Merge remote-tracking branch 'hugo/master' into wt-cspell

.github/ISSUE_TEMPLATE/bug_report.md

@@ -78,4 +78,4 @@ assignees: ''
 <!-- If applicable, you may add screenshots to help explain your problem. -->
 
 
-**Are you planning send a PR to fix it?**
+**Are you planning to send a PR to fix it?**

.github/ISSUE_TEMPLATE/feature_request.md

@@ -26,4 +26,4 @@ assignees: ''
 <!-- Add any other context or screenshots about the feature request here. -->
 
 
-**Are you planning send a PR to add it?**
+**Are you planning to send a PR to add it?**

.github/workflows/appspot.yaml

@@ -23,7 +23,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 22
           registry-url: 'https://registry.npmjs.org'
 
       - uses: ./.github/workflows/custom-actions/prep-for-appspot

.github/workflows/build-and-test.yaml

@@ -31,6 +31,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
 
       - name: Lint
         run: python build/check.py
@@ -104,6 +105,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
 
       # Older versions of Safari can be installed, but not to the root, and it
       # can't replace the standard version, at least not on GitHub's VMs.  If
@@ -256,6 +258,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
 
       - name: Docker
         run: |

.github/workflows/demo-version-index.yaml

@@ -30,6 +30,7 @@ jobs:
         with:
           # We need a list of all tags for this, so fetch the entire history.
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: google-github-actions/auth@v2
         with:

.github/workflows/nightly-demo.yaml

@@ -22,7 +22,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 22
           registry-url: 'https://registry.npmjs.org'
 
       # The nightly demo has its own receiver app ID that points to the nightly

.github/workflows/release-please.yaml

@@ -40,6 +40,10 @@ jobs:
           ref: main
           # Use a special shaka-bot access token for releases.
           token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+          # We want to explicitly use these credentials to push a tag.
+          # The job is only one more step, so they don't leak.
+          persist-credentials: true
+
       - name: Tag the main branch
         run: |
           # Set missing git config for the tag.
@@ -63,7 +67,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 22
           registry-url: 'https://registry.npmjs.org'
 
       - name: Compute NPM tags
@@ -136,7 +140,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 22
           registry-url: 'https://registry.npmjs.org'
 
       - name: Compute appspot subdomain and promotion
@@ -189,6 +193,9 @@ jobs:
           fetch-depth: 0
           # Use a special shaka-bot access token for releases.
           token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+          # We want to explicitly use these credentials to create the branch.
+          # The job is only one more step, so they don't leak.
+          persist-credentials: true
 
       - name: Create release branch
         run: |

.github/workflows/report-incremental-coverage.yaml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Compute incremental code coverage
         id: compute

.github/workflows/selenium-lab-tests.yaml

@@ -84,6 +84,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.compute-sha.outputs.SHA }}
+          persist-credentials: false
 
       - name: Install dependencies
         run: npm ci
@@ -154,6 +155,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.compute-sha.outputs.SHA }}
+          persist-credentials: false
 
       - name: Set commit status to pending
         if: ${{ inputs.skip_test_status == false }}
@@ -235,6 +237,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.compute-sha.outputs.SHA }}
+          persist-credentials: false
 
       - name: Set commit status to pending
         if: ${{ inputs.skip_commit_status == false }}
@@ -247,7 +250,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 22
           registry-url: 'https://registry.npmjs.org'
 
       # The Docker image for this self-hosted runner doesn't contain java.

.github/workflows/sync-labels.yaml

@@ -26,6 +26,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: shaka-project/shaka-github-tools
+          persist-credentials: false
 
       # TODO: revert to micnncim and new release after landing
       #       https://github.com/micnncim/action-label-syncer/pull/68

.github/workflows/talk-to-shaka-bot.yaml

@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Handle command
         shell: bash

.github/workflows/update-issues.yaml

@@ -23,6 +23,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: shaka-project/shaka-github-tools
+          persist-credentials: false
 
       - name: Update Issues
         env:

.github/workflows/update-screenshots.yaml

@@ -8,7 +8,7 @@ on:
     # avoid malicious code executing in the lab.
     inputs:
       pr:
-        description: "A PR number to build and test in the lab.  Required even if \"pr\" is given."
+        description: "A PR number to build and test in the lab."
         required: true
 
 jobs:
@@ -29,10 +29,16 @@ jobs:
     name: Set Pending Status
     needs: compute-sha
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.compute-sha.outputs.SHA }}
+          persist-credentials: false
 
       - name: Set commit status to pending
         uses: shaka-project/shaka-github-tools/set-commit-status@main
@@ -45,6 +51,11 @@ jobs:
     name: Get Selenium Lab Screenshots
     needs: [set-pending-status]
     uses: ./.github/workflows/selenium-lab-tests.yaml
+
+    permissions:
+      # "Write" to statuses to update commit status, needed by nested jobs.
+      statuses: write
+
     with:
       # Pass the pre-computed SHA directly to the nested workflow.
       # Do NOT pass "pr" and reinterpret it into a SHA in the nested workflow.
@@ -53,14 +64,19 @@ jobs:
       ignore_test_status: true
       job_name_prefix: "Get Selenium Lab Screenshots / "
 
-  update-pr:
-    name: Update PR
+  commit-new-screenshots:
+    name: Commit New Screenshots
     runs-on: ubuntu-latest
     needs: [compute-sha, run-lab-tests]
+    # NOTE: NO PERMISSIONS ON THIS JOB.  It runs PR-author-controlled code from
+    # the PR, and so must be untrusted!
+
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.compute-sha.outputs.SHA }}
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Get artifacts
         uses: actions/download-artifact@v4
@@ -71,30 +87,82 @@ jobs:
 
       - name: Update screenshots
         run: |
+          # NOTE: Steps of this could be influenced by the PR author, which is
+          # why we run this job without any accessible tokens or special
+          # permissions.
+
           # Install prerequisites.
           npm ci
 
           # Update the official screenshots for any that have visibly changed.
           # This is not a byte-for-byte comparison, but based on pixel diffs.
           ./build/updateScreenshots.py
 
-          # Emulate the actions bot.
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          # Act as Shaka Bot.
+          git config user.name "shaka-bot"
+          git config user.email "shaka-[email protected]"
 
-          # Commit the changes.  Ignore failure, in case there are no changes.
+          # Commit the changes to the screenshots only.  Ignore failure, in
+          # case there are no changes.
           git add test/test/assets/screenshots/*/*.png || true
           git commit -m ':robot: Update all screenshots' || true
 
+      - name: Cache Commits
+        # Here we cache commits, made above in an untrusted job, to pull into a
+        # separate, trusted job with permission to push to the repo.  The
+        # untrusted job can't pollute the environment of the trusted job by,
+        # say, modifying /usr/bin/gh.
+        uses: actions/cache/save@v4
+        with:
+          path: .git/
+          key: screenshot-commits-${{ needs.compute-sha.outputs.SHA }}
+
+      - name: Debug
+        uses: mxschmitt/[email protected]
+        with:
+          limit-access-to-actor: true
+        if: failure()
+
+  update-pr:
+    name: Update PR
+    runs-on: ubuntu-latest
+    needs: [compute-sha, commit-new-screenshots]
+
+    # NOTE: No granular permissions here, because we use SHAKA_BOT_TOKEN
+    # instead of the default token.  The action to push to the PR must be done
+    # by an actor with permission, and the default GitHub token doesn't work.
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.compute-sha.outputs.SHA }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Restore Commits
+        # Here we restore commits, made above in the above untrusted job, to
+        # pull into this trusted job.  See comments above on "Cache Commits".
+        uses: actions/cache/restore@v4
+        with:
+          path: .git/
+          key: screenshot-commits-${{ needs.compute-sha.outputs.SHA }}
+
       - name: Update PR
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.SHAKA_BOT_TOKEN }}
         run: |
           # Update the PR.
+
+          # Compute the destination for the push.  This uses the GitHub API
+          # because this workflow is not triggered directly by a PR, so there
+          # is no context variable that supplies these details.
           PR_API_URL="/repos/${{ github.repository }}/pulls/${{ inputs.pr }}"
           REMOTE=$(gh api $PR_API_URL | jq -r .head.repo.html_url)
           BRANCH=$(gh api $PR_API_URL | jq -r .head.ref)
 
+          # Lean on $GH_TOKEN to authenticate the push.
+          gh auth setup-git
+
           # If there were no changes, this will do nothing, but succeed.
           git push "$REMOTE" HEAD:"$BRANCH"
 
@@ -107,13 +175,19 @@ jobs:
   set-final-status:
     name: Set Final Status
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     needs: [compute-sha, run-lab-tests, update-pr]
     # Will run on success or failure, but not if the workflow is cancelled.
     if: ${{ success() || failure() }}
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.compute-sha.outputs.SHA }}
+          persist-credentials: false
 
       - name: Compute final status
         id: compute

demo/config.js

@@ -483,7 +483,6 @@ shakaDemo.Config = class {
             'streaming.inaccurateManifestTolerance',
             /* canBeDecimal= */ true)
         .addBoolInput_('Low Latency Mode', 'streaming.lowLatencyMode')
-        .addBoolInput_('Auto Low Latency Mode', 'streaming.autoLowLatencyMode')
         .addBoolInput_('Force HTTP', 'streaming.forceHTTP')
         .addBoolInput_('Force HTTPS', 'streaming.forceHTTPS')
         .addNumberInput_('Min bytes for progress events',

docs/tutorials/config.md

@@ -122,7 +122,8 @@ buffering settings) while some will not have any effect until the next call to
 
 #### Low latency streaming
 
-With `.streaming.lowLatencyMode` set to true,
+With `.streaming.lowLatencyMode` set to true and the manifest is Low Latency,
+Shaka uses a Low Latency config:
 `.streaming.inaccurateManifestTolerance` is set to 0 by default,
 `.streaming.segmentPrefetchLimit` is set to 2 by default,
 `.streaming.updateIntervalSeconds` is set to 0.1 by default,
@@ -134,11 +135,10 @@ With `.streaming.lowLatencyMode` set to true,
 
 To customize the values of inaccurateManifestTolerance, rebufferingGoal,
 segmentPrefetchLimit, updateIntervalSeconds and baseDelay with low latency
-mode, you can set the fields in the same or subsequent call to configure().
+mode, you can set the fields in the call to configurationForLowLatency().
 ```js
-player.configure({
+player.configurationForLowLatency({
   streaming: {
-    lowLatencyMode: true,
     inaccurateManifestTolerance: 0,
     segmentPrefetchLimit: 2,
     updateIntervalSeconds: 0.1,

externs/shaka/manifest_parser.js

@@ -132,8 +132,6 @@ shaka.extern.ManifestParser = class {
  *   onEvent: function(!Event),
  *   onError: function(!shaka.util.Error),
  *   isLowLatencyMode: function():boolean,
- *   isAutoLowLatencyMode: function():boolean,
- *   enableLowLatencyMode: function(),
  *   updateDuration: function(),
  *   newDrmInfo: function(shaka.extern.Stream),
  *   onManifestUpdated: function(),
@@ -167,10 +165,6 @@ shaka.extern.ManifestParser = class {
  *   Should be called when an error occurs.
  * @property {function():boolean} isLowLatencyMode
  *   Return true if low latency streaming mode is enabled.
- * @property {function():boolean} isAutoLowLatencyMode
- *   Return true if auto low latency streaming mode is enabled.
- * @property {function()} enableLowLatencyMode
- *   Enable low latency streaming mode.
  * @property {function()} updateDuration
  *   Update the presentation duration based on PresentationTimeline.
  * @property {function(shaka.extern.Stream)} newDrmInfo