What this release fixes
Nightly backups now respect PUID:PGID
If you run with a non-root PUID:PGID (the linuxserver.io default), the nightly .zip files in /config/processed_books/fixed_originals/ used to be created as root:root while the .epub files in the same directory were correctly owned by your PUID:PGID. The mismatch broke host-side cleanup, rsync, and backup workflows.
The auto-zipper service now drops privileges to abc before running, matching what every other periodic service in the container already does. New .zip archives will land as ${PUID}:${PGID}. Existing archives already owned by root can be chown-ed manually if you want.
Closes #162 — reported by @magdalar.
Install
docker pull ghcr.io/new-usemame/calibre-web-nextgen:latest
# or pin to this release:
docker pull ghcr.io/new-usemame/calibre-web-nextgen:v4.0.55
Under the hood (CI / infrastructure)
Five workflow + test changes that don't change user-visible behaviour but make the project safer to drain on:
- Tier-based auto-merge streamlining — replaced the brittle workflow_run discovery branch with gh pr merge --auto, extracted the policy regex set into a shared Python module (scripts/lib/tier_policy.py, 22 unit tests), added a tier-label-guard workflow that strips safe-tier-* labels applied by untrusted accounts, and pinned 6 load-bearing safety invariants as Fast Tests so a future weakening of the gates goes red immediately. (#170, #171, #172, #173)
- DockerHub-optional dispatch workflows — dockerhub-description.yml and discord-release-bot.yml now no-op cleanly when their secrets aren't configured, instead of red-failing on the missing-cred step. Backports the intent of CWA #1254 to the remaining dispatch surfaces. Closes #152 — requested by @jgoguen. (#175)
- Auto-merge case-pattern fix — CHANGES-vs-upstream.md was getting swallowed by the *.md wildcard in the tier-2 file classifier, so PRs that correctly updated CHANGES still got demoted. New tests/unit/test_auto_merge_changes_file_classifier.py extracts the live bash case-block at test time and exercises it under real bash so this can't regress. (#176)
- Cover-enforcer chown contract pin — metadata-change-detector runs cover_enforcer.py as root by design (calibredb / ebook-polish need root); the script chowns its outputs back to PUID:PGID before exiting. Audit-pin tests verify the chown helper exists, reads the env vars, walks the directory, and is wired up. (#177)
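The case-pattern bug from the auto-merge item above, reduced to a minimal shell sketch. This is an added example, not the project's workflow code: the category names (docs, changes, code), the function names, and the sample file list are assumptions made for illustration.

```shell
#!/bin/sh
# A shell `case` takes the FIRST arm that matches, so a specific file name
# listed after a wildcard that also covers it can never be reached.

# Ordering as described in the bug: *.md comes first and swallows the
# CHANGES file, which is then treated like any other Markdown document.
classify_buggy() {
  case "$1" in
    *.md)                   echo "docs" ;;
    CHANGES-vs-upstream.md) echo "changes" ;;   # unreachable arm
    *)                      echo "code" ;;
  esac
}

# Corrected ordering: exact names go before the wildcard that covers them.
classify_fixed() {
  case "$1" in
    CHANGES-vs-upstream.md) echo "changes" ;;
    *.md)                   echo "docs" ;;
    *)                      echo "code" ;;
  esac
}

# Returns 0 if, according to the given classifier, the changed-file list
# contains a CHANGES update; 1 otherwise. A gate built on the buggy
# classifier never sees the update, so the PR is judged as missing it.
pr_updates_changes() {
  puc_classifier="$1"; shift
  for puc_file in "$@"; do
    if [ "$("$puc_classifier" "$puc_file")" = "changes" ]; then
      return 0
    fi
  done
  return 1
}

# Constructed sample of files touched by one PR.
SAMPLE_FILES="src/app.py README.md CHANGES-vs-upstream.md"

for f in $SAMPLE_FILES; do
  printf '%-24s buggy=%-8s fixed=%s\n' "$f" \
    "$(classify_buggy "$f")" "$(classify_fixed "$f")"
done
```

Testing the classifier by extracting the live case block, as the release note describes, keeps a reordering of the arms from silently changing what the gate sees.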
Full diff: v4.0.54...v4.0.55