Commit Graph

9955 Commits

Author SHA1 Message Date
Mike Dalessio 7fec94449f Merge pull request #2721 from basecamp/flavorjones/dep-update-sqlite3-2.9.2
dep: update sqlite3 to 2.9.2
2026-03-17 22:02:24 -04:00
Mike Dalessio 806f5ca0dd Merge pull request #2704 from basecamp/dependabot/bundler/thruster-0.1.19
Bump thruster from 0.1.18 to 0.1.19
2026-03-17 22:01:03 -04:00
Mike Dalessio 801b10eb05 Merge pull request #2705 from basecamp/dependabot/bundler/aws-sdk-s3-1.215.0
Bump aws-sdk-s3 from 1.213.0 to 1.215.0
2026-03-17 22:00:29 -04:00
Mike Dalessio c62be7afde dep: update sqlite3 to 2.9.2 2026-03-17 21:59:09 -04:00
Mike Dalessio 50d067fec9 Merge pull request #2702 from basecamp/dependabot/bundler/development-dependencies-aa185b57ca
Bump faker from 3.6.0 to 3.6.1 in the development-dependencies group
2026-03-17 21:55:16 -04:00
Mike Dalessio 4cf7ad5e3e Merge pull request #2697 from basecamp/dependabot/bundler/action_text-trix-2.1.17
Bump action_text-trix from 2.1.16 to 2.1.17
2026-03-17 21:54:05 -04:00
Mike Dalessio 3bf2f17e2b Merge pull request #2720 from basecamp/dependabot/github_actions/github-actions-ce779b418e
Bump the github-actions group with 4 updates
2026-03-17 21:51:45 -04:00
dependabot[bot] 66c22f4636 Bump the github-actions group with 4 updates
Bumps the github-actions group with 4 updates: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action), [docker/login-action](https://github.com/docker/login-action), [docker/metadata-action](https://github.com/docker/metadata-action) and [docker/build-push-action](https://github.com/docker/build-push-action).


Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/8d2750c68a42422c14e847fe6c8ac0403b4cbd6f...4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd)

Updates `docker/login-action` from 3.7.0 to 4.0.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/c94ce9fb468520275223c153574b00df6fe4bcc9...b45d80f862d83dbcd57f89517bcf500b2ab88fb2)

Updates `docker/metadata-action` from 5.10.0 to 6.0.0
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/c299e40c65443455700f0fdfc63efafe5b349051...030e881283bb7a6894de51c315a6bfe6a94e05cf)

Updates `docker/build-push-action` from 6.19.2 to 7.0.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/10e90e3645eae34f1e60eeb005ba3a3d33f178e8...d08e5c354a6adb9ed34480a06d141179aa583294)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: docker/metadata-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-18 01:45:09 +00:00
Mike Dalessio 01d1af9f9c Merge pull request #2645 from basecamp/flavorjones/harden-github-actions
ci: harden GitHub Actions workflows
2026-03-17 21:43:28 -04:00
Mike Dalessio e518d638f2 ci: suppress dependabot-execution warning in dependabot config 2026-03-17 18:27:45 -04:00
Mike Dalessio fa12aca387 ci: update pinned github versions (minor bump) 2026-03-17 18:08:11 -04:00
Mike Dalessio 58f94b0cc1 ci: add job to lint github actions
using zizmor
2026-03-17 18:08:09 -04:00
Mike Dalessio dd7f7005b2 ci: fix template injection by passing tags through env vars 2026-03-17 17:57:34 -04:00
Mike Dalessio bc6703b0df ci: disable credential persistence after checkout
suppress artipacked warning in dependabot lockfile sync workflow
2026-03-17 17:57:34 -04:00
Mike Dalessio 310e271908 ci: suppress zizmor secrets-outside-env in test workflow 2026-03-17 17:57:34 -04:00
Mike Dalessio b6e00b77e3 ci: scope permissions to jobs in publish-image workflow 2026-03-17 17:57:32 -04:00
Mike Dalessio 99e683125b ci: batch github actions dependabot updates into a single PR 2026-03-17 17:39:54 -04:00
Mike Dalessio 463f289072 ci: pin github actions
using `pinact`
2026-03-17 17:19:37 -04:00
Mike Dalessio 3e1b22632b Merge pull request #2719 from basecamp/fix-card-view-m-hotkey
Fix card view M hotkey using stale user from fragment cache
2026-03-17 14:54:23 -04:00
Mike Dalessio 7f65f4aabd Fix card view "M" hotkey using stale user from fragment cache
The hidden "Assign to me" button on the card detail view baked
Current.user.id into the form action at render time. When served from
fragment cache, a stale user ID could be embedded, assigning cards to
the wrong person.

Switch to card_self_assignment_path which resolves the current user at
request time via SelfAssignmentsController, matching the fix already
applied to the board view in 2527f073.

ref: https://app.fizzy.do/5986089/cards/3722
2026-03-17 14:43:05 -04:00
Jorge Manrubia 22f46e73c9 Merge pull request #2715 from basecamp/revert-2713-add-storage-limit-notice
Revert "Add 1GB storage cap with self-host notice"
2026-03-17 17:51:21 +01:00
Jorge Manrubia 0be8041953 Revert "Add 1GB storage cap with self-host notice" 2026-03-17 17:51:07 +01:00
Jorge Manrubia 0b0f1c4891 Merge pull request #2713 from basecamp/add-storage-limit-notice
Add 1GB storage cap with self-host notice
2026-03-17 17:45:20 +01:00
Mike Dalessio c29e785fc1 Merge pull request #2708 from basecamp/dep-lexxy-082
Configure Lexxy to add extra spacing between block elements
2026-03-17 12:42:17 -04:00
Andy Smith b5b3d1cd37 Style messages for account limits 2026-03-17 11:33:49 -05:00
Jay Ohms 096af59f8f Merge pull request #2714 from basecamp/mobile/application-bridge-components
Apply Hotwire Native bridge attributes to the `<body>` element from the user-agent
2026-03-17 12:26:23 -04:00
Jay Ohms f029fbfbeb Merge pull request #2683 from basecamp/mobile/bridge-button-slot
Mobile / Bridge button slot
2026-03-17 12:25:36 -04:00
Jay Ohms e65db1897c Merge pull request #2676 from basecamp/mobile/bridge-done-stamp
Mobile / Bridge "Done" stamp
2026-03-17 12:24:49 -04:00
Jay Ohms 2a19bb94a0 Merge branch 'main' into mobile/bridge-button-slot
* main: (33 commits)
  Remove payment/subscription system and card/storage limits
  Conditionally disable peer verification for ZIP streaming
  Prevent HTML injection through filenames
  Revert "Configure Lexxy to add extra spacing between block elements"
  Configure Lexxy to add extra spacing between block elements
  SaaS usage reporting (#2690)
  Update app/models/user/named.rb
  Prevent line breaks in the middle of familiar_name
  Tweak the layout
  Set the list of importable models based on the record sets in the manifest
  Validate polymorphic types against importable models allowlist
  Fix that the "maybe" stream wouldn't be replaced after triaging a card
  Use x_user_agent cookie for platform detection in Hotwire Native
  Add JSON response format to entropy endpoints (#2673)
  Fix path traversal vulnerability in ActiveStorage blob key import
  Enable CORS fetch mode for storage requests
  Revert CORS fetch mode for Active Storage
  Use CORS fetch mode for Active Storage to enable `maxEntrySize` checks
  Only start offline mode when signed in
  Exclude service worker and edit/pin/watch/new pages from main cache
  ...
2026-03-17 11:24:39 -04:00
Jay Ohms 4d2866dec6 Update additional tests to ensure that the body element contains the correct bridge attributes 2026-03-17 11:04:39 -04:00
Jay Ohms 8920946cb2 Update regex and add test coverage for empty/multiple lists 2026-03-17 10:45:37 -04:00
Zoltan Hosszu 1f24ed662b Increase max width for mention prompts 2026-03-17 10:31:53 -04:00
Zoltan Hosszu ea871757f2 Mention delete button fix 2026-03-17 10:31:53 -04:00
Zoltan Hosszu 24446afba7 Image gallery size fixes 2026-03-17 10:31:53 -04:00
Mike Dalessio fc18ba8e07 Add system tests for markdown paste in Lexxy editor
Test that pasting markdown with block separators produces extra spacing
between blocks, and that single line breaks are preserved.
2026-03-17 10:31:53 -04:00
Mike Dalessio 29a29094bd Configure Lexxy to add extra spacing between block elements
Updating Lexxy to v0.8.5 for the insert-markdown event.
2026-03-17 10:31:46 -04:00
Adrien Maston 780607dddc Merge branch 'main' into mobile/bridge-done-stamp
* main: (43 commits)
  Remove payment/subscription system and card/storage limits
  Conditionally disable peer verification for ZIP streaming
  Prevent HTML injection through filenames
  Revert "Configure Lexxy to add extra spacing between block elements"
  Configure Lexxy to add extra spacing between block elements
  SaaS usage reporting (#2690)
  Update app/models/user/named.rb
  Prevent line breaks in the middle of familiar_name
  Tweak the layout
  Set the list of importable models based on the record sets in the manifest
  Validate polymorphic types against importable models allowlist
  Fix that the "maybe" stream wouldn't be replaced after triaging a card
  Use x_user_agent cookie for platform detection in Hotwire Native
  Add JSON response format to entropy endpoints (#2673)
  Fix path traversal vulnerability in ActiveStorage blob key import
  Enable CORS fetch mode for storage requests
  Revert CORS fetch mode for Active Storage
  Use CORS fetch mode for Active Storage to enable `maxEntrySize` checks
  Only start offline mode when signed in
  Exclude service worker and edit/pin/watch/new pages from main cache
  ...
2026-03-17 15:27:29 +01:00
Jay Ohms 139f4cb869 Add test coverage for native bridge user agents 2026-03-17 10:12:56 -04:00
Jay Ohms 09e4bb13d3 Preset the data-bridge-platform and data-bridge-components on the body element from the user-agent. This prevents css flashes before the native bridge is registered in the app. 2026-03-17 09:59:45 -04:00
Jay Ohms 5c1f3a1f4f Refactor stamp component and observe element changes so subsequent "connect" messages will be sent 2026-03-17 08:12:57 -04:00
Jay Ohms 00b588fcef Don't display the "Mark done" bridge component button when the card has been marked as "Not Now" 2026-03-17 07:43:13 -04:00
Jorge Manrubia a761d809ae Add 1GB storage limit with self-host notice for SaaS
Limit free storage to 1GB on the SaaS version. When exceeded, card
publishing, comment creation, and JSON card creation are blocked,
and the card footer shows a "self-host Fizzy for unlimited storage"
notice instead of the create buttons. A nearing-limit warning
appears when usage exceeds 500MB.

Uses the same SaaS engine patterns as the removed billing system:
model concern on Account, controller concerns included via
config.to_prepare, view partials in saas/ with Fizzy.saas? guards
in the main app.
2026-03-17 12:21:32 +01:00
Adrien Maston 768e7a3a6e Merge pull request #2689 from basecamp/mobile/tweak-card-perma-footer
Mobile / Tweak card perma footer
2026-03-17 12:05:47 +01:00
Adrien Maston 2d1e201946 Add scope selector value 2026-03-17 11:57:59 +01:00
Jorge Manrubia 19dbdc6109 Merge pull request #2712 from basecamp/remove-billing-and-limits
Remove payment/subscription system and card/storage limits
2026-03-17 11:15:38 +01:00
Adrien Maston 0b29a67e17 Change date and closedBy properties for a more generic description 2026-03-17 11:09:37 +01:00
Jorge Manrubia 964915bc66 Remove payment/subscription system and card/storage limits
Fizzy is now free. Remove the entire Stripe billing system,
subscription management, and card/storage limit enforcement.

Removes from saas/: Plan model, Account::Billing, Account::Subscription,
Account::Limited, Account::OverriddenLimits, Account::BillingWaiver,
all subscription/billing controllers and views, Stripe webhook handler,
card creation/publishing limit enforcement, admin account override UI,
usage report rake task, and all related tests.

Removes from main app: Fizzy.saas? guards for subscription panel,
SaaS card footer override, near-limit notices, and saas.css stylesheet.

Adds migration to drop billing tables from the SaaS database.

Non-billing SaaS features (push notifications, signup, authorization,
telemetry, console1984/audits1984) are preserved.
2026-03-17 09:22:04 +01:00
Stanko Krtalić bead275d27 Merge pull request #2710 from basecamp/conditionally_disable_peer_verification_for_zip_streaming
Conditionally disable peer verification for ZIP streaming
2026-03-16 18:16:31 +01:00
Stanko Krtalić eb3797b72c Merge pull request #2709 from basecamp/fix-html-injecton-through-import-filenames
Prevent HTML injection through filenames
2026-03-16 17:57:38 +01:00
Stanko K.R. ddc6ce020e Conditionally disable peer verification for ZIP streaming 2026-03-16 17:57:26 +01:00