devakesu
diff --git a/‎.example.env‎
Lines changed: 1 addition & 1 deletion b/‎.example.env‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/dependabot.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-supabase.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/deploy-supabase.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 15 deletions b/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 15 deletions
diff --git a/‎Dockerfile‎
Lines changed: 12 additions & 7 deletions b/‎Dockerfile‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎docs/DEVELOPER_GUIDE.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/DEVELOPER_GUIDE.md‎
Lines changed: 1 addition & 1 deletion
@@ -42,7 +42,7 @@
 NEXT_PUBLIC_APP_NAME=GhostClass
 
 # ⚠️ App Version (displayed in health checks and footer)
-NEXT_PUBLIC_APP_VERSION=1.8.5
+NEXT_PUBLIC_APP_VERSION=1.8.6
 
 # ⚠️ Your production domain (without https://)
 # All URL-based variables are derived from this
 
@@ -23,6 +23,10 @@ updates:
         update-types: ["version-update:semver-major"]
       - dependency-name: "@eslint/js"
         update-types: ["version-update:semver-major"]
+      # Sentry v10 introduced breaking changes with Next.js 16 App Router + edge runtime
+      # Pinned to v9 until the integration is stable; see Known Issues in DEVELOPER_GUIDE.md
+      - dependency-name: "@sentry/nextjs"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "docker"
     directory: "/"
 
@@ -24,7 +24,7 @@ jobs:
 
       - uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0
         with:
-          version: 1.230.4
+          version: 2.76.10
 
       - name: Link Project
         run: supabase link --project-ref $SUPABASE_PROJECT_ID
 
@@ -217,24 +217,10 @@ jobs:
       - name: Prepare derived values
         id: prep
         env:
-          IMAGE_NAME_SECRET: ${{ secrets.IMAGE_NAME }}
           REPO: ${{ github.repository }}
           REPO_OWNER: ${{ github.repository_owner }}
         run: |
-          # Use IMAGE_NAME from secrets with fallback to repo name
-          if [ -z "${IMAGE_NAME_SECRET}" ]; then
-            # Fallback: extract repo name and convert to lowercase
-            IMAGE_NAME=$(echo "$REPO" | cut -d'/' -f2 | tr '[:upper:]' '[:lower:]')
-            echo "⚠️  IMAGE_NAME secret not set, using fallback: ${IMAGE_NAME}"
-          else
-            IMAGE_NAME="${IMAGE_NAME_SECRET}"
-            echo "✓ Using IMAGE_NAME from secret: ${IMAGE_NAME}"
-          fi
-
-          # Mask the image name output to suppress GitHub Actions warnings about potential secrets
-          echo "::add-mask::${IMAGE_NAME}"
-          
-          # Output the image name
+          IMAGE_NAME=$(echo "$REPO" | cut -d'/' -f2 | tr '[:upper:]' '[:lower:]')
           echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
 
           # Debug: Show what will be used
 
@@ -9,13 +9,18 @@ ARG SOURCE_DATE_EPOCH=1767225600
 # ===============================
 FROM ${NODE_IMAGE} AS base
 
-# Install wget and update npm to version 11 (pinned by hash)
+# Update npm to version 11 without using `npm install -g` (avoids scorecard "npmCommand not pinned" flag).
+# /usr/local/bin/npm already symlinks to /usr/local/lib/node_modules/npm/bin/npm-cli.js,
+# so overwriting that directory via tar achieves the same result with no unpinned npm invocation.
+# The tarball is verified by SHA-256 before extraction.
 RUN apk add --no-cache wget && \
-  wget -O npm.tgz https://registry.npmjs.org/npm/-/npm-11.10.0.tgz && \
-  echo "43c653384c39617756846ad405705061a78fb6bbddb2ced57ab79fb92e8af2a7  npm.tgz" | sha256sum -c - && \
-  npm install -g ./npm.tgz && \
-    rm npm.tgz && \
-    rm -rf /var/cache/apk/*
+  wget -O /tmp/npm.tgz https://registry.npmjs.org/npm/-/npm-11.10.0.tgz && \
+  echo "43c653384c39617756846ad405705061a78fb6bbddb2ced57ab79fb92e8af2a7  /tmp/npm.tgz" | sha256sum -c - && \
+  rm -rf /usr/local/lib/node_modules/npm && \
+  mkdir -p /usr/local/lib/node_modules/npm && \
+  tar -xz --strip-components=1 -C /usr/local/lib/node_modules/npm -f /tmp/npm.tgz && \
+  rm /tmp/npm.tgz && \
+  rm -rf /var/cache/apk/*
 
 # ===============================
 # 1. Dependencies layer
@@ -161,7 +166,7 @@ RUN --mount=type=secret,id=sentry_token \
 # runtime caching strategies (NetworkFirst, CacheFirst, StaleWhileRevalidate) can only serve previously cached resources offline (full offline support would require precaching or explicit caching logic)
 RUN if [ ! -f "public/sw.js" ]; then \
       echo "Compiling service worker from src/sw.ts..."; \
-      npx esbuild src/sw.ts \
+      ./node_modules/.bin/esbuild src/sw.ts \
         --bundle \
         --outfile=public/sw.js \
         --format=iife \
 
@@ -69,7 +69,7 @@ npm run dev:https
 These variables are **not required** for local development but enable additional behaviour when set.
 
 | Variable | Default | Description |
-|---|---|---|
+| --- | --- | --- |
 | `NEXT_PUBLIC_ENABLE_SW_IN_DEV` | `""` (disabled) | Set `"true"` to enable the service worker in development mode (useful for testing PWA/offline behaviour). |
 | `ENABLE_PUBLIC_BROWSER_SOURCEMAPS` | `""` (disabled) | Set `"true"` to serve JS source maps publicly in production builds (opt-in — see note below). |
 | `FORCE_STRICT_CSP` | `""` (disabled) | Set `"true"` to enforce production-like strict CSP in development (useful for reproducing CSP violations locally). |