
  },
  globals: {
    ATTACHMENT_HOST: false,
  },
  parser: 'babel-eslint',
  plugins: [
    'react',
    'jsx-a11y',
    'import',
    'promise',
  ],
  parserOptions: {
    sourceType: 'module',
    ecmaFeatures: {
      experimentalObjectRestSpread: true,
      jsx: true,
    },
    ecmaVersion: 2018,
  },
  settings: {
    react: {
      version: 'detect',
    },
    'import/extensions': [
      '.js',
    ],
    'import/ignore': [
      'node_modules',
      '\\.(css|scss|json)$',
    ],
    'import/resolver': {
      node: {
        paths: ['app/javascript'],
      },
    },
  },
  rules: {
    'brace-style': 'warn',
    'comma-dangle': ['error', 'always-multiline'],
    'comma-spacing': [
      'warn',
      {
        before: false,
        after: true,
      },
    ],
    'comma-style': ['warn', 'last'],
    'consistent-return': 'error',
    'dot-notation': 'error',
    eqeqeq: 'error',
    indent: ['warn', 2],
    'jsx-quotes': ['error', 'prefer-single'],
    'no-catch-shadow': 'error',
    'no-cond-assign': 'error',
    'no-console': [
      'warn',
      {
        allow: [
          'error',
          'warn',
        ],
      },
    ],
    'no-fallthrough': 'error',
    'no-irregular-whitespace': 'error',
    'no-mixed-spaces-and-tabs': 'warn',
    'no-nested-ternary': 'warn',
    'no-restricted-properties': [
      'error',
      { property: 'substring', message: 'Use .slice instead of .substring.' },
      { property: 'substr', message: 'Use .slice instead of .substr.' },
    ],
    'no-trailing-spaces': 'warn',
    'no-undef': 'error',
    'no-unreachable': 'error',
    'no-unused-expressions': 'error',
    'no-unused-vars': [
      'error',
      {
        vars: 'all',
        args: 'after-used',
        ignoreRestSiblings: true,
      },
    ],
    'object-curly-spacing': ['error', 'always'],
    'padded-blocks': [
      'error',
      {
        classes: 'always',
      },
    ],
    quotes: ['error', 'single'],
    semi: 'error',
    strict: 'off',
    'valid-typeof': 'error',
    'react/jsx-boolean-value': 'error',
    'react/jsx-closing-bracket-location': ['error', 'line-aligned'],
    'react/jsx-curly-spacing': 'error',
    'react/jsx-equals-spacing': 'error',
    'react/jsx-first-prop-new-line': ['error', 'multiline-multiprop'],
    'react/jsx-indent': ['error', 2],
    'react/jsx-no-bind': 'error',
    'react/jsx-no-duplicate-props': 'error',
    'react/jsx-no-undef': 'error',
    'react/jsx-tag-spacing': 'error',
    'react/jsx-uses-react': 'error',
    'react/jsx-uses-vars': 'error',
    'react/jsx-wrap-multilines': 'error',
    'react/no-multi-comp': 'off',
    'react/no-string-refs': 'error',
    'react/prop-types': 'error',
    'react/self-closing-comp': 'error',
    'jsx-a11y/accessible-emoji': 'warn',
    'jsx-a11y/alt-text': 'warn',
    'jsx-a11y/anchor-has-content': 'warn',
    'jsx-a11y/anchor-is-valid': [
      'warn',
      {
        components: [
          'Link',
          'NavLink',
        ],
        specialLink: [
          'to',
        ],
        aspect: [
          'noHref',
          'invalidHref',
          'preferButton',
        ],
      },
    ],
    'jsx-a11y/aria-activedescendant-has-tabindex': 'warn',
    'jsx-a11y/aria-props': 'warn',
    'jsx-a11y/aria-proptypes': 'warn',
    'jsx-a11y/aria-role': 'warn',
    'jsx-a11y/aria-unsupported-elements': 'warn',
    'jsx-a11y/heading-has-content': 'warn',
    'jsx-a11y/html-has-lang': 'warn',
    'jsx-a11y/iframe-has-title': 'warn',
    'jsx-a11y/img-redundant-alt': 'warn',
    'jsx-a11y/interactive-supports-focus': 'warn',
    'jsx-a11y/label-has-for': 'off',
    'jsx-a11y/mouse-events-have-key-events': 'warn',
    'jsx-a11y/no-access-key': 'warn',
    'jsx-a11y/no-distracting-elements': 'warn',
    'jsx-a11y/no-noninteractive-element-interactions': [
      'warn',
      {
        handlers: [
          'onClick',
        ],
      },
    ],
    'jsx-a11y/no-onchange': 'warn',
    'jsx-a11y/no-redundant-roles': 'warn',
    'jsx-a11y/no-static-element-interactions': [
      'warn',
      {
        handlers: [
          'onClick',
        ],
      },
    ],
    'jsx-a11y/role-has-required-aria-props': 'warn',
    'jsx-a11y/role-supports-aria-props': 'off',
    'jsx-a11y/scope': 'warn',
    'jsx-a11y/tabindex-no-positive': 'warn',
    'import/extensions': [
      'error',
      'always',
      {
        js: 'never',
      },
    ],
    'import/newline-after-import': 'error',
    'import/no-extraneous-dependencies': [
      'error',
      {
        devDependencies: [
          'config/webpack/**',
          'app/javascript/mastodon/test_setup.js',
          'app/javascript/**/__tests__/**',
        ],
      },
    ],
    'import/no-unresolved': 'error',
    'import/no-webpack-loader-syntax': 'error',
    'promise/catch-or-return': [
      'error',
      {
        allowFinally: true,
      },
    ],
  },
 };
--- a/.github/.well-known/funding-manifest-urls
+++ b/.github/.well-known/funding-manifest-urls
@ -1 +0,0 @@
 https://joinmastodon.org/funding.json
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1,3 @@
 patreon: mastodon
 open_collective: mastodon
 custom: https://sponsor.joinmastodon.org
--- a/.github/ISSUE_TEMPLATE/1.bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1.bug_report.yml
@ -0,0 +1,42 @@
 name: Bug Report
 description: If something isn't working as expected
 labels: bug
 body:
  - type: markdown
    attributes:
      value: |
        Make sure that you are submitting a new bug that was not previously reported or already fixed.
        Please use a concise and distinct title for the issue.
  - type: textarea
    attributes:
      label: Steps to reproduce the problem
      description: What were you trying to do?
      value: |
        1.
        2.
        3.
        ...
    validations:
      required: true
  - type: input
    attributes:
      label: Expected behaviour
      description: What should have happened?
    validations:
      required: true
  - type: input
    attributes:
      label: Actual behaviour
      description: What happened?
    validations:
      required: true
  - type: textarea
    attributes:
      label: Specifications
      description: |
        What version or commit hash of Mastodon did you find this bug in?
        If a front-end issue, what browser and operating systems were you using?
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/1.web_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1.web_bug_report.yml
@ -1,77 +0,0 @@
 name: Bug Report (Web Interface)
 description: There is a problem using Mastodon's web interface.
 labels: ['status/to triage', 'area/web interface']
 type: Bug
 body:
  - type: markdown
    attributes:
      value: |
        Make sure that you are submitting a new bug that was not previously reported or already fixed.
        Please use a concise and distinct title for the issue.
  - type: textarea
    attributes:
      label: Steps to reproduce the problem
      description: What were you trying to do?
      value: |
        1.
        2.
        3.
        ...
    validations:
      required: true
  - type: input
    attributes:
      label: Expected behaviour
      description: What should have happened?
    validations:
      required: true
  - type: input
    attributes:
      label: Actual behaviour
      description: What happened?
    validations:
      required: true
  - type: textarea
    attributes:
      label: Detailed description
    validations:
      required: false
  - type: input
    attributes:
      label: Mastodon instance
      description: The address of the Mastodon instance where you experienced the issue
      placeholder: mastodon.social
    validations:
      required: true
  - type: input
    attributes:
      label: Mastodon version
      description: |
        This is displayed at the bottom of the About page, eg. `v4.4.0-beta.1`
      placeholder: v4.4.0-beta.1
    validations:
      required: true
  - type: input
    attributes:
      label: Browser name and version
      description: |
        What browser are you using when getting this bug? Please specify the version as well.
      placeholder: Firefox 139.0.0
    validations:
      required: true
  - type: input
    attributes:
      label: Operating system
      description: |
        What OS are you running? Please specify the version as well.
      placeholder: macOS 15.5
    validations:
      required: true
  - type: textarea
    attributes:
      label: Technical details
      description: |
        Any additional technical details you may have. This can include the full error log, inspector's output…
    validations:
      required: false
--- a/.github/ISSUE_TEMPLATE/2.feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/2.feature_request.yml
@ -0,0 +1,22 @@
 name: Feature Request
 description: I have a suggestion
 labels: suggestion
 body:
  - type: markdown
    attributes:
      value: |
        Please use a concise and distinct title for the issue.
        Consider: Could it be implemented as a 3rd party app using the REST API instead?
  - type: textarea
    attributes:
      label: Pitch
      description: Describe your idea for a feature. Make sure it has not already been suggested/implemented/turned down before.
    validations:
      required: true
  - type: textarea
    attributes:
      label: Motivation
      description: Why do you think this feature is needed? Who would benefit from it?
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/2.server_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/2.server_bug_report.yml
@ -1,66 +0,0 @@
 name: Bug Report (server / API)
 description: |
  There is a problem with the HTTP server, REST API, ActivityPub interaction, etc.
 labels: ['status/to triage']
 type: 'Bug'
 body:
  - type: markdown
    attributes:
      value: |
        Make sure that you are submitting a new bug that was not previously reported or already fixed.
        Please use a concise and distinct title for the issue.
  - type: textarea
    attributes:
      label: Steps to reproduce the problem
      description: What were you trying to do?
      value: |
        1.
        2.
        3.
        ...
    validations:
      required: true
  - type: input
    attributes:
      label: Expected behaviour
      description: What should have happened?
    validations:
      required: true
  - type: input
    attributes:
      label: Actual behaviour
      description: What happened?
    validations:
      required: true
  - type: textarea
    attributes:
      label: Detailed description
    validations:
      required: false
  - type: input
    attributes:
      label: Mastodon instance
      description: The address of the Mastodon instance where you experienced the issue
      placeholder: mastodon.social
    validations:
      required: false
  - type: input
    attributes:
      label: Mastodon version
      description: |
        This is displayed at the bottom of the About page, eg. `v4.4.0-beta.1`
      placeholder: v4.4.0-beta.1
    validations:
      required: false
  - type: textarea
    attributes:
      label: Technical details
      description: |
        Any additional technical details you may have, like logs or error traces
      value: |
        If this is happening on your own Mastodon server, please fill out those:
        - Ruby version: (from `ruby --version`, eg. v3.4.4)
        - Node.js version: (from `node --version`, eg. v22.16.0)
    validations:
      required: false
--- a/.github/ISSUE_TEMPLATE/3.troubleshooting.yml
+++ b/.github/ISSUE_TEMPLATE/3.troubleshooting.yml
@ -1,74 +0,0 @@
 name: Deployment troubleshooting
 description: |
  You are a server administrator and you are encountering a technical issue during installation, upgrade or operations of Mastodon.
 labels: ['status/to triage']
 type: 'Troubleshooting'
 body:
  - type: markdown
    attributes:
      value: |
        Make sure that you are submitting a new bug that was not previously reported or already fixed.
        Please use a concise and distinct title for the issue.
  - type: textarea
    attributes:
      label: Steps to reproduce the problem
      description: What were you trying to do?
      value: |
        1.
        2.
        3.
        ...
    validations:
      required: true
  - type: input
    attributes:
      label: Expected behaviour
      description: What should have happened?
    validations:
      required: true
  - type: input
    attributes:
      label: Actual behaviour
      description: What happened?
    validations:
      required: true
  - type: textarea
    attributes:
      label: Detailed description
    validations:
      required: false
  - type: input
    attributes:
      label: Mastodon instance
      description: The address of the Mastodon instance where you experienced the issue
      placeholder: mastodon.social
    validations:
      required: true
  - type: input
    attributes:
      label: Mastodon version
      description: |
        This is displayed at the bottom of the About page, eg. `v4.4.0-alpha.1`
      placeholder: v4.4.0-beta.1
    validations:
      required: false
  - type: textarea
    attributes:
      label: Environment
      description: |
        Details about your environment, like how Mastodon is deployed, if containers are used, version numbers, etc.
      value: |
        Please at least include those informations:
        - Operating system: (eg. Ubuntu 24.04.2)
        - Ruby version: (from `ruby --version`, eg. v3.4.4)
        - Node.js version: (from `node --version`, eg. v22.16.0)
    validations:
      required: false
  - type: textarea
    attributes:
      label: Technical details
      description: |
        Any additional technical details you may have, like logs or error traces
    validations:
      required: false
--- a/.github/ISSUE_TEMPLATE/4.feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/4.feature_request.yml
@ -1,22 +0,0 @@
 name: Feature Request
 description: I have a suggestion
 type: Suggestion
 body:
  - type: markdown
    attributes:
      value: |
        Please use a concise and distinct title for the issue.
        Consider: Could it be implemented as a 3rd party app using the REST API instead?
  - type: textarea
    attributes:
      label: Pitch
      description: Describe your idea for a feature. Make sure it has not already been suggested/implemented/turned down before.
    validations:
      required: true
  - type: textarea
    attributes:
      label: Motivation
      description: Why do you think this feature is needed? Who would benefit from it?
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -3,3 +3,6 @@ contact_links:
  - name: GitHub Discussions
    url: https://github.com/mastodon/mastodon/discussions
    about: Please ask and answer questions here.
  - name: Bug Bounty Program
    url: https://app.intigriti.com/programs/mastodon/mastodonio/detail
    about: Please report security vulnerabilities here.
--- a/.github/actions/setup-javascript/action.yml
+++ b/.github/actions/setup-javascript/action.yml
@ -1,42 +0,0 @@
 name: 'Setup Javascript'
 description: 'Setup a Javascript environment ready to run the Mastodon code'
 inputs:
  onlyProduction:
    description: Only install production dependencies
    default: 'false'
 runs:
  using: 'composite'
  steps:
    - name: Set up Node.js
      uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
    # The following is needed because we can not use `cache: true` for `setup-node`, as it does not support Corepack yet and mess up with the cache location if ran after Node is installed
    - name: Enable corepack
      shell: bash
      run: corepack enable
    - name: Get yarn cache directory path
      id: yarn-cache-dir-path
      shell: bash
      run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
    - uses: actions/cache@v4
      id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
      with:
        path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
        key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
        restore-keys: |
          ${{ runner.os }}-yarn-
    - name: Install all yarn packages
      shell: bash
      run: yarn install --immutable
      if: inputs.onlyProduction == 'false'
    - name: Install all production yarn packages
      shell: bash
      run: yarn workspaces focus --production
      if: inputs.onlyProduction != 'false'
--- a/.github/actions/setup-ruby/action.yml
+++ b/.github/actions/setup-ruby/action.yml
@ -1,23 +0,0 @@
 name: 'Setup RUby'
 description: 'Setup a Ruby environment ready to run the Mastodon code'
 inputs:
  ruby-version:
    description: The Ruby version to install
    default: '.ruby-version'
  additional-system-dependencies:
    description: 'Additional packages to install'
 runs:
  using: 'composite'
  steps:
    - name: Install system dependencies
      shell: bash
      run: |
        sudo apt-get update
        sudo apt-get install -y libicu-dev libidn11-dev libvips42 ${{ inputs.additional-system-dependencies }}
    - name: Set up Ruby
      uses: ruby/setup-ruby@v1
      with:
        ruby-version: ${{ inputs.ruby-version }}
        bundler-cache: true
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@ -1,13 +0,0 @@
 comment: false # Do not leave PR comments
 coverage:
  status:
    project:
      default:
        # GitHub status check is not blocking
        informational: true
    patch:
      default:
        # GitHub status check is not blocking
        informational: true
 github_checks:
  annotations: false
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,22 @@
 # To get started with Dependabot version updates, you'll need to specify which
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
 # https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 version: 2
 updates:
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 99
    allow:
      - dependency-type: direct
  - package-ecosystem: bundler
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 99
    allow:
      - dependency-type: direct
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -1,151 +0,0 @@
 {
  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
  extends: [
    'config:recommended',
    'customManagers:dockerfileVersions',
    ':labels(dependencies)',
    ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
    ':prHourlyLimit2', // Rate limit PR creation to a maximum of two per hour.
  ],
  rebaseWhen: 'conflicted',
  minimumReleaseAge: '3', // Wait 3 days after the package has been published before upgrading it
  // packageRules order is important, they are applied from top to bottom and are merged,
  // meaning the most important ones must be at the bottom, for example grouping rules
  // If we do not want a package to be grouped with others, we need to set its groupName
  // to `null` after any other rule set it to something.
  dependencyDashboardHeader: 'This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more. Before approving any upgrade: read the description and comments in the [`renovate.json5` file](https://github.com/mastodon/mastodon/blob/main/.github/renovate.json5).',
  postUpdateOptions: ['yarnDedupeHighest'],
  // The types are now included in recent versions,we ignore them here until we upgrade and remove the dependency
  ignoreDeps: ['@types/emoji-mart'],
  packageRules: [
    {
      // Require Dependency Dashboard Approval for major version bumps of these node packages
      matchManagers: ['npm'],
      matchPackageNames: [
        'tesseract.js', // Requires code changes
        'react-hotkeys', // Requires code changes
        // react-router: Requires manual upgrade
        'history',
        'react-router-dom',
        // react-spring: Requires manual upgrade when upgrading react
        '@react-spring/web',
      ],
      matchUpdateTypes: ['major'],
      dependencyDashboardApproval: true,
    },
    {
      // Require Dependency Dashboard Approval for major version bumps of these Ruby packages
      matchManagers: ['bundler'],
      matchPackageNames: [
        'strong_migrations', // Requires manual upgrade
        'sidekiq', // Requires manual upgrade
        'sidekiq-unique-jobs', // Requires manual upgrades and sync with Sidekiq version
        'redis', // Requires manual upgrade and sync with Sidekiq version
      ],
      matchUpdateTypes: ['major'],
      dependencyDashboardApproval: true,
    },
    {
      // Update GitHub Actions and Docker images weekly
      matchManagers: ['github-actions', 'dockerfile', 'docker-compose'],
      extends: ['schedule:weekly'],
    },
    {
      // Require Dependency Dashboard Approval for major & minor bumps for the ruby image, this needs to be synced with .ruby-version
      matchManagers: ['dockerfile'],
      matchPackageNames: ['moritzheiber/ruby-jemalloc'],
      matchUpdateTypes: ['minor', 'major'],
      dependencyDashboardApproval: true,
    },
    {
      // Require Dependency Dashboard Approval for major bumps for the node image, this needs to be synced with .nvmrc
      matchManagers: ['dockerfile'],
      matchPackageNames: ['node'],
      matchUpdateTypes: ['major'],
      dependencyDashboardApproval: true,
    },
    {
      // Require Dependency Dashboard Approval for major postgres bumps in the docker-compose file, as those break dev environments
      matchManagers: ['docker-compose'],
      matchPackageNames: ['postgres'],
      matchUpdateTypes: ['major'],
      dependencyDashboardApproval: true,
    },
    {
      // Update devDependencies every week, with one grouped PR
      matchManagers: ['npm'],
      matchDepTypes: 'devDependencies',
      matchUpdateTypes: ['patch', 'minor'],
      groupName: 'devDependencies (non-major)',
      extends: ['schedule:weekly'],
    },
    {
      // Group all eslint-related packages with `eslint` in the same PR
      matchManagers: ['npm'],
      matchPackageNames: [
        'eslint',
        'eslint-*',
        'typescript-eslint',
        '@eslint/*',
        'globals',
      ],
      matchUpdateTypes: ['patch', 'minor'],
      groupName: 'eslint (non-major)',
    },
    {
      // Group actions/*-artifact in the same PR
      matchManagers: ['github-actions'],
      matchPackageNames: [
        'actions/download-artifact',
        'actions/upload-artifact',
      ],
      matchUpdateTypes: ['major'],
      groupName: 'artifact actions (major)',
    },
    {
      // Update @types/* packages every week, with one grouped PR
      matchManagers: ['npm'],
      matchPackageNames: '@types/*',
      matchUpdateTypes: ['patch', 'minor'],
      groupName: 'DefinitelyTyped types (non-major)',
      extends: ['schedule:weekly'],
      addLabels: ['typescript'],
    },
    {
      // We want those packages to always have their own PR
      matchManagers: ['npm'],
      matchPackageNames: [
        'typescript', // Typescript has code-impacting changes in minor versions
      ],
      groupName: null, // We dont want them to belong to any group
    },
    {
      // Group all RuboCop packages with `rubocop` in the same PR
      matchManagers: ['bundler'],
      matchPackageNames: ['rubocop', 'rubocop-*'],
      matchUpdateTypes: ['patch', 'minor'],
      groupName: 'RuboCop (non-major)',
    },
    {
      // Group all RSpec packages with `rspec` in the same PR
      matchManagers: ['bundler'],
      matchPackageNames: ['rspec', 'rspec-*'],
      matchUpdateTypes: ['patch', 'minor'],
      groupName: 'RSpec (non-major)',
    },
    {
      // Group all opentelemetry-ruby packages in the same PR
      matchManagers: ['bundler'],
      matchPackageNames: ['opentelemetry-*'],
      matchUpdateTypes: ['patch', 'minor'],
      groupName: 'opentelemetry-ruby (non-major)',
    },
    // Add labels depending on package manager
    { matchManagers: ['npm', 'nvm'], addLabels: ['javascript'] },
    { matchManagers: ['bundler', 'ruby-version'], addLabels: ['ruby'] },
    { matchManagers: ['docker-compose', 'dockerfile'], addLabels: ['docker'] },
    { matchManagers: ['github-actions'], addLabels: ['github_actions'] },
  ],
 }
--- a/.github/workflows/build-container-image.yml
+++ b/.github/workflows/build-container-image.yml
@ -1,155 +1,77 @@
 on:
  workflow_call:
    inputs:
      platforms:
        required: true
        type: string
      cache:
        type: boolean
        default: true
      use_native_arm64_builder:
        type: boolean
      push_to_images:
        type: string
      version_prerelease:
        type: string
      version_metadata:
        type: string
      flavor:
        type: string
      tags:
        type: string
      labels:
        type: string
      file_to_build:
        type: string
 # This builds multiple images with one runner each, allowing us to build for multiple architectures
 # using Github's runners.
 # The two-step process is adapted form:
 # https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
 jobs:
  # Build each (amd64 and arm64) image separately
  build-image:
-    runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
-      - name: Prepare
+      - uses: docker/setup-qemu-action@v2
-        env:
+        if: contains(inputs.platforms, 'linux/arm64') && !inputs.use_native_arm64_builder
          PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
          # Transform multi-line variable into comma-separated variable
          image_names=${PUSH_TO_IMAGES//$'\n'/,}
          echo "IMAGE_NAMES=${image_names%,}" >> $GITHUB_ENV
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@v2
        id: buildx
        if: ${{ !(inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')) }}
-      - name: Log in to Docker Hub
+      - name: Start a local Docker Builder
-        if: contains(inputs.push_to_images, 'tootsuite')
+        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Log in to the GitHub Container registry
        if: contains(inputs.push_to_images, 'ghcr.io')
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        if: ${{ inputs.push_to_images != '' }}
        with:
          images: ${{ inputs.push_to_images }}
          flavor: ${{ inputs.flavor }}
          labels: ${{ inputs.labels }}
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ inputs.file_to_build }}
          build-args: |
            MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }}
            MASTODON_VERSION_METADATA=${{ inputs.version_metadata }}
            SOURCE_COMMIT=${{ github.sha }}
          platforms: ${{ matrix.platform }}
          provenance: false
          push: ${{ inputs.push_to_images != '' }}
          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
          outputs: type=image,"name=${{ env.IMAGE_NAMES }}",push-by-digest=true,name-canonical=true,push=${{ inputs.push_to_images != '' }}
      - name: Export digest
        if: ${{ inputs.push_to_images != '' }}
        run: |
-          mkdir -p "${{ runner.temp }}/digests"
+          docker run --rm -d --name buildkitd -p 1234:1234 --privileged moby/buildkit:latest --addr tcp://0.0.0.0:1234
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
-      - name: Upload digest
+      - uses: docker/setup-buildx-action@v2
-        if: ${{ inputs.push_to_images != '' }}
+        id: buildx-native
-        uses: actions/upload-artifact@v4
+        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
        with:
-          # `hashFiles` is used to disambiguate between streaming and non-streaming images
+          driver: remote
-          name: digests-${{ hashFiles(inputs.file_to_build) }}-${{ env.PLATFORM_PAIR }}
+          endpoint: tcp://localhost:1234
-          path: ${{ runner.temp }}/digests/*
+          platforms: linux/amd64
-          if-no-files-found: error
+          append: |
-          retention-days: 1
+            - endpoint: tcp://${{ vars.DOCKER_BUILDER_HETZNER_ARM64_01_HOST }}:13865
-
+              platforms: linux/arm64
-  # Then merge the docker images into a single one
+              name: mastodon-docker-builder-arm64-01
-  merge-images:
+              driver-opts:
-    if: ${{ inputs.push_to_images != '' }}
+                - servername=mastodon-docker-builder-arm64-01
-    runs-on: ubuntu-24.04
+        env:
-    needs:
+          BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CACERT }}
-      - build-image
+          BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CERT }}
-
+          BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_KEY }}
    env:
      PUSH_TO_IMAGES: ${{ inputs.push_to_images }}
    steps:
      - uses: actions/checkout@v4
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          # `hashFiles` is used to disambiguate between streaming and non-streaming images
          pattern: digests-${{ hashFiles(inputs.file_to_build) }}-*
          merge-multiple: true
      - name: Log in to Docker Hub
        if: contains(inputs.push_to_images, 'tootsuite')
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Log in to the GitHub Container registry
+      - name: Log in to the Github Container registry
        if: contains(inputs.push_to_images, 'ghcr.io')
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
+      - uses: docker/metadata-action@v4
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        if: ${{ inputs.push_to_images != '' }}
        with:
          images: ${{ inputs.push_to_images }}
@ -157,14 +79,14 @@ jobs:
          tags: ${{ inputs.tags }}
          labels: ${{ inputs.labels }}
-      - name: Create manifest list and push
+      - uses: docker/build-push-action@v4
-        working-directory: ${{ runner.temp }}/digests
+        with:
-        run: |
+          context: .
-          echo "$PUSH_TO_IMAGES" | xargs -I{} \
+          platforms: ${{ inputs.platforms }}
-            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          provenance: false
-              $(printf '{}@sha256:%s ' *)
+          builder: ${{ steps.buildx.outputs.name || steps.buildx-native.outputs.name }}
-
+          push: ${{ inputs.push_to_images != '' }}
-      - name: Inspect image
+          tags: ${{ steps.meta.outputs.tags }}
-        run: |
+          labels: ${{ steps.meta.outputs.labels }}
-          echo "$PUSH_TO_IMAGES" | xargs -i{} \
+          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
-            docker buildx imagetools inspect {}:${{ steps.meta.outputs.version }}
+          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}
--- a/.github/workflows/build-nightly.yml
+++ b/.github/workflows/build-nightly.yml
@ -1,62 +0,0 @@
 name: Build nightly container image
 on:
  workflow_dispatch:
  schedule:
    - cron: '0 2 * * *' # run at 2 AM UTC
 permissions:
  contents: read
  packages: write
 jobs:
  compute-suffix:
    runs-on: ubuntu-latest
    if: github.repository == 'mastodon/mastodon'
    steps:
      - id: version_vars
        env:
          TZ: Etc/UTC
        run: |
          echo mastodon_version_prerelease=nightly.$(date +'%Y-%m-%d')>> $GITHUB_OUTPUT
    outputs:
      prerelease: ${{ steps.version_vars.outputs.mastodon_version_prerelease }}
  build-image:
    needs: compute-suffix
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      cache: false
      push_to_images: |
        tootsuite/mastodon
        ghcr.io/mastodon/mastodon
      version_prerelease: ${{ needs.compute-suffix.outputs.prerelease }}
      labels: |
        org.opencontainers.image.description=Nightly build image used for testing purposes
      flavor: |
        latest=auto
      tags: |
        type=raw,value=edge
        type=raw,value=nightly
        type=schedule,pattern=${{ needs.compute-suffix.outputs.prerelease }}
    secrets: inherit
  build-image-streaming:
    needs: compute-suffix
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      cache: false
      push_to_images: |
        tootsuite/mastodon-streaming
        ghcr.io/mastodon/mastodon-streaming
      version_prerelease: ${{ needs.compute-suffix.outputs.prerelease }}
      labels: |
        org.opencontainers.image.description=Nightly build image used for testing purposes
      flavor: |
        latest=auto
      tags: |
        type=raw,value=edge
        type=raw,value=nightly
        type=schedule,pattern=${{ needs.compute-suffix.outputs.prerelease }}
    secrets: inherit
--- a/.github/workflows/build-push-pr.yml
+++ b/.github/workflows/build-push-pr.yml
@ -1,58 +0,0 @@
 name: Build container image for PR
 on:
  pull_request:
    types: [labeled, synchronize, reopened, ready_for_review, opened]
 permissions:
  contents: read
  packages: write
 jobs:
  compute-suffix:
    runs-on: ubuntu-latest
    # This is only allowed to run if:
    # - the PR branch is in the `mastodon/mastodon` repository
    # - the PR is not a draft
    # - the PR has the "build-image" label
    if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !github.event.pull_request.draft && contains(github.event.pull_request.labels.*.name, 'build-image') }}
    steps:
      # Repository needs to be cloned so `git rev-parse` below works
      - name: Clone repository
        uses: actions/checkout@v4
      - id: version_vars
        run: |
          echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
          echo mastodon_short_sha=$(git rev-parse --short ${{github.event.pull_request.head.sha}}) >> $GITHUB_OUTPUT
    outputs:
      metadata: ${{ steps.version_vars.outputs.mastodon_version_metadata }}
      short_sha: ${{ steps.version_vars.outputs.mastodon_short_sha }}
  build-image:
    needs: compute-suffix
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      push_to_images: |
        ghcr.io/mastodon/mastodon
      version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
      flavor: |
        latest=auto
      tags: |
        type=ref,event=pr
        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
    secrets: inherit
  build-image-streaming:
    needs: compute-suffix
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      push_to_images: |
        ghcr.io/mastodon/mastodon-streaming
      version_metadata: ${{ needs.compute-suffix.outputs.metadata }}
      flavor: |
        latest=auto
      tags: |
        type=ref,event=pr
        type=ref,event=pr,suffix=-${{ needs.compute-suffix.outputs.short_sha }}
    secrets: inherit
--- a/.github/workflows/build-releases.yml
+++ b/.github/workflows/build-releases.yml
@ -12,34 +12,15 @@ jobs:
  build-image:
    uses: ./.github/workflows/build-container-image.yml
    with:
-      file_to_build: Dockerfile
+      platforms: linux/amd64,linux/arm64
      use_native_arm64_builder: true
      push_to_images: |
        tootsuite/mastodon
        ghcr.io/mastodon/mastodon
      # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
      cache: false
      # Only tag with latest when ran against the latest stable branch
      # This needs to be updated after each minor version release
      flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
+        latest=false
      tags: |
        type=pep440,pattern={{raw}}
        type=pep440,pattern=v{{major}}.{{minor}}
    secrets: inherit
  build-image-streaming:
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      push_to_images: |
        tootsuite/mastodon-streaming
        ghcr.io/mastodon/mastodon-streaming
      # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
      cache: false
      # Only tag with latest when ran against the latest stable branch
      # This needs to be updated after each minor version release
      flavor: |
        latest=${{ startsWith(github.ref, 'refs/tags/v4.3.') }}
      tags: |
        type=pep440,pattern={{raw}}
        type=pep440,pattern=v{{major}}.{{minor}}
--- a/.github/workflows/build-security.yml
+++ b/.github/workflows/build-security.yml
@ -1,60 +0,0 @@
 name: Build security nightly container image
 on:
  workflow_dispatch:
 permissions:
  contents: read
  packages: write
 jobs:
  compute-suffix:
    runs-on: ubuntu-latest
    if: github.repository == 'mastodon/mastodon'
    steps:
      - id: version_vars
        env:
          TZ: Etc/UTC
        run: |
          echo mastodon_version_prerelease=nightly.$(date --date='next day' +'%Y-%m-%d')-security>> $GITHUB_OUTPUT
    outputs:
      prerelease: ${{ steps.version_vars.outputs.mastodon_version_prerelease }}
  build-image:
    needs: compute-suffix
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: Dockerfile
      cache: false
      push_to_images: |
        tootsuite/mastodon
        ghcr.io/mastodon/mastodon
      version_prerelease: ${{ needs.compute-suffix.outputs.prerelease }}
      labels: |
        org.opencontainers.image.description=Nightly build image used for testing purposes
      flavor: |
        latest=auto
      tags: |
        type=raw,value=edge
        type=raw,value=nightly
        type=raw,value=${{ needs.compute-suffix.outputs.prerelease }}
    secrets: inherit
  build-image-streaming:
    needs: compute-suffix
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      cache: false
      push_to_images: |
        tootsuite/mastodon-streaming
        ghcr.io/mastodon/mastodon-streaming
      version_prerelease: ${{ needs.compute-suffix.outputs.prerelease }}
      labels: |
        org.opencontainers.image.description=Nightly build image used for testing purposes
      flavor: |
        latest=auto
      tags: |
        type=raw,value=edge
        type=raw,value=nightly
        type=raw,value=${{ needs.compute-suffix.outputs.prerelease }}
    secrets: inherit
--- a/.github/workflows/bundler-audit.yml
+++ b/.github/workflows/bundler-audit.yml
@ -1,39 +0,0 @@
 name: Bundler Audit
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - 'Gemfile*'
      - '.ruby-version'
      - '.github/workflows/bundler-audit.yml'
  pull_request:
    paths:
      - 'Gemfile*'
      - '.ruby-version'
      - '.github/workflows/bundler-audit.yml'
  schedule:
    - cron: '0 5 * * 1'
 jobs:
  security:
    runs-on: ubuntu-latest
    env:
      BUNDLE_ONLY: development
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - name: Run bundler-audit
        run: bin/bundler-audit check --update
--- a/.github/workflows/check-i18n.yml
+++ b/.github/workflows/check-i18n.yml
@ -2,51 +2,33 @@ name: Check i18n
 on:
  push:
-    branches:
+    branches: [main]
      - 'main'
      - 'stable-*'
  pull_request:
-    branches:
+    branches: [main]
      - 'main'
      - 'stable-*'
 env:
  RAILS_ENV: test
 permissions:
  contents: read
 jobs:
  check-i18n:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v2
-
+      - name: Install system dependencies
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: Check for missing strings in English JSON
        run: |
-          yarn i18n:extract --throws
+          sudo apt-get update
-          git diff --exit-code
+          sudo apt-get install -y libicu-dev libidn11-dev
-
+      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.0'
          bundler-cache: true
      - name: Check locale file normalization
-        run: bin/i18n-tasks check-normalized
+        run: bundle exec i18n-tasks check-normalized
      - name: Check for unused strings
-        run: bin/i18n-tasks unused
+        run: bundle exec i18n-tasks unused -l en
      - name: Check for missing strings in English YML
        run: |
          bin/i18n-tasks add-missing -l en
          git diff --exit-code
      - name: Check for wrong string interpolations
-        run: bin/i18n-tasks check-consistent-interpolations
+        run: bundle exec i18n-tasks check-consistent-interpolations
      - name: Check that all required locale files exist
-        run: bin/rake repo:check_locales_files
+        run: bundle exec rake repo:check_locales_files
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@ -1,41 +0,0 @@
 name: 'Chromatic'
 on:
  push:
    branches-ignore:
      - renovate/*
      - stable-*
    paths:
      - 'package.json'
      - 'yarn.lock'
      - '**/*.js'
      - '**/*.jsx'
      - '**/*.ts'
      - '**/*.tsx'
      - '**/*.css'
      - '**/*.scss'
      - '.github/workflows/chromatic.yml'
 jobs:
  chromatic:
    name: Run Chromatic
    runs-on: ubuntu-latest
    if: github.repository == 'mastodon/mastodon'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: Build Storybook
        run: yarn build-storybook
      - name: Run Chromatic
        uses: chromaui/action@v12
        with:
          # ⚠️ Make sure to configure a `CHROMATIC_PROJECT_TOKEN` repository secret
          projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
          zip: true
          storybookBuildDir: 'storybook-static'
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -1,66 +0,0 @@
 name: 'CodeQL'
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
  pull_request:
    branches:
      - 'main'
      - 'stable-*'
  schedule:
    - cron: '22 6 * * 1'
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript', 'ruby']
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      #   If the Autobuild fails above, remove it and uncomment the following three lines.
      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
      # - run: |
      #   echo "Run, Build Application using script"
      #   ./location_of_script_within_repo/buildscript.sh
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{matrix.language}}'
--- a/.github/workflows/crowdin-download-stable.yml
+++ b/.github/workflows/crowdin-download-stable.yml
@ -1,69 +0,0 @@
 name: Crowdin / Download translations (stable branches)
 on:
  workflow_dispatch:
 permissions:
  contents: write
  pull-requests: write
 jobs:
  download-translations-stable:
    runs-on: ubuntu-latest
    if: github.repository == 'mastodon/mastodon'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Increase Git http.postBuffer
        # This is needed due to a bug in Ubuntu's cURL version?
        # See https://github.com/orgs/community/discussions/55820
        run: |
          git config --global http.version HTTP/1.1
          git config --global http.postBuffer 157286400
      # Download the translation files from Crowdin
      - name: crowdin action
        uses: crowdin/github-action@v2
        with:
          upload_sources: false
          upload_translations: false
          download_translations: true
          crowdin_branch_name: ${{ github.base_ref || github.ref_name }}
          push_translations: false
          create_pull_request: false
        env:
          CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }}
          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
      # As the files are extracted from a Docker container, they belong to root:root
      # We need to fix this before the next steps
      - name: Fix file permissions
        run: sudo chown -R runner:docker .
      # This is needed to run the normalize step
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
      - name: Run i18n normalize task
        run: bin/i18n-tasks normalize
      # Create or update the pull request
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7.0.6
        with:
          commit-message: 'New Crowdin translations'
          title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'
          author: 'GitHub Actions <noreply@github.com>'
          body: |
            New Crowdin translations, automated with GitHub Actions
            See `.github/workflows/crowdin-download.yml`
            This PR will be updated every day with new translations.
            Due to a limitation in GitHub Actions, checks are not running on this PR without manual action.
            If you want to run the checks, then close and re-open it.
          branch: i18n/crowdin/translations-${{ github.base_ref || github.ref_name }}
          base: ${{ github.base_ref || github.ref_name }}
          labels: i18n
--- a/.github/workflows/crowdin-download.yml
+++ b/.github/workflows/crowdin-download.yml
@ -1,71 +0,0 @@
 name: Crowdin / Download translations
 on:
  schedule:
    - cron: '17 4 * * *' # Every day
  workflow_dispatch:
 permissions:
  contents: write
  pull-requests: write
 jobs:
  download-translations:
    runs-on: ubuntu-latest
    if: github.repository == 'mastodon/mastodon'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Increase Git http.postBuffer
        # This is needed due to a bug in Ubuntu's cURL version?
        # See https://github.com/orgs/community/discussions/55820
        run: |
          git config --global http.version HTTP/1.1
          git config --global http.postBuffer 157286400
      # Download the translation files from Crowdin
      - name: crowdin action
        uses: crowdin/github-action@v2
        with:
          upload_sources: false
          upload_translations: false
          download_translations: true
          crowdin_branch_name: main
          push_translations: false
          create_pull_request: false
        env:
          CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }}
          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
      # As the files are extracted from a Docker container, they belong to root:root
      # We need to fix this before the next steps
      - name: Fix file permissions
        run: sudo chown -R runner:docker .
      # This is needed to run the normalize step
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
      - name: Run i18n normalize task
        run: bin/i18n-tasks normalize
      # Create or update the pull request
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7
        with:
          commit-message: 'New Crowdin translations'
          title: 'New Crowdin Translations (automated)'
          author: 'GitHub Actions <noreply@github.com>'
          body: |
            New Crowdin translations, automated with GitHub Actions
            See `.github/workflows/crowdin-download.yml`
            This PR will be updated every day with new translations.
            Due to a limitation in GitHub Actions, checks are not running on this PR without manual action.
            If you want to run the checks, then close and re-open it.
          branch: i18n/crowdin/translations
          base: main
          labels: i18n
--- a/.github/workflows/crowdin-upload.yml
+++ b/.github/workflows/crowdin-upload.yml
@ -1,38 +0,0 @@
 name: Crowdin / Upload translations
 on:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - crowdin.yml
      - app/javascript/mastodon/locales/en.json
      - config/locales/en.yml
      - config/locales/simple_form.en.yml
      - config/locales/activerecord.en.yml
      - config/locales/devise.en.yml
      - config/locales/doorkeeper.en.yml
      - .github/workflows/crowdin-upload.yml
  workflow_dispatch:
 jobs:
  upload-translations:
    runs-on: ubuntu-latest
    if: github.repository == 'mastodon/mastodon'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: crowdin action
        uses: crowdin/github-action@v2
        with:
          upload_sources: true
          upload_translations: false
          download_translations: false
          crowdin_branch_name: ${{ github.base_ref || github.ref_name }}
        env:
          CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }}
          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
--- a/.github/workflows/format-check.yml
+++ b/.github/workflows/format-check.yml
@ -1,22 +0,0 @@
 name: Check formatting
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
  pull_request:
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: Check formatting with Prettier
        run: yarn format:check
--- a/.github/workflows/haml-lint-problem-matcher.json
+++ b/.github/workflows/haml-lint-problem-matcher.json
@ -1,17 +0,0 @@
 {
  "problemMatcher": [
    {
      "owner": "haml-lint",
      "severity": "warning",
      "pattern": [
        {
          "regexp": "^(.*):(\\d+)\\s\\[W]\\s(.*):\\s(.*)$",
          "file": 1,
          "line": 2,
          "code": 3,
          "message": 4
        }
      ]
    }
  ]
 }
--- a/.github/workflows/lint-css.yml
+++ b/.github/workflows/lint-css.yml
@ -1,43 +0,0 @@
 name: CSS Linting
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - 'package.json'
      - 'yarn.lock'
      - '.nvmrc'
      - '.prettier*'
      - 'stylelint.config.js'
      - '**/*.css'
      - '**/*.scss'
      - '.github/workflows/lint-css.yml'
      - '.github/stylelint-matcher.json'
  pull_request:
    paths:
      - 'package.json'
      - 'yarn.lock'
      - '.nvmrc'
      - '.prettier*'
      - 'stylelint.config.js'
      - '**/*.css'
      - '**/*.scss'
      - '.github/workflows/lint-css.yml'
      - '.github/stylelint-matcher.json'
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: Stylelint
        run: yarn lint:css --custom-formatter @csstools/stylelint-formatter-github
--- a/.github/workflows/lint-haml.yml
+++ b/.github/workflows/lint-haml.yml
@ -1,46 +0,0 @@
 name: Haml Linting
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - '.github/workflows/haml-lint-problem-matcher.json'
      - '.github/workflows/lint-haml.yml'
      - '.haml-lint*.yml'
      - '.rubocop*.yml'
      - '.ruby-version'
      - '**/*.haml'
      - 'Gemfile*'
  pull_request:
    paths:
      - '.github/workflows/haml-lint-problem-matcher.json'
      - '.github/workflows/lint-haml.yml'
      - '.haml-lint*.yml'
      - '.rubocop*.yml'
      - '.ruby-version'
      - '**/*.haml'
      - 'Gemfile*'
 jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      BUNDLE_ONLY: development
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - name: Run haml-lint
        run: |
          echo "::add-matcher::.github/workflows/haml-lint-problem-matcher.json"
          bin/haml-lint --reporter github
--- a/.github/workflows/lint-js.yml
+++ b/.github/workflows/lint-js.yml
@ -1,50 +0,0 @@
 name: JavaScript Linting
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - 'package.json'
      - 'yarn.lock'
      - 'tsconfig.json'
      - '.nvmrc'
      - '.prettier*'
      - 'eslint.config.mjs'
      - '**/*.js'
      - '**/*.jsx'
      - '**/*.ts'
      - '**/*.tsx'
      - '.github/workflows/lint-js.yml'
  pull_request:
    paths:
      - 'package.json'
      - 'yarn.lock'
      - 'tsconfig.json'
      - '.nvmrc'
      - '.prettier*'
      - 'eslint.config.mjs'
      - '**/*.js'
      - '**/*.jsx'
      - '**/*.ts'
      - '**/*.tsx'
      - '.github/workflows/lint-js.yml'
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: ESLint
        run: yarn workspaces foreach --all --parallel run lint:js --max-warnings 0
      - name: Typecheck
        run: yarn typecheck
--- a/.github/workflows/lint-ruby.yml
+++ b/.github/workflows/lint-ruby.yml
@ -1,53 +0,0 @@
 name: Ruby Linting
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - 'Gemfile*'
      - '.rubocop*.yml'
      - '.ruby-version'
      - 'bin/rubocop'
      - 'config/brakeman.ignore'
      - '**/*.rb'
      - '**/*.rake'
      - '.github/workflows/lint-ruby.yml'
  pull_request:
    paths:
      - 'Gemfile*'
      - '.rubocop*.yml'
      - '.ruby-version'
      - 'bin/rubocop'
      - 'config/brakeman.ignore'
      - '**/*.rb'
      - '**/*.rake'
      - '.github/workflows/lint-ruby.yml'
 jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      BUNDLE_ONLY: development
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - name: Set-up RuboCop Problem Matcher
        uses: r7kamura/rubocop-problem-matchers-action@v1
      - name: Run rubocop
        run: bin/rubocop
      - name: Run brakeman
        if: always() # Run both checks, even if the first failed
        run: bin/brakeman
--- a/.github/workflows/rebase-needed.yml
+++ b/.github/workflows/rebase-needed.yml
@ -1,28 +0,0 @@
 name: PR Needs Rebase
 on:
  schedule:
    - cron: '0 * * * *'
 permissions:
  pull-requests: write
 jobs:
  label-rebase-needed:
    runs-on: ubuntu-latest
    if: github.repository == 'mastodon/mastodon'
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true
    steps:
      - name: Check for merge conflicts
        uses: eps1lon/actions-label-merge-conflict@v3
        with:
          dirtyLabel: 'rebase needed :construction:'
          repoToken: '${{ secrets.GITHUB_TOKEN }}'
          commentOnClean: This pull request has resolved merge conflicts and is ready for review.
          commentOnDirty: This pull request has merge conflicts that must be resolved before it can be merged.
          retryMax: 30
          continueOnMissingPermissions: false
--- a/.github/workflows/test-image-build.yml
+++ b/.github/workflows/test-image-build.yml
@ -1,14 +1,6 @@
 name: Test container image build
 on:
  pull_request:
    paths:
      - .github/workflows/build-nightly.yml
      - .github/workflows/build-push-pr.yml
      - .github/workflows/build-releases.yml
      - .github/workflows/test-image-build.yml
      - Dockerfile
      - streaming/Dockerfile
      - .dockerignore
 permissions:
  contents: read
@ -20,15 +12,4 @@ jobs:
    uses: ./.github/workflows/build-container-image.yml
    with:
-      file_to_build: Dockerfile
+      platforms: linux/amd64 # Testing only on native platform so it is performant
      cache: true
  build-image-streaming:
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-streaming
      cancel-in-progress: true
    uses: ./.github/workflows/build-container-image.yml
    with:
      file_to_build: streaming/Dockerfile
      cache: true
--- a/.github/workflows/test-js.yml
+++ b/.github/workflows/test-js.yml
@ -1,43 +0,0 @@
 name: JavaScript Testing
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - 'package.json'
      - 'yarn.lock'
      - '.nvmrc'
      - '**/*.js'
      - '**/*.jsx'
      - '**/*.ts'
      - '**/*.tsx'
      - '**/*.snap'
      - '.github/workflows/test-js.yml'
  pull_request:
    paths:
      - 'package.json'
      - 'yarn.lock'
      - '.nvmrc'
      - '**/*.js'
      - '**/*.jsx'
      - '**/*.ts'
      - '**/*.tsx'
      - '**/*.snap'
      - '.github/workflows/test-js.yml'
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: JavaScript testing
        run: yarn test:js
--- a/.github/workflows/test-migrations.yml
+++ b/.github/workflows/test-migrations.yml
@ -1,112 +0,0 @@
 name: Historical data migration test
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
    paths:
      - 'Gemfile*'
      - '.ruby-version'
      - '**/*.rb'
      - '.github/workflows/test-migrations.yml'
      - 'lib/tasks/tests.rake'
      - 'lib/tasks/db.rake'
  pull_request:
    paths:
      - 'Gemfile*'
      - '.ruby-version'
      - '**/*.rb'
      - '.github/workflows/test-migrations.yml'
      - 'lib/tasks/tests.rake'
 jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        postgres:
          - 14-alpine
          - 15-alpine
          - 16-alpine
          - 17-alpine
    services:
      postgres:
        image: postgres:${{ matrix.postgres}}
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 5432:5432
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 6379:6379
    env:
      DB_HOST: localhost
      DB_USER: postgres
      DB_PASS: postgres
      RAILS_ENV: test
      BUNDLE_CLEAN: true
      BUNDLE_FROZEN: true
      BUNDLE_WITHOUT: 'development:production'
      BUNDLE_JOBS: 3
      BUNDLE_RETRY: 3
    steps:
      - uses: actions/checkout@v4
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
      - name: Ensure no errors with `db:prepare`
        run: |
          bin/rails db:drop
          bin/rails db:prepare
          bin/rails db:migrate
      - name: Ensure no errors with `db:prepare` and SKIP_POST_DEPLOYMENT_MIGRATIONS
        run: |
          bin/rails db:drop
          SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails db:prepare
          bin/rails db:migrate
      - name: Test "one step migration" flow
        run: |
          bin/rails db:drop
          bin/rails db:create
          bin/rails tests:migrations:prepare_database
          bin/rails db:migrate
          bin/rails tests:migrations:check_database
      - name: Test "two step migration" flow
        run: |
          bin/rails db:drop
          bin/rails db:create
          SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails tests:migrations:prepare_database
          # Migrate up to v4.2.0 breakpoint
          bin/rails db:migrate VERSION=20230907150100
          # Migrate the rest
          SKIP_POST_DEPLOYMENT_MIGRATIONS=true bin/rails db:migrate
          bin/rails db:migrate
          bin/rails tests:migrations:check_database
--- a/.github/workflows/test-ruby.yml
+++ b/.github/workflows/test-ruby.yml
@ -1,483 +0,0 @@
 name: Ruby Testing
 on:
  merge_group:
  push:
    branches:
      - 'main'
      - 'stable-*'
  pull_request:
 env:
  BUNDLE_CLEAN: true
  BUNDLE_FROZEN: true
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        mode:
          - production
          - test
    env:
      RAILS_ENV: ${{ matrix.mode }}
      BUNDLE_WITH: ${{ matrix.mode }}
      SECRET_KEY_BASE_DUMMY: 1
    steps:
      - uses: actions/checkout@v4
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
        with:
          onlyProduction: 'true'
      - name: Cache assets from compilation
        uses: actions/cache@v4
        with:
          path: |
            public/assets
            public/packs
            public/packs-test
            tmp/cache/vite
          key: ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
          restore-keys: |
            ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
            ${{ matrix.mode }}-assets-${{ github.head_ref || github.ref_name }}
            ${{ matrix.mode }}-assets-main
            ${{ matrix.mode }}-assets
      - name: Precompile assets
        run: |-
          bin/rails assets:precompile
      - name: Archive asset artifacts
        run: |
          tar --exclude={"*.br","*.gz"} -zcf artifacts.tar.gz public/assets public/packs* tmp/cache/vite/last-build*.json
      - uses: actions/upload-artifact@v4
        if: matrix.mode == 'test'
        with:
          path: |-
            ./artifacts.tar.gz
          name: ${{ github.sha }}
          retention-days: 0
  test:
    runs-on: ubuntu-latest
    needs:
      - build
    services:
      postgres:
        image: postgres:14-alpine
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 5432:5432
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 6379:6379
    env:
      DB_HOST: localhost
      DB_USER: postgres
      DB_PASS: postgres
      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
      RAILS_ENV: test
      ALLOW_NOPAM: true
      PAM_ENABLED: true
      PAM_DEFAULT_SERVICE: pam_test
      PAM_CONTROLLED_SERVICE: pam_test_controlled
      OIDC_ENABLED: true
      OIDC_SCOPE: read
      SAML_ENABLED: true
      CAS_ENABLED: true
      BUNDLE_WITH: 'pam_authentication test'
      GITHUB_RSPEC: ${{ matrix.ruby-version == '.ruby-version' && github.event.pull_request && 'true' }}
    strategy:
      fail-fast: false
      matrix:
        ruby-version:
          - '3.2'
          - '3.3'
          - '.ruby-version'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: './'
          name: ${{ github.sha }}
      - name: Expand archived asset artifacts
        run: |
          tar xvzf artifacts.tar.gz
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
          additional-system-dependencies: ffmpeg libpam-dev
      - name: Load database schema
        run: |
          bin/rails db:setup
          bin/flatware fan bin/rails db:test:prepare
      - name: Cache RSpec persistence file
        uses: actions/cache@v4
        with:
          path: |
            tmp/rspec/examples.txt
          key: rspec-persistence-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
          restore-keys: |
            rspec-persistence-${{ github.head_ref || github.ref_name }}-${{ github.sha }}-${{ matrix.ruby-version }}
            rspec-persistence-${{ github.head_ref || github.ref_name }}-${{ github.sha }}
            rspec-persistence-${{ github.head_ref || github.ref_name }}
            rspec-persistence-main
            rspec-persistence
      - run: bin/flatware rspec -r ./spec/flatware_helper.rb
      - name: Upload coverage reports to Codecov
        if: matrix.ruby-version == '.ruby-version'
        uses: codecov/codecov-action@v5
        with:
          files: coverage/lcov/*.lcov
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  test-imagemagick:
    name: ImageMagick tests
    runs-on: ubuntu-latest
    needs:
      - build
    services:
      postgres:
        image: postgres:14-alpine
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 5432:5432
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 6379:6379
    env:
      DB_HOST: localhost
      DB_USER: postgres
      DB_PASS: postgres
      COVERAGE: ${{ matrix.ruby-version == '.ruby-version' }}
      RAILS_ENV: test
      ALLOW_NOPAM: true
      PAM_ENABLED: true
      PAM_DEFAULT_SERVICE: pam_test
      PAM_CONTROLLED_SERVICE: pam_test_controlled
      OIDC_ENABLED: true
      OIDC_SCOPE: read
      SAML_ENABLED: true
      CAS_ENABLED: true
      BUNDLE_WITH: 'pam_authentication test'
      GITHUB_RSPEC: ${{ matrix.ruby-version == '.ruby-version' && github.event.pull_request && 'true' }}
      MASTODON_USE_LIBVIPS: false
    strategy:
      fail-fast: false
      matrix:
        ruby-version:
          - '3.2'
          - '3.3'
          - '.ruby-version'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: './'
          name: ${{ github.sha }}
      - name: Expand archived asset artifacts
        run: |
          tar xvzf artifacts.tar.gz
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
          additional-system-dependencies: ffmpeg imagemagick libpam-dev
      - name: Load database schema
        run: './bin/rails db:create db:schema:load db:seed'
      - run: bin/rspec --tag attachment_processing
      - name: Upload coverage reports to Codecov
        if: matrix.ruby-version == '.ruby-version'
        uses: codecov/codecov-action@v5
        with:
          files: coverage/lcov/mastodon.lcov
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  test-e2e:
    name: End to End testing
    runs-on: ubuntu-latest
    needs:
      - build
    services:
      postgres:
        image: postgres:14-alpine
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 5432:5432
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 6379:6379
    env:
      DB_HOST: localhost
      DB_USER: postgres
      DB_PASS: postgres
      RAILS_ENV: test
      BUNDLE_WITH: test
      LOCAL_DOMAIN: localhost:3000
      LOCAL_HTTPS: false
    strategy:
      fail-fast: false
      matrix:
        ruby-version:
          - '3.2'
          - '3.3'
          - '.ruby-version'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: './'
          name: ${{ github.sha }}
      - name: Expand archived asset artifacts
        run: |
          tar xvzf artifacts.tar.gz
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
          additional-system-dependencies: ffmpeg
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: Load database schema
        run: './bin/rails db:create db:schema:load db:seed'
      - name: Cache Playwright Chromium browser
        id: playwright-cache
        uses: actions/cache@v4
        with:
          path: ~/.cache/ms-playwright
          key: playwright-browsers-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
      - name: Install Playwright Chromium browser (with deps)
        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: yarn run playwright install --with-deps chromium
      - name: Install Playwright Chromium browser deps
        if: steps.playwright-cache.outputs.cache-hit == 'true'
        run: yarn run playwright install-deps chromium
      - run: bin/rspec spec/system --tag streaming --tag js
      - name: Archive logs
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: e2e-logs-${{ matrix.ruby-version }}
          path: log/
      - name: Archive test screenshots
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: e2e-screenshots-${{ matrix.ruby-version }}
          path: tmp/capybara/
  test-search:
    name: Elastic Search integration testing
    runs-on: ubuntu-latest
    needs:
      - build
    services:
      postgres:
        image: postgres:14-alpine
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 5432:5432
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10ms
          --health-timeout 3s
          --health-retries 50
        ports:
          - 6379:6379
      elasticsearch:
        image: ${{ contains(matrix.search-image, 'elasticsearch') && matrix.search-image || '' }}
        env:
          discovery.type: single-node
          xpack.security.enabled: false
        options: >-
          --health-cmd "curl http://localhost:9200/_cluster/health"
          --health-interval 2s
          --health-timeout 3s
          --health-retries 50
        ports:
          - 9200:9200
      opensearch:
        image: ${{ contains(matrix.search-image, 'opensearch') && matrix.search-image || '' }}
        env:
          discovery.type: single-node
          DISABLE_INSTALL_DEMO_CONFIG: true
          DISABLE_SECURITY_PLUGIN: true
        options: >-
          --health-cmd "curl http://localhost:9200/_cluster/health"
          --health-interval 2s
          --health-timeout 3s
          --health-retries 50
        ports:
          - 9200:9200
    env:
      DB_HOST: localhost
      DB_USER: postgres
      DB_PASS: postgres
      RAILS_ENV: test
      BUNDLE_WITH: test
      ES_ENABLED: true
      ES_HOST: localhost
      ES_PORT: 9200
    strategy:
      fail-fast: false
      matrix:
        ruby-version:
          - '3.2'
          - '3.3'
          - '.ruby-version'
        search-image:
          - docker.elastic.co/elasticsearch/elasticsearch:7.17.13
        include:
          - ruby-version: '.ruby-version'
            search-image: docker.elastic.co/elasticsearch/elasticsearch:8.10.2
          - ruby-version: '.ruby-version'
            search-image: opensearchproject/opensearch:2
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: './'
          name: ${{ github.sha }}
      - name: Set up Ruby environment
        uses: ./.github/actions/setup-ruby
        with:
          ruby-version: ${{ matrix.ruby-version}}
          additional-system-dependencies: ffmpeg
      - name: Set up Javascript environment
        uses: ./.github/actions/setup-javascript
      - name: Load database schema
        run: './bin/rails db:create db:schema:load db:seed'
      - run: bin/rspec --tag search
      - name: Archive logs
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: test-search-logs-${{ matrix.ruby-version }}
          path: log/
      - name: Archive test screenshots
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: test-search-screenshots
          path: tmp/capybara/
--- a/.gitignore
+++ b/.gitignore
@ -21,16 +21,19 @@
 /public/system
 /public/assets
 /public/packs
 /public/packs-dev
 /public/packs-test
 .env
 .env.production
-node_modules/
+.env.development
 /node_modules/
 /build/
 # Ignore Vagrant files
 .vagrant/
 # Ignore Capistrano customizations
 /config/deploy/*
 # Ignore IDE files
 .vscode/
 .idea/
@ -41,6 +44,9 @@ node_modules/
 /redis
 /elasticsearch
 # ignore Helm dependency charts
 /chart/charts/*.tgz
 # Ignore Apple files
 .DS_Store
@ -55,26 +61,8 @@ npm-debug.log
 yarn-error.log
 yarn-debug.log
 # From https://yarnpkg.com/getting-started/qa#which-files-should-be-gitignored
 .pnp.*
 .yarn/*
 !.yarn/patches
 !.yarn/plugins
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
 # Ignore vagrant log files
 *-cloudimg-console.log
 # Ignore Docker option files
 docker-compose.override.yml
 # Ignore dotenv .local files
 .env*.local
 # Ignore local-only rspec configuration
 .rspec-local
 *storybook.log
 storybook-static
--- a/.haml-lint.yml
+++ b/.haml-lint.yml
@ -1,15 +1,108 @@
 # Whether to ignore frontmatter at the beginning of HAML documents for
 # frameworks such as Jekyll/Middleman
 skip_frontmatter: false
 exclude:
  - 'vendor/**/*'
-
+  - 'spec/**/*'
-require:
+  - 'lib/templates/**/*'
-  - ./lib/linter/haml_middle_dot.rb
+  - 'app/views/kaminari/**/*'
 linters:
  AltText:
    enabled: false
  ClassAttributeWithStaticValue:
    enabled: true
-  MiddleDot:
+
  ClassesBeforeIds:
    enabled: true
  ConsecutiveComments:
    enabled: true
  ConsecutiveSilentScripts:
    enabled: true
    max_consecutive: 2
  EmptyObjectReference:
    enabled: true
  EmptyScript:
    enabled: true
  FinalNewline:
    enabled: true
    present: true
  HtmlAttributes:
    enabled: true
  ImplicitDiv:
    enabled: true
  LeadingCommentSpace:
    enabled: true
  LineLength:
-    max: 300
+    enabled: false
-  ViewLength:
+    max: 80
-    max: 200 # Override default value of 100 inherited from rubocop
+
  MultilinePipe:
    enabled: true
  MultilineScript:
    enabled: true
  ObjectReferenceAttributes:
    enabled: true
  RuboCop:
    enabled: true
    # These cops are incredibly noisy when it comes to HAML templates, so we
    # ignore them.
    ignored_cops:
      - Lint/BlockAlignment
      - Lint/EndAlignment
      - Lint/Void
      - Metrics/BlockLength
      - Metrics/LineLength
      - Style/AlignParameters
      - Style/BlockNesting
      - Style/ElseAlignment
      - Style/EndOfLine
      - Style/FileName
      - Style/FinalNewline
      - Style/FrozenStringLiteralComment
      - Style/IfUnlessModifier
      - Style/IndentationWidth
      - Style/Next
      - Style/TrailingBlankLines
      - Style/TrailingWhitespace
      - Style/WhileUntilModifier
  RubyComments:
    enabled: true
  SpaceBeforeScript:
    enabled: true
  SpaceInsideHashAttributes:
    enabled: true
    style: space
  Indentation:
    enabled: true
    character: space # or tab
  TagName:
    enabled: true
  TrailingWhitespace:
    enabled: true
  UnnecessaryInterpolation:
    enabled: true
  UnnecessaryStringOutput:
    enabled: true
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -1 +0,0 @@
 yarn lint-staged
--- a/.nanoignore
+++ b/.nanoignore
@ -0,0 +1,19 @@
 .DS_Store
 .git/
 .gitignore
 .bundle/
 .cache/
 config/deploy/*
 coverage
 docs/
 .env
 log/*.log
 neo4j/
 node_modules/
 public/assets/
 public/system/
 spec/
 tmp/
 .vagrant/
 vendor/bundle/
--- a/.nvmrc
+++ b/.nvmrc
@ -1 +1 @@
-22.17
+14
--- a/.prettierignore
+++ b/.prettierignore
@ -18,6 +18,10 @@
 !/log/.keep
 /tmp
 /coverage
 /public/system
 /public/assets
 /public/packs
 /public/packs-test
 .env
 .env.production
 .env.development
@ -27,6 +31,9 @@
 # Ignore Vagrant files
 .vagrant/
 # Ignore Capistrano customizations
 /config/deploy/*
 # Ignore IDE files
 .vscode/
 .idea/
@ -37,6 +44,9 @@
 /redis
 /elasticsearch
 # ignore Helm dependency charts
 /chart/charts/*.tgz
 # Ignore Apple files
 .DS_Store
@ -44,43 +54,25 @@
 *~
 *.swp
-# Ignore log files
+# Ignore npm debug log
-*.log
+npm-debug.log
 # Ignore yarn log files
 yarn-error.log
 yarn-debug.log
 # Ignore vagrant log files
 *-cloudimg-console.log
 # Ignore Docker option files
 docker-compose.override.yml
-# Ignore public
+# Ignore Helm files
-/public/assets
+/chart
 /public/emoji
 /public/packs
 /public/packs-test
 /public/system
 /public/vite*
 # Ignore emoji map file
 /app/javascript/mastodon/features/emoji/emoji_map.json
 /app/javascript/mastodon/features/emoji/emoji_data.json
 # Ignore locale files
-/app/javascript/mastodon/locales/*.json
+/app/javascript/mastodon/locales
 /config/locales
 # Ignore vendored CSS reset
 app/javascript/styles/mastodon/reset.scss
 # Ignore Javascript pending https://github.com/mastodon/mastodon/pull/23631
 *.js
 *.jsx
 # Ignore HTML till cleaned and included in CI
 *.html
 # Ignore the generated AUTHORS.md
 AUTHORS.md
 # Process a few selected JS files
 !lint-staged.config.js
 # Ignore config YAML files that include ERB/ruby code prettier does not understand
 /config/email.yml
--- a/.prettierrc.js
+++ b/.prettierrc.js
@ -1,4 +1,3 @@
 module.exports = {
-  singleQuote: true,
+  singleQuote: true
-  jsxSingleQuote: true
+}
 };
--- a/.profile
+++ b/.profile
@ -0,0 +1 @@
 LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/.apt/lib/x86_64-linux-gnu:/app/.apt/usr/lib/x86_64-linux-gnu/mesa:/app/.apt/usr/lib/x86_64-linux-gnu/pulseaudio
--- a/.rspec
+++ b/.rspec
@ -1,2 +1,3 @@
 --color
 --require spec_helper
 --format Fuubar
--- a/.rubocop.yml
+++ b/.rubocop.yml
@ -1,36 +1,306 @@
---
+require:
 AllCops:
  CacheRootDirectory: tmp
  DisplayStyleGuide: true
  Exclude:
    - Vagrantfile
    - config/initializers/json_ld*
    - lib/mastodon/migration_helpers.rb
  ExtraDetails: true
  NewCops: enable
  TargetRubyVersion: 3.2 # Oldest supported ruby version
 inherit_from:
  - .rubocop/layout.yml
  - .rubocop/metrics.yml
  - .rubocop/naming.yml
  - .rubocop/rails.yml
  - .rubocop/rspec_rails.yml
  - .rubocop/rspec.yml
  - .rubocop/style.yml
  - .rubocop/i18n.yml
  - .rubocop/custom.yml
  - .rubocop_todo.yml
  - .rubocop/strict.yml
 inherit_mode:
  merge:
    - Exclude
 plugins:
  - rubocop-capybara
  - rubocop-i18n
  - rubocop-performance
  - rubocop-rails
-  - rubocop-rspec
+
-  - rubocop-rspec_rails
+AllCops:
  TargetRubyVersion: 2.5
  NewCops: disable
  Exclude:
    - 'spec/**/*'
    - 'db/**/*'
    - 'app/views/**/*'
    - 'config/**/*'
    - 'bin/*'
    - 'Rakefile'
    - 'node_modules/**/*'
    - 'Vagrantfile'
    - 'vendor/**/*'
    - 'lib/json_ld/*'
    - 'lib/templates/**/*'
 Bundler/OrderedGems:
  Enabled: false
 Layout/AccessModifierIndentation:
  EnforcedStyle: indent
 Layout/EmptyLineAfterMagicComment:
  Enabled: false
 Layout/EmptyLineAfterGuardClause:
  Enabled: false
 Layout/EmptyLineBetweenDefs:
  AllowAdjacentOneLineDefs: true
 Layout/EmptyLinesAroundAttributeAccessor:
  Enabled: true
 Layout/FirstHashElementIndentation:
  EnforcedStyle: consistent
 Layout/HashAlignment:
  Enabled: false
 Layout/SpaceAroundMethodCallOperator:
  Enabled: true
 Layout/SpaceInsideHashLiteralBraces:
  EnforcedStyle: space
 Lint/DeprecatedOpenSSLConstant:
  Enabled: true
 Lint/DuplicateElsifCondition:
  Enabled: true
 Lint/MixedRegexpCaptureTypes:
  Enabled: true
 Lint/RaiseException:
  Enabled: true
 Lint/StructNewOverride:
  Enabled: true
 Lint/UselessAccessModifier:
  ContextCreatingMethods:
    - class_methods
 Metrics/AbcSize:
  Max: 100
  Exclude:
    - 'lib/mastodon/*_cli.rb'
 Metrics/BlockLength:
  Max: 55
  Exclude:
    - 'lib/tasks/**/*'
    - 'lib/mastodon/*_cli.rb'
 Metrics/BlockNesting:
  Max: 3
  Exclude:
    - 'lib/mastodon/*_cli.rb'
 Metrics/ClassLength:
  CountComments: false
  Max: 400
  Exclude:
    - 'lib/mastodon/*_cli.rb'
 Metrics/CyclomaticComplexity:
  Max: 25
  Exclude:
    - 'lib/mastodon/*_cli.rb'
 Layout/LineLength:
  AllowURI: true
  Enabled: false
 Metrics/MethodLength:
  CountComments: false
  Max: 65
  Exclude:
    - 'lib/mastodon/*_cli.rb'
 Metrics/ModuleLength:
  CountComments: false
  Max: 200
 Metrics/ParameterLists:
  Max: 5
  CountKeywordArgs: true
 Metrics/PerceivedComplexity:
  Max: 25
 Naming/MemoizedInstanceVariableName:
  Enabled: false
 Naming/MethodParameterName:
  Enabled: true
 Rails:
  Enabled: true
 Rails/ApplicationController:
  Enabled: false
  Exclude:
    - 'app/controllers/well_known/**/*.rb'
 Rails/BelongsTo:
  Enabled: false
 Rails/ContentTag:
  Enabled: false
 Rails/EnumHash:
  Enabled: false
 Rails/Exit:
  Exclude:
    - 'lib/mastodon/*'
    - 'lib/cli.rb'
 Rails/FilePath:
  Enabled: false
 Rails/HasAndBelongsToMany:
  Enabled: false
 Rails/HasManyOrHasOneDependent:
  Enabled: false
 Rails/HelperInstanceVariable:
  Enabled: false
 Rails/HttpStatus:
  Enabled: false
 Rails/IndexBy:
  Enabled: false
 Rails/InverseOf:
  Enabled: false
 Rails/LexicallyScopedActionFilter:
  Enabled: false
 Rails/OutputSafety:
  Enabled: true
 Rails/RakeEnvironment:
  Enabled: false
 Rails/RedundantForeignKey:
  Enabled: false
 Rails/SkipsModelValidations:
  Enabled: false
 Rails/UniqueValidationWithoutIndex:
  Enabled: false
 Style/AccessorGrouping:
  Enabled: true
 Style/AccessModifierDeclarations:
  Enabled: false
 Style/ArrayCoercion:
  Enabled: true
 Style/BisectedAttrAccessor:
  Enabled: true
 Style/CaseLikeIf:
  Enabled: false
 Style/ClassAndModuleChildren:
  Enabled: false
 Style/CollectionMethods:
  Enabled: true
  PreferredMethods:
    find_all: 'select'
 Style/Documentation:
  Enabled: false
 Style/DoubleNegation:
  Enabled: true
 Style/ExpandPathArguments:
  Enabled: false
 Style/ExponentialNotation:
  Enabled: true
 Style/FormatString:
  Enabled: false
 Style/FormatStringToken:
  Enabled: false
 Style/FrozenStringLiteralComment:
  Enabled: true
 Style/GuardClause:
  Enabled: false
 Style/HashAsLastArrayItem:
  Enabled: false
 Style/HashEachMethods:
  Enabled: true
 Style/HashLikeCase:
  Enabled: true
 Style/HashTransformKeys:
  Enabled: true
 Style/HashTransformValues:
  Enabled: false
 Style/IfUnlessModifier:
  Enabled: false
 Style/InverseMethods:
  Enabled: false
 Style/Lambda:
  Enabled: false
 Style/MutableConstant:
  Enabled: false
 Style/PercentLiteralDelimiters:
  PreferredDelimiters:
    '%i': '()'
    '%w': '()'
 Style/PerlBackrefs:
  AutoCorrect: false
 Style/RedundantAssignment:
  Enabled: false
 Style/RedundantFetchBlock:
  Enabled: true
 Style/RedundantFileExtensionInRequire:
  Enabled: true
 Style/RedundantRegexpCharacterClass:
  Enabled: false
 Style/RedundantRegexpEscape:
  Enabled: false
 Style/RedundantReturn:
  Enabled: true
 Style/RegexpLiteral:
  Enabled: false
 Style/RescueStandardError:
  Enabled: false
 Style/SignalException:
  Enabled: false
 Style/SlicingWithRange:
  Enabled: true
 Style/SymbolArray:
  Enabled: false
 Style/TrailingCommaInArrayLiteral:
  EnforcedStyleForMultiline: 'comma'
 Style/TrailingCommaInHashLiteral:
  EnforcedStyleForMultiline: 'comma'
 Style/UnpackFirst:
  Enabled: false
--- a/.rubocop/custom.yml
+++ b/.rubocop/custom.yml
@ -1,6 +0,0 @@
 ---
 require:
  - ../lib/linter/rubocop_middle_dot
 Style/MiddleDot:
  Enabled: true
--- a/.rubocop/i18n.yml
+++ b/.rubocop/i18n.yml
@ -1,12 +0,0 @@
 I18n/RailsI18n:
  Enabled: true
  Exclude:
    - 'config/**/*'
    - 'db/**/*'
    - 'lib/**/*'
    - 'spec/**/*'
 I18n/GetText:
  Enabled: false
 I18n/RailsI18n/DecorateStringFormattingUsingInterpolation:
  Enabled: false
--- a/.rubocop/layout.yml
+++ b/.rubocop/layout.yml
@ -1,6 +0,0 @@
 ---
 Layout/FirstHashElementIndentation:
  EnforcedStyle: consistent
 Layout/LineLength:
  Max: 300 # Default of 120 causes a duplicate entry in generated todo file
--- a/.rubocop/metrics.yml
+++ b/.rubocop/metrics.yml
@ -1,23 +0,0 @@
 ---
 Metrics/AbcSize:
  Exclude:
    - lib/mastodon/cli/*.rb
 Metrics/BlockLength:
  Enabled: false
 Metrics/ClassLength:
  Enabled: false
 Metrics/CyclomaticComplexity:
  Exclude:
    - lib/mastodon/cli/*.rb
 Metrics/MethodLength:
  Enabled: false
 Metrics/ModuleLength:
  Enabled: false
 Metrics/ParameterLists:
  CountKeywordArgs: false
--- a/.rubocop/naming.yml
+++ b/.rubocop/naming.yml
@ -1,6 +0,0 @@
 ---
 Naming/BlockForwarding:
  EnforcedStyle: explicit
 Naming/PredicateMethod:
  Enabled: false
--- a/.rubocop/rails.yml
+++ b/.rubocop/rails.yml
@ -1,26 +0,0 @@
 ---
 Rails/BulkChangeTable:
  Enabled: false # Conflicts with strong_migrations features
 Rails/Delegate:
  Enabled: false
 Rails/FilePath:
  EnforcedStyle: arguments
 Rails/HttpStatus:
  EnforcedStyle: numeric
 Rails/NegateInclude:
  Enabled: false
 Rails/RakeEnvironment:
  Exclude: # Tasks are doing local work which do not need full env loaded
    - lib/tasks/auto_annotate_models.rake
    - lib/tasks/emojis.rake
    - lib/tasks/mastodon.rake
    - lib/tasks/repo.rake
    - lib/tasks/statistics.rake
 Rails/SkipsModelValidations:
  Enabled: false
--- a/.rubocop/rspec.yml
+++ b/.rubocop/rspec.yml
@ -1,28 +0,0 @@
 ---
 RSpec/ExampleLength:
  CountAsOne: ['array', 'heredoc', 'method_call']
  Max: 20 # Override default of 5
 RSpec/MultipleExpectations:
  Max: 10 # Overrides default of 1
 RSpec/MultipleMemoizedHelpers:
  Max: 20 # Overrides default of 5
 RSpec/NamedSubject:
  EnforcedStyle: named_only
 RSpec/NestedGroups:
  Max: 10 # Overrides default of 3
 RSpec/NotToNot:
  EnforcedStyle: to_not
 RSpec/SpecFilePathFormat:
  CustomTransform:
    ActivityPub: activitypub
    DeepL: deepl
    FetchOEmbedService: fetch_oembed_service
    OAuth: oauth
    OEmbedController: oembed_controller
    OStatus: ostatus
--- a/.rubocop/rspec_rails.yml
+++ b/.rubocop/rspec_rails.yml
@ -1,3 +0,0 @@
 ---
 RSpecRails/HttpStatus:
  EnforcedStyle: numeric
--- a/.rubocop/strict.yml
+++ b/.rubocop/strict.yml
@ -1,24 +0,0 @@
 Lint/Debugger: # Remove any `binding.pry`
  Enabled: true
  Exclude: []
 RSpec/Focus: # Require full spec run on CI
  Enabled: true
  Exclude: []
 Rails/Output: # Remove any `puts` debugging
  inherit_mode:
    merge:
      - Include
  Enabled: true
  Exclude: []
  Include:
    - spec/**/*.rb
 Rails/FindEach: # Using `each` could impact performance, use `find_each`
  Enabled: true
  Exclude: []
 Rails/UniqBeforePluck: # Require `uniq.pluck` and not `pluck.uniq`
  Enabled: true
  Exclude: []
--- a/.rubocop/style.yml
+++ b/.rubocop/style.yml
@ -1,63 +0,0 @@
 ---
 Style/ArrayIntersect:
  Enabled: false
 Style/ClassAndModuleChildren:
  Enabled: false
 Style/Documentation:
  Enabled: false
 Style/FormatStringToken:
  AllowedMethods:
    - redirect_with_vary # Route redirects are not token-formatted
  inherit_mode:
    merge:
      - AllowedMethods
 Style/HashAsLastArrayItem:
  Enabled: false
 Style/HashSyntax:
  EnforcedShorthandSyntax: either
  EnforcedStyle: ruby19_no_mixed_keys
 Style/IfUnlessModifier:
  Exclude:
    - '**/*.haml'
 Style/KeywordArgumentsMerging:
  Enabled: false
 Style/NumericLiterals:
  AllowedPatterns:
    - \d{4}_\d{2}_\d{2}_\d{6}
 Style/PercentLiteralDelimiters:
  PreferredDelimiters:
    '%i': ()
    '%w': ()
 Style/RedundantBegin:
  Enabled: false
 Style/RedundantFetchBlock:
  Enabled: false
 Style/RescueStandardError:
  EnforcedStyle: implicit
 Style/SafeNavigationChainLength:
  Enabled: false
 Style/SymbolArray:
  Enabled: false
 Style/TrailingCommaInArrayLiteral:
  EnforcedStyleForMultiline: comma
 Style/TrailingCommaInHashLiteral:
  EnforcedStyleForMultiline: comma
 Style/WordArray:
  MinSize: 3 # Override default of 2
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@ -1,39 +0,0 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --no-offense-counts --no-auto-gen-timestamp`
 # using RuboCop version 1.77.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 Lint/NonLocalExitFromIterator:
  Exclude:
    - 'app/helpers/json_ld_helper.rb'
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
  Max: 82
 # Configuration parameters: CountBlocks, CountModifierForms, Max.
 Metrics/BlockNesting:
  Exclude:
    - 'lib/tasks/mastodon.rake'
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/CyclomaticComplexity:
  Max: 25
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/PerceivedComplexity:
  Max: 27
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowedVars, DefaultToNil.
 Style/FetchEnvVar:
  Exclude:
    - 'config/initializers/paperclip.rb'
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: MinBodyLength, AllowConsecutiveConditionals.
 Style/GuardClause:
  Enabled: false
--- a/.ruby-gemset
+++ b/.ruby-gemset
@ -1 +0,0 @@
 mastodon
--- a/.ruby-version
+++ b/.ruby-version
@ -1 +1 @@
-3.4.4
+3.0.6
--- a/.sass-lint.yml
+++ b/.sass-lint.yml
@ -0,0 +1,37 @@
 # Linter Documentation:
 # https://github.com/sasstools/sass-lint/tree/v1.13.1/docs/options
 files:
  include: app/javascript/styles/**/*.scss
  ignore:
    - app/javascript/styles/mastodon/reset.scss
 rules:
  # Disallows
  no-color-literals: 0
  no-css-comments: 0
  no-duplicate-properties: 0
  no-ids: 0
  no-important: 0
  no-mergeable-selectors: 0
  no-misspelled-properties: 0
  no-qualifying-elements: 0
  no-transition-all: 0
  no-vendor-prefixes: 0
  # Nesting
  force-element-nesting: 0
  force-attribute-nesting: 0
  force-pseudo-nesting: 0
  # Name Formats
  class-name-format: 0
  leading-zero: 0
  # Style Guide
  attribute-quotes: 0
  hex-length: 0
  indentation: 0
  nesting-depth: 0
  property-sort-order: 0
  quotes: 0
--- a/.storybook/main.ts
+++ b/.storybook/main.ts
@ -1,31 +0,0 @@
 import type { StorybookConfig } from '@storybook/react-vite';
 const config: StorybookConfig = {
  stories: ['../app/javascript/**/*.stories.@(js|jsx|mjs|ts|tsx)'],
  addons: [
    '@storybook/addon-docs',
    '@storybook/addon-a11y',
    '@storybook/addon-vitest',
  ],
  framework: {
    name: '@storybook/react-vite',
    options: {},
  },
  staticDirs: [
    './static',
    // We need to manually specify the assets because of the symlink in public/sw.js
    ...[
      'avatars',
      'emoji',
      'headers',
      'sounds',
      'badge.png',
      'loading.gif',
      'loading.png',
      'oops.gif',
      'oops.png',
    ].map((path) => ({ from: `../public/${path}`, to: `/${path}` })),
  ],
 };
 export default config;
--- a/.storybook/manager.ts
+++ b/.storybook/manager.ts
@ -1,7 +0,0 @@
 import { addons } from 'storybook/manager-api';
 import theme from './storybook-theme';
 addons.setConfig({
  theme,
 });
--- a/.storybook/preview-head.html
+++ b/.storybook/preview-head.html
@ -1,18 +0,0 @@
 <style>
 	/* Increase docs font size */
 	.sbdocs.sbdocs-content :where(p:not(.sb-anchor, .sb-unstyled, .sb-unstyled p)),
 	.sbdocs.sbdocs-content :where(li:not(.sb-anchor, .sb-unstyled, .sb-unstyled li)) {
 		font-size: 1.0666rem; /* 17px */
 		line-height: 1.585; /* 27px */
 	}
 	.sbdocs.sbdocs-content :where(p:not(.sb-anchor, .sb-unstyled, .sb-unstyled p)) code,
 	.sbdocs.sbdocs-content :where(li:not(.sb-anchor, .sb-unstyled, .sb-unstyled li)) code {
 		font-size: 0.875rem; /* ~15px */
 	}
 	/* Bring numbers back for ordered lists */
 	ol {
 		list-style: revert !important;
 	}
 </style>
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@ -1,146 +0,0 @@
 import { useEffect, useState } from 'react';
 import { IntlProvider } from 'react-intl';
 import { MemoryRouter, Route } from 'react-router';
 import { configureStore } from '@reduxjs/toolkit';
 import { Provider } from 'react-redux';
 import type { Preview } from '@storybook/react-vite';
 import { initialize, mswLoader } from 'msw-storybook-addon';
 import { action } from 'storybook/actions';
 import type { LocaleData } from '@/mastodon/locales';
 import { reducerWithInitialState, rootReducer } from '@/mastodon/reducers';
 import { defaultMiddleware } from '@/mastodon/store/store';
 import { mockHandlers, unhandledRequestHandler } from '@/testing/api';
 // If you want to run the dark theme during development,
 // you can change the below to `/application.scss`
 import '../app/javascript/styles/mastodon-light.scss';
 const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
  query: { as: 'json' },
 });
 // Initialize MSW
 initialize({
  onUnhandledRequest: unhandledRequestHandler,
 });
 const preview: Preview = {
  // Auto-generate docs: https://storybook.js.org/docs/writing-docs/autodocs
  tags: ['autodocs'],
  globalTypes: {
    locale: {
      description: 'Locale for the story',
      toolbar: {
        title: 'Locale',
        icon: 'globe',
        items: Object.keys(localeFiles).map((path) =>
          path.replace('/mastodon/locales/', '').replace('.json', ''),
        ),
        dynamicTitle: true,
      },
    },
  },
  initialGlobals: {
    locale: 'en',
  },
  decorators: [
    (Story, { parameters }) => {
      const { state = {} } = parameters;
      let reducer = rootReducer;
      if (typeof state === 'object' && state) {
        reducer = reducerWithInitialState(state as Record<string, unknown>);
      }
      const store = configureStore({
        reducer,
        middleware(getDefaultMiddleware) {
          return getDefaultMiddleware(defaultMiddleware);
        },
      });
      return (
        <Provider store={store}>
          <Story />
        </Provider>
      );
    },
    (Story, { globals }) => {
      const currentLocale = (globals.locale as string) || 'en';
      const [messages, setMessages] = useState<
        Record<string, Record<string, string>>
      >({});
      const currentLocaleData = messages[currentLocale];
      useEffect(() => {
        async function loadLocaleData() {
          const { default: localeFile } = (await import(
            `@/mastodon/locales/${currentLocale}.json`
          )) as { default: LocaleData['messages'] };
          setMessages((prevLocales) => ({
            ...prevLocales,
            [currentLocale]: localeFile,
          }));
        }
        if (!currentLocaleData) {
          void loadLocaleData();
        }
      }, [currentLocale, currentLocaleData]);
      return (
        <IntlProvider
          locale={currentLocale}
          messages={currentLocaleData}
          textComponent='span'
        >
          <Story />
        </IntlProvider>
      );
    },
    (Story) => (
      <MemoryRouter>
        <Story />
        <Route
          path='*'
          // eslint-disable-next-line react/jsx-no-bind
          render={({ location }) => {
            if (location.pathname !== '/') {
              action(`route change to ${location.pathname}`)(location);
            }
            return null;
          }}
        />
      </MemoryRouter>
    ),
  ],
  loaders: [mswLoader],
  parameters: {
    layout: 'centered',
    controls: {
      matchers: {
        color: /(background|color)$/i,
        date: /Date$/i,
      },
    },
    a11y: {
      // 'todo' - show a11y violations in the test UI only
      // 'error' - fail CI on a11y violations
      // 'off' - skip a11y checks entirely
      test: 'todo',
    },
    state: {},
    docs: {},
    msw: {
      handlers: mockHandlers,
    },
  },
 };
 export default preview;
--- a/.storybook/static/mockServiceWorker.js
+++ b/.storybook/static/mockServiceWorker.js
@ -1,344 +0,0 @@
 /* eslint-disable */
 /* tslint:disable */
 /**
 * Mock Service Worker.
 * @see https://github.com/mswjs/msw
 * - Please do NOT modify this file.
 */
 const PACKAGE_VERSION = '2.10.2'
 const INTEGRITY_CHECKSUM = 'f5825c521429caf22a4dd13b66e243af'
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
 const activeClientIds = new Set()
 addEventListener('install', function () {
  self.skipWaiting()
 })
 addEventListener('activate', function (event) {
  event.waitUntil(self.clients.claim())
 })
 addEventListener('message', async function (event) {
  const clientId = Reflect.get(event.source || {}, 'id')
  if (!clientId || !self.clients) {
    return
  }
  const client = await self.clients.get(clientId)
  if (!client) {
    return
  }
  const allClients = await self.clients.matchAll({
    type: 'window',
  })
  switch (event.data) {
    case 'KEEPALIVE_REQUEST': {
      sendToClient(client, {
        type: 'KEEPALIVE_RESPONSE',
      })
      break
    }
    case 'INTEGRITY_CHECK_REQUEST': {
      sendToClient(client, {
        type: 'INTEGRITY_CHECK_RESPONSE',
        payload: {
          packageVersion: PACKAGE_VERSION,
          checksum: INTEGRITY_CHECKSUM,
        },
      })
      break
    }
    case 'MOCK_ACTIVATE': {
      activeClientIds.add(clientId)
      sendToClient(client, {
        type: 'MOCKING_ENABLED',
        payload: {
          client: {
            id: client.id,
            frameType: client.frameType,
          },
        },
      })
      break
    }
    case 'MOCK_DEACTIVATE': {
      activeClientIds.delete(clientId)
      break
    }
    case 'CLIENT_CLOSED': {
      activeClientIds.delete(clientId)
      const remainingClients = allClients.filter((client) => {
        return client.id !== clientId
      })
      // Unregister itself when there are no more clients
      if (remainingClients.length === 0) {
        self.registration.unregister()
      }
      break
    }
  }
 })
 addEventListener('fetch', function (event) {
  // Bypass navigation requests.
  if (event.request.mode === 'navigate') {
    return
  }
  // Opening the DevTools triggers the "only-if-cached" request
  // that cannot be handled by the worker. Bypass such requests.
  if (
    event.request.cache === 'only-if-cached' &&
    event.request.mode !== 'same-origin'
  ) {
    return
  }
  // Bypass all requests when there are no active clients.
  // Prevents the self-unregistered worked from handling requests
  // after it's been deleted (still remains active until the next reload).
  if (activeClientIds.size === 0) {
    return
  }
  const requestId = crypto.randomUUID()
  event.respondWith(handleRequest(event, requestId))
 })
 /**
 * @param {FetchEvent} event
 * @param {string} requestId
 */
 async function handleRequest(event, requestId) {
  const client = await resolveMainClient(event)
  const requestCloneForEvents = event.request.clone()
  const response = await getResponse(event, client, requestId)
  // Send back the response clone for the "response:*" life-cycle events.
  // Ensure MSW is active and ready to handle the message, otherwise
  // this message will pend indefinitely.
  if (client && activeClientIds.has(client.id)) {
    const serializedRequest = await serializeRequest(requestCloneForEvents)
    // Clone the response so both the client and the library could consume it.
    const responseClone = response.clone()
    sendToClient(
      client,
      {
        type: 'RESPONSE',
        payload: {
          isMockedResponse: IS_MOCKED_RESPONSE in response,
          request: {
            id: requestId,
            ...serializedRequest,
          },
          response: {
            type: responseClone.type,
            status: responseClone.status,
            statusText: responseClone.statusText,
            headers: Object.fromEntries(responseClone.headers.entries()),
            body: responseClone.body,
          },
        },
      },
      responseClone.body ? [serializedRequest.body, responseClone.body] : [],
    )
  }
  return response
 }
 /**
 * Resolve the main client for the given event.
 * Client that issues a request doesn't necessarily equal the client
 * that registered the worker. It's with the latter the worker should
 * communicate with during the response resolving phase.
 * @param {FetchEvent} event
 * @returns {Promise<Client | undefined>}
 */
 async function resolveMainClient(event) {
  const client = await self.clients.get(event.clientId)
  if (activeClientIds.has(event.clientId)) {
    return client
  }
  if (client?.frameType === 'top-level') {
    return client
  }
  const allClients = await self.clients.matchAll({
    type: 'window',
  })
  return allClients
    .filter((client) => {
      // Get only those clients that are currently visible.
      return client.visibilityState === 'visible'
    })
    .find((client) => {
      // Find the client ID that's recorded in the
      // set of clients that have registered the worker.
      return activeClientIds.has(client.id)
    })
 }
 /**
 * @param {FetchEvent} event
 * @param {Client | undefined} client
 * @param {string} requestId
 * @returns {Promise<Response>}
 */
 async function getResponse(event, client, requestId) {
  // Clone the request because it might've been already used
  // (i.e. its body has been read and sent to the client).
  const requestClone = event.request.clone()
  function passthrough() {
    // Cast the request headers to a new Headers instance
    // so the headers can be manipulated with.
    const headers = new Headers(requestClone.headers)
    // Remove the "accept" header value that marked this request as passthrough.
    // This prevents request alteration and also keeps it compliant with the
    // user-defined CORS policies.
    const acceptHeader = headers.get('accept')
    if (acceptHeader) {
      const values = acceptHeader.split(',').map((value) => value.trim())
      const filteredValues = values.filter(
        (value) => value !== 'msw/passthrough',
      )
      if (filteredValues.length > 0) {
        headers.set('accept', filteredValues.join(', '))
      } else {
        headers.delete('accept')
      }
    }
    return fetch(requestClone, { headers })
  }
  // Bypass mocking when the client is not active.
  if (!client) {
    return passthrough()
  }
  // Bypass initial page load requests (i.e. static assets).
  // The absence of the immediate/parent client in the map of the active clients
  // means that MSW hasn't dispatched the "MOCK_ACTIVATE" event yet
  // and is not ready to handle requests.
  if (!activeClientIds.has(client.id)) {
    return passthrough()
  }
  // Notify the client that a request has been intercepted.
  const serializedRequest = await serializeRequest(event.request)
  const clientMessage = await sendToClient(
    client,
    {
      type: 'REQUEST',
      payload: {
        id: requestId,
        ...serializedRequest,
      },
    },
    [serializedRequest.body],
  )
  switch (clientMessage.type) {
    case 'MOCK_RESPONSE': {
      return respondWithMock(clientMessage.data)
    }
    case 'PASSTHROUGH': {
      return passthrough()
    }
  }
  return passthrough()
 }
 /**
 * @param {Client} client
 * @param {any} message
 * @param {Array<Transferable>} transferrables
 * @returns {Promise<any>}
 */
 function sendToClient(client, message, transferrables = []) {
  return new Promise((resolve, reject) => {
    const channel = new MessageChannel()
    channel.port1.onmessage = (event) => {
      if (event.data && event.data.error) {
        return reject(event.data.error)
      }
      resolve(event.data)
    }
    client.postMessage(message, [
      channel.port2,
      ...transferrables.filter(Boolean),
    ])
  })
 }
 /**
 * @param {Response} response
 * @returns {Response}
 */
 function respondWithMock(response) {
  // Setting response status code to 0 is a no-op.
  // However, when responding with a "Response.error()", the produced Response
  // instance will have status code set to 0. Since it's not possible to create
  // a Response instance with status code 0, handle that use-case separately.
  if (response.status === 0) {
    return Response.error()
  }
  const mockedResponse = new Response(response.body, response)
  Reflect.defineProperty(mockedResponse, IS_MOCKED_RESPONSE, {
    value: true,
    enumerable: true,
  })
  return mockedResponse
 }
 /**
 * @param {Request} request
 */
 async function serializeRequest(request) {
  return {
    url: request.url,
    mode: request.mode,
    method: request.method,
    headers: Object.fromEntries(request.headers.entries()),
    cache: request.cache,
    credentials: request.credentials,
    destination: request.destination,
    integrity: request.integrity,
    redirect: request.redirect,
    referrer: request.referrer,
    referrerPolicy: request.referrerPolicy,
    body: await request.arrayBuffer(),
    keepalive: request.keepalive,
  }
 }
--- a/.storybook/storybook-addon-vitest.d.ts
+++ b/.storybook/storybook-addon-vitest.d.ts
@ -1,7 +0,0 @@
 // The addon package.json incorrectly exports types, so we need to override them here.
 // See: https://github.com/storybookjs/storybook/blob/v9.0.4/code/addons/vitest/package.json#L70-L76
 declare module '@storybook/addon-vitest/vitest-plugin' {
  export * from '@storybook/addon-vitest/dist/vitest-plugin/index';
 }
 export {};
--- a/.storybook/storybook-theme.ts
+++ b/.storybook/storybook-theme.ts
@ -1,7 +0,0 @@
 import { create } from 'storybook/theming';
 export default create({
  base: 'light',
  brandTitle: 'Mastodon Storybook',
  brandImage: 'https://joinmastodon.org/logos/wordmark-black-text.svg',
 });
--- a/.storybook/vitest.setup.ts
+++ b/.storybook/vitest.setup.ts
@ -1,8 +0,0 @@
 import * as a11yAddonAnnotations from '@storybook/addon-a11y/preview';
 import { setProjectAnnotations } from '@storybook/react-vite';
 import * as projectAnnotations from './preview';
 // This is an important step to apply the right configuration when testing your stories.
 // More info at: https://storybook.js.org/docs/api/portable-stories/portable-stories-vitest#setprojectannotations
 setProjectAnnotations([a11yAddonAnnotations, projectAnnotations]);
--- a/.watchmanconfig
+++ b/.watchmanconfig
@ -1,3 +0,0 @@
 {
  "ignore_dirs": ["node_modules/", "public/"]
 }
--- a/.yarn/patches/babel-plugin-lodash-npm-3.3.4-c7161075b6.patch
+++ b/.yarn/patches/babel-plugin-lodash-npm-3.3.4-c7161075b6.patch
@ -1,13 +0,0 @@
 diff --git a/lib/index.js b/lib/index.js
 index 16ed6be8be8f555cc99096c2ff60954b42dc313d..d009c069770d066ad0db7ad02de1ea473a29334e 100644
 --- a/lib/index.js
 +++ b/lib/index.js
@@ -99,7 +99,7 @@ function lodash(_ref) {
         var node = _ref3;
 -        if ((0, _types.isModuleDeclaration)(node)) {
 +        if ((0, _types.isImportDeclaration)(node)  || (0, _types.isExportDeclaration)(node)) {
           isModule = true;
           break;
         }
--- a/.yarnclean
+++ b/.yarnclean
@ -0,0 +1,46 @@
 # test directories
 __tests__
 test
 tests
 powered-test
 # asset directories
 docs
 doc
 website
 images
 # assets
 # examples
 example
 examples
 # code coverage directories
 coverage
 .nyc_output
 # build scripts
 Makefile
 Gulpfile.js
 Gruntfile.js
 # configs
 .tern-project
 .gitattributes
 .editorconfig
 .*ignore
 .eslintrc
 .jshintrc
 .flowconfig
 .documentup.json
 .yarn-metadata.json
 .*.yml
 *.yml
 # misc
 *.gz
 *.md
 # for specific ignore
 !.svgo.yml
 !sass-lint/**/*.yml
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@ -1 +0,0 @@
 nodeLinker: node-modules
--- a/AUTHORS.md
+++ b/AUTHORS.md
--- a/31
+++ b/31
@ -1,5 +1,26 @@
-libidn12
+ffmpeg
-# for idn-ruby on heroku-24 stack
+libicu[0-9][0-9]
-
+libicu-dev
-# use https://github.com/heroku/heroku-buildpack-activestorage-preview
+libidn11
-# in place for ffmpeg and its dependent packages to reduce slag size
+libidn11-dev
 libpq-dev
 libxdamage1
 libxfixes3
 zlib1g-dev
 libcairo2
 libcroco3
 libdatrie1
 libgdk-pixbuf2.0-0
 libgraphite2-3
 libharfbuzz0b
 libpango-1.0-0
 libpangocairo-1.0-0
 libpangoft2-1.0-0
 libpixman-1-0
 librsvg2-2
 libthai-data
 libthai0
 libvpx[5-9]
 libxcb-render0
 libxcb-shm0
 libxrender1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -2,131 +2,45 @@
 ## Our Pledge
-We as members, contributors, and leaders pledge to make participation in our
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
 identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, caste, color, religion, or sexual
 identity and orientation.
 We pledge to act and interact in ways that contribute to an open, welcoming,
 diverse, inclusive, and healthy community.
 ## Our Standards
-Examples of behavior that contributes to a positive environment for our
+Examples of behavior that contributes to creating a positive environment include:
 community include:
- Demonstrating empathy and kindness toward other people
+* Using welcoming and inclusive language
- Being respectful of differing opinions, viewpoints, and experiences
+* Being respectful of differing viewpoints and experiences
- Giving and gracefully accepting constructive feedback
+* Gracefully accepting constructive criticism
- Accepting responsibility and apologizing to those affected by our mistakes,
+* Focusing on what is best for the community
-  and learning from the experience
+* Showing empathy towards other community members
 - Focusing on what is best not just for us as individuals, but for the overall
  community
-Examples of unacceptable behavior include:
+Examples of unacceptable behavior by participants include:
- The use of sexualized language or imagery, and sexual attention or advances of
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
-  any kind
+* Trolling, insulting/derogatory comments, and personal or political attacks
- Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
- Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
- Publishing others' private information, such as a physical or email address,
+* Other conduct which could reasonably be considered inappropriate in a professional setting
  without their explicit permission
 - Other conduct which could reasonably be considered inappropriate in a
  professional setting
-## Enforcement Responsibilities
+## Our Responsibilities
-Community leaders are responsible for clarifying and enforcing our standards of
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
 acceptable behavior and will take appropriate and fair corrective action in
 response to any behavior that they deem inappropriate, threatening, offensive,
 or harmful.
-Community leaders have the right and responsibility to remove, edit, or reject
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
 comments, commits, code, wiki edits, issues, and other contributions that are
 not aligned to this Code of Conduct, and will communicate reasons for moderation
 decisions when appropriate.
 ## Scope
-This Code of Conduct applies within all community spaces, and also applies when
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
 an individual is officially representing the community in public spaces.
 Examples of representing our community include using an official e-mail address,
 posting via an official social media account, or acting as an appointed
 representative at an online or offline event.
 ## Enforcement
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at eugen@zeonfederated.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
 reported to the community leaders responsible for enforcement at
 [hello@joinmastodon.org](mailto:hello@joinmastodon.org).
 All complaints will be reviewed and investigated promptly and fairly.
-All community leaders are obligated to respect the privacy and security of the
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
 reporter of any incident.
 ## Enforcement Guidelines
 Community leaders will follow these Community Impact Guidelines in determining
 the consequences for any action they deem in violation of this Code of Conduct:
 ### 1. Correction
 **Community Impact**: Use of inappropriate language or other behavior deemed
 unprofessional or unwelcome in the community.
 **Consequence**: A private, written warning from community leaders, providing
 clarity around the nature of the violation and an explanation of why the
 behavior was inappropriate. A public apology may be requested.
 ### 2. Warning
 **Community Impact**: A violation through a single incident or series of
 actions.
 **Consequence**: A warning with consequences for continued behavior. No
 interaction with the people involved, including unsolicited interaction with
 those enforcing the Code of Conduct, for a specified period of time. This
 includes avoiding interactions in community spaces as well as external channels
 like social media. Violating these terms may lead to a temporary or permanent
 ban.
 ### 3. Temporary Ban
 **Community Impact**: A serious violation of community standards, including
 sustained inappropriate behavior.
 **Consequence**: A temporary ban from any sort of interaction or public
 communication with the community for a specified period of time. No public or
 private interaction with the people involved, including unsolicited interaction
 with those enforcing the Code of Conduct, is allowed during this period.
 Violating these terms may lead to a permanent ban.
 ### 4. Permanent Ban
 **Community Impact**: Demonstrating a pattern of violation of community
 standards, including sustained inappropriate behavior, harassment of an
 individual, or aggression toward or disparagement of classes of individuals.
 **Consequence**: A permanent ban from any sort of public interaction within the
 community.
 ## Attribution
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 version 2.1, available at
 [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-Community Impact Guidelines were inspired by
+[homepage]: http://contributor-covenant.org
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+[version]: http://contributor-covenant.org/version/1/4/
 For answers to common questions about this code of conduct, see the FAQ at
 [https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
 [https://www.contributor-covenant.org/translations][translations].
 [homepage]: https://www.contributor-covenant.org
 [v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
 [Mozilla CoC]: https://github.com/mozilla/diversity
 [FAQ]: https://www.contributor-covenant.org/faq
 [translations]: https://www.contributor-covenant.org/translations
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,4 +1,5 @@
-# Contributing
+Contributing
 ============
 Thank you for considering contributing to Mastodon 🐘
@ -9,83 +10,38 @@ You can contribute in the following ways:
 - Contributing code to Mastodon by fixing bugs or implementing features
 - Improving the documentation
-Please review the org-level [contribution guidelines] for high-level acceptance
+If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
 criteria guidance and the [DEVELOPMENT] guide for environment-specific details.
-## API Changes and Additions
+## Bug reports
-Any changes or additions made to the API should have an accompanying pull
+Bug reports and feature suggestions must use descriptive and concise titles and be submitted to [GitHub Issues](https://github.com/mastodon/mastodon/issues). Please use the search function to make sure that you are not submitting duplicates, and that a similar report or request has not already been resolved or rejected.
 request on our [documentation repository].
 ## Bug Reports
 Bug reports and feature suggestions must use descriptive and concise titles and
 be submitted to [GitHub Issues]. Please use the search function to make sure
 there are not duplicate bug reports or feature requests.
 ## Security Issues
 If you believe you have identified a security issue in Mastodon or our own apps,
 check [SECURITY].
 ## Translations
-Translations are community contributed via [Crowdin]. They are periodically
+You can submit translations via [Crowdin](https://crowdin.com/project/mastodon). They are periodically merged into the codebase.
 reviewed and merged into the codebase.
 [![Crowdin](https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg)](https://crowdin.com/project/mastodon)
-## Pull Requests
+## Pull requests
-### Size and Scope
+**Please use clean, concise titles for your pull requests.** Unless the pull request is about refactoring code, updating dependencies or other internal tasks, assume that the person reading the pull request title is not a programmer or Mastodon developer, but instead a Mastodon user or server administrator, and **try to describe your change or fix from their perspective**. We use commit squashing, so the final commit in the main branch will carry the title of the pull request, and commits from the main branch are fed into the changelog. The changelog is separated into [keepachangelog.com categories](https://keepachangelog.com/en/1.0.0/), and while that spec does not prescribe how the entries ought to be named, for easier sorting, start your pull request titles using one of the verbs "Add", "Change", "Deprecate", "Remove", or "Fix" (present tense).
 Our time is limited and PRs making large, unsolicited changes are unlikely to
 get a response. Changes which link to an existing confirmed issue, or which come
 from a "help wanted" issue or other request are more likely to be reviewed.
 The smaller and more narrowly focused the changes in a PR are, the easier they
 are to review and potentially merge. If the change only makes sense in some
 larger context of future ongoing work, note that in the description, but still
 aim to keep each distinct PR to a "smallest viable change" chunk of work.
 ### Description of Changes
 Unless the Pull Request is about refactoring code, updating dependencies or
 other internal tasks, assume that the audience are not developers, but a
 Mastodon user or server admin, and try to describe it from their perspective.
 The final commit in the main branch will carry the title from the PR. The main
 branch is then fed into the changelog and ultimately into release notes. We try
 to follow the [keepachangelog] spec, and while that does not prescribe how
 exactly the entries ought to be named, starting titles using one of the verbs
 "Add", "Change", "Deprecate", "Remove", or "Fix" (present tense) is helpful.
 Example:
-| Not ideal                            | Better                                                        |
+|Not ideal|Better|
-| ------------------------------------ | ------------------------------------------------------------- |
+|---|----|
-| Fixed NoMethodError in RemovalWorker | Fix nil error when removing statuses caused by race condition |
+|Fixed NoMethodError in RemovalWorker|Fix nil error when removing statuses caused by race condition|
-### Technical Requirements
+It is not always possible to phrase every change in such a manner, but it is desired.
-Pull requests that do not pass automated checks on CI may not be reviewed. In
+**The smaller the set of changes in the pull request is, the quicker it can be reviewed and merged.** Splitting tasks into multiple smaller pull requests is often preferable.
 particular, please keep in mind:
- Unit and integration tests (rspec, vitest)
+**Pull requests that do not pass automated checks may not be reviewed**. In particular, you need to keep in mind:
 - Unit and integration tests (rspec, jest)
 - Code style rules (rubocop, eslint)
 - Normalization of locale files (i18n-tasks)
 - Relevant accessibility or performance concerns
 ## Documentation
-The [Mastodon documentation] is a statically generated site that contains guides
+The [Mastodon documentation](https://docs.joinmastodon.org) is a statically generated site. You can [submit merge requests to mastodon/documentation](https://github.com/mastodon/documentation).
 and API docs. Improvements are made via PRs to the [documentation repository].
 [contribution guidelines]: https://github.com/mastodon/.github/blob/main/CONTRIBUTING.md
 [Crowdin]: https://crowdin.com/project/mastodon
 [DEVELOPMENT]: docs/DEVELOPMENT.md
 [documentation repository]: https://github.com/mastodon/documentation
 [GitHub Issues]: https://github.com/mastodon/mastodon/issues
 [keepachangelog]: https://keepachangelog.com/en/1.0.0/
 [Mastodon documentation]: https://docs.joinmastodon.org
 [SECURITY]: SECURITY.md
--- a/14
+++ b/14
@ -0,0 +1,14 @@
 # frozen_string_literal: true
 require 'capistrano/setup'
 require 'capistrano/deploy'
 require 'capistrano/scm/git'
 install_plugin Capistrano::SCM::Git
 require 'capistrano/rbenv'
 require 'capistrano/bundler'
 require 'capistrano/yarn'
 require 'capistrano/rails/assets'
 require 'capistrano/rails/migrations'
 Dir.glob('lib/capistrano/tasks/*.rake').each { |r| import r }
--- a/490
+++ b/490
@ -1,404 +1,122 @@
-# syntax=docker/dockerfile:1.12
+FROM ubuntu:20.04 as build-dep
-# This file is designed for production server deployment, not local development work
+# Use bash for the shell
-# For a containerized local dev environment, see: https://github.com/mastodon/mastodon/blob/main/docs/DEVELOPMENT.md#docker
+SHELL ["/bin/bash", "-c"]
 RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
-# Please see https://docs.docker.com/engine/reference/builder for information about
+# Install Node v16 (LTS)
-# the extended buildx capabilities used in this file.
+ENV NODE_VER="16.14.2"
-# Make sure multiarch TARGETPLATFORM is available for interpolation
+RUN ARCH= && \
-# See: https://docs.docker.com/build/building/multi-platform/
+    dpkgArch="$(dpkg --print-architecture)" && \
-ARG TARGETPLATFORM=${TARGETPLATFORM}
+  case "${dpkgArch##*-}" in \
-ARG BUILDPLATFORM=${BUILDPLATFORM}
+    amd64) ARCH='x64';; \
-ARG BASE_REGISTRY="docker.io"
+    ppc64el) ARCH='ppc64le';; \
    s390x) ARCH='s390x';; \
    arm64) ARCH='arm64';; \
    armhf) ARCH='armv7l';; \
    i386) ARCH='x86';; \
    *) echo "unsupported architecture"; exit 1 ;; \
  esac && \
    echo "Etc/UTC" > /etc/localtime && \
 	apt-get update && \
 	apt-get -yq dist-upgrade && \
 	apt-get install -y --no-install-recommends ca-certificates wget python apt-utils && \
 	cd ~ && \
 	wget -q https://nodejs.org/download/release/v$NODE_VER/node-v$NODE_VER-linux-$ARCH.tar.gz && \
 	tar xf node-v$NODE_VER-linux-$ARCH.tar.gz && \
 	rm node-v$NODE_VER-linux-$ARCH.tar.gz && \
 	mv node-v$NODE_VER-linux-$ARCH /opt/node
-# Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
+# Install Ruby 3.0
-# renovate: datasource=docker depName=docker.io/ruby
+ENV RUBY_VER="3.0.6"
-ARG RUBY_VERSION="3.4.4"
+RUN apt-get update && \
-# # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
+  apt-get install -y --no-install-recommends build-essential \
-# renovate: datasource=node-version depName=node
+    bison libyaml-dev libgdbm-dev libreadline-dev libjemalloc-dev \
-ARG NODE_MAJOR_VERSION="22"
+		libncurses5-dev libffi-dev zlib1g-dev libssl-dev && \
-# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="bookworm"]
+	cd ~ && \
-ARG DEBIAN_VERSION="bookworm"
+	wget https://cache.ruby-lang.org/pub/ruby/${RUBY_VER%.*}/ruby-$RUBY_VER.tar.gz && \
-# Node.js image to use for base image based on combined variables (ex: 20-bookworm-slim)
+	tar xf ruby-$RUBY_VER.tar.gz && \
-FROM ${BASE_REGISTRY}/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
+	cd ruby-$RUBY_VER && \
-# Ruby image to use for base image based on combined variables (ex: 3.4.x-slim-bookworm)
+	./configure --prefix=/opt/ruby \
-FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
+	  --with-jemalloc \
 	  --with-shared \
 	  --disable-install-doc && \
 	make -j"$(nproc)" > /dev/null && \
 	make install && \
 	rm -rf ../ruby-$RUBY_VER.tar.gz ../ruby-$RUBY_VER
-# Resulting version string is vX.X.X-MASTODON_VERSION_PRERELEASE+MASTODON_VERSION_METADATA
+ENV PATH="${PATH}:/opt/ruby/bin:/opt/node/bin"
 # Example: v4.3.0-nightly.2023.11.09+pr-123456
 # Overwrite existence of 'alpha.X' in version.rb [--build-arg MASTODON_VERSION_PRERELEASE="nightly.2023.11.09"]
 ARG MASTODON_VERSION_PRERELEASE=""
 # Append build metadata or fork information to version.rb [--build-arg MASTODON_VERSION_METADATA="pr-123456"]
 ARG MASTODON_VERSION_METADATA=""
 # Will be available as Mastodon::Version.source_commit
 ARG SOURCE_COMMIT=""
-# Allow Ruby on Rails to serve static files
+RUN npm install -g npm@9 && \
-# See: https://docs.joinmastodon.org/admin/config/#rails_serve_static_files
+	npm install -g yarn && \
-ARG RAILS_SERVE_STATIC_FILES="true"
+	gem install bundler && \
-# Allow to use YJIT compiler
+	apt-get update && \
-# See: https://github.com/ruby/ruby/blob/v3_2_4/doc/yjit/yjit.md
+	apt-get install -y --no-install-recommends git libicu-dev libidn11-dev \
-ARG RUBY_YJIT_ENABLE="1"
+	libpq-dev shared-mime-info
 # Timezone used by the Docker container and runtime, change with [--build-arg TZ=Europe/Berlin]
 ARG TZ="Etc/UTC"
 # Linux UID (user id) for the mastodon user, change with [--build-arg UID=1234]
 ARG UID="991"
 # Linux GID (group id) for the mastodon user, change with [--build-arg GID=1234]
 ARG GID="991"
-# Apply Mastodon build options based on options above
+COPY Gemfile* package.json yarn.lock /opt/mastodon/
 ENV \
  # Apply Mastodon version information
  MASTODON_VERSION_PRERELEASE="${MASTODON_VERSION_PRERELEASE}" \
  MASTODON_VERSION_METADATA="${MASTODON_VERSION_METADATA}" \
  SOURCE_COMMIT="${SOURCE_COMMIT}" \
  # Apply Mastodon static files and YJIT options
  RAILS_SERVE_STATIC_FILES=${RAILS_SERVE_STATIC_FILES} \
  RUBY_YJIT_ENABLE=${RUBY_YJIT_ENABLE} \
  # Apply timezone
  TZ=${TZ}
-ENV \
+RUN cd /opt/mastodon && \
-  # Configure the IP to bind Mastodon to when serving traffic
+  bundle config set --local deployment 'true' && \
-  BIND="0.0.0.0" \
+  bundle config set --local without 'development test' && \
-  # Use production settings for Yarn, Node.js and related tools
+  bundle config set silence_root_warning true && \
-  NODE_ENV="production" \
+	bundle install -j"$(nproc)" && \
-  # Use production settings for Ruby on Rails
+	yarn install --pure-lockfile
  RAILS_ENV="production" \
  # Add Ruby and Mastodon installation to the PATH
  DEBIAN_FRONTEND="noninteractive" \
  PATH="${PATH}:/opt/ruby/bin:/opt/mastodon/bin" \
  # Optimize jemalloc 5.x performance
  MALLOC_CONF="narenas:2,background_thread:true,thp:never,dirty_decay_ms:1000,muzzy_decay_ms:0" \
  # Enable libvips, should not be changed
  MASTODON_USE_LIBVIPS=true \
  # Sidekiq will touch tmp/sidekiq_process_has_started_and_will_begin_processing_jobs to indicate it is ready. This can be used for a readiness check in Kubernetes
  MASTODON_SIDEKIQ_READY_FILENAME=sidekiq_process_has_started_and_will_begin_processing_jobs
-# Set default shell used for running commands
+FROM ubuntu:20.04
 SHELL ["/bin/bash", "-o", "pipefail", "-o", "errexit", "-c"]
-ARG TARGETPLATFORM
+# Copy over all the langs needed for runtime
 COPY --from=build-dep /opt/node /opt/node
 COPY --from=build-dep /opt/ruby /opt/ruby
-RUN echo "Target platform is $TARGETPLATFORM"
+# Add more PATHs to the PATH
 ENV PATH="${PATH}:/opt/ruby/bin:/opt/node/bin:/opt/mastodon/bin"
-RUN \
+# Create the mastodon user
-  # Remove automatic apt cache Docker cleanup scripts
+ARG UID=991
-  rm -f /etc/apt/apt.conf.d/docker-clean; \
+ARG GID=991
-  # Sets timezone
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-  echo "${TZ}" > /etc/localtime; \
+RUN apt-get update && \
-  # Creates mastodon user/group and sets home directory
+	echo "Etc/UTC" > /etc/localtime && \
-  groupadd -g "${GID}" mastodon; \
+	apt-get install -y --no-install-recommends whois wget && \
-  useradd -l -u "${UID}" -g "${GID}" -m -d /opt/mastodon mastodon; \
+	addgroup --gid $GID mastodon && \
-  # Creates /mastodon symlink to /opt/mastodon
+	useradd -m -u $UID -g $GID -d /opt/mastodon mastodon && \
-  ln -s /opt/mastodon /mastodon;
+	echo "mastodon:$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 | mkpasswd -s -m sha-256)" | chpasswd && \
 	rm -rf /var/lib/apt/lists/*
-# Set /opt/mastodon as working directory
+# Install mastodon runtime deps
-WORKDIR /opt/mastodon
+RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
 RUN apt-get update && \
  apt-get -y --no-install-recommends install \
 	  libssl1.1 libpq5 imagemagick ffmpeg libjemalloc2 \
 	  libicu66 libidn11 libyaml-0-2 \
 	  file ca-certificates tzdata libreadline8 gcc tini apt-utils && \
 	ln -s /opt/mastodon /mastodon && \
 	gem install bundler && \
 	rm -rf /var/cache && \
 	rm -rf /var/lib/apt/lists/*
-# Add backport repository for some specific packages where we need the latest version
+# Copy over mastodon source, and dependencies from building, and set permissions
-RUN echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list
+COPY --chown=mastodon:mastodon . /opt/mastodon
 COPY --from=build-dep --chown=mastodon:mastodon /opt/mastodon /opt/mastodon
-# hadolint ignore=DL3008,DL3005
+# Run mastodon services in prod mode
-RUN \
+ENV RAILS_ENV="production"
-  # Mount Apt cache and lib directories from Docker buildx caches
+ENV NODE_ENV="production"
  --mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
  --mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
  # Apt update & upgrade to check for security updates to Debian image
  apt-get update; \
  apt-get dist-upgrade -yq; \
  # Install jemalloc, curl and other necessary components
  apt-get install -y --no-install-recommends \
  curl \
  file \
  libjemalloc2 \
  patchelf \
  procps \
  tini \
  tzdata \
  wget \
  ; \
  # Patch Ruby to use jemalloc
  patchelf --add-needed libjemalloc.so.2 /usr/local/bin/ruby; \
  # Discard patchelf after use
  apt-get purge -y \
  patchelf \
  ;
-# Create temporary build layer from base image
+# Tell rails to serve static files
-FROM ruby AS build
+ENV RAILS_SERVE_STATIC_FILES="true"
 ENV BIND="0.0.0.0"
-ARG TARGETPLATFORM
+# Set the run user
 # hadolint ignore=DL3008
 RUN \
  # Mount Apt cache and lib directories from Docker buildx caches
  --mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
  --mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
  # Install build tools and bundler dependencies from APT
  apt-get install -y --no-install-recommends \
  autoconf \
  automake \
  build-essential \
  cmake \
  git \
  libgdbm-dev \
  libglib2.0-dev \
  libgmp-dev \
  libicu-dev \
  libidn-dev \
  libpq-dev \
  libssl-dev \
  libtool \
  libyaml-dev \
  meson \
  nasm \
  pkg-config \
  shared-mime-info \
  xz-utils \
  # libvips components
  libcgif-dev \
  libexif-dev \
  libexpat1-dev \
  libgirepository1.0-dev \
  libheif-dev/bookworm-backports \
  libimagequant-dev \
  libjpeg62-turbo-dev \
  liblcms2-dev \
  liborc-dev \
  libspng-dev \
  libtiff-dev \
  libwebp-dev \
  # ffmpeg components
  libdav1d-dev \
  liblzma-dev \
  libmp3lame-dev \
  libopus-dev \
  libsnappy-dev \
  libvorbis-dev \
  libvpx-dev \
  libx264-dev \
  libx265-dev \
  ;
 # Create temporary libvips specific build layer from build layer
 FROM build AS libvips
 # libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
 # renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
 ARG VIPS_VERSION=8.17.1
 # libvips download URL, change with [--build-arg VIPS_URL="https://github.com/libvips/libvips/releases/download"]
 ARG VIPS_URL=https://github.com/libvips/libvips/releases/download
 WORKDIR /usr/local/libvips/src
 # Download and extract libvips source code
 ADD ${VIPS_URL}/v${VIPS_VERSION}/vips-${VIPS_VERSION}.tar.xz /usr/local/libvips/src/
 RUN tar xf vips-${VIPS_VERSION}.tar.xz;
 WORKDIR /usr/local/libvips/src/vips-${VIPS_VERSION}
 # Configure and compile libvips
 RUN \
  meson setup build --prefix /usr/local/libvips --libdir=lib -Ddeprecated=false -Dintrospection=disabled -Dmodules=disabled -Dexamples=false; \
  cd build; \
  ninja; \
  ninja install;
 # Create temporary ffmpeg specific build layer from build layer
 FROM build AS ffmpeg
 # ffmpeg version to compile, change with [--build-arg FFMPEG_VERSION="7.0.x"]
 # renovate: datasource=repology depName=ffmpeg packageName=openpkg_current/ffmpeg
 ARG FFMPEG_VERSION=7.1
 # ffmpeg download URL, change with [--build-arg FFMPEG_URL="https://ffmpeg.org/releases"]
 ARG FFMPEG_URL=https://ffmpeg.org/releases
 WORKDIR /usr/local/ffmpeg/src
 # Download and extract ffmpeg source code
 ADD ${FFMPEG_URL}/ffmpeg-${FFMPEG_VERSION}.tar.xz /usr/local/ffmpeg/src/
 RUN tar xf ffmpeg-${FFMPEG_VERSION}.tar.xz;
 WORKDIR /usr/local/ffmpeg/src/ffmpeg-${FFMPEG_VERSION}
 # Configure and compile ffmpeg
 RUN \
  ./configure \
  --prefix=/usr/local/ffmpeg \
  --toolchain=hardened \
  --disable-debug \
  --disable-devices \
  --disable-doc \
  --disable-ffplay \
  --disable-network \
  --disable-static \
  --enable-ffmpeg \
  --enable-ffprobe \
  --enable-gpl \
  --enable-libdav1d \
  --enable-libmp3lame \
  --enable-libopus \
  --enable-libsnappy \
  --enable-libvorbis \
  --enable-libvpx \
  --enable-libwebp \
  --enable-libx264 \
  --enable-libx265 \
  --enable-shared \
  --enable-version3 \
  ; \
  make -j$(nproc); \
  make install;
 # Create temporary bundler specific build layer from build layer
 FROM build AS bundler
 ARG TARGETPLATFORM
 # Copy Gemfile config into working directory
 COPY Gemfile* /opt/mastodon/
 RUN \
  # Mount Ruby Gem caches
  --mount=type=cache,id=gem-cache-${TARGETPLATFORM},target=/usr/local/bundle/cache/,sharing=locked \
  # Configure bundle to prevent changes to Gemfile and Gemfile.lock
  bundle config set --global frozen "true"; \
  # Configure bundle to not cache downloaded Gems
  bundle config set --global cache_all "false"; \
  # Configure bundle to only process production Gems
  bundle config set --local without "development test"; \
  # Configure bundle to not warn about root user
  bundle config set silence_root_warning "true"; \
  # Download and install required Gems
  bundle install -j"$(nproc)";
 # Create temporary assets build layer from build layer
 FROM build AS precompiler
 ARG TARGETPLATFORM
 # Copy Mastodon sources into layer
 COPY . /opt/mastodon/
 # Copy Node.js binaries/libraries into layer
 COPY --from=node /usr/local/bin /usr/local/bin
 COPY --from=node /usr/local/lib /usr/local/lib
 RUN \
  # Configure Corepack
  rm /usr/local/bin/yarn*; \
  corepack enable; \
  corepack prepare --activate;
 # hadolint ignore=DL3008
 RUN \
  --mount=type=cache,id=corepack-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/corepack,sharing=locked \
  --mount=type=cache,id=yarn-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/yarn,sharing=locked \
  # Install Node.js packages
  yarn workspaces focus --production @mastodon/mastodon;
 # Copy libvips components into layer for precompiler
 COPY --from=libvips /usr/local/libvips/bin /usr/local/bin
 COPY --from=libvips /usr/local/libvips/lib /usr/local/lib
 # Copy bundler packages into layer for precompiler
 COPY --from=bundler /opt/mastodon /opt/mastodon/
 COPY --from=bundler /usr/local/bundle/ /usr/local/bundle/
 RUN \
  ldconfig; \
  # Use Ruby on Rails to create Mastodon assets
  SECRET_KEY_BASE_DUMMY=1 \
  bundle exec rails assets:precompile; \
  # Cleanup temporary files
  rm -fr /opt/mastodon/tmp;
 # Prep final Mastodon Ruby layer
 FROM ruby AS mastodon
 ARG TARGETPLATFORM
 # hadolint ignore=DL3008
 RUN \
  # Mount Apt cache and lib directories from Docker buildx caches
  --mount=type=cache,id=apt-cache-${TARGETPLATFORM},target=/var/cache/apt,sharing=locked \
  --mount=type=cache,id=apt-lib-${TARGETPLATFORM},target=/var/lib/apt,sharing=locked \
  # Mount Corepack and Yarn caches from Docker buildx caches
  --mount=type=cache,id=corepack-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/corepack,sharing=locked \
  --mount=type=cache,id=yarn-cache-${TARGETPLATFORM},target=/usr/local/share/.cache/yarn,sharing=locked \
  # Apt update install non-dev versions of necessary components
  apt-get install -y --no-install-recommends \
  libexpat1 \
  libglib2.0-0 \
  libicu72 \
  libidn12 \
  libpq5 \
  libreadline8 \
  libssl3 \
  libyaml-0-2 \
  # libvips components
  libcgif0 \
  libexif12 \
  libheif1/bookworm-backports \
  libimagequant0 \
  libjpeg62-turbo \
  liblcms2-2 \
  liborc-0.4-0 \
  libspng0 \
  libtiff6 \
  libwebp7 \
  libwebpdemux2 \
  libwebpmux3 \
  # ffmpeg components
  libdav1d6 \
  libmp3lame0 \
  libopencore-amrnb0 \
  libopencore-amrwb0 \
  libopus0 \
  libsnappy1v5 \
  libtheora0 \
  libvorbis0a \
  libvorbisenc2 \
  libvorbisfile3 \
  libvpx7 \
  libx264-164 \
  libx265-199 \
  ;
 # Copy Mastodon sources into final layer
 COPY . /opt/mastodon/
 # Copy compiled assets to layer
 COPY --from=precompiler /opt/mastodon/public/packs /opt/mastodon/public/packs
 COPY --from=precompiler /opt/mastodon/public/assets /opt/mastodon/public/assets
 # Copy bundler components to layer
 COPY --from=bundler /usr/local/bundle/ /usr/local/bundle/
 # Copy libvips components to layer
 COPY --from=libvips /usr/local/libvips/bin /usr/local/bin
 COPY --from=libvips /usr/local/libvips/lib /usr/local/lib
 # Copy ffpmeg components to layer
 COPY --from=ffmpeg /usr/local/ffmpeg/bin /usr/local/bin
 COPY --from=ffmpeg /usr/local/ffmpeg/lib /usr/local/lib
 RUN \
  ldconfig; \
  # Smoketest media processors
  vips -v; \
  ffmpeg -version; \
  ffprobe -version;
 RUN \
  # Precompile bootsnap code for faster Rails startup
  bundle exec bootsnap precompile --gemfile app/ lib/;
 RUN \
  # Pre-create and chown system volume to Mastodon user
  mkdir -p /opt/mastodon/public/system; \
  chown mastodon:mastodon /opt/mastodon/public/system; \
  # Set Mastodon user as owner of tmp folder
  chown -R mastodon:mastodon /opt/mastodon/tmp;
 # Set the running user for resulting container
 USER mastodon
-# Expose default Puma ports
+
-EXPOSE 3000
+# Precompile assets
-# Set container tini as default entry point
+RUN cd ~ && \
 	OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
 	yarn cache clean
 # Set the work dir and the container entry point
 WORKDIR /opt/mastodon
 ENTRYPOINT ["/usr/bin/tini", "--"]
 EXPOSE 3000 4000
--- a/FEDERATION.md
+++ b/FEDERATION.md
@ -1,36 +1,19 @@
-# Federation
+## ActivityPub federation in Mastodon
 ## Supported federation protocols and standards
 - [ActivityPub](https://www.w3.org/TR/activitypub/) (Server-to-Server)
 - [WebFinger](https://webfinger.net/)
 - [Http Signatures](https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures)
 - [NodeInfo](https://nodeinfo.diaspora.software/)
 ## Supported FEPs
 - [FEP-67ff: FEDERATION.md](https://codeberg.org/fediverse/fep/src/branch/main/fep/67ff/fep-67ff.md)
 - [FEP-f1d5: NodeInfo in Fediverse Software](https://codeberg.org/fediverse/fep/src/branch/main/fep/f1d5/fep-f1d5.md)
 - [FEP-8fcf: Followers collection synchronization across servers](https://codeberg.org/fediverse/fep/src/branch/main/fep/8fcf/fep-8fcf.md)
 - [FEP-5feb: Search indexing consent for actors](https://codeberg.org/fediverse/fep/src/branch/main/fep/5feb/fep-5feb.md)
 - [FEP-044f: Consent-respecting quote posts](https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md): partial support for incoming quote-posts
 ## ActivityPub in Mastodon
 Mastodon largely follows the ActivityPub server-to-server specification but it makes uses of some non-standard extensions, some of which are required for interacting with Mastodon at all.
- [Supported ActivityPub vocabulary](https://docs.joinmastodon.org/spec/activitypub/)
+Supported vocabulary: https://docs.joinmastodon.org/spec/activitypub/
 ### Required extensions
-#### WebFinger
+#### Webfinger
 In Mastodon, users are identified by a `username` and `domain` pair (e.g., `Gargron@mastodon.social`).
 This is used both for discovery and for unambiguously mentioning users across the fediverse. Furthermore, this is part of Mastodon's database design from its very beginnings.
 As a result, Mastodon requires that each ActivityPub actor uniquely maps back to an `acct:` URI that can be resolved via WebFinger.
- [WebFinger information and examples](https://docs.joinmastodon.org/spec/webfinger/)
+More information and examples are available at: https://docs.joinmastodon.org/spec/webfinger/
 #### HTTP Signatures
@ -38,13 +21,10 @@ In order to authenticate activities, Mastodon relies on HTTP Signatures, signing
 Mastodon requires all `POST` requests to be signed, and MAY require `GET` requests to be signed, depending on the configuration of the Mastodon server.
- [HTTP Signatures information and examples](https://docs.joinmastodon.org/spec/security/#http)
+More information on HTTP Signatures, as well as examples, can be found here: https://docs.joinmastodon.org/spec/security/#http
 ### Optional extensions
- [Linked-Data Signatures](https://docs.joinmastodon.org/spec/security/#ld)
+- Linked-Data Signatures: https://docs.joinmastodon.org/spec/security/#ld
- [Bearcaps](https://docs.joinmastodon.org/spec/bearcaps/)
+- Bearcaps: https://docs.joinmastodon.org/spec/bearcaps/
-
+- Followers collection synchronization: https://git.activitypub.dev/ActivityPubDev/Fediverse-Enhancement-Proposals/src/branch/main/feps/fep-8fcf.md
 ### Additional documentation
 - [Mastodon documentation](https://docs.joinmastodon.org/)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Claire	44c265e4c7	Bump version to v3.5.18	2024-02-14 15:17:48 +01:00
Claire	4a57e44809	Merge pull request from GHSA-vm39-j3vx-pch3 * Prevent different identities from a same SSO provider from accessing a same account * Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true` * Rename methods to avoid confusion between OAuth and OmniAuth	2024-02-14 15:16:07 +01:00
Claire	47c6079d8d	Merge pull request from GHSA-7w3c-p9j8-mq3x * Ensure destruction of OAuth Applications notifies streaming Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens. * Ensure password resets revoke access to Streaming API * Improve performance of deleting OAuth tokens --------- Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>	2024-02-14 15:15:34 +01:00
Claire	69205dff9a	Add `sidekiq_unique_jobs:delete_all_locks` task and disable `sidekiq-unique-jobs` UI by default (#29199 )	2024-02-14 13:18:08 +01:00
Emelia Smith	d187195f2c	Disable administrative doorkeeper routes (#29187 )	2024-02-14 12:13:33 +01:00
blah	3387868dd9	Update dependency sidekiq-unique-jobs to 7.1.33	2024-02-14 12:13:33 +01:00
blah	3ba6ed76ea	Update dependency nokogiri to 1.16.2	2024-02-14 12:13:33 +01:00
Claire	b1ed009c65	Merge pull request from GHSA-3fjr-858r-92rw * Fix insufficient origin validation * Bump version to v3.5.17	2024-02-01 15:56:46 +01:00
Claire	35f21191ee	Bump version to v3.5.16	2023-12-04 15:27:44 +01:00
Claire	2ffce0d5f7	Fix processing LDSigned activities from actors with unknown public keys (#27474 )	2023-12-04 15:27:44 +01:00
Claire	688defd60d	Change GIF max matrix size error to explicitly mention GIF files (#27927 )	2023-12-04 15:27:44 +01:00
Jonathan de Jong	d9b05f6860	Have `Follow` activities bypass availability (#27586 ) Co-authored-by: Claire <claire.github-309c@sitedethib.com>	2023-12-04 15:27:44 +01:00
Claire	f3fd8d8695	Clamp dates when serializing to Elasticsearch API (#28081 )	2023-12-04 15:27:44 +01:00
Claire	49693fe42f	Fix incoming status creation date not being restricted to standard ISO8601 (#27655 )	2023-12-04 15:27:44 +01:00
Claire	16262f815d	Fix posts from force-sensitized accounts being able to trend (#27620 )	2023-12-04 15:27:44 +01:00
Claire	d4e0a12b27	Change Content-Security-Policy to be tighter on media paths (#26889 )	2023-12-04 15:27:44 +01:00
Claire	db59d8486b	Bump version to v3.5.15	2023-10-10 13:50:10 +02:00
Matt Jankowski	7fb3ee0bc6	Dont match mention in url query string (#25656 ) Co-authored-by: Claire <claire.github-309c@sitedethib.com>	2023-10-10 13:50:10 +02:00
David Aaron	9bd027823d	Change min age of backup policy from 1 week to 6 days (#27200 )	2023-10-10 13:50:10 +02:00
Jakob Gillich	57d4d46050	Fix importer returning negative row estimates (#27258 )	2023-10-10 13:50:10 +02:00
Claire	c91116f780	Fix filtering audit log for entries about disabling 2FA (#27186 )	2023-10-10 13:50:10 +02:00
Essem	f45b5f5006	Properly remove tIME chunk from PNG uploads (#27111 )	2023-10-10 13:50:10 +02:00
Claire	47441e51f3	Fix crash when filtering for “dormant” relationships (#27306 )	2023-10-10 13:50:10 +02:00
Claire	af02650322	Fix inefficient queries in “Follows and followers” as well as several admin pages (#27116 )	2023-10-10 13:50:10 +02:00
Claire	75346a71f7	Bump version to v3.5.14	2023-09-19 17:01:17 +02:00
Claire	49af3e26dc	Fix moderator rights inconsistencies (#26729 )	2023-09-19 17:01:17 +02:00
Claire	412c3e13ec	Fix crash when encountering invalid URL (#26814 )	2023-09-19 17:01:17 +02:00
Claire	31c5e63a58	Fix cached posts including stale stats (#26409 )	2023-09-19 17:01:17 +02:00
Nicolai Søborg	e8eeb746ac	Fix `frame_rate` for videos where `ffprobe` reports 0/0 (#26500 )	2023-09-19 17:01:17 +02:00
yufushiro	0158c31c02	Fix unexpected audio stream transcoding when uploaded video is eligible to passthrough (#26608 ) Co-authored-by: Claire <claire.github-309c@sitedethib.com>	2023-09-19 17:01:17 +02:00
Claire	9deb178126	Merge pull request from GHSA-v3xf-c9qf-j667	2023-09-19 16:53:58 +02:00
Claire	8e6fe19225	Change Dockerfile to upgrade packages when building (#26931 ) Co-authored-by: Renaud Chaput <renchap@gmail.com>	2023-09-18 08:31:53 +02:00
Claire	4eb709ea7e	Update actions for stable-3.5 (#26804 ) Co-authored-by: Renaud Chaput <renchap@gmail.com>	2023-09-06 09:18:28 +02:00
Claire	86a31fc019	Fix Dockerfile installing incompatible npm version (#26803 )	2023-09-05 17:46:39 +02:00
Claire	16e47e1aae	Bump version to v3.5.13	2023-09-05 17:22:43 +02:00
Emelia Smith	dcffd6b3d7	Allow reports with long comments from remote instances, but truncate (#25028 )	2023-09-05 17:22:43 +02:00
Daniel M Brasil	8de0f7e198	Fix `/api/v1/timelines/tag/:hashtag` allowing for unauthenticated access when public preview is disabled (#26237 )	2023-09-05 17:22:43 +02:00
Claire	e37551421e	Fix blocking subdomains of an already-blocked domain (#26392 )	2023-09-05 17:22:43 +02:00
Claire	2e0eab9d18	Change text extraction in `PlainTextFormatter` to be faster (#26727 )	2023-09-05 17:22:43 +02:00
Claire	ce75c175cd	Backport container build changes to the stable-3.5 branch (#26742 ) Co-authored-by: Renaud Chaput <renchap@gmail.com>	2023-08-31 19:54:17 +02:00
Claire	a3d31ffc1e	Bump version to v3.5.12	2023-07-31 14:33:27 +02:00
Emelia Smith	50f4af28b0	Fix: Streaming server memory leak in HTTP EventSource cleanup (#26228 )	2023-07-31 14:33:27 +02:00
Claire	e655b35d7e	Fix incorrect connect timeout in outgoing requests (#26116 )	2023-07-31 14:33:27 +02:00
Claire	80c00f4aa5	Bump version to v3.5.11	2023-07-21 16:07:24 +02:00
Claire	1a0192537d	Add check preventing Sidekiq workers from running with Makara configured (#25850 ) Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>	2023-07-21 16:07:24 +02:00
Claire	668cd00e13	Fix testsuite failure introduced in last release	2023-07-21 16:07:24 +02:00
Claire	0bd52de492	Fix CSP headers being unintendedly wide (#26105 )	2023-07-21 16:07:24 +02:00
Claire	ced65ffbb4	Change request timeout handling to use a longer deadline (#26055 )	2023-07-21 16:07:24 +02:00
Claire	6398fc0b66	Fix moderation interface for remote instances with a .zip TLD (#25885 )	2023-07-21 16:07:24 +02:00
Claire	7709bbba65	Fix remote accounts being possibly persisted to database with incomplete protocol values (#25886 )	2023-07-21 16:07:24 +02:00
Michael Stanclift	4f6d121b24	Fix trending publishers table not rendering correctly on narrow screens (#25945 )	2023-07-21 16:07:24 +02:00
Claire	687421ebbe	Bump version to v3.5.10	2023-07-07 19:35:24 +02:00
Claire	517c4a8a7a	Fix processing of media files with unusual names (#25788 )	2023-07-07 19:35:24 +02:00
Claire	dca0d8427e	Fix crash in admin interface when viewing a remote user with verified links (#25796 )	2023-07-07 19:35:24 +02:00
Claire	b10c974ba1	Bump version to v3.5.9	2023-07-06 15:08:10 +02:00
Claire	ca4b23bf0d	Merge pull request from GHSA-55j9-c3mp-6fcq	2023-07-06 15:06:49 +02:00
Claire	32e5a9f053	Merge pull request from GHSA-9pxv-6qvf-pjwc * Fix timeout handling of outbound HTTP requests * Use CLOCK_MONOTONIC instead of Time.now	2023-07-06 15:06:24 +02:00
Claire	987f909994	Merge pull request from GHSA-9928-3cp5-93fm * Fix attachments getting processed despite failing content-type validation * Add a restrictive ImageMagick security policy tailored for Mastodon * Fix misdetection of MP3 files with large cover art * Reject unprocessable audio/video files instead of keeping them unchanged	2023-07-06 15:05:05 +02:00
Claire	c02fa93c57	Merge pull request from GHSA-ccm4-vgcc-73hp * Tighten allowed HTML in oEmbed-based preview cards * Sanitize preview cards at render time * Add `sandbox` attribute to preview card iframes	2023-07-06 15:03:33 +02:00
Claire	c309011346	Add hardened headers to user-uploaded files	2023-07-06 14:34:59 +02:00
Claire	6b538225af	Update rack, rails, nokogiri, omniauth, sanitize and doorkeeper gems	2023-07-06 13:46:21 +02:00
Renaud Chaput	3c72c7b34e	Allow carets in URL search params (#25216 )	2023-07-06 13:46:21 +02:00
Vyr Cossont	07f60ffcbb	Fix Redis client and type errors introduced in #24285 (#24342 )	2023-07-06 13:46:21 +02:00
Vyr Cossont	c1467453f6	IndexingScheduler: fetch and import in batches (#24285 ) Co-authored-by: Claire <claire.github-309c@sitedethib.com>	2023-07-06 13:46:21 +02:00
Emelia Smith	00e65a77df	Prevent UserCleanupScheduler from overwhelming streaming (#25519 )	2023-07-06 13:46:21 +02:00
Daniel M Brasil	f9521bc2b5	Fix incorrect pagination headers in `/api/v2/admin/accounts` (#25477 )	2023-07-06 13:46:21 +02:00
Emelia Smith	e4bff6cd76	Fix logging of messages that are binary before closing their connection (#25361 )	2023-07-06 13:46:21 +02:00
Emelia Smith	6f819c7071	Fix performance of streaming by parsing message JSON once (#25278 )	2023-07-06 13:46:21 +02:00
Claire	4aa1c4e2ad	Fix CSP headers when S3_ALIAS_HOST includes a path component (#25273 )	2023-07-06 13:46:21 +02:00
Daniel M Brasil	176ae71fd4	Fix `tootctl accounts approve --number N` not aproving N earliest registrations (#24605 )	2023-07-06 13:46:21 +02:00
Claire	feac95333f	Change profile updates to be sent to recently-mentioned servers (#24852 )	2023-07-06 13:46:21 +02:00
Claire	bb1e7e112e	Fix being able to vote on your own polls (#25015 )	2023-07-06 13:46:21 +02:00
Claire	e233060ea5	Fix race condition when reblogging a status (#25016 )	2023-07-06 13:46:21 +02:00
Claire	3faebae2d1	Change OpenGraph-based embeds to allow fullscreen (#25058 )	2023-07-06 13:46:21 +02:00
Claire	95f59da157	Fix “Authorized applications” inefficiently and incorrectly getting last use date (#25060 )	2023-07-06 13:46:21 +02:00
Claire	6f94b4ae19	Remove invalid X-Frame-Options: ALLOWALL (#25070 )	2023-07-06 13:46:21 +02:00
Claire	283184b390	Change Identity to not destroy associated User on destroy (#25098 )	2023-07-06 13:46:21 +02:00
Claire	d54980ef2d	Fix /api/v1/conversations sometimes returning empty accounts (#25499 )	2023-07-06 13:46:21 +02:00
Claire	08579976e0	Fix ArgumentError when loading newer Private Mentions (#25399 )	2023-07-06 13:46:21 +02:00
Claire	ff3f40a675	Fix multiple N+1s in ConversationsController (#25134 )	2023-07-06 13:46:21 +02:00
Claire	0dce749192	Fix user archive takeouts when using OpenStack Swift (#24431 )	2023-07-06 13:46:21 +02:00
Claire	1bd831b9a9	Bump version to v3.5.8	2023-04-04 12:38:58 +02:00
Claire	55144262d0	Fix unescaped user input in LDAP query (#24379 ) Fix CVE-2023-28853	2023-04-04 12:38:58 +02:00
Claire	40438675f8	Change root Chewy strategy to emit a warning instead of erroring out in production mode (#24327 )	2023-04-04 12:38:58 +02:00
Claire	0f4c908b64	Fix invalid/expired invites being processed on sign-up (#24337 )	2023-04-04 12:38:58 +02:00
Sai	3eb5b47768	Upgrade Ruby to 3.0.6 (#24332 )	2023-04-04 12:38:58 +02:00
Robert R George	520e9cc765	Wrap db:setup with Chewy.strategy(:mastodon) (#24302 )	2023-04-04 12:38:58 +02:00
Claire	d25493e262	Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support (#24200 )	2023-04-04 12:38:58 +02:00
Claire	3d67a9329e	Fix crash in `tootctl` commands making use of parallelization when Elasticsearch is enabled (#24182 )	2023-04-04 12:38:58 +02:00
Claire	547634dfa6	Bump version to v3.5.7	2023-03-16 22:50:15 +01:00
Claire	f90daf58db	Add warning for object storage misconfiguration (#24137 )	2023-03-16 22:50:15 +01:00
Eugen Rochko	a42b48ea4e	Change user backups to use expiring URLs for download when possible (#24136 )	2023-03-16 22:50:15 +01:00
Claire	251dd0b72b	Update changelog	2023-03-16 22:05:39 +01:00
Nick Schonning	18840cbc6e	Skip pushing containers on forks (#24106 )	2023-03-16 13:40:56 +01:00
Renaud Chaput	727126255a	Use Github Container Registry as the official container image source (#24113 )	2023-03-16 13:40:55 +01:00
Nick Schonning	98d654b8bb	Skip Docker CI Login/Push on forks (#23564 )	2023-03-16 13:39:59 +01:00
Renaud Chaput	25c517144c	Push Docker images to Github Container Registry as well (#24101 )	2023-03-16 13:39:58 +01:00
Claire	f036546c22	Fix misleading error code when receiving invalid WebAuthn credentials (#23568 )	2023-03-16 12:34:43 +01:00
Claire	9256d653a5	Fix incorrect post links in strikes when the account is remote (#23611 )	2023-03-16 12:34:37 +01:00
Jeremy Kescher	d0c0808ad4	Add null check on application in dispute viewer (#19851 )	2023-03-16 12:33:09 +01:00
Claire	cb622b23b1	Fix dashboard crash on ElasticSearch server error (#23751 )	2023-03-16 12:31:20 +01:00
Claire	fe866f8afb	Update changelog	2023-03-14 11:46:12 +01:00
Claire	a1e765991e	Add mail headers to avoid auto-replies (#23597 )	2023-03-14 11:46:12 +01:00
Claire	76b9f42712	Add `lang` tag to native language names in language picker (#23749 )	2023-03-14 11:46:12 +01:00
Claire	708e590117	Fix sidekiq jobs not triggering Elasticsearch index updates (#24046 )	2023-03-14 11:46:12 +01:00
Rodion Borisov	a717aa929c	Center the text itself in upload area (#24029 )	2023-03-14 11:46:12 +01:00
Claire	bbb7c54367	Fix `/api/v1/streaming` sub-paths not being redirected (#23988 )	2023-03-14 11:46:12 +01:00
Eugen Rochko	282596a66e	Fix pgBouncer resetting application name on every transaction (#23958 )	2023-03-14 11:46:12 +01:00
Claire	e6f6fe6106	Fix original account being unfollowed on migration before the follow request could be sent (#21957 )	2023-03-14 11:46:12 +01:00
Claire	86b1adf7d7	Fix unconfirmed accounts being registered as active users (#23803 )	2023-03-14 10:26:38 +01:00
Claire	4beeec4e50	Fix server error when failing to follow back followers from `/relationships` (#23787 )	2023-03-14 10:26:23 +01:00
Claire	3c44ba0411	Fix inefficiency when searching accounts per username in admin interface (#23801 )	2023-03-14 10:26:14 +01:00
Dean Bassett	339d4fa61c	Fix case-sensitive check for previously used hashtags (#23526 )	2023-03-14 10:25:48 +01:00
Claire	62f0eab635	Fix “Remove all followers from the selected domains” being more destructive than it claims (#23805 )	2023-03-14 10:25:38 +01:00
Claire	8c8d578e38	Bump version to 3.5.6 (#23493 )	2023-02-10 22:18:15 +01:00
Claire	a8a3e86216	Fix unbounded recursion in post discovery (#23507 ) * Add a limit to how many posts can get fetched as a result of a single request * Add tests * Always pass `request_id` when processing `Announce` activities --------- Co-authored-by: nametoolong <nametoolong@users.noreply.github.com>	2023-02-10 22:16:47 +01:00
Claire	be1caad933	Fix REST API serializer for Account not including `moved` when the moved account has itself moved (#22483 ) (#23492 ) Instead of cutting immediately, cut after one recursion.	2023-02-09 21:02:09 +01:00
Claire	84a40824ad	Fix sanitizer parsing link text as HTML when stripping unsupported links (#22558 ) (#23491 )	2023-02-09 21:02:01 +01:00
Claire	533bf92d21	Don't delivery a reply to domains which are blocked by author (#22117 ) (#23490 ) Co-authored-by: Jeong Arm <kjwonmail@gmail.com>	2023-02-09 21:01:53 +01:00
Claire	6a2b48190c	Log admin approve and reject account (#22088 ) (#23488 ) * Log admin approve and reject account * Add unit tests for approve and reject logging Co-authored-by: Francis Murillo <evacuee.overlap.vs3op@aleeas.com>	2023-02-09 21:01:45 +01:00
Claire	6cbc589990	Fix `UserCleanupScheduler` crash when an unconfirmed account has a moderation note (#23318 ) (#23487 ) * Fix `UserCleanupScheduler` crash when an unconfirmed account has a moderation note * Add tests	2023-02-09 21:01:38 +01:00
Claire	a2bfb16cb8	Fix crash when marking statuses as sensitive while some statuses are deleted (#22134 ) (#23486 ) * Do not offer to mark statuses as sensitive if there is no undeleted status with media attachments * Fix crash when marking statuses as sensitive while some statuses are deleted Fixes #21910 * Fix multiple strikes being created for a single report when selecting “Mark as sensitive” * Add tests	2023-02-09 21:01:21 +01:00
Claire	cfc0507010	Fix attachments of edited statuses not being fetched (#21565 ) (#23485 ) * Fix attachments of edited statuses not being fetched * Fix tests	2023-02-09 20:57:31 +01:00
Claire	eade64097c	Clear voter count when poll is reset (#21700 ) (#23484 ) When a poll is edited, we reset the poll and remove all previous votes. However, prior to this commit, the voter count on the poll was not reset. This leads to incorrect percentages being shown in poll results. Fixes #21696 Co-authored-by: afontenot <adam.m.fontenot@gmail.com>	2023-02-09 20:57:24 +01:00
Claire	1f0be21317	Fix some performance issues with /admin/instances (#21907 ) (#23483 ) /admin/instances?availability=failing remains wholly unefficient	2023-02-09 20:57:14 +01:00
Claire	0ca877f084	Fix possible race conditions when suspending/unsuspending accounts (#22363 ) (#23482 ) * Fix possible race conditions when suspending/unsuspending accounts * Fix tests Tests were assuming SuspensionWorker and UnsuspensionWorker would do the suspending/unsuspending themselves, but this has changed.	2023-02-09 20:57:06 +01:00
Claire	cc233af129	Fix suspension worker crashing on S3-compatible setups without ACL support (#22487 ) (#23481 )	2023-02-09 20:56:58 +01:00
Claire	83f1c6460a	Fix changing domain block severity not undoing individual account effects (#22135 ) (#23480 ) * Fix changing domain block severity not undoing individual account effects Fixes #22133 * Add tests	2023-02-09 20:56:49 +01:00
Claire	e26dd2ea8f	Add `form-action` CSP directive (#23478 ) * Add form-action CSP directive (#20781) * Fix OAuth flow being broken by recent CSP change (#20958) * Fix form-action CSP directive for external login (#20962)	2023-02-09 20:56:37 +01:00
Claire	da5d81c90d	Fix CircleCI issues caused by Node and OpenSSL versions (#23489 ) Co-authored-by: mhkhung <mhkhung@gmail.com>	2023-02-09 18:34:19 +01:00
Claire	ee66f5790f	Fix unbounded recursion in account discovery (v3.5 backport) (#22026 ) * Fix trying to fetch posts from other users when fetching featured posts * Rate-limit discovery of new subdomains * Put a limit on recursively discovering new accounts	2022-12-15 19:21:17 +01:00
Claire	696f7b3608	Bump version to 3.5.5	2022-11-14 22:26:24 +01:00
Claire	b22e1476ca	Fix nodes order being sometimes mangled when rewriting emoji (#20677 ) * Fix front-end emoji tests * Fix nodes order being sometimes mangled when rewriting emoji	2022-11-14 22:20:29 +01:00
Claire	105ab82425	Bump version to 3.5.4	2022-11-14 20:09:16 +01:00
Claire	2dd8f977e8	Fix emoji substitution not applying only to text nodes in backend code Signed-off-by: Claire <claire.github-309c@sitedethib.com>	2022-11-14 11:20:41 +01:00
Claire	2db06e1d08	Fix emoji substitution not applying only to text nodes in Web UI Signed-off-by: Claire <claire.github-309c@sitedethib.com>	2022-11-14 11:20:41 +01:00
Eugen Rochko	063579373e	Fix rate limiting for paths with formats	2022-11-14 11:20:41 +01:00
Pierre Bourdon	1659788de4	blurhash_transcoder: prevent out-of-bound reads with <8bpp images (#20388 ) The Blurhash library used by Mastodon requires an input encoded as 24 bits raw RGB data. The conversion to raw RGB using Imagemagick did not previously specify the desired bit depth. In some situations, this leads Imagemagick to output in a pixel format using less bpp than expected. This then manifested as segfaults of the Sidekiq process due to out-of-bounds read, or potentially a (highly noisy) memory infoleak. Fixes #19235.	2022-11-14 11:20:41 +01:00
Claire	47eaf85f02	Fix crash when a remote Flag activity mentions a private post (#18760 ) * Add tests * Fix crash when a remote Flag activity mentions a private post	2022-11-14 11:20:41 +01:00
		`@ -0,0 +1 @@`
							`LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/.apt/lib/x86_64-linux-gnu:/app/.apt/usr/lib/x86_64-linux-gnu/mesa:/app/.apt/usr/lib/x86_64-linux-gnu/pulseaudio`