fix(media): restore broken IPFS media and route images through Next.js optimizer (#1032)

## Summary

Fixes #1031

- **Backend**: adds a one-time CLI subcommand `pin-ipfs-cids` to re-pin
all IPFS CIDs stored in the database to the current Pinata account,
restoring access to media that was pinned to a previous account. Also
includes the hardcoded default avatar CID (not stored in DB).
- **Frontend**: removes the custom Pinata image-transform loader from
`Web3Image`; IPFS URIs are now resolved to HTTPS gateway URLs before
being handed to Next.js `Image`, so all media flows through the standard
`_next/image` optimizer
- Deletes the now-unused `lib/web3-img-loader.ts`
- Adds `.github/workflows/run-ipfs-migration.yml` -- a manual
`workflow_dispatch` to run the migration against staging or prod via
Turso (libsql), using per-environment Pinata JWT secrets
(`STAGING_PINATA_JWT` / `PROD_PINATA_JWT`)

## How to run the migration

The migration is triggered manually via GitHub Actions after deploying:

**GitHub Actions (staging or prod):**
Go to Actions -> "Run IPFS Migration" -> Run workflow -> pick
environment + dry_run.

> Requires `STAGING_PINATA_JWT` and `PROD_PINATA_JWT` to be added as
GitHub secrets.

**Local (dev.db or any SQLite file):**
```sh
# Preview CIDs without pinning
PINATA_JWT=<jwt> go run ./backend pin-ipfs-cids -dry-run -db <path-to.db>

# Pin all CIDs
PINATA_JWT=<jwt> go run ./backend pin-ipfs-cids -db <path-to.db>
```

The `-db` flag also accepts a libsql DSN:
`libsql://<host>?authToken=<token>`. `ZENAO_DB` env var is accepted as a
fallback.

## Affected files

| File | Change |
|---|---|
| `backend/pin_ipfs_cids.go` | New -- migration subcommand (supports
SQLite + libsql/Turso) |
| `backend/main.go` | Register new subcommand |
| `components/widgets/images/web3-image.tsx` | Remove custom Pinata
loader, resolve IPFS URI via `web2URL` |
| `lib/web3-img-loader.ts` | Deleted -- no longer used |
| `.github/workflows/run-ipfs-migration.yml` | New -- manual workflow to
run the migration against staging/prod |

## Test plan

**Pre-merge (local):**
- [x] Run `pin-ipfs-cids -dry-run -db dev.db` and verify the expected
CIDs are listed (includes the default avatar CID)
- [x] Run `pin-ipfs-cids -db dev.db` and confirm all CIDs are queued on
Pinata
- [x] Verify images display on `/discover`, event pages, community
pages, and profile pages
- [ ] Verify audio posts play in social feeds
- [x] Verify "Open image in new tab" displays inline instead of
downloading

**Post-merge (staging then prod):**
- [ ] Add `STAGING_PINATA_JWT` and `PROD_PINATA_JWT` secrets to GitHub
- [ ] Trigger "Run IPFS Migration" workflow on staging with `dry_run:
true` -- verify expected CIDs are listed
- [ ] Trigger "Run IPFS Migration" workflow on staging with `dry_run:
false` -- confirm all CIDs are queued on Pinata
- [ ] Verify images display correctly on staging
- [ ] Repeat on prod

Author: WaDadidou

.github/workflows/run-ipfs-migration.yml

@@ -0,0 +1,61 @@
+name: Run IPFS Migration
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Target environment"
+        required: true
+        type: choice
+        options:
+          - staging
+          - prod
+      dry_run:
+        description: "Dry run (list CIDs without pinning)"
+        required: false
+        type: boolean
+        default: true
+
+jobs:
+  pin-ipfs-cids:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Golang with cache
+        uses: magnetikonline/action-golang-cache@v5
+        with:
+          go-version-file: go.mod
+          cache-key-suffix: ipfs-migration
+
+      - name: Set DB URL (staging)
+        if: inputs.environment == 'staging'
+        env:
+          TOKEN: ${{ secrets.STAGING_TURSO_TOKEN }}
+        run: echo "ZENAO_DB=libsql://zenao-staging-3-samourai-coop.turso.io?authToken=${TOKEN}" >> $GITHUB_ENV
+
+      - name: Set DB URL (prod)
+        if: inputs.environment == 'prod'
+        env:
+          TOKEN: ${{ secrets.PROD_TURSO_TOKEN }}
+        run: echo "ZENAO_DB=libsql://zenao-prod-samourai-coop.turso.io?authToken=${TOKEN}" >> $GITHUB_ENV
+
+      - name: Set Pinata JWT (staging)
+        if: inputs.environment == 'staging'
+        env:
+          TOKEN: ${{ secrets.STAGING_PINATA_JWT }}
+        run: echo "PINATA_JWT=${TOKEN}" >> $GITHUB_ENV
+
+      - name: Set Pinata JWT (prod)
+        if: inputs.environment == 'prod'
+        env:
+          TOKEN: ${{ secrets.PROD_PINATA_JWT }}
+        run: echo "PINATA_JWT=${TOKEN}" >> $GITHUB_ENV
+
+      - name: Run pin-ipfs-cids (dry run)
+        if: inputs.dry_run == true
+        run: go run ./backend pin-ipfs-cids -dry-run
+
+      - name: Run pin-ipfs-cids
+        if: inputs.dry_run == false
+        run: go run ./backend pin-ipfs-cids

backend/main.go

@@ -47,6 +47,7 @@ func main() {
 		newGenticketCmd(),
 		newGenPdfTicketCmd(),
 		newConvertEvtToComCmd(),
+		newPinIPFSCIDsCmd(),
 	)
 
 	cmd.Execute(context.Background(), os.Args[1:])

backend/pin_ipfs_cids.go

@@ -0,0 +1,190 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/gnolang/gno/tm2/pkg/commands"
+	"go.uber.org/zap"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func newPinIPFSCIDsCmd() *commands.Command {
+	return commands.NewCommand(
+		commands.Metadata{
+			Name:       "pin-ipfs-cids",
+			ShortUsage: "pin-ipfs-cids [flags]",
+			ShortHelp:  "pin all IPFS CIDs stored in the database to the current Pinata account",
+		},
+		&pinIPFSCIDsConf,
+		func(ctx context.Context, args []string) error {
+			return pinIPFSCIDs()
+		},
+	)
+}
+
+var pinIPFSCIDsConf = pinIPFSCIDsConfig{}
+
+type pinIPFSCIDsConfig struct {
+	dbPath    string
+	pinataJWT string
+	dryRun    bool
+}
+
+func (conf *pinIPFSCIDsConfig) RegisterFlags(flset *flag.FlagSet) {
+	flset.StringVar(&conf.dbPath, "db", "dev.db", "path to the SQLite database or a libsql DSN (libsql://...?authToken=...)")
+	flset.StringVar(&conf.pinataJWT, "pinata-jwt", "", "Pinata API JWT token (or set PINATA_JWT env var)")
+	flset.BoolVar(&conf.dryRun, "dry-run", false, "list CIDs without actually pinning them")
+}
+
+func pinIPFSCIDs() error {
+	if val := os.Getenv("ZENAO_DB"); val != "" && pinIPFSCIDsConf.dbPath == "dev.db" {
+		pinIPFSCIDsConf.dbPath = val
+	}
+	if val := os.Getenv("PINATA_JWT"); val != "" {
+		pinIPFSCIDsConf.pinataJWT = val
+	}
+	if !pinIPFSCIDsConf.dryRun && pinIPFSCIDsConf.pinataJWT == "" {
+		return fmt.Errorf("-pinata-jwt or PINATA_JWT env var is required")
+	}
+
+	logger, err := zap.NewDevelopment()
+	if err != nil {
+		return err
+	}
+
+	var db *gorm.DB
+	if strings.HasPrefix(pinIPFSCIDsConf.dbPath, "libsql") {
+		db, err = gorm.Open(sqlite.New(sqlite.Config{
+			DriverName: "libsql",
+			DSN:        pinIPFSCIDsConf.dbPath,
+		}), &gorm.Config{})
+	} else {
+		db, err = gorm.Open(sqlite.Open(pinIPFSCIDsConf.dbPath), &gorm.Config{})
+	}
+	if err != nil {
+		return fmt.Errorf("open database: %w", err)
+	}
+
+	cids, err := collectAllIPFSCIDs(db)
+	if err != nil {
+		return fmt.Errorf("collect CIDs: %w", err)
+	}
+	logger.Info("collected unique IPFS CIDs", zap.Int("count", len(cids)))
+
+	if pinIPFSCIDsConf.dryRun {
+		for _, cid := range cids {
+			fmt.Println(cid)
+		}
+		return nil
+	}
+
+	client := &http.Client{Timeout: 30 * time.Second}
+	pinned, failed := 0, 0
+	for _, cid := range cids {
+		logger.Info("pinning", zap.String("cid", cid))
+		if err := callPinByHash(client, pinIPFSCIDsConf.pinataJWT, cid); err != nil {
+			logger.Error("failed to pin", zap.String("cid", cid), zap.Error(err))
+			failed++
+		} else {
+			pinned++
+		}
+	}
+
+	logger.Info("done", zap.Int("pinned", pinned), zap.Int("failed", failed))
+	if failed > 0 {
+		return fmt.Errorf("%d CID(s) failed to pin", failed)
+	}
+	return nil
+}
+
+// allIPFSCIDsQuery collects every distinct ipfs:// URI across all tables that store
+// user-uploaded media, so we can pin them all to the current Pinata account.
+const allIPFSCIDsQuery = `
+SELECT DISTINCT uri FROM (
+	SELECT avatar_uri          AS uri FROM users        WHERE avatar_uri          LIKE 'ipfs://%'
+	UNION
+	SELECT image_uri                   FROM events       WHERE image_uri           LIKE 'ipfs://%'
+	UNION
+	SELECT avatar_uri                  FROM communities  WHERE avatar_uri          LIKE 'ipfs://%'
+	UNION
+	SELECT banner_uri                  FROM communities  WHERE banner_uri          LIKE 'ipfs://%'
+	UNION
+	SELECT preview_image_uri           FROM posts        WHERE preview_image_uri   LIKE 'ipfs://%'
+	UNION
+	SELECT image_uri                   FROM posts        WHERE image_uri           LIKE 'ipfs://%'
+	UNION
+	SELECT audio_uri                   FROM posts        WHERE audio_uri           LIKE 'ipfs://%'
+	UNION
+	SELECT video_uri                   FROM posts        WHERE video_uri           LIKE 'ipfs://%'
+	UNION
+	SELECT thumbnail_image_uri         FROM posts        WHERE thumbnail_image_uri LIKE 'ipfs://%'
+)`
+
+func collectAllIPFSCIDs(db *gorm.DB) ([]string, error) {
+	rows, err := db.Raw(allIPFSCIDsQuery).Rows()
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var cids []string
+	for rows.Next() {
+		var uri string
+		if err := rows.Scan(&uri); err != nil {
+			return nil, err
+		}
+		cids = append(cids, strings.TrimPrefix(uri, "ipfs://"))
+	}
+	return cids, rows.Err()
+}
+
+type pinByHashBody struct {
+	HashToPin     string     `json:"hashToPin"`
+	PinataOptions pinataOpts `json:"pinataOptions"`
+}
+
+type pinataOpts struct {
+	CIDVersion int `json:"cidVersion"`
+}
+
+// callPinByHash queues a CID to be pinned to the Pinata account associated with
+// jwt. The operation is asynchronous: Pinata fetches the content from the IPFS
+// network in the background after this call returns.
+func callPinByHash(client *http.Client, jwt, cid string) error {
+	body, err := json.Marshal(pinByHashBody{
+		HashToPin:     cid,
+		PinataOptions: pinataOpts{CIDVersion: 1},
+	})
+	if err != nil {
+		return err
+	}
+
+	req, err := http.NewRequest(http.MethodPost, "https://api.pinata.cloud/pinning/pinByHash", bytes.NewReader(body))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+jwt)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		respBody, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("pinata returned status %d: %s", resp.StatusCode, string(respBody))
+	}
+	return nil
+}

components/widgets/images/web3-image.tsx

@@ -2,23 +2,21 @@
 
 import React from "react";
 import Image, { ImageProps } from "next/image";
-import withWeb3ImgLoader from "@/lib/web3-img-loader";
+import { web2URL } from "@/lib/uris";
 import { cn } from "@/lib/tailwind";
 
 export const Web3Image = React.forwardRef<
   HTMLImageElement,
-  Omit<ImageProps, "loader"> & {
-    imgFit?: "scale-down" | "contain" | "cover" | "crop" | "pad";
-  }
->(({ alt, src, className, imgFit, ...props }, ref) => {
-  const isWeb3 = typeof src === "string" && src.startsWith("ipfs://");
+  Omit<ImageProps, "loader">
+>(({ alt, src, className, ...props }, ref) => {
+  const resolvedSrc =
+    typeof src === "string" && src.startsWith("ipfs://") ? web2URL(src) : src;
 
   return (
     <Image
       ref={ref}
-      src={src}
+      src={resolvedSrc}
       alt={alt}
-      loader={isWeb3 ? withWeb3ImgLoader({ imgFit }) : undefined}
       className={cn("bg-primary/10", className)}
       {...props}
     />

lib/web3-img-loader.ts

@@ -73,6 +73,15 @@ const nextConfig: NextConfig = {
     ].join("; ");
 
     return [
+      {
+        source: "/_next/image",
+        headers: [
+          {
+            key: "Content-Disposition",
+            value: "inline",
+          },
+        ],
+      },
       {
         source: "/(.*)",
         headers: [