update docs

organize imports
add rk3568
2025-03-15 00:12:07 -04:00 · 2025-03-15 00:11:21 -04:00 · 2025-03-15 00:07:00 -04:00 · 2025-03-14 23:37:39 -04:00 · 2025-03-14 17:01:23 -04:00 · 2025-03-14 16:49:40 -04:00
1396 changed files with 70913 additions and 91085 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASEIMAGE=mcr.microsoft.com/devcontainers/typescript-node:22@sha256:a20b8a3538313487ac9266875bbf733e544c1aa2091df2bb99ab592a6d4f7399
+ARG BASEIMAGE=mcr.microsoft.com/devcontainers/typescript-node:22@sha256:9791f4aa527774bc370c6bd2f6705ce5a686f1e6f204badd8dfaacce28c631ae
 FROM ${BASEIMAGE}

 # Flutter SDK
--- a/.gitattributes
+++ b/.gitattributes
@@ -6,9 +6,6 @@ mobile/openapi/**/*.dart linguist-generated=true
 mobile/lib/**/*.g.dart -diff -merge
 mobile/lib/**/*.g.dart linguist-generated=true

-mobile/lib/**/*.drift.dart -diff -merge
-mobile/lib/**/*.drift.dart linguist-generated=true
-
 open-api/typescript-sdk/fetch-client.ts -diff -merge
 open-api/typescript-sdk/fetch-client.ts linguist-generated=true

--- a/.github/.nvmrc
+++ b/.github/.nvmrc
@@ -1 +0,0 @@
-22.14.0
--- a/.github/DISCUSSION_TEMPLATE/feature-request.yaml
+++ b/.github/DISCUSSION_TEMPLATE/feature-request.yaml
@@ -1,5 +1,5 @@
-title: '[Feature] feature-name-goes-here'
-labels: ['feature']
+title: "[Feature] feature-name-goes-here"
+labels: ["feature"]

 body:
  - type: markdown
@@ -13,7 +13,7 @@ body:
    attributes:
      label: I have searched the existing feature requests, both open and closed, to make sure this is not a duplicate request.
      options:
-        - label: 'Yes'
+        - label: "Yes"
          required: true

  - type: textarea
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -5,7 +5,7 @@ body:
    attributes:
      label: I have searched the existing issues, both open and closed, to make sure this is not a duplicate report.
      options:
-        - label: 'Yes'
+        - label: "Yes"
          required: true

  - type: markdown
@@ -84,7 +84,7 @@ body:
    id: repro
    attributes:
      label: Reproduction steps
-      description: 'How do you trigger this bug? Please walk us through it step by step.'
+      description: "How do you trigger this bug? Please walk us through it step by step."
      value: |
        1.
        2.
@@ -97,13 +97,12 @@ body:
    id: logs
    attributes:
      label: Relevant log output
-      description:
-        Please copy and paste any relevant logs below. (code formatting is
+      description: Please copy and paste any relevant logs below. (code formatting is
        enabled, no need for backticks)
      render: shell
    validations:
      required: false
-
+      
  - type: textarea
    attributes:
      label: Additional information
--- a/.github/actions/image-build/action.yml
+++ b/.github/actions/image-build/action.yml
@@ -1,118 +0,0 @@
-name: 'Single arch image build'
-description: 'Build single-arch image on platform appropriate runner'
-inputs:
-  image:
-    description: 'Name of the image to build'
-    required: true
-  ghcr-token:
-    description: 'GitHub Container Registry token'
-    required: true
-  platform:
-    description: 'Platform to build for'
-    required: true
-  artifact-key-base:
-    description: 'Base key for artifact name'
-    required: true
-  context:
-    description: 'Path to build context'
-    required: true
-  dockerfile:
-    description: 'Path to Dockerfile'
-    required: true
-  build-args:
-    description: 'Docker build arguments'
-    required: false
-runs:
-  using: 'composite'
-  steps:
-    - name: Prepare
-      id: prepare
-      shell: bash
-      env:
-        PLATFORM: ${{ inputs.platform }}
-      run: |
-        echo "platform-pair=${PLATFORM//\//-}" >> $GITHUB_OUTPUT
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-      if: ${{ !github.event.pull_request.head.repo.fork }}
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ inputs.ghcr-token }}
-
-    - name: Generate cache key suffix
-      id: cache-key-suffix
-      shell: bash
-      env:
-        REF: ${{ github.ref_name }}
-      run: |
-        if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-          echo "cache-key-suffix=pr-${{ github.event.number }}" >> $GITHUB_OUTPUT
-        else
-          SUFFIX=$(echo "${REF}" | sed 's/[^a-zA-Z0-9]/-/g')
-          echo "suffix=${SUFFIX}" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Generate cache target
-      id: cache-target
-      shell: bash
-      env:
-        BUILD_ARGS: ${{ inputs.build-args }}
-        IMAGE: ${{ inputs.image }}
-        SUFFIX: ${{ steps.cache-key-suffix.outputs.suffix }}
-        PLATFORM_PAIR: ${{ steps.prepare.outputs.platform-pair }}
-      run: |
-        HASH=$(sha256sum <<< "${BUILD_ARGS}" | cut -d' ' -f1)
-        CACHE_KEY="${PLATFORM_PAIR}-${HASH}"
-        echo "cache-key-base=${CACHE_KEY}" >> $GITHUB_OUTPUT
-        if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
-          # Essentially just ignore the cache output (forks can't write to registry cache)
-          echo "cache-to=type=local,dest=/tmp/discard,ignore-error=true" >> $GITHUB_OUTPUT
-        else
-          echo "cache-to=type=registry,ref=${IMAGE}-build-cache:${CACHE_KEY}-${SUFFIX},mode=max,compression=zstd" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Generate docker image tags
-      id: meta
-      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
-      env:
-        DOCKER_METADATA_PR_HEAD_SHA: 'true'
-
-    - name: Build and push image
-      id: build
-      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-      with:
-        context: ${{ inputs.context }}
-        file: ${{ inputs.dockerfile }}
-        platforms: ${{ inputs.platform }}
-        labels: ${{ steps.meta.outputs.labels }}
-        cache-to: ${{ steps.cache-target.outputs.cache-to }}
-        cache-from: |
-          type=registry,ref=${{ inputs.image }}-build-cache:${{ steps.cache-target.outputs.cache-key-base }}-${{ steps.cache-key-suffix.outputs.suffix }}
-          type=registry,ref=${{ inputs.image }}-build-cache:${{ steps.cache-target.outputs.cache-key-base }}-main
-        outputs: type=image,"name=${{ inputs.image }}",push-by-digest=true,name-canonical=true,push=${{ !github.event.pull_request.head.repo.fork }}
-        build-args: |
-          BUILD_ID=${{ github.run_id }}
-          BUILD_IMAGE=${{ github.event_name == 'release' && github.ref_name || steps.meta.outputs.tags }}
-          BUILD_SOURCE_REF=${{ github.ref_name }}
-          BUILD_SOURCE_COMMIT=${{ github.sha }}
-          ${{ inputs.build-args }}
-
-    - name: Export digest
-      shell: bash
-      run: | # zizmor: ignore[template-injection]
-        mkdir -p ${{ runner.temp }}/digests
-        digest="${{ steps.build.outputs.digest }}"
-        touch "${{ runner.temp }}/digests/${digest#sha256:}"
-
-    - name: Upload digest
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-      with:
-        name: ${{ inputs.artifact-key-base }}-${{ steps.cache-target.outputs.cache-key-base }}
-        path: ${{ runner.temp }}/digests/*
-        if-no-files-found: error
-        retention-days: 1
--- a/.github/package-lock.json
+++ b/.github/package-lock.json
@@ -1,28 +0,0 @@
-{
-  "name": ".github",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "devDependencies": {
-        "prettier": "^3.5.3"
-      }
-    },
-    "node_modules/prettier": {
-      "version": "3.5.3",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.5.3.tgz",
-      "integrity": "sha512-QQtaxnoDJeAkDvDKWCLiwIXkTgRhwYDEQCghU9Z6q03iyek/rxRh/2lC3HB7P8sWT2xC/y5JDctPLBIGzHKbhw==",
-      "dev": true,
-      "license": "MIT",
-      "bin": {
-        "prettier": "bin/prettier.cjs"
-      },
-      "engines": {
-        "node": ">=14"
-      },
-      "funding": {
-        "url": "https://github.com/prettier/prettier?sponsor=1"
-      }
-    }
-  }
-}
--- a/.github/package.json
+++ b/.github/package.json
@@ -1,9 +0,0 @@
-{
-  "scripts": {
-    "format": "prettier --check .",
-    "format:fix": "prettier --write ."
-  },
-  "devDependencies": {
-    "prettier": "^3.5.3"
-  }
-}
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -1,33 +1,33 @@
-changelog:
-  categories:
-    - title: 🚨 Breaking Changes
-      labels:
-        - changelog:breaking-change
-
-    - title: 🫥 Deprecated Changes
-      labels:
-        - changelog:deprecated
-
-    - title: 🔒 Security
-      labels:
-        - changelog:security
-
-    - title: 🚀 Features
-      labels:
-        - changelog:feature
-
-    - title: 🌟 Enhancements
-      labels:
-        - changelog:enhancement
-
-    - title: 🐛 Bug fixes
-      labels:
-        - changelog:bugfix
-
-    - title: 📚 Documentation
-      labels:
-        - changelog:documentation
-
-    - title: 🌐 Translations
-      labels:
-        - changelog:translation
+changelog:
+  categories:
+    - title: 🚨 Breaking Changes
+      labels:
+        - changelog:breaking-change
+
+    - title: 🫥 Deprecated Changes
+      labels:
+        - changelog:deprecated
+
+    - title: 🔒 Security
+      labels:
+        - changelog:security
+
+    - title: 🚀 Features
+      labels:
+        - changelog:feature
+
+    - title: 🌟 Enhancements
+      labels:
+        - changelog:enhancement
+
+    - title: 🐛 Bug fixes
+      labels:
+        - changelog:bugfix
+
+    - title: 📚 Documentation
+      labels:
+        - changelog:documentation
+
+    - title: 🌐 Translations
+      labels:
+        - changelog:translation
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -7,15 +7,6 @@ on:
      ref:
        required: false
        type: string
-    secrets:
-      KEY_JKS:
-        required: true
-      ALIAS:
-        required: true
-      ANDROID_KEY_PASSWORD:
-        required: true
-      ANDROID_STORE_PASSWORD:
-        required: true
  pull_request:
  push:
    branches: [main]
@@ -24,23 +15,16 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  pre-job:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.mobile == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
+        uses: actions/checkout@v4
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@v3
        with:
          filters: |
            mobile:
@@ -54,26 +38,31 @@ jobs:
  build-sign-android:
    name: Build and sign Android
    needs: pre-job
-    permissions:
-      contents: read
    # Skip when PR from a fork
    if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.pre-job.outputs.should_run == 'true' }}
    runs-on: macos-14

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          ref: ${{ inputs.ref || github.sha }}
-          persist-credentials: false
+      - name: Determine ref
+        id: get-ref
+        run: |
+          input_ref="${{ inputs.ref }}"
+          github_ref="${{ github.sha }}"
+          ref="${input_ref:-$github_ref}"
+          echo "ref=$ref" >> $GITHUB_OUTPUT

-      - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.get-ref.outputs.ref }}
+
+      - uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: '17'
          cache: 'gradle'

      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2
+        uses: subosito/flutter-action@v2
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -89,10 +78,6 @@ jobs:
        working-directory: ./mobile
        run: flutter pub get

-      - name: Generate translation file
-        run: make translation
-        working-directory: ./mobile
-
      - name: Build Android App Bundle
        working-directory: ./mobile
        env:
@@ -104,7 +89,7 @@ jobs:
          flutter build apk --release --split-per-abi --target-platform android-arm,android-arm64,android-x64

      - name: Publish Android Artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@v4
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -8,38 +8,31 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  cleanup:
    name: Cleanup
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      actions: write
    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Cleanup
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REF: ${{ github.ref }}
        run: |
          gh extension install actions/gh-actions-cache

          REPO=${{ github.repository }}
+          BRANCH=${{ github.ref }}

          echo "Fetching list of cache keys"
-          cacheKeysForPR=$(gh actions-cache list -R $REPO -B ${REF} -L 100 | cut -f 1 )
+          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )

          ## Setting this to not fail the workflow while deleting cache keys.
          set +e
          echo "Deleting caches..."
          for cacheKey in $cacheKeysForPR
          do
-              gh actions-cache delete $cacheKey -R "$REPO" -B "${REF}" --confirm
+              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
          done
          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -6,6 +6,7 @@ on:
      - 'cli/**'
      - '.github/workflows/cli.yml'
  pull_request:
+    branches: [main]
    paths:
      - 'cli/**'
      - '.github/workflows/cli.yml'
@@ -16,25 +17,21 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
+permissions:
+  packages: write

 jobs:
  publish:
    name: CLI Publish
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./cli

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
+      - uses: actions/checkout@v4
      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - uses: actions/setup-node@v4
        with:
          node-version-file: './cli/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
@@ -52,25 +49,20 @@ jobs:
  docker:
    name: Docker
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
    needs: publish

    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.6.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@v3.10.0

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        uses: docker/login-action@v3
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          registry: ghcr.io
@@ -85,7 +77,7 @@ jobs:

      - name: Generate docker image tags
        id: metadata
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+        uses: docker/metadata-action@v5
        with:
          flavor: |
            latest=false
@@ -96,7 +88,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      - name: Build and push image
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@v6.15.0
        with:
          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,14 +9,14 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: 'CodeQL'
+name: "CodeQL"

 on:
  push:
-    branches: ['main']
+    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
-    branches: ['main']
+    branches: [ "main" ]
  schedule:
    - cron: '20 13 * * 1'

@@ -24,8 +24,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  analyze:
    name: Analyze
@@ -38,44 +36,43 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language: ['javascript', 'python']
+        language: [ 'javascript', 'python' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+    - name: Checkout repository
+      uses: actions/checkout@v4

-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3
-        with:
-          languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.

-          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # queries: security-extended,security-and-quality
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality

-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3

-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3

-      #   If the Autobuild fails above, remove it and uncomment the following three lines.
-      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

-      # - run: |
-      #   echo "Run, Build Application using script"
-      #   ./location_of_script_within_repo/buildscript.sh
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3
-        with:
-          category: '/language:${{matrix.language}}'
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,23 +12,20 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
+permissions:
+  packages: write

 jobs:
  pre-job:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    outputs:
      should_run_server: ${{ steps.found_paths.outputs.server == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_ml: ${{ steps.found_paths.outputs.machine-learning == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@v3
        with:
          filters: |
            server:
@@ -40,8 +37,6 @@ jobs:
              - 'machine-learning/**'
            workflow:
              - '.github/workflows/docker.yml'
-              - '.github/workflows/multi-runner-build.yml'
-              - '.github/actions/image-build'

      - name: Check if we should force jobs to run
        id: should_force
@@ -50,130 +45,397 @@ jobs:
  retag_ml:
    name: Re-Tag ML
    needs: pre-job
-    permissions:
-      contents: read
-      packages: write
    if: ${{ needs.pre-job.outputs.should_run_ml == 'false' && !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        suffix: ['', '-cuda', '-rocm', '-openvino', '-armnn', '-rknn']
+        suffix: ["", "-cuda", "-openvino", "-armnn","-rknn"]
    steps:
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Re-tag image
-        env:
-          REGISTRY_NAME: 'ghcr.io'
-          REPOSITORY: ${{ github.repository_owner }}/immich-machine-learning
-          TAG_OLD: main${{ matrix.suffix }}
-          TAG_PR: ${{ github.event.number == 0 && github.ref_name || format('pr-{0}', github.event.number) }}${{ matrix.suffix }}
-          TAG_COMMIT: commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
-        run: |
-          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_PR}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"
-          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_COMMIT}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"
+        - name: Login to GitHub Container Registry
+          uses: docker/login-action@v3
+          with:
+            registry: ghcr.io
+            username: ${{ github.repository_owner }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+        - name: Re-tag image
+          run: |
+              REGISTRY_NAME="ghcr.io"
+              REPOSITORY=${{ github.repository_owner }}/immich-machine-learning
+              TAG_OLD=main${{ matrix.suffix }}
+              TAG_PR=${{ github.event.number == 0 && github.ref_name ||  format('pr-{0}', github.event.number)  }}${{ matrix.suffix }}
+              TAG_COMMIT=commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
+              docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_PR $REGISTRY_NAME/$REPOSITORY:$TAG_OLD
+              docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_COMMIT $REGISTRY_NAME/$REPOSITORY:$TAG_OLD

  retag_server:
    name: Re-Tag Server
    needs: pre-job
-    permissions:
-      contents: read
-      packages: write
    if: ${{ needs.pre-job.outputs.should_run_server == 'false' && !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        suffix: ['']
+        suffix: [""]
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Re-tag image
-        env:
-          REGISTRY_NAME: 'ghcr.io'
-          REPOSITORY: ${{ github.repository_owner }}/immich-server
-          TAG_OLD: main${{ matrix.suffix }}
-          TAG_PR: ${{ github.event.number == 0 && github.ref_name || format('pr-{0}', github.event.number) }}${{ matrix.suffix }}
-          TAG_COMMIT: commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
        run: |
-          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_PR}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"
-          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_COMMIT}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"
+          REGISTRY_NAME="ghcr.io"
+          REPOSITORY=${{ github.repository_owner }}/immich-server
+          TAG_OLD=main${{ matrix.suffix }}
+          TAG_PR=${{ github.event.number == 0 && github.ref_name ||  format('pr-{0}', github.event.number)  }}${{ matrix.suffix }}
+          TAG_COMMIT=commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
+          docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_PR $REGISTRY_NAME/$REPOSITORY:$TAG_OLD
+          docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_COMMIT $REGISTRY_NAME/$REPOSITORY:$TAG_OLD

-  machine-learning:
+  build_and_push_ml:
    name: Build and Push ML
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_ml == 'true' }}
+    runs-on: ${{ matrix.runner }}
+    env:
+      image: immich-machine-learning
+      context: machine-learning
+      file: machine-learning/Dockerfile
+      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-machine-learning
+    strategy:
+      # Prevent a failure in one image from stopping the other builds
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            device: cpu
+
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            device: cpu
+
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            device: cuda
+            suffix: -cuda
+
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            device: openvino
+            suffix: -openvino
+
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            device: armnn
+            suffix: -armnn
+          - platforms: linux/arm64
+            device: rknn
+            suffix: -rknn
+
+    steps:
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.10.0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate cache key suffix
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "CACHE_KEY_SUFFIX=pr-${{ github.event.number }}" >> $GITHUB_ENV
+          else
+            echo "CACHE_KEY_SUFFIX=$(echo ${{ github.ref_name }} | sed 's/[^a-zA-Z0-9]/-/g')" >> $GITHUB_ENV
+          fi
+
+      - name: Generate cache target
+        id: cache-target
+        run: |
+          if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            # Essentially just ignore the cache output (forks can't write to registry cache)
+            echo "cache-to=type=local,dest=/tmp/discard,ignore-error=true" >> $GITHUB_OUTPUT
+          else
+            echo "cache-to=type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-${{ env.CACHE_KEY_SUFFIX }},mode=max,compression=zstd" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build and push image
+        id: build
+        uses: docker/build-push-action@v6.15.0
+        with:
+          context: ${{ env.context }}
+          file: ${{ env.file }}
+          platforms: ${{ matrix.platforms }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-to: ${{ steps.cache-target.outputs.cache-to }}
+          cache-from: |
+            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-${{ env.CACHE_KEY_SUFFIX }}
+            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-main
+          outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=${{ !github.event.pull_request.head.repo.fork }}
+          build-args: |
+            DEVICE=${{ matrix.device }}
+            BUILD_ID=${{ github.run_id }}
+            BUILD_IMAGE=${{ github.event_name == 'release' && github.ref_name || steps.metadata.outputs.tags }}
+            BUILD_SOURCE_REF=${{ github.ref_name }}
+            BUILD_SOURCE_COMMIT=${{ github.sha }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: ml-digests-${{ matrix.device }}-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge_ml:
+    name: Merge & Push ML
+    runs-on: ubuntu-latest
+    if: ${{ needs.pre-job.outputs.should_run_ml == 'true' && !github.event.pull_request.head.repo.fork }}
+    env:
+      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-machine-learning
+      DOCKER_REPO: altran1502/immich-machine-learning
+    strategy:
+      matrix:
+        include:
+          - device: cpu
+          - device: cuda
+            suffix: -cuda
+          - device: openvino
+            suffix: -openvino
+          - device: armnn
+            suffix: -armnn
+    needs:
+      - build_and_push_ml
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: ml-digests-${{ matrix.device }}-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        if: ${{ github.event_name == 'release' }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Generate docker image tags
+        id: meta
+        uses: docker/metadata-action@v5
+        env:
+          DOCKER_METADATA_PR_HEAD_SHA: "true"
+        with:
+          flavor: |
+            # Disable latest tag
+            latest=false
+            suffix=${{ matrix.suffix }}
+          images: |
+            name=${{ env.GHCR_REPO }}
+            name=${{ env.DOCKER_REPO }},enable=${{ github.event_name == 'release' }}
+          tags: |
+            # Tag with branch name
+            type=ref,event=branch
+            # Tag with pr-number
+            type=ref,event=pr
+            # Tag with long commit sha hash
+            type=sha,format=long,prefix=commit-
+            # Tag with git tag on release
+            type=ref,event=tag
+            type=raw,value=release,enable=${{ github.event_name == 'release' }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
+
+  build_and_push_server:
+    name: Build and Push Server
+    runs-on: ${{ matrix.runner }}
+    needs: pre-job
+    if: ${{ needs.pre-job.outputs.should_run_server == 'true' }}
+    env:
+      image: immich-server
+      context: .
+      file: server/Dockerfile
+      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-server
    strategy:
      fail-fast: false
      matrix:
        include:
-          - device: cpu
-            tag-suffix: ''
-          - device: cuda
-            tag-suffix: '-cuda'
-            platforms: linux/amd64
-          - device: openvino
-            tag-suffix: '-openvino'
-            platforms: linux/amd64
-          - device: armnn
-            tag-suffix: '-armnn'
-            platforms: linux/arm64
-          - device: rknn
-            tag-suffix: '-rknn'
-            platforms: linux/arm64
-          - device: rocm
-            tag-suffix: '-rocm'
-            platforms: linux/amd64
-            runner-mapping: '{"linux/amd64": "mich"}'
-    uses: ./.github/workflows/multi-runner-build.yml
-    permissions:
-      contents: read
-      actions: read
-      packages: write
-    secrets:
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-    with:
-      image: immich-machine-learning
-      context: machine-learning
-      dockerfile: machine-learning/Dockerfile
-      platforms: ${{ matrix.platforms }}
-      runner-mapping: ${{ matrix.runner-mapping }}
-      tag-suffix: ${{ matrix.tag-suffix }}
-      dockerhub-push: ${{ github.event_name == 'release' }}
-      build-args: |
-        DEVICE=${{ matrix.device }}
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    steps:
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

-  server:
-    name: Build and Push Server
-    needs: pre-job
-    if: ${{ needs.pre-job.outputs.should_run_server == 'true' }}
-    uses: ./.github/workflows/multi-runner-build.yml
-    permissions:
-      contents: read
-      actions: read
-      packages: write
-    secrets:
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-    with:
-      image: immich-server
-      context: .
-      dockerfile: server/Dockerfile
-      dockerhub-push: ${{ github.event_name == 'release' }}
-      build-args: |
-        DEVICE=cpu
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate cache key suffix
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "CACHE_KEY_SUFFIX=pr-${{ github.event.number }}" >> $GITHUB_ENV
+          else
+            echo "CACHE_KEY_SUFFIX=$(echo ${{ github.ref_name }} | sed 's/[^a-zA-Z0-9]/-/g')" >> $GITHUB_ENV
+          fi
+
+      - name: Generate cache target
+        id: cache-target
+        run: |
+          if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            # Essentially just ignore the cache output (forks can't write to registry cache)
+            echo "cache-to=type=local,dest=/tmp/discard,ignore-error=true" >> $GITHUB_OUTPUT
+          else
+            echo "cache-to=type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-${{ env.CACHE_KEY_SUFFIX }},mode=max,compression=zstd" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build and push image
+        id: build
+        uses: docker/build-push-action@v6.15.0
+        with:
+          context: ${{ env.context }}
+          file: ${{ env.file }}
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-to: ${{ steps.cache-target.outputs.cache-to }}
+          cache-from: |
+            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ env.CACHE_KEY_SUFFIX }}
+            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-main
+          outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=${{ !github.event.pull_request.head.repo.fork }}
+          build-args: |
+            DEVICE=cpu
+            BUILD_ID=${{ github.run_id }}
+            BUILD_IMAGE=${{ github.event_name == 'release' && github.ref_name || steps.metadata.outputs.tags }}
+            BUILD_SOURCE_REF=${{ github.ref_name }}
+            BUILD_SOURCE_COMMIT=${{ github.sha }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: server-digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge_server:
+    name: Merge & Push Server
+    runs-on: ubuntu-latest
+    if: ${{ needs.pre-job.outputs.should_run_server == 'true' && !github.event.pull_request.head.repo.fork }}
+    env:
+      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-server
+      DOCKER_REPO: altran1502/immich-server
+    needs:
+      - build_and_push_server
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: server-digests-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        if: ${{ github.event_name == 'release' }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Generate docker image tags
+        id: meta
+        uses: docker/metadata-action@v5
+        env:
+          DOCKER_METADATA_PR_HEAD_SHA: "true"
+        with:
+          flavor: |
+            # Disable latest tag
+            latest=false
+            suffix=${{ matrix.suffix }}
+          images: |
+            name=${{ env.GHCR_REPO }}
+            name=${{ env.DOCKER_REPO }},enable=${{ github.event_name == 'release' }}
+          tags: |
+            # Tag with branch name
+            type=ref,event=branch
+            # Tag with pr-number
+            type=ref,event=pr
+            # Tag with long commit sha hash
+            type=sha,format=long,prefix=commit-
+            # Tag with git tag on release
+            type=ref,event=tag
+            type=raw,value=release,enable=${{ github.event_name == 'release' }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)

  success-check-server:
    name: Docker Build & Push Server Success
-    needs: [server, retag_server]
-    permissions: {}
+    needs: [merge_server, retag_server]
    runs-on: ubuntu-latest
    if: always()
    steps:
@@ -182,13 +444,11 @@ jobs:
        run: exit 1
      - name: All jobs passed or skipped
        if: ${{ !(contains(needs.*.result, 'failure')) }}
-        # zizmor: ignore[template-injection]
        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"

  success-check-ml:
    name: Docker Build & Push ML Success
-    needs: [machine-learning, retag_ml]
-    permissions: {}
+    needs: [merge_ml, retag_ml]
    runs-on: ubuntu-latest
    if: always()
    steps:
@@ -197,5 +457,4 @@ jobs:
        run: exit 1
      - name: All jobs passed or skipped
        if: ${{ !(contains(needs.*.result, 'failure')) }}
-        # zizmor: ignore[template-injection]
-        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
+        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -3,6 +3,7 @@ on:
  push:
    branches: [main]
  pull_request:
+    branches: [main]
  release:
    types: [published]

@@ -10,22 +11,16 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  pre-job:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.docs == 'true' ||  steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@v3
        with:
          filters: |
            docs:
@@ -39,8 +34,6 @@ jobs:
  build:
    name: Docs Build
    needs: pre-job
-    permissions:
-      contents: read
    if: ${{ needs.pre-job.outputs.should_run == 'true' }}
    runs-on: ubuntu-latest
    defaults:
@@ -49,12 +42,10 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './docs/.nvmrc'

@@ -68,9 +59,8 @@ jobs:
        run: npm run build

      - name: Upload build output
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@v4
        with:
          name: docs-build-output
          path: docs/build/
-          include-hidden-files: true
          retention-days: 1
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -1,7 +1,7 @@
 name: Docs deploy
 on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
-    workflows: ['Docs build']
+  workflow_run:
+    workflows: ["Docs build"]
    types:
      - completed

@@ -9,9 +9,6 @@ jobs:
  checks:
    name: Docs Deploy Checks
    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      pull-requests: read
    outputs:
      parameters: ${{ steps.parameters.outputs.result }}
      artifact: ${{ steps.get-artifact.outputs.result }}
@@ -20,7 +17,7 @@ jobs:
        run: echo 'The triggering workflow did not succeed' && exit 1
      - name: Get artifact
        id: get-artifact
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@v7
        with:
          script: |
            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -38,9 +35,7 @@ jobs:
            return { found: true, id: matchArtifact.id };
      - name: Determine deploy parameters
        id: parameters
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
-        env:
-          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        uses: actions/github-script@v7
        with:
          script: |
            const eventType = context.payload.workflow_run.event;
@@ -62,8 +57,7 @@ jobs:
            } else if (eventType == "pull_request") {
              let pull_number = context.payload.workflow_run.pull_requests[0]?.number;
              if(!pull_number) {
-                const {HEAD_SHA} = process.env;
-                const response = await github.rest.search.issuesAndPullRequests({q: `repo:${{ github.repository }} is:pr sha:${HEAD_SHA}`,per_page: 1,})
+                const response = await github.rest.search.issuesAndPullRequests({q: 'repo:${{ github.repository }} is:pr sha:${{ github.event.workflow_run.head_sha }}',per_page: 1,})
                const items = response.data.items
                if (items.length < 1) {
                  throw new Error("No pull request found for the commit")
@@ -101,36 +95,30 @@ jobs:
    name: Docs Deploy
    runs-on: ubuntu-latest
    needs: checks
-    permissions:
-      contents: read
-      actions: read
-      pull-requests: write
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Load parameters
        id: parameters
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
-        env:
-          PARAM_JSON: ${{ needs.checks.outputs.parameters }}
+        uses: actions/github-script@v7
        with:
          script: |
-            const parameters = JSON.parse(process.env.PARAM_JSON);
+            const json = `${{ needs.checks.outputs.parameters }}`;
+            const parameters = JSON.parse(json);
            core.setOutput("event", parameters.event);
            core.setOutput("name", parameters.name);
            core.setOutput("shouldDeploy", parameters.shouldDeploy);

+      - run: |
+          echo "Starting docs deployment for ${{ steps.parameters.outputs.event }} ${{ steps.parameters.outputs.name }}"
+
      - name: Download artifact
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
-        env:
-          ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
+        uses: actions/github-script@v7
        with:
          script: |
-            let artifact = JSON.parse(process.env.ARTIFACT_JSON);
+            let artifact = ${{ needs.checks.outputs.artifact }};
            let download = await github.rest.actions.downloadArtifact({
               owner: context.repo.owner,
               repo: context.repo.repo,
@@ -150,12 +138,12 @@ jobs:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@v2
        with:
-          tg_version: '0.58.12'
-          tofu_version: '1.7.1'
-          tg_dir: 'deployment/modules/cloudflare/docs'
-          tg_command: 'apply'
+          tg_version: "0.58.12"
+          tofu_version: "1.7.1"
+          tg_dir: "deployment/modules/cloudflare/docs"
+          tg_command: "apply"

      - name: Deploy Docs Subdomain Output
        id: docs-output
@@ -165,29 +153,27 @@ jobs:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@v2
        with:
-          tg_version: '0.58.12'
-          tofu_version: '1.7.1'
-          tg_dir: 'deployment/modules/cloudflare/docs'
-          tg_command: 'output -json'
+          tg_version: "0.58.12"
+          tofu_version: "1.7.1"
+          tg_dir: "deployment/modules/cloudflare/docs"
+          tg_command: "output -json"

      - name: Output Cleaning
        id: clean
-        env:
-          TG_OUTPUT: ${{ steps.docs-output.outputs.tg_action_output }}
        run: |
-          CLEANED=$(echo "$TG_OUTPUT" | sed 's|%0A|\n|g ; s|%3C|<|g' | jq -c .)
-          echo "output=$CLEANED" >> $GITHUB_OUTPUT
+          TG_OUT=$(echo '${{ steps.docs-output.outputs.tg_action_output }}' | sed 's|%0A|\n|g ; s|%3C|<|g' | jq -c .)
+          echo "output=$TG_OUT" >> $GITHUB_OUTPUT

      - name: Publish to Cloudflare Pages
-        uses: cloudflare/pages-action@f0a1cd58cd66095dee69bfa18fa5efd1dde93bca # v1
+        uses: cloudflare/pages-action@v1
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          projectName: ${{ fromJson(steps.clean.outputs.output).pages_project_name.value }}
-          workingDirectory: 'docs'
-          directory: 'build'
+          workingDirectory: "docs"
+          directory: "build"
          branch: ${{ steps.parameters.outputs.name }}
          wranglerVersion: '3'

@@ -198,7 +184,7 @@ jobs:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@v2
        with:
          tg_version: '0.58.12'
          tofu_version: '1.7.1'
@@ -206,7 +192,7 @@ jobs:
          tg_command: 'apply'

      - name: Comment
-        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3
+        uses: actions-cool/maintain-one-comment@v3
        if: ${{ steps.parameters.outputs.event == 'pr' }}
        with:
          number: ${{ fromJson(needs.checks.outputs.parameters).pr_number }}
--- a/.github/workflows/docs-destroy.yml
+++ b/.github/workflows/docs-destroy.yml
@@ -1,39 +1,32 @@
 name: Docs destroy
 on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
+  pull_request_target:
    types: [closed]

-permissions: {}
-
 jobs:
  deploy:
    name: Docs Destroy
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Destroy Docs Subdomain
        env:
-          TF_VAR_prefix_name: 'pr-${{ github.event.number }}'
-          TF_VAR_prefix_event_type: 'pr'
+          TF_VAR_prefix_name: "pr-${{ github.event.number }}"
+          TF_VAR_prefix_event_type: "pr"
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@v2
        with:
-          tg_version: '0.58.12'
-          tofu_version: '1.7.1'
-          tg_dir: 'deployment/modules/cloudflare/docs'
-          tg_command: 'destroy -refresh=false'
+          tg_version: "0.58.12"
+          tofu_version: "1.7.1"
+          tg_dir: "deployment/modules/cloudflare/docs"
+          tg_command: "destroy -refresh=false"

      - name: Comment
-        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3
+        uses: actions-cool/maintain-one-comment@v3
        with:
          number: ${{ github.event.number }}
          delete: true
--- a/.github/workflows/fix-format.yml
+++ b/.github/workflows/fix-format.yml
@@ -4,32 +4,28 @@ on:
  pull_request:
    types: [labeled]

-permissions: {}
-
 jobs:
  fix-formatting:
    runs-on: ubuntu-latest
    if: ${{ github.event.label.name == 'fix:formatting' }}
    permissions:
-      contents: write
      pull-requests: write
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
+        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: 'Checkout'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.generate-token.outputs.token }}
-          persist-credentials: true

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './server/.nvmrc'

@@ -37,13 +33,13 @@ jobs:
        run: make install-all && make format-all

      - name: Commit and push
-        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+        uses: EndBug/add-and-commit@v9
        with:
          default_author: github_actions
          message: 'chore: fix formatting'

      - name: Remove label
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@v7
        if: always()
        with:
          script: |
@@ -53,3 +49,4 @@ jobs:
              repo: context.repo.repo,
              name: 'fix:formatting'
            })
+
--- a/.github/workflows/multi-runner-build.yml
+++ b/.github/workflows/multi-runner-build.yml
@@ -1,185 +0,0 @@
-name: 'Multi-runner container image build'
-on:
-  workflow_call:
-    inputs:
-      image:
-        description: 'Name of the image'
-        type: string
-        required: true
-      context:
-        description: 'Path to build context'
-        type: string
-        required: true
-      dockerfile:
-        description: 'Path to Dockerfile'
-        type: string
-        required: true
-      tag-suffix:
-        description: 'Suffix to append to the image tag'
-        type: string
-        default: ''
-      dockerhub-push:
-        description: 'Push to Docker Hub'
-        type: boolean
-        default: false
-      build-args:
-        description: 'Docker build arguments'
-        type: string
-        required: false
-      platforms:
-        description: 'Platforms to build for'
-        type: string
-      runner-mapping:
-        description: 'Mapping from platforms to runners'
-        type: string
-    secrets:
-      DOCKERHUB_USERNAME:
-        required: false
-      DOCKERHUB_TOKEN:
-        required: false
-
-env:
-  GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ inputs.image }}
-  DOCKERHUB_IMAGE: altran1502/${{ inputs.image }}
-
-jobs:
-  matrix:
-    name: 'Generate matrix'
-    runs-on: ubuntu-latest
-    outputs:
-      matrix: ${{ steps.matrix.outputs.matrix }}
-      key: ${{ steps.artifact-key.outputs.base }}
-    steps:
-      - name: Generate build matrix
-        id: matrix
-        shell: bash
-        env:
-          PLATFORMS: ${{ inputs.platforms || 'linux/amd64,linux/arm64' }}
-          RUNNER_MAPPING: ${{ inputs.runner-mapping || '{"linux/amd64":"ubuntu-latest","linux/arm64":"ubuntu-24.04-arm"}' }}
-        run: |
-          matrix=$(jq -R -c \
-            --argjson runner_mapping "${RUNNER_MAPPING}" \
-            'split(",") | map({platform: ., runner: $runner_mapping[.]})' \
-            <<< "${PLATFORMS}")
-          echo "${matrix}"
-          echo "matrix=${matrix}" >> $GITHUB_OUTPUT
-
-      - name: Determine artifact key
-        id: artifact-key
-        shell: bash
-        env:
-          IMAGE: ${{ inputs.image }}
-          SUFFIX: ${{ inputs.tag-suffix }}
-        run: |
-          if [[ -n "${SUFFIX}" ]]; then
-              base="${IMAGE}${SUFFIX}-digests"
-          else
-              base="${IMAGE}-digests"
-          fi
-          echo "${base}"
-          echo "base=${base}" >> $GITHUB_OUTPUT
-
-  build:
-    needs: matrix
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      fail-fast: false
-      matrix:
-        include: ${{ fromJson(needs.matrix.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      - uses: ./.github/actions/image-build
-        with:
-          context: ${{ inputs.context }}
-          dockerfile: ${{ inputs.dockerfile }}
-          image: ${{ env.GHCR_IMAGE }}
-          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
-          platform: ${{ matrix.platform }}
-          artifact-key-base: ${{ needs.matrix.outputs.key }}
-          build-args: ${{ inputs.build-args }}
-
-  merge:
-    needs: [matrix, build]
-    runs-on: ubuntu-latest
-    if: ${{ !github.event.pull_request.head.repo.fork }}
-    permissions:
-      contents: read
-      actions: read
-      packages: write
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
-        with:
-          path: ${{ runner.temp }}/digests
-          pattern: ${{ needs.matrix.outputs.key }}-*
-          merge-multiple: true
-
-      - name: Login to Docker Hub
-        if: ${{ inputs.dockerhub-push }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GHCR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
-
-      - name: Generate docker image tags
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
-        env:
-          DOCKER_METADATA_PR_HEAD_SHA: 'true'
-        with:
-          flavor: |
-            # Disable latest tag
-            latest=false
-            suffix=${{ inputs.tag-suffix }}
-          images: |
-            name=${{ env.GHCR_IMAGE }}
-            name=${{ env.DOCKERHUB_IMAGE }},enable=${{ inputs.dockerhub-push }}
-          tags: |
-            # Tag with branch name
-            type=ref,event=branch
-            # Tag with pr-number
-            type=ref,event=pr
-            # Tag with long commit sha hash
-            type=sha,format=long,prefix=commit-
-            # Tag with git tag on release
-            type=ref,event=tag
-            type=raw,value=release,enable=${{ github.event_name == 'release' }}
-
-      - name: Create manifest list and push
-        working-directory: ${{ runner.temp }}/digests
-        run: |
-          # Process annotations
-          declare -a ANNOTATIONS=()
-          if [[ -n "$DOCKER_METADATA_OUTPUT_JSON" ]]; then
-            while IFS= read -r annotation; do
-              # Extract key and value by removing the manifest: prefix
-              if [[ "$annotation" =~ ^manifest:(.+)=(.+)$ ]]; then
-                key="${BASH_REMATCH[1]}"
-                value="${BASH_REMATCH[2]}"
-                # Use array to properly handle arguments with spaces
-                ANNOTATIONS+=(--annotation "index:$key=$value")
-              fi
-            done < <(jq -r '.annotations[]' <<< "$DOCKER_METADATA_OUTPUT_JSON")
-          fi
-
-          TAGS=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-          SOURCE_ARGS=$(printf "${GHCR_IMAGE}@sha256:%s " *)
-
-          docker buildx imagetools create $TAGS "${ANNOTATIONS[@]}" $SOURCE_ARGS
--- a/.github/workflows/pr-label-validation.yml
+++ b/.github/workflows/pr-label-validation.yml
@@ -1,11 +1,9 @@
 name: PR Label Validation

 on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
+  pull_request_target:
    types: [opened, labeled, unlabeled, synchronize]

-permissions: {}
-
 jobs:
  validate-release-label:
    runs-on: ubuntu-latest
@@ -14,11 +12,11 @@ jobs:
      pull-requests: write
    steps:
      - name: Require PR to have a changelog label
-        uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5
+        uses: mheap/github-action-required-labels@v5
        with:
          mode: exactly
          count: 1
          use_regex: true
-          labels: 'changelog:.*'
+          labels: "changelog:.*"
          add_comment: true
-          message: 'Label error. Requires {{errorString}} {{count}} of: {{ provided }}. Found: {{ applied }}. A maintainer will add the required label.'
+          message: "Label error. Requires {{errorString}} {{count}} of: {{ provided }}. Found: {{ applied }}. A maintainer will add the required label."
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -1,8 +1,6 @@
-name: 'Pull Request Labeler'
+name: "Pull Request Labeler"
 on:
-  - pull_request_target # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
-
-permissions: {}
+- pull_request_target

 jobs:
  labeler:
@@ -11,4 +9,4 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+    - uses: actions/labeler@v5
--- a/.github/workflows/pr-require-conventional-commit.yml
+++ b/.github/workflows/pr-require-conventional-commit.yml
@@ -4,16 +4,12 @@ on:
  pull_request:
    types: [opened, synchronize, reopened, edited]

-permissions: {}
-
 jobs:
  validate-pr-title:
    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
    steps:
      - name: PR Conventional Commit Validation
-        uses: ytanikin/PRConventionalCommits@b628c5a234cc32513014b7bfdd1e47b532124d98 # 1.3.0
+        uses:  ytanikin/PRConventionalCommits@1.3.0
        with:
          task_types: '["feat","fix","docs","test","ci","refactor","perf","chore","revert"]'
          add_label: 'false'
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -21,40 +21,35 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-root
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  bump_version:
    runs-on: ubuntu-latest
+
    outputs:
      ref: ${{ steps.push-tag.outputs.commit_long_sha }}
-    permissions: {} # No job-level permissions are needed because it uses the app-token
+
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
+        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
        with:
          token: ${{ steps.generate-token.outputs.token }}
-          persist-credentials: true

      - name: Install uv
-        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
+        uses: astral-sh/setup-uv@v5

      - name: Bump version
-        env:
-          SERVER_BUMP: ${{ inputs.serverBump }}
-          MOBILE_BUMP: ${{ inputs.mobileBump }}
-        run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}"
+        run: misc/release/pump-version.sh -s "${{ inputs.serverBump }}" -m "${{ inputs.mobileBump }}"

      - name: Commit and tag
        id: push-tag
-        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+        uses: EndBug/add-and-commit@v9
        with:
          default_author: github_actions
          message: 'chore: version ${{ env.IMMICH_VERSION }}'
@@ -64,47 +59,37 @@ jobs:
  build_mobile:
    uses: ./.github/workflows/build-mobile.yml
    needs: bump_version
-    permissions:
-      contents: read
-    secrets:
-      KEY_JKS: ${{ secrets.KEY_JKS }}
-      ALIAS: ${{ secrets.ALIAS }}
-      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
-      ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
+    secrets: inherit
    with:
      ref: ${{ needs.bump_version.outputs.ref }}

  prepare_release:
    runs-on: ubuntu-latest
    needs: build_mobile
-    permissions:
-      actions: read # To download the app artifact
-      # No content permissions are needed because it uses the app-token
+
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
+        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
        with:
          token: ${{ steps.generate-token.outputs.token }}
-          persist-credentials: false

      - name: Download APK
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        uses: actions/download-artifact@v4
        with:
          name: release-apk-signed

      - name: Create draft release
-        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2
+        uses: softprops/action-gh-release@v2
        with:
          draft: true
          tag_name: ${{ env.IMMICH_VERSION }}
-          token: ${{ steps.generate-token.outputs.token }}
          generate_release_notes: true
          body_path: misc/release/notes.tmpl
          files: |
--- a/.github/workflows/preview-label.yaml
+++ b/.github/workflows/preview-label.yaml
@@ -4,8 +4,6 @@ on:
  pull_request:
    types: [labeled, closed]

-permissions: {}
-
 jobs:
  comment-status:
    runs-on: ubuntu-latest
@@ -13,10 +11,10 @@ jobs:
    permissions:
      pull-requests: write
    steps:
-      - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
+      - uses: mshick/add-pr-comment@v2
        with:
-          message-id: 'preview-status'
-          message: 'Deploying preview environment to https://pr-${{ github.event.pull_request.number }}.preview.internal.immich.cloud/'
+          message-id: "preview-status"
+          message: "Deploying preview environment to https://pr-${{ github.event.pull_request.number }}.preview.internal.immich.cloud/"

  remove-label:
    runs-on: ubuntu-latest
@@ -24,7 +22,7 @@ jobs:
    permissions:
      pull-requests: write
    steps:
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+      - uses: actions/github-script@v7
        with:
          script: |
            github.rest.issues.removeLabel({
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -4,24 +4,20 @@ on:
  release:
    types: [published]

-permissions: {}
+permissions:
+  packages: write

 jobs:
  publish:
    name: Publish `@immich/sdk`
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./open-api/typescript-sdk
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
+      - uses: actions/checkout@v4
      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - uses: actions/setup-node@v4
        with:
          node-version-file: './open-api/typescript-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -9,22 +9,16 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  pre-job:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.mobile == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@v3
        with:
          filters: |
            mobile:
@@ -39,17 +33,15 @@ jobs:
    name: Run Dart Code Analysis
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run == 'true' }}
+
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
+
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2
+        uses: subosito/flutter-action@v2
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -58,16 +50,12 @@ jobs:
        run: dart pub get
        working-directory: ./mobile

-      - name: Generate translation file
-        run: make translation; dart format lib/generated/codegen_loader.g.dart
-        working-directory: ./mobile
-
      - name: Run Build Runner
        run: make build
        working-directory: ./mobile

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@v20
        id: verify-changed-files
        with:
          files: |
@@ -77,11 +65,9 @@ jobs:

      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
-        env:
-          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated files not up to date! Run make_build inside the mobile directory"
-          echo "Changed files: ${CHANGED_FILES}"
+          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
          exit 1

      - name: Run dart analyze
@@ -95,30 +81,3 @@ jobs:
      - name: Run dart custom_lint
        run: dart run custom_lint
        working-directory: ./mobile
-
-  zizmor:
-    name: zizmor
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      contents: read
-      actions: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
-
-      - name: Run zizmor 🌈
-        run: uvx zizmor --format=sarif . > results.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3
-        with:
-          sarif_file: results.sarif
-          category: zizmor
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,13 +9,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 jobs:
  pre-job:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    outputs:
      should_run_web: ${{ steps.found_paths.outputs.web == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_server: ${{ steps.found_paths.outputs.server == 'true' || steps.should_force.outputs.should_force == 'true' }}
@@ -25,15 +21,11 @@ jobs:
      should_run_ml: ${{ steps.found_paths.outputs.machine-learning == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_e2e_web: ${{ steps.found_paths.outputs.e2e == 'true' || steps.found_paths.outputs.web == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_e2e_server_cli: ${{ steps.found_paths.outputs.e2e == 'true' || steps.found_paths.outputs.server == 'true' || steps.found_paths.outputs.cli == 'true' || steps.should_force.outputs.should_force == 'true' }}
-      should_run_.github: ${{ steps.found_paths.outputs['.github'] == 'true' || steps.should_force.outputs.should_force == 'true' }} # redundant to have should_force but if someone changes the trigger then this won't have to be changed
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
+        uses: actions/checkout@v4
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@v3
        with:
          filters: |
            web:
@@ -53,8 +45,6 @@ jobs:
              - 'machine-learning/**'
            workflow:
              - '.github/workflows/test.yml'
-            .github:
-              - '.github/**'

      - name: Check if we should force jobs to run
        id: should_force
@@ -65,20 +55,16 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_server == 'true' }}
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./server

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './server/.nvmrc'

@@ -106,20 +92,16 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_cli == 'true' }}
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./cli

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './cli/.nvmrc'

@@ -151,20 +133,16 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_cli == 'true' }}
    runs-on: windows-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./cli

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './cli/.nvmrc'

@@ -184,25 +162,21 @@ jobs:
        run: npm run test:cov
        if: ${{ !cancelled() }}

-  web-lint:
-    name: Lint Web
+  web-unit-tests:
+    name: Test & Lint Web
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_web == 'true' }}
-    runs-on: mich
-    permissions:
-      contents: read
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./web

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './web/.nvmrc'

@@ -214,7 +188,7 @@ jobs:
        run: npm ci

      - name: Run linter
-        run: npm run lint:p
+        run: npm run lint
        if: ${{ !cancelled() }}

      - name: Run formatter
@@ -225,35 +199,6 @@ jobs:
        run: npm run check:svelte
        if: ${{ !cancelled() }}

-  web-unit-tests:
-    name: Test Web
-    needs: pre-job
-    if: ${{ needs.pre-job.outputs.should_run_web == 'true' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: ./web
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
-        with:
-          node-version-file: './web/.nvmrc'
-
-      - name: Run setup typescript-sdk
-        run: npm ci && npm run build
-        working-directory: ./open-api/typescript-sdk
-
-      - name: Run npm install
-        run: npm ci
-
      - name: Run tsc
        run: npm run check:typescript
        if: ${{ !cancelled() }}
@@ -267,20 +212,16 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_e2e == 'true' }}
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./e2e

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './e2e/.nvmrc'

@@ -310,20 +251,16 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_server == 'true' }}
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./server

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './server/.nvmrc'

@@ -338,25 +275,19 @@ jobs:
    name: End-to-End Tests (Server & CLI)
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_e2e_server_cli == 'true' }}
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
+    runs-on: mich
    defaults:
      run:
        working-directory: ./e2e
-    strategy:
-      matrix:
-        runner: [ubuntu-latest, ubuntu-24.04-arm]

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
        with:
-          persist-credentials: false
          submodules: 'recursive'

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './e2e/.nvmrc'

@@ -386,25 +317,19 @@ jobs:
    name: End-to-End Tests (Web)
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_e2e_web == 'true' }}
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
+    runs-on: mich
    defaults:
      run:
        working-directory: ./e2e
-    strategy:
-      matrix:
-        runner: [ubuntu-latest, ubuntu-24.04-arm]

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
        with:
-          persist-credentials: false
          submodules: 'recursive'

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './e2e/.nvmrc'

@@ -429,35 +354,15 @@ jobs:
        run: npx playwright test
        if: ${{ !cancelled() }}

-  success-check-e2e:
-    name: End-to-End Tests Success
-    needs: [e2e-tests-server-cli, e2e-tests-web]
-    permissions: {}
-    runs-on: ubuntu-latest
-    if: always()
-    steps:
-      - name: Any jobs failed?
-        if: ${{ contains(needs.*.result, 'failure') }}
-        run: exit 1
-      - name: All jobs passed or skipped
-        if: ${{ !(contains(needs.*.result, 'failure')) }}
-        # zizmor: ignore[template-injection]
-        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
-
  mobile-unit-tests:
    name: Unit Test Mobile
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_mobile == 'true' }}
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
+      - uses: actions/checkout@v4
      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2
+        uses: subosito/flutter-action@v2
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -470,19 +375,14 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_ml == 'true' }}
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    defaults:
      run:
        working-directory: ./machine-learning
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
+      - uses: actions/checkout@v4
      - name: Install uv
-        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: astral-sh/setup-uv@v5
+      - uses: actions/setup-python@v5
        # TODO: add caching when supported (https://github.com/actions/setup-python/pull/818)
        # with:
        #   python-version: 3.11
@@ -492,77 +392,39 @@ jobs:
          uv sync --extra cpu
      - name: Lint with ruff
        run: |
-          uv run ruff check --output-format=github immich_ml
+          uv run ruff check --output-format=github app export
      - name: Check black formatting
        run: |
-          uv run black --check immich_ml
+          uv run black --check app export
      - name: Run mypy type checking
        run: |
-          uv run mypy --strict immich_ml/
+          uv run mypy --strict app/
      - name: Run tests and coverage
        run: |
-          uv run pytest --cov=immich_ml --cov-report term-missing
-
-  github-files-formatting:
-    name: .github Files Formatting
-    needs: pre-job
-    if: ${{ needs.pre-job.outputs['should_run_.github'] == 'true' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: ./.github
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
-        with:
-          node-version-file: './.github/.nvmrc'
-
-      - name: Run npm install
-        run: npm ci
-
-      - name: Run formatter
-        run: npm run format
-        if: ${{ !cancelled() }}
+          uv run pytest app --cov=app --cov-report term-missing

  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
+      - uses: actions/checkout@v4
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@master
        with:
          ignore_paths: >-
            **/open-api/**
-            **/openapi**
+            **/openapi/**
            **/node_modules/**

  generated-api-up-to-date:
    name: OpenAPI Clients
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './server/.nvmrc'

@@ -576,7 +438,7 @@ jobs:
        run: make open-api

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@v20
        id: verify-changed-files
        with:
          files: |
@@ -586,21 +448,17 @@ jobs:

      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
-        env:
-          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated files not up to date!"
-          echo "Changed files: ${CHANGED_FILES}"
+          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
          exit 1

-  sql-schema-up-to-date:
-    name: SQL Schema Checks
+  generated-typeorm-migrations-up-to-date:
+    name: TypeORM Checks
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    services:
      postgres:
-        image: tensorchord/vchord-postgres:pg14-v0.3.0
+        image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
@@ -618,12 +476,10 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@v4
        with:
          node-version-file: './server/.nvmrc'

@@ -634,29 +490,27 @@ jobs:
        run: npm run build

      - name: Run existing migrations
-        run: npm run migrations:run
+        run: npm run typeorm:migrations:run

      - name: Test npm run schema:reset command works
-        run: npm run schema:reset
+        run: npm run typeorm:schema:reset

      - name: Generate new migrations
        continue-on-error: true
-        run: npm run migrations:generate src/TestMigration
+        run: npm run typeorm:migrations:generate ./src/migrations/TestMigration

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@v20
        id: verify-changed-files
        with:
          files: |
-            server/src
+            server/src/migrations/
      - name: Verify migration files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
-        env:
-          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated migration files not up to date!"
-          echo "Changed files: ${CHANGED_FILES}"
-          cat ./src/*-TestMigration.ts
+          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+          cat ./src/migrations/*-TestMigration.ts
          exit 1

      - name: Run SQL generation
@@ -665,7 +519,7 @@ jobs:
          DB_URL: postgres://postgres:postgres@localhost:5432/immich

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@v20
        id: verify-changed-sql-files
        with:
          files: |
@@ -673,11 +527,9 @@ jobs:

      - name: Verify SQL files have not changed
        if: steps.verify-changed-sql-files.outputs.files_changed == 'true'
-        env:
-          CHANGED_FILES: ${{ steps.verify-changed-sql-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated SQL files not up to date!"
-          echo "Changed files: ${CHANGED_FILES}"
+          echo "Changed files: ${{ steps.verify-changed-sql-files.outputs.changed_files }}"
          exit 1

  # mobile-integration-tests:
--- a/.github/workflows/weblate-lock.yml
+++ b/.github/workflows/weblate-lock.yml
@@ -4,32 +4,30 @@ on:
  pull_request:
    branches: [main]

-permissions: {}
-
 jobs:
  pre-job:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.i18n == 'true' && github.head_ref != 'chore/translations'}}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@v3
        with:
          filters: |
            i18n:
              - 'i18n/!(en)**\.json'
+      - name: Debug
+        run: |
+            echo "Should run: ${{ steps.found_paths.outputs.i18n == 'true' && github.head_ref != 'chore/translations'}}"
+            echo "Found i18n paths: ${{ steps.found_paths.outputs.i18n }}"
+            echo "Head ref: ${{ github.head_ref }}"

  enforce-lock:
    name: Check Weblate Lock
-    needs: [pre-job]
+    needs: [ pre-job ]
    runs-on: ubuntu-latest
-    permissions: {}
    if: ${{ needs.pre-job.outputs.should_run == 'true' }}
    steps:
      - name: Check weblate lock
@@ -38,7 +36,7 @@ jobs:
            exit 1
          fi
      - name: Find Pull Request
-        uses: juliangruber/find-pull-request-action@48b6133aa6c826f267ebd33aa2d29470f9d9e7d0 # v1
+        uses: juliangruber/find-pull-request-action@v1
        id: find-pr
        with:
          branch: chore/translations
@@ -47,9 +45,8 @@ jobs:
        run: exit 1
  success-check-lock:
    name: Weblate Lock Check Success
-    needs: [enforce-lock]
+    needs: [ enforce-lock ]
    runs-on: ubuntu-latest
-    permissions: {}
    if: always()
    steps:
      - name: Any jobs failed?
@@ -57,5 +54,4 @@ jobs:
        run: exit 1
      - name: All jobs passed or skipped
        if: ${{ !(contains(needs.*.result, 'failure')) }}
-        # zizmor: ignore[template-injection]
        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,63 +1,44 @@
 {
+  "editor.formatOnSave": true,
+  "[javascript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.tabSize": 2,
+    "editor.formatOnSave": true
+  },
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.tabSize": 2,
+    "editor.formatOnSave": true
+  },
  "[css]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true,
+    "editor.tabSize": 2,
+    "editor.formatOnSave": true
+  },
+  "[svelte]": {
+    "editor.defaultFormatter": "svelte.svelte-vscode",
    "editor.tabSize": 2
  },
+  "svelte.enable-ts-plugin": true,
+  "eslint.validate": [
+    "javascript",
+    "svelte"
+  ],
+  "typescript.preferences.importModuleSpecifier": "non-relative",
  "[dart]": {
-    "editor.defaultFormatter": "Dart-Code.dart-code",
    "editor.formatOnSave": true,
    "editor.selectionHighlight": false,
    "editor.suggest.snippetsPreventQuickSuggestions": false,
    "editor.suggestSelection": "first",
    "editor.tabCompletion": "onlySnippets",
-    "editor.wordBasedSuggestions": "off"
+    "editor.wordBasedSuggestions": "off",
+    "editor.defaultFormatter": "Dart-Code.dart-code"
  },
-  "[javascript]": {
-    "editor.codeActionsOnSave": {
-      "source.organizeImports": "explicit",
-      "source.removeUnusedImports": "explicit"
-    },
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true,
-    "editor.tabSize": 2
-  },
-  "[json]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true,
-    "editor.tabSize": 2
-  },
-  "[jsonc]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true,
-    "editor.tabSize": 2
-  },
-  "[svelte]": {
-    "editor.codeActionsOnSave": {
-      "source.organizeImports": "explicit",
-      "source.removeUnusedImports": "explicit"
-    },
-    "editor.defaultFormatter": "svelte.svelte-vscode",
-    "editor.formatOnSave": true,
-    "editor.tabSize": 2
-  },
-  "[typescript]": {
-    "editor.codeActionsOnSave": {
-      "source.organizeImports": "explicit",
-      "source.removeUnusedImports": "explicit"
-    },
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.formatOnSave": true,
-    "editor.tabSize": 2
-  },
-  "cSpell.words": ["immich"],
-  "editor.formatOnSave": true,
-  "eslint.validate": ["javascript", "svelte"],
+  "cSpell.words": [
+    "immich"
+  ],
  "explorer.fileNesting.enabled": true,
  "explorer.fileNesting.patterns": {
-    "*.dart": "${capture}.g.dart,${capture}.gr.dart,${capture}.drift.dart",
    "*.ts": "${capture}.spec.ts,${capture}.mock.ts"
-  },
-  "svelte.enable-ts-plugin": true,
-  "typescript.preferences.importModuleSpecifier": "non-relative"
-}
+  }
+}
--- a/13
+++ b/13
@@ -17,9 +17,6 @@ e2e:
 prod:
 	docker compose -f ./docker/docker-compose.prod.yml up --build -V --remove-orphans

-prod-down:
-	docker compose -f ./docker/docker-compose.prod.yml down --remove-orphans
-
 prod-scale:
 	docker compose -f ./docker/docker-compose.prod.yml up --build -V --scale immich-server=3 --scale immich-microservices=3 --remove-orphans

@@ -42,7 +39,7 @@ attach-server:
 renovate:
  LOG_LEVEL=debug npx renovate --platform=local --repository-cache=reset

-MODULES = e2e server web cli sdk docs .github
+MODULES = e2e server web cli sdk docs

 audit-%:
 	npm --prefix $(subst sdk,open-api/typescript-sdk,$*) audit fix
@@ -80,14 +77,14 @@ test-medium:
 test-medium-dev:
 	docker exec -it immich_server /bin/sh -c "npm run test:medium"

-build-all: $(foreach M,$(filter-out e2e .github,$(MODULES)),build-$M) ;
+build-all: $(foreach M,$(filter-out e2e,$(MODULES)),build-$M) ;
 install-all: $(foreach M,$(MODULES),install-$M) ;
-check-all: $(foreach M,$(filter-out sdk cli docs .github,$(MODULES)),check-$M) ;
-lint-all: $(foreach M,$(filter-out sdk docs .github,$(MODULES)),lint-$M) ;
+check-all: $(foreach M,$(filter-out sdk cli docs,$(MODULES)),check-$M) ;
+lint-all: $(foreach M,$(filter-out sdk docs,$(MODULES)),lint-$M) ;
 format-all: $(foreach M,$(filter-out sdk,$(MODULES)),format-$M) ;
 audit-all:  $(foreach M,$(MODULES),audit-$M) ;
 hygiene-all: lint-all format-all check-all sql audit-all;
-test-all: $(foreach M,$(filter-out sdk docs .github,$(MODULES)),test-$M) ;
+test-all: $(foreach M,$(filter-out sdk docs,$(MODULES)),test-$M) ;

 clean:
 	find . -name "node_modules" -type d -prune -exec rm -rf '{}' +
--- a/README.md
+++ b/README.md
@@ -61,7 +61,9 @@

 ## Demo

-Access the demo [here](https://demo.immich.app). For the mobile app, you can use `https://demo.immich.app` for the `Server Endpoint URL`.
+Access the demo [here](https://demo.immich.app). The demo is running on a Free-tier Oracle VM in Amsterdam with a 2.4Ghz quad-core ARM64 CPU and 24GB RAM.
+
+For the mobile app, you can use `https://demo.immich.app` for the `Server Endpoint URL`

 ### Login credentials

@@ -102,7 +104,7 @@ Access the demo [here](https://demo.immich.app). For the mobile app, you can use
 | Read-only gallery                            | Yes    | Yes |
 | Stacked Photos                               | Yes    | Yes |
 | Tags                                         | No     | Yes |
-| Folder View                                  | Yes    | Yes |
+| Folder View                                  | No     | Yes |

 ## Translations

--- a/cli/Dockerfile
+++ b/cli/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:22.15.0-alpine3.20@sha256:686b8892b69879ef5bfd6047589666933508f9a5451c67320df3070ba0e9807b AS core
+FROM node:22.14.0-alpine3.20@sha256:40be979442621049f40b1d51a26b55e281246b5de4e5f51a18da7beb6e17e3f9 AS core

 WORKDIR /usr/src/open-api/typescript-sdk
 COPY open-api/typescript-sdk/package*.json open-api/typescript-sdk/tsconfig*.json ./
--- a/cli/eslint.config.mjs
+++ b/cli/eslint.config.mjs
@@ -1,29 +1,39 @@
+import { FlatCompat } from '@eslint/eslintrc';
 import js from '@eslint/js';
-import eslintPluginPrettierRecommended from 'eslint-plugin-prettier/recommended';
-import eslintPluginUnicorn from 'eslint-plugin-unicorn';
+import typescriptEslint from '@typescript-eslint/eslint-plugin';
+import tsParser from '@typescript-eslint/parser';
 import globals from 'globals';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
-import typescriptEslint from 'typescript-eslint';

 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
+const compat = new FlatCompat({
+  baseDirectory: __dirname,
+  recommendedConfig: js.configs.recommended,
+  allConfig: js.configs.all,
+});

-export default typescriptEslint.config([
-  eslintPluginUnicorn.configs.recommended,
-  eslintPluginPrettierRecommended,
-  js.configs.recommended,
-  typescriptEslint.configs.recommended,
+export default [
  {
    ignores: ['eslint.config.mjs', 'dist'],
  },
+  ...compat.extends(
+    'plugin:@typescript-eslint/recommended',
+    'plugin:prettier/recommended',
+    'plugin:unicorn/recommended',
+  ),
  {
+    plugins: {
+      '@typescript-eslint': typescriptEslint,
+    },
+
    languageOptions: {
      globals: {
        ...globals.node,
      },

-      parser: typescriptEslint.parser,
+      parser: tsParser,
      ecmaVersion: 5,
      sourceType: 'module',

@@ -48,4 +58,4 @@ export default typescriptEslint.config([
      'object-shorthand': ['error', 'always'],
    },
  },
-]);
+];
--- a/cli/package-lock.json
+++ b/cli/package-lock.json
--- a/cli/package.json
+++ b/cli/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@immich/cli",
-  "version": "2.2.65",
+  "version": "2.2.53",
  "description": "Command Line Interface (CLI) for Immich",
  "type": "module",
  "exports": "./dist/index.js",
@@ -21,7 +21,9 @@
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^22.14.1",
+    "@types/node": "^22.13.9",
+    "@typescript-eslint/eslint-plugin": "^8.15.0",
+    "@typescript-eslint/parser": "^8.15.0",
    "@vitest/coverage-v8": "^3.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -29,13 +31,12 @@
    "eslint": "^9.14.0",
    "eslint-config-prettier": "^10.0.0",
    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-unicorn": "^57.0.0",
+    "eslint-plugin-unicorn": "^56.0.1",
    "globals": "^16.0.0",
    "mock-fs": "^5.2.0",
    "prettier": "^3.2.5",
    "prettier-plugin-organize-imports": "^4.0.0",
    "typescript": "^5.3.3",
-    "typescript-eslint": "^8.28.0",
    "vite": "^6.0.0",
    "vite-tsconfig-paths": "^5.0.0",
    "vitest": "^3.0.0",
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -95,12 +95,12 @@ services:
    image: immich-machine-learning-dev:latest
    # extends:
    #   file: hwaccel.ml.yml
-    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference
+    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl, rknn] for accelerated inference
    build:
      context: ../machine-learning
      dockerfile: Dockerfile
      args:
-        - DEVICE=cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference
+        - DEVICE=cpu # set to one of [armnn, cuda, openvino, openvino-wsl, rknn] for accelerated inference
    ports:
      - 3003:3003
    volumes:
@@ -116,13 +116,13 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:8-bookworm@sha256:4a9f847af90037d59b34cd4d4ad14c6e055f46540cf4ff757aaafb266060fa28
+    image: redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
    healthcheck:
      test: redis-cli ping || exit 1

  database:
    container_name: immich_postgres
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+    image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
    env_file:
      - .env
    environment:
@@ -134,6 +134,24 @@ services:
      - ${UPLOAD_LOCATION}/postgres:/var/lib/postgresql/data
    ports:
      - 5432:5432
+    healthcheck:
+      test: >-
+        pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1;
+        Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align
+        --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')";
+        echo "checksum failure count is $$Chksum";
+        [ "$$Chksum" = '0' ] || exit 1
+      interval: 5m
+      start_interval: 30s
+      start_period: 5m
+    command: >-
+      postgres
+      -c shared_preload_libraries=vectors.so
+      -c 'search_path="$$user", public, vectors'
+      -c logging_collector=on
+      -c max_wal_size=2GB
+      -c shared_buffers=512MB
+      -c wal_compression=on

  # set IMMICH_TELEMETRY_INCLUDE=all in .env to enable metrics
  # immich-prometheus:
--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -38,12 +38,12 @@ services:
    image: immich-machine-learning:latest
    # extends:
    #   file: hwaccel.ml.yml
-    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference
+    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl, rknn] for accelerated inference
    build:
      context: ../machine-learning
      dockerfile: Dockerfile
      args:
-        - DEVICE=cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference
+        - DEVICE=cpu # set to one of [armnn, cuda, openvino, openvino-wsl, rknn] for accelerated inference
    ports:
      - 3003:3003
    volumes:
@@ -56,14 +56,14 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:8-bookworm@sha256:4a9f847af90037d59b34cd4d4ad14c6e055f46540cf4ff757aaafb266060fa28
+    image: redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always

  database:
    container_name: immich_postgres
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+    image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
    env_file:
      - .env
    environment:
@@ -75,6 +75,14 @@ services:
      - ${UPLOAD_LOCATION}/postgres:/var/lib/postgresql/data
    ports:
      - 5432:5432
+    healthcheck:
+      test: >-
+        pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1; Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
+      interval: 5m
+      start_interval: 30s
+      start_period: 5m
+    command: >-
+      postgres -c shared_preload_libraries=vectors.so -c 'search_path="$$user", public, vectors' -c logging_collector=on -c max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on
    restart: always

  # set IMMICH_TELEMETRY_INCLUDE=all in .env to enable metrics
@@ -82,7 +90,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:e2b8aa62b64855956e3ec1e18b4f9387fb6203174a4471936f4662f437f04405
+    image: prom/prometheus@sha256:6927e0919a144aa7616fd0137d4816816d42f6b816de3af269ab065250859a62
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
@@ -94,7 +102,7 @@ services:
    command: [ './run.sh', '-disable-reporting' ]
    ports:
      - 3000:3000
-    image: grafana/grafana:11.6.1-ubuntu@sha256:6fc273288470ef499dd3c6b36aeade093170d4f608f864c5dd3a7fabeae77b50
+    image: grafana/grafana:11.5.2-ubuntu@sha256:8b5858c447e06fd7a89006b562ba7bba7c4d5813600c7982374c41852adefaeb
    volumes:
      - grafana-data:/var/lib/grafana

--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -33,12 +33,12 @@ services:

  immich-machine-learning:
    container_name: immich_machine_learning
-    # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
+    # For hardware acceleration, add one of -[armnn, cuda, openvino, rknn] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
-    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
@@ -49,14 +49,14 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:8-bookworm@sha256:4a9f847af90037d59b34cd4d4ad14c6e055f46540cf4ff757aaafb266060fa28
+    image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always

  database:
    container_name: immich_postgres
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
@@ -65,8 +65,14 @@ services:
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
-    # change ssd below to hdd if you are using a hard disk drive or other slow storage
-    command: postgres -c config_file=/etc/postgresql/postgresql.ssd.conf
+    healthcheck:
+      test: >-
+        pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1; Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
+      interval: 5m
+      start_interval: 30s
+      start_period: 5m
+    command: >-
+      postgres -c shared_preload_libraries=vectors.so -c 'search_path="$$user", public, vectors' -c logging_collector=on -c max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on
    restart: always

 volumes:
--- a/docker/example.env
+++ b/docker/example.env
@@ -2,8 +2,7 @@

 # The location where your uploaded files are stored
 UPLOAD_LOCATION=./library
-
-# The location where your database files are stored. Network shares are not supported for the database
+# The location where your database files are stored
 DB_DATA_LOCATION=./postgres

 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
--- a/docker/hwaccel.ml.yml
+++ b/docker/hwaccel.ml.yml
@@ -33,13 +33,6 @@ services:
              capabilities:
                - gpu

-  rocm:
-    group_add:
-      - video
-    devices:
-      - /dev/dri:/dev/dri
-      - /dev/kfd:/dev/kfd
-
  openvino:
    device_cgroup_rules:
      - 'c 189:* rmw'
--- a/docs/docs/FAQ.mdx
+++ b/docs/docs/FAQ.mdx
@@ -262,7 +262,7 @@ No, this is not supported. Only models listed in the [Hugging Face][huggingface]

 ### I want to be able to search in other languages besides English. How can I do that?

-You can change to a multilingual CLIP model. See [here](/docs/features/searching#clip-models) for instructions.
+You can change to a multilingual CLIP model. See [here](/docs/features/searching#clip-model) for instructions.

 ### Does Immich support Facial Recognition for videos?

--- a/docs/docs/administration/backup-and-restore.md
+++ b/docs/docs/administration/backup-and-restore.md
@@ -23,32 +23,23 @@ Refer to the official [postgres documentation](https://www.postgresql.org/docs/c
 It is not recommended to directly backup the `DB_DATA_LOCATION` folder. Doing so while the database is running can lead to a corrupted backup that cannot be restored.
 :::

-### Automatic Database Dumps
+### Automatic Database Backups

-:::warning
-The automatic database dumps can be used to restore the database in the event of damage to the Postgres database files.
-There is no monitoring for these dumps and you will not be notified if they are unsuccessful.
-:::
+For convenience, Immich will automatically create database backups by default. The backups are stored in `UPLOAD_LOCATION/backups`.  
+As mentioned above, you should make your own backup of these together with the asset folders as noted below.  
+You can adjust the schedule and amount of kept backups in the [admin settings](http://my.immich.app/admin/system-settings?isOpen=backup).  
+By default, Immich will keep the last 14 backups and create a new backup every day at 2:00 AM.

-:::caution
-The database dumps do **NOT** contain any pictures or videos, only metadata. They are only usable with a copy of the other files in `UPLOAD_LOCATION` as outlined below.
-:::
+#### Trigger Backup

-For disaster-recovery purposes, Immich will automatically create database dumps. The dumps are stored in `UPLOAD_LOCATION/backups`.
-Please be sure to make your own, independent backup of the database together with the asset folders as noted below.
-You can adjust the schedule and amount of kept database dumps in the [admin settings](http://my.immich.app/admin/system-settings?isOpen=backup).
-By default, Immich will keep the last 14 database dumps and create a new dump every day at 2:00 AM.
-
-#### Trigger Dump
-
-You are able to trigger a database dump in the [admin job status page](http://my.immich.app/admin/jobs-status).
-Visit the page, open the "Create job" modal from the top right, select "Create Database Dump" and click "Confirm".
-A job will run and trigger a dump, you can verify this worked correctly by checking the logs or the `backups/` folder.
-This dumps will count towards the last `X` dumps that will be kept based on your settings.
+You are able to trigger a backup in the [admin job status page](http://my.immich.app/admin/jobs-status).
+Visit the page, open the "Create job" modal from the top right, select "Backup Database" and click "Confirm".
+A job will run and trigger a backup, you can verify this worked correctly by checking the logs or the backup folder.
+This backup will count towards the last X backups that will be kept based on your settings.

 #### Restoring

-We hope to make restoring simpler in future versions, for now you can find the database dumps in the `UPLOAD_LOCATION/backups` folder on your host.
+We hope to make restoring simpler in future versions, for now you can find the backups in the `UPLOAD_LOCATION/backups` folder on your host.  
 Then please follow the steps in the following section for restoring the database.

 ### Manual Backup and Restore
--- a/docs/docs/administration/img/user-quota-size.webp
+++ b/docs/docs/administration/img/user-quota-size.webp
--- a/docs/docs/administration/postgres-standalone.md
+++ b/docs/docs/administration/postgres-standalone.md
@@ -10,12 +10,12 @@ Running with a pre-existing Postgres server can unlock powerful administrative f

 ## Prerequisites

-You must install VectorChord into your instance of Postgres using their [instructions][vchord-install]. After installation, add `shared_preload_libraries = 'vchord.so'` to your `postgresql.conf`. If you already have some `shared_preload_libraries` set, you can separate each extension with a comma. For example, `shared_preload_libraries = 'pg_stat_statements, vchord.so'`.
+You must install pgvecto.rs into your instance of Postgres using their [instructions][vectors-install]. After installation, add `shared_preload_libraries = 'vectors.so'` to your `postgresql.conf`. If you already have some `shared_preload_libraries` set, you can separate each extension with a comma. For example, `shared_preload_libraries = 'pg_stat_statements, vectors.so'`.

 :::note
-Immich is known to work with Postgres versions 14, 15, 16 and 17. Earlier versions are unsupported.
+Immich is known to work with Postgres versions 14, 15, and 16. Earlier versions are unsupported. Postgres 17 is nominally compatible, but pgvecto.rs does not have prebuilt images or packages for it as of writing.

-Make sure the installed version of VectorChord is compatible with your version of Immich. The current accepted range for VectorChord is `>= 0.3.0, < 0.4.0`.
+Make sure the installed version of pgvecto.rs is compatible with your version of Immich. The current accepted range for pgvecto.rs is `>= 0.2.0, < 0.4.0`.
 :::

 ## Specifying the connection URL
@@ -53,75 +53,16 @@ CREATE DATABASE <immichdatabasename>;
 \c <immichdatabasename>
 BEGIN;
 ALTER DATABASE <immichdatabasename> OWNER TO <immichdbusername>;
-CREATE EXTENSION vchord CASCADE;
+CREATE EXTENSION vectors;
 CREATE EXTENSION earthdistance CASCADE;
+ALTER DATABASE <immichdatabasename> SET search_path TO "$user", public, vectors;
+ALTER SCHEMA vectors OWNER TO <immichdbusername>;
 COMMIT;
 ```

-### Updating VectorChord
+### Updating pgvecto.rs

-When installing a new version of VectorChord, you will need to manually update the extension by connecting to the Immich database and running `ALTER EXTENSION vchord UPDATE;`.
-
-## Migrating to VectorChord
-
-VectorChord is the successor extension to pgvecto.rs, allowing for higher performance, lower memory usage and higher quality results for smart search and facial recognition.
-
-### Migrating from pgvecto.rs
-
-Support for pgvecto.rs will be dropped in a later release, hence we recommend all users currently using pgvecto.rs to migrate to VectorChord at their convenience. There are two primary approaches to do so.
-
-The easiest option is to have both extensions installed during the migration:
-
-1. Ensure you still have pgvecto.rs installed
-2. [Install VectorChord][vchord-install]
-3. Add `shared_preload_libraries= 'vchord.so, vectors.so'` to your `postgresql.conf`, making sure to include _both_ `vchord.so` and `vectors.so`. You may include other libraries here as well if needed
-4. If Immich does not have superuser permissions, run the SQL command `CREATE EXTENSION vchord CASCADE;` using psql or your choice of database client
-5. Start Immich and wait for the logs `Reindexed face_index` and `Reindexed clip_index` to be output
-6. Remove the `vectors.so` entry from the `shared_preload_libraries` setting
-7. Uninstall pgvecto.rs (e.g. `apt-get purge vectors-pg14` on Debian-based environments, replacing `pg14` as appropriate)
-
-If it is not possible to have both VectorChord and pgvector.s installed at the same time, you can perform the migration with more manual steps:
-
-1. While pgvecto.rs is still installed, run the following SQL command using psql or your choice of database client. Take note of the number outputted by this command as you will need it later
-
-```sql
-SELECT atttypmod as dimsize
-    FROM pg_attribute f
-    JOIN pg_class c ON c.oid = f.attrelid
-    WHERE c.relkind = 'r'::char
-    AND f.attnum > 0
-    AND c.relname = 'smart_search'::text
-    AND f.attname = 'embedding'::text;
-```
-
-2. Remove references to pgvecto.rs using the below SQL commands
-
-```sql
-DROP INDEX IF EXISTS clip_index;
-DROP INDEX IF EXISTS face_index;
-ALTER TABLE smart_search ALTER COLUMN embedding SET DATA TYPE real[];
-ALTER TABLE face_search ALTER COLUMN embedding SET DATA TYPE real[];
-```
-
-3. [Install VectorChord][vchord-install]
-4. Change the columns back to the appropriate vector types, replacing `<number>` with the number from step 1
-
-```sql
-CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
-ALTER TABLE smart_search ALTER COLUMN embedding SET DATA TYPE vector(<number>);
-ALTER TABLE face_search ALTER COLUMN embedding SET DATA TYPE vector(512);
-```
-
-5. Start Immich and let it create new indices using VectorChord
-
-### Migrating from pgvector
-
-1. Ensure you have at least 0.7.0 of pgvector installed. If it is below that, please upgrade it and run the SQL command `ALTER EXTENSION vector UPDATE;` using psql or your choice of database client
-2. Follow the Prerequisites to install VectorChord
-3. If Immich does not have superuser permissions, run the SQL command `CREATE EXTENSION vchord CASCADE;`
-4. Start Immich and let it create new indices using VectorChord
-
-Note that VectorChord itself uses pgvector types, so you should not uninstall pgvector after following these steps.
+When installing a new version of pgvecto.rs, you will need to manually update the extension by connecting to the Immich database and running `ALTER EXTENSION vectors UPDATE;`.

 ### Common errors

@@ -129,4 +70,4 @@ Note that VectorChord itself uses pgvector types, so you should not uninstall pg

 If you get the error `driverError: error: permission denied for view pg_vector_index_stat`, you can fix this by connecting to the Immich database and running `GRANT SELECT ON TABLE pg_vector_index_stat TO <immichdbusername>;`.

-[vchord-install]: https://docs.vectorchord.ai/vectorchord/getting-started/installation.html
+[vectors-install]: https://docs.vectorchord.ai/getting-started/installation.html
--- a/docs/docs/administration/reverse-proxy.md
+++ b/docs/docs/administration/reverse-proxy.md
@@ -22,7 +22,7 @@ server {
    client_max_body_size 50000M;

    # Set headers
-    proxy_set_header Host              $host;
+    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
--- a/docs/docs/administration/server-commands.md
+++ b/docs/docs/administration/server-commands.md
@@ -11,7 +11,6 @@ The `immich-server` docker image comes preinstalled with an administrative CLI (
 | `enable-oauth-login`     | Enable OAuth login                    |
 | `disable-oauth-login`    | Disable OAuth login                   |
 | `list-users`             | List Immich users                     |
-| `version`                | Print Immich version                  |

 ## How to run a command

@@ -81,10 +80,3 @@ immich-admin list-users
  }
 ]
 ```
-
-Print Immich Version
-
-```
-immich-admin version
-v1.129.0
-```
--- a/docs/docs/administration/user-management.mdx
+++ b/docs/docs/administration/user-management.mdx
@@ -31,7 +31,7 @@ Admin can send a welcome email if the Email option is set, you can learn here ho

 Admin can specify the storage quota for the user as the instance's admin; once the limit is reached, the user won't be able to upload to the instance anymore.

-In order to select a storage quota, click on the pencil icon and enter the storage quota in GiB. You can choose an unlimited quota by leaving it empty (default).
+In order to select a storage quota, click on the pencil icon and enter the storage quota in GiB. You can choose an unlimited quota using the value 0 (default).

 :::tip
 The system administrator can see the usage quota percentage of all users in Server Stats page.
--- a/docs/docs/developer/database-migrations.md
+++ b/docs/docs/developer/database-migrations.md
@@ -1,14 +1,14 @@
 # Database Migrations

-After making any changes in the `server/src/schema`, a database migration need to run in order to register the changes in the database. Follow the steps below to create a new migration.
+After making any changes in the `server/src/entities`, a database migration need to run in order to register the changes in the database. Follow the steps below to create a new migration.

 1. Run the command

 ```bash
-npm run migrations:generate <migration-name>
+npm run typeorm:migrations:generate <migration-name>
 ```

 2. Check if the migration file makes sense.
-3. Move the migration file to folder `./server/src/schema/migrations` in your code editor.
+3. Move the migration file to folder `./server/src/migrations` in your code editor.

 The server will automatically detect `*.ts` file changes and restart. Part of the server start-up process includes running any new migrations, so it will be applied immediately.
--- a/docs/docs/developer/setup.md
+++ b/docs/docs/developer/setup.md
@@ -63,13 +63,6 @@ If you only want to do web development connected to an existing, remote backend,
 IMMICH_SERVER_URL=https://demo.immich.app/ npm run dev
 ```

-If you're using PowerShell on Windows you may need to set the env var separately like so:
-
-```powershell
-$env:IMMICH_SERVER_URL = "https://demo.immich.app/"
-npm run dev
-```
-
 #### `@immich/ui`

 To see local changes to `@immich/ui` in Immich, do the following:
@@ -83,20 +76,9 @@ To see local changes to `@immich/ui` in Immich, do the following:

 ### Mobile app

-#### Setup
+The mobile app `(/mobile)` will required Flutter toolchain 3.13.x and FVM to be installed on your system.

-1. Setup Flutter toolchain using FVM.
-2. Run `flutter pub get` to install the dependencies.
-3. Run `make translation` to generate the translation file.
-4. Run `fvm flutter run` to start the app.
-
-#### Translation
-
-To add a new translation text, enter the key-value pair in the `i18n/en.json` in the root of the immich project. Then, from the `mobile/` directory, run
-
-```bash
-make translation
-```
+Please refer to the [Flutter's official documentation](https://flutter.dev/docs/get-started/install) for more information on setting up the toolchain on your machine.

 The mobile app asks you what backend to connect to. You can utilize the demo backend (https://demo.immich.app/) if you don't need to change server code or upload photos. Alternatively, you can run the server yourself per the instructions above.

--- a/docs/docs/features/command-line-interface.md
+++ b/docs/docs/features/command-line-interface.md
@@ -42,12 +42,6 @@ docker run -it -v "$(pwd)":/import:ro -e IMMICH_INSTANCE_URL=https://your-immich

 Please modify the `IMMICH_INSTANCE_URL` and `IMMICH_API_KEY` environment variables as suitable. You can also use a Docker env file to store your sensitive API key.

-This `docker run` command will directly run the command `immich` inside the container. You can directly append the desired parameters (see under "usage") to the commandline like this:
-
-```bash
-docker run -it -v "$(pwd)":/import:ro -e IMMICH_INSTANCE_URL=https://your-immich-instance/api -e IMMICH_API_KEY=your-api-key ghcr.io/immich-app/immich-cli:latest upload -a -c 5 --recursive directory/
-```
-
 ## Usage

 <details>
@@ -118,7 +112,7 @@ You begin by authenticating to your Immich server. For instance:
 immich login http://192.168.1.216:2283/api HFEJ38DNSDUEG
 ```

-This will store your credentials in a `auth.yml` file in the configuration directory which defaults to `~/.config/immich/`. The directory can be set with the `-d` option or the environment variable `IMMICH_CONFIG_DIR`. Please keep the file secure, either by performing the logout command after you are done, or deleting it manually.
+This will store your credentials in a `auth.yml` file in the configuration directory which defaults to `~/.config/`. The directory can be set with the `-d` option or the environment variable `IMMICH_CONFIG_DIR`. Please keep the file secure, either by performing the logout command after you are done, or deleting it manually.

 Once you are authenticated, you can upload assets to your Immich server.

--- a/docs/docs/features/img/moblie-smart-serach.webp
+++ b/docs/docs/features/img/moblie-smart-serach.webp
--- a/docs/docs/features/libraries.md
+++ b/docs/docs/features/libraries.md
@@ -72,7 +72,7 @@ In rare cases, the library watcher can hang, preventing Immich from starting up.

 ### Nightly job

-There is an automatic scan job that is scheduled to run once a day. This job also cleans up any libraries stuck in deletion. It is possible to trigger the cleanup by clicking "Scan all libraries" in the library management page.
+There is an automatic scan job that is scheduled to run once a day. This job also cleans up any libraries stuck in deletion. It is possible to trigger the cleanup by clicking "Scan all libraries" in the library managment page.

 ## Usage

@@ -95,7 +95,7 @@ The `immich-server` container will need access to the gallery. Modify your docke
 +     - /mnt/nas/christmas-trip:/mnt/media/christmas-trip:ro
 +     - /home/user/old-pics:/mnt/media/old-pics:ro
 +     - /mnt/media/videos:/mnt/media/videos:ro
-+     - /mnt/media/videos2:/mnt/media/videos2 # WARNING: Immich will be able to delete the files in this folder, as it does not end with :ro
+     - /mnt/media/videos2:/mnt/media/videos2 # the files in this folder can be deleted, as it does not end with :ro
 +     - "C:/Users/user_name/Desktop/my media:/mnt/media/my-media:ro" # import path in Windows system.
 ```

--- a/docs/docs/features/ml-hardware-acceleration.md
+++ b/docs/docs/features/ml-hardware-acceleration.md
@@ -11,7 +11,6 @@ You do not need to redo any machine learning jobs after enabling hardware accele

 - ARM NN (Mali)
 - CUDA (NVIDIA GPUs with [compute capability](https://developer.nvidia.com/cuda-gpus) 5.2 or higher)
- ROCm (AMD GPUs)
 - OpenVINO (Intel GPUs such as Iris Xe and Arc)
 - RKNN (Rockchip)

@@ -42,15 +41,9 @@ You do not need to redo any machine learning jobs after enabling hardware accele

 - The GPU must have compute capability 5.2 or greater.
 - The server must have the official NVIDIA driver installed.
- The installed driver must be >= 545 (it must support CUDA 12.3).
+- The installed driver must be >= 535 (it must support CUDA 12.2).
 - On Linux (except for WSL2), you also need to have [NVIDIA Container Toolkit][nvct] installed.

-#### ROCm
-
- The GPU must be supported by ROCm. If it isn't officially supported, you can attempt to use the `HSA_OVERRIDE_GFX_VERSION` environmental variable: `HSA_OVERRIDE_GFX_VERSION=<a supported version, e.g. 10.3.0>`. If this doesn't work, you might need to also set `HSA_USE_SVM=0`.
- The ROCm image is quite large and requires at least 35GiB of free disk space. However, pulling later updates to the service through Docker will generally only amount to a few hundred megabytes as the rest will be cached.
- This backend is new and may experience some issues. For example, GPU power consumption can be higher than usual after running inference, even if the machine learning service is idle. In this case, it will only go back to normal after being idle for 5 minutes (configurable with the [MACHINE_LEARNING_MODEL_TTL](/docs/install/environment-variables) setting).
-
 #### OpenVINO

 - Integrated GPUs are more likely to experience issues than discrete GPUs, especially for older processors or servers with low RAM.
@@ -71,12 +64,12 @@ You do not need to redo any machine learning jobs after enabling hardware accele

 1. If you do not already have it, download the latest [`hwaccel.ml.yml`][hw-file] file and ensure it's in the same folder as the `docker-compose.yml`.
 2. In the `docker-compose.yml` under `immich-machine-learning`, uncomment the `extends` section and change `cpu` to the appropriate backend.
-3. Still in `immich-machine-learning`, add one of -[armnn, cuda, rocm, openvino, rknn] to the `image` section's tag at the end of the line.
+3. Still in `immich-machine-learning`, add one of -[armnn, cuda, openvino] to the `image` section's tag at the end of the line.
 4. Redeploy the `immich-machine-learning` container with these updated settings.

 ### Confirming Device Usage

-You can confirm the device is being recognized and used by checking its utilization. There are many tools to display this, such as `nvtop` for NVIDIA or Intel, `intel_gpu_top` for Intel, and `radeontop` for AMD.
+You can confirm the device is being recognized and used by checking its utilization. There are many tools to display this, such as `nvtop` for NVIDIA or Intel and `intel_gpu_top` for Intel.

 You can also check the logs of the `immich-machine-learning` container. When a Smart Search or Face Detection job begins, or when you search with text in Immich, you should either see a log for `Available ORT providers` containing the relevant provider (e.g. `CUDAExecutionProvider` in the case of CUDA), or a `Loaded ANN model` log entry without errors in the case of ARM NN.

--- a/docs/docs/features/searching.md
+++ b/docs/docs/features/searching.md
--- a/docs/docs/guides/custom-map-styles.md
+++ b/docs/docs/guides/custom-map-styles.md
@@ -14,14 +14,14 @@ online generators you can use.
 2. Paste the link to your JSON style in either the **Light Style** or **Dark Style**. (You can add different styles which will help make the map style more appropriate depending on whether you set **Immich** to Light or Dark mode.)
 3. Save your selections. Reload the map, and enjoy your custom map style!

-## Use MapTiler to build a custom style
+## Use Maptiler to build a custom style

-Customizing the map style can be done easily using MapTiler, if you do not want to write an entire JSON document by hand.
+Customizing the map style can be done easily using Maptiler, if you do not want to write an entire JSON document by hand.

 1. Create a free account at https://cloud.maptiler.com
 2. Once logged in, you can either create a brand new map by clicking on **New Map**, selecting a starter map, and then clicking **Customize**, OR by selecting a **Standard Map** and customizing it from there.
 3. The **editor** interface is self-explanatory. You can change colors, remove visible layers, or add optional layers (e.g., administrative, topo, hydro, etc.) in the composer.
 4. Once you have your map composed, click on **Save** at the top right. Give it a unique name to save it to your account.
-5. Next, **Publish** your style using the **Publish** button at the top right. This will deploy it to production, which means it is able to be exposed over the Internet. MapTiler will present an interactive side-by-side map with the original and your changes prior to publication.<br/>![MapTiler Publication Settings](img/immich_map_styles_publish.webp)
-6. MapTiler will warn you that changing the map will change it across all apps using the map. Since no apps are using the map yet, this is okay.
-7. Clicking on the name of your new map at the top left will bring you to the item's **details** page. From here, copy the link to the JSON style under **Use vector style**. This link will automatically contain your personal API key to MapTiler.
+5. Next, **Publish** your style using the **Publish** button at the top right. This will deploy it to production, which means it is able to be exposed over the Internet. Maptiler will present an interactive side-by-side map with the original and your changes prior to publication.<br/>![Maptiler Publication Settings](img/immich_map_styles_publish.webp)
+6. Maptiler will warn you that changing the map will change it across all apps using the map. Since no apps are using the map yet, this is okay.
+7. Clicking on the name of your new map at the top left will bring you to the item's **details** page. From here, copy the link to the JSON style under **Use vector style**. This link will automatically contain your personal API key to Maptiler.
--- a/docs/docs/guides/database-queries.md
+++ b/docs/docs/guides/database-queries.md
@@ -1,7 +1,7 @@
 # Database Queries

 :::danger
-Keep in mind that mucking around in the database might set the Moon on fire. Avoid modifying the database directly when possible, and always have current backups.
+Keep in mind that mucking around in the database might set the moon on fire. Avoid modifying the database directly when possible, and always have current backups.
 :::

 :::tip
--- a/docs/docs/guides/remote-machine-learning.md
+++ b/docs/docs/guides/remote-machine-learning.md
@@ -23,12 +23,12 @@ name: immich_remote_ml
 services:
  immich-machine-learning:
    container_name: immich_machine_learning
-    # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
+    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.ml.yml
-    #   service: # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    #   service: # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    restart: always
--- a/docs/docs/install/config-file.md
+++ b/docs/docs/install/config-file.md
@@ -1,7 +1,3 @@
---
-sidebar_position: 100
---
-
 # Config File

 A config file can be provided as an alternative to the UI configuration.
--- a/docs/docs/install/docker-compose.mdx
+++ b/docs/docs/install/docker-compose.mdx
@@ -2,13 +2,53 @@
 sidebar_position: 30
 ---

+import CodeBlock from '@theme/CodeBlock';
+import ExampleEnv from '!!raw-loader!../../../docker/example.env';
+
 # Docker Compose [Recommended]

 Docker Compose is the recommended method to run Immich in production. Below are the steps to deploy Immich with Docker Compose.

-import DockerComposeSteps from '/docs/partials/_docker-compose-install-steps.mdx';
+## Step 1 - Download the required files

-<DockerComposeSteps />
+Create a directory of your choice (e.g. `./immich-app`) to hold the `docker-compose.yml` and `.env` files.
+
+```bash title="Move to the directory you created"
+mkdir ./immich-app
+cd ./immich-app
+```
+
+Download [`docker-compose.yml`][compose-file] and [`example.env`][env-file] by running the following commands:
+
+```bash title="Get docker-compose.yml file"
+wget -O docker-compose.yml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+```
+
+```bash title="Get .env file"
+wget -O .env https://github.com/immich-app/immich/releases/latest/download/example.env
+```
+
+You can alternatively download these two files from your browser and move them to the directory that you created, in which case ensure that you rename `example.env` to `.env`.
+
+## Step 2 - Populate the .env file with custom values
+
+<CodeBlock language="bash" title="Default environmental variable content">
+  {ExampleEnv}
+</CodeBlock>
+
+- Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets. It should be a new directory on the server with enough free space.
+- Consider changing `DB_PASSWORD` to a custom value. Postgres is not publicly exposed, so this password is only used for local authentication.
+  To avoid issues with Docker parsing this value, it is best to use only the characters `A-Za-z0-9`. `pwgen` is a handy utility for this.
+- Set your timezone by uncommenting the `TZ=` line.
+- Populate custom database information if necessary.
+
+## Step 3 - Start the containers
+
+From the directory you created in Step 1 (which should now contain your customized `docker-compose.yml` and `.env` files), run the following command to start Immich as a background service:
+
+```bash title="Start the containers"
+docker compose up -d
+```

 :::info Docker version
 If you get an error such as `unknown shorthand flag: 'd' in -d` or `open <location of your .env file>: permission denied`, you are probably running the wrong Docker version. (This happens, for example, with the docker.io package in Ubuntu 22.04.3 LTS.) You can correct the problem by following the complete [Docker Engine install](https://docs.docker.com/engine/install/) procedure for your distribution, crucially the "Uninstall old versions" and "Install using the apt/rpm repository" sections. These replace the distro's Docker packages with Docker's official ones.
@@ -29,4 +69,39 @@ If you get an error `can't set healthcheck.start_interval as feature require Doc

 ## Next Steps

-Read the [Post Installation](/docs/install/post-install.mdx) steps and [upgrade instructions](/docs/install/upgrading.md).
+Read the [Post Installation](/docs/install/post-install.mdx) steps or setup optional features below.
+
+### Setting up optional features
+
+- [External Libraries](/docs/features/libraries.md): Adding your existing photo library to Immich
+- [Hardware Transcoding](/docs/features/hardware-transcoding.md): Speeding up video transcoding
+- [Hardware-Accelerated Machine Learning](/docs/features/ml-hardware-acceleration.md): Speeding up various machine learning tasks in Immich
+
+### Upgrading
+
+:::danger Read the release notes
+Immich is currently under heavy development, which means you can expect [breaking changes][breaking] and bugs. Therefore, we recommend reading the release notes prior to updating and to take special care when using automated tools like [Watchtower][watchtower].
+
+You can see versions that had breaking changes [here][breaking].
+:::
+
+If `IMMICH_VERSION` is set, it will need to be updated to the latest or desired version.
+
+When a new version of Immich is [released][releases], the application can be upgraded and restarted with the following commands, run in the directory with the `docker-compose.yml` file:
+
+```bash title="Upgrade and restart Immich"
+docker compose pull && docker compose up -d
+```
+
+To clean up disk space, the old version's obsolete container images can be deleted with the following command:
+
+```bash title="Clean up unused Docker images"
+docker image prune
+```
+
+[compose-file]: https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+[env-file]: https://github.com/immich-app/immich/releases/latest/download/example.env
+[watchtower]: https://containrrr.dev/watchtower/
+[breaking]: https://github.com/immich-app/immich/discussions?discussions_q=label%3Achangelog%3Abreaking-change+sort%3Adate_created
+[container-auth]: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry
+[releases]: https://github.com/immich-app/immich/releases
--- a/docs/docs/install/environment-variables.md
+++ b/docs/docs/install/environment-variables.md
@@ -72,21 +72,20 @@ Information on the current workers can be found [here](/docs/administration/jobs

 ## Database

-| Variable                            | Description                                                                  |  Default   | Containers                     |
-| :---------------------------------- | :--------------------------------------------------------------------------- | :--------: | :----------------------------- |
-| `DB_URL`                            | Database URL                                                                 |            | server                         |
-| `DB_HOSTNAME`                       | Database host                                                                | `database` | server                         |
-| `DB_PORT`                           | Database port                                                                |   `5432`   | server                         |
-| `DB_USERNAME`                       | Database user                                                                | `postgres` | server, database<sup>\*1</sup> |
-| `DB_PASSWORD`                       | Database password                                                            | `postgres` | server, database<sup>\*1</sup> |
-| `DB_DATABASE_NAME`                  | Database name                                                                |  `immich`  | server, database<sup>\*1</sup> |
-| `DB_SSL_MODE`                       | Database SSL mode                                                            |            | server                         |
-| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`, `pgvecto.rs`]) |            | server                         |
-| `DB_SKIP_MIGRATIONS`                | Whether to skip running migrations on startup (one of [`true`, `false`])     |  `false`   | server                         |
+| Variable                            | Description                                                              |   Default    | Containers                     |
+| :---------------------------------- | :----------------------------------------------------------------------- | :----------: | :----------------------------- |
+| `DB_URL`                            | Database URL                                                             |              | server                         |
+| `DB_HOSTNAME`                       | Database host                                                            |  `database`  | server                         |
+| `DB_PORT`                           | Database port                                                            |    `5432`    | server                         |
+| `DB_USERNAME`                       | Database user                                                            |  `postgres`  | server, database<sup>\*1</sup> |
+| `DB_PASSWORD`                       | Database password                                                        |  `postgres`  | server, database<sup>\*1</sup> |
+| `DB_DATABASE_NAME`                  | Database name                                                            |   `immich`   | server, database<sup>\*1</sup> |
+| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`pgvector`, `pgvecto.rs`])            | `pgvecto.rs` | server                         |
+| `DB_SKIP_MIGRATIONS`                | Whether to skip running migrations on startup (one of [`true`, `false`]) |   `false`    | server                         |

 \*1: The values of `DB_USERNAME`, `DB_PASSWORD`, and `DB_DATABASE_NAME` are passed to the Postgres container as the variables `POSTGRES_USER`, `POSTGRES_PASSWORD`, and `POSTGRES_DB` in `docker-compose.yml`.

-\*2: If not provided, the appropriate extension to use is auto-detected at startup by introspecting the database. When multiple extensions are installed, the order of preference is VectorChord, pgvecto.rs, pgvector.
+\*2: This setting cannot be changed after the server has successfully started up.

 :::info

--- a/docs/docs/install/post-install.mdx
+++ b/docs/docs/install/post-install.mdx
@@ -41,9 +41,3 @@ A list of common steps to take after installing Immich include:
 ## Step 7 - Setup Server Backups

 <ServerBackup />
-
-## Setting up optional features
-
- [External Libraries](/docs/features/libraries.md): Adding your existing photo library to Immich
- [Hardware Transcoding](/docs/features/hardware-transcoding.md): Speeding up video transcoding
- [Hardware-Accelerated Machine Learning](/docs/features/ml-hardware-acceleration.md): Speeding up various machine learning tasks in Immich
--- a/docs/docs/install/synology.md
+++ b/docs/docs/install/synology.md
@@ -29,7 +29,7 @@ Download [`docker-compose.yml`](https://github.com/immich-app/immich/releases/la

 ## Step 2 - Populate the .env file with custom values

-Follow [Step 2 in Docker Compose](/docs/install/docker-compose#step-2---populate-the-env-file-with-custom-values) for instructions on customizing the `.env` file, and then return back to this guide to continue.
+Follow [Step 2 in Docker Compose](./docker-compose#step-2---populate-the-env-file-with-custom-values) for instructions on customizing the `.env` file, and then return back to this guide to continue.

 ## Step 3 - Create a new project in Container Manager

@@ -67,4 +67,10 @@ Click "**Edit Rules**" and add the following firewall rules:

 ## Next Steps

-Read the [Post Installation](/docs/install/post-install.mdx) steps and [upgrade instructions](/docs/install/upgrading.md).
+Read the [Post Installation](/docs/install/post-install.mdx) steps or setup optional features below.
+
+### Setting up optional features
+
+- [External Libraries](/docs/features/libraries.md): Adding your existing photo library to Immich
+- [Hardware Transcoding](/docs/features/hardware-transcoding.md): Speeding up video transcoding
+- [Hardware-Accelerated Machine Learning](/docs/features/ml-hardware-acceleration.md): Speeding up various machine learning tasks in Immich
--- a/docs/docs/install/truenas.md
+++ b/docs/docs/install/truenas.md
@@ -2,7 +2,7 @@
 sidebar_position: 80
 ---

-# TrueNAS [Community]
+# TrueNAS SCALE [Community]

 :::note
 This is a community contribution and not officially supported by the Immich team, but included here for convenience.
@@ -12,17 +12,17 @@ Community support can be found in the dedicated channel on the [Discord Server](
 **Please report app issues to the corresponding [Github Repository](https://github.com/truenas/charts/tree/master/community/immich).**
 :::

-Immich can easily be installed on TrueNAS Community Edition via the **Community** train application.
-Consider reviewing the TrueNAS [Apps resources](https://apps.truenas.com/getting-started/) if you have not previously configured applications on your system.
+Immich can easily be installed on TrueNAS SCALE via the **Community** train application.
+Consider reviewing the TrueNAS [Apps tutorial](https://www.truenas.com/docs/scale/scaletutorials/apps/) if you have not previously configured applications on your system.

-TrueNAS Community Edition makes installing and updating Immich easy, but you must use the Immich web portal and mobile app to configure accounts and access libraries.
+TrueNAS SCALE makes installing and updating Immich easy, but you must use the Immich web portal and mobile app to configure accounts and access libraries.

 ## First Steps

-The Immich app in TrueNAS Community Edition installs, completes the initial configuration, then starts the Immich web portal.
-When updates become available, TrueNAS alerts and provides easy updates.
+The Immich app in TrueNAS SCALE installs, completes the initial configuration, then starts the Immich web portal.
+When updates become available, SCALE alerts and provides easy updates.

-Before installing the Immich app in TrueNAS, review the [Environment Variables](#environment-variables) documentation to see if you want to configure any during installation.
+Before installing the Immich app in SCALE, review the [Environment Variables](#environment-variables) documentation to see if you want to configure any during installation.
 You may also configure environment variables at any time after deploying the application.

 ### Setting up Storage Datasets
@@ -126,9 +126,9 @@ className="border rounded-xl"

 Accept the default port `30041` in **WebUI Port** or enter a custom port number.
 :::info Allowed Port Numbers
-Only numbers within the range 9000-65535 may be used on TrueNAS versions below TrueNAS Community Edition 24.10 Electric Eel.
+Only numbers within the range 9000-65535 may be used on SCALE versions below TrueNAS Scale 24.10 Electric Eel.

-Regardless of version, to avoid port conflicts, don't use [ports on this list](https://www.truenas.com/docs/solutions/optimizations/security/#truenas-default-ports).
+Regardless of version, to avoid port conflicts, don't use [ports on this list](https://www.truenas.com/docs/references/defaultports/).
 :::

 ### Storage Configuration
@@ -173,7 +173,7 @@ className="border rounded-xl"

 You may configure [External Libraries](/docs/features/libraries) by mounting them using **Additional Storage**.
 The **Mount Path** is the location you will need to copy and paste into the External Library settings within Immich.
-The **Host Path** is the location on the TrueNAS Community Edition server where your external library is located.
+The **Host Path** is the location on the TrueNAS SCALE server where your external library is located.

 <!-- A section for Labels would go here but I don't know what they do. -->

@@ -188,17 +188,17 @@ className="border rounded-xl"

 Accept the default **CPU** limit of `2` threads or specify the number of threads (CPUs with Multi-/Hyper-threading have 2 threads per core).

-Specify the **Memory** limit in MB of RAM. Immich recommends at least 6000 MB (6GB). If you selected **Enable Machine Learning** in **Immich Configuration**, you should probably set this above 8000 MB.
+Accept the default **Memory** limit of `4096` MB or specify the number of MB of RAM. If you're using Machine Learning you should probably set this above 8000 MB.

-:::info Older TrueNAS Versions
-Before TrueNAS Community Edition version 24.10 Electric Eel:
+:::info Older SCALE Versions
+Before TrueNAS SCALE version 24.10 Electric Eel:

 The **CPU** value was specified in a different format with a default of `4000m` which is 4 threads.

 The **Memory** value was specified in a different format with a default of `8Gi` which is 8 GiB of RAM. The value was specified in bytes or a number with a measurement suffix. Examples: `129M`, `123Mi`, `1000000000`
 :::

-Enable **GPU Configuration** options if you have a GPU that you will use for [Hardware Transcoding](/docs/features/hardware-transcoding) and/or [Hardware-Accelerated Machine Learning](/docs/features/ml-hardware-acceleration.md). More info: [GPU Passthrough Docs for TrueNAS Apps](https://apps.truenas.com/managing-apps/installing-apps/#gpu-passthrough)
+Enable **GPU Configuration** options if you have a GPU that you will use for [Hardware Transcoding](/docs/features/hardware-transcoding) and/or [Hardware-Accelerated Machine Learning](/docs/features/ml-hardware-acceleration.md). More info: [GPU Passthrough Docs for TrueNAS Apps](https://www.truenas.com/docs/truenasapps/#gpu-passthrough)

 ### Install

@@ -240,18 +240,14 @@ className="border rounded-xl"
 />

 :::info
-Some Environment Variables are not available for the TrueNAS Community Edition app. This is mainly because they can be configured through GUI options in the [Edit Immich screen](#edit-app-settings).
+Some Environment Variables are not available for the TrueNAS SCALE app. This is mainly because they can be configured through GUI options in the [Edit Immich screen](#edit-app-settings).

 Some examples are: `IMMICH_VERSION`, `UPLOAD_LOCATION`, `DB_DATA_LOCATION`, `TZ`, `IMMICH_LOG_LEVEL`, `DB_PASSWORD`, `REDIS_PASSWORD`.
 :::

 ## Updating the App

-:::danger
-Make sure to read the general [upgrade instructions](/docs/install/upgrading.md).
-:::
-
-When updates become available, TrueNAS alerts and provides easy updates.
+When updates become available, SCALE alerts and provides easy updates.
 To update the app to the latest version:

 - Go to the **Installed Applications** screen and select Immich from the list of installed applications.
--- a/docs/docs/install/unraid.md
+++ b/docs/docs/install/unraid.md
@@ -131,10 +131,6 @@ For more information on how to use the application once installed, please refer

 ## Updating Steps

-:::danger
-Make sure to read the general [upgrade instructions](/docs/install/upgrading.md).
-:::
-
 Updating is extremely easy however it's important to be aware that containers managed via the Docker Compose Manager plugin do not integrate with Unraid's native dockerman UI, the label "_update ready_" will always be present on containers installed via the Docker Compose Manager.

 <img
--- a/docs/docs/install/upgrading.md
+++ b/docs/docs/install/upgrading.md
@@ -1,29 +0,0 @@
---
-sidebar_position: 95
---
-
-# Upgrading
-
-:::danger Read the release notes
-Immich is currently under heavy development, which means you can expect [breaking changes][breaking] and bugs. You should read the release notes prior to updating and take special care when using automated tools like [Watchtower][watchtower].
-
-You can see versions that had breaking changes [here][breaking].
-:::
-
-When a new version of Immich is [released][releases], you should read the release notes and account for any breaking changes noted (as mentioned above).
-If you use `IMMICH_VERSION` in your `.env` file, it will need to be updated to the latest or desired version.
-After that, the application can be upgraded and restarted with the following commands, run in the directory with the `docker-compose.yml` file:
-
-```bash title="Upgrade and restart Immich"
-docker compose pull && docker compose up -d
-```
-
-To clean up disk space, the old version's obsolete container images can be deleted with the following command:
-
-```bash title="Clean up unused Docker images"
-docker image prune
-```
-
-[watchtower]: https://containrrr.dev/watchtower/
-[breaking]: https://github.com/immich-app/immich/discussions?discussions_q=label%3Achangelog%3Abreaking-change+sort%3Adate_created
-[releases]: https://github.com/immich-app/immich/releases
--- a/docs/docs/overview/comparison.md
+++ b/docs/docs/overview/comparison.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 3
+sidebar_position: 2
 ---

 # Comparison
--- a/docs/docs/overview/img/social-preview-light.webp
+++ b/docs/docs/overview/img/social-preview-light.webp
--- a/docs/docs/overview/introduction.mdx
+++ b/docs/docs/overview/introduction.mdx
@@ -2,13 +2,9 @@
 sidebar_position: 1
 ---

-# Welcome to Immich
+# Introduction

-<img
-  src={require('./img/social-preview-light.webp').default}
-  alt="Immich - Self-hosted photos and videos backup tool"
-  data-theme="light"
-/>
+<img src={require('./img/feature-panel.webp').default} alt="Immich - Self-hosted photos and videos backup tool" />

 ## Welcome!

--- a/docs/docs/overview/quick-start.mdx
+++ b/docs/docs/overview/quick-start.mdx
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 2
+sidebar_position: 3
 ---

 # Quick start
@@ -10,20 +10,11 @@ to install and use it.

 ## Requirements

- A system with at least 4GB of RAM and 2 CPU cores.
- [Docker](https://docs.docker.com/engine/install/)
-
-> For a more detailed list of requirements, see the [requirements page](/docs/install/requirements).
-
---
+Check the [requirements page](/docs/install/requirements) to get started.

 ## Set up the server

-import DockerComposeSteps from '/docs/partials/_docker-compose-install-steps.mdx';
-
-<DockerComposeSteps />
-
---
+Follow the [Docker Compose (Recommended)](/docs/install/docker-compose) instructions to install the server.

 ## Try the web app

@@ -35,8 +26,6 @@ Try uploading a picture from your browser.

 <img src={require('./img/upload-button.webp').default} title="Upload button" />

---
-
 ## Try the mobile app

 ### Download the Mobile App
@@ -67,8 +56,6 @@ You can select the **Jobs** tab to see Immich processing your photos.

 <img src={require('/docs/guides/img/jobs-tab.webp').default} title="Jobs tab" width={300} />

---
-
 ## Review the database backup and restore process

 Immich has built-in database backups. You can refer to the
@@ -78,8 +65,6 @@ Immich has built-in database backups. You can refer to the
 The database only contains metadata and user information. You must setup manual backups of the images and videos stored in `UPLOAD_LOCATION`.
 :::

---
-
 ## Where to go from here?

 You may decide you'd like to install the server a different way; the Install category on the left menu provides many options.
--- a/docs/docs/partials/_docker-compose-install-steps.mdx
+++ b/docs/docs/partials/_docker-compose-install-steps.mdx
@@ -1,43 +0,0 @@
-import CodeBlock from '@theme/CodeBlock';
-import ExampleEnv from '!!raw-loader!../../../docker/example.env';
-
-### Step 1 - Download the required files
-
-Create a directory of your choice (e.g. `./immich-app`) to hold the `docker-compose.yml` and `.env` files.
-
-```bash title="Move to the directory you created"
-mkdir ./immich-app
-cd ./immich-app
-```
-
-Download [`docker-compose.yml`](https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml) and [`example.env`](https://github.com/immich-app/immich/releases/latest/download/example.env) by running the following commands:
-
-```bash title="Get docker-compose.yml file"
-wget -O docker-compose.yml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
-```
-
-```bash title="Get .env file"
-wget -O .env https://github.com/immich-app/immich/releases/latest/download/example.env
-```
-
-You can alternatively download these two files from your browser and move them to the directory that you created, in which case ensure that you rename `example.env` to `.env`.
-
-### Step 2 - Populate the .env file with custom values
-
-<CodeBlock language="bash" title="Default environmental variable content">
-  {ExampleEnv}
-</CodeBlock>
-
- Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets. It should be a new directory on the server with enough free space.
- Consider changing `DB_PASSWORD` to a custom value. Postgres is not publicly exposed, so this password is only used for local authentication.
-  To avoid issues with Docker parsing this value, it is best to use only the characters `A-Za-z0-9`. `pwgen` is a handy utility for this.
- Set your timezone by uncommenting the `TZ=` line.
- Populate custom database information if necessary.
-
-### Step 3 - Start the containers
-
-From the directory you created in Step 1 (which should now contain your customized `docker-compose.yml` and `.env` files), run the following command to start Immich as a background service:
-
-```bash title="Start the containers"
-docker compose up -d
-```
--- a/docs/docs/partials/_server-backup.md
+++ b/docs/docs/partials/_server-backup.md
@@ -1,7 +1,2 @@
 Now that you have imported some pictures, you should setup server backups to preserve your memories.
 You can do so by following our [backup guide](/docs/administration/backup-and-restore.md).
-
-:::danger
-Immich is still under heavy development _and_ handles very important data.
-It is essential that you set up good backups, and test them.
-:::
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -95,7 +95,7 @@ const config = {
            position: 'right',
          },
          {
-            to: '/docs/overview/welcome',
+            to: '/docs/overview/introduction',
            position: 'right',
            label: 'Docs',
          },
@@ -124,12 +124,6 @@ const config = {
            label: 'Discord',
            position: 'right',
          },
-          {
-            type: 'html',
-            position: 'right',
-            value:
-              '<a href="https://buy.immich.app" target="_blank" class="no-underline hover:no-underline"><button class="buy-button bg-immich-primary dark:bg-immich-dark-primary text-white dark:text-black rounded-xl">Buy Immich</button></a>',
-          },
        ],
      },
      footer: {
@@ -140,7 +134,7 @@ const config = {
            items: [
              {
                label: 'Welcome',
-                to: '/docs/overview/welcome',
+                to: '/docs/overview/introduction',
              },
              {
                label: 'Installation',
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
--- a/docs/src/components/community-projects.tsx
+++ b/docs/src/components/community-projects.tsx
@@ -40,9 +40,8 @@ const projects: CommunityProjectProps[] = [
  },
  {
    title: 'Lightroom Immich Plugin: lrc-immich-plugin',
-    description:
-      'Lightroom plugin to publish, export photos from Lightroom to Immich. Import from Immich to Lightroom is also supported.',
-    url: 'https://blog.fokuspunk.de/lrc-immich-plugin/',
+    description: 'Another Lightroom plugin to publish or export photos from Lightroom to Immich.',
+    url: 'https://github.com/bmachek/lrc-immich-plugin',
  },
  {
    title: 'Immich Duplicate Finder',
--- a/docs/src/css/custom.css
+++ b/docs/src/css/custom.css
@@ -7,22 +7,14 @@
@tailwind components;
@tailwind utilities;

-@font-face {
-  font-family: 'Overpass';
-  src: url('/fonts/overpass/Overpass.ttf') format('truetype-variations');
-  font-weight: 1 999;
-  font-style: normal;
-  ascent-override: 106.25%;
-  size-adjust: 106.25%;
-}
+@import url('https://fonts.googleapis.com/css2?family=Be+Vietnam+Pro:ital,wght@0,100;0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,100;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap');

-@font-face {
-  font-family: 'Overpass Mono';
-  src: url('/fonts/overpass/OverpassMono.ttf') format('truetype-variations');
-  font-weight: 1 999;
-  font-style: normal;
+body {
+  font-family: 'Be Vietnam Pro', serif;
+  font-optical-sizing: auto;
+  /* font-size: 1.125rem;
  ascent-override: 106.25%;
-  size-adjust: 106.25%;
+  size-adjust: 106.25%; */
 }

 .breadcrumbs__link {
@@ -37,7 +29,6 @@ img {

 /* You can override the default Infima variables here. */
 :root {
-  font-family: 'Overpass', sans-serif;
  --ifm-color-primary: #4250af;
  --ifm-color-primary-dark: #4250af;
  --ifm-color-primary-darker: #4250af;
@@ -68,12 +59,14 @@ div[class^='announcementBar_'] {
 }

 .menu__link {
-  padding: 10px 10px 10px 16px;
+  padding: 10px;
+  padding-left: 16px;
  border-radius: 24px;
  margin-right: 16px;
 }

 .menu__list-item-collapsible {
+  border-radius: 10px;
  margin-right: 16px;
  border-radius: 24px;
 }
@@ -90,12 +83,3 @@ div[class*='navbar__items'] > li:has(a[class*='version-switcher-34ab39']) {
 code {
  font-weight: 600;
 }
-
-.buy-button {
-  padding: 8px 14px;
-  border: 1px solid transparent;
-  font-family: 'Overpass', sans-serif;
-  font-weight: 500;
-  cursor: pointer;
-  box-shadow: 0 0 5px 2px rgba(181, 206, 254, 0.4);
-}
--- a/docs/src/pages/cursed-knowledge.tsx
+++ b/docs/src/pages/cursed-knowledge.tsx
@@ -2,7 +2,6 @@ import {
  mdiBug,
  mdiCalendarToday,
  mdiCrosshairsOff,
-  mdiCrop,
  mdiDatabase,
  mdiLeadPencil,
  mdiLockOff,
@@ -23,18 +22,6 @@ const withLanguage = (date: Date) => (language: string) => date.toLocaleDateStri
 type Item = Omit<TimelineItem, 'done' | 'getDateLabel'> & { date: Date };

 const items: Item[] = [
-  {
-    icon: mdiCrop,
-    iconColor: 'tomato',
-    title: 'Image dimensions in EXIF metadata are cursed',
-    description:
-      'The dimensions in EXIF metadata can be different from the actual dimensions of the image, causing issues with cropping and resizing.',
-    link: {
-      url: 'https://github.com/immich-app/immich/pull/17974',
-      text: '#17974',
-    },
-    date: new Date(2025, 5, 5),
-  },
  {
    icon: mdiMicrosoftWindows,
    iconColor: '#357EC7',
--- a/docs/src/pages/errors.md
+++ b/docs/src/pages/errors.md
@@ -1,5 +0,0 @@
-# Errors
-
-## TypeORM Upgrade
-
-The upgrade to Immich `v2.x.x` has a required upgrade path to `v1.132.0+`. This means it is required to start up the application at least once on version `1.132.0` (or later). Doing so will complete database schema upgrades that are required for `v2.0.0`. After Immich has successfully booted on this version, shut the system down and try the `v2.x.x` upgrade again.
--- a/docs/src/pages/index.tsx
+++ b/docs/src/pages/index.tsx
@@ -1,11 +1,12 @@
 import React from 'react';
 import Link from '@docusaurus/Link';
 import Layout from '@theme/Layout';
+import { useColorMode } from '@docusaurus/theme-common';
 import { discordPath, discordViewBox } from '@site/src/components/svg-paths';
-import ThemedImage from '@theme/ThemedImage';
 import Icon from '@mdi/react';
-
 function HomepageHeader() {
+  const { isDarkTheme } = useColorMode();
+
  return (
    <header>
      <div className="top-[calc(12%)]  md:top-[calc(30%)] h-screen w-full absolute -z-10">
@@ -13,14 +14,11 @@ function HomepageHeader() {
        <div className="w-full h-[120vh] absolute left-0 top-0 backdrop-blur-3xl bg-immich-bg/40 dark:bg-transparent"></div>
      </div>
      <section className="text-center pt-12 sm:pt-24 bg-immich-bg/50 dark:bg-immich-dark-bg/80">
-        <a href="https://futo.org" target="_blank" rel="noopener noreferrer">
-          <ThemedImage
-            sources={{ dark: 'img/logomark-dark-with-futo.svg', light: 'img/logomark-light-with-futo.svg' }}
-            className="h-[125px] w-[125px] mb-2 antialiased rounded-none"
-            alt="Immich logo"
-          />
-        </a>
-
+        <img
+          src={isDarkTheme ? 'img/logomark-dark.svg' : 'img/logomark-light.svg'}
+          className="h-[115px] w-[115px] mb-2 antialiased rounded-none"
+          alt="Immich logo"
+        />
        <div className="mt-8">
          <p className="text-3xl md:text-5xl sm:leading-tight mb-1 font-extrabold text-black/90 dark:text-white px-4">
            Self-hosted{' '}
@@ -31,29 +29,37 @@ function HomepageHeader() {
            solution<span className="block"></span>
          </p>

-          <p className="max-w-1/4 m-auto mt-4 px-4 text-lg text-gray-700 dark:text-gray-100">
+          <p className="max-w-1/4 m-auto mt-4 px-4">
            Easily back up, organize, and manage your photos on your own server. Immich helps you
            <span className="sm:block"></span> browse, search and organize your photos and videos with ease, without
            sacrificing your privacy.
          </p>
        </div>
+
        <div className="flex flex-col sm:flex-row place-items-center place-content-center mt-9 gap-4 ">
          <Link
-            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary dark:bg-immich-dark-primary rounded-xl no-underline hover:no-underline text-white hover:text-gray-50 dark:text-immich-dark-bg font-bold"
-            to="docs/overview/quick-start"
+            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary dark:bg-immich-dark-primary rounded-xl no-underline hover:no-underline text-white hover:text-gray-50 dark:text-immich-dark-bg font-bold uppercase"
+            to="docs/overview/introduction"
          >
-            Get Started
+            Get started
          </Link>

          <Link
-            className="flex place-items-center place-content-center py-3 px-8 border bg-white/90 dark:bg-gray-300  rounded-xl hover:no-underline text-immich-primary dark:text-immich-dark-bg font-bold"
+            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary/10 dark:bg-gray-300  rounded-xl hover:no-underline text-immich-primary dark:text-immich-dark-bg font-bold uppercase"
            to="https://demo.immich.app/"
          >
-            Open Demo
+            Demo
+          </Link>
+
+          <Link
+            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary/10 dark:bg-gray-300  rounded-xl hover:no-underline text-immich-primary dark:text-immich-dark-bg font-bold uppercase"
+            to="https://immich.store"
+          >
+            Buy Merch
          </Link>
        </div>

-        <div className="my-8 flex gap-1 font-medium place-items-center place-content-center text-immich-primary dark:text-immich-dark-primary">
+        <div className="my-12 flex gap-1 font-medium place-items-center place-content-center text-immich-primary dark:text-immich-dark-primary">
          <Icon
            path={discordPath}
            viewBox={discordViewBox} /* viewBox may show an error in your IDE but it is normal. */
@@ -61,19 +67,22 @@ function HomepageHeader() {
          />
          <Link to="https://discord.immich.app/">Join our Discord</Link>
        </div>
-        <ThemedImage
-          sources={{ dark: '/img/screenshot-dark.webp', light: '/img/screenshot-light.webp' }}
+        <img
+          src={isDarkTheme ? '/img/screenshot-dark.webp' : '/img/screenshot-light.webp'}
          alt="screenshots"
          className="w-[95%] lg:w-[85%] xl:w-[70%] 2xl:w-[60%] "
        />
+
        <div className="mx-[25%] m-auto my-14 md:my-28">
          <hr className="border bg-gray-500 dark:bg-gray-400" />
        </div>
-        <ThemedImage
-          sources={{ dark: 'img/logomark-dark.svg', light: 'img/logomark-light.svg' }}
+
+        <img
+          src={isDarkTheme ? 'img/logomark-dark.svg' : 'img/logomark-light.svg'}
          className="h-[115px] w-[115px] mb-2 antialiased rounded-none"
          alt="Immich logo"
        />
+
        <div>
          <p className="font-bold text-2xl md:text-5xl ">Download the mobile app</p>
          <p className="text-lg">
@@ -86,21 +95,15 @@ function HomepageHeader() {
              <img className="h-24" alt="Get it on Google Play" src="/img/google-play-badge.png" />
            </a>
          </div>
-
          <div className="h-24">
            <a href="https://apps.apple.com/sg/app/immich/id1613945652">
              <img className="h-24 sm:p-3.5 p-3" alt="Download on the App Store" src="/img/ios-app-store-badge.svg" />
            </a>
          </div>
-
-          <div className="h-24">
-            <a href="https://github.com/immich-app/immich/releases/latest">
-              <img className="h-24 sm:p-3.5 p-3" alt="Download APK" src="/img/download-apk-github.svg" />
-            </a>
-          </div>
        </div>
-        <ThemedImage
-          sources={{ dark: '/img/app-qr-code-dark.svg', light: '/img/app-qr-code-light.svg' }}
+
+        <img
+          src={isDarkTheme ? '/img/app-qr-code-dark.svg' : '/img/app-qr-code-light.svg'}
          alt="app qr code"
          width={'150px'}
          className="shadow-lg p-3 my-8 dark:bg-immich-dark-bg "
@@ -116,7 +119,7 @@ export default function Home(): JSX.Element {
      <HomepageHeader />
      <div className="flex flex-col place-items-center text-center place-content-center dark:bg-immich-dark-bg py-8">
        <p>This project is available under GNU AGPL v3 license.</p>
-        <p className="text-sm">Privacy should not be a luxury</p>
+        <p className="text-xs">Privacy should not be a luxury</p>
      </div>
    </Layout>
  );
--- a/docs/src/pages/privacy-policy.tsx
+++ b/docs/src/pages/privacy-policy.tsx
@@ -1,6 +1,10 @@
 import React from 'react';
+import Link from '@docusaurus/Link';
 import Layout from '@theme/Layout';
+import { useColorMode } from '@docusaurus/theme-common';
 function HomepageHeader() {
+  const { isDarkTheme } = useColorMode();
+
  return (
    <header>
      <section className="max-w-[900px] m-4 p-4 md:p-6 md:m-auto md:my-12 border border-red-400 rounded-2xl  bg-slate-200 dark:bg-immich-dark-gray">
--- a/docs/src/pages/roadmap.tsx
+++ b/docs/src/pages/roadmap.tsx
@@ -76,7 +76,6 @@ import {
  mdiWeb,
  mdiDatabaseOutline,
  mdiLinkEdit,
-  mdiTagFaces,
  mdiMovieOpenPlayOutline,
 } from '@mdi/js';
 import Layout from '@theme/Layout';
@@ -84,8 +83,6 @@ import React from 'react';
 import { Item, Timeline } from '../components/timeline';

 const releases = {
-  'v1.130.0': new Date(2025, 2, 25),
-  'v1.127.0': new Date(2025, 1, 26),
  'v1.122.0': new Date(2024, 11, 5),
  'v1.120.0': new Date(2024, 10, 6),
  'v1.114.0': new Date(2024, 8, 6),
@@ -245,13 +242,6 @@ const roadmap: Item[] = [
 ];

 const milestones: Item[] = [
-  withRelease({
-    icon: mdiFolderMultiple,
-    iconColor: 'brown',
-    title: 'Folders view in the mobile app',
-    description: 'Browse your photos and videos in their folder structure inside the mobile app',
-    release: 'v1.130.0',
-  }),
  {
    icon: mdiStar,
    iconColor: 'gold',
@@ -259,14 +249,6 @@ const milestones: Item[] = [
    description: 'Reached 60K Stars on GitHub!',
    getDateLabel: withLanguage(new Date(2025, 2, 4)),
  },
-  withRelease({
-    icon: mdiTagFaces,
-    iconColor: 'teal',
-    title: 'Manual face tagging',
-    description:
-      'Manually tag or remove faces in photos and videos, even when automatic detection misses or misidentifies them.',
-    release: 'v1.127.0',
-  }),
  withRelease({
    icon: mdiLinkEdit,
    iconColor: 'crimson',
@@ -284,8 +266,8 @@ const milestones: Item[] = [
  withRelease({
    icon: mdiDatabaseOutline,
    iconColor: 'brown',
-    title: 'Automatic database dumps',
-    description: 'Database dumps are now integrated into the Immich server',
+    title: 'Automatic database backups',
+    description: 'Database backups are now integrated into the Immich server',
    release: 'v1.120.0',
  }),
  {
@@ -318,7 +300,7 @@ const milestones: Item[] = [
  withRelease({
    icon: mdiFolderMultiple,
    iconColor: 'brown',
-    title: 'Folders view',
+    title: 'Folders',
    description: 'Browse your photos and videos in their folder structure',
    release: 'v1.113.0',
  }),
--- a/docs/static/.well-known/security.txt
+++ b/docs/static/.well-known/security.txt
@@ -1,5 +0,0 @@
-Policy: https://github.com/immich-app/immich/blob/main/SECURITY.md
-Contact: mailto:security@immich.app
-Preferred-Languages: en
-Expires: 2026-05-01T23:59:00.000Z
-Canonical: https://immich.app/.well-known/security.txt
--- a/docs/static/_redirects
+++ b/docs/static/_redirects
@@ -30,4 +30,3 @@
 /docs/guides/api-album-sync /docs/community-projects 307
 /docs/guides/remove-offline-files /docs/community-projects 307
 /milestones /roadmap 307
-/docs/overview/introduction /docs/overview/welcome 307
--- a/docs/static/archived-versions.json
+++ b/docs/static/archived-versions.json
@@ -1,16 +1,4 @@
 [
-  {
-    "label": "v1.132.3",
-    "url": "https://v1.132.3.archive.immich.app"
-  },
-  {
-    "label": "v1.131.3",
-    "url": "https://v1.131.3.archive.immich.app"
-  },
-  {
-    "label": "v1.130.3",
-    "url": "https://v1.130.3.archive.immich.app"
-  },
  {
    "label": "v1.129.0",
    "url": "https://v1.129.0.archive.immich.app"
@@ -27,14 +15,46 @@
    "label": "v1.126.1",
    "url": "https://v1.126.1.archive.immich.app"
  },
+  {
+    "label": "v1.126.0",
+    "url": "https://v1.126.0.archive.immich.app"
+  },
  {
    "label": "v1.125.7",
    "url": "https://v1.125.7.archive.immich.app"
  },
+  {
+    "label": "v1.125.6",
+    "url": "https://v1.125.6.archive.immich.app"
+  },
+  {
+    "label": "v1.125.5",
+    "url": "https://v1.125.5.archive.immich.app"
+  },
+  {
+    "label": "v1.125.3",
+    "url": "https://v1.125.3.archive.immich.app"
+  },
+  {
+    "label": "v1.125.2",
+    "url": "https://v1.125.2.archive.immich.app"
+  },
+  {
+    "label": "v1.125.1",
+    "url": "https://v1.125.1.archive.immich.app"
+  },
  {
    "label": "v1.124.2",
    "url": "https://v1.124.2.archive.immich.app"
  },
+  {
+    "label": "v1.124.1",
+    "url": "https://v1.124.1.archive.immich.app"
+  },
+  {
+    "label": "v1.124.0",
+    "url": "https://v1.124.0.archive.immich.app"
+  },
  {
    "label": "v1.123.0",
    "url": "https://v1.123.0.archive.immich.app"
@@ -43,6 +63,18 @@
    "label": "v1.122.3",
    "url": "https://v1.122.3.archive.immich.app"
  },
+  {
+    "label": "v1.122.2",
+    "url": "https://v1.122.2.archive.immich.app"
+  },
+  {
+    "label": "v1.122.1",
+    "url": "https://v1.122.1.archive.immich.app"
+  },
+  {
+    "label": "v1.122.0",
+    "url": "https://v1.122.0.archive.immich.app"
+  },
  {
    "label": "v1.121.0",
    "url": "https://v1.121.0.archive.immich.app"
@@ -51,14 +83,34 @@
    "label": "v1.120.2",
    "url": "https://v1.120.2.archive.immich.app"
  },
+  {
+    "label": "v1.120.1",
+    "url": "https://v1.120.1.archive.immich.app"
+  },
+  {
+    "label": "v1.120.0",
+    "url": "https://v1.120.0.archive.immich.app"
+  },
  {
    "label": "v1.119.1",
    "url": "https://v1.119.1.archive.immich.app"
  },
+  {
+    "label": "v1.119.0",
+    "url": "https://v1.119.0.archive.immich.app"
+  },
  {
    "label": "v1.118.2",
    "url": "https://v1.118.2.archive.immich.app"
  },
+  {
+    "label": "v1.118.1",
+    "url": "https://v1.118.1.archive.immich.app"
+  },
+  {
+    "label": "v1.118.0",
+    "url": "https://v1.118.0.archive.immich.app"
+  },
  {
    "label": "v1.117.0",
    "url": "https://v1.117.0.archive.immich.app"
@@ -67,6 +119,14 @@
    "label": "v1.116.2",
    "url": "https://v1.116.2.archive.immich.app"
  },
+  {
+    "label": "v1.116.1",
+    "url": "https://v1.116.1.archive.immich.app"
+  },
+  {
+    "label": "v1.116.0",
+    "url": "https://v1.116.0.archive.immich.app"
+  },
  {
    "label": "v1.115.0",
    "url": "https://v1.115.0.archive.immich.app"
@@ -79,10 +139,18 @@
    "label": "v1.113.1",
    "url": "https://v1.113.1.archive.immich.app"
  },
+  {
+    "label": "v1.113.0",
+    "url": "https://v1.113.0.archive.immich.app"
+  },
  {
    "label": "v1.112.1",
    "url": "https://v1.112.1.archive.immich.app"
  },
+  {
+    "label": "v1.112.0",
+    "url": "https://v1.112.0.archive.immich.app"
+  },
  {
    "label": "v1.111.0",
    "url": "https://v1.111.0.archive.immich.app"
@@ -95,6 +163,14 @@
    "label": "v1.109.2",
    "url": "https://v1.109.2.archive.immich.app"
  },
+  {
+    "label": "v1.109.1",
+    "url": "https://v1.109.1.archive.immich.app"
+  },
+  {
+    "label": "v1.109.0",
+    "url": "https://v1.109.0.archive.immich.app"
+  },
  {
    "label": "v1.108.0",
    "url": "https://v1.108.0.archive.immich.app"
@@ -103,14 +179,38 @@
    "label": "v1.107.2",
    "url": "https://v1.107.2.archive.immich.app"
  },
+  {
+    "label": "v1.107.1",
+    "url": "https://v1.107.1.archive.immich.app"
+  },
+  {
+    "label": "v1.107.0",
+    "url": "https://v1.107.0.archive.immich.app"
+  },
  {
    "label": "v1.106.4",
    "url": "https://v1.106.4.archive.immich.app"
  },
+  {
+    "label": "v1.106.3",
+    "url": "https://v1.106.3.archive.immich.app"
+  },
+  {
+    "label": "v1.106.2",
+    "url": "https://v1.106.2.archive.immich.app"
+  },
+  {
+    "label": "v1.106.1",
+    "url": "https://v1.106.1.archive.immich.app"
+  },
  {
    "label": "v1.105.1",
    "url": "https://v1.105.1.archive.immich.app"
  },
+  {
+    "label": "v1.105.0",
+    "url": "https://v1.105.0.archive.immich.app"
+  },
  {
    "label": "v1.104.0",
    "url": "https://v1.104.0.archive.immich.app"
@@ -119,10 +219,26 @@
    "label": "v1.103.1",
    "url": "https://v1.103.1.archive.immich.app"
  },
+  {
+    "label": "v1.103.0",
+    "url": "https://v1.103.0.archive.immich.app"
+  },
  {
    "label": "v1.102.3",
    "url": "https://v1.102.3.archive.immich.app"
  },
+  {
+    "label": "v1.102.2",
+    "url": "https://v1.102.2.archive.immich.app"
+  },
+  {
+    "label": "v1.102.1",
+    "url": "https://v1.102.1.archive.immich.app"
+  },
+  {
+    "label": "v1.102.0",
+    "url": "https://v1.102.0.archive.immich.app"
+  },
  {
    "label": "v1.101.0",
    "url": "https://v1.101.0.archive.immich.app"
--- a/docs/static/fonts/overpass/Overpass-Italic.ttf
+++ b/docs/static/fonts/overpass/Overpass-Italic.ttf
--- a/docs/static/fonts/overpass/Overpass.ttf
+++ b/docs/static/fonts/overpass/Overpass.ttf
--- a/docs/static/fonts/overpass/OverpassMono.ttf
+++ b/docs/static/fonts/overpass/OverpassMono.ttf
--- a/docs/static/img/download-apk-github.svg
+++ b/docs/static/img/download-apk-github.svg
--- a/docs/static/img/logomark-dark-with-futo.svg
+++ b/docs/static/img/logomark-dark-with-futo.svg
--- a/docs/static/img/logomark-light-with-futo.svg
+++ b/docs/static/img/logomark-light-with-futo.svg
--- a/e2e/docker-compose.yml
+++ b/e2e/docker-compose.yml
@@ -34,11 +34,11 @@ services:
      - 2285:2285

  redis:
-    image: redis:6.2-alpine@sha256:3211c33a618c457e5d241922c975dbc4f446d0bdb2dc75694f5573ef8e2d01fa
+    image: redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8

  database:
-    image: tensorchord/vchord-postgres:pg14-v0.3.0
-    command: -c fsync=off -c shared_preload_libraries=vchord.so
+    image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
+    command: -c fsync=off -c shared_preload_libraries=vectors.so
    environment:
      POSTGRES_PASSWORD: postgres
      POSTGRES_USER: postgres
--- a/e2e/eslint.config.mjs
+++ b/e2e/eslint.config.mjs
@@ -1,29 +1,39 @@
+import { FlatCompat } from '@eslint/eslintrc';
 import js from '@eslint/js';
-import eslintPluginPrettierRecommended from 'eslint-plugin-prettier/recommended';
-import eslintPluginUnicorn from 'eslint-plugin-unicorn';
+import typescriptEslint from '@typescript-eslint/eslint-plugin';
+import tsParser from '@typescript-eslint/parser';
 import globals from 'globals';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
-import typescriptEslint from 'typescript-eslint';

 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
+const compat = new FlatCompat({
+  baseDirectory: __dirname,
+  recommendedConfig: js.configs.recommended,
+  allConfig: js.configs.all,
+});

-export default typescriptEslint.config([
-  eslintPluginUnicorn.configs.recommended,
-  eslintPluginPrettierRecommended,
-  js.configs.recommended,
-  typescriptEslint.configs.recommended,
+export default [
  {
    ignores: ['eslint.config.mjs'],
  },
+  ...compat.extends(
+    'plugin:@typescript-eslint/recommended',
+    'plugin:prettier/recommended',
+    'plugin:unicorn/recommended',
+  ),
  {
+    plugins: {
+      '@typescript-eslint': typescriptEslint,
+    },
+
    languageOptions: {
      globals: {
        ...globals.node,
      },

-      parser: typescriptEslint.parser,
+      parser: tsParser,
      ecmaVersion: 5,
      sourceType: 'module',

@@ -52,4 +62,4 @@ export default typescriptEslint.config([
      'object-shorthand': ['error', 'always'],
    },
  },
-]);
+];
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -1,6 +1,6 @@
 {
  "name": "immich-e2e",
-  "version": "1.132.3",
+  "version": "1.129.0",
  "description": "",
  "main": "index.js",
  "type": "module",
@@ -25,16 +25,18 @@
    "@immich/sdk": "file:../open-api/typescript-sdk",
    "@playwright/test": "^1.44.1",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^22.14.1",
+    "@types/node": "^22.13.9",
    "@types/oidc-provider": "^8.5.1",
    "@types/pg": "^8.11.0",
    "@types/pngjs": "^6.0.4",
    "@types/supertest": "^6.0.2",
+    "@typescript-eslint/eslint-plugin": "^8.15.0",
+    "@typescript-eslint/parser": "^8.15.0",
    "@vitest/coverage-v8": "^3.0.0",
    "eslint": "^9.14.0",
    "eslint-config-prettier": "^10.0.0",
    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-unicorn": "^57.0.0",
+    "eslint-plugin-unicorn": "^56.0.1",
    "exiftool-vendored": "^28.3.1",
    "globals": "^16.0.0",
    "jose": "^5.6.3",
@@ -47,7 +49,6 @@
    "socket.io-client": "^4.7.4",
    "supertest": "^7.0.0",
    "typescript": "^5.3.3",
-    "typescript-eslint": "^8.28.0",
    "utimes": "^5.2.1",
    "vitest": "^3.0.0"
  },
--- a/e2e/src/api/specs/activity.e2e-spec.ts
+++ b/e2e/src/api/specs/activity.e2e-spec.ts
@@ -46,6 +46,38 @@ describe('/activities', () => {
  });

  describe('GET /activities', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/activities');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should require an albumId', async () => {
+      const { status, body } = await request(app)
+        .get('/activities')
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toEqual(400);
+      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['albumId must be a UUID'])));
+    });
+
+    it('should reject an invalid albumId', async () => {
+      const { status, body } = await request(app)
+        .get('/activities')
+        .query({ albumId: uuidDto.invalid })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toEqual(400);
+      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['albumId must be a UUID'])));
+    });
+
+    it('should reject an invalid assetId', async () => {
+      const { status, body } = await request(app)
+        .get('/activities')
+        .query({ albumId: uuidDto.notFound, assetId: uuidDto.invalid })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toEqual(400);
+      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['assetId must be a UUID'])));
+    });
+
    it('should start off empty', async () => {
      const { status, body } = await request(app)
        .get('/activities')
@@ -160,6 +192,30 @@ describe('/activities', () => {
  });

  describe('POST /activities', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).post('/activities');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should require an albumId', async () => {
+      const { status, body } = await request(app)
+        .post('/activities')
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({ albumId: uuidDto.invalid });
+      expect(status).toEqual(400);
+      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['albumId must be a UUID'])));
+    });
+
+    it('should require a comment when type is comment', async () => {
+      const { status, body } = await request(app)
+        .post('/activities')
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({ albumId: uuidDto.notFound, type: 'comment', comment: null });
+      expect(status).toEqual(400);
+      expect(body).toEqual(errorDto.badRequest(['comment must be a string', 'comment should not be empty']));
+    });
+
    it('should add a comment to an album', async () => {
      const { status, body } = await request(app)
        .post('/activities')
@@ -274,6 +330,20 @@ describe('/activities', () => {
  });

  describe('DELETE /activities/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).delete(`/activities/${uuidDto.notFound}`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should require a valid uuid', async () => {
+      const { status, body } = await request(app)
+        .delete(`/activities/${uuidDto.invalid}`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
+    });
+
    it('should remove a comment from an album', async () => {
      const reaction = await createActivity({
        albumId: album.id,
--- a/e2e/src/api/specs/album.e2e-spec.ts
+++ b/e2e/src/api/specs/album.e2e-spec.ts
@@ -9,7 +9,7 @@ import {
  LoginResponseDto,
  SharedLinkType,
 } from '@immich/sdk';
-import { createUserDto } from 'src/fixtures';
+import { createUserDto, uuidDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
 import { app, asBearerAuth, utils } from 'src/utils';
 import request from 'supertest';
@@ -128,6 +128,28 @@ describe('/albums', () => {
  });

  describe('GET /albums', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/albums');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should reject an invalid shared param', async () => {
+      const { status, body } = await request(app)
+        .get('/albums?shared=invalid')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toEqual(400);
+      expect(body).toEqual(errorDto.badRequest(['shared must be a boolean value']));
+    });
+
+    it('should reject an invalid assetId param', async () => {
+      const { status, body } = await request(app)
+        .get('/albums?assetId=invalid')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toEqual(400);
+      expect(body).toEqual(errorDto.badRequest(['assetId must be a UUID']));
+    });
+
    it("should not show other users' favorites", async () => {
      const { status, body } = await request(app)
        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
@@ -301,6 +323,12 @@ describe('/albums', () => {
  });

  describe('GET /albums/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get(`/albums/${user1Albums[0].id}`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should return album info for own album', async () => {
      const { status, body } = await request(app)
        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
@@ -393,6 +421,12 @@ describe('/albums', () => {
  });

  describe('GET /albums/statistics', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/albums/statistics');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should return total count of albums the user has access to', async () => {
      const { status, body } = await request(app)
        .get('/albums/statistics')
@@ -404,6 +438,12 @@ describe('/albums', () => {
  });

  describe('POST /albums', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).post('/albums').send({ albumName: 'New album' });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should create an album', async () => {
      const { status, body } = await request(app)
        .post('/albums')
@@ -431,6 +471,12 @@ describe('/albums', () => {
  });

  describe('PUT /albums/:id/assets', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).put(`/albums/${user1Albums[0].id}/assets`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should be able to add own asset to own album', async () => {
      const asset = await utils.createAsset(user1.accessToken);
      const { status, body } = await request(app)
@@ -480,6 +526,14 @@ describe('/albums', () => {
  });

  describe('PATCH /albums/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .patch(`/albums/${uuidDto.notFound}`)
+        .send({ albumName: 'New album name' });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should update an album', async () => {
      const album = await utils.createAlbum(user1.accessToken, {
        albumName: 'New album',
@@ -522,6 +576,15 @@ describe('/albums', () => {
  });

  describe('DELETE /albums/:id/assets', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .delete(`/albums/${user1Albums[0].id}/assets`)
+        .send({ ids: [user1Asset1.id] });
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should require authorization', async () => {
      const { status, body } = await request(app)
        .delete(`/albums/${user1Albums[1].id}/assets`)
@@ -616,6 +679,13 @@ describe('/albums', () => {
      });
    });

+    it('should require authentication', async () => {
+      const { status, body } = await request(app).put(`/albums/${user1Albums[0].id}/users`).send({ sharedUserIds: [] });
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should be able to add user to own album', async () => {
      const { status, body } = await request(app)
        .put(`/albums/${album.id}/users`)
--- a/e2e/src/api/specs/api-key.e2e-spec.ts
+++ b/e2e/src/api/specs/api-key.e2e-spec.ts
@@ -1,5 +1,5 @@
 import { LoginResponseDto, Permission, createApiKey } from '@immich/sdk';
-import { createUserDto } from 'src/fixtures';
+import { createUserDto, uuidDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
 import { app, asBearerAuth, utils } from 'src/utils';
 import request from 'supertest';
@@ -24,6 +24,12 @@ describe('/api-keys', () => {
  });

  describe('POST /api-keys', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).post('/api-keys').send({ name: 'API Key' });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should not work without permission', async () => {
      const { secret } = await create(user.accessToken, [Permission.ApiKeyRead]);
      const { status, body } = await request(app).post('/api-keys').set('x-api-key', secret).send({ name: 'API Key' });
@@ -93,6 +99,12 @@ describe('/api-keys', () => {
  });

  describe('GET /api-keys', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/api-keys');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should start off empty', async () => {
      const { status, body } = await request(app).get('/api-keys').set('Authorization', `Bearer ${admin.accessToken}`);
      expect(body).toEqual([]);
@@ -113,6 +125,12 @@ describe('/api-keys', () => {
  });

  describe('GET /api-keys/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get(`/api-keys/${uuidDto.notFound}`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should require authorization', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -122,6 +140,14 @@ describe('/api-keys', () => {
      expect(body).toEqual(errorDto.badRequest('API Key not found'));
    });

+    it('should require a valid uuid', async () => {
+      const { status, body } = await request(app)
+        .get(`/api-keys/${uuidDto.invalid}`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
+    });
+
    it('should get api key details', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -139,6 +165,12 @@ describe('/api-keys', () => {
  });

  describe('PUT /api-keys/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).put(`/api-keys/${uuidDto.notFound}`).send({ name: 'new name' });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should require authorization', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -149,6 +181,15 @@ describe('/api-keys', () => {
      expect(body).toEqual(errorDto.badRequest('API Key not found'));
    });

+    it('should require a valid uuid', async () => {
+      const { status, body } = await request(app)
+        .put(`/api-keys/${uuidDto.invalid}`)
+        .send({ name: 'new name' })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
+    });
+
    it('should update api key details', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -167,6 +208,12 @@ describe('/api-keys', () => {
  });

  describe('DELETE /api-keys/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).delete(`/api-keys/${uuidDto.notFound}`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should require authorization', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -176,6 +223,14 @@ describe('/api-keys', () => {
      expect(body).toEqual(errorDto.badRequest('API Key not found'));
    });

+    it('should require a valid uuid', async () => {
+      const { status, body } = await request(app)
+        .delete(`/api-keys/${uuidDto.invalid}`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
+    });
+
    it('should delete an api key', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status } = await request(app)
--- a/e2e/src/api/specs/asset.e2e-spec.ts
+++ b/e2e/src/api/specs/asset.e2e-spec.ts
@@ -3,7 +3,6 @@ import {
  AssetMediaStatus,
  AssetResponseDto,
  AssetTypeEnum,
-  AssetVisibility,
  getAssetInfo,
  getMyUser,
  LoginResponseDto,
@@ -23,9 +22,27 @@ import { app, asBearerAuth, tempDir, TEN_TIMES, testAssetDir, utils } from 'src/
 import request from 'supertest';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';

+const makeUploadDto = (options?: { omit: string }): Record<string, any> => {
+  const dto: Record<string, any> = {
+    deviceAssetId: 'example-image',
+    deviceId: 'TEST',
+    fileCreatedAt: new Date().toISOString(),
+    fileModifiedAt: new Date().toISOString(),
+    isFavorite: 'testing',
+    duration: '0:00:00.000000',
+  };
+
+  const omit = options?.omit;
+  if (omit) {
+    delete dto[omit];
+  }
+
+  return dto;
+};
+
 const locationAssetFilepath = `${testAssetDir}/metadata/gps-position/thompson-springs.jpg`;
 const ratingAssetFilepath = `${testAssetDir}/metadata/rating/mongolels.jpg`;
-const facesAssetDir = `${testAssetDir}/metadata/faces`;
+const facesAssetFilepath = `${testAssetDir}/metadata/faces/portrait.jpg`;

 const readTags = async (bytes: Buffer, filename: string) => {
  const filepath = join(tempDir, filename);
@@ -120,9 +137,9 @@ describe('/asset', () => {
      // stats
      utils.createAsset(statsUser.accessToken),
      utils.createAsset(statsUser.accessToken, { isFavorite: true }),
-      utils.createAsset(statsUser.accessToken, { visibility: AssetVisibility.Archive }),
+      utils.createAsset(statsUser.accessToken, { isArchived: true }),
      utils.createAsset(statsUser.accessToken, {
-        visibility: AssetVisibility.Archive,
+        isArchived: true,
        isFavorite: true,
        assetData: { filename: 'example.mp4' },
      }),
@@ -143,6 +160,13 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id/original', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get(`/assets/${uuidDto.notFound}/original`);
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should download the file', async () => {
      const response = await request(app)
        .get(`/assets/${user1Assets[0].id}/original`)
@@ -154,6 +178,20 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get(`/assets/${uuidDto.notFound}`);
+      expect(body).toEqual(errorDto.unauthorized);
+      expect(status).toBe(401);
+    });
+
+    it('should require a valid id', async () => {
+      const { status, body } = await request(app)
+        .get(`/assets/${uuidDto.invalid}`)
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
+    });
+
    it('should require access', async () => {
      const { status, body } = await request(app)
        .get(`/assets/${user2Assets[0].id}`)
@@ -186,19 +224,27 @@ describe('/asset', () => {
      });
    });

-    describe('faces', () => {
-      const metadataFaceTests = [
-        {
-          description: 'without orientation',
+    it('should get the asset faces', async () => {
+      const config = await utils.getSystemConfig(admin.accessToken);
+      config.metadata.faces.import = true;
+      await updateConfig({ systemConfigDto: config }, { headers: asBearerAuth(admin.accessToken) });
+
+      // asset faces
+      const facesAsset = await utils.createAsset(admin.accessToken, {
+        assetData: {
          filename: 'portrait.jpg',
+          bytes: await readFile(facesAssetFilepath),
        },
-        {
-          description: 'adjusting face regions to orientation',
-          filename: 'portrait-orientation-6.jpg',
-        },
-      ];
-      // should produce same resulting face region coordinates for any orientation
-      const expectedFaces = [
+      });
+
+      await utils.waitForWebsocketEvent({ event: 'assetUpload', id: facesAsset.id });
+
+      const { status, body } = await request(app)
+        .get(`/assets/${facesAsset.id}`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(200);
+      expect(body.id).toEqual(facesAsset.id);
+      expect(body.people).toMatchObject([
        {
          name: 'Marie Curie',
          birthDate: null,
@@ -233,30 +279,7 @@ describe('/asset', () => {
            },
          ],
        },
-      ];
-
-      it.each(metadataFaceTests)('should get the asset faces from $filename $description', async ({ filename }) => {
-        const config = await utils.getSystemConfig(admin.accessToken);
-        config.metadata.faces.import = true;
-        await updateConfig({ systemConfigDto: config }, { headers: asBearerAuth(admin.accessToken) });
-
-        const facesAsset = await utils.createAsset(admin.accessToken, {
-          assetData: {
-            filename,
-            bytes: await readFile(`${facesAssetDir}/${filename}`),
-          },
-        });
-
-        await utils.waitForWebsocketEvent({ event: 'assetUpload', id: facesAsset.id });
-
-        const { status, body } = await request(app)
-          .get(`/assets/${facesAsset.id}`)
-          .set('Authorization', `Bearer ${admin.accessToken}`);
-
-        expect(status).toBe(200);
-        expect(body.id).toEqual(facesAsset.id);
-        expect(body.people).toMatchObject(expectedFaces);
-      });
+      ]);
    });

    it('should work with a shared link', async () => {
@@ -310,7 +333,7 @@ describe('/asset', () => {
      });

      it('disallows viewing archived assets', async () => {
-        const asset = await utils.createAsset(user1.accessToken, { visibility: AssetVisibility.Archive });
+        const asset = await utils.createAsset(user1.accessToken, { isArchived: true });

        const { status } = await request(app)
          .get(`/assets/${asset.id}`)
@@ -331,6 +354,13 @@ describe('/asset', () => {
  });

  describe('GET /assets/statistics', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/assets/statistics');
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should return stats of all assets', async () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
@@ -354,7 +384,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
        .set('Authorization', `Bearer ${statsUser.accessToken}`)
-        .query({ visibility: AssetVisibility.Archive });
+        .query({ isArchived: true });

      expect(status).toBe(200);
      expect(body).toEqual({ images: 1, videos: 1, total: 2 });
@@ -364,7 +394,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
        .set('Authorization', `Bearer ${statsUser.accessToken}`)
-        .query({ isFavorite: true, visibility: AssetVisibility.Archive });
+        .query({ isFavorite: true, isArchived: true });

      expect(status).toBe(200);
      expect(body).toEqual({ images: 0, videos: 1, total: 1 });
@@ -374,7 +404,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
        .set('Authorization', `Bearer ${statsUser.accessToken}`)
-        .query({ isFavorite: false, visibility: AssetVisibility.Timeline });
+        .query({ isFavorite: false, isArchived: false });

      expect(status).toBe(200);
      expect(body).toEqual({ images: 1, videos: 0, total: 1 });
@@ -395,6 +425,13 @@ describe('/asset', () => {
      await utils.waitForQueueFinish(admin.accessToken, 'thumbnailGeneration');
    });

+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/assets/random');
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it.each(TEN_TIMES)('should return 1 random assets', async () => {
      const { status, body } = await request(app)
        .get('/assets/random')
@@ -430,9 +467,31 @@ describe('/asset', () => {
      expect(status).toBe(200);
      expect(body).toEqual([expect.objectContaining({ id: user2Assets[0].id })]);
    });
+
+    it('should return error', async () => {
+      const { status } = await request(app)
+        .get('/assets/random?count=ABC')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(400);
+    });
  });

  describe('PUT /assets/:id', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).put(`/assets/:${uuidDto.notFound}`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should require a valid id', async () => {
+      const { status, body } = await request(app)
+        .put(`/assets/${uuidDto.invalid}`)
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
+    });
+
    it('should require access', async () => {
      const { status, body } = await request(app)
        .put(`/assets/${user2Assets[0].id}`)
@@ -460,7 +519,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .put(`/assets/${user1Assets[0].id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ visibility: AssetVisibility.Archive });
+        .send({ isArchived: true });
      expect(body).toMatchObject({ id: user1Assets[0].id, isArchived: true });
      expect(status).toEqual(200);
    });
@@ -560,6 +619,28 @@ describe('/asset', () => {
      expect(status).toEqual(200);
    });

+    it('should reject invalid gps coordinates', async () => {
+      for (const test of [
+        { latitude: 12 },
+        { longitude: 12 },
+        { latitude: 12, longitude: 'abc' },
+        { latitude: 'abc', longitude: 12 },
+        { latitude: null, longitude: 12 },
+        { latitude: 12, longitude: null },
+        { latitude: 91, longitude: 12 },
+        { latitude: -91, longitude: 12 },
+        { latitude: 12, longitude: -181 },
+        { latitude: 12, longitude: 181 },
+      ]) {
+        const { status, body } = await request(app)
+          .put(`/assets/${user1Assets[0].id}`)
+          .send(test)
+          .set('Authorization', `Bearer ${user1.accessToken}`);
+        expect(status).toBe(400);
+        expect(body).toEqual(errorDto.badRequest());
+      }
+    });
+
    it('should update gps data', async () => {
      const { status, body } = await request(app)
        .put(`/assets/${user1Assets[0].id}`)
@@ -631,6 +712,17 @@ describe('/asset', () => {
      expect(status).toEqual(200);
    });

+    it('should reject invalid rating', async () => {
+      for (const test of [{ rating: 7 }, { rating: 3.5 }, { rating: null }]) {
+        const { status, body } = await request(app)
+          .put(`/assets/${user1Assets[0].id}`)
+          .send(test)
+          .set('Authorization', `Bearer ${user1.accessToken}`);
+        expect(status).toBe(400);
+        expect(body).toEqual(errorDto.badRequest());
+      }
+    });
+
    it('should return tagged people', async () => {
      const { status, body } = await request(app)
        .put(`/assets/${user1Assets[0].id}`)
@@ -654,6 +746,25 @@ describe('/asset', () => {
  });

  describe('DELETE /assets', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .delete(`/assets`)
+        .send({ ids: [uuidDto.notFound] });
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should require a valid uuid', async () => {
+      const { status, body } = await request(app)
+        .delete(`/assets`)
+        .send({ ids: [uuidDto.invalid] })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest(['each value in ids must be a UUID']));
+    });
+
    it('should throw an error when the id is not found', async () => {
      const { status, body } = await request(app)
        .delete(`/assets`)
@@ -766,6 +877,13 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id/thumbnail', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get(`/assets/${locationAsset.id}/thumbnail`);
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should not include gps data for webp thumbnails', async () => {
      await utils.waitForWebsocketEvent({
        event: 'assetUpload',
@@ -801,6 +919,13 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id/original', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get(`/assets/${locationAsset.id}/original`);
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should download the original', async () => {
      const { status, body, type } = await request(app)
        .get(`/assets/${locationAsset.id}/original`)
@@ -821,9 +946,43 @@ describe('/asset', () => {
    });
  });

+  describe('PUT /assets', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).put('/assets');
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+  });
+
  describe('POST /assets', () => {
    beforeAll(setupTests, 30_000);

+    it('should require authentication', async () => {
+      const { status, body } = await request(app).post(`/assets`);
+      expect(body).toEqual(errorDto.unauthorized);
+      expect(status).toBe(401);
+    });
+
+    it.each([
+      { should: 'require `deviceAssetId`', dto: { ...makeUploadDto({ omit: 'deviceAssetId' }) } },
+      { should: 'require `deviceId`', dto: { ...makeUploadDto({ omit: 'deviceId' }) } },
+      { should: 'require `fileCreatedAt`', dto: { ...makeUploadDto({ omit: 'fileCreatedAt' }) } },
+      { should: 'require `fileModifiedAt`', dto: { ...makeUploadDto({ omit: 'fileModifiedAt' }) } },
+      { should: 'require `duration`', dto: { ...makeUploadDto({ omit: 'duration' }) } },
+      { should: 'throw if `isFavorite` is not a boolean', dto: { ...makeUploadDto(), isFavorite: 'not-a-boolean' } },
+      { should: 'throw if `isVisible` is not a boolean', dto: { ...makeUploadDto(), isVisible: 'not-a-boolean' } },
+      { should: 'throw if `isArchived` is not a boolean', dto: { ...makeUploadDto(), isArchived: 'not-a-boolean' } },
+    ])('should $should', async ({ dto }) => {
+      const { status, body } = await request(app)
+        .post('/assets')
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .attach('assetData', makeRandomImage(), 'example.png')
+        .field(dto);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest());
+    });
+
    const tests = [
      {
        input: 'formats/avif/8bit-sRGB.avif',
@@ -982,7 +1141,7 @@ describe('/asset', () => {
            fNumber: 8,
            focalLength: 97,
            iso: 100,
-            lensModel: 'Sony E PZ 18-105mm F4 G OSS',
+            lensModel: 'E PZ 18-105mm F4 G OSS',
            fileSizeInByte: 25_001_984,
            dateTimeOriginal: '2016-09-27T10:51:44+00:00',
            orientation: '1',
@@ -1004,7 +1163,7 @@ describe('/asset', () => {
            fNumber: 22,
            focalLength: 25,
            iso: 100,
-            lensModel: 'Zeiss Batis 25mm F2',
+            lensModel: 'E 25mm F2',
            fileSizeInByte: 49_512_448,
            dateTimeOriginal: '2016-01-08T14:08:01+00:00',
            orientation: '1',
@@ -1075,7 +1234,7 @@ describe('/asset', () => {
            focalLength: 18.3,
            iso: 100,
            latitude: 36.613_24,
-            lensModel: '18.3mm F2.8',
+            lensModel: 'GR LENS 18.3mm F2.8',
            longitude: -121.897_85,
            make: 'RICOH IMAGING COMPANY, LTD.',
            model: 'RICOH GR III',
@@ -1085,21 +1244,30 @@ describe('/asset', () => {
      },
    ];

-    it.each(tests)(`should upload and generate a thumbnail for different file types`, async ({ input, expected }) => {
-      const filepath = join(testAssetDir, input);
-      const response = await utils.createAsset(admin.accessToken, {
-        assetData: { bytes: await readFile(filepath), filename: basename(filepath) },
-      });
+    it(`should upload and generate a thumbnail for different file types`, async () => {
+      // upload in parallel
+      const assets = await Promise.all(
+        tests.map(async ({ input }) => {
+          const filepath = join(testAssetDir, input);
+          return utils.createAsset(admin.accessToken, {
+            assetData: { bytes: await readFile(filepath), filename: basename(filepath) },
+          });
+        }),
+      );

-      expect(response.status).toBe(AssetMediaStatus.Created);
-      const id = response.id;
-      // longer timeout as the thumbnail generation from full-size raw files can take a while
-      await utils.waitForWebsocketEvent({ event: 'assetUpload', id });
+      for (const { id, status } of assets) {
+        expect(status).toBe(AssetMediaStatus.Created);
+        await utils.waitForWebsocketEvent({ event: 'assetUpload', id });
+      }

-      const asset = await utils.getAssetInfo(admin.accessToken, id);
-      expect(asset.exifInfo).toBeDefined();
-      expect(asset.exifInfo).toMatchObject(expected.exifInfo);
-      expect(asset).toMatchObject(expected);
+      for (const [i, { id }] of assets.entries()) {
+        const { expected } = tests[i];
+        const asset = await utils.getAssetInfo(admin.accessToken, id);
+
+        expect(asset.exifInfo).toBeDefined();
+        expect(asset.exifInfo).toMatchObject(expected.exifInfo);
+        expect(asset).toMatchObject(expected);
+      }
    });

    it('should handle a duplicate', async () => {
--- a/e2e/src/api/specs/audit.e2e-spec.ts
+++ b/e2e/src/api/specs/audit.e2e-spec.ts
@@ -0,0 +1,43 @@
+import { deleteAssets, getAuditFiles, updateAsset, type LoginResponseDto } from '@immich/sdk';
+import { asBearerAuth, utils } from 'src/utils';
+import { beforeAll, describe, expect, it } from 'vitest';
+
+describe('/audits', () => {
+  let admin: LoginResponseDto;
+
+  beforeAll(async () => {
+    await utils.resetDatabase();
+    await utils.resetFilesystem();
+
+    admin = await utils.adminSetup();
+  });
+
+  // TODO: Enable these tests again once #7436 is resolved as these were flaky
+  describe.skip('GET :/file-report', () => {
+    it('excludes assets without issues from report', async () => {
+      const [trashedAsset, archivedAsset] = await Promise.all([
+        utils.createAsset(admin.accessToken),
+        utils.createAsset(admin.accessToken),
+        utils.createAsset(admin.accessToken),
+      ]);
+
+      await Promise.all([
+        deleteAssets({ assetBulkDeleteDto: { ids: [trashedAsset.id] } }, { headers: asBearerAuth(admin.accessToken) }),
+        updateAsset(
+          {
+            id: archivedAsset.id,
+            updateAssetDto: { isArchived: true },
+          },
+          { headers: asBearerAuth(admin.accessToken) },
+        ),
+      ]);
+
+      const body = await getAuditFiles({
+        headers: asBearerAuth(admin.accessToken),
+      });
+
+      expect(body.orphans).toHaveLength(0);
+      expect(body.extras).toHaveLength(0);
+    });
+  });
+});
--- a/e2e/src/api/specs/auth.e2e-spec.ts
+++ b/e2e/src/api/specs/auth.e2e-spec.ts
@@ -5,7 +5,7 @@ import { app, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeEach, describe, expect, it } from 'vitest';

-const { email, password } = signupDto.admin;
+const { name, email, password } = signupDto.admin;

 describe(`/auth/admin-sign-up`, () => {
  beforeEach(async () => {
@@ -13,12 +13,58 @@ describe(`/auth/admin-sign-up`, () => {
  });

  describe('POST /auth/admin-sign-up', () => {
+    const invalid = [
+      {
+        should: 'require an email address',
+        data: { name, password },
+      },
+      {
+        should: 'require a password',
+        data: { name, email },
+      },
+      {
+        should: 'require a name',
+        data: { email, password },
+      },
+      {
+        should: 'require a valid email',
+        data: { name, email: 'immich', password },
+      },
+    ];
+
+    for (const { should, data } of invalid) {
+      it(`should ${should}`, async () => {
+        const { status, body } = await request(app).post('/auth/admin-sign-up').send(data);
+        expect(status).toEqual(400);
+        expect(body).toEqual(errorDto.badRequest());
+      });
+    }
+
    it(`should sign up the admin`, async () => {
      const { status, body } = await request(app).post('/auth/admin-sign-up').send(signupDto.admin);
      expect(status).toBe(201);
      expect(body).toEqual(signupResponseDto.admin);
    });

+    it('should sign up the admin with a local domain', async () => {
+      const { status, body } = await request(app)
+        .post('/auth/admin-sign-up')
+        .send({ ...signupDto.admin, email: 'admin@local' });
+      expect(status).toEqual(201);
+      expect(body).toEqual({
+        ...signupResponseDto.admin,
+        email: 'admin@local',
+      });
+    });
+
+    it('should transform email to lower case', async () => {
+      const { status, body } = await request(app)
+        .post('/auth/admin-sign-up')
+        .send({ ...signupDto.admin, email: 'aDmIn@IMMICH.cloud' });
+      expect(status).toEqual(201);
+      expect(body).toEqual(signupResponseDto.admin);
+    });
+
    it('should not allow a second admin to sign up', async () => {
      await signUpAdmin({ signUpDto: signupDto.admin });

@@ -46,6 +92,22 @@ describe('/auth/*', () => {
      expect(body).toEqual(errorDto.incorrectLogin);
    });

+    for (const key of Object.keys(loginDto.admin)) {
+      it(`should not allow null ${key}`, async () => {
+        const { status, body } = await request(app)
+          .post('/auth/login')
+          .send({ ...loginDto.admin, [key]: null });
+        expect(status).toBe(400);
+        expect(body).toEqual(errorDto.badRequest());
+      });
+
+      it('should reject an invalid email', async () => {
+        const { status, body } = await request(app).post('/auth/login').send({ email: [], password });
+        expect(status).toBe(400);
+        expect(body).toEqual(errorDto.invalidEmail);
+      });
+    }
+
    it('should accept a correct password', async () => {
      const { status, body, headers } = await request(app).post('/auth/login').send({ email, password });
      expect(status).toBe(201);
@@ -100,6 +162,14 @@ describe('/auth/*', () => {
  });

  describe('POST /auth/change-password', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .post(`/auth/change-password`)
+        .send({ password, newPassword: 'Password1234' });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should require the current password', async () => {
      const { status, body } = await request(app)
        .post(`/auth/change-password`)
--- a/e2e/src/api/specs/download.e2e-spec.ts
+++ b/e2e/src/api/specs/download.e2e-spec.ts
@@ -1,5 +1,6 @@
 import { AssetMediaResponseDto, LoginResponseDto } from '@immich/sdk';
 import { readFile, writeFile } from 'node:fs/promises';
+import { errorDto } from 'src/responses';
 import { app, tempDir, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeAll, describe, expect, it } from 'vitest';
@@ -16,6 +17,15 @@ describe('/download', () => {
  });

  describe('POST /download/info', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .post(`/download/info`)
+        .send({ assetIds: [asset1.id] });
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should download info', async () => {
      const { status, body } = await request(app)
        .post('/download/info')
@@ -32,6 +42,15 @@ describe('/download', () => {
  });

  describe('POST /download/archive', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .post(`/download/archive`)
+        .send({ assetIds: [asset1.id, asset2.id] });
+
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
    it('should download an archive', async () => {
      const { status, body } = await request(app)
        .post('/download/archive')
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
mertalev	338f8dc233	update docs	2025-03-15 00:12:07 -04:00
mertalev	f2a98ab523	organize imports	2025-03-15 00:11:21 -04:00
mertalev	9e689e835e	add rk3568	2025-03-15 00:07:00 -04:00
mertalev	76eb285204	set log level	2025-03-14 23:37:39 -04:00
mertalev	bc9bec8673	formatting	2025-03-14 17:01:23 -04:00
mertalev	a9508fc5c8	clarify throughput vs latency	2025-03-14 16:49:40 -04:00
mertalev	678cb8938a	comparison with arm nn in docs	2025-03-14 16:42:01 -04:00
mertalev	1785d0916b	update tests	2025-03-14 16:07:35 -04:00
mertalev	fedbecc9f2	fix	2025-03-14 15:46:47 -04:00
mertalev	7fc47600f5	remove unused import	2025-03-14 15:35:14 -04:00
mertalev	4db85a8954	more linting	2025-03-14 15:30:11 -04:00
mertalev	bd9374e4a9	linting	2025-03-14 15:04:46 -04:00
mertalev	0f1a551842	fix retry	2025-03-14 14:29:07 -04:00
mertalev	323bcde733	add rk3576	2025-03-13 18:11:35 -04:00
mertalev	4b57fb5b37	add siglip2 models	2025-03-13 18:10:00 -04:00
mertalev	b959ae2570	handle facial recognition models	2025-03-13 17:53:41 -04:00
mertalev	e3d041e3c2	remove import	2025-03-13 17:34:07 -04:00
mertalev	2ba2c597e5	no flash attention for now	2025-03-13 17:32:19 -04:00
mertalev	9958ac9ec9	upload to hf	2025-03-13 17:31:41 -04:00
mertalev	c57c562166	export cli	2025-03-12 22:50:29 -04:00
mertalev	ce2a41826e	quoted type	2025-03-11 19:20:14 -04:00
mertalev	ec0fa4d52b	refactor	2025-03-11 18:43:25 -04:00
mertalev	f5e44f12e1	Merge remote-tracking branch 'origin/main' into rknn-toolkit-lite2	2025-03-11 12:42:25 -04:00
yoni13	6e08f1f371	dont stuck on core_0 on rk3588 but untested	2025-01-25 19:14:34 +08:00
Yoni Yang	3ed5d3dbac	Merge branch 'main' into rknn-toolkit-lite2	2025-01-24 16:49:10 +08:00
Yoni Yang	f9387d8478	Merge branch 'main' into rknn-toolkit-lite2	2025-01-24 12:20:29 +08:00
Yoni Yang	4bb98471f4	Merge branch 'main' into rknn-toolkit-lite2	2025-01-23 23:22:24 +08:00
Yoni Yang	794da29411	Merge branch 'main' into rknn-toolkit-lite2	2025-01-22 11:43:59 +08:00
yoni13	dd52c2d68c	Update permission	2025-01-19 23:19:44 +08:00
Yoni Yang	59e4b6598e	Merge branch 'main' into rknn-toolkit-lite2	2025-01-19 21:50:47 +08:00
yoni13	20ba9f97e9	update mapping	2025-01-19 13:15:38 +00:00
yoni13	ac4ce3ea9c	add input outputs	2025-01-19 12:10:01 +00:00
yoni13	2b967ca358	raise NotImplementedError for now	2025-01-19 12:02:08 +08:00
yoni13	1653cd9cd7	update supported SOCs	2025-01-18 17:38:44 +08:00
yoni13	32f3707e52	fix types and ignored pattern	2025-01-18 17:17:48 +08:00
yoni13	58f1cc92d7	prettier happy	2025-01-18 17:03:49 +08:00
yoni13	d2b7e10f55	shellcheck happy	2025-01-18 16:56:15 +08:00
yoni13	b3ae5d34cc	fix typo in tests	2025-01-18 16:54:18 +08:00
Yoni Yang	4e42fbc091	Merge branch 'main' into rknn-toolkit-lite2	2025-01-18 16:45:38 +08:00
yoni13	9926045d5e	add a simple script to notify user if some op is not supported	2025-01-18 16:32:08 +08:00
yoni13	d7381ab5c1	refactor ignore_patterns	2025-01-18 04:48:11 +00:00
yoni13	87a46dcc5e	remove unnecessary print	2025-01-18 11:30:49 +08:00
yoni13	be76857ae6	make these functions snake case.	2025-01-18 11:03:54 +08:00
yoni13	f5de3de163	fix typo and add a propper var name	2025-01-18 10:46:57 +08:00
yoni13	3634ae1f5b	fix granularity	2025-01-18 09:58:39 +08:00
yoni13	05675921be	remove unrequired devices	2025-01-17 20:09:50 +08:00
yoni13	f067212491	tpe	2025-01-17 19:56:23 +08:00
yoni13	bc48b67379	switch to sha256	2025-01-17 19:42:23 +08:00
yoni13	26d5fb0ac6	add checksum for libnnrt.so	2025-01-17 19:39:26 +08:00
yoni13	f32d991131	changes some cases	2025-01-17 19:25:01 +08:00
yoni13	9882b83cd4	Should FIx the quote that made mypy unhappy	2025-01-15 00:35:43 +08:00
yoni13	01eb09526e	trying to fix pytest	2025-01-15 00:28:48 +08:00
yoni13	b5a4ed5160	this duplicated?	2025-01-14 19:22:28 +08:00
yoni13	0f03f77e8e	remove non implemented tests	2025-01-14 19:02:16 +08:00
yoni13	c21ce40d9c	switch to Runtime error instead of exit()	2025-01-14 18:50:21 +08:00
Yoni Yang	cb01a11f19	Merge branch 'main' into rknn-toolkit-lite2	2025-01-14 18:44:31 +08:00
yoni13	5244ed6d4d	black app export	2025-01-14 18:40:28 +08:00
yoni13	8b80d034cb	fixed some bugs	2025-01-14 10:38:45 +00:00
yoni13	4b0f93cf6a	add test,founds bugs, fix it tomorrow	2025-01-14 01:08:44 +08:00
yoni13	6c4e6cb96f	reformat	2025-01-13 18:37:25 +08:00
yoni13	b6cc2054c5	ignore rknn model if not using it	2025-01-13 18:37:01 +08:00
Yoni Yang	f328104e84	Merge branch 'main' into rknn-toolkit-lite2	2025-01-13 18:33:05 +08:00
yoni13	2f7e44aa63	typing be happy.	2025-01-13 18:24:12 +08:00
yoni13	ebdfe1b7b6	Load model by SOC name	2025-01-13 17:08:16 +08:00
yoni13	daf886088a	Add export script	2025-01-13 05:44:22 +00:00
yoni13	4c7ac1438b	only load knnx model when required	2025-01-12 19:11:16 +00:00
Yoni Yang	8965a9fb16	Merge branch 'main' into rknn-toolkit-lite2	2025-01-13 01:41:55 +08:00
yoni13	7ae4b7129d	format be happy	2025-01-13 01:40:20 +08:00
yoni13	1775397a84	Sort them by alphablet	2025-01-13 01:38:14 +08:00
yoni13	68fccad462	Fix docs.	2025-01-13 01:11:32 +08:00
yoni13	bb67a9db6e	fix formatting	2025-01-13 00:50:49 +08:00
yoni13	c109e28686	DOCS	2025-01-13 00:44:22 +08:00
yoni13	e6ff21b345	set default thread num to 2, not everyone has 8 gigs of ram	2025-01-12 16:05:18 +08:00
yoni13	c665fd2625	Fix Please do not set this parameter on other platforms.	2025-01-12 01:29:24 +08:00
yoni13	c72cf61ed0	support core_mask for specfic socs	2025-01-12 01:24:24 +08:00
yoni13	19ee48f6f0	fix path	2025-01-12 01:09:36 +08:00
yoni13	efaf70eb9d	Set running threads from env	2025-01-12 01:02:16 +08:00
yoni13	665718b09e	add rknn to src	2025-01-11 21:11:30 +08:00
yoni13	807111e3b5	Should Fix No module named 'rknn'	2025-01-11 20:41:38 +08:00
yoni13	815ed1ae66	Install onnxruntime	2025-01-11 20:33:48 +08:00
yoni13	416211916d	Check if NPU drivers is loaded or not.	2025-01-11 17:59:16 +08:00
yoni13	23d0ea0e7b	ruff	2025-01-11 16:28:26 +08:00
yoni13	d5e453a773	ruff format	2025-01-11 16:26:17 +08:00
yoni13	7f2af6f819	Fix typo: rknnlite.api	2025-01-11 16:19:51 +08:00
yoni13	f4671f4886	Indentation issue	2025-01-11 16:16:26 +08:00
yoni13	7aaf3aa57b	Remove unused imports.	2025-01-11 16:03:33 +08:00
yoni13	506ca0d3a4	Dockerfile for rknn	2025-01-11 15:47:24 +08:00
yoni13	d5ef821b24	Set group RKNN to optional	2025-01-11 15:30:05 +08:00
yoni13	d10147f478	Handling Import and file not found Error for non-arm devices.	2025-01-11 15:19:53 +08:00
Yoni Yang	66004e3b83	Merge branch 'immich-app:main' into rknn-toolkit-lite2	2025-01-11 10:45:55 +08:00
yoni13	c20d110257	support for rknn.rknnpool.is_available	2025-01-11 10:39:45 +08:00
yoni13	a2722e16e7	Revert my changes to dockerfiles	2025-01-11 10:13:03 +08:00
yoni13	4d704e9f73	fix inf,-inf with 2 concurrency	2025-01-10 14:04:18 +00:00
Yoni Yang	9bc3e5b2e2	Update rknn.py	2025-01-10 20:20:21 +08:00
Yoni Yang	8608b9c6c5	Merge branch 'immich-app:main' into rknn-toolkit-lite2	2025-01-09 18:40:40 +08:00
yoni13	a94fad543b	all infrencing works with 1 max job concurrency	2025-01-09 10:38:40 +00:00
Yoni Yang	082c426e34	Merge branch 'immich-app:main' into rknn-toolkit-lite2	2024-12-25 20:24:17 +08:00
Yoni Yang	da152bd284	Merge branch 'immich-app:main' into rknn-toolkit-lite2	2024-12-13 13:46:24 +08:00
Yoni Yang	257cc6c963	Init commit for using rknn, RecognitionFormDataLoadTest doesnt work	2024-12-04 14:32:46 +00:00
Yoni Yang	4140e93aea	Merge branch 'immich-app:main' into rknn-toolkit-lite2	2024-12-04 13:15:14 +08:00
Yoni Yang	b6c4b37237	Merge branch 'immich-app:main' into rknn-toolkit2	2024-12-03 06:00:43 -08:00
Yoni Yang	bc849e2e9f	ViT-B-32__openai/textual/ Runs with emulator now.	2024-12-01 16:42:53 +00:00
Yoni Yang	7fddf282cf	lowercase	2024-11-30 14:24:38 +00:00
Yoni Yang	6ffc227330	test	2024-11-29 07:43:59 +00:00
Yoni Yang	8ef3e49f74	untested	2024-11-29 07:42:09 +00:00