Screenly/Anthias v2026.05.1

on GitHub

Highlights ✨

• Pi 4 / per-board HW decode overhaul — embedded QtMultimedia inside AnthiasWebview, eliminating the two-process DRM contention that caused Pi 4 frame drops; added per-board HW decode dispatch and upload-time codec gating (#2905, #2885)
• 1 GB SBC enablement — low-RAM degradation gates so 1 GB boards (e.g. 1 GB Rock Pi 4) don't wedge under heavy assets (#2915)
• Remote video URLs in the asset pipeline — server auto-downloads remote URLs and pushes them through the normalisation pipeline (#2912)
• HDMI-CEC display on/off (experimental) — turn the connected TV on/off via CEC from settings (#2886)
• Migrate-to-Screenly wizard — opt-in UI flow that pushes an existing Anthias playlist into Screenly via the v4.1 API (#2876)
• Generic arm64 (Armbian) best-effort installer support (#2879)
• UI-driven screen rotation — portrait / landscape toggle without editing config.txt (#2882)
• x86 video playback under cage — dmabuf-wayland output with VAAPI HW decode (#2861)
• Anthias outbound traffic now identifies via a User-Agent (#2897)
• Release-flow split: master is testing, tagged releases are stable (#2854)

Security 🔒

• CodeQL alert sweep — path-injection, URL-redirection, stack-trace-exposure (#2884)
• CSRF: CSRF_TRUSTED_ORIGINS env var for host-rewriting proxies (#2901) + accept same-host Origin regardless of scheme (#2868)

Upgrade Notes 🧭

• Existing Pi 5 / mainline-KMS hosts: the upgrader now bind-mounts /dev/cec0 so HDMI-CEC works after upgrade (#2938).
• Legacy srly-ose-redis container is removed on upgrade (#2936).

What's Changed

Other Changes 🔧

• docs(compat): clean up supported hardware references by @nicomiguelino in #2858
• refactor(webview): inline build into viewer image as multi-stage by @vpetersson in #2855
• refactor(ci): release flow per #2769 (master = testing, releases = stable) by @vpetersson in #2854
• docs(website): link Screenly in footer and add tagline by @vpetersson in #2864
• fix(ci): symlink bunx alongside bun in install script by @vpetersson in #2865
• chore(deps-dev): bump urllib3 from 2.6.3 to 2.7.0 by @dependabot[bot] in #2866
• fix(csrf): accept same-host Origin regardless of scheme (#2867) by @vpetersson in #2868
• chore(deps): bump github/codeql-action from 4.35.2 to 4.35.4 in the github-actions group across 1 directory by @dependabot[bot] in #2860
• fix(viewer): x86 video playback under cage (dmabuf-wayland + VAAPI) by @vpetersson in #2861
• chore: drop MY_IP env-var IP injection (#2869) by @vpetersson in #2872
• fix(splash): cover 4K displays — ship 4K master and upscale-fit by @vpetersson in #2874
• fix(api): v1/v1.1 normalize dispatch + stuck-row reconciler (#2870) by @vpetersson in #2873
• fix(viewer): skip deleted/deactivated asset immediately by @vpetersson in #2875
• refactor(ansible): boot.yml as authoritative templates (incl. silent boot) by @vpetersson in #2810
• Fix HDMI audio detection on Pi4 with dual HDMI ports by @vpetersson in #2811
• chore(deps): bump Django to 5.2.14 and Pillow to 12.2.0 by @vpetersson in #2877
• feat(ui): migrate-to-Screenly wizard with v4.1 API by @vpetersson in #2876
• fix(viewer): send Accept-Language from system locale by @vpetersson in #2878
• chore(install): replace gum with whiptail by @vpetersson in #2880
• fix: e2e-test findings (host-agent venv, celery beat, asset GET 404) by @vpetersson in #2881
• fix(security): address open CodeQL alerts (path-injection, url-redirection, stack-trace-exposure) by @vpetersson in #2884
• feat(viewer): UI-driven screen rotation for portrait/landscape by @vpetersson in #2882
• feat(install): generic-arm64 best-effort support (Armbian SBCs) by @vpetersson in #2879
• feat(settings): experimental HDMI-CEC display on/off by @vpetersson in #2886
• chore(deps): bump the bun group with 3 updates by @dependabot[bot] in #2893
• chore(deps-dev): bump ansible-core from 2.19.9 to 2.20.5 by @dependabot[bot] in #2892
• chore(deps-dev): bump pillow-heif from 1.2.1 to 1.3.0 by @dependabot[bot] in #2891
• chore(deps-dev): bump pytz from 2025.2 to 2026.2 by @dependabot[bot] in #2890
• chore(deps-dev): bump types-pytz from 2026.1.1.20260408 to 2026.2.0.20260506 by @dependabot[bot] in #2889
• chore(deps-dev): bump djangorestframework from 3.16.1 to 3.17.1 by @dependabot[bot] in #2888
• refactor: move webview/ into src/anthias_webview by @vpetersson in #2896
• chore(cec): tidy up follow-ups from #2886 by @vpetersson in #2887
• feat(tests): marketing screenshot testbed via integration suite by @vpetersson in #2895
• chore(ci): replace nick-fields/retry with inline bash loop by @vpetersson in #2898
• feat(http): identify Anthias outbound traffic with a User-Agent by @vpetersson in #2897
• fix(csrf): CSRF_TRUSTED_ORIGINS env var for host-rewriting proxies by @vpetersson in #2901
• feat(website): home-page screenshot slider fed from CI captures by @vpetersson in #2899
• feat(website): deep-linkable anchors on FAQ entries by @vpetersson in #2903
• feat(viewer,server): per-board HW decode dispatch + codec gate on upload by @vpetersson in #2885
• feat(viewer,webview): embed QtMultimedia in AnthiasWebview, eliminate two-process DRM contention + Pi 4 drops by @vpetersson in #2905
• fix(api,app): UI asset delete must remove the on-disk file by @vpetersson in #2909
• fix(installer): keep dtoverlay and max_framebuffers on separate lines in config.txt by @vpetersson in #2911
• feat(api,viewer): viewer REST shim + rename AnthiasWebview → AnthiasViewer by @vpetersson in #2907
• feat(server,api): auto-download remote video URLs into the asset pipeline by @vpetersson in #2912
• fix(remote_video): reject empty Content-Type on GET by @vpetersson in #2913
• fix(rpi-imager): repair broken Anthias icon URL by @vpetersson in #2918
• fix(ci): fetch install-bun.sh from workflow ref, not tag workspace by @vpetersson in #2921
• fix(ci): trust @balena/compose-parser so balena deploy can parse compose by @vpetersson in #2922
• fix(ci): use --version latest for balena os download (was: default) by @vpetersson in #2924
• fix(ci): install balena-cli via npm so native postinstalls run by @vpetersson in #2925
• fix(ci): x86 fleet uses generic-amd64, not genericx86-64-ext by @vpetersson in #2926
• feat(viewer,server): 1 GB SBC enablement — low-RAM degradation gates by @vpetersson in #2915
• chore(deps): bump idna from 3.13 to 3.15 by @dependabot[bot] in #2920
• chore(deps-dev): bump certifi from 2026.4.22 to 2026.5.20 by @dependabot[bot] in #2931
• chore(deps-dev): bump types-requests from 2.33.0.20260408 to 2.33.0.20260518 by @dependabot[bot] in #2929
• chore(deps-dev): bump packaging from 26.1 to 26.2 by @dependabot[bot] in #2932
• chore(deps-dev): bump time-machine from 2.15.0 to 3.2.0 by @dependabot[bot] in #2933
• chore(deps-dev): bump mypy from 1.18.2 to 2.1.0 by @dependabot[bot] in #2930
• chore(deps-dev): bump types-gunicorn from 25.3.0.20260408 to 26.0.0.20260518 by @dependabot[bot] in #2934
• chore(deps): bump the github-actions group with 2 updates by @dependabot[bot] in #2935
• fix(upgrade): remove legacy srly-ose-redis container by @vpetersson in #2936
• fix(upgrade): bind-mount /dev/cec0 on Pi 5 / mainline-KMS hosts by @vpetersson in #2938
• chore(deps-dev): bump pygit2 from 1.19.1 to 1.19.2 by @dependabot[bot] in #2939
• chore(deps-dev): bump pytest-playwright from 0.7.2 to 0.8.0 by @dependabot[bot] in #2940
• chore(deps-dev): bump channels from 4.3.1 to 4.3.2 by @dependabot[bot] in #2941
• chore(deps-dev): bump psutil from 7.2.1 to 7.2.2 by @dependabot[bot] in #2943
• chore(deps): bump the github-actions group with 4 updates by @dependabot[bot] in #2944
• chore(deps-dev): bump pytest-xdist from 3.6.1 to 3.8.0 by @dependabot[bot] in #2942
• chore(deps-dev): bump sass from 1.99.0 to 1.100.0 in the bun group by @dependabot[bot] in #2945
• fix(webview): gate VideoView/QtMultimedia behind Qt6 so Qt5 boards build by @vpetersson in #2946

Full Changelog: v2026.05.0...v2026.05.1