[2.x] Bound retry and unique-lock lifetimes on UpdateApps and ProcessApps

[JoshSalway]

Problem

Both UpdateApps and ProcessApps implement ShouldBeUnique but do not set $uniqueFor, which on Redis and database cache drivers produces a lock with no TTL. If the worker is killed mid-handle() (OOM, SIGKILL, server crash, container restart), the lock persists and blocks every future dispatch of that job class until the cache entry is manually cleared.

For Heimdall specifically: one low-memory container restart during an UpdateApps run silently disables background app-update checks. The symptom visible to the user is "my dashboard stopped noticing app updates", with no obvious connection to the queue lock.

Neither job sets $tries, so they inherit whatever the worker command was started with. On queue:work that is 1 attempt (safe). Homelab supervisors vary widely; relying on the inherited default is fragile.

Proposed change

Add three lines on each job:

 class UpdateApps implements ShouldQueue, ShouldBeUnique
 {
     use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

+    public int $tries = 1;
+    public int $uniqueFor = 600;

     public function handle(): void { /* unchanged */ }

     public function failed(Throwable $exception): void
     {
         Cache::lock('updateApps')->forceRelease();
+        Log::error(static::class . ' permanently failed', [
+            'exception_class' => $exception::class,
+            'exception_message' => $exception->getMessage(),
+            'file' => $exception->getFile() . ':' . $exception->getLine(),
+        ]);
     }
 }

Identical shape on ProcessApps, plus a new failed() method (it doesn't have one).

Why these values

• $tries = 1: Most failures here are GitHub API rate-limit responses; retries inside the same window do not help. One attempt is enough. ($backoff would have nothing to pace.)
• No $timeout: handle() is intentionally throttled at 1 second per app (sleep(1) in the loop). A 60-app user takes 60+ seconds. Setting $timeout = 60 would clip mid-loop. Setting it higher than 90 conflicts with the default retry_after. The original code left $timeout unset and that is correct for this design. UpdateApps is also dispatched via dispatchAfterResponse() which doesn't go through queue:work at all, so the queue $timeout is irrelevant in that path.
• $uniqueFor = 600 (10 minutes): Long enough that the lock outlives any plausible single attempt, short enough that a dead-worker scenario self-heals in 10 minutes without operator intervention. With $tries = 1 there is no retry chain to cover.
• failed(): Logs the permanent failure event with the exception class, message, and file:line so an operator can distinguish a Guzzle ClientException from a ConnectException at a glance. For UpdateApps the existing Cache::lock('updateApps')->forceRelease() is preserved; the log call is added on top.

The log does not capture which specific app was being processed at the moment of failure, since handle() iterates over all apps in a single call and the spec for this PR avoids touching handle(). The Guzzle exception message often contains the GitHub API URL, which encodes the appid, so the appid is usually recoverable from the message itself. If maintainers want explicit per-app context that is a small follow-up: track the current app on the instance in the loop, reference it in failed().

Test plan

• Existing phpunit suite passes unchanged on Laravel 11.45 against PHP 8.4.19.
• No new tests added: the change is property additions and a failed() method extension. Behaviour around $uniqueFor, $tries, and the failed() lifecycle is already covered by Laravel framework's own tests.

Context

This fix comes from a queue-safety audit of public Laravel projects: https://joshsalway.com/articles/improving-queue-safety-in-laravel. Laravel releases the ShouldBeUnique lock when the job completes or finally fails. If neither happens (worker killed mid-fire), the lock has no TTL fallback unless $uniqueFor is set.