Matiss Janis Aboltins d76d7d3204 Security hardening: validate release notes and workflow inputs (#7448)
* [AI] Harden GitHub Actions workflows against low-severity security issues

- generate-release-pr.yml: replace `eval` with an associative array for
  per-package version tracking. The version input was already moved to an
  env var in #7433, so this removes the remaining defense-in-depth concern
  of `eval`ing subshell output.
- create-release-notes-file.js: validate the OpenAI-returned category
  against the known allow-list (Features, Bugfixes, Enhancements,
  Maintenance), validate the author against the GitHub username regex,
  and collapse the summary to a single line before embedding it in the
  markdown body. Prevents indirect prompt-injection via CodeRabbit
  comments from producing malformed YAML frontmatter.
- generate-summary.js: stop logging the full CodeRabbit comment body to
  CI logs.
- netlify-release.yml, i18n-string-extract-master.yml: pass secrets via
  `env:` blocks rather than as CLI arguments, so they do not appear in
  argv / process listings.

https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33

* Add release notes for PR #7448

* [AI] Address review feedback on security hardening

- create-release-notes-file.js: stop logging the full fileContent body.
  Only log the target filename plus the (already-validated) category and
  author metadata, so the model-generated release-note text doesn't end
  up in CI logs.
- create-release-notes-file.js: validate summaryData.prNumber as a
  positive integer before using it in the file path or commit message,
  and switch both usages to the validated numeric value.
- i18n-string-extract-master.yml: write the Weblate API key into
  ~/.config/weblate under a [keys] section in a new "Configure Weblate
  API credentials" step, then drop the per-step env blocks and the
  --key CLI flag from every wlc invocation so the secret is no longer
  visible in process listings at all.

https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33

* [AI] Remove debug console.log statements for category in release notes script

Remove the four "Debug - ..." console.log calls that printed the raw
category env var (value/type/JSON-stringified form) plus the cleanCategory
value. They were clutter in CI logs; the existing info-level
"Creating release notes file: ... (category: ..., author: ...)" log
already surfaces the sanitized category.

https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
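As an added example (not the project's own create-release-notes-file.js), the validation steps the commit message describes can be applied together before any model-returned value is embedded in YAML frontmatter: exact allow-list match for the category, a GitHub username pattern for the author, a canonical positive integer for the PR number, and a summary collapsed to one line. The function names, the username regex and the frontmatter layout are this example's assumptions.

```javascript
// Added example: validation of an LLM-generated release-note entry before it is
// embedded in YAML frontmatter, modelled on the checks the commit message
// describes. Function names and the frontmatter layout are assumptions.
const ALLOWED_CATEGORIES = ['Features', 'Bugfixes', 'Enhancements', 'Maintenance'];

// Assumed GitHub username rule: 1-39 letters, digits or hyphens, with no
// leading, trailing or consecutive hyphens.
const GITHUB_USERNAME = /^[a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38}$/i;

function validateReleaseNote({ category, author, summary, prNumber }) {
  // Exact match against the allow-list: a model-returned string such as
  // "Features\nauthors: [x]" can never become an extra frontmatter key.
  if (!ALLOWED_CATEGORIES.includes(category)) {
    throw new Error(`invalid category: ${JSON.stringify(category)}`);
  }
  if (typeof author !== 'string' || !GITHUB_USERNAME.test(author)) {
    throw new Error(`invalid author: ${JSON.stringify(author)}`);
  }
  // prNumber ends up in a file path and a commit message, so accept only a
  // canonical positive integer (rejects "../7", "1e3", "0042", NaN).
  const num = Number(prNumber);
  const canonical = String(prNumber).trim() === String(num);
  if (!Number.isInteger(num) || num <= 0 || !canonical) {
    throw new Error(`invalid prNumber: ${JSON.stringify(prNumber)}`);
  }
  // Collapse all whitespace runs (including newlines) so the summary cannot
  // open a new frontmatter line or terminate the block early.
  const oneLine = String(summary).replace(/\s+/g, ' ').trim();
  if (oneLine.length === 0) throw new Error('empty summary');
  return { category, author, summary: oneLine, prNumber: num };
}

// Builds the markdown file body from validated fields only.
function renderReleaseNote(input) {
  const v = validateReleaseNote(input);
  return ['---', `category: ${v.category}`, `authors: [${v.author}]`, '---', '', v.summary, ''].join('\n');
}
```

The validated `prNumber` is the value to reuse for the file name and commit message, so the path and the frontmatter are derived from the same checked input.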

Actualbudget

Getting Started

Actual is a local-first personal finance tool. It is 100% free and open-source, written in NodeJS, and it has a synchronization element so that all your changes can move between devices without any heavy lifting.

If you are interested in contributing, or want to know how development works, see our contributing document; we would love to have you.

Want to say thanks? Click the star at the top of the page.

Installation

There are four ways to deploy Actual:

  1. One-click deployment via PikaPods (~1.40 $/month) - recommended for non-technical users
  2. Managed hosting via Fly.io (~1.50 $/month)
  3. Self-hosted by using a Docker image
  4. Local-only apps - downloadable Windows, Mac and Linux apps you can run on your device

Learn more in the installation instructions docs.

Ready to Start Budgeting?

Read about Envelope budgeting to know more about the idea behind Actual Budget.

Are you new to budgeting or want to start fresh?

Check out the community's Starting Fresh guide so you can quickly get up and running!

Are you migrating from other budgeting apps?

Check out the community's Migration guide to start jumping on the Actual Budget train!

Documentation

We have a wide range of documentation on how to use Actual; this is all available in our Community Documentation. It includes topics on Budgeting, Account Management, Tips & Tricks and some documentation for developers.

Contributing

Actual is a community-driven product. Learn more about contributing to Actual.

Code structure

The Actual app is split up into a few packages:

  • loot-core - The core application that runs on any platform
  • desktop-client - The desktop UI
  • desktop-electron - The desktop app

More information on the project structure is available in our community documentation.

Feature Requests

Current feature requests can be seen here. Vote for your favorite requests by reacting 👍 to the top comment of the request.

To add new feature requests, open a new Issue of the "Feature Request" type.

Translation

Make Actual Budget accessible to more people by helping with the Internationalization of Actual. We are using a crowdsourcing tool to manage the translations; see our Weblate Project. Weblate proudly supports open-source software projects through their Libre plan.

Repo Activity


Sponsors

Thanks to our wonderful sponsors who make Actual Budget possible!

Deploys by Netlify
