Releases: ill-yes/steam-bee
Release list
SteamBee 1.0.3
Security
- Enforce 16-byte AES-GCM authentication tags and strict encrypted-payload validation.
- Make setup-token creation race-free and keep data directories, database files, instance secrets, and setup tokens private by default.
- Bound correlation IDs, redact credentials from errors and events, disable API response caching, and apply instance-wide admin authentication throttling.
- Cancel expired QR login polling and reject stale authentication events.
- Validate proxy trust as an exact hop count or trusted IP/CIDR list; use
TRUST_PROXY=1for one reverse proxy.
Container and supply chain
- Pin Node.js 22.23.1 by multi-architecture digest and remove npm, Corepack, and Yarn from the runtime image.
- Run with UID/GID 10001, a read-only root filesystem, all capabilities dropped, and a 256-process limit.
- Gate releases with dependency audit, Trivy HIGH/CRITICAL scanning, amd64 smoke tests, and SHA-pinned GitHub Actions.
- Publish linux/amd64 and linux/arm64 images with SBOM, provenance, and GitHub artifact attestations.
Deployment
- GHCR tags:
1.0.3,1.0, andlatest. - The included Compose files are updated for VPS and Unraid deployments, including safer backups and a Community Apps template.
- Existing clones must rebase or clone again because historical commit metadata and earlier release tags were rewritten to remove a private author email. File contents of the rewritten commits are unchanged.
Verify the image with:
gh attestation verify oci://ghcr.io/ill-yes/steam-bee:1.0.3 --repo ill-yes/steam-beeSteamBee 1.0.2
SteamBee 1.0.2 improves the public Docker deployment path without changing the application API or database schema.
Changes
- Pin the runtime identity to UID/GID
10001:10001for predictable VPS, NAS, and Unraid bind-mount permissions. - Make
compose.image.ymldirectly usable with the pinnedghcr.io/ill-yes/steam-bee:1.0.2image while preservingSTEAM_BEE_IMAGEoverrides. - Keep local backup archives out of Git and the Docker build context.
- Make restore operations remove stale visible files and dotfiles before extracting a backup.
- Put the prebuilt-image quick start first and clarify host-based versus container-based reverse proxy setups.
- Verify the runtime identity in the CI read-only container smoke test.
Install
git clone https://github.com/ill-yes/steam-bee.git
cd steam-bee
docker compose -f compose.image.yml up -dOpen http://127.0.0.1:3000 by default. See the README for remote access, reverse proxy, Unraid, backup, restore, and update instructions.
Container images
ghcr.io/ill-yes/steam-bee:1.0.2- immutable patch releaseghcr.io/ill-yes/steam-bee:1.0- latest 1.0 patchghcr.io/ill-yes/steam-bee:latest- latest stable release
All stable tags currently resolve to the same OCI manifest digest and support linux/amd64 and linux/arm64. BuildKit provenance attestations are published alongside both platform images.
SteamBee 1.0.1
SteamBee 1.0.1 is a release-hardening patch with no application API or database changes.
Changes
- Updates Vite and Vitest to patched versions, removing all open Dependabot security alerts from the default branch
- Corrects OCI image metadata to use the
SteamBeeproduct name andAGPL-3.0-or-laterlicense identifier - Updates prebuilt-image examples to the current stable tag
Install
Use ghcr.io/ill-yes/steam-bee:1.0.1 for repeatable deployments. The 1.0 and latest tags point to the same multi-architecture image for linux/amd64 and linux/arm64.
See the deployment guide for Compose, reverse-proxy, backup, restore, and update instructions.
SteamBee 1.0.0
SteamBee 1.0.0 is the first public release.
Highlights
- Self-hosted management UI for boosting playtime on your own Steam accounts
- Account, game library, preset, schedule, QR login, event, and admin workflows
- English fallback with lazy-loaded community translations, including RTL support
- Hardened single-container deployment with SQLite persistence, setup-token protection, readiness checks, and a read-only root filesystem
- Multi-architecture images for
linux/amd64andlinux/arm64, published with OCI metadata, provenance, and an SBOM
Install
Use the prebuilt image with compose.image.yml, or build locally with compose.yml. See the deployment guide for setup, reverse-proxy configuration, updates, backup, and restore instructions.
Image: ghcr.io/ill-yes/steam-bee:1.0.0
Security
A fresh instance requires its one-time setup token before the administrator account can be created. Keep .env, /data, backups, and setup tokens outside version control. Please report vulnerabilities privately through GitHub Security Advisories.