chore(release): set APP_VERSION to v1.8.7 [skip ci]

.github/workflows/release-on-version.yml

@@ -3,12 +3,20 @@ name: Release on version.js update
 
 on:
   push:
-    branches: ["master"] # keep as-is; change to ["master","main"] if you use main too
+    branches: ["master"]
     paths:
       - public/js/version.js
   workflow_run:
     workflows: ["Bump version and sync Changelog to Docker Repo"]
     types: [completed]
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Ref (branch or SHA) to build from (default: origin/master)"
+        required: false
+      version:
+        description: "Explicit version tag to release (e.g., v1.8.6). If empty, auto-detect."
+        required: false
 
 permissions:
   contents: write
@@ -27,37 +35,94 @@ jobs:
     # Guard: Only run on trusted workflow_run events (pushes from this repo)
     if: >
       github.event_name == 'push' ||
+      github.event_name == 'workflow_dispatch' ||
       (github.event_name == 'workflow_run' &&
        github.event.workflow_run.event == 'push' &&
        github.event.workflow_run.head_repository.full_name == github.repository)
 
+    # Use run_id for a stable, unique key
     concurrency:
-      # Ensure concurrency key follows the actual source ref
+      group: release-${{ github.run_id }}
-      group: release-${{ github.event_name }}-${{ github.event.workflow_run.head_sha || github.sha }}
       cancel-in-progress: false
 
     steps:
-      - name: Resolve correct ref
+      - name: Checkout (fetch all)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Ensure tags + master available
+        shell: bash
+        run: |
+          git fetch --tags --force --prune --quiet
+          git fetch origin master --quiet
+
+      - name: Resolve source ref + (maybe) version
         id: pickref
         shell: bash
         run: |
-          if [ "${{ github.event_name }}" = "workflow_run" ]; then
+          set -euo pipefail
-            echo "ref=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-          fi
-          echo "Using ref: $(cat $GITHUB_OUTPUT)"
 
-      - name: Checkout
+          # Defaults
+          REF=""
+          VER=""
+          SRC=""
+
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            # manual run
+            REF_IN="${{ github.event.inputs.ref }}"
+            VER_IN="${{ github.event.inputs.version }}"
+            if [[ -n "$REF_IN" ]]; then
+              # Try branch/sha; fetch branch if needed
+              git fetch origin "$REF_IN" --quiet || true
+              if REF_SHA="$(git rev-parse --verify --quiet "$REF_IN")"; then
+                REF="$REF_SHA"
+              else
+                echo "Provided ref '$REF_IN' not found" >&2
+                exit 1
+              fi
+            else
+              REF="$(git rev-parse origin/master)"
+            fi
+            if [[ -n "$VER_IN" ]]; then
+              VER="$VER_IN"
+              SRC="manual-version"
+            fi
+          elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            REF="${{ github.event.workflow_run.head_sha }}"
+          else
+            REF="${{ github.sha }}"
+          fi
+
+          # If no explicit version, try to find the latest bot bump reachable from REF
+          if [[ -z "$VER" ]]; then
+            # Search recent history reachable from REF
+            BOT_SHA="$(git log "$REF" -n 200 --author='github-actions[bot]' --grep='set APP_VERSION to v' --pretty=%H | head -n1 || true)"
+            if [[ -n "$BOT_SHA" ]]; then
+              SUBJ="$(git log -n1 --pretty=%s "$BOT_SHA")"
+              BOT_VER="$(sed -n 's/.*set APP_VERSION to \(v[^ ]*\).*/\1/p' <<<"${SUBJ}")"
+              if [[ -n "$BOT_VER" ]]; then
+                VER="$BOT_VER"
+                REF="$BOT_SHA"   # build/tag from the bump commit
+                SRC="bot-commit"
+              fi
+            fi
+          fi
+
+          # Output
+          REF_SHA="$(git rev-parse "$REF")"
+          echo "ref=$REF_SHA"           >> "$GITHUB_OUTPUT"
+          echo "source=${SRC:-event-ref}" >> "$GITHUB_OUTPUT"
+          echo "preversion=${VER}"      >> "$GITHUB_OUTPUT"
+          echo "Using source=${SRC:-event-ref} ref=$REF_SHA"
+          if [[ -n "$VER" ]]; then echo "Pre-resolved version=$VER"; fi
+
+      - name: Checkout chosen ref
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ steps.pickref.outputs.ref }}
 
-      - name: Ensure tags available
-        run: git fetch --tags --force --prune --quiet
-
-      # Guard: refuse if the ref isn’t contained in master
       - name: Assert ref is on master
         shell: bash
         run: |
@@ -66,26 +131,35 @@ jobs:
           git fetch origin master --quiet
           if ! git merge-base --is-ancestor "$REF" origin/master; then
             echo "Ref $REF is not on master; refusing to release."
-            exit 78  # neutral exit
+            exit 78
           fi
 
-      - name: Debug version.js origin
+      - name: Debug version.js provenance
+        shell: bash
         run: |
-          echo "version.js at commit: $(git log -n1 --pretty=%h -- public/js/version.js)"
+          echo "version.js last-change commit: $(git log -n1 --pretty='%h %s' -- public/js/version.js || echo 'none')"
           sed -n '1,20p' public/js/version.js || true
 
-      - name: Read version from version.js
+      - name: Determine version
         id: ver
         shell: bash
         run: |
           set -euo pipefail
-          VER=$(grep -Eo "APP_VERSION\s*=\s*['\"]v[^'\"]+['\"]" public/js/version.js | sed -E "s/.*['\"](v[^'\"]+)['\"].*/\1/")
+          # Prefer pre-resolved version (manual input or bot commit)
+          if [[ -n "${{ steps.pickref.outputs.preversion }}" ]]; then
+            VER="${{ steps.pickref.outputs.preversion }}"
+            echo "version=$VER" >> "$GITHUB_OUTPUT"
+            echo "Parsed version (pre-resolved): $VER"
+            exit 0
+          fi
+          # Fallback to version.js
+          VER="$(grep -Eo "APP_VERSION\s*=\s*['\"]v[^'\"]+['\"]" public/js/version.js | sed -E "s/.*['\"](v[^'\"]+)['\"].*/\1/")"
           if [[ -z "$VER" ]]; then
             echo "Could not parse APP_VERSION from version.js" >&2
             exit 1
           fi
           echo "version=$VER" >> "$GITHUB_OUTPUT"
-          echo "Parsed version: $VER"
+          echo "Parsed version (file): $VER"
 
       - name: Skip if tag already exists
         id: tagcheck

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## Changes 11/5/2025 (v1.8.7)
+
+release(v1.8.7): fix(zip-download): stream clean ZIP response and purge stale temp archives
+
+- FileController::downloadZip
+  - Remove _jsonStart/_jsonEnd and JSON wrappers; send a pure binary ZIP
+  - Close session locks, disable gzip/output buffering, set Content-Length when known
+  - Stream in 1MiB chunks; proper HTTP codes/messages on errors
+  - Unlink the temp ZIP after successful send
+  - Preserves all auth/ACL/ownership checks
+
+- FileModel::createZipArchive
+  - Purge META_DIR/ziptmp/download-*.zip older than 6h before creating a new ZIP
+
+Result: fixes “failed to fetch / load failed” with fetch>blob flow and reduces leftover tmp ZIPs.
+
+---
+
 ## Changes 11/4/2025 (v1.8.6)
 
 release(v1.8.6): fix large ZIP downloads + safer extract; close #60

public/js/version.js

@@ -1,2 +1,2 @@
 // generated by CI
-window.APP_VERSION = 'v1.8.5';
+window.APP_VERSION = 'v1.8.7';

src/controllers/FileController.php

@@ -667,75 +667,96 @@ public function deleteFiles()
 
     public function downloadZip()
     {
-        $this->_jsonStart();
         try {
-            if (!$this->_checkCsrf()) return;
+            
-            if (!$this->_requireAuth()) return;
+            if (!$this->_checkCsrf()) { http_response_code(400); echo "Bad CSRF"; return; }
-
+            if (!$this->_requireAuth()) { http_response_code(401); echo "Unauthorized"; return; }
+    
             $data = $this->_readJsonBody();
             if (!is_array($data) || !isset($data['folder'], $data['files']) || !is_array($data['files'])) {
-                $this->_jsonOut(["error" => "Invalid input."], 400); return;
+                http_response_code(400); echo "Invalid input."; return;
             }
-
+    
             $folder = $this->_normalizeFolder($data['folder']);
             $files  = $data['files'];
-            if (!$this->_validFolder($folder)) { $this->_jsonOut(["error"=>"Invalid folder name."], 400); return; }
+            if (!$this->_validFolder($folder)) { http_response_code(400); echo "Invalid folder name."; return; }
-
+    
             $username = $_SESSION['username'] ?? '';
             $perms    = $this->loadPerms($username);
-
+    
             // Optional zip gate by account flag
             if (!$this->isAdmin($perms) && !empty($perms['disableZip'])) {
-                $this->_jsonOut(["error" => "ZIP downloads are not allowed for your account."], 403); return;
+                http_response_code(403); echo "ZIP downloads are not allowed for your account."; return;
             }
-
+    
             $ignoreOwnership = $this->isAdmin($perms)
                 || ($perms['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
-
+    
             // Ancestor-owner counts as full view
             $fullView = $ignoreOwnership
                 || ACL::canRead($username, $perms, $folder)
                 || $this->ownsFolderOrAncestor($folder, $username, $perms);
             $ownOnly  = !$fullView && ACL::hasGrant($username, $folder, 'read_own');
-
+    
-            if (!$fullView && !$ownOnly) {
+            if (!$fullView && !$ownOnly) { http_response_code(403); echo "Forbidden: no view access to this folder."; return; }
-                $this->_jsonOut(["error" => "Forbidden: no view access to this folder."], 403); return;
+    
-            }
-
-            // If own-only, ensure all files are owned by the user
             if ($ownOnly) {
                 $meta = $this->loadFolderMetadata($folder);
                 foreach ($files as $f) {
                     $bn = basename((string)$f);
                     if (!isset($meta[$bn]['uploader']) || strcasecmp((string)$meta[$bn]['uploader'], $username) !== 0) {
-                        $this->_jsonOut(["error" => "Forbidden: you are not the owner of '{$bn}'."], 403); return;
+                        http_response_code(403); echo "Forbidden: you are not the owner of '{$bn}'."; return;
                     }
                 }
             }
-
+    
             $result = FileModel::createZipArchive($folder, $files);
-            if (isset($result['error'])) {
+            if (isset($result['error'])) { http_response_code(400); echo $result['error']; return; }
-                $this->_jsonOut(["error" => $result['error']], 400); return;
+    
-            }
-
             $zipPath = $result['zipPath'] ?? null;
-            if (!$zipPath || !file_exists($zipPath)) { $this->_jsonOut(["error"=>"ZIP archive not found."], 500); return; }
+            if (!$zipPath || !is_file($zipPath)) { http_response_code(500); echo "ZIP archive not found."; return; }
-
+    
-            // switch to file streaming
+            // ---- Clean binary stream setup ----
+            @session_write_close();
+            @set_time_limit(0);
+            @ignore_user_abort(true);
+            if (function_exists('apache_setenv')) { @apache_setenv('no-gzip', '1'); }
+            @ini_set('zlib.output_compression', '0');
+            @ini_set('output_buffering', 'off');
+            while (ob_get_level() > 0) { @ob_end_clean(); }
+    
+            @clearstatcache(true, $zipPath);
+            $size = (int)@filesize($zipPath);
+    
+            header('X-Accel-Buffering: no');
             header_remove('Content-Type');
             header('Content-Type: application/zip');
+            // Client sets the final name via a.download in your JS; server can be generic
             header('Content-Disposition: attachment; filename="files.zip"');
-            header('Content-Length: ' . filesize($zipPath));
+            if ($size > 0) header('Content-Length: ' . $size);
             header('Cache-Control: no-store, no-cache, must-revalidate');
             header('Pragma: no-cache');
-
+    
-            readfile($zipPath);
+            $fp = fopen($zipPath, 'rb');
+            if ($fp === false) { http_response_code(500); echo "Failed to open ZIP."; return; }
+    
+            $chunk = 1048576; // 1 MiB
+            while (!feof($fp)) {
+                $buf = fread($fp, $chunk);
+                if ($buf === false) break;
+                echo $buf;
+                flush();
+            }
+            fclose($fp);
             @unlink($zipPath);
             exit;
+    
         } catch (Throwable $e) {
             error_log('FileController::downloadZip error: '.$e->getMessage().' @ '.$e->getFile().':'.$e->getLine());
-            $this->_jsonOut(['error' => 'Internal server error while preparing ZIP.'], 500);
+            if (!headers_sent()) http_response_code(500);
-        } finally { $this->_jsonEnd(); }
+            echo "Internal server error while preparing ZIP.";
+        }
+        
     }
 
     public function extractZip()

src/models/FileModel.php

@@ -557,6 +557,13 @@ class FileModel {
      * @return array An associative array with either an "error" key or a "zipPath" key.
      */
     public static function createZipArchive($folder, $files) {
+
+        // (optional) purge old temp zips > 6h
+        $zipRoot = rtrim((string)META_DIR, '/\\') . DIRECTORY_SEPARATOR . 'ziptmp';
+        $now = time();
+        foreach (glob($zipRoot . DIRECTORY_SEPARATOR . 'download-*.zip') ?: [] as $zp) {
+            if (is_file($zp) && ($now - @filemtime($zp)) > 21600) { @unlink($zp); }
+        }
         // Normalize and validate target folder
         $folder = trim((string)$folder) ?: 'root';
         $baseDir = realpath(UPLOAD_DIR);