Commit Graph

8172 Commits

Author SHA1 Message Date
Mike Dalessio 2716368769 Remove the rails credentials from .gitattributes
because they make historical diffs very slow when searching history
with git pickaxe et al
2025-12-11 17:28:22 -05:00
Mike Dalessio cd487a7409 Merge pull request #2091 from basecamp/flavorjones/fix-redirect-from-active-storage-controllers
Explicitly use main_app for URL helpers
2025-12-11 13:07:44 -05:00
Mike Dalessio 679a073c6b Add test coverage for the require_unauthenticated_access redirect 2025-12-11 13:02:54 -05:00
Mike Dalessio 3d523b84fc Explicitly use main_app for URL helpers
in controller concerns that are mixed into other engines' controllers. This prevents errors like:

> NoMethodError: undefined method 'session_menu_url' for an instance of ActiveStorage::DirectUploadsController

See also 912bb8a8 and 5ee10800
2025-12-11 12:55:32 -05:00
Fernando Álvarez ef3c49d9ad Bump fizzy-saas
Related to updating URL on staging environment.
2025-12-11 18:26:01 +01:00
Zoltan Hosszu 761fd8ccfb Make list style same for every indentation
Adds 'list-style: disc' to ordered and unordered lists in rich-text-content.css to ensure consistent bullet styling.
2025-12-11 18:11:50 +01:00
Jason Zimdars 2a17976f9c Merge pull request #1972 from viniciussoares/fix/auto-close-knob-bug-ios-safari
Fix auto-close knob showing range thumb on iOS Safari
2025-12-11 11:05:25 -06:00
Kevin McConnell ddf4d2454d Merge pull request #2085 from basecamp/gemfile-lock-fix
Update Gemfile.saas.lock
2025-12-11 16:10:54 +00:00
Andy Smith 00d870c502 Merge pull request #2061 from nqst/blank-slates-updates
Blank slate adjustments
2025-12-11 10:08:56 -06:00
Kevin McConnell 4edd49374a Update Gemfile.saas.lock
To bring in line with change in [36419c3600]
2025-12-11 16:04:55 +00:00
Jason Zimdars 1e59bc9f6f Merge pull request #2023 from basecamp/theme-switcher-revised
Theme switcher revised
2025-12-11 09:46:11 -06:00
Jason Zimdars 941ce1f775 Need to use has*Target to check for optional static targets to prevent console errors 2025-12-11 09:38:34 -06:00
Jason Zimdars 2a0cf4efe9 Turn #theme into a proper setter 2025-12-11 09:31:12 -06:00
Jason Zimdars 21586291fa Prefer normal if/else conditional 2025-12-11 08:59:13 -06:00
Thiago Youssef 36419c3600 Bump rails version to remove svg renderer patch (#2081) 2025-12-11 15:15:54 +01:00
Kevin McConnell 193a28f6c8 Merge pull request #2035 from harisadam/single_tenant
Add env-configurable option to disable public signups
2025-12-11 13:08:19 +00:00
Kevin McConnell 05d176cc31 Test that sign in respects single tenant state 2025-12-11 12:49:03 +00:00
Kevin McConnell 3f2938dd8e Bump fizzy-saas to set config option 2025-12-11 12:24:59 +00:00
Stanko Krtalić f89838ba96 Merge pull request #2079 from basecamp/fix-direct-uploads-via-api
Fix direct uploads via API
2025-12-11 13:04:58 +01:00
Kevin McConnell 06bfe2c982 Scope the config option
Also use a `configure` block to set it up.
2025-12-11 11:28:32 +00:00
Kevin McConnell dece2d08d1 Update namespacing & naming 2025-12-11 11:21:09 +00:00
Kevin McConnell 5d2ca6759d Naming 2025-12-11 11:20:43 +00:00
Kevin McConnell cad1e97e8a Don't need to call this out 2025-12-11 11:20:43 +00:00
Kevin McConnell 0e443d3602 Use initializer to configure tenant mode 2025-12-11 11:20:43 +00:00
Kevin McConnell a5580666a7 Single tenant by default & update tests 2025-12-11 11:20:43 +00:00
Stanko K.R. fb77d85b0d Explain that the upload URL is account-scope 2025-12-11 12:00:51 +01:00
Stanko K.R. 5ee10800a2 Allow direct uploads via API 2025-12-11 11:52:38 +01:00
Jorge Manrubia dcdd8537af Merge pull request #2066 from basecamp/text-change-for-golden-tickets
Update tip text for turning a card into a Golden Ticket
2025-12-11 07:36:22 +01:00
Adam Haris f76309d116 Merge branch 'main' into single_tenant 2025-12-11 06:08:01 +01:00
Jeremy Daer 5d181af391 Storage: ignore jobs for now-deleted targets 2025-12-10 20:13:19 -08:00
Jankees van Woezik 477b4d65f2 API: Support created_at for API card and comment creation (#2056)
* Add support to set `created_at`

Discussed in
https://github.com/basecamp/fizzy/pull/1766#issuecomment-3637846074,
this allows users to import cards from another system with entries from
the past. For instance I'm importing all our Github issues (including
the closed onces) to Fizzy.

* Iron out published state tracking

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-10 19:57:38 -08:00
Jeremy Daer 90452a4236 Enforce CSP (#2070) 2025-12-10 17:55:02 -08:00
Jeremy Daer 22da6dc19d CSP: full config with env vars per source (#2069)
* Configure all sources with CSP_* vars. Space separated source list.
* Fall back to `config.x.content_security_policy.*`
* Move our sources to fizzy-saas

References https://github.com/basecamp/fizzy-saas/pull/24
2025-12-10 17:21:09 -08:00
Jeremy Daer 761d0b4a76 Speedy, auditable, deadlock-resistant storage tracking (#2026)
An append-only storage ledger replaces deadlock-prone synchronous
counter updates and drift-prone async updates.

All content storage (card images, card/comment/board description embeds)
is tracked. Account exports (which expire) and avatars are not tracked.

Storage is accounted for by Account and Board. Both consume the same
event stream independently: no bubble-up storage bumps triggering
deadlocks due to lock sequencing. Each calculates its own total from
the underlying ledger with independent cursors and materialization.

* Storage::Entry: Append-only ledger recording attach/detach/transfer
  events with delta bytes. Single event stream indexed for both
  Account and Board cursor queries.

* Storage::Total: Polymorphic snapshot cache with cursor (last_entry_id)
  tracking which entries have been materialized.

* Storage::Totaled concern: Provides bytes_used (fast snapshot) and
  bytes_used_exact (snapshot + pending) query modes, plus
  materialize_storage! to roll up pending entries.

* Storage::Tracked concern: For models owning attachments (Card,
  Comment, Board). Provides board_for_storage_tracking for models
  where board is determined differently (Board returns self).
  Handles board transfers by recording transfer_out/transfer_in entries.

* Storage::AttachmentTracking: Hooks ActiveStorage::Attachment lifecycle
  to record attach/detach entries. Handles ActionText::RichText embeds
  by traversing to the actual model. Snapshots context in before_destroy
  to handle cascading deletes where parent record may be gone by
  after_destroy_commit.

* MaterializeJob: Rolls up pending entries into snapshot. Concurrency
  limited per owner to prevent duplicate work.

* ReconcileJob: On-demand reconciliation against actual attachment
  storage for support/debugging. Compares ledger total to real bytes
  from card images, card embeds, comment embeds, and board embeds.

Usage:
* account.bytes_used / board.bytes_used: fast, slightly stale bytesize
* account.bytes_used_exact / board.bytes_used_exact: real-time bytesize
* Storage::Entry: audit trail for debugging and point-in-time queries
2025-12-10 16:04:30 -08:00
Jason Zimdars 04d3ac50b2 Clean-up post merge and rework layout to accomodate API and Appearance blocks 2025-12-10 16:46:58 -06:00
Jason Zimdars 6f25b70b7f Merge branch 'main' into theme-switcher-revised 2025-12-10 16:30:36 -06:00
Jeremy Daer 94e991df07 Gitleaks: ignore legit non-sensitive API keys and tokens in docs/ and test/ (#2068) 2025-12-10 14:23:55 -08:00
Jason Zimdars 2d359fa230 Clean-up styles and JS controller, use radios 2025-12-10 16:15:45 -06:00
Mike Dalessio d750c9e5f2 Merge pull request #2067 from basecamp/flavorjones/gitleaks-20251210
Get gitleaks-audit green again
2025-12-10 17:14:40 -05:00
Mike Dalessio 3191c4ec1e Get gitleaks-audit green again 2025-12-10 17:05:19 -05:00
dependabot[bot] ef538abb4f Bump actions/checkout from 4 to 6 (#2047)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:25:42 -08:00
dependabot[bot] 19cd7bfeec Bump docker/login-action from 3.5.0 to 3.6.0 (#2046)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.5.0 to 3.6.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3.5.0...v3.6.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:25:17 -08:00
dependabot[bot] 9ee8b131c5 Bump docker/metadata-action from 5.8.0 to 5.10.0 (#2045)
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.8.0 to 5.10.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/v5.8.0...v5.10.0)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:25:02 -08:00
dependabot[bot] a90ad88bab Bump sigstore/cosign-installer from 3.9.2 to 4.0.0 (#2044)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.9.2 to 4.0.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.9.2...v4.0.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:24:47 -08:00
Hosmel Quintana df9a4b255c make MySQL SSL mode configurable via env var (#2036) 2025-12-10 13:22:38 -08:00
Brian Bailey aad3d51e15 Update tip text for turning a card into a Golden Ticket
Clarified with JF after noticing language like "turning it into a Golden card" in the help content. We're okay with using "ticket" in this case.
2025-12-10 15:48:14 -05:00
Andy Smith bed0e4bd9e Merge pull request #2009 from nqst/clickable-checkbox-labels
Make toggle switch labels clickable
2025-12-10 14:47:51 -06:00
Andy Smith 0e9350d637 Revert "Fix Lexxy prompt list padding by lowering rich-text specificity"
This reverts commit 31fec69822.
2025-12-10 14:12:34 -06:00
Andy Smith 31fec69822 Fix Lexxy prompt list padding by lowering rich-text specificity 2025-12-10 14:12:14 -06:00
Stanko Krtalić 96b6c6e9dc Merge pull request #2060 from basecamp/improve-api-docs-phrasing
Improve phrasing
2025-12-10 20:54:34 +01:00