* main:
Remove semver-major-days from Dependabot on GH actions
Allow chromium unstable endpoint
Bump Rails to current ast-immediate-variants-process-locally branch
Rails seeded parallel tests (#2037)
Add blank slate to the main menu
Fixing Lexxy prompt menu spacing
Make SMTP config conditional on SMTP_ADDRESS
default to smtp
configurable actionmailer settings (ENV)
- If `SMTP_ADDRESS` is set, configure Action Mailer to use it, along
with additional optional SMTP-related settings.
- Otherwise, don't set config (for compatibility with engines like
fizzy-saas).
- Remove sendmail env setup, since by default there is no sendmail in
the container, and custom deployment can use whatever config the want
directly. If we end up needing this, we can bring it back via its
own env.
* main:
Stream response in webhook request manually to check size
Fix stale-read race when creating push subscriptions
Drop defunct Account upload attachments (#2030)
Process blob variants using local files
Allow configuring SSL in production with ENV vars
This addresses a DoS vulnerability where the response might be massive
leading to OOM errors, as the response is read in full in memory by
default.
To prevent this, we need to read the body in chunks, checking the
size of the chunks we've read and raising if we go over a certain limit.
I've set the limit to 100 KB because the responses to these requests
should be fairly small or even empty, and we only care about the status
code in the end.
(Caught one such uniqueness exception in the wild)
* 200 OK -> 204 No Content, default status
* No need to touch the subscription when found
* Drop superflous test
* main: (70 commits)
bin/ci: run OSS suite in SAAS mode for full coverage (#2029)
Fix flaky tests caused by leaky show_exceptions twiddling (#2028)
Fix ActiveStorage FileNotFoundError with immediate variant processing (#2022)
Immediate avatar and embed variants (#2002)
Should be in global gitignore
Account for browser button styled and adjust mobile padding for perma BG
Wrap the overflow menu
doc: update style doc reference for LLM agents
Fix Identity destruction callback ordering
Ensure user toggles on board edit page are cached properly
Adopt a cooldown period for dependency updates
Add lazy error context for Rails error reporter (#2014)
Disable board edit buttons for select all/none when not privileged
Autotuner: use structured logging instead of Sentry (#2011)
Add datetime to the search results
Fix involvement button label
Bump mittens to 0.3.1 (#2006)
No need to pass Currentl.user since it is the default value for the param
Validate email before creating identity during join code redemption
Ignore RubyMine project files in .gitignore
...
Rails memoizes `@app_env_config`, so running push subscriptions test
after join codes test will result in running with `show_exceptions:
:none`, causing RecordInvalid to raise instead of returning 422 status.
References #1996
When ActiveStorage::Record uses `connects_to` for read replica support,
it creates a separate connection pool from ApplicationRecord. This causes
`after_commit` callbacks to fire in non-deterministic order - the
Attachment's `create_variants` callback can fire before the User model's
upload callback completes, resulting in FileNotFoundError.
The fix removes replica connection configuration from ActiveStorage::Record
so it shares the same connection pool as application models, ensuring
proper callback ordering.
Also reverts test workarounds that were added to work around this issue,
since the root cause is now fixed.
See: https://github.com/rails/rails/issues/53694
As suggested by @flavorjones, and explained in:
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
This applies:
- 7 days as default: from the article, a 7-day
cooldown would have prevented 8 out of 10 recent
supply chain attacks. It seems reasonably long
but not crazy long.
- 14 days for major versions, to give some time
to the community to find problems.
Register a middleware with Rails.error that adds identity_id and
account_id from Current attributes. Only evaluated when an error
is actually reported, avoiding the cost on successful requests.
Move thousands of info-level Sentry events to logs. Query Loki rather
than downsampling events: `event.action = "run.ruby-script",
script.name = "autotuner"`