fix(template): finalize CA metadata and upstream env coverage (#38)

JSONbored · web-flow · commit 880a0e2a9beb · 2026-04-15T03:35:50.000-06:00
* fix(template): expose upstream self-hosting controls

* fix(template): expose skylight controls with quiet defaults

* fix(template): correct CA category and expose remaining upstream envs

* chore(deps): refresh workflow and dockerfile pins
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -235,7 +235,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build local test image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/amd64
@@ -283,7 +283,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       
       - name: Login to GHCR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -312,7 +312,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -367,7 +367,7 @@ jobs:
 
       - name: Create sync pull request
         if: ${{ env.SYNC_ENABLED == 'true' }}
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ secrets.SYNC_TOKEN }}
           path: target-repo
diff --git a/.github/workflows/check-upstream.yml b/.github/workflows/check-upstream.yml
@@ -36,37 +36,41 @@ jobs:
           chmod +x scripts/check-upstream.py
           ./scripts/check-upstream.py
 
-      - name: Stop if already current
-        if: ${{ steps.upstream.outputs.updates_available != 'true' }}
-        run: echo "Upstream is already current."
+      - name: Stop if no stable version bump is available
+        if: ${{ steps.upstream.outputs.version_update_available != 'true' }}
+        run: |
+          echo "No newer stable upstream Sure tag is available."
+          if [[ "${{ steps.upstream.outputs.digest_update_available }}" == "true" ]]; then
+            echo "Digest-only drift detected; leave that to Renovate or manual dependency refresh."
+          fi
 
       - name: Create update branch
-        if: ${{ steps.upstream.outputs.updates_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
-        run: git checkout -b "codex/upstream-${{ steps.upstream.outputs.latest_version }}"
+        if: ${{ steps.upstream.outputs.version_update_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
+        run: git checkout -B "codex/upstream-${{ steps.upstream.outputs.latest_version }}"
 
       - name: Apply upstream version bump
-        if: ${{ steps.upstream.outputs.updates_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
+        if: ${{ steps.upstream.outputs.version_update_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
         env:
           WRITE_UPSTREAM_VERSION: "true"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: ./scripts/check-upstream.py
 
       - name: Commit upstream version bump
-        if: ${{ steps.upstream.outputs.updates_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
+        if: ${{ steps.upstream.outputs.version_update_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add Dockerfile
-          git commit -m "chore: bump upstream Sure to ${{ steps.upstream.outputs.latest_version }}"
+          git commit -m "chore(sync): bump upstream sure to ${{ steps.upstream.outputs.latest_version }}"
 
       - name: Push update branch
-        if: ${{ steps.upstream.outputs.updates_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
+        if: ${{ steps.upstream.outputs.version_update_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: git push --force --set-upstream origin "codex/upstream-${{ steps.upstream.outputs.latest_version }}"
 
       - name: Open or update pull request
-        if: ${{ steps.upstream.outputs.updates_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
+        if: ${{ steps.upstream.outputs.version_update_available == 'true' && steps.upstream.outputs.strategy == 'pr' }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -86,12 +90,12 @@ jobs:
           existing_pr="$(gh pr list --head "codex/upstream-${{ steps.upstream.outputs.latest_version }}" --base main --json number --jq '.[0].number')"
           if [[ -n "${existing_pr}" ]]; then
             gh pr edit "${existing_pr}" \
-              --title "chore: bump upstream Sure to ${{ steps.upstream.outputs.latest_version }}" \
+              --title "chore(sync): bump upstream sure to ${{ steps.upstream.outputs.latest_version }}" \
               --body-file "${body_file}"
           else
             gh pr create \
               --base main \
               --head "codex/upstream-${{ steps.upstream.outputs.latest_version }}" \
-              --title "chore: bump upstream Sure to ${{ steps.upstream.outputs.latest_version }}" \
+              --title "chore(sync): bump upstream sure to ${{ steps.upstream.outputs.latest_version }}" \
               --body-file "${body_file}"
           fi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -69,7 +69,7 @@ jobs:
 
       - name: Create release PR
         if: steps.changes.outputs.has_changes == 'true'
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           commit-message: "chore(release): ${{ steps.version.outputs.release_version }}"
           title: "chore(release): ${{ steps.version.outputs.release_version }}"
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
-# syntax=docker/dockerfile:1@sha256:4a43a54dd1fedceb30ba47e76cfcf2b47304f4161c0caeac2db1c61804ea3c91
+# syntax=docker/dockerfile:1@sha256:2780b5c3bab67f1f76c781860de469442999ed1a0d7992a5efdf2cffc0e3d769
 
 ARG UPSTREAM_VERSION=v0.6.9
-ARG UPSTREAM_IMAGE_DIGEST=sha256:3d899b3eced520d8d3166a3d53184cbb1356670fb52d050f94f8e62e59754d70
+ARG UPSTREAM_IMAGE_DIGEST=sha256:f415c4085489b4e154f2374786fd604b41ff11d3f56b6d1050fa28fa214f1130
 ARG PGVECTOR_VERSION=0.8.2
 FROM ghcr.io/we-promise/sure@${UPSTREAM_IMAGE_DIGEST}
 
@@ -53,6 +53,8 @@ RUN find /etc/s6-overlay/s6-rc.d -type f \( -name "run" -o -name "up" \) -exec c
 # 4. Expose the App Storage
 VOLUME ["/rails/storage", "/var/lib/postgresql/data", "/var/lib/redis"]
 
+ENV SKYLIGHT_ENABLED=false
+
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
   CMD curl -f http://localhost:3000/up || exit 1
 
diff --git a/README.md b/README.md
@@ -39,6 +39,9 @@ If you just want to track your finances and don't care about databases, this is
 
 While designed for absolute beginners, this container is intended to keep pace with upstream self-hosting features rather than stripping them out. The goal is straightforward: if upstream exposes a real self-hosting feature, the Unraid wrapper should either support it or document the gap plainly.
 
+Some advanced Sure settings are intentionally managed as container environment variables in the Unraid template instead of only through Sure's web UI. When upstream sees one of those env vars, it may disable the matching control in the app and treat the template value as the source of truth. That is expected for this wrapper.
+This wrapper also defaults `SKYLIGHT_ENABLED=false` at the image level (and exposes it in the template) so AIO users are not required to configure upstream Skylight APM.
+
 If you click **"Show more settings..."** in the Unraid template, you can customize the system deeply.
 
 Read the comprehensive [Power User Guide here](docs/power-user.md) for instructions on how to configure:
@@ -63,6 +66,7 @@ Just make sure `/mnt/user/appdata/sure-aio` is covered by your standard Unraid C
 
 - `Sure-AIO` now pins a specific upstream Sure version instead of following the floating `stable` tag.
 - The repo monitors stable upstream Sure tags and opens a PR when a newer stable version is released.
+- Upstream image digest drift is tracked separately so digest-only refreshes do not masquerade as version-bump PRs.
 - Every `main` package publish now ships the exact upstream version tag, an explicit AIO packaging line tag, `latest`, and `sha-<commit>`.
 - Formal wrapper releases follow the upstream version plus an AIO revision, such as `v0.6.8-aio.1`.
 - See the release workflow details in [docs/releases.md](docs/releases.md).
diff --git a/docs/power-user.md b/docs/power-user.md
@@ -65,6 +65,7 @@ Track LLM inference costs and app usage.
 2. **PostHog:** Fill in your `POSTHOG_KEY` and `HOST` to track user analytics.
 3. **Langfuse:** Fill in your `LANGFUSE_HOST`, `PUBLIC_KEY`, and `SECRET_KEY` to chart token usage, latency, and costs of your AI operations.
 4. If you use hosted Langfuse and prefer a region shortcut instead of a full host URL, set `LANGFUSE_REGION` to `us` or `eu`. If `LANGFUSE_HOST` is set, it wins over the region shortcut.
+5. **Skylight APM:** `SKYLIGHT_ENABLED` defaults to `false` in this AIO wrapper (image default + template field) so users do not need any extra external service for normal operation. If you explicitly want Skylight, set `SKYLIGHT_ENABLED=true` and provide `SKYLIGHT_AUTHENTICATION` from your Skylight app settings.
 
 ---
 
@@ -85,6 +86,8 @@ Sure relies on upstream providers for currency exchange rates and stock logos.
 *   **Paid API Keys (Optional):** If you prefer Twelve Data, add your API key and change **[API] Exchange Rate Provider** and **[API] Securities Provider** to `twelve_data`.
 *   **Logos:** Provide a **[API] Brandfetch Client ID** to automatically scrape high-res logos for your bank names and merchants.
 *   **High-res logos:** Set `BRAND_FETCH_HIGH_RES_LOGOS=true` if you want Sure to prefer larger Brandfetch logo assets where available.
+*   **Important override behavior:** If you set these provider and logo values in the Unraid template, upstream Sure treats them as env overrides and disables the matching controls in the self-hosting UI. In `sure-aio`, that is deliberate: the template is the power-user control plane.
+*   **Advanced provider tuning:** The template also exposes `TWELVE_DATA_URL`, `YAHOO_FINANCE_URL`, `YAHOO_FINANCE_MAX_RETRIES`, `YAHOO_FINANCE_RETRY_INTERVAL`, and `YAHOO_FINANCE_MIN_REQUEST_INTERVAL` if you need proxying or retry tuning.
 
 ---
 
@@ -100,8 +103,8 @@ To enable Single Sign-On (SSO):
    - `AUTH_JIT_MODE=link_only` if SSO should only link to existing users rather than auto-create them
    - `ALLOWED_OIDC_DOMAINS` to restrict which email domains may auto-create accounts through JIT SSO
 4. Optional button labels/icons are exposed too, along with dedicated Google and GitHub OAuth client fields if you want those providers separately.
-5. Upstream also supports additional named OIDC providers through env patterns like `OIDC_KEYCLOAK_*` or `OIDC_AUTHENTIK_*`. That is practical in raw compose files, but not cleanly representable in a static Unraid CA template. For this wrapper, the default generic OIDC path plus dedicated Google/GitHub options are exposed in the template; anything beyond that is a manual power-user customization.
-6. Upstream also uses `APP_URL` for some advanced SSO flows, especially SAML-style absolute callback and issuer generation. If you are doing advanced auth beyond the normal generic OIDC path, set `APP_URL` to your full external base URL such as `https://finance.example.com`.
+5. The template now also exposes `AUTH_PROVIDERS_SOURCE` plus named multi-provider envs like `OIDC_KEYCLOAK_*` and `OIDC_AUTHENTIK_*` if you want upstream's YAML-based or database-backed multi-provider SSO model.
+6. Upstream also uses `APP_URL` for advanced auth flows, especially absolute callback and issuer generation. If you are doing advanced auth beyond the normal generic OIDC path, set `APP_URL` to your full external base URL such as `https://finance.example.com`.
 
 ### SMTP Mail Relay (For Password Resets / Reports)
 1. Find the **[Email]** block.
@@ -179,6 +182,45 @@ For most Unraid installs, plain container logs are enough. If you want centraliz
 
 ---
 
+## 12. Sync, Plaid, and Runtime Tuning
+
+The template now exposes the main upstream runtime toggles that were previously only obvious in docs or code:
+
+1. **Sync scheduling**
+   - `AUTO_SYNC_ENABLED`
+   - `AUTO_SYNC_TIME`
+   - `AUTO_SYNC_TIMEZONE`
+2. **Pending transaction behavior**
+   - `SIMPLEFIN_INCLUDE_PENDING`
+   - `PLAID_INCLUDE_PENDING`
+   - Just like provider selection, these env overrides lock the matching Sync control in Sure's UI when set.
+3. **Plaid credentials**
+   - `PLAID_CLIENT_ID`
+   - `PLAID_SECRET`
+   - `PLAID_ENV`
+   - `PLAID_EU_CLIENT_ID`
+   - `PLAID_EU_SECRET`
+   - `PLAID_EU_ENV`
+4. **OpenAI compatibility tuning**
+   - `OPENAI_REQUEST_TIMEOUT`
+   - `LLM_JSON_MODE`
+   - `CATEGORIZATION_PROVIDER` / `CATEGORIZATION_MODEL`
+   - `CHAT_PROVIDER` / `CHAT_MODEL`
+5. **Auth and onboarding behavior**
+   - `REQUIRE_EMAIL_CONFIRMATION`
+   - `AUTH_PROVIDERS_SOURCE`
+6. **Database and SSL edge cases**
+   - `POSTGRES_DB`
+   - `SSL_CERT_FILE`
+7. **Advanced outbound networking**
+   - `HTTPS_PROXY`
+   - `HTTP_PROXY`
+   - `NO_PROXY`
+
+These are all legitimate upstream runtime knobs, but not all of them belong in a beginner walkthrough. They are here because `sure-aio` should expose the real self-hosting surface without forcing users to rebuild the image just to reach it.
+
+---
+
 ## Trial / Subscription Note
 
 Upstream `v0.6.9` is supposed to disable subscription and trial gating in self-hosted mode when `SELF_HOSTED=true`. The 45-day trial logic still exists in the codebase, but upstream guards it behind `app_mode != self_hosted`.
diff --git a/docs/releases.md b/docs/releases.md
@@ -2,6 +2,8 @@
 
 `sure-aio` uses upstream-version-plus-AIO-revision releases such as `v0.6.8-aio.1`.
 
+Stable upstream version monitoring and upstream image digest monitoring are separate concerns. Version bumps should open explicit upstream-update PRs, while digest-only refreshes should flow through normal dependency update automation.
+
 ## Version format
 
 - first wrapper release for upstream `v0.6.8`: `v0.6.8-aio.1`
diff --git a/rootfs/root/.skylight b/rootfs/root/.skylight
@@ -0,0 +1,2 @@
+---
+disable_env_warning: true
diff --git a/scripts/check-upstream.py b/scripts/check-upstream.py
@@ -251,9 +251,11 @@ def main() -> None:
     current_digest = read_local_digest(upstream)
     latest_version = latest_github_tag(str(upstream.get("repo", "")).strip(), stable_only)
     latest_digest = latest_ghcr_digest(str(upstream.get("image", "")).strip(), "latest")
-    updates_available = latest_version != current_version or latest_digest != current_digest
+    version_update_available = latest_version != current_version
+    digest_update_available = latest_digest != current_digest
+    updates_available = version_update_available
 
-    if os.environ.get("WRITE_UPSTREAM_VERSION") == "true" and updates_available:
+    if os.environ.get("WRITE_UPSTREAM_VERSION") == "true" and version_update_available:
         write_local_version(upstream, latest_version)
         write_local_digest(upstream, latest_digest)
 
@@ -270,6 +272,8 @@ def main() -> None:
             "current_digest": current_digest,
             "latest_digest": latest_digest,
             "updates_available": "true" if updates_available else "false",
+            "version_update_available": "true" if version_update_available else "false",
+            "digest_update_available": "true" if digest_update_available else "false",
             "strategy": str(upstream.get("strategy", "pr")).strip() or "pr",
             "upstream_name": str(upstream.get("name", "")).strip(),
             "release_notes_url": release_notes,
diff --git a/scripts/validate-template.py b/scripts/validate-template.py
@@ -24,10 +24,18 @@
     "AUTH_JIT_MODE",
     "AUTH_LOCAL_ADMIN_OVERRIDE_ENABLED",
     "AUTH_LOCAL_LOGIN_ENABLED",
+    "AUTH_PROVIDERS_SOURCE",
+    "AUTO_SYNC_ENABLED",
+    "AUTO_SYNC_TIME",
+    "AUTO_SYNC_TIMEZONE",
     "ALLOWED_OIDC_DOMAINS",
     "BRAND_FETCH_CLIENT_ID",
     "BRAND_FETCH_HIGH_RES_LOGOS",
     "BRAND_NAME",
+    "CATEGORIZATION_MODEL",
+    "CATEGORIZATION_PROVIDER",
+    "CHAT_MODEL",
+    "CHAT_PROVIDER",
     "CLOUDFLARE_ACCESS_KEY_ID",
     "CLOUDFLARE_ACCOUNT_ID",
     "CLOUDFLARE_BUCKET",
@@ -66,21 +74,42 @@
     "LANGFUSE_SECRET_KEY",
     "LEGAL_PRIVACY_URL",
     "LEGAL_TERMS_URL",
+    "LLM_JSON_MODE",
     "LOGTAIL_API_KEY",
     "LOGTAIL_INGESTING_HOST",
+    "HTTP_PROXY",
+    "HTTPS_PROXY",
     "MCP_API_TOKEN",
     "MCP_USER_EMAIL",
+    "NO_PROXY",
     "OIDC_BUTTON_ICON",
     "OIDC_BUTTON_LABEL",
+    "OIDC_AUTHENTIK_CLIENT_ID",
+    "OIDC_AUTHENTIK_CLIENT_SECRET",
+    "OIDC_AUTHENTIK_ISSUER",
+    "OIDC_AUTHENTIK_REDIRECT_URI",
     "OIDC_CLIENT_ID",
     "OIDC_CLIENT_SECRET",
     "OIDC_ISSUER",
+    "OIDC_KEYCLOAK_CLIENT_ID",
+    "OIDC_KEYCLOAK_CLIENT_SECRET",
+    "OIDC_KEYCLOAK_ISSUER",
+    "OIDC_KEYCLOAK_REDIRECT_URI",
     "OIDC_REDIRECT_URI",
     "ONBOARDING_STATE",
     "OPENAI_ACCESS_TOKEN",
     "OPENAI_MODEL",
+    "OPENAI_REQUEST_TIMEOUT",
     "OPENAI_SUPPORTS_PDF_PROCESSING",
     "OPENAI_URI_BASE",
+    "PLAID_CLIENT_ID",
+    "PLAID_ENV",
+    "PLAID_EU_CLIENT_ID",
+    "PLAID_EU_ENV",
+    "PLAID_EU_SECRET",
+    "PLAID_INCLUDE_PENDING",
+    "PLAID_SECRET",
+    "POSTGRES_DB",
     "POSTGRES_PASSWORD",
     "POSTGRES_USER",
     "POSTHOG_HOST",
@@ -96,22 +125,33 @@
     "REDIS_SENTINEL_MASTER",
     "REDIS_SENTINEL_USERNAME",
     "REDIS_URL",
+    "REQUIRE_EMAIL_CONFIRMATION",
     "S3_ACCESS_KEY_ID",
     "S3_BUCKET",
     "S3_REGION",
     "S3_SECRET_ACCESS_KEY",
     "SECRET_KEY_BASE",
     "SECURITIES_PROVIDER",
+    "SENTRY_DSN",
+    "SKYLIGHT_AUTHENTICATION",
+    "SKYLIGHT_ENABLED",
     "SMTP_ADDRESS",
     "SMTP_PASSWORD",
     "SMTP_PORT",
     "SMTP_TLS_ENABLED",
     "SMTP_USERNAME",
+    "SIMPLEFIN_INCLUDE_PENDING",
     "SSL_CA_FILE",
+    "SSL_CERT_FILE",
     "SSL_DEBUG",
     "SSL_VERIFY",
     "TWELVE_DATA_API_KEY",
+    "TWELVE_DATA_URL",
     "VECTOR_STORE_PROVIDER",
+    "YAHOO_FINANCE_MAX_RETRIES",
+    "YAHOO_FINANCE_MIN_REQUEST_INTERVAL",
+    "YAHOO_FINANCE_RETRY_INTERVAL",
+    "YAHOO_FINANCE_URL",
 }
 
 
diff --git a/sure-aio.xml b/sure-aio.xml
