JSPaste · inetol · May 12, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -1,5 +1,6 @@
 *
 
+!/.mise/**
 !/src/**
 !/deno.json
 !/deno.lock

diff --git a/.env.example b/.env.example
@@ -1,71 +1,75 @@
-#?
-#? Rename this file to ".env" and edit the values as needed.
-#?
-#?####################
-#? VARIABLE STRUCTURE:
-#?####################
-#? [ default ] : type < min - max >
-#?      ^         ^         ^
-#?      |         |         |
-#?      |         |         +---- RANGE between two values (inclusive)
-#?      |         +-------------- TYPE of the variable
-#?      +------------------------ DEFAULT value if not set
-#?
-#?###################
-#? COMMENT STRUCTURE:
-#?###################
-#? "#?#...", "###..." for section headers
-#? "#?" for help
-#? "##" for description
-#? "#" for variable definitions
-#?
-
-## Log level: [3]:integer<0-4>
-#? 0=none, 1=error, 2=warn, 3=info, 4=debug
-#JSPB_LOG_VERBOSITY=3
-
-## Include timestamps in logs?: [true]:boolean
-#JSPB_LOG_TIME=true
-
-## Hostname to bind: [::]:string
-#JSPB_HOSTNAME=::
-
-## Port to bind: [4000]:integer<0-65535>
-#JSPB_PORT=4000
-
-############
-## DOCUMENT:
-############
-## Maximum size per document: [1mb]:string
-#? 0=disabled, units: b/k(i)b/m(i)b/g(i)b/t(i)b
-#JSPB_DOCUMENT_SIZE=1mb
-
-## Compress document?: [true]:boolean
-#? It doesn't apply retroactively to existing documents.
-#JSPB_DOCUMENT_COMPRESSION=true
-
-## Delete documents older than: [0]:string
-#? 0=disabled, units: s/m/h/d/w/M/y
-#JSPB_DOCUMENT_AGE=0
-
-## Delete anonymous documents older than: [7d]:string
-#? 0=disabled, units: s/m/h/d/w/M/y
-#JSPB_DOCUMENT_ANONYMOUS_AGE=7d
-
-########
-## USER:
-########
-## Allow user registration?: [true]:boolean
-#? Root user can always create new users.
-#JSPB_USER_REGISTER=true
-
-## Restore the root user?: [false]:boolean
-#? Make sure to disable this again after successful recovery.
-#JSPB_USER_ROOT_RECOVERY=false
-
-########
-## TASK:
-########
-## Cleanup task cron schedule: [0 1 * * *]:string
-#? https://crontab.guru/#0_1_*_*_*
-#JSPB_TASK_SWEEPER=0 1 * * *
+#?
+#? Rename this file to ".env" and edit the values as needed.
+#?
+#?####################
+#? VARIABLE STRUCTURE:
+#?####################
+#? [ default ] : type < min - max >
+#?      ^         ^         ^
+#?      |         |         |
+#?      |         |         +---- RANGE between two values (inclusive)
+#?      |         +-------------- TYPE of the variable
+#?      +------------------------ DEFAULT value if not set
+#?
+#?###################
+#? COMMENT STRUCTURE:
+#?###################
+#? "#?#...", "###..." for section headers
+#? "#?" for help
+#? "##" for description
+#? "#" for variable definitions
+#?
+
+## Log level: [3]:integer<0-4>
+#? 0=none, 1=error, 2=warn, 3=info, 4=debug
+#JSPB_LOG_VERBOSITY=3
+
+## Include timestamps in logs?: [true]:boolean
+#JSPB_LOG_TIME=true
+
+## Hostname to bind: [::]:string
+#JSPB_HOSTNAME=::
+
+## Port to bind: [8080]:integer<0-65535>
+#JSPB_PORT=8080
+
+## API path prefix: [/api/]:string
+#? Can be queried from "/.well-known/jspaste".
+#JSPB_API=/api/
+
+############
+## DOCUMENT:
+############
+## Maximum size per document: [1mb]:string
+#? 0=disabled, units: b/k(i)b/m(i)b/g(i)b/t(i)b
+#JSPB_DOCUMENT_SIZE=1mb
+
+## Compress document?: [true]:boolean
+#? It doesn't apply retroactively to existing documents.
+#JSPB_DOCUMENT_COMPRESSION=true
+
+## Delete documents older than: [0]:string
+#? 0=disabled, units: s/m/h/d/w/M/y
+#JSPB_DOCUMENT_AGE=0
+
+## Delete anonymous documents older than: [7d]:string
+#? 0=disabled, units: s/m/h/d/w/M/y
+#JSPB_DOCUMENT_ANONYMOUS_AGE=7d
+
+########
+## USER:
+########
+## Allow user registration?: [true]:boolean
+#? Root user can always create new users.
+#JSPB_USER_REGISTER=true
+
+## Restore the root user?: [false]:boolean
+#? Make sure to disable this again after successful recovery.
+#JSPB_USER_ROOT_RECOVERY=false
+
+########
+## TASK:
+########
+## Cleanup task cron schedule: [0 1 * * *]:string
+#? https://crontab.guru/#0_1_*_*_*
+#JSPB_TASK_SWEEPER=0 1 * * *
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -41,12 +41,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: "audit"
 
       - name: Setup mise-en-place
-        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+        uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
 
       - name: Save context
         id: ctx
@@ -76,7 +76,7 @@ jobs:
           echo "extended=${TIMESTAMP}-${SHA_SHORT}" >>"$GITHUB_OUTPUT"
 
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: "false"
 
@@ -102,6 +102,12 @@ jobs:
           zip -j -X -9 -l -o ./dist/backend-${{ steps.tags.outputs.tag }}_windows-amd64.zip .env.example LICENSE README.md ./dist/backend.windows-amd64.exe
           zip -T ./dist/backend-${{ steps.tags.outputs.tag }}_windows-amd64.zip
 
+          # FIXME: Deno still doesn't expose arm64 target
+          #mise run build:standalone:windows-arm64
+          #chmod 755 ./dist/backend.windows-arm64.exe
+          #zip -j -X -9 -l -o ./dist/backend-${{ steps.tags.outputs.tag }}_windows-arm64.zip .env.example LICENSE README.md ./dist/backend.windows-arm64.exe
+          #zip -T ./dist/backend-${{ steps.tags.outputs.tag }}_windows-arm64.zip
+
       - if: inputs.artifact-action == 'build-release'
         name: Release artifact
         uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
@@ -125,97 +131,62 @@ jobs:
     if: github.repository_owner == 'jspaste' && inputs.image-action != 'none'
     name: Release container image
     runs-on: ubuntu-latest
-    env:
-      REGISTRY: ghcr.io
-
     permissions:
       attestations: write
       id-token: write
       packages: write
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: "audit"
 
-      - name: Save context
-        id: ctx
-        env:
-          CTX_BRANCH: "${{ github.head_ref || github.ref_name }}"
-          CTX_SHA: "${{ github.event.pull_request.head.sha || github.sha }}"
-        run: |
-          echo "branch=${CTX_BRANCH}" >>"$GITHUB_OUTPUT"
-          echo "sha=${CTX_SHA}" >>"$GITHUB_OUTPUT"
-          echo "sha_short=${CTX_SHA::7}" >>"$GITHUB_OUTPUT"
+      - name: Setup mise-en-place
+        uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
 
-      - name: Save tags
-        id: tags
+      - name: Setup podman
         env:
-          BRANCH: "${{ steps.ctx.outputs.branch }}"
-          SHA: "${{ steps.ctx.outputs.sha }}"
-          SHA_SHORT: "${{ steps.ctx.outputs.sha_short }}"
+          PODMAN_VERSION: "v5.8.2"
         run: |
-          TIMESTAMP="$(date +%Y.%m.%d)"
-          TIMESTAMP_ISO="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          sudo apt-get purge -y podman runc crun conmon
 
-          if [[ "${BRANCH}" == "stable" ]]; then
-            TAGS+=("latest")
-          else
-            TAGS+=("snapshot")
-          fi
-
-          TAGS+=("${SHA}")
-          TAGS+=("${TIMESTAMP}-${SHA_SHORT}")
+          curl -fsSLO "https://github.com/mgoltzsche/podman-static/releases/download/${{ env.PODMAN_VERSION }}/podman-linux-amd64.tar.gz"
+          curl -fsSLO "https://github.com/mgoltzsche/podman-static/releases/download/${{ env.PODMAN_VERSION }}/podman-linux-amd64.tar.gz.asc"
+          gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0CCF102C4F95D89E583FF1D4F8B5AF50344BB503
+          gpg --batch --verify "podman-linux-amd64.tar.gz.asc" "podman-linux-amd64.tar.gz"
 
-          echo "timestamp=${TIMESTAMP}" >>"$GITHUB_OUTPUT"
-          echo "timestamp_iso=${TIMESTAMP_ISO}" >>"$GITHUB_OUTPUT"
-          echo "version=${TIMESTAMP}-${SHA_SHORT}" >>"$GITHUB_OUTPUT"
-          echo "list=${TAGS[*]}" >>"$GITHUB_OUTPUT"
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: "false"
+          tar -xzf "podman-linux-amd64.tar.gz"
+          sudo cp -rfv ./podman-linux-amd64/etc/. /etc/
+          sudo cp -rfv ./podman-linux-amd64/usr/. /usr/
 
-      - name: Build image
-        id: build-image
-        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
-        with:
-          containerfiles: "Dockerfile"
-          platforms: "linux/amd64,linux/arm64"
-          image: "${{ github.repository }}"
-          layers: "true"
-          oci: "true"
-          tags: "${{ steps.tags.outputs.list }}"
-          extra-args: |
-            --squash
-            --identity-label=false
-            --label=org.opencontainers.image.created=${{ steps.tags.outputs.timestamp_iso }}
-            --label=org.opencontainers.image.revision=${{ steps.ctx.outputs.sha }}
-            --label=org.opencontainers.image.version=${{ steps.tags.outputs.version }}
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
 
       - if: inputs.image-action == 'build-release'
         name: Login to GHCR
-        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: "${{ github.repository_owner }}"
           password: "${{ secrets.GITHUB_TOKEN }}"
-          registry: "${{ env.REGISTRY }}"
+          registry: "ghcr.io"
 
       - if: inputs.image-action == 'build-release'
-        name: Push to GHCR
-        id: push-image
-        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
+        name: Login to Docker Hub
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
-          image: "${{ steps.build-image.outputs.image }}"
-          tags: "${{ steps.build-image.outputs.tags }}"
-          registry: "${{ env.REGISTRY }}"
+          username: "${{ secrets.DOCKER_USER }}"
+          password: "${{ secrets.DOCKER_TOKEN }}"
+          registry: "docker.io"
 
-      - if: inputs.image-action == 'build-release'
-        name: Attest image
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          subject-name: "${{ env.REGISTRY }}/${{ steps.build-image.outputs.image }}"
-          subject-digest: "${{ steps.push-image.outputs.digest }}"
-          push-to-registry: "false"
+          persist-credentials: "false"
+
+      - name: Build container image
+        run: |
+          if [ "${{ inputs.image-action }}" = "build-release" ]; then
+            mise run build:container --release
+          else
+            mise run build:container
+          fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,7 +6,7 @@ on:
     branches:
       - dev
     paths-ignore:
-      - '*.md'
+      - "*.md"
 
 concurrency:
   group: ${{ github.workflow }}
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: "audit"
 
@@ -41,12 +41,12 @@ jobs:
           echo "sha_short=${CTX_SHA::7}" >>"$GITHUB_OUTPUT"
 
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: "false"
 
       - name: Setup mise-en-place
-        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+        uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
 
       - name: Run lint
         run: mise run lint
@@ -62,4 +62,4 @@ jobs:
           mise run start:server &
           SERVER_PID=$!
           sleep 5
-          kill $SERVER_PID
+          kill $SERVER_PID
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,8 @@
 !/.github/
 !/.github/renovate.json
 !/.github/workflows/*.yml
+!/.mise/
+!/.mise/**
 !/.zed/
 !/.zed/settings.json
 !/src/

diff --git a/.mise/snippets/condition_ci.sh b/.mise/snippets/condition_ci.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+# shellcheck shell=dash
+set -eu
+
+set +u
+if [ "$GITHUB_ACTIONS" != "true" ]; then
+    echo >&2 "This task is intended to be run in GHA"
+    exit 1
+fi
+set -u
diff --git a/.mise/snippets/condition_cmd.sh b/.mise/snippets/condition_cmd.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+# shellcheck shell=dash
+set -eu
+
+if ! command -v -- "$1" >/dev/null 2>&1; then
+    echo >&2 "$1 isn't available on PATH"
+    exit 1
+fi