What's new
feat: Change password and Change email from the UI (#292)
Resolves discussion #291. Better Auth's change-password / change-email endpoints have always been exposed server-side, but there was no way to reach them from the web UI.
The avatar dropdown in the header now shows:
- Change password — opens a dialog with current/new/confirm fields and a "Sign out other devices" checkbox (defaults on, calls Better Auth's `revokeOtherSessions: true` — verified end-to-end that other sessions are invalidated immediately).
- Change email — opens a dialog with the new email field. The dropdown updates to show the new address as soon as the change succeeds.
SSO-only users (no local password) have the Change password item hidden. The check uses `GET /api/auth/list-accounts` to look for a `credential` provider; if the probe errors it fails open rather than locking anyone out.
This required enabling `user.changeEmail` in Better Auth with `updateEmailWithoutVerification: true` — safe in this app because email verification isn't on and there's no email sender wired up.
ci: pin third-party GitHub Actions to commit SHAs (#293)
This change responds to the supply-chain attack pattern that recently hit `actions-cool/issues-helper` and `actions-cool/maintain-one-comment`, and `tj-actions/changed-files` before that.
Tags are mutable. A compromised maintainer can force-move `@v3` to point at malicious code, and every workflow using the tag picks it up on the next run. Pinning to a 40-char commit SHA makes the reference immutable.
This release pins the highest-risk subset:
- `nix-build.yml` — two `@main` branch refs (worse than tags, since they move on every push) → pinned to release SHAs for `v22` / `v13`.
- `docker-build.yml` — every third-party action (`docker/setup-buildx`, `docker/login`, `docker/metadata`, `docker/build-push`, `docker/scout`) now references a SHA with a trailing `# vX.Y.Z` comment for readability.
This is the workflow that holds the GHCR push token, Docker Hub login, and Scout API token — so it's the one with the largest blast radius if compromised.
First-party `actions/*` and `github/codeql-action` are left on tags for now; they're a separate, lower-risk follow-up. Dependabot for the `github-actions` ecosystem is recommended next so SHA pins still get auto-bumped.
chore: bump and digest-pin Bun base image to 1.3.14 (#295)
Same hardening principle, applied to the Dockerfile:
- Bun `1.3.13-debian` → `1.3.14-debian` (released 2026-05-13)
- Pinned to digest: `@sha256:9dba1a1b...db6f` (multi-arch — `linux/amd64` and `linux/arm64`)
- Applies to both the `base` and `runner` stages in the Dockerfile
A tag on Docker Hub is just as mutable as a tag on GitHub; pinning to the digest closes the same class of attack at the container layer.
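As an added check that is not part of this project or these releases, the script below flags the mutable references the two items above describe: `uses:` refs in a workflow that are not 40-hex commit SHAs (first-party `actions/*` and `github/*` tolerated on tags by default, as in the release) and `FROM` images in a Dockerfile that carry no `@sha256:` digest. The action and image names are real, but the sample workflow, Dockerfile, commit SHA and digest are constructed placeholders.

```python
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")  # uses: owner/repo@ref
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)  # FROM image [AS stage]
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FIRST_PARTY = ("actions/", "github/")  # left on tags in the release above; reported only on request

def unpinned_actions(workflow_text, allow_first_party_tags=True):
    """Return (line_no, action, ref) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or COMMIT_SHA_RE.match(m.group(2)):
            continue  # not a `uses:` line, or already an immutable SHA reference
        action, ref = m.groups()  # a trailing `# vX.Y.Z` comment is not part of `ref`
        if allow_first_party_tags and action.startswith(FIRST_PARTY):
            continue
        findings.append((n, action, ref))
    return findings

def unpinned_images(dockerfile_text):
    """Return (line_no, image) for each FROM lacking a sha256 digest; stage aliases are skipped."""
    findings, stages = [], set()
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.groups()
        if alias:
            stages.add(alias)  # `FROM base AS runner` refers back to a stage, not to a registry image
        if image not in stages and not DIGEST_RE.search(image):
            findings.append((n, image))
    return findings

# Constructed sample inputs; the commit SHA and digest below are placeholders, not real values.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: docker/login-action@v3
  - uses: docker/build-push-action@0123456789abcdef0123456789abcdef01234567 # v6.x.y
  - uses: cachix/install-nix-action@main
"""
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
DOCKERFILE = f"""\
FROM oven/bun:1.3.14-debian@{FAKE_DIGEST} AS base
FROM node:22-alpine AS builder
FROM base AS runner
"""
```

Run against a real repository, `unpinned_actions` would also catch a `@main` branch ref, which the release above ranks as worse than a tag because it moves on every push.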