Bot Updating Package Versions

Bot Updating Templated Files
2026-03-02 00:02:52 +08:00 · 2026-02-28 22:17:29 +00:00 · 2026-02-21 22:12:58 +00:00 · 2026-02-21 22:02:26 +00:00 · 2026-02-14 22:23:37 +00:00 · 2026-02-14 22:13:05 +00:00
22 changed files with 2271 additions and 1899 deletions
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@ -6,7 +6,7 @@
 * Read, and fill the Pull Request template
  * If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR
  * If the PR is addressing an existing issue include, closes #\<issue number>, in the body of the PR commit message
-* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://discord.gg/YWrKVTn)
+* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://linuxserver.io/discord)
 ## Common files
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
  - name: Discord chat support
-    url: https://discord.gg/YWrKVTn
+    url: https://linuxserver.io/discord
    about: Realtime support / chat with the community and the team.
  - name: Discourse discussion forum
--- a/.github/workflows/call_issue_pr_tracker.yml
+++ b/.github/workflows/call_issue_pr_tracker.yml
@ -8,6 +8,9 @@ on:
  pull_request_review:
    types: [submitted,edited,dismissed]
 permissions:
  contents: read
 jobs:
  manage-project:
    permissions:
--- a/.github/workflows/call_issues_cron.yml
+++ b/.github/workflows/call_issues_cron.yml
@ -4,6 +4,9 @@ on:
    - cron:  '11 10 * * *'
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  stale:
    permissions:
--- a/.github/workflows/external_trigger.yml
+++ b/.github/workflows/external_trigger.yml
@ -3,6 +3,9 @@ name: External Trigger Main
 on:
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  external-trigger-master:
    runs-on: ubuntu-latest
@ -15,7 +18,10 @@ jobs:
          SKIP_EXTERNAL_TRIGGER: ${{ vars.SKIP_EXTERNAL_TRIGGER }}
        run: |
          printf "# External trigger for docker-github-desktop\n\n" >> $GITHUB_STEP_SUMMARY
-          if grep -q "^github-desktop_master" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
+          if grep -q "^github-desktop_master_" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
            echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY
            echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` contains \`github-desktop_master_\`; will skip trigger if version matches." >> $GITHUB_STEP_SUMMARY
          elif grep -q "^github-desktop_master" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
            echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` contains \`github-desktop_master\`; skipping trigger." >> $GITHUB_STEP_SUMMARY
            exit 0
@ -25,6 +31,11 @@ jobs:
          printf "\n## Retrieving external version\n\n" >> $GITHUB_STEP_SUMMARY
          EXT_RELEASE=$(curl -u "${{ secrets.CR_USER }}:${{ secrets.CR_PAT }}" -sX GET "https://api.github.com/repos/shiftkey/desktop/releases/latest" | jq -r '. | .tag_name')
          echo "Type is \`github_stable\`" >> $GITHUB_STEP_SUMMARY
          if grep -q "^github-desktop_master_${EXT_RELEASE}" <<< "${SKIP_EXTERNAL_TRIGGER}"; then
            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
            echo "> Github organizational variable \`SKIP_EXTERNAL_TRIGGER\` matches current external release; skipping trigger." >> $GITHUB_STEP_SUMMARY
            exit 0
          fi
          if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
            echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
            echo "> Can't retrieve external version, exiting" >> $GITHUB_STEP_SUMMARY
@ -35,24 +46,43 @@ jobs:
              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
            exit 1
          fi
-          EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
+          EXT_RELEASE_SANITIZED=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
-          echo "External version: \`${EXT_RELEASE}\`" >> $GITHUB_STEP_SUMMARY
+          echo "Sanitized external version: \`${EXT_RELEASE_SANITIZED}\`" >> $GITHUB_STEP_SUMMARY
          echo "Retrieving last pushed version" >> $GITHUB_STEP_SUMMARY
          image="linuxserver/github-desktop"
          tag="latest"
          token=$(curl -sX GET \
            "https://ghcr.io/token?scope=repository%3Alinuxserver%2Fgithub-desktop%3Apull" \
            | jq -r '.token')
-            multidigest=$(curl -s \
+          multidigest=$(curl -s \
            --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
            --header "Accept: application/vnd.oci.image.index.v1+json" \
            --header "Authorization: Bearer ${token}" \
            "https://ghcr.io/v2/${image}/manifests/${tag}")
          if jq -e '.layers // empty' <<< "${multidigest}" >/dev/null 2>&1; then
            # If there's a layer element it's a single-arch manifest so just get that digest
            digest=$(jq -r '.config.digest' <<< "${multidigest}")
          else
            # Otherwise it's multi-arch or has manifest annotations
            if jq -e '.manifests[]?.annotations // empty' <<< "${multidigest}" >/dev/null 2>&1; then
              # Check for manifest annotations and delete if found
              multidigest=$(jq 'del(.manifests[] | select(.annotations))' <<< "${multidigest}")
            fi
            if [[ $(jq '.manifests | length' <<< "${multidigest}") -gt 1 ]]; then
              # If there's still more than one digest, it's multi-arch
              multidigest=$(jq -r ".manifests[] | select(.platform.architecture == \"amd64\").digest?" <<< "${multidigest}")
            else
              # Otherwise it's single arch
              multidigest=$(jq -r ".manifests[].digest?" <<< "${multidigest}")
            fi
            if digest=$(curl -s \
              --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
              --header "Accept: application/vnd.oci.image.manifest.v1+json" \
              --header "Authorization: Bearer ${token}" \
-              "https://ghcr.io/v2/${image}/manifests/${tag}" \
+              "https://ghcr.io/v2/${image}/manifests/${multidigest}"); then
-              | jq -r 'first(.manifests[].digest)')
+              digest=$(jq -r '.config.digest' <<< "${digest}");
-            digest=$(curl -s \
+            fi
-              --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+          fi
              --header "Authorization: Bearer ${token}" \
              "https://ghcr.io/v2/${image}/manifests/${multidigest}" \
              | jq -r '.config.digest')
          image_info=$(curl -sL \
            --header "Authorization: Bearer ${token}" \
            "https://ghcr.io/v2/${image}/blobs/${digest}")
@ -73,8 +103,8 @@ jobs:
            exit 1
          fi
          echo "Last pushed version: \`${IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
-          if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
+          if [ "${EXT_RELEASE_SANITIZED}" == "${IMAGE_VERSION}" ]; then
-            echo "Version \`${EXT_RELEASE}\` already pushed, exiting" >> $GITHUB_STEP_SUMMARY
+            echo "Sanitized version \`${EXT_RELEASE_SANITIZED}\` already pushed, exiting" >> $GITHUB_STEP_SUMMARY
            exit 0
          elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-github-desktop/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
            echo "New version \`${EXT_RELEASE}\` found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY
@ -89,8 +119,8 @@ jobs:
                "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
            else
              printf "\n## Trigger new build\n\n" >> $GITHUB_STEP_SUMMARY
-              echo "New version \`${EXT_RELEASE}\` found; old version was \`${IMAGE_VERSION}\`. Triggering new build" >> $GITHUB_STEP_SUMMARY
+              echo "New sanitized version \`${EXT_RELEASE_SANITIZED}\` found; old version was \`${IMAGE_VERSION}\`. Triggering new build" >> $GITHUB_STEP_SUMMARY
-              if "${artifacts_found}" == "true" ]]; then
+              if [[ "${artifacts_found}" == "true" ]]; then
                echo "All artifacts seem to be uploaded." >> $GITHUB_STEP_SUMMARY
              fi
              response=$(curl -iX POST \
@ -109,7 +139,7 @@ jobs:
                --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
                --data-urlencode "Submit=Submit"
              echo "**** Notifying Discord ****"
-              TRIGGER_REASON="A version change was detected for github-desktop tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE}"
+              TRIGGER_REASON="A version change was detected for github-desktop tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE_SANITIZED}"
              curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
                "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
                "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
--- a/.github/workflows/external_trigger_scheduler.yml
+++ b/.github/workflows/external_trigger_scheduler.yml
@ -5,6 +5,9 @@ on:
    - cron:  '28 * * * *'
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  external-trigger-scheduler:
    runs-on: ubuntu-latest
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@ -2,8 +2,14 @@ name: Greetings
 on: [pull_request_target, issues]
 permissions:
  contents: read
 jobs:
  greeting:
    permissions:
      issues: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
    - uses: actions/first-interaction@v1
--- a/.github/workflows/package_trigger_scheduler.yml
+++ b/.github/workflows/package_trigger_scheduler.yml
@ -5,6 +5,9 @@ on:
    - cron:  '55 21 * * 6'
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  package-trigger-scheduler:
    runs-on: ubuntu-latest
@ -27,9 +30,18 @@ jobs:
            fi
            printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY
            JENKINS_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-github-desktop/${br}/jenkins-vars.yml)
-            if [[ "${br}" == $(yq -r '.ls_branch' <<< "${JENKINS_VARS}") ]]; then
+            if ! curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-github-desktop/${br}/Jenkinsfile >/dev/null 2>&1; then
              echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
              echo "> No Jenkinsfile found. Branch is either deprecated or is an early dev branch." >> $GITHUB_STEP_SUMMARY
              skipped_branches="${skipped_branches}${br} "
            elif [[ "${br}" == $(yq -r '.ls_branch' <<< "${JENKINS_VARS}") ]]; then
              echo "Branch appears to be live; checking workflow." >> $GITHUB_STEP_SUMMARY
-              if [[ $(yq -r '.skip_package_check' <<< "${JENKINS_VARS}") == "true" ]]; then
+              README_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-github-desktop/${br}/readme-vars.yml)
              if [[ $(yq -r '.project_deprecation_status' <<< "${README_VARS}") == "true" ]]; then
                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
                echo "> Branch appears to be deprecated; skipping trigger." >> $GITHUB_STEP_SUMMARY
                skipped_branches="${skipped_branches}${br} "
              elif [[ $(yq -r '.skip_package_check' <<< "${JENKINS_VARS}") == "true" ]]; then
                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
                echo "> Skipping branch ${br} due to \`skip_package_check\` being set in \`jenkins-vars.yml\`." >> $GITHUB_STEP_SUMMARY
                skipped_branches="${skipped_branches}${br} "
@ -37,7 +49,7 @@ jobs:
                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
                echo "> Github organizational variable \`SKIP_PACKAGE_TRIGGER\` contains \`github-desktop_${br}\`; skipping trigger." >> $GITHUB_STEP_SUMMARY
                skipped_branches="${skipped_branches}${br} "
-              elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-github-desktop/job/${br}/lastBuild/api/json | jq -r '.building') == "true" ]; then
+              elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-github-desktop/job/${br}/lastBuild/api/json | jq -r '.building' 2>/dev/null) == "true" ]; then
                echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
                echo "> There already seems to be an active build on Jenkins; skipping package trigger for ${br}" >> $GITHUB_STEP_SUMMARY
                skipped_branches="${skipped_branches}${br} "
@ -49,6 +61,11 @@ jobs:
                response=$(curl -iX POST \
                  https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-github-desktop/job/${br}/buildWithParameters?PACKAGE_CHECK=true \
                  --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
                if [[ -z "${response}" ]]; then
                  echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
                  echo "> Jenkins build could not be triggered. Skipping branch."
                  continue
                fi
                echo "Jenkins [job queue url](${response%$'\r'})" >> $GITHUB_STEP_SUMMARY
                echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY
                sleep 10
@ -56,11 +73,14 @@ jobs:
                buildurl="${buildurl%$'\r'}"
                echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY
                echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY
-                curl -iX POST \
+                if ! curl -ifX POST \
                  "${buildurl}submitDescription" \
                  --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
                  --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
-                  --data-urlencode "Submit=Submit"
+                  --data-urlencode "Submit=Submit"; then
                  echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY
                  echo "> Unable to change the Jenkins job description."
                fi
                sleep 20
              fi
            else
--- a/8
+++ b/8
@ -1,4 +1,6 @@
-FROM ghcr.io/linuxserver/baseimage-kasmvnc:debianbookworm
+# syntax=docker/dockerfile:1
 FROM ghcr.io/linuxserver/baseimage-selkies:debiantrixie
 # set version label
 ARG BUILD_DATE
@ -13,16 +15,16 @@ ENV TITLE=Github-Desktop
 RUN \
  echo "**** add icon ****" && \
  curl -o \
-    /kclient/public/icon.png \
+    /usr/share/selkies/www/icon.png \
    https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/github-desktop-icon.png && \
  echo "**** install packages ****" && \
  apt-get update && \
  apt-get install --no-install-recommends -y \
    caja \
    chromium \
    chromium-l10n \
    git \
    ssh-askpass \
    thunar \
    xfce4-terminal && \
  echo "**** install github-desktop ****" && \
  if [ -z ${GHDESKTOP_VERSION+x} ]; then \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@ -1,4 +1,6 @@
-FROM ghcr.io/linuxserver/baseimage-kasmvnc:arm64v8-debianbookworm
+# syntax=docker/dockerfile:1
 FROM ghcr.io/linuxserver/baseimage-selkies:arm64v8-debiantrixie
 # set version label
 ARG BUILD_DATE
@ -13,16 +15,16 @@ ENV TITLE=Github-Desktop
 RUN \
  echo "**** add icon ****" && \
  curl -o \
-    /kclient/public/icon.png \
+    /usr/share/selkies/www/icon.png \
    https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/github-desktop-icon.png && \
  echo "**** install packages ****" && \
  apt-get update && \
  apt-get install --no-install-recommends -y \
    caja \
    chromium \
    chromium-l10n \
    git \
    ssh-askpass \
    thunar \
    xfce4-terminal && \
  echo "**** install github-desktop ****" && \
  if [ -z ${GHDESKTOP_VERSION+x} ]; then \
--- a/400
+++ b/400
@ -8,7 +8,7 @@ pipeline {
  }
  // Input to determine if this is a package check
  parameters {
-     string(defaultValue: 'false', description: 'package check run', name: 'PACKAGE_CHECK')
+    string(defaultValue: 'false', description: 'package check run', name: 'PACKAGE_CHECK')
  }
  // Configuration for the variables used for this specific repo
  environment {
@ -33,8 +33,8 @@ pipeline {
    MULTIARCH = 'true'
    CI = 'true'
    CI_WEB = 'true'
-    CI_PORT = '3000'
+    CI_PORT = '3001'
-    CI_SSL = 'false'
+    CI_SSL = 'true'
    CI_DELAY = '120'
    CI_DOCKERENV = 'TZ=US/Pacific'
    CI_AUTH = 'user:password'
@ -59,11 +59,23 @@ pipeline {
      steps{
        echo "Running on node: ${NODE_NAME}"
        sh '''#! /bin/bash
-              containers=$(docker ps -aq)
+              echo "Pruning builder"
              docker builder prune -f --builder container || :
              containers=$(docker ps -q)
              if [[ -n "${containers}" ]]; then
-                docker stop ${containers}
+                BUILDX_CONTAINER_ID=$(docker ps -qf 'name=buildx_buildkit')
                for container in ${containers}; do
                  if [[ "${container}" == "${BUILDX_CONTAINER_ID}" ]]; then
                    echo "skipping buildx container in docker stop"
                  else
                    echo "Stopping container ${container}"
                    docker stop ${container}
                  fi
                done
              fi
-              docker system prune -af --volumes || : '''
+              docker system prune -f --volumes || :
              docker image prune -af || :
           '''
        script{
          env.EXIT_STATUS = ''
          env.LS_RELEASE = sh(
@ -85,7 +97,11 @@ pipeline {
          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/'
          env.PULL_REQUEST = env.CHANGE_ID
          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.yml ./.github/ISSUE_TEMPLATE/issue.feature.yml ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/call_issue_pr_tracker.yml ./.github/workflows/call_issues_cron.yml ./.github/workflows/permissions.yml ./.github/workflows/external_trigger.yml'
          if ( env.SYFT_IMAGE_TAG == null ) {
            env.SYFT_IMAGE_TAG = 'latest'
          }
        }
        echo "Using syft image tag ${SYFT_IMAGE_TAG}"
        sh '''#! /bin/bash
              echo "The default github branch detected as ${GH_DEFAULT_BRANCH}" '''
        script{
@ -201,6 +217,8 @@ pipeline {
          env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
          env.META_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
          env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
          env.BUILDCACHE = 'docker.io/lsiodev/buildcache,registry.gitlab.com/linuxserver.io/docker-jenkins-builder/lsiodev-buildcache,ghcr.io/linuxserver/lsiodev-buildcache,quay.io/linuxserver.io/lsiodev-buildcache'
          env.CITEST_IMAGETAG = 'latest'
        }
      }
    }
@ -225,6 +243,8 @@ pipeline {
          env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
          env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DEV_DOCKERHUB_IMAGE + '/tags/'
          env.BUILDCACHE = 'docker.io/lsiodev/buildcache,registry.gitlab.com/linuxserver.io/docker-jenkins-builder/lsiodev-buildcache,ghcr.io/linuxserver/lsiodev-buildcache,quay.io/linuxserver.io/lsiodev-buildcache'
          env.CITEST_IMAGETAG = 'develop'
        }
      }
    }
@ -249,6 +269,8 @@ pipeline {
          env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
          env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/pull/' + env.PULL_REQUEST
          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.PR_DOCKERHUB_IMAGE + '/tags/'
          env.BUILDCACHE = 'docker.io/lsiodev/buildcache,registry.gitlab.com/linuxserver.io/docker-jenkins-builder/lsiodev-buildcache,ghcr.io/linuxserver/lsiodev-buildcache,quay.io/linuxserver.io/lsiodev-buildcache'
          env.CITEST_IMAGETAG = 'develop'
        }
      }
    }
@ -271,7 +293,7 @@ pipeline {
                  -v ${WORKSPACE}:/mnt \
                  -e AWS_ACCESS_KEY_ID=\"${S3_KEY}\" \
                  -e AWS_SECRET_ACCESS_KEY=\"${S3_SECRET}\" \
-                  ghcr.io/linuxserver/baseimage-alpine:3.20 s6-envdir -fn -- /var/run/s6/container_environment /bin/bash -c "\
+                  ghcr.io/linuxserver/baseimage-alpine:3.23 s6-envdir -fn -- /var/run/s6/container_environment /bin/bash -c "\
                    apk add --no-cache python3 && \
                    python3 -m venv /lsiopy && \
                    pip install --no-cache-dir -U pip && \
@ -345,6 +367,35 @@ pipeline {
              else
                echo "No templates to delete"
              fi
              echo "Starting Stage 2.5 - Update init diagram"
              if ! grep -q 'init_diagram:' readme-vars.yml; then
                echo "Adding the key 'init_diagram' to readme-vars.yml"
                sed -i '\\|^#.*changelog.*$|d' readme-vars.yml
                sed -i 's|^changelogs:|# init diagram\\ninit_diagram:\\n\\n# changelog\\nchangelogs:|' readme-vars.yml
              fi
              mkdir -p ${TEMPDIR}/d2
              docker run --rm -v ${TEMPDIR}/d2:/output -e PUID=$(id -u) -e PGID=$(id -g) -e RAW="true" ghcr.io/linuxserver/d2-builder:latest ${CONTAINER_NAME}:latest
              ls -al ${TEMPDIR}/d2
              yq -ei ".init_diagram |= load_str(\\"${TEMPDIR}/d2/${CONTAINER_NAME}-latest.d2\\")" readme-vars.yml
              if [[ $(md5sum readme-vars.yml | cut -c1-8) != $(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/readme-vars.yml | cut -c1-8) ]]; then
                echo "'init_diagram' has been updated. Updating repo and exiting build, new one will trigger based on commit."
                mkdir -p ${TEMPDIR}/repo
                git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
                cd ${TEMPDIR}/repo/${LS_REPO}
                git checkout -f master
                cp ${WORKSPACE}/readme-vars.yml ${TEMPDIR}/repo/${LS_REPO}/readme-vars.yml
                git add readme-vars.yml
                git commit -m 'Bot Updating Templated Files'
                git pull https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git master
                echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
                echo "Updating templates and exiting build, new one will trigger based on commit"
                rm -Rf ${TEMPDIR}
                exit 0
              else
                echo "false" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
                echo "Init diagram is unchanged"
              fi
              echo "Starting Stage 3 - Update templates"
              CURRENTHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
              cd ${TEMPDIR}/docker-${CONTAINER_NAME}
@ -553,8 +604,45 @@ pipeline {
          --label \"org.opencontainers.image.title=Github-desktop\" \
          --label \"org.opencontainers.image.description=[Github Desktop](https://desktop.github.com/) is an open source Electron-based GitHub app. It is written in TypeScript and uses React.\" \
          --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \
-          --provenance=false --sbom=false \
+          --provenance=true --sbom=true --builder=container --load \
          --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
        sh '''#! /bin/bash
              set -e
              IFS=',' read -ra CACHE <<< "$BUILDCACHE"
              for i in "${CACHE[@]}"; do
                docker tag ${IMAGE}:${META_TAG} ${i}:amd64-${COMMIT_SHA}-${BUILD_NUMBER}
              done
           '''
        withCredentials([
          [
            $class: 'UsernamePasswordMultiBinding',
            credentialsId: 'Quay.io-Robot',
            usernameVariable: 'QUAYUSER',
            passwordVariable: 'QUAYPASS'
          ]
        ]) {
          retry_backoff(5,5) {
              sh '''#! /bin/bash
                    set -e
                    echo $DOCKERHUB_TOKEN | docker login -u linuxserverci --password-stdin
                    echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                    echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                    echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
                    if [[ "${PACKAGE_CHECK}" != "true" ]]; then
                      declare -A pids
                      IFS=',' read -ra CACHE <<< "$BUILDCACHE"
                      for i in "${CACHE[@]}"; do
                        docker push ${i}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} &
                        pids[$!]="$i"
                      done
                      for p in "${!pids[@]}"; do
                        wait "$p" || { [[ "${pids[$p]}" != *"quay.io"* ]] && exit 1; }
                      done
                    fi
                '''
          }
        }
      }
    }
    // Build MultiArch Docker containers for push to LS Repo
@ -585,8 +673,45 @@ pipeline {
              --label \"org.opencontainers.image.title=Github-desktop\" \
              --label \"org.opencontainers.image.description=[Github Desktop](https://desktop.github.com/) is an open source Electron-based GitHub app. It is written in TypeScript and uses React.\" \
              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \
-              --provenance=false --sbom=false \
+              --provenance=true --sbom=true --builder=container --load \
              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
            sh '''#! /bin/bash
                  set -e
                  IFS=',' read -ra CACHE <<< "$BUILDCACHE"
                  for i in "${CACHE[@]}"; do
                    docker tag ${IMAGE}:amd64-${META_TAG} ${i}:amd64-${COMMIT_SHA}-${BUILD_NUMBER}
                  done
               '''
            withCredentials([
              [
                $class: 'UsernamePasswordMultiBinding',
                credentialsId: 'Quay.io-Robot',
                usernameVariable: 'QUAYUSER',
                passwordVariable: 'QUAYPASS'
              ]
            ]) {
              retry_backoff(5,5) {
                  sh '''#! /bin/bash
                        set -e
                        echo $DOCKERHUB_TOKEN | docker login -u linuxserverci --password-stdin
                        echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                        echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                        echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
                        if [[ "${PACKAGE_CHECK}" != "true" ]]; then
                          declare -A pids
                          IFS=',' read -ra CACHE <<< "$BUILDCACHE"
                          for i in "${CACHE[@]}"; do
                            docker push ${i}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} &
                            pids[$!]="$i"
                          done
                          for p in "${!pids[@]}"; do
                            wait "$p" || { [[ "${pids[$p]}" != *"quay.io"* ]] && exit 1; }
                          done
                        fi
                    '''
              }
            }
          }
        }
        stage('Build ARM64') {
@ -595,10 +720,6 @@ pipeline {
          }
          steps {
            echo "Running on node: ${NODE_NAME}"
            echo 'Logging into Github'
            sh '''#! /bin/bash
                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
               '''
            sh "sed -r -i 's|(^FROM .*)|\\1\\n\\nENV LSIO_FIRST_PARTY=true|g' Dockerfile.aarch64"
            sh "docker buildx build \
              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
@ -614,18 +735,52 @@ pipeline {
              --label \"org.opencontainers.image.title=Github-desktop\" \
              --label \"org.opencontainers.image.description=[Github Desktop](https://desktop.github.com/) is an open source Electron-based GitHub app. It is written in TypeScript and uses React.\" \
              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \
-              --provenance=false --sbom=false \
+              --provenance=true --sbom=true --builder=container --load \
              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
-            sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
+            sh '''#! /bin/bash
-            retry_backoff(5,5) {
+                  set -e
-              sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
+                  IFS=',' read -ra CACHE <<< "$BUILDCACHE"
                  for i in "${CACHE[@]}"; do
                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${i}:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
                  done
               '''
            withCredentials([
              [
                $class: 'UsernamePasswordMultiBinding',
                credentialsId: 'Quay.io-Robot',
                usernameVariable: 'QUAYUSER',
                passwordVariable: 'QUAYPASS'
              ]
            ]) {
              retry_backoff(5,5) {
                  sh '''#! /bin/bash
                        set -e
                        echo $DOCKERHUB_TOKEN | docker login -u linuxserverci --password-stdin
                        echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                        echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                        echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
                        if [[ "${PACKAGE_CHECK}" != "true" ]]; then
                          declare -A pids
                          IFS=',' read -ra CACHE <<< "$BUILDCACHE"
                          for i in "${CACHE[@]}"; do
                            docker push ${i}:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} &
                            pids[$!]="$i"
                          done
                          for p in "${!pids[@]}"; do
                            wait "$p" || { [[ "${pids[$p]}" != *"quay.io"* ]] && exit 1; }
                          done
                        fi
                    '''
              }
            }
            sh '''#! /bin/bash
                  containers=$(docker ps -aq)
                  if [[ -n "${containers}" ]]; then
                    docker stop ${containers}
                  fi
-                  docker system prune -af --volumes || : '''
+                  docker system prune -f --volumes || :
                  docker image prune -af || :
               '''
          }
        }
      }
@ -650,7 +805,7 @@ pipeline {
              docker run --rm \
                -v /var/run/docker.sock:/var/run/docker.sock:ro \
                -v ${TEMPDIR}:/tmp \
-                ghcr.io/anchore/syft:latest \
+                ghcr.io/anchore/syft:${SYFT_IMAGE_TAG} \
                ${LOCAL_CONTAINER} -o table=/tmp/package_versions.txt
              NEW_PACKAGE_TAG=$(md5sum ${TEMPDIR}/package_versions.txt | cut -c1-8 )
              echo "Package tag sha from current packages in buit container is ${NEW_PACKAGE_TAG} comparing to old ${PACKAGE_TAG} from github"
@ -737,7 +892,7 @@ pipeline {
                    CI_DOCKERENV="LSIO_FIRST_PARTY=true"
                  fi
                fi
-                docker pull ghcr.io/linuxserver/ci:latest
+                docker pull ghcr.io/linuxserver/ci:${CITEST_IMAGETAG}
                if [ "${MULTIARCH}" == "true" ]; then
                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} --platform=arm64
                  docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
@ -760,7 +915,10 @@ pipeline {
                -e WEB_AUTH=\"${CI_AUTH}\" \
                -e WEB_PATH=\"${CI_WEBPATH}\" \
                -e NODE_NAME=\"${NODE_NAME}\" \
-                -t ghcr.io/linuxserver/ci:latest \
+                -e SYFT_IMAGE_TAG=\"${CI_SYFT_IMAGE_TAG:-${SYFT_IMAGE_TAG}}\" \
                -e COMMIT_SHA=\"${COMMIT_SHA}\" \
                -e BUILD_NUMBER=\"${BUILD_NUMBER}\" \
                -t ghcr.io/linuxserver/ci:${CITEST_IMAGETAG} \
                python3 test_build.py'''
        }
      }
@ -775,37 +933,25 @@ pipeline {
        environment name: 'EXIT_STATUS', value: ''
      }
      steps {
-        withCredentials([
+        retry_backoff(5,5) {
-          [
+          sh '''#! /bin/bash
-            $class: 'UsernamePasswordMultiBinding',
+                set -e
-            credentialsId: 'Quay.io-Robot',
+                for PUSHIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
-            usernameVariable: 'QUAYUSER',
+                  [[ ${PUSHIMAGE%%/*} =~ \\. ]] && PUSHIMAGEPLUS="${PUSHIMAGE}" || PUSHIMAGEPLUS="docker.io/${PUSHIMAGE}"
-            passwordVariable: 'QUAYPASS'
+                  IFS=',' read -ra CACHE <<< "$BUILDCACHE"
-          ]
+                  for i in "${CACHE[@]}"; do
-        ]) {
+                      if [[ "${PUSHIMAGEPLUS}" == "$(cut -d "/" -f1 <<< ${i})"* ]]; then
-          retry_backoff(5,5) {
+                          CACHEIMAGE=${i}
-            sh '''#! /bin/bash
+                      fi
                  set -e
                  echo $DOCKERHUB_TOKEN | docker login -u linuxserverci --password-stdin
                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
                  for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
                    docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG}
                    docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest
                    docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
                      docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER}
                    fi
                    docker push ${PUSHIMAGE}:latest
                    docker push ${PUSHIMAGE}:${META_TAG}
                    docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
                      docker push ${PUSHIMAGE}:${SEMVER}
                    fi
                  done
-               '''
+                  docker buildx imagetools create --prefer-index=false -t ${PUSHIMAGE}:${META_TAG} -t ${PUSHIMAGE}:latest -t ${PUSHIMAGE}:${EXT_RELEASE_TAG} ${CACHEIMAGE}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} || \
-          }
+                    { if [[ "${PUSHIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
                  if [ -n "${SEMVER}" ]; then
                    docker buildx imagetools create --prefer-index=false -t ${PUSHIMAGE}:${SEMVER} ${CACHEIMAGE}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} || \
                      { if [[ "${PUSHIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
                  fi
                done
              '''
        }
      }
    }
@ -816,57 +962,41 @@ pipeline {
        environment name: 'EXIT_STATUS', value: ''
      }
      steps {
-        withCredentials([
+        retry_backoff(5,5) {
-          [
+          sh '''#! /bin/bash
-            $class: 'UsernamePasswordMultiBinding',
+                set -e
-            credentialsId: 'Quay.io-Robot',
+                for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
-            usernameVariable: 'QUAYUSER',
+                  [[ ${MANIFESTIMAGE%%/*} =~ \\. ]] && MANIFESTIMAGEPLUS="${MANIFESTIMAGE}" || MANIFESTIMAGEPLUS="docker.io/${MANIFESTIMAGE}"
-            passwordVariable: 'QUAYPASS'
+                  IFS=',' read -ra CACHE <<< "$BUILDCACHE"
-          ]
+                  for i in "${CACHE[@]}"; do
-        ]) {
+                      if [[ "${MANIFESTIMAGEPLUS}" == "$(cut -d "/" -f1 <<< ${i})"* ]]; then
-          retry_backoff(5,5) {
+                          CACHEIMAGE=${i}
-            sh '''#! /bin/bash
+                      fi
-                  set -e
+                  done
-                  echo $DOCKERHUB_TOKEN | docker login -u linuxserverci --password-stdin
+                  docker buildx imagetools create --prefer-index=false -t ${MANIFESTIMAGE}:amd64-${META_TAG} -t ${MANIFESTIMAGE}:amd64-latest -t ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${CACHEIMAGE}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} || \
-                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+                    { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
-                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
+                  docker buildx imagetools create --prefer-index=false -t ${MANIFESTIMAGE}:arm64v8-${META_TAG} -t ${MANIFESTIMAGE}:arm64v8-latest -t ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} ${CACHEIMAGE}:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || \
-                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
+                    { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
-                  if [ "${CI}" == "false" ]; then
+                  if [ -n "${SEMVER}" ]; then
-                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} --platform=arm64
+                    docker buildx imagetools create --prefer-index=false -t ${MANIFESTIMAGE}:amd64-${SEMVER} ${CACHEIMAGE}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} || \
-                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
+                      { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
                    docker buildx imagetools create --prefer-index=false -t ${MANIFESTIMAGE}:arm64v8-${SEMVER} ${CACHEIMAGE}:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || \
                      { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
                  fi
-                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
+                done
-                    docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
+                for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
-                    docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-latest
+                  docker buildx imagetools create -t ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm64v8-latest || \
-                    docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+                    { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
-                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                  docker buildx imagetools create -t ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} || \
-                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
+                    { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
-                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+                  docker buildx imagetools create -t ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} || \
-                    if [ -n "${SEMVER}" ]; then
+                    { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
-                      docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER}
+                  if [ -n "${SEMVER}" ]; then
-                      docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+                    docker buildx imagetools create -t ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} || \
-                    fi
+                      { if [[ "${MANIFESTIMAGE}" != "${QUAYIMAGE}" ]]; then exit 1; fi; }
-                    docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
+                  fi
-                    docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+                done
-                    docker push ${MANIFESTIMAGE}:amd64-latest
+              '''
                    docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
                    docker push ${MANIFESTIMAGE}:arm64v8-latest
                    docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
                      docker push ${MANIFESTIMAGE}:amd64-${SEMVER}
                      docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER}
                    fi
                  done
                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
                    docker buildx imagetools create -t ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm64v8-latest
                    docker buildx imagetools create -t ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
                    docker buildx imagetools create -t ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
                    if [ -n "${SEMVER}" ]; then
                      docker buildx imagetools create -t ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
                    fi
                  done
               '''
          }
        }
      }
    }
@ -881,23 +1011,41 @@ pipeline {
        environment name: 'EXIT_STATUS', value: ''
      }
      steps {
        echo "Pushing New tag for current commit ${META_TAG}"
        sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/git/tags \
        -d '{"tag":"'${META_TAG}'",\
             "object": "'${COMMIT_SHA}'",\
             "message": "Tagging Release '${EXT_RELEASE_CLEAN}'-ls'${LS_TAG_NUMBER}' to master",\
             "type": "commit",\
             "tagger": {"name": "LinuxServer-CI","email": "ci@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
        echo "Pushing New release for Tag"
        sh '''#! /bin/bash
-              curl -H "Authorization: token ${GITHUB_TOKEN}" -s https://api.github.com/repos/${EXT_USER}/${EXT_REPO}/releases/latest | jq '. |.body' | sed 's:^.\\(.*\\).$:\\1:' > releasebody.json
+              echo "Auto-generating release notes"
-              echo '{"tag_name":"'${META_TAG}'",\
+              if [ "$(git tag --points-at HEAD)" != "" ]; then
-                     "target_commitish": "master",\
+                echo "Existing tag points to current commit, suggesting no new LS changes"
-                     "name": "'${META_TAG}'",\
+                AUTO_RELEASE_NOTES="No changes"
-                     "body": "**CI Report:**\\n\\n'${CI_URL:-N/A}'\\n\\n**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**'${EXT_REPO}' Changes:**\\n\\n' > start
+              else
-              printf '","draft": false,"prerelease": false}' >> releasebody.json
+                AUTO_RELEASE_NOTES=$(curl -fsL -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases/generate-notes  \
-              paste -d'\\0' start releasebody.json > releasebody.json.done
+                  -d '{"tag_name":"'${META_TAG}'",\
-              curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done'''
+                      "target_commitish": "master"}' \
                  | jq -r '.body' | sed 's|## What.s Changed||')
              fi
              echo "Pushing New tag for current commit ${META_TAG}"
              curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/git/tags \
                -d '{"tag":"'${META_TAG}'",\
                  "object": "'${COMMIT_SHA}'",\
                  "message": "Tagging Release '${EXT_RELEASE_CLEAN}'-ls'${LS_TAG_NUMBER}' to master",\
                  "type": "commit",\
                  "tagger": {"name": "LinuxServer-CI","email": "ci@linuxserver.io","date": "'${GITHUB_DATE}'"}}'
              echo "Pushing New release for Tag"
              curl -H "Authorization: token ${GITHUB_TOKEN}" -s https://api.github.com/repos/${EXT_USER}/${EXT_REPO}/releases/latest | jq -r '. |.body' > releasebody.json
              jq -n \
                --arg tag_name "$META_TAG" \
                --arg target_commitish "master" \
                --arg ci_url "${CI_URL:-N/A}" \
                --arg ls_notes "$AUTO_RELEASE_NOTES" \
                --arg remote_notes "$(cat releasebody.json)" \
                '{
                  "tag_name": $tag_name,
                  "target_commitish": $target_commitish,
                  "name": $tag_name,
                  "body": ("**CI Report:**\\n\\n" + $ci_url + "\\n\\n**LinuxServer Changes:**\\n\\n" + $ls_notes + "\\n\\n**Remote Changes:**\\n\\n" + $remote_notes),
                  "draft": false,
                  "prerelease": false                }' > releasebody.json.done
              curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done
        '''
      }
    }
    // Add protection to the release branch
@ -1072,12 +1220,22 @@ EOF
    }
    cleanup {
      sh '''#! /bin/bash
-            echo "Performing docker system prune!!"
+            echo "Pruning builder!!"
-            containers=$(docker ps -aq)
+            docker builder prune -f --builder container || :
            containers=$(docker ps -q)
            if [[ -n "${containers}" ]]; then
-              docker stop ${containers}
+              BUILDX_CONTAINER_ID=$(docker ps -qf 'name=buildx_buildkit')
              for container in ${containers}; do
                if [[ "${container}" == "${BUILDX_CONTAINER_ID}" ]]; then
                  echo "skipping buildx container in docker stop"
                else
                  echo "Stopping container ${container}"
                  docker stop ${container}
                fi
              done
            fi
-            docker system prune -af --volumes || :
+            docker system prune -f --volumes || :
            docker image prune -af || :
         '''
      cleanWs()
    }
--- a/README.md
+++ b/README.md
@ -3,9 +3,8 @@
 [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)](https://linuxserver.io)
 [![Blog](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Blog)](https://blog.linuxserver.io "all the things you can do with our containers including How-To guides, opinions and much more!")
-[![Discord](https://img.shields.io/discord/354974912613449730.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Discord&logo=discord)](https://discord.gg/YWrKVTn "realtime support / chat with the community and the team.")
+[![Discord](https://img.shields.io/discord/354974912613449730.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Discord&logo=discord)](https://linuxserver.io/discord "realtime support / chat with the community and the team.")
 [![Discourse](https://img.shields.io/discourse/https/discourse.linuxserver.io/topics.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=discourse)](https://discourse.linuxserver.io "post on our community forum.")
 [![Fleet](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Fleet)](https://fleet.linuxserver.io "an online web interface which displays all of our maintained images.")
 [![GitHub](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub&logo=github)](https://github.com/linuxserver "view the source for all of our repositories.")
 [![Open Collective](https://img.shields.io/opencollective/all/linuxserver.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Supporters&logo=open%20collective)](https://opencollective.com/linuxserver "please consider helping us by either donating or contributing to our budget")
@ -20,9 +19,8 @@ The [LinuxServer.io](https://linuxserver.io) team brings you another container r
 Find us at:
 * [Blog](https://blog.linuxserver.io) - all the things you can do with our containers including How-To guides, opinions and much more!
-* [Discord](https://discord.gg/YWrKVTn) - realtime support / chat with the community and the team.
+* [Discord](https://linuxserver.io/discord) - realtime support / chat with the community and the team.
 * [Discourse](https://discourse.linuxserver.io) - post on our community forum.
 * [Fleet](https://fleet.linuxserver.io) - an online web interface which displays all of our maintained images.
 * [GitHub](https://github.com/linuxserver) - view the source for all of our repositories.
 * [Open Collective](https://opencollective.com/linuxserver) - please consider helping us by either donating or contributing to our budget
@ -55,108 +53,101 @@ The architectures supported by this image are:
 | :----: | :----: | ---- |
 | x86-64 | ✅ | amd64-\<version tag\> |
 | arm64 | ✅ | arm64v8-\<version tag\> |
 | armhf | ❌ | |
 ## Application Setup
 The application can be accessed at:
 * http://yourhost:3000/
 * https://yourhost:3001/
-**Modern GUI desktop apps have issues with the latest Docker and syscall compatibility, you can use Docker with the `--security-opt seccomp=unconfined` setting to allow these syscalls on hosts with older Kernels or libseccomp**
+### Strict reverse proxies
 This image uses a self-signed certificate by default. This naturally means the scheme is `https`.
 If you are using a reverse proxy which validates certificates, you need to [disable this check for the container](https://docs.linuxserver.io/faq#strict-proxy).
 **Modern GUI desktop apps may have compatibility issues with the latest Docker syscall restrictions. You can use Docker with the `--security-opt seccomp=unconfined` setting to allow these syscalls on hosts with older Kernels or libseccomp versions.**
 ### Security
 >[!WARNING]
->Do not put this on the Internet if you do not know what you are doing.
+>This container provides privileged access to the host system. Do not expose it to the Internet unless you have secured it properly.
-By default this container has no authentication and the optional environment variables `CUSTOM_USER` and `PASSWORD` to enable basic http auth via the embedded NGINX server should only be used to locally secure the container from unwanted access on a local network. If exposing this to the Internet we recommend putting it behind a reverse proxy, such as [SWAG](https://github.com/linuxserver/docker-swag), and ensuring a secure authentication solution is in place. From the web interface a terminal can be launched and it is configured for passwordless sudo, so anyone with access to it can install and run whatever they want along with probing your local network.
+**HTTPS is required for full functionality.** Modern browser features such as WebCodecs, used for video and audio, will not function over an insecure HTTP connection.
-### Options in all KasmVNC based GUI containers
+By default, this container has no authentication. The optional `CUSTOM_USER` and `PASSWORD` environment variables enable basic HTTP auth, which is suitable only for securing the container on a trusted local network. For internet exposure, we strongly recommend placing the container behind a reverse proxy, such as [SWAG](https://github.com/linuxserver/docker-swag), with a robust authentication mechanism.
-This container is based on [Docker Baseimage KasmVNC](https://github.com/linuxserver/docker-baseimage-kasmvnc) which means there are additional environment variables and run configurations to enable or disable specific functionality.
+The web interface includes a terminal with passwordless `sudo` access. Any user with access to the GUI can gain root control within the container, install arbitrary software, and probe your local network.
-#### Optional environment variables
+While not generally recommended, certain legacy environments specifically those with older hardware or outdated Linux distributions may require the deactivation of the standard seccomp profile to get containerized desktop software to run. This can be achieved by utilizing the `--security-opt seccomp=unconfined` parameter. It is critical to use this option only when absolutely necessary as it disables a key security layer of Docker, elevating the potential for container escape vulnerabilities.
-| Variable | Description |
+### Hardware Acceleration & The Move to Wayland
 | :----: | --- |
 | CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. |
 | CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. |
 | CUSTOM_USER | HTTP Basic auth username, abc is default. |
 | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
 | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` |
 | TITLE | The page title displayed on the web browser, default "KasmVNC Client". |
 | FM_HOME | This is the home directory (landing) for the file manager, default "/config". |
 | START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. |
 | DRINODE | If mounting in /dev/dri for [DRI3 GPU Acceleration](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html) allows you to specify the device to use IE `/dev/dri/renderD128` |
 | DISABLE_IPV6 | If set to true or any value this will disable IPv6 | 
 | LC_ALL | Set the Language for the container to run as IE `fr_FR.UTF-8` `ar_AE.UTF-8` |
 | NO_DECOR | If set the application will run without window borders in openbox for use as a PWA. |
 | NO_FULL | Do not autmatically fullscreen applications when using openbox. |
-#### Optional run configurations
+We are currently transitioning our desktop containers from X11 to Wayland. While X11 is still the default, we strongly encourage users to test the new Wayland mode.
-| Variable | Description |
+**Important:** GPU acceleration support for X11 is being deprecated. Future development for hardware acceleration will focus entirely on the Wayland stack.
 | :----: | --- |
 | `--privileged` | Will start a Docker in Docker (DinD) setup inside the container to use docker in an isolated environment. For increased performance mount the Docker directory inside the container to the host IE `-v /home/user/docker-data:/var/lib/docker`. |
 | `-v /var/run/docker.sock:/var/run/docker.sock` | Mount in the host level Docker socket to either interact with it via CLI or use Docker enabled applications. |
 | `--device /dev/dri:/dev/dri` | Mount a GPU into the container, this can be used in conjunction with the `DRINODE` environment variable to leverage a host video card for GPU accelerated applications. Only **Open Source** drivers are supported IE (Intel,AMDGPU,Radeon,ATI,Nouveau) |
-### Language Support - Internationalization
+To enable Wayland mode, set the following environment variable:
-The environment variable `LC_ALL` can be used to start this container in a different language than English simply pass for example to launch the Desktop session in French `LC_ALL=fr_FR.UTF-8`. Some languages like Chinese, Japanese, or Korean will be missing fonts needed to render properly known as cjk fonts, but others may exist and not be installed inside the container depending on what underlying distribution you are running. We only ensure fonts for Latin characters are present. Fonts can be installed with a mod on startup.
+* `-e PIXELFLUX_WAYLAND=true`
-To install cjk fonts on startup as an example pass the environment variables (Alpine base):
+**Why use Wayland?**
-```
+* **Zero Copy Encoding:** When configured correctly with a GPU, the frame is rendered and encoded on the video card without ever being copied to the system RAM. This drastically lowers CPU usage and latency.
-e DOCKER_MODS=linuxserver/mods:universal-package-install 
+* **Modern Stack:** Single-application containers utilize **Labwc** (replacing Openbox) and full desktop containers use **KDE Plasma Wayland**, providing a more modern and secure compositing environment while retaining the same user experience.
-e INSTALL_PACKAGES=fonts-noto-cjk-e LC_ALL=zh_CN.UTF-8
+
 #### GPU Configuration
 To use hardware acceleration in Wayland mode, we distinguish between the card used for **Rendering** (3D apps/Desktops) and **Encoding** (Video Stream).
 **Configuration Variables:**
 * `DRINODE`: The path to the GPU used for **Rendering** (EGL).
 * `DRI_NODE`: The path to the GPU used for **Encoding** (VAAPI/NVENC).
 If both variables point to the same device, the container will automatically enable **Zero Copy** encoding, significantly reducing CPU usage and latency.
 ##### Intel & AMD (Open Source Drivers)
 For Intel and AMD GPUs.
 ```yaml
    devices:
      - /dev/dri:/dev/dri
    environment:
      - PIXELFLUX_WAYLAND=true
      # Optional: Specify device if multiple exist (IE: /dev/dri/renderD129)
      - DRINODE=/dev/dri/renderD128
      - DRI_NODE=/dev/dri/renderD128
 ```
-The web interface has the option for "IME Input Mode" in Settings which will allow non english characters to be used from a non en_US keyboard on the client. Once enabled it will perform the same as a local Linux installation set to your locale.
+##### Nvidia (Proprietary Drivers)
-### DRI3 GPU Acceleration
+**Note: Nvidia support is not available for Alpine-based images.**
-For accelerated apps or games, render devices can be mounted into the container and leveraged by applications using:
+**Prerequisites:**
-`--device /dev/dri:/dev/dri`
+1. **Driver:** Proprietary drivers **580 or higher** are required.
 2. **Kernel Parameter:** Set `nvidia-drm.modeset=1` in your host bootloader (GRUB/systemd-boot).
 3. **Initialization:** On headless systems, run `nvidia-modprobe --modeset` on the host (once per boot) to initialize the card.
 4. **Docker Runtime:** Configure the host docker daemon to use the Nvidia runtime:
-This feature only supports **Open Source** GPU drivers:
+    ```bash
    sudo nvidia-ctk runtime configure --runtime=docker
    sudo systemctl restart docker
    ```
-| Driver | Description |
+**Compose Configuration:**
 | :----: | --- |
 | Intel | i965 and i915 drivers for Intel iGPU chipsets |
 | AMD | AMDGPU, Radeon, and ATI drivers for AMD dedicated or APU chipsets |
 | NVIDIA | nouveau2 drivers only, closed source NVIDIA drivers lack DRI3 support |
-The `DRINODE` environment variable can be used to point to a specific GPU.
+```yaml
-Up to date information can be found [here](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html)
+---
 ### Nvidia GPU Support
 **Nvidia support is not compatible with Alpine based images as Alpine lacks Nvidia drivers**
 Nvidia support is available by leveraging Zink for OpenGL support. This can be enabled with the following run flags:
 | Variable | Description |
 | :----: | --- |
 | --gpus all | This can be filtered down but for most setups this will pass the one Nvidia GPU on the system |
 | --runtime nvidia | Specify the Nvidia runtime which mounts drivers and tools in from the host |
 The compose syntax is slightly different for this as you will need to set nvidia as the default runtime:
 ```
 sudo nvidia-ctk runtime configure --runtime=docker --set-as-default
 sudo service docker restart
 ```
 And to assign the GPU in compose:
 ```
 services:
  github-desktop:
    image: lscr.io/linuxserver/github-desktop:latest
    environment:
      - PIXELFLUX_WAYLAND=true
      # Ensure these point to the rendered node injected by the runtime (usually renderD128)
      - DRINODE=/dev/dri/renderD128
      - DRI_NODE=/dev/dri/renderD128
    deploy:
      resources:
        reservations:
@ -166,21 +157,124 @@ services:
              capabilities: [compute,video,graphics,utility]
 ```
-### Application management
+### SealSkin Compatibility
-#### PRoot Apps
+This container is compatible with [SealSkin](https://sealskin.app).
-If you run system native installations of software IE `sudo apt-get install filezilla` and then upgrade or destroy/re-create the container that software will be removed and the container will be at a clean state. For some users that will be acceptable and they can update their system packages as well using system native commands like `apt-get upgrade`. If you want Docker to handle upgrading the container and retain your applications and settings we have created [proot-apps](https://github.com/linuxserver/proot-apps) which allow portable applications to be installed to persistent storage in the user's `$HOME` directory and they will work in a confined Docker environment out of the box. These applications and their settings will persist upgrades of the base container and can be mounted into different flavors of KasmVNC based containers on the fly. This can be achieved from the command line with:
+SealSkin is a self-hosted, client-server platform that provides secure authentication and collaboration features while using a browser extension to intercept user actions such as clicking a link or downloading a file and redirect them to a secure, isolated application environment running on a remote server.
 * **SealSkin Server:** [Get it Here](https://github.com/linuxserver/docker-sealskin)
 * **Browser Extension:** [Chrome](https://chromewebstore.google.com/detail/sealskin-isolation/lclgfmnljgacfdpmmmjmfpdelndbbfhk) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/sealskin-isolation/).
 * **Mobile App:** [iOS](https://apps.apple.com/us/app/sealskin/id6758210210) and [Android](https://play.google.com/store/apps/details?id=io.linuxserver.sealskin)
 ### Options in all Selkies-based GUI containers
 This container is based on [Docker Baseimage Selkies](https://github.com/linuxserver/docker-baseimage-selkies).
 <details>
 <summary>Click to expand: Optional Environment Variables</summary>
 | Variable | Description |
 | :----: | --- |
 | PIXELFLUX_WAYLAND | **Experimental** If set to true the container will initialize in Wayland mode running [Smithay](https://github.com/Smithay/smithay) and Labwc while enabling zero copy encoding with a GPU |
 | CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default `3000` |
 | CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default `3001` |
 | CUSTOM_WS_PORT | Internal port the container listens on for websockets if it needs to be swapped from the default 8082 |
 | CUSTOM_USER | HTTP Basic auth username, abc is default. |
 | DRI_NODE | **Encoding GPU**: Enable VAAPI/NVENC stream encoding and use the specified device IE `/dev/dri/renderD128` |
 | DRINODE | **Rendering GPU**: Specify which GPU to use for EGL/3D acceleration IE `/dev/dri/renderD129` |
 | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
 | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` |
 | TITLE | The page title displayed on the web browser, default "Selkies" |
 | DASHBOARD | Allows the user to set their dashboard. Options: `selkies-dashboard`, `selkies-dashboard-zinc`, `selkies-dashboard-wish` |
 | FILE_MANAGER_PATH | Modifies the default upload/download file path, path must have proper permissions for abc user |
 | START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup |
 | DISABLE_IPV6 | If set to true or any value this will disable IPv6 |
 | LC_ALL | Set the Language for the container to run as IE `fr_FR.UTF-8` `ar_AE.UTF-8` |
 | NO_DECOR | If set the application will run without window borders for use as a PWA. (Decor can be enabled and disabled with Ctrl+Shift+d) |
 | NO_FULL | Do not autmatically fullscreen applications when using openbox. |
 | NO_GAMEPAD | Disable userspace gamepad interposer injection. |
 | DISABLE_ZINK | Do not set the Zink environment variables if a video card is detected (userspace applications will use CPU rendering) |
 | DISABLE_DRI3 | Do not use DRI3 acceleration if a video card is detected (userspace applications will use CPU rendering) |
 | MAX_RES | Pass a larger maximum resolution for the container default is 16k `15360x8640` |
 | WATERMARK_PNG | Full path inside the container to a watermark png IE `/usr/share/selkies/www/icon.png` |
 | WATERMARK_LOCATION | Where to paint the image over the stream integer options below |
 **`WATERMARK_LOCATION` Options:**
 * **1**: Top Left
 * **2**: Top Right
 * **3**: Bottom Left
 * **4**: Bottom Right
 * **5**: Centered
 * **6**: Animated
 </details>
 <details>
 <summary>Click to expand: Optional Run Configurations (DinD & GPU Mounts)</summary>
 | Argument | Description |
 | :----: | --- |
 | `--privileged` | Starts a Docker-in-Docker (DinD) environment. For better performance, mount the Docker data directory from the host, e.g., `-v /path/to/docker-data:/var/lib/docker`. |
 | `-v /var/run/docker.sock:/var/run/docker.sock` | Mounts the host's Docker socket to manage host containers from within this container. |
 | `--device /dev/dri:/dev/dri` | Mount a GPU into the container, this can be used in conjunction with the `DRINODE` environment variable to leverage a host video card for GPU accelerated applications. |
 </details>
 <details>
 <summary>Click to expand: Legacy X11 Resolution & Acceleration</summary>
 **Note:** This section applies only if you are **NOT** using `PIXELFLUX_WAYLAND=true`.
 When using 3d acceleration via Nvidia DRM or DRI3 in X11 mode, it is important to clamp the virtual display to a reasonable max resolution to avoid memory exhaustion or poor performance.
 * `-e MAX_RESOLUTION=3840x2160`
 This will set the total virtual framebuffer to 4K. By default, the virtual monitor is 16K. If you have performance issues in an accelerated X11 session, try clamping the resolution to 1080p and work up from there:
 ```bash
 -e SELKIES_MANUAL_WIDTH=1920
 -e SELKIES_MANUAL_HEIGHT=1080
 -e MAX_RESOLUTION=1920x1080
 ```
 </details>
 ### Language Support - Internationalization
 To launch the desktop session in a different language, set the `LC_ALL` environment variable. For example:
 * `-e LC_ALL=zh_CN.UTF-8` - Chinese
 * `-e LC_ALL=ja_JP.UTF-8` - Japanese
 * `-e LC_ALL=ko_KR.UTF-8` - Korean
 * `-e LC_ALL=ar_AE.UTF-8` - Arabic
 * `-e LC_ALL=ru_RU.UTF-8` - Russian
 * `-e LC_ALL=es_MX.UTF-8` - Spanish (Latin America)
 * `-e LC_ALL=de_DE.UTF-8` - German
 * `-e LC_ALL=fr_FR.UTF-8` - French
 * `-e LC_ALL=nl_NL.UTF-8` - Netherlands
 * `-e LC_ALL=it_IT.UTF-8` - Italian
 ### Application Management
 There are two methods for installing applications inside the container: PRoot Apps (recommended for persistence) and Native Apps.
 #### PRoot Apps (Persistent)
 Natively installed packages (e.g., via `apt-get install`) will not persist if the container is recreated. To retain applications and their settings across container updates, we recommend using [proot-apps](https://github.com/linuxserver/proot-apps). These are portable applications installed to the user's persistent `$HOME` directory.
 To install an application, use the command line inside the container:
 ```bash
 proot-apps install filezilla
 ```
-PRoot Apps is included in all KasmVNC based containers, a list of linuxserver.io supported applications is located [HERE](https://github.com/linuxserver/proot-apps?tab=readme-ov-file#supported-apps).
+A list of supported applications is available [here](https://github.com/linuxserver/proot-apps?tab=readme-ov-file#supported-apps).
-#### Native Apps
+#### Native Apps (Non-Persistent)
-It is possible to install extra packages during container start using [universal-package-install](https://github.com/linuxserver/docker-mods/tree/universal-package-install). It might increase starting time significantly. PRoot is preferred.
+You can install packages from the system's native repository using the [universal-package-install](https://github.com/linuxserver/docker-mods/tree/universal-package-install) mod. This method will increase the container's start time and is not persistent. Add the following to your `compose.yaml`:
 ```yaml
  environment:
@ -188,15 +282,123 @@ It is possible to install extra packages during container start using [universal
    - INSTALL_PACKAGES=libfuse2|git|gdb
 ```
-### Lossless mode
+### Advanced Configuration
-This container is capable of delivering a true lossless image at a high framerate to your web browser by changing the Stream Quality preset to "Lossless", more information [here](https://www.kasmweb.com/docs/latest/how_to/lossless.html#technical-background). In order to use this mode from a non localhost endpoint the HTTPS port on 3001 needs to be used. If using a reverse proxy to port 3000 specific headers will need to be set as outlined [here](https://github.com/linuxserver/docker-baseimage-kasmvnc#lossless).
+<details>
 <summary>Click to expand: Hardening Options</summary>
 These variables can be used to lock down the desktop environment for single-application use cases or to restrict user capabilities.
 | Variable | Description |
 | :----: | --- |
 | **`HARDEN_DESKTOP`** | Enables `DISABLE_OPEN_TOOLS`, `DISABLE_SUDO`, and `DISABLE_TERMINALS`. Also sets related Selkies UI settings (`SELKIES_FILE_TRANSFERS`, `SELKIES_COMMAND_ENABLED`, `SELKIES_UI_SIDEBAR_SHOW_FILES`, `SELKIES_UI_SIDEBAR_SHOW_APPS`) if they are not explicitly set by the user. |
 | **`HARDEN_OPENBOX`** | Enables `DISABLE_CLOSE_BUTTON`, `DISABLE_MOUSE_BUTTONS`, and `HARDEN_KEYBINDS`. It also flags `RESTART_APP` if not set by the user, ensuring the primary application is automatically restarted if closed. |
 **Individual Hardening Variables:**
 | Variable | Description |
 | :--- | --- |
 | **`DISABLE_OPEN_TOOLS`** | If true, disables `xdg-open` and `exo-open` binaries by removing their execute permissions. |
 | **`DISABLE_SUDO`** | If true, disables the `sudo` command by removing its execute permissions and invalidating the passwordless sudo configuration. |
 | **`DISABLE_TERMINALS`** | If true, disables common terminal emulators by removing their execute permissions and hiding them from the Openbox right-click menu. |
 | **`DISABLE_CLOSE_BUTTON`** | If true, removes the close button from window title bars in the Openbox window manager. |
 | **`DISABLE_MOUSE_BUTTONS`** | If true, disables the right-click and middle-click context menus and actions within the Openbox window manager. |
 | **`HARDEN_KEYBINDS`** | If true, disables default Openbox keybinds that can bypass other hardening options (e.g., `Alt+F4` to close windows, `Alt+Escape` to show the root menu). |
 | **`RESTART_APP`** | If true, enables a watchdog service that automatically restarts the main application if it is closed. The user's autostart script is made read-only and root owned to prevent tampering. |
 </details>
 <details>
 <summary>Click to expand: Selkies Application Settings</summary>
 Using environment variables every facet of the application can be configured.
 **Booleans and Locking:**
 Boolean settings accept `true` or `false`. You can also prevent the user from changing a boolean setting in the UI by appending `|locked`.
 * Example: `-e SELKIES_USE_CPU="true|locked"`
 **Enums and Lists:**
 These settings accept a comma-separated list of values. The first item becomes default. If only one item is provided, the UI dropdown is hidden.
 * Example: `-e SELKIES_ENCODER="jpeg"`
 **Ranges:**
 Use a hyphen-separated `min-max` format for a slider, or a single number to lock the value.
 * Example: `-e SELKIES_FRAMERATE="60"`
 **Manual Resolution Mode:**
 If `SELKIES_MANUAL_WIDTH` or `SELKIES_MANUAL_HEIGHT` are set, the resolution is locked to those values.
 | Environment Variable | Default Value | Description |
 | --- | --- | --- |
 | `SELKIES_UI_TITLE` | `'Selkies'` | Title in top left corner of sidebar. |
 | `SELKIES_UI_SHOW_LOGO` | `True` | Show the Selkies logo in the sidebar. |
 | `SELKIES_UI_SHOW_SIDEBAR` | `True` | Show the main sidebar UI. |
 | `SELKIES_UI_SHOW_CORE_BUTTONS` | `True` | Show the core components buttons display, audio, microphone, and gamepad. |
 | `SELKIES_UI_SIDEBAR_SHOW_VIDEO_SETTINGS` | `True` | Show the video settings section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_SCREEN_SETTINGS` | `True` | Show the screen settings section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_AUDIO_SETTINGS` | `True` | Show the audio settings section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_STATS` | `True` | Show the stats section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_CLIPBOARD` | `True` | Show the clipboard section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_FILES` | `True` | Show the file transfer section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_APPS` | `True` | Show the applications section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_SHARING` | `True` | Show the sharing section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_GAMEPADS` | `True` | Show the gamepads section in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_FULLSCREEN` | `True` | Show the fullscreen button in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_GAMING_MODE` | `True` | Show the gaming mode button in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_TRACKPAD` | `True` | Show the virtual trackpad button in the sidebar. |
 | `SELKIES_UI_SIDEBAR_SHOW_KEYBOARD_BUTTON` | `True` | Show the on-screen keyboard button in the display area. |
 | `SELKIES_UI_SIDEBAR_SHOW_SOFT_BUTTONS` | `True` | Show the soft buttons section in the sidebar. |
 | `SELKIES_AUDIO_ENABLED` | `True` | Enable server-to-client audio streaming. |
 | `SELKIES_MICROPHONE_ENABLED` | `True` | Enable client-to-server microphone forwarding. |
 | `SELKIES_GAMEPAD_ENABLED` | `True` | Enable gamepad support. |
 | `SELKIES_CLIPBOARD_ENABLED` | `True` | Enable clipboard synchronization. |
 | `SELKIES_COMMAND_ENABLED` | `True` | Enable parsing of command websocket messages. |
 | `SELKIES_FILE_TRANSFERS` | `'upload,download'` | Allowed file transfer directions (comma-separated: "upload,download"). Set to "" or "none" to disable. |
 | `SELKIES_ENCODER` | `'x264enc,x264enc-striped,jpeg'` | The default video encoders. |
 | `SELKIES_FRAMERATE` | `'8-120'` | Allowed framerate range or a fixed value. |
 | `SELKIES_H264_CRF` | `'5-50'` | Allowed H.264 CRF range or a fixed value. |
 | `SELKIES_JPEG_QUALITY` | `'1-100'` | Allowed JPEG quality range or a fixed value. |
 | `SELKIES_H264_FULLCOLOR` | `False` | Enable H.264 full color range for pixelflux encoders. |
 | `SELKIES_H264_STREAMING_MODE` | `False` | Enable H.264 streaming mode for pixelflux encoders. |
 | `SELKIES_USE_CPU` | `False` | Force CPU-based encoding for pixelflux. |
 | `SELKIES_USE_PAINT_OVER_QUALITY` | `True` | Enable high-quality paint-over for static scenes. |
 | `SELKIES_PAINT_OVER_JPEG_QUALITY` | `'1-100'` | Allowed JPEG paint-over quality range or a fixed value. |
 | `SELKIES_H264_PAINTOVER_CRF` | `'5-50'` | Allowed H.264 paint-over CRF range or a fixed value. |
 | `SELKIES_H264_PAINTOVER_BURST_FRAMES` | `'1-30'` | Allowed H.264 paint-over burst frames range or a fixed value. |
 | `SELKIES_SECOND_SCREEN` | `True` | Enable support for a second monitor/display. |
 | `SELKIES_AUDIO_BITRATE` | `'320000'` | The default audio bitrate. |
 | `SELKIES_IS_MANUAL_RESOLUTION_MODE` | `False` | Lock the resolution to the manual width/height values. |
 | `SELKIES_MANUAL_WIDTH` | `0` | Lock width to a fixed value. Setting this forces manual resolution mode. |
 | `SELKIES_MANUAL_HEIGHT` | `0` | Lock height to a fixed value. Setting this forces manual resolution mode. |
 | `SELKIES_SCALING_DPI` | `'96'` | The default DPI for UI scaling. |
 | `SELKIES_ENABLE_BINARY_CLIPBOARD` | `False` | Allow binary data on the clipboard. |
 | `SELKIES_USE_BROWSER_CURSORS` | `False` | Use browser CSS cursors instead of rendering to canvas. |
 | `SELKIES_USE_CSS_SCALING` | `False` | HiDPI when false, if true a lower resolution is sent from the client and the canvas is stretched. |
 | `SELKIES_PORT` (or `CUSTOM_WS_PORT`) | `8082` | Port for the data websocket server. |
 | `SELKIES_DRI_NODE` (or `DRI_NODE`) | `''` | Path to the DRI render node for VA-API. |
 | `SELKIES_AUDIO_DEVICE_NAME` | `'output.monitor'` | Audio device name for pcmflux capture. |
 | `SELKIES_WATERMARK_PATH` (or `WATERMARK_PNG`) | `''` | Absolute path to the watermark PNG file. |
 | `SELKIES_WATERMARK_LOCATION` (or `WATERMARK_LOCATION`) | `-1` | Watermark location enum (0-6). |
 | `SELKIES_DEBUG` | `False` | Enable debug logging. |
 | `SELKIES_ENABLE_SHARING` | `True` | Master toggle for all sharing features. |
 | `SELKIES_ENABLE_COLLAB` | `True` | Enable collaborative (read-write) sharing link. |
 | `SELKIES_ENABLE_SHARED` | `True` | Enable view-only sharing links. |
 | `SELKIES_ENABLE_PLAYER2` | `True` | Enable sharing link for gamepad player 2. |
 | `SELKIES_ENABLE_PLAYER3` | `True` | Enable sharing link for gamepad player 3. |
 | `SELKIES_ENABLE_PLAYER4` | `True` | Enable sharing link for gamepad player 4. |
 </details>
 ## Usage
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
 >[!NOTE]
 >Unless a parameter is flagged as 'optional', it is *mandatory* and a value must be provided.
 ### docker-compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose))
 ```yaml
@ -207,14 +409,12 @@ services:
    container_name: github-desktop
    cap_add:
      - IPC_LOCK
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
-      - /path/to/config:/config
+      - /path/to/github-desktop/config:/config
    ports:
      - 3000:3000
      - 3001:3001
@ -228,13 +428,12 @@ services:
 docker run -d \
  --name=github-desktop \
  --cap-add=IPC_LOCK \
  --security-opt seccomp=unconfined `#optional` \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 3000:3000 \
  -p 3001:3001 \
-  -v /path/to/config:/config \
+  -v /path/to/github-desktop/config:/config \
  --shm-size="1gb" \
  --restart unless-stopped \
  lscr.io/linuxserver/github-desktop:latest
@ -246,14 +445,14 @@ Containers are configured using parameters passed at runtime (such as those abov
 | Parameter | Function |
 | :----: | --- |
-| `-p 3000` | Github Desktop gui. |
+| `-p 3000:3000` | HTTP Github Desktop gui, must be proxied. |
-| `-p 3001` | HTTPS Github Desktop gui. |
+| `-p 3001:3001` | HTTPS Github Desktop gui. |
 | `-e PUID=1000` | for UserID - see below for explanation |
 | `-e PGID=1000` | for GroupID - see below for explanation |
 | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
 | `-v /config` | Users home directory in the container, stores local files and settings |
 | `--shm-size=` | This is needed for electron applications to function properly. |
-| `--security-opt seccomp=unconfined` | For Docker Engine only, many modern gui apps need this to function on older hosts as syscalls are unknown to Docker. Github Desktop runs in no-sandbox mode without it. |
+| `--cap-add=IPC_LOCK` | Required for keyring functionality. |
 ### Portainer notice
@ -421,6 +620,9 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
 * **28.12.25:** - Add Wayland init logic.
 * **22.09.25:** - Rebase to Debian Trixie.
 * **12.07.25:** - Rebase to Selkies, HTTPS IS NOW REQUIRED.
 * **10.02.24:** - Update Readme with new env vars and ingest proper PWA icon.
 * **03.08.23:** - Rebase to Bookworm and multi arch.
 * **01.04.23:** - Initial release.
--- a/jenkins-vars.yml
+++ b/jenkins-vars.yml
@ -21,8 +21,8 @@ repo_vars:
  - MULTIARCH = 'true'
  - CI = 'true'
  - CI_WEB = 'true'
-  - CI_PORT = '3000'
+  - CI_PORT = '3001'
-  - CI_SSL = 'false'
+  - CI_SSL = 'true'
  - CI_DELAY = '120'
  - CI_DOCKERENV = 'TZ=US/Pacific'
  - CI_AUTH = 'user:password'
--- a/package_versions.txt
+++ b/package_versions.txt
--- a/readme-vars.yml
+++ b/readme-vars.yml
@ -6,55 +6,110 @@ project_url: "https://desktop.github.com/"
 project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/github-desktop-icon.png"
 project_blurb: "[Github Desktop]({{ project_url }}) is an open source Electron-based GitHub app. It is written in TypeScript and uses React."
 project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
-project_blurb_optional_extras_enabled: false
+project_categories: "Programming"
 # supported architectures
 available_architectures:
-  - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
+  - {arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
-  - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
+  - {arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
 # development version
 development_versions: false
 # container parameters
 common_param_env_vars_enabled: true
 param_container_name: "{{ project_name }}"
 param_usage_include_env: true
 param_env_vars:
  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
 param_usage_include_vols: true
 param_volumes:
-  - { vol_path: "/config", vol_host_path: "/path/to/config", desc: "Users home directory in the container, stores local files and settings" }
+  - {vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Users home directory in the container, stores local files and settings"}
 param_usage_include_ports: true
 param_ports:
-  - { external_port: "3000", internal_port: "3000", port_desc: "Github Desktop gui." }
+  - {external_port: "3000", internal_port: "3000", port_desc: "HTTP Github Desktop gui, must be proxied."}
-  - { external_port: "3001", internal_port: "3001", port_desc: "HTTPS Github Desktop gui." }
+  - {external_port: "3001", internal_port: "3001", port_desc: "HTTPS Github Desktop gui."}
 custom_params:
-  - { name: "shm-size", name_compose: "shm_size", value: "1gb",desc: "This is needed for electron applications to function properly." }
+  - {name: "shm-size", name_compose: "shm_size", value: "1gb", desc: "This is needed for electron applications to function properly."}
 cap_add_param: true
 cap_add_param_vars:
-  - { cap_add_var: "IPC_LOCK" }
+  - {cap_add_var: "IPC_LOCK", desc: "Required for keyring functionality."}
-opt_security_opt_param: true
+# Selkies blurb settings
-opt_security_opt_param_vars:
+selkies_blurb: true
  - { run_var: "seccomp=unconfined", compose_var: "seccomp:unconfined", desc: "For Docker Engine only, many modern gui apps need this to function on older hosts as syscalls are unknown to Docker. Github Desktop runs in no-sandbox mode without it." }
 # Kasm blurb settings
 kasm_blurb: true
 show_nvidia: true
 external_http_port: "3000"
 external_https_port: "3001"
 noto_fonts: "fonts-noto-cjk"
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
  The application can be accessed at:
  * http://yourhost:3000/
  * https://yourhost:3001/
-
+# init diagram
 init_diagram: |
  "github-desktop:latest": {
    docker-mods
    base {
      fix-attr +\nlegacy cont-init
    }
    docker-mods -> base
    legacy-services
    custom services
    init-services -> legacy-services
    init-services -> custom services
    custom services -> legacy-services
    legacy-services -> ci-service-check
    init-migrations -> init-adduser
    init-os-end -> init-config
    init-selkies-end -> init-config
    init-config -> init-config-end
    init-crontab-config -> init-config-end
    init-config -> init-crontab-config
    init-mods-end -> init-custom-files
    init-adduser -> init-device-perms
    base -> init-envfile
    base -> init-migrations
    init-config-end -> init-mods
    init-mods-package-install -> init-mods-end
    init-mods -> init-mods-package-install
    init-selkies -> init-nginx
    init-adduser -> init-os-end
    init-device-perms -> init-os-end
    init-envfile -> init-os-end
    init-os-end -> init-selkies
    init-nginx -> init-selkies-config
    init-video -> init-selkies-end
    init-custom-files -> init-services
    init-selkies-config -> init-video
    init-services -> svc-cron
    svc-cron -> legacy-services
    init-services -> svc-dbus
    svc-xorg -> svc-dbus
    svc-dbus -> legacy-services
    init-services -> svc-de
    svc-nginx -> svc-de
    svc-xorg -> svc-de
    svc-de -> legacy-services
    init-services -> svc-docker
    svc-docker -> legacy-services
    init-services -> svc-nginx
    svc-nginx -> legacy-services
    init-services -> svc-pulseaudio
    svc-pulseaudio -> legacy-services
    init-services -> svc-selkies
    svc-dbus -> svc-selkies
    svc-nginx -> svc-selkies
    svc-pulseaudio -> svc-selkies
    svc-xorg -> svc-selkies
    svc-selkies -> legacy-services
    init-services -> svc-watchdog
    svc-watchdog -> legacy-services
    init-services -> svc-xorg
    svc-xorg -> legacy-services
    init-services -> svc-xsettingsd
    svc-nginx -> svc-xsettingsd
    svc-xorg -> svc-xsettingsd
    svc-xsettingsd -> legacy-services
  }
  Base Images: {
    "baseimage-selkies:debiantrixie" <- "baseimage-debian:trixie"
  }
  "github-desktop:latest" <- Base Images
 # changelog
 changelogs:
-  - { date: "10.02.24:", desc: "Update Readme with new env vars and ingest proper PWA icon." }
+  - {date: "28.12.25:", desc: "Add Wayland init logic."}
-  - { date: "03.08.23:", desc: "Rebase to Bookworm and multi arch." }
+  - {date: "22.09.25:", desc: "Rebase to Debian Trixie."}
-  - { date: "01.04.23:", desc: "Initial release." }
+  - {date: "12.07.25:", desc: "Rebase to Selkies, HTTPS IS NOW REQUIRED."}
  - {date: "10.02.24:", desc: "Update Readme with new env vars and ingest proper PWA icon."}
  - {date: "03.08.23:", desc: "Rebase to Bookworm and multi arch."}
  - {date: "01.04.23:", desc: "Initial release."}
--- a/root/defaults/autostart
+++ b/root/defaults/autostart
@ -1,3 +1,3 @@
 #! /bin/bash
-xdg-mime default thunar.desktop inode/directory
+xdg-mime default caja.desktop inode/directory
 dbus-launch github-desktop
--- a/root/defaults/autostart_wayland
+++ b/root/defaults/autostart_wayland
@ -0,0 +1,3 @@
 #! /bin/bash
 xdg-mime default caja.desktop inode/directory
 dbus-launch github-desktop
--- a/root/defaults/menu.xml
+++ b/root/defaults/menu.xml
@ -5,6 +5,6 @@
 <item label="Github Desktop" icon="/usr/share/icons/hicolor/64x64/apps/github-desktop.png"><action name="Execute"><command>/usr/bin/github-desktop</command></action></item>
 <item label="Chromium" icon="/usr/share/icons/hicolor/48x48/apps/chromium.png"><action name="Execute"><command>/usr/bin/chromium</command></action></item>
 <item label="VSCodium" icon="/usr/share/pixmaps/vscodium.png"><action name="Execute"><command>/usr/bin/codium</command></action></item>
-<item label="File Manager" icon="/usr/share/icons/hicolor/scalable/apps/org.xfce.thunar.svg"><action name="Execute"><command>/usr/bin/thunar</command></action></item>
+<item label="File Manager" icon="/usr/share/icons/Adwaita/symbolic/legacy/system-file-manager-symbolic.svg"><action name="Execute"><command>/usr/bin/caja</command></action></item>
 </menu>
 </openbox_menu>
--- a/root/defaults/menu_wayland.xml
+++ b/root/defaults/menu_wayland.xml
@ -0,0 +1,10 @@
 <?xml version="1.0" encoding="utf-8"?>
 <openbox_menu xmlns="http://openbox.org/3.4/menu">
 <menu id="root-menu" label="MENU">
 <item label="Terminal Emulator" icon="/usr/share/pixmaps/xterm-color_48x48.xpm"><action name="Execute"><command>/usr/bin/xfce4-terminal</command></action></item>
 <item label="Github Desktop" icon="/usr/share/icons/hicolor/64x64/apps/github-desktop.png"><action name="Execute"><command>/usr/bin/github-desktop</command></action></item>
 <item label="Chromium" icon="/usr/share/icons/hicolor/48x48/apps/chromium.png"><action name="Execute"><command>/usr/bin/chromium</command></action></item>
 <item label="VSCodium" icon="/usr/share/pixmaps/vscodium.png"><action name="Execute"><command>/usr/bin/codium</command></action></item>
 <item label="File Manager" icon="/usr/share/icons/Adwaita/symbolic/legacy/system-file-manager-symbolic.svg"><action name="Execute"><command>/usr/bin/caja</command></action></item>
 </menu>
 </openbox_menu>
--- a/root/usr/bin/chromium
+++ b/root/usr/bin/chromium
@ -7,9 +7,4 @@ if ! pgrep chromium > /dev/null;then
  rm -f $HOME/.config/chromium/Singleton*
 fi
-# Run normally on privved containers or modified un non priv
+${BIN} --password-store=basic --no-sandbox --test-type "$@"
 if grep -q 'Seccomp:.0' /proc/1/status; then
  ${BIN} --password-store=basic "$@"
 else
  ${BIN} --password-store=basic --no-sandbox --test-type "$@"
 fi
--- a/root/usr/bin/codium
+++ b/root/usr/bin/codium
@ -2,12 +2,6 @@
 BIN=/usr/share/codium/bin/codium
-# Run normally on privved containers or modified un non priv
+${BIN} \
 if grep -q 'Seccomp:.0' /proc/1/status; then
  ${BIN} \
   "$@"
 else
  ${BIN} \
  --no-sandbox \
   "$@"
 fi
--- a/root/usr/bin/github-desktop
+++ b/root/usr/bin/github-desktop
@ -2,9 +2,4 @@
 BIN=/usr/lib/github-desktop/github-desktop
-# Run normally on privved containers or modified un non priv
+dbus-launch ${BIN} --password-store=basic --no-sandbox --test-type "$@"
 if grep -q 'Seccomp:.0' /proc/1/status; then
  dbus-launch ${BIN} --password-store=basic "$@"
 else
  dbus-launch ${BIN} --password-store=basic --no-sandbox --test-type "$@"
 fi
Author	SHA1	Message	Date
LinuxServer-CI	f04ccd9951	Bot Updating Package Versions	2026-02-28 22:17:29 +00:00
LinuxServer-CI	3d6e072a5a	Bot Updating Package Versions	2026-02-21 22:12:58 +00:00
LinuxServer-CI	9f652e43dc	Bot Updating Templated Files	2026-02-21 22:02:26 +00:00
LinuxServer-CI	3104a78a97	Bot Updating Package Versions	2026-02-14 22:23:37 +00:00
LinuxServer-CI	34fa44b058	Bot Updating Templated Files	2026-02-14 22:13:05 +00:00
LinuxServer-CI	07a2c93186	Bot Updating Templated Files	2026-02-14 22:11:08 +00:00
LinuxServer-CI	1fa94613ae	Bot Updating Package Versions	2026-02-07 22:19:14 +00:00
LinuxServer-CI	9334da288b	Bot Updating Package Versions	2026-01-31 22:08:50 +00:00
LinuxServer-CI	43f9d2c428	Bot Updating Package Versions	2026-01-24 22:16:28 +00:00
LinuxServer-CI	d0c5269cc1	Bot Updating Package Versions	2026-01-17 22:08:28 +00:00
LinuxServer-CI	b04a9a742b	Bot Updating Package Versions	2026-01-10 22:08:42 +00:00
LinuxServer-CI	35156e06f6	Bot Updating Package Versions	2026-01-03 22:08:50 +00:00
LinuxServer-CI	2e62950dc2	Bot Updating Package Versions	2026-01-02 17:08:54 +00:00
LinuxServer-CI	9e6385c514	Bot Updating Package Versions	2025-12-28 18:00:31 +00:00
thelamer	99d295a9bf	add wayland init	2025-12-28 12:51:15 -05:00
LinuxServer-CI	052ae4e038	Bot Updating Templated Files	2025-12-27 22:10:04 +00:00
LinuxServer-CI	6e1bc8a97e	Bot Updating Package Versions	2025-12-27 22:08:30 +00:00
LinuxServer-CI	e72f958dc0	Bot Updating Package Versions	2025-12-20 22:08:49 +00:00
LinuxServer-CI	cbb3e8a0a5	Bot Updating Package Versions	2025-12-13 22:08:40 +00:00
LinuxServer-CI	2632bb95d8	Bot Updating Package Versions	2025-12-06 22:08:32 +00:00
LinuxServer-CI	bdac2825ec	Bot Updating Package Versions	2025-11-29 22:08:47 +00:00
LinuxServer-CI	ae2b3428d5	Bot Updating Package Versions	2025-11-22 22:08:31 +00:00
LinuxServer-CI	ae69242493	Bot Updating Package Versions	2025-11-21 14:25:46 +00:00
LinuxServer-CI	5fbad7b3d8	Bot Updating Templated Files	2025-11-21 14:08:40 +00:00
LinuxServer-CI	05d72303b3	Bot Updating Package Versions	2025-11-15 22:08:43 +00:00
LinuxServer-CI	d796233c06	Bot Updating Package Versions	2025-11-08 22:08:34 +00:00
LinuxServer-CI	394be05bb2	Bot Updating Package Versions	2025-11-01 22:08:47 +00:00
LinuxServer-CI	10255d9f1b	Bot Updating Package Versions	2025-10-25 22:12:41 +00:00
LinuxServer-CI	cfadf13db7	Bot Updating Templated Files	2025-10-25 22:04:02 +00:00
LinuxServer-CI	d5725e31b7	Bot Updating Templated Files	2025-10-25 22:02:29 +00:00
LinuxServer-CI	d084e9a921	Bot Updating Package Versions	2025-10-18 22:09:02 +00:00
LinuxServer-CI	42dbcc9880	Bot Updating Package Versions	2025-10-11 22:09:19 +00:00
LinuxServer-CI	ce94819633	Bot Updating Package Versions	2025-10-04 22:15:11 +00:00
LinuxServer-CI	ac802378c1	Bot Updating Package Versions	2025-10-03 23:27:20 +00:00
LinuxServer-CI	c61c69aabd	Bot Updating Templated Files	2025-10-03 23:07:28 +00:00
LinuxServer-CI	367a771b84	Bot Updating Package Versions	2025-09-27 22:09:35 +00:00
LinuxServer-CI	f6705be8d1	Bot Updating Package Versions	2025-09-23 12:55:06 +00:00
LinuxServer-CI	65514463f2	Bot Updating Templated Files	2025-09-23 12:42:39 +00:00
LinuxServer-CI	3a1405357e	Bot Updating Templated Files	2025-09-23 12:39:36 +00:00
Ryan Kuba	0d88fc2646	Merge pull request #12 from linuxserver/trixie rebase to trixie	2025-09-23 08:36:38 -04:00
thelamer	11a8e922c6	rebase to trixie	2025-09-22 15:23:55 -04:00
LinuxServer-CI	fc10dd1707	Bot Updating Package Versions	2025-09-20 22:10:22 +00:00
LinuxServer-CI	cc603adf2f	Bot Updating Package Versions	2025-09-13 22:10:40 +00:00
LinuxServer-CI	21c71e088b	Bot Updating Package Versions	2025-09-06 22:11:18 +00:00
LinuxServer-CI	d152f9b641	Bot Updating Package Versions	2025-08-30 22:10:09 +00:00
LinuxServer-CI	9fcf1b02b9	Bot Updating Package Versions	2025-08-23 02:11:04 +00:00
LinuxServer-CI	a13acbdfad	Bot Updating Templated Files	2025-08-23 01:57:25 +00:00
LinuxServer-CI	076dc1852f	Bot Updating Templated Files	2025-08-23 01:55:16 +00:00
LinuxServer-CI	a2c3a947e2	Bot Updating Package Versions	2025-08-14 20:04:02 +00:00
LinuxServer-CI	1cf605b58e	Bot Updating Package Versions	2025-08-09 22:16:27 +00:00
LinuxServer-CI	eb43fbee7c	Bot Updating Package Versions	2025-08-08 15:55:23 +00:00
LinuxServer-CI	83ad5dd35f	Bot Updating Package Versions	2025-08-02 22:15:44 +00:00
LinuxServer-CI	a4220a2793	Bot Updating Package Versions	2025-07-24 22:34:57 +00:00
LinuxServer-CI	7fe2b621f7	Bot Updating Templated Files	2025-07-24 22:20:28 +00:00
Ryan Kuba	02ae24808e	Merge pull request #11 from linuxserver/selkies selkies branch	2025-07-24 22:14:43 +00:00
thelamer	fb7a8eaaca	selkies branch	2025-07-20 15:33:23 -04:00
LinuxServer-CI	5e2deece4f	Bot Updating Package Versions	2025-07-19 22:15:11 +00:00
LinuxServer-CI	5c4e8cbedd	Bot Updating Package Versions	2025-07-12 22:16:03 +00:00
LinuxServer-CI	2a7cebe49a	Bot Updating Package Versions	2025-07-05 22:21:36 +00:00
LinuxServer-CI	edfe597ce2	Bot Updating Templated Files	2025-07-05 22:10:26 +00:00
LinuxServer-CI	b870103611	Bot Updating Templated Files	2025-07-05 22:08:42 +00:00
LinuxServer-CI	4cbc8f91fa	Bot Updating Package Versions	2025-06-28 22:14:49 +00:00
LinuxServer-CI	c3f8dc9af1	Bot Updating Package Versions	2025-06-21 22:14:56 +00:00
LinuxServer-CI	7302eee2f0	Bot Updating Package Versions	2025-06-14 22:11:42 +00:00
LinuxServer-CI	5bc0321cbd	Bot Updating Templated Files	2025-06-14 22:02:31 +00:00
LinuxServer-CI	19978ef253	Bot Updating Package Versions	2025-06-07 22:14:44 +00:00
LinuxServer-CI	f89a41daee	Bot Updating Package Versions	2025-05-31 22:12:57 +00:00
LinuxServer-CI	820ccb70c6	Bot Updating Package Versions	2025-05-24 22:12:50 +00:00
LinuxServer-CI	35f546b1df	Bot Updating Package Versions	2025-05-17 22:10:45 +00:00
LinuxServer-CI	d8b235a405	Bot Updating Templated Files	2025-05-17 22:01:51 +00:00
LinuxServer-CI	30d6e8f68d	Bot Updating Package Versions	2025-05-10 22:14:06 +00:00
LinuxServer-CI	7ca9b4ec3c	Bot Updating Package Versions	2025-05-03 22:12:38 +00:00
LinuxServer-CI	ab468c839a	Bot Updating Package Versions	2025-04-26 22:12:19 +00:00
LinuxServer-CI	ff0f57186d	Bot Updating Package Versions	2025-04-19 22:13:54 +00:00
LinuxServer-CI	150ba78cd8	Bot Updating Package Versions	2025-04-12 22:11:20 +00:00
LinuxServer-CI	a4a00349c9	Bot Updating Package Versions	2025-04-05 22:17:00 +00:00
LinuxServer-CI	8485dcb90b	Bot Updating Package Versions	2025-03-29 22:10:30 +00:00
LinuxServer-CI	f355fe3720	Bot Updating Package Versions	2025-03-22 22:08:34 +00:00
LinuxServer-CI	8ab9709f2c	Bot Updating Package Versions	2025-03-15 22:06:46 +00:00
LinuxServer-CI	c701c64eaf	Bot Updating Package Versions	2025-03-08 22:08:27 +00:00
LinuxServer-CI	9da539174c	Bot Updating Package Versions	2025-03-01 22:09:14 +00:00
LinuxServer-CI	adc0f97a15	Bot Updating Package Versions	2025-02-22 22:17:00 +00:00
LinuxServer-CI	adeb4e0668	Bot Updating Package Versions	2025-02-15 22:11:10 +00:00
LinuxServer-CI	dc68514a36	Bot Updating Templated Files	2025-02-15 22:02:15 +00:00
LinuxServer-CI	2bebc47c92	Bot Updating Package Versions	2025-02-09 18:47:30 +00:00
LinuxServer-CI	3cce6913e0	Bot Updating Package Versions	2025-02-09 16:45:52 +00:00
LinuxServer-CI	fb87213d65	Bot Updating Package Versions	2025-02-08 22:07:03 +00:00
LinuxServer-CI	cd2c97ef7e	Bot Updating Package Versions	2025-02-01 22:18:33 +00:00
LinuxServer-CI	86c45c312f	Bot Updating Templated Files	2025-02-01 22:05:01 +00:00
LinuxServer-CI	b82e1cf5fe	Bot Updating Templated Files	2025-02-01 22:03:28 +00:00
LinuxServer-CI	1b54b82a16	Bot Updating Package Versions	2025-01-25 22:08:04 +00:00
quietsy	85862653c5	Merge pull request #10 from linuxserver/add-project-categories Add categories to readme-vars.yml	2025-01-22 19:53:36 +02:00
quietsy	3874a7dfde	Add categories to readme-vars.yml	2025-01-22 14:52:15 +02:00
LinuxServer-CI	661d952b7d	Bot Updating Package Versions	2025-01-18 22:07:56 +00:00
LinuxServer-CI	2740ed67b9	Bot Updating Package Versions	2025-01-11 22:08:24 +00:00
LinuxServer-CI	0fd2de9ae0	Bot Updating Package Versions	2025-01-04 22:07:28 +00:00
LinuxServer-CI	0088529a2f	Bot Updating Package Versions	2024-12-21 22:25:03 +00:00
LinuxServer-CI	85617d801a	Bot Updating Templated Files	2024-12-21 22:04:42 +00:00
LinuxServer-CI	1e2354a965	Bot Updating Templated Files	2024-12-21 22:03:04 +00:00
LinuxServer-CI	845dbd5e86	Bot Updating Package Versions	2024-12-14 22:08:47 +00:00
LinuxServer-CI	151014b3cd	Bot Updating Package Versions	2024-12-07 22:10:38 +00:00
LinuxServer-CI	fde2b0889e	Bot Updating Templated Files	2024-12-07 22:03:04 +00:00
LinuxServer-CI	a62b58a6ab	Bot Updating Templated Files	2024-12-07 22:01:43 +00:00
LinuxServer-CI	abc1cdab3b	Bot Updating Templated Files	2024-12-02 09:24:07 +00:00
LinuxServer-CI	88221d1476	Bot Updating Templated Files	2024-12-02 09:22:33 +00:00
LinuxServer-CI	4ebdd2deb5	Bot Updating Templated Files	2024-12-02 09:20:04 +00:00
Adam	613360bc59	Merge pull request #9 from linuxserver/cap-desc	2024-12-02 09:18:32 +00:00
thespad	ec7cc24e5a	Add cap descriptions	2024-12-01 22:28:48 +00:00
LinuxServer-CI	6f58aeae4e	Bot Updating Package Versions	2024-11-23 22:07:31 +00:00
LinuxServer-CI	165e871dc7	Bot Updating Package Versions	2024-11-16 22:10:51 +00:00
LinuxServer-CI	6fc00cdad5	Bot Updating Package Versions	2024-11-11 21:41:52 +00:00
LinuxServer-CI	8bbd723217	Bot Updating Package Versions	2024-11-11 16:55:56 +00:00
LinuxServer-CI	aeae2358c2	Bot Updating Templated Files	2024-11-11 16:43:21 +00:00