feat: UI redesign, GitHub Actions CI, security hardening, beta branch support

- Redesign settings page with card-based layout and full Unraid theme support
- Add GitHub Actions CI workflow with JSON-driven build matrix (build-matrix.json),
  replacing the need for Jenkins — supports branches and extra pin versions
- Add beta branch support to download.sh, update-check.sh, and exec.sh
- Add open-source kernel module builds for all branches (not just production)
- Add Blackwell GPU detection with warning when using proprietary modules
- Add GPU architecture and CUDA version display in system info
- Security: input validation in update_version() and change_update_check()
  to prevent command injection via sed
- Security: function whitelist replacing unrestricted $@ dispatcher in exec.sh
- Security: safe file cleanup in download.sh and update-check.sh to prevent
  accidental mass deletion when variables are empty
- Fix: extract FETCH_VERSIONS() to eliminate redundant API call
- Fix: $DRIVERS variable scope bug in legacy 580 driver check

Author: mricharz

.github/workflows/build-nvidia.yml

@@ -0,0 +1,193 @@
+name: Build NVIDIA Driver Packages
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - 'build-matrix.json'
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      gcc_tag: ${{ steps.set-matrix.outputs.gcc_tag }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: set-matrix
+        run: |
+          MATRIX=$(jq -c '
+            # Builds from branch definitions
+            [
+              .kernel_versions[] as $k |
+              .branches | to_entries[] |
+              .value.module_types[] as $m |
+              {
+                driver_version: .value.driver_version,
+                module_type: $m,
+                kernel_version: $k,
+                branch: .key
+              }
+            ]
+            +
+            # Extra builds for pin-to-specific-version (outside branch structure)
+            [
+              .kernel_versions[] as $k |
+              (.extra_builds // [])[] |
+              .module_types[] as $m |
+              {
+                driver_version: .driver_version,
+                module_type: $m,
+                kernel_version: $k,
+                branch: "extra"
+              }
+            ]
+          ' build-matrix.json)
+          echo "matrix=${MATRIX}" >> "$GITHUB_OUTPUT"
+          echo "gcc_tag=$(jq -r '.gcc_tag' build-matrix.json)" >> "$GITHUB_OUTPUT"
+
+  build:
+    needs: prepare
+    runs-on: ubuntu-latest
+    timeout-minutes: 120
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc
+          df -h /
+
+      - name: Create output directory
+        run: mkdir -p output
+
+      - name: Build package in container
+        run: |
+          docker pull ghcr.io/ich777/unraid_kernel:${{ needs.prepare.outputs.gcc_tag }}
+          docker run --rm \
+            --entrypoint bash \
+            -v "$GITHUB_WORKSPACE":/workspace \
+            -v "$GITHUB_WORKSPACE/output":/output \
+            ghcr.io/ich777/unraid_kernel:${{ needs.prepare.outputs.gcc_tag }} \
+            -c '
+              set -euo pipefail
+
+              DRIVER_VERSION="${{ matrix.driver_version }}"
+              KERNEL_VERSION="${{ matrix.kernel_version }}"
+              MODULE_TYPE="${{ matrix.module_type }}"
+
+              if [ "${MODULE_TYPE}" == "opensource" ]; then
+                PKG_PREFIX="nvos"
+                BUILD_ARG="opensource"
+              else
+                PKG_PREFIX="nvidia"
+                BUILD_ARG=""
+              fi
+
+              echo "=== Building ${PKG_PREFIX}-${DRIVER_VERSION} (${MODULE_TYPE}) for kernel ${KERNEL_VERSION} ==="
+
+              export UNAME="${KERNEL_VERSION}"
+              export CPU_COUNT="$(nproc)"
+              export DATA_DIR="/tmp/nvidia-build"
+              mkdir -p "${DATA_DIR}"
+
+              # ---------------------------------------------------------------
+              # Step 1: Prepare kernel sources
+              # ---------------------------------------------------------------
+              echo "=== Downloading kernel sources ==="
+              KERNEL_TAR="linux-${KERNEL_VERSION}.tar.xz"
+              KERNEL_URL="https://github.com/ich777/unraid_kernel/releases/download/${KERNEL_VERSION}/${KERNEL_TAR}"
+              wget -q -O "/tmp/${KERNEL_TAR}" "${KERNEL_URL}"
+              mkdir -p "/usr/src/linux-${KERNEL_VERSION}"
+              tar xf "/tmp/${KERNEL_TAR}" -C "/usr/src/linux-${KERNEL_VERSION}"
+              cd "/usr/src/linux-${KERNEL_VERSION}"
+
+              echo "=== Preparing kernel headers ==="
+              make oldconfig </dev/null 2>&1 | tail -5
+              make modules_prepare -j${CPU_COUNT} 2>&1 | tail -5
+
+              mkdir -p "/lib/modules/${UNAME}"
+              ln -sf "/usr/src/linux-${KERNEL_VERSION}" "/lib/modules/${UNAME}/build"
+              ln -sf "/usr/src/linux-${KERNEL_VERSION}" "/lib/modules/${UNAME}/source"
+              cd /
+
+              # ---------------------------------------------------------------
+              # Step 2: Create makepkg shim
+              # ---------------------------------------------------------------
+              mkdir -p "${DATA_DIR}/bzroot-extracted-${UNAME}/sbin"
+              printf "#!/bin/bash\n# Grab last argument as output file\nfor PKG; do true; done\ntar cJf \"\${PKG}\" . 2>/dev/null; exit 0\n" > "${DATA_DIR}/bzroot-extracted-${UNAME}/sbin/makepkg"
+              chmod +x "${DATA_DIR}/bzroot-extracted-${UNAME}/sbin/makepkg"
+
+              # ---------------------------------------------------------------
+              # Step 3: Build using compile.sh
+              # ---------------------------------------------------------------
+              echo "=== Loading compile.sh and building ==="
+              cd /workspace
+
+              real_wget="$(which wget)"
+              mkdir -p /usr/local/bin
+              printf "#!/bin/bash\nexec ${real_wget} \"\${@/--show-progress/}\"" > /usr/local/bin/wget
+              chmod +x /usr/local/bin/wget
+
+              source source/compile.sh "${DRIVER_VERSION}" ${BUILD_ARG:-"dummy"}
+              nvidia_driver "${DRIVER_VERSION}" ${BUILD_ARG}
+
+              # ---------------------------------------------------------------
+              # Step 4: Copy output artifacts
+              # ---------------------------------------------------------------
+              echo "=== Copying build artifacts ==="
+              find /tmp -name "${PKG_PREFIX}-*.txz" -exec cp {} /output/ \;
+              find /tmp -name "${PKG_PREFIX}-*.txz.md5" -exec cp {} /output/ \;
+
+              echo "=== Build artifacts ==="
+              ls -la /output/
+            '
+
+      - name: Verify build output
+        run: |
+          ls -la output/
+          if [ -z "$(ls output/*.txz 2>/dev/null)" ]; then
+            echo "ERROR: No .txz package found in output!"
+            exit 1
+          fi
+          cd output
+          for f in *.txz; do
+            if [ -f "${f}.md5" ]; then
+              EXPECTED="$(cat "${f}.md5")"
+              ACTUAL="$(md5sum "${f}" | awk '{print $1}')"
+              echo "${f}: expected=${EXPECTED} actual=${ACTUAL}"
+              if [ "${EXPECTED}" != "${ACTUAL}" ]; then
+                echo "CHECKSUM MISMATCH!"
+                exit 1
+              fi
+              echo "Checksum OK"
+            fi
+          done
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.module_type == 'opensource' && 'nvos' || 'nvidia' }}-${{ matrix.driver_version }}-${{ matrix.kernel_version }}
+          path: output/*
+          retention-days: 90
+
+      - name: Create or update GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${{ matrix.kernel_version }}"
+          gh release view "${TAG}" --repo ${{ github.repository }} >/dev/null 2>&1 || \
+            gh release create "${TAG}" --repo ${{ github.repository }} \
+              --title "Drivers for kernel ${TAG}" \
+              --notes "NVIDIA driver packages for Unraid kernel ${TAG}"
+          for f in output/*; do
+            gh release upload "${TAG}" "${f}" --repo ${{ github.repository }} --clobber
+          done
+          echo "=== Release ${TAG} updated ==="
+          gh release view "${TAG}" --repo ${{ github.repository }}

build-matrix.json

@@ -0,0 +1,23 @@
+{
+  "gcc_tag": "gcc_14.2.0",
+  "kernel_versions": ["6.12.54-Unraid"],
+  "branches": {
+    "production": {
+      "driver_version": "580.142",
+      "module_types": ["proprietary", "opensource"]
+    },
+    "newfeature": {
+      "driver_version": "590.48.01",
+      "module_types": ["proprietary", "opensource"]
+    },
+    "beta": {
+      "driver_version": "595.45.04",
+      "module_types": ["proprietary", "opensource"]
+    }
+  },
+  "extra_builds": [
+    { "driver_version": "575.64.05", "module_types": ["proprietary", "opensource"] },
+    { "driver_version": "580.126.18", "module_types": ["proprietary", "opensource"] },
+    { "driver_version": "590.44.01", "module_types": ["proprietary", "opensource"] }
+  ]
+}

source/usr/local/emhttp/plugins/nvidia-driver/include/download.sh

@@ -193,6 +193,49 @@ elif [ "${SET_DRV_V}" == "latest_nfb" ]; then
       LAT_PACKAGE="$(echo "$DRIVER_AVAIL" | grep "$LAT_NFB_V")"
     fi
   fi
+elif [ "${SET_DRV_V}" == "latest_beta" ]; then
+  LAT_BETA_AVAIL="$(echo "$BRANCHES" | jq -r '.beta.current')"
+  if [ -z "$LAT_BETA_AVAIL" ]; then
+    if [ -z "${CUR_V}" ]; then
+      echo
+      echo "-----ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR------"
+      echo "------Can't get Beta Branch version and found no installed local driver---------"
+      echo "-----Please wait for an hour and try it again, if it then also fails please-----"
+      echo "------go to the Support Thread on the Unraid forums and make a post there!------"
+      exit 1
+    else
+      LAT_PACKAGE=$PACKAGE-$CUR_V-$KERNEL_V-1.txz
+    fi
+  elif [ -z "$DRIVER_AVAIL" ]; then
+    if [ -z "${CUR_V}" ]; then
+      echo
+      echo "-----ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR------"
+      echo "------Can't get Nvidia driver versions and found no installed local driver------"
+      echo "-----Please wait for an hour and try it again, if it then also fails please-----"
+      echo "------go to the Support Thread on the Unraid forums and make a post there!------"
+      exit 1
+    else
+      LAT_PACKAGE=$PACKAGE-$CUR_V-$KERNEL_V-1.txz
+    fi
+  else
+    LAT_BETA_V="$(comm -12 <(echo "$DRIVER_AVAIL" | cut -d '-' -f2 | awk -F '.' '{printf "%d.%03d.%d\n", $1,$2,$3}' | awk -F '.' '{printf "%d.%03d.%02d\n", $1,$2,$3}') <(echo "$LAT_BETA_AVAIL" | awk -F '.' '{printf "%d.%03d.%d\n", $1,$2,$3}' | awk -F '.' '{printf "%d.%03d.%02d\n", $1,$2,$3}') | sort -V | tail -1 | awk -F '.' '{printf "%d.%02d.%02d\n", $1,$2,$3}' | awk '{sub(/\.0+$/,"")}1')"
+    if [ -z "${LAT_BETA_V}" ]; then
+      if [ -z "${CUR_V}" ]; then
+        echo
+        echo "-----ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR - ERROR------"
+        echo "------Can't get Nvidia driver versions and found no installed local driver------"
+        echo "-----Please wait for an hour and try it again, if it then also fails please-----"
+        echo "------go to the Support Thread on the Unraid forums and make a post there!------"
+        exit 1
+      else
+        LAT_PACKAGE="$(echo "$DRIVER_AVAIL" | tail -1)"
+        echo "---Can't find latest Beta Branch Nvidia Driver for your Kernel v${KERNEL_V%%-*} falling back to latest Nvidia Driver v$(echo $LAT_PACKAGE | cut -d '-' -f2)---"
+        sed -i '/driver_version=/c\driver_version=latest' "/boot/config/plugins/nvidia-driver/settings.cfg"
+      fi
+    else
+      LAT_PACKAGE="$(echo "$DRIVER_AVAIL" | grep "$LAT_BETA_V")"
+    fi
+  fi
 elif [ "${SET_DRV_V}" == "latest_nos" ]; then
   if [ -z "$LAT_NOS_AVAIL" ]; then
     if [ -z "${CUR_V}" ]; then
@@ -235,9 +278,22 @@ fi
 #Begin Check
 check
 
-#Check for old packages that are not suitable for this Kernel and not suitable for the current Nvidia driver version
-rm -rf $(ls -d /boot/config/plugins/nvidia-driver/packages/* 2>/dev/null | grep -v "${KERNEL_V%%-*}")
-rm -f $(ls /boot/config/plugins/nvidia-driver/packages/${KERNEL_V%%-*}/* 2>/dev/null | grep -v "$LAT_PACKAGE")
+# SEC: Safe cleanup of old kernel directories.
+# Original used unquoted command substitution with rm -rf, which could
+# delete everything if variables were empty (grep -v "" matches all lines).
+# Using a loop with explicit checks prevents accidental mass deletion.
+while IFS= read -r dir; do
+  [[ "$(basename "$dir")" != "${KERNEL_V%%-*}" ]] && rm -rf "$dir"
+done < <(find /boot/config/plugins/nvidia-driver/packages -mindepth 1 -maxdepth 1 -type d 2>/dev/null)
+
+# SEC: Only clean up old packages if we know the current package name.
+# Without this guard, an empty $LAT_PACKAGE would cause grep -v "" to
+# match nothing, and all files would be deleted from the packages dir.
+if [ -n "$LAT_PACKAGE" ]; then
+  while IFS= read -r file; do
+    [[ "$(basename "$file")" != "$LAT_PACKAGE" && "$(basename "$file")" != "${LAT_PACKAGE}.md5" ]] && rm -f "$file"
+  done < <(find "/boot/config/plugins/nvidia-driver/packages/${KERNEL_V%%-*}" -mindepth 1 -maxdepth 1 -type f 2>/dev/null)
+fi
 
 #Display message to reboot server both in Plugin and WebUI
 echo