Fix path subfolder and inject more env

[ildyria]

Summary by CodeRabbit

• New Features

  • Added environment toggles to disable Basic Auth and WebAuthn.
  • Optional ASSET_URL support for subfolder deployments.

• Documentation

  • Expanded environment example with guidance for subfolder setups (APP_URL/APP_DIR/ASSET_URL) and authentication toggles.

• Chores

  • Removed deprecated flags/wiring (VUEJS, LEGACY_API, LIVEWIRE, PHOTO_PIPES).
  • CI workflow simplified (fewer upload steps) and added download logging.
  • Minor formatting/EOF updates; no runtime behavior changes.

[coderabbitai]

Note

Reviews paused

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

📝 Walkthrough

Walkthrough

Documentation in .env.example was expanded for subfolder deployments and two commented auth toggles were added. docker-compose.yml adds DISABLE_BASIC_AUTH/WEBAUTHN, removes VUEJS_ENABLED and LEGACY_API_ENABLED, and surfaces an ASSET_URL comment. inject.sh injects ASSET_URL and the DISABLE_* vars and drops several legacy toggles. The CI workflow logging was slightly adjusted and multiple upload steps were removed.

Changes

Cohort / File(s)	Summary of changes
Environment docs ./.env.example	Added subfolder deployment guidance and examples (APP_URL, APP_DIR, ASSET_URL), added commented sections and guidance for DISABLE_BASIC_AUTH and DISABLE_WEBAUTHN, and minor EOF/newline formatting.
Docker Compose service ./docker-compose.yml	Added DISABLE_BASIC_AUTH=${DISABLE_BASIC_AUTH:-false} and DISABLE_WEBAUTHN=${DISABLE_WEBAUTHN:-false}; removed VUEJS_ENABLED and LEGACY_API_ENABLED; replaced/annotated APP_DIR with a commented ASSET_URL placeholder and explanatory comments about subfolder usage.
Injection script ./inject.sh	Adds injection of ASSET_URL when set; adds handling to inject DISABLE_BASIC_AUTH and DISABLE_WEBAUTHN; removed handling for LIVEWIRE_ENABLED, VUEJS_ENABLED, and PHOTO_PIPES; small ordering/formatting adjustments around VITE_HTTP_PROXY_ENABLED.
CI workflow .github/workflows/test_pull.yml	Added an echo logging line when downloading artifacts and removed several subsequent upload-related steps (Unzip, get PR/sha, create check, debug, import image, DockerHub login/push).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I thump and nibble at the env,
New flags tucked where defaults blend.
Compose pruned old leaves away,
Injectors learn a gentler way.
A happy hop — subfolders, hooray! 🥕🐇

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-path-subfolder

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

inject.sh (1)

28-30: ASSET_URL injection added — looks good; consider escaping edge cases.

LGTM to support subfolder setups. Minor: replace_or_insert uses sed replacement where unescaped & or backslashes in values can misbehave. ASSET_URL usually won’t include &, but it’s easy to make this robust.

You could harden replace_or_insert to escape sed replacement chars:

# Example helper for robust escaping (outside current hunk)
escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's/[\/&]/\\&/g'
}

Then call with:

val_escaped="$(escape_sed_replacement "$ASSET_URL")"
replace_or_insert "ASSET_URL" "$val_escaped"

docker-compose.yml (1)

80-84: Comment updates for subfolder usage are helpful; trim trailing spaces on ASSET_URL line.

Good clarification about APP_DIR/ASSET_URL. YAMLlint flagged trailing spaces on Line 83.

Apply:

-      #- ASSET_URL=      
+      #- ASSET_URL=

.env.example (1)

21-29: Subfolder guidance is clear; minor consistency tweaks suggested.

Small copy edits can improve clarity and consistency:

• Capitalize TLD.
• Use https consistently in examples (you already do above).
• Add a note to avoid a trailing slash in APP_DIR.

-# If using Lychee in a sub folder, specify the path after the tld here.
+# If using Lychee in a sub folder, specify the path after the TLD here.
@@
-# and APP_DIR=/path/to/lychee
+# and APP_DIR=/path/to/lychee   # no trailing slash
@@
-# ASSET_URL=http://example.com/path/to/lychee
+# ASSET_URL=https://example.com/path/to/lychee

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled
• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6a149cb and 34a91b5.

📒 Files selected for processing (3)

• .env.example (2 hunks)
• docker-compose.yml (2 hunks)
• inject.sh (2 hunks)

🧰 Additional context used

🪛 dotenv-linter (3.3.0)

.env.example

[warning] 51-51: [EndingBlankLine] No blank line at the end of the file

(EndingBlankLine)

🪛 YAMLlint (1.37.1)

docker-compose.yml

[error] 83-83: trailing spaces

(trailing-spaces)

🔇 Additional comments (2)

inject.sh (1)

331-337: New auth toggles injection is consistent with docker-compose and docs.

DISABLE_BASIC_AUTH and DISABLE_WEBAUTHN are correctly passed through to /conf/.env when set. Placement near VITE_HTTP_PROXY_ENABLED keeps related toggles grouped.

docker-compose.yml (1)

128-129: Expose DISABLE_ toggles — LGTM and consistent with inject.sh/.env.example.*

Both variables default to false and are injected by inject.sh when set.

[ildyria]

@coderabbitai ignore

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/test_pull.yml (2)

35-48: Use github.rest. namespace for Octokit REST calls in github-script*

actions/github-script v7 exposes REST methods under github.rest.actions., not github.actions.. Using the old namespace can break on version bumps or in stricter runtimes.

Apply this diff within the script block:

-            var artifacts = await github.actions.listWorkflowRunArtifacts({
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
                owner: context.repo.owner,
                repo: context.repo.repo,
                run_id: ${{ github.event.workflow_run.id }},
             });
             var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
               return artifact.name == "artifact"
             })[0];
-            var download = await github.actions.downloadArtifact({
+            var download = await github.rest.actions.downloadArtifact({
                owner: context.repo.owner,
                repo: context.repo.repo,
                artifact_id: matchArtifact.id,
                archive_format: 'zip',
             });

Optionally, harden the script to fail fast if the artifact is missing:

             var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
               return artifact.name == "artifact"
             })[0];
+            if (!matchArtifact) {
+              core.setFailed('No artifact named "artifact" found for the triggering run.');
+              return;
+            }

---

201-203: YAML bug: invalid run block; use a scalar block or inline shell

As written, this is not valid YAML for a run step and will be ignored/parsed incorrectly by Actions.

Apply one of these minimal fixes:

-        run: 
-          echo "DB_PASSWORD=password" >> .env
+        run: echo "DB_PASSWORD=password" >> .env

or, if you plan to add more lines later:

-        run: 
-          echo "DB_PASSWORD=password" >> .env
+        run: |
+          echo "DB_PASSWORD=password" >> .env

🧹 Nitpick comments (3)

.github/workflows/test_pull.yml (3)

213-215: Pin the crane image to a version or digest instead of the floating debug tag

Using a floating tag can yield non-reproducible builds and supply-chain risk.

For example:

-    container:
-      image: gcr.io/go-containerregistry/crane:debug
+    container:
+      image: gcr.io/go-containerregistry/crane:v0.19.1

Even better, pin to a digest if possible.

---

80-91: Double-check that the imported image carries the expected tag before push

The push assumes the tar contains lycheeorg/lychee:testing-${{ github.event.workflow_run.id }}. If tags differ, the push will fail. Consider retagging after load to be explicit.

       - name: "Import image"
         run: docker image load -i ./lychee.tar
+      - name: "Ensure expected tag"
+        run: |
+          IMG_ID=$(docker images --format '{{.Repository}}:{{.Tag}} {{.ID}}' | awk '$1 ~ /lycheeorg\/lychee/ {print $2}' | head -n1)
+          docker tag "$IMG_ID" "lycheeorg/lychee:testing-${{ github.event.workflow_run.id }}"

---

92-186: Optional: add timeouts to curl checks to avoid long hangs

A short --max-time/--connect-timeout helps jobs fail fast when services don’t come up.

For example:

-        run: 'curl -sSw "%{stderr}%{http_code}" http://localhost/ > /dev/null && curl -f http://localhost/'
+        run: 'curl --connect-timeout 5 --max-time 20 -sSw "%{stderr}%{http_code}" http://localhost/ > /dev/null && curl --connect-timeout 5 --max-time 20 -f http://localhost/'

Apply similarly to other GET steps.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled
• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between fec873e and 39f4aca.

📒 Files selected for processing (1)

• .github/workflows/test_pull.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (2)

.github/workflows/test_pull.yml (2)

34-34: Nice touch: added explicit artifact download log

This improves traceability when debugging cross-workflow artifact transfers.

---

52-90: Summary mismatch: steps appear present here but were described as removed

The AI summary mentions removal of Unzip/Get PR/Create check/debug/Import/Login/Push steps, but they are present in this file (Lines 52–90). Confirm whether they should remain, particularly the Docker Hub push on PR-triggered runs.

If the intent was to drop these, remove the steps and adjust downstream jobs (which rely on the pushed tag) accordingly, or keep them intentionally. I can propose a consistent cut if you confirm the desired behavior.

[coderabbitai]

✅ Actions performed

Reviews paused.