This is a backwards-incompatible feature and bugfix release.
From a user perspective, the main change in this release is that secrets.json
is no longer generated, and no longer used by Buildarr.
When Buildarr was originally designed, it was normal for Sonarr and Radarr to expose their API keys on their initialize.js[on]
endpoints, allowing them to be dynamically fetched. To avoid doing this every time, the secrets.json
file was used to cache them.
However, since then, a few issues have become glaringly obvious:
- The
secrets.json
file is difficult to manage from a security standpoint, as it is unencrypted and is not created using a secureumask
by Buildarr by default at the moment. - Whenever plugins have a major update and have no means of migrating older secrets model objects, older
secrets.json
files will cause validation errors when running the updated versions. - With new versions of Arr suite applications moving to a forced-authentication model, where the API key must be provided by the client, there is simply no need to cache these credentials in a separate file anymore.
After upgrading Buildarr, it is recommended to:
- Remove any existing copies of
secrets.json
from your Buildarr deployment. - If using Buildarr in Docker, change your
/config
bind mount to be read-only for better security.
A couple of other issues have also been addressed in this release.
- When an error occurs during update runs in daemon mode, instead of quitting Buildarr, catch the error, log it and schedule following update runs as normal.
- This makes it easier to troubleshoot issues, as Buildarr will not continually try to execute update runs when configured to re-run after it quits unexpectedly.
- Fix a bug where after the first scheduled update run finishes in daemon mode, the "next update run" as reported by Buildarr is the same run that just executed.
The plugin API has been updated with the following changes.
- Add the following commonly used constrained string types to Buildarr Core:
LowerCaseNonEmptyStr
LowerCaseStr
UpperCaseNonEmptyStr
UpperCaseStr
- Add the new
ConfigBase.log_delete_remote_attrs
method, for more verbose logging of deleted resources. - Reimplement the
Password
attribute type as a subclass ofSecretStr
(instead of usingAnnotated
), to allow it to be subclassed and used itself inAnnotated
statements. - Remove
json5
as a dependency of Buildarr Core. If a plugin requires this dependency, it should specify it explicitly.
Added
Changed
- Log errors during daemon update runs without exiting (#151)
- Fix the next run time after scheduled runs (#152)
- Change
Password
to be an actual subclass ofSecretStr
(#156) - Update dependencies (#159)
Removed
- Remove
secrets.json
(#155)