v0.7.5 — Plugin install hotfix (CSP + bind-mount perms)
Hotfix
Two prod-blocking bugs uncovered while testing the 0.7.4 plugin install flow against a live self-hosted instance.
Fixes
-
Resolve plugin install URL server-side. 0.7.4 added a frontend
fetch()toapi.github.comto prefer a Release asset over the GitHub-generated source tarball. The prod CSP blocksapi.github.comfromconnect-src, so the fetch silently failed and the install fell back to the source tarball — same broken end state as 0.7.3 for plugins like kedaewyn/Leonarr that don't commitdist/to their repo. The resolution now lives backend-side (already trusted with GitHub calls for the update check), so the fix actually applies in prod. The/plugins/installendpoint accepts{ repository }from the registry path and a raw{ url }for manual installs. -
Auto-chown the plugins directory at boot. Self-hosters with a host bind-mount for
/app/packages/plugins(the docker-compose default) hitEACCESwhen Oscarr tried tomkdirthe staging dir for an install — the host directory wasn't owned by uid 1001 (the in-containeroscarruser). The entrypoint nowchowns +chmod 2775(setgid) the plugins dir at boot, the same way it already handles/data. Files dropped by the host maintainer keep the right group and both sides can write.
If GITHUB_TOKEN is set on the Oscarr container's env, the install resolution path uses it — useful if your registry's source is rate-limited.
Full changelog: v0.7.4...v0.7.5
Upgrading
```
docker pull ghcr.io/arediss/oscarr:0.7.5
```
or
```
docker pull ghcr.io/arediss/oscarr:latest
```