famedly · nico-famedly · Aug 12, 2025 · Aug 19, 2025 · Aug 12, 2025 · Aug 22, 2025
@@ -21,5 +21,5 @@ for BRANCH_NAME in "$GITHUB_HEAD_REF" "$GITHUB_BASE_REF" "${GITHUB_REF#refs/head
     continue
   fi
 
-  (wget -O - "https://github.com/matrix-org/complement/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C complement) && break
+  (wget -O - "https://github.com/famedly/complement/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C complement) && break
 done
@@ -7,6 +7,13 @@ name: Docker
 on:
   push:
     tags: ["v*.*.*_*"]
+  workflow_dispatch:
+    # Manually trigger to build and push docker image with modules to nightly Harbor registry.
+    inputs:
+      tag:
+        description: 'Provide tag name with work package. Tag must only contain ASCII letters, digits, underscores, periods, or dashes.'
+        required: true
+        type: string
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -59,6 +66,18 @@ jobs:
     outputs:
       build_matrix: ${{ steps.get-matrix.outputs.build_matrix }}
 
+  validate_image_tag:
+    # Validate the tag input for workflow_dispatch.
+    if: ${{ github.event_name == 'workflow_dispatch' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate Image Tag
+        run: |
+          if ! [[ "${{ github.event.inputs.tag }}" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+            echo "Error: tag must only contain ASCII letters, digits, underscores, periods, or dashes."
+            exit 1
+          fi
+
   production-build:
     if: ${{ !cancelled() && !failure() }} # Allow for stopping the build job
     needs:
@@ -70,7 +89,7 @@ jobs:
     with:
       push: ${{ github.event_name != 'pull_request' }} # Always build, don't publish on pull requests
       registry_user: ${{ vars.REGISTRY_USER }}
-      registry:  registry.famedly.net/docker-oss
+      registry: ${{ github.event_name == 'workflow_dispatch' && 'registry.famedly.net/docker-nightly' || 'registry.famedly.net/docker-oss' }}
       image_name: synapse
       file: docker/Dockerfile-famedly
       # Notice that there is a leading 'sha-' in front of the actual sha, as that is
@@ -82,5 +101,6 @@ jobs:
       # Tag the production image used for famedly deployments.
       tags: |
         type=ref,event=tag,suffix=-${{ matrix.job.mod_pack_name }}
+        type=raw,enable=${{ github.event_name == 'workflow_dispatch' }},value=${{ matrix.job.mod_pack_name }}-${{ github.event.inputs.tag }}
       flavor: latest=false
     secrets: inherit
@@ -25,7 +25,7 @@ jobs:
       - uses: Swatinem/rust-cache@68b3cb7503c78e67dae8373749990a220eb65352
       - uses: matrix-org/setup-python-poetry@v2
         with:
-          python-version: "3.x"
+          python-version: "3.13"
           poetry-version: "2.1.1"
           extras: "all"
       - run: poetry run scripts-dev/generate_sample_config.sh --check
@@ -49,7 +49,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.x"
+          python-version: "3.13"
       - run: .ci/scripts/check_lockfile.py
 
   lint:
@@ -63,6 +63,7 @@ jobs:
         uses: matrix-org/setup-python-poetry@v2
         with:
           poetry-version: "2.1.1"
+          python-version: "3.13"
           install-project: "false"
 
       - name: Run ruff check
@@ -91,6 +92,7 @@ jobs:
           # https://github.com/matrix-org/synapse/pull/15376#issuecomment-1498983775
           # To make CI green, err towards caution and install the project.
           install-project: "true"
+          python-version: "3.13"
           poetry-version: "2.1.1"
 
       # Cribbed from
@@ -124,6 +126,7 @@ jobs:
       - uses: matrix-org/setup-python-poetry@v2
         with:
           poetry-version: "2.1.1"
+          python-version: "3.13"
           extras: "all"
       - run: poetry run scripts-dev/check_pydantic_models.py
 
@@ -161,7 +164,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.x"
+          python-version: "3.13"
       - run: "pip install rstcheck"
       - run: "rstcheck --report-level=WARNING README.rst"
 

@@ -129,6 +129,12 @@ experimental_features:
   msc3984_appservice_key_query: true
   # Invite filtering
   msc4155_enabled: true
+  # Media Attachment
+  msc3911:
+    enabled: true
+    block_unrestricted_media_upload: false
+    purge_pending_unattached_media: true
+    pending_media_cleanup_interval_ms: 86400000 # 1 day
 
 server_notices:
   system_mxid_localpart: _server

@@ -117,15 +117,15 @@
     },
     "media_repository": {
         "app": "synapse.app.generic_worker",
-        "listener_resources": ["media", "client"],
+        "listener_resources": ["media", "client", "replication"],
         "endpoint_patterns": [
             "^/_matrix/media/",
             "^/_synapse/admin/v1/purge_media_cache$",
             "^/_synapse/admin/v1/room/.*/media.*$",
             "^/_synapse/admin/v1/user/.*/media.*$",
             "^/_synapse/admin/v1/media/.*$",
             "^/_synapse/admin/v1/quarantine_media/.*$",
-            "^/_matrix/client/v1/media/.*$",
+            "^/_matrix/client/(v1|unstable/.*)/media/.*$",
             "^/_matrix/federation/v1/media/.*$",
         ],
         # The first configured media worker will run the media background jobs
@@ -448,6 +448,9 @@ def add_worker_roles_to_shared_config(
     if "federation_sender" in worker_types_set:
         shared_config.setdefault("federation_sender_instances", []).append(worker_name)
 
+    if "media_repository" in worker_types_set:
+        shared_config.setdefault("media_repo_instances", []).append(worker_name)
+
     # Update the list of stream writers. It's convenient that the name of the worker
     # type is the same as the stream to write. Iterate over the whole list in case there
     # is more than one.
@@ -468,6 +471,17 @@ def add_worker_roles_to_shared_config(
                     "host": "localhost",
                     "port": worker_port,
                 }
+        if worker == "media_repository":
+            # Just like for stream_writers, media workers now need to be on the instance_map
+            if os.environ.get("SYNAPSE_USE_UNIX_SOCKET", False):
+                instance_map[worker_name] = {
+                    "path": f"/run/worker.{worker_port}",
+                }
+            else:
+                instance_map[worker_name] = {
+                    "host": "localhost",
+                    "port": worker_port,
+                }
 
 
 def merge_worker_template_configs(

@@ -58,12 +58,17 @@ enum EventInternalMetadataData {
     TxnId(Box<str>),
     TokenId(i64),
     DeviceId(Box<str>),
+    MediaReferences(Vec<String>),
 }
 
 impl EventInternalMetadataData {
     /// Convert the field to its name and python object.
     fn to_python_pair<'a>(&self, py: Python<'a>) -> (&'a Bound<'a, PyString>, Bound<'a, PyAny>) {
         match self {
+            EventInternalMetadataData::MediaReferences(o) => (
+                pyo3::intern!(py, "media_references"),
+                o.into_pyobject(py).unwrap().into_any(),
+            ),
             EventInternalMetadataData::OutOfBandMembership(o) => (
                 pyo3::intern!(py, "out_of_band_membership"),
                 o.into_pyobject(py)
@@ -128,6 +133,11 @@ impl EventInternalMetadataData {
         let key_str: PyBackedStr = key.extract()?;
 
         let e = match &*key_str {
+            "media_references" => EventInternalMetadataData::MediaReferences(
+                value
+                    .extract()
+                    .with_context(|| format!("'{key_str}' has invalid type"))?,
+            ),
             "out_of_band_membership" => EventInternalMetadataData::OutOfBandMembership(
                 value
                     .extract()
@@ -469,4 +479,14 @@ impl EventInternalMetadata {
     fn set_device_id(&mut self, obj: String) {
         set_property!(self, DeviceId, obj.into_boxed_str());
     }
+
+    /// The media references for the restrictions being set for this event, if any.
+    #[getter]
+    fn get_media_references(&self) -> Option<&Vec<String>> {
+        get_property_opt!(self, MediaReferences)
+    }
+    #[setter]
+    fn set_media_references(&mut self, obj: Vec<String>) {
+        set_property!(self, MediaReferences, obj);
+    }
 }
@@ -230,6 +230,7 @@ test_packages=(
     ./tests/msc3967
     ./tests/msc4140
     ./tests/msc4155
+    ./tests/msc3911
 )
 
 # Enable dirty runs, so tests will reuse the same container where possible.

@@ -245,6 +245,13 @@ def __init__(self, msg: str):
         super().__init__(HTTPStatus.BAD_REQUEST, msg, Codes.BAD_JSON)
 
 
+class UnauthorizedRequestAPICallError(SynapseError):
+    """Error raised when a request was not allowed due to authorization"""
+
+    def __init__(self, msg: str):
+        super().__init__(HTTPStatus.FORBIDDEN, msg, Codes.UNAUTHORIZED)
+
+
 class InvalidProxyCredentialsError(SynapseError):
     """Error raised when the proxy credentials are invalid."""
 

@@ -365,6 +365,22 @@ class MSC3866Config:
     require_approval_for_new_accounts: bool = False
 
 
+@attr.s(auto_attribs=True, frozen=True, slots=True)
+class MSC3911Config:
+    """Configuration for MSC3911 (Linking Media to Events)"""
+
+    # MSC3911 is enabled
+    enabled: bool = False
+
+    # Disable the current media create and upload endpoints
+    block_unrestricted_media_upload: bool = False
+
+    # Delete pending media that is older than certain interval and not attached to any events.
+    purge_pending_unattached_media: bool = False
+    # This configures how often the cleanup loop run in milliseconds
+    pending_media_cleanup_interval_ms: int = 24 * 60 * 60 * 1000  # 1 day
+
+
 class ExperimentalConfig(Config):
     """Config section for enabling experimental features"""
 
@@ -588,3 +604,7 @@ def read_config(
         # MSC4306: Thread Subscriptions
         # (and MSC4308: sliding sync extension for thread subscriptions)
         self.msc4306_enabled: bool = experimental.get("msc4306_enabled", False)
+
+        # MSC3911: Linking Media to Events
+        raw_msc3911_config = experimental.get("msc3911", {})
+        self.msc3911 = MSC3911Config(**raw_msc3911_config)
@@ -75,6 +75,7 @@ class HomeServerConfig(RootConfig):
         DatabaseConfig,
         LoggingConfig,
         RatelimitConfig,
+        WorkerConfig,
         ContentRepositoryConfig,
         OembedConfig,
         CaptchaConfig,
@@ -103,7 +104,6 @@ class HomeServerConfig(RootConfig):
         RoomDirectoryConfig,
         ThirdPartyRulesConfig,
         TracerConfig,
-        WorkerConfig,
         RedisConfig,
         ExperimentalConfig,
         BackgroundUpdateConfig,

@@ -134,19 +134,46 @@ class ContentRepositoryConfig(Config):
     def read_config(self, config: JsonDict, **kwargs: Any) -> None:
         # Only enable the media repo if either the media repo is enabled or the
         # current worker app is the media repo.
-        if (
-            config.get("enable_media_repo", True) is False
-            and config.get("worker_app") != "synapse.app.media_repository"
-        ):
-            self.can_load_media_repo = False
-            return
+
+        workers_doing_media_duty = self.root.worker.workers_doing_media_duty
+        # It is expected by many places in Synapse and its unit tests that either there
+        # are no media repos, or only one, or every worker is one. If we have our new
+        # proper list, use that to decide if we are supposed to be handling these duties
+        if not workers_doing_media_duty:
+            if (
+                config.get("enable_media_repo", True) is False
+                and config.get("worker_app") != "synapse.app.media_repository"
+            ):
+                self.can_load_media_repo = False
+                return
+            self.can_load_media_repo = True
+
         else:
+            if self.root.worker.instance_name not in workers_doing_media_duty:
+                self.can_load_media_repo = False
+                return
             self.can_load_media_repo = True
 
         # Whether this instance should be the one to run the background jobs to
         # e.g clean up old URL previews.
-        self.media_instance_running_background_jobs = config.get(
-            "media_instance_running_background_jobs",
+        # We prefer the first worker that is on the list to be responsible. However,
+        # backwards compatible the old setting and allow it to override the list.
+        #
+        # The URLPreviewer is the only thing that cares about this. Refactoring this to
+        # not stomp all over it's own feet doing the same work twice(maybe a mod on
+        # sha256?) and then it would not matter which media worker does the job.
+        media_instance_running_background_jobs_from_list = None
+        if self.root.worker.workers_doing_media_duty:
+            media_instance_running_background_jobs_from_list = (
+                self.root.worker.workers_doing_media_duty[0]
+            )
+        media_instance_running_background_jobs = config.get(
+            "media_instance_running_background_jobs"
+        )
+
+        self.media_instance_running_background_jobs = (
+            media_instance_running_background_jobs
+            or media_instance_running_background_jobs_from_list
         )
 
         self.max_upload_size = self.parse_size(config.get("max_upload_size", "50M"))

@@ -479,6 +479,16 @@ def read_config(
                     self.instance_map[instance]
                 )
 
+        self.workers_doing_media_duty = config.get("media_repo_instances", [])
+        # I would rather do this bit below, but the behavior of Synapse is rather lax.
+        # Documented what I mean in config/repository.py
+        # self.workers_doing_media_duty = self._worker_names_performing_this_duty(
+        #     config,
+        #     "enable_media_repo",
+        #     "synapse.app.media_repository",
+        #     "media_repo_instances",
+        # )
+
     def _should_this_worker_perform_duty(
         self,
         config: Dict[str, Any],

@@ -51,6 +51,7 @@
 )
 from synapse.http.site import SynapseRequest
 from synapse.media._base import DEFAULT_MAX_TIMEOUT_MS, MAXIMUM_ALLOWED_MAX_TIMEOUT_MS
+from synapse.media.media_repository import MediaRepository
 from synapse.media.thumbnailer import ThumbnailProvider
 from synapse.types import JsonDict
 from synapse.util import SYNAPSE_VERSION
@@ -78,6 +79,7 @@ def __init__(
     ):
         super().__init__(hs, authenticator, ratelimiter, server_name)
         self.handler = hs.get_federation_server()
+        self.enable_restricted_media = hs.config.experimental.msc3911.enabled
 
 
 class FederationSendServlet(BaseFederationServerServlet):
@@ -850,6 +852,7 @@ def __init__(
         super().__init__(hs, authenticator, ratelimiter, server_name)
         self.media_repo = self.hs.get_media_repository()
         self.dynamic_thumbnails = hs.config.media.dynamic_thumbnails
+        assert isinstance(self.media_repo, MediaRepository)
         self.thumbnail_provider = ThumbnailProvider(
             hs, self.media_repo, self.media_repo.media_storage
         )
@@ -879,6 +882,7 @@ async def on_GET(
             await self.thumbnail_provider.respond_local_thumbnail(
                 request, media_id, width, height, method, m_type, max_timeout_ms, True
             )
+        assert isinstance(self.media_repo, MediaRepository)
         self.media_repo.mark_recently_accessed(None, media_id)