Sanitize github.ref to be safely used as docker tag

Consolidate config files for both local dev and docker
Consolidate data into separate mapped volume for docker and local
2025-11-13 19:22:59 +10:30 · 2025-11-13 18:54:57 +10:30
9 changed files with 28 additions and 169 deletions
@@ -25,30 +25,6 @@ jobs:
          # echo "MY_LOWER=$lower_value" >> $GITHUB_ENV
          # If you want to use it as an output of this step:
          echo "lowercase=$lower_value" >> $GITHUB_OUTPUT
-      - name: Convert ref to buildx safe value
-        id: docker_tag_from_ref
-        shell: bash
-        run: |
-          # Grab the raw ref
-          REF="${{ github.ref }}"
-
-          # Strip the "refs/*/" prefix (refs/heads/, refs/tags/…)
-          TAG=${REF#refs/*/}
-
-          # Replace characters that Docker tags disallow
-          #   * "/"  → "-"
-          #   * ":"  → "-"
-          #   * Any other non‑alphanumeric / . / _ / - → "-"
-          TAG=${TAG//\//-}
-          TAG=${TAG//:/-}
-          TAG=${TAG//[^a-zA-Z0-9._-]/-}
-
-          # (Optional) force lower‑case – Docker tags are case‑sensitive,
-          #   but many people prefer lower‑case
-          TAG=${TAG,,}
-
-          # Export to the action's output
-          echo "docker-tag=${TAG}" >> $GITHUB_OUTPUT
      # ------------------------------------------------------------------
      # 1. Checkout repository
      # ------------------------------------------------------------------
@@ -94,7 +70,7 @@ jobs:
          push: false
          tags: |
            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.sha }}
-            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ steps.docker_tag_from_ref.outputs.docker-tag }}
+            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.ref_name }}
            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:latest
          build-args: |
            # Add any build args here
@@ -113,7 +89,7 @@ jobs:
          push: true
          tags: |
            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.sha }}
-            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ steps.docker_tag_from_ref.outputs.docker-tag }}
+            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.ref_name }}
            ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:latest
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
@@ -132,5 +108,5 @@ jobs:
        run: |
          echo "Pushed image tags:"
          echo "- ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.sha }}"
-          echo "- ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ steps.docker_tag_from_ref.outputs.docker-tag }}"
+          echo "- ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.ref_name }}"
          echo "- ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:latest"
@@ -61,7 +61,7 @@ public class AuthStore : IDisposable, IAuthStore
    private static string DetermineCredentialsPath(string? settingsCredentialsFile, IHostEnvironment env)
    {
        if (settingsCredentialsFile == null) return Path.Combine("app","data","credentials.json");
-        return Path.IsPathRooted(settingsCredentialsFile) ? settingsCredentialsFile : Path.Combine(env.ContentRootPath,"data",settingsCredentialsFile);
+        return Path.IsPathRooted(settingsCredentialsFile) ? settingsCredentialsFile : Path.Combine(env.ContentRootPath,"app","data",settingsCredentialsFile);
    }

    public void Dispose()
@@ -1,4 +1,3 @@
-using System.Text.Json;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Options;
 using TinfoilVibeServer.Authentication;
@@ -13,31 +12,6 @@ builder.Logging.AddDebug();

 builder.Services.AddMemoryCache();
 var dataRoot = builder.Configuration["CONFIG_ROOT"] ?? "/app/config/";
-// 1️⃣ Load the embedded default
-var defaultResource = typeof(Program).Assembly
-    .GetManifestResourceStream("TinfoilVibeServer.appsettings.default.json")!; // adjust namespace
-var defaultConfig = JsonDocument.Parse(defaultResource).RootElement;
-
-// 2️⃣ Try to write the file if it doesn't exist
-var configPath = Path.Combine(dataRoot, "appsettings.json");
-if (!File.Exists(configPath))
-{
-    // write the embedded JSON straight to disk
-    try
-    {
-        File.WriteAllText(configPath, defaultConfig.GetRawText());
-    }
-    catch (Exception e)
-    {
-        var tempFactory = LoggerFactory.Create(loggingBuilder =>
-        {
-            loggingBuilder.AddConsole();
-            loggingBuilder.AddDebug();
-        });
-        var logger = tempFactory.CreateLogger<Program>();
-        logger.LogError(e, "Failed to write default config file");
-    }
-}

 var config = new ConfigurationBuilder()
    .AddJsonFile(Path.Combine(dataRoot,"appsettings.json"), optional: false, reloadOnChange: true)
@@ -19,7 +19,7 @@ public class ConfigManager

    public ConfigManager()
    {
-        _configPath = Path.Combine(AppContext.BaseDirectory, "config", "appsettings.json");
+        _configPath = Path.Combine(AppContext.BaseDirectory, "appsettings.json");
        Load();

        _watcher = new FileSystemWatcher
@@ -1,5 +1,4 @@
-using System.ComponentModel.DataAnnotations;
-using System.Security.Cryptography;
+using System.Security.Cryptography;
 using LibHac.Common;
 using LibHac.Fs;
 using LibHac.Fs.Fsa;
@@ -35,49 +34,21 @@ namespace TinfoilVibeServer.Services
    /// </summary>
    public sealed class NSPExtractor : INSPExtractor
    {
-        private KeySet? _keySet;
+        private readonly KeySet _keySet;
+        private readonly ILogger<INSPExtractor> _logger;

-        public KeySet? KeySet
+        public NSPExtractor(IOptions<NSPExtractorOptions> options, ILogger<INSPExtractor> logger, IHostEnvironment environment)
        {
-            get
+            var dataRoot = environment.ContentRootPath ?? "/app/config";
+            if (Path.IsPathRooted(options.Value.keyFile))
            {
-                if (_keySet != null) return _keySet;
-                if (_options.CurrentValue.KeyFile == null) return null;
-                var dataRoot = _environment.ContentRootPath ?? "/app/config";
-                if (Path.IsPathRooted(_options.CurrentValue.KeyFile))
-                {
-                    _keySet = ExternalKeyReader.ReadKeyFile(_options.CurrentValue.KeyFile);
+                _keySet = ExternalKeyReader.ReadKeyFile(options.Value.keyFile);
            }
            else
            {
-                    _keySet = ExternalKeyReader.ReadKeyFile(Path.Combine(dataRoot, "config", _options.CurrentValue.KeyFile));
+                _keySet = ExternalKeyReader.ReadKeyFile(Path.Combine(dataRoot, "config", options.Value.keyFile));
            }
-
-                return _keySet;
-            }
-        }
-
-        private readonly IOptionsMonitor<NSPExtractorOptions> _options;
-        private readonly ILogger<INSPExtractor> _logger;
-        private readonly IHostEnvironment _environment;
-
-        public NSPExtractor(IOptionsMonitor<NSPExtractorOptions> options, ILogger<INSPExtractor> logger, IHostEnvironment environment)
-        {
-            _options = options;
-            _options.OnChange(o =>
-            {
-                if (o.KeyFile == null)
-                {
-                    _logger?.LogInformation("No KeySet specified, skipping key validation");
-                }
-
-                if (!File.Exists(o.KeyFile))
-                {
-                    _logger?.LogWarning("KeySet file {KeyFile} does not exist", o.KeyFile);
-                }
-            });
            _logger = logger;
-            _environment = environment;
        }

        /// <summary>
@@ -94,8 +65,6 @@ namespace TinfoilVibeServer.Services
        /// </summary>
        public NcaMetadataWithHash? ExtractFromStream(Stream stream)
        {
-            if (KeySet == null) return null;
-            
            if (!stream.CanSeek) return null;
            stream.Seek(0, SeekOrigin.Begin);
            
@@ -108,7 +77,7 @@ namespace TinfoilVibeServer.Services

            if (IsXciFileSystem(stream))
            {
-                var xci = new Xci(KeySet, storage);
+                var xci = new Xci(_keySet, storage);
                List<DirectoryEntryEx> ncaEntries;
                if (xci.HasPartition(XciPartitionType.Secure))
                {
@@ -126,7 +95,7 @@ namespace TinfoilVibeServer.Services
                        using var ncaFile = fileRef.Release();
                        using var ncaFileStorage = new FileStorage(ncaFile);

-                        var nca = new Nca(KeySet, ncaFileStorage);
+                        var nca = new Nca(_keySet, ncaFileStorage);
                        if (hash == null)
                        {
                            // Hash the *first* NCA stream – the stream we just opened
@@ -153,8 +122,6 @@ namespace TinfoilVibeServer.Services

        private NcaMetadataWithHash? ExtractNSPFromStream(StreamStorage storage)
        {
-            if (KeySet == null) return null;
-            
            List<DirectoryEntryEx> ncaEntries;
            _logger.LogInformation("Processing as NSP");
            var partition = new PartitionFileSystem();
@@ -172,7 +139,7 @@ namespace TinfoilVibeServer.Services
                using var ncaFile = fileRef.Release();
                using var ncaFileStorage = new FileStorage(ncaFile);

-                var nca = new Nca(KeySet, ncaFileStorage);
+                var nca = new Nca(_keySet, ncaFileStorage);
                if (hash == null)
                {
                    // Hash the *first* NCA stream – the stream we just opened
@@ -241,8 +208,6 @@ namespace TinfoilVibeServer.Services
        }
        private bool IsXciFileSystem(Stream stream)
        {
-            if (KeySet == null) return false;
-            
            try
            {
                if (!stream.CanSeek) return false;
@@ -251,7 +216,7 @@ namespace TinfoilVibeServer.Services
                var storage = new StreamStorage(stream, true);
                try
                {
-                    var xciBlock = new Xci(KeySet, storage);
+                    var xciBlock = new Xci(_keySet, storage);
                    _logger.LogInformation("XCI found");
                    return xciBlock.HasPartition(XciPartitionType.Secure);
                }
@@ -270,8 +235,6 @@ namespace TinfoilVibeServer.Services

        public string ExtractHashFromStream(Stream nspStream)
        {
-            if (KeySet == null) return string.Empty;
-            
            if (!IsPfs0FileSystem(nspStream))
                return string.Empty;

@@ -296,7 +259,7 @@ namespace TinfoilVibeServer.Services

                try
                {
-                    var nca = new Nca(KeySet, ncaFileStorage);
+                    var nca = new Nca(_keySet, ncaFileStorage);
                    if (nca.Header.ContentType != NcaContentType.Meta)
                        continue; // only the meta NCA contains title metadata

@@ -320,7 +283,7 @@ namespace TinfoilVibeServer.Services

    public class NSPExtractorOptions    
    {
-        public string? KeyFile { get; set; }
+        public string keyFile { get; set; }
    }

    /// <summary>
@@ -529,22 +529,6 @@ public sealed class SnapshotService : IDisposable, ISnapshotService, IHostedServ
                    continue;
                }

-                var fileContainedInRootDirectories = false;
-                foreach (var optionsRootDirectory in _options.RootDirectories)
-                {
-                    if (fileEntry.Path.StartsWith(optionsRootDirectory))
-                    {
-                        fileContainedInRootDirectories = true;
-                        break;
-                    }
-                }
-
-                if (!fileContainedInRootDirectories)
-                {
-                    _logger.LogInformation("Entry {Path} is not contained in any root directory", fileEntry.Path);
-                    continue;
-                };
-                
                if (_options.RomExtensions.Contains(Path.GetExtension(fileEntry.Path)))
                {
                    if (fileEntry.Path.Contains(ArchivePathSeparator))
@@ -24,7 +24,9 @@ public sealed class TitleDatabaseService : IHostedService
    private readonly IOptionsMonitor<TitleDbOptions> _options;
    private readonly ILogger<TitleDatabaseService> _logger;
    private readonly IHttpClientFactory _httpFactory;
+    private readonly INSPExtractor _nspExtractor;
    private readonly string _cacheFolder;           // Where the JSON is cached.
+    private readonly List<string> _rootDirectories;   // directories that contain game files

    private readonly IMemoryCache           _cache;
    private readonly ISnapshotService       _snapshotService;
@@ -48,6 +50,7 @@ public sealed class TitleDatabaseService : IHostedService
    /// directories that contain the NSP files.
    /// </summary>
    public TitleDatabaseService(
+        IConfiguration configuration,
        IOptionsMonitor<TitleDbOptions> options,
        ILogger<TitleDatabaseService> logger,
        ISnapshotService snapshotService,
@@ -59,10 +62,11 @@ public sealed class TitleDatabaseService : IHostedService
        _logger      = logger;
        _snapshotService = snapshotService;
        _httpFactory = httpFactory;
+        _nspExtractor = nspExtractor;
        _cache = cache;

-        _cacheFolder      = Path.Combine(AppContext.BaseDirectory, "data", "titledb-cache");
-        new List<string>
+        _cacheFolder      = Path.Combine(AppContext.BaseDirectory, "titledb-cache");
+        _rootDirectories  = new List<string>
        {
            // You can extend this list – it is the set of directories that
            // are scanned when the service starts up.
@@ -58,8 +58,5 @@

    <ItemGroup>
      <EmbeddedResource Remove="obj\**" />
-      <EmbeddedResource Include="appsettings.default.json">
-        <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-      </EmbeddedResource>
    </ItemGroup>
 </Project>
@@ -1,39 +0,0 @@
-{
-  "Logging": {
-    "LogLevel": {
-      "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
-    }
-  },
-  "AllowedHosts": "*",
-
-  "CredentialsFile": "/app/data/credentials.json",
-  "FingerprintsFile": "/app/data/fingerprints.json",
-  "BlacklistFile": "/app/data/blacklist.json",
-  "MaxFailedAttempts": 5,
-  "Snapshot" : {
-    "RootDirectories": [ ],
-    "ArchiveExtensions": [ ".zip", ".rar", ".7z" ],
-    "RomExtensions": [ ".xci", ".nsp", ".xcz" ],
-    "CacheTtl": 60,
-    "SnapshotFile": "/app/data/snapshot.json",
-    "SnapshotBackupFile": "/app/data/snapshot.bak"
-  },
-  "NSPExtractor": {
-    "KeyFile": "/app/config/prod.keys"
-  },
-  "IndexBuilder": {
-    "ApiBaseUrl": "http://tinfoil.localhost:8080",
-    "IndexDirectories": [
-      "https://url1",
-      "sdmc:/url2",
-      "http://url3"
-    ],
-    "Success" : "Welcome to Tinfoil Vibe Server!"
-  },
-  "TitleDb": {
-    "CountryCode": "AU",
-    "Language": "en",
-    "TtlSeconds" : 90
-   }
-}
Author	SHA1	Message	Date
ecenshu	6e741552e7	Sanitize github.ref to be safely used as docker tag ci / build_linux (push) Successful in 9m59s Details ci / build_linux (pull_request) Successful in 5m13s Details	2025-11-13 19:22:59 +10:30
ecenshu	33a724a796	Consolidate config files for both local dev and docker ci / build_linux (push) Failing after 1m49s Details Consolidate data into separate mapped volume for docker and local	2025-11-13 18:54:57 +10:30