chore(ci): add unified test report PR comment

Change-Id: I1cee5c74dcff06215bf8f75b307a2d296a6a6964
chore(ci): deduplicate e2e server image cache with docker.yml
2026-05-14 03:22:13 -04:00 · 2026-03-25 03:15:32 +00:00 · 2026-03-24 18:17:37 +00:00 · 2026-03-24 18:17:37 +00:00
1913 changed files with 94394 additions and 84286 deletions
@@ -6,12 +6,6 @@ mobile/openapi/**/*.dart linguist-generated=true
 mobile/lib/**/*.g.dart -diff -merge
 mobile/lib/**/*.g.dart linguist-generated=true

-mobile/android/**/*.g.kt -diff -merge
-mobile/android/**/*.g.kt linguist-generated=true
-
-mobile/ios/**/*.g.swift -diff -merge
-mobile/ios/**/*.g.swift linguist-generated=true
-
 mobile/lib/**/*.drift.dart -diff -merge
 mobile/lib/**/*.drift.dart linguist-generated=true

@@ -1 +1 @@
-24.15.0
+24.13.1
@@ -0,0 +1,395 @@
+import { readFileSync, appendFileSync, readdirSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { parseArgs } from "node:util";
+
+const { values } = parseArgs({
+  options: {
+    json: { type: "string" },
+    name: { type: "string" },
+    framework: { type: "string", default: "vitest" },
+    coverage: { type: "string" },
+    "pr-comment": { type: "boolean", default: false },
+    "artifacts-dir": { type: "string" },
+  },
+});
+
+function readJson(path) {
+  try {
+    return JSON.parse(readFileSync(path, "utf8"));
+  } catch {
+    return undefined;
+  }
+}
+
+function formatDuration(milliseconds) {
+  if (milliseconds < 1000) {
+    return `${milliseconds}ms`;
+  }
+  const seconds = milliseconds / 1000;
+  if (seconds < 60) {
+    return `${seconds.toFixed(1)}s`;
+  }
+  const minutes = Math.floor(seconds / 60);
+  const remainingSeconds = (seconds % 60).toFixed(0);
+  return `${minutes}m ${remainingSeconds}s`;
+}
+
+function parseVitestResults(data) {
+  const startTime = data.startTime ?? 0;
+  const endTime = Math.max(
+    ...(data.testResults ?? []).map((r) => r.endTime ?? 0),
+    startTime,
+  );
+
+  return {
+    total: data.numTotalTests ?? 0,
+    passed: data.numPassedTests ?? 0,
+    failed: data.numFailedTests ?? 0,
+    skipped: data.numPendingTests ?? 0,
+    flaky: 0,
+    duration: endTime - startTime,
+    success: data.success ?? false,
+  };
+}
+
+function parsePlaywrightResults(data) {
+  const stats = data.stats ?? {};
+  const passed = stats.expected ?? 0;
+  const failed = stats.unexpected ?? 0;
+  const flaky = stats.flaky ?? 0;
+  const skipped = stats.skipped ?? 0;
+
+  return {
+    total: passed + failed + flaky + skipped,
+    passed,
+    failed,
+    skipped,
+    flaky,
+    duration: stats.duration ?? 0,
+    success: failed === 0,
+  };
+}
+
+function parseCoverageSummary(data) {
+  const total = data.total ?? {};
+
+  const files = [];
+  for (const [filePath, entry] of Object.entries(data)) {
+    if (filePath === "total") {
+      continue;
+    }
+    files.push({
+      file: filePath.replace(/^.*?\/src\//, "src/"),
+      lines: entry.lines?.pct ?? 0,
+      branches: entry.branches?.pct ?? 0,
+      functions: entry.functions?.pct ?? 0,
+      statements: entry.statements?.pct ?? 0,
+    });
+  }
+  files.sort((a, b) => a.lines - b.lines);
+
+  return {
+    lines: total.lines?.pct ?? 0,
+    branches: total.branches?.pct ?? 0,
+    functions: total.functions?.pct ?? 0,
+    statements: total.statements?.pct ?? 0,
+    files,
+  };
+}
+
+function buildMarkdown(name, results, coverage) {
+  const statusIcon =
+    results.failed > 0
+      ? "\u274c"
+      : results.flaky > 0
+        ? "\u26a0\ufe0f"
+        : "\u2705";
+  const lines = [];
+
+  lines.push(`### ${statusIcon} ${name}`);
+  lines.push("");
+  lines.push("| Metric | Value |");
+  lines.push("|--------|-------|");
+  lines.push(`| Total | ${results.total} |`);
+  lines.push(`| Passed | ${results.passed} |`);
+  lines.push(`| Failed | ${results.failed} |`);
+  lines.push(`| Skipped | ${results.skipped} |`);
+  if (results.flaky > 0) {
+    lines.push(`| Flaky | ${results.flaky} |`);
+  }
+  lines.push(`| Duration | ${formatDuration(results.duration)} |`);
+  lines.push("");
+
+  if (coverage) {
+    lines.push("#### Coverage");
+    lines.push("");
+    lines.push("| Metric | Coverage |");
+    lines.push("|--------|----------|");
+    lines.push(`| Lines | ${coverage.lines}% |`);
+    lines.push(`| Branches | ${coverage.branches}% |`);
+    lines.push(`| Functions | ${coverage.functions}% |`);
+    lines.push(`| Statements | ${coverage.statements}% |`);
+    lines.push("");
+
+    if (coverage.files?.length > 0) {
+      lines.push("<details>");
+      lines.push(
+        `<summary>File coverage (${coverage.files.length} files)</summary>`,
+      );
+      lines.push("");
+      lines.push("| File | Lines | Branches | Functions |");
+      lines.push("|------|-------|----------|-----------|");
+      for (const file of coverage.files) {
+        lines.push(
+          `| ${file.file} | ${file.lines}% | ${file.branches}% | ${file.functions}% |`,
+        );
+      }
+      lines.push("");
+      lines.push("</details>");
+      lines.push("");
+    }
+  }
+
+  return lines.join("\n");
+}
+
+const ARTIFACT_CONFIGS = [
+  {
+    pattern: "report-server-unit",
+    name: "Server Unit Tests",
+    framework: "vitest",
+    testFile: "test-results.json",
+    coverageFile: "coverage/coverage-summary.json",
+  },
+  {
+    pattern: "report-web-unit",
+    name: "Web Unit Tests",
+    framework: "vitest",
+    testFile: "test-results.json",
+    coverageFile: "coverage/coverage-summary.json",
+  },
+  {
+    pattern: "report-server-medium",
+    name: "Server Medium Tests",
+    framework: "vitest",
+    testFile: "test-results-medium.json",
+    coverageFile: "coverage/coverage-summary.json",
+  },
+  {
+    pattern: "report-cli-unit",
+    name: "CLI Unit Tests",
+    framework: "vitest",
+    testFile: "test-results.json",
+    coverageFile: undefined,
+  },
+  {
+    pattern: "report-cli-unit-win",
+    name: "CLI Unit Tests (Windows)",
+    framework: "vitest",
+    testFile: "test-results.json",
+    coverageFile: undefined,
+  },
+  {
+    pattern: "report-e2e-server-cli-",
+    name: "E2E Server & CLI",
+    framework: "vitest",
+    testFile: "test-results.json",
+    coverageFile: undefined,
+  },
+  {
+    pattern: "report-e2e-server-maintenance-",
+    name: "E2E Server Maintenance",
+    framework: "vitest",
+    testFile: "test-results.json",
+    coverageFile: undefined,
+  },
+  {
+    pattern: "report-e2e-web-",
+    name: "E2E Web",
+    framework: "playwright",
+    testFile: "test-results.json",
+    coverageFile: undefined,
+  },
+  {
+    pattern: "report-e2e-web-ui-",
+    name: "E2E Web UI",
+    framework: "playwright",
+    testFile: "test-results.json",
+    coverageFile: undefined,
+  },
+  {
+    pattern: "report-e2e-web-maintenance-",
+    name: "E2E Web Maintenance",
+    framework: "playwright",
+    testFile: "test-results.json",
+    coverageFile: undefined,
+  },
+];
+
+function getStatusIcon(results) {
+  if (results.failed > 0) {
+    return "\u274c";
+  }
+  if (results.flaky > 0) {
+    return "\u26a0\ufe0f";
+  }
+  return "\u2705";
+}
+
+function discoverArtifacts(artifactsDir) {
+  const dirs = readdirSync(artifactsDir, { withFileTypes: true })
+    .filter((d) => d.isDirectory())
+    .map((d) => d.name);
+
+  const suites = [];
+
+  for (const dir of dirs) {
+    const config = ARTIFACT_CONFIGS.find((c) => dir.startsWith(c.pattern));
+    if (!config) {
+      continue;
+    }
+
+    const suffix = dir.slice(config.pattern.length);
+    const displayName = suffix ? `${config.name} (${suffix})` : config.name;
+
+    const testFilePath = join(artifactsDir, dir, config.testFile);
+    const testData = readJson(testFilePath);
+    if (!testData) {
+      continue;
+    }
+
+    const results =
+      config.framework === "playwright"
+        ? parsePlaywrightResults(testData)
+        : parseVitestResults(testData);
+
+    let coverage;
+    if (config.coverageFile) {
+      const coveragePath = join(artifactsDir, dir, config.coverageFile);
+      const coverageData = readJson(coveragePath);
+      if (coverageData) {
+        coverage = parseCoverageSummary(coverageData);
+      }
+    }
+
+    suites.push({ name: displayName, results, coverage });
+  }
+
+  return suites;
+}
+
+function buildPrComment(suites) {
+  if (suites.length === 0) {
+    return "## Test Report\n\nNo test results found.\n";
+  }
+
+  const lines = [];
+  const totalFailed = suites.reduce((s, r) => s + r.results.failed, 0);
+  const totalFlaky = suites.reduce((s, r) => s + r.results.flaky, 0);
+  const overallIcon =
+    totalFailed > 0 ? "\u274c" : totalFlaky > 0 ? "\u26a0\ufe0f" : "\u2705";
+
+  lines.push(`## ${overallIcon} Test Report`);
+  lines.push("");
+  lines.push("| Suite | Tests | Passed | Failed | Skipped | Duration |");
+  lines.push("|-------|------:|-------:|-------:|--------:|---------:|");
+
+  for (const suite of suites) {
+    const { results } = suite;
+    const icon = getStatusIcon(results);
+    const flaky = results.flaky > 0 ? ` (${results.flaky} flaky)` : "";
+    lines.push(
+      `| ${icon} ${suite.name} | ${results.total} | ${results.passed} | ${results.failed}${flaky} | ${results.skipped} | ${formatDuration(results.duration)} |`,
+    );
+  }
+  lines.push("");
+
+  const suitesWithCoverage = suites.filter((s) => s.coverage);
+  if (suitesWithCoverage.length > 0) {
+    lines.push("### Coverage");
+    lines.push("");
+    lines.push("| Suite | Lines | Branches | Functions | Statements |");
+    lines.push("|-------|------:|---------:|----------:|-----------:|");
+
+    for (const suite of suitesWithCoverage) {
+      const c = suite.coverage;
+      lines.push(
+        `| ${suite.name} | ${c.lines}% | ${c.branches}% | ${c.functions}% | ${c.statements}% |`,
+      );
+    }
+    lines.push("");
+
+    const allFiles = suitesWithCoverage.flatMap(
+      (s) =>
+        s.coverage.files?.map((f) => ({
+          ...f,
+          suite: s.name,
+        })) ?? [],
+    );
+
+    if (allFiles.length > 0) {
+      lines.push("<details>");
+      lines.push(`<summary>File coverage (${allFiles.length} files)</summary>`);
+      lines.push("");
+
+      for (const suite of suitesWithCoverage) {
+        if (!suite.coverage.files?.length) {
+          continue;
+        }
+        lines.push(`#### ${suite.name}`);
+        lines.push("");
+        lines.push("| File | Lines | Branches | Functions |");
+        lines.push("|------|------:|---------:|----------:|");
+        for (const file of suite.coverage.files) {
+          lines.push(
+            `| ${file.file} | ${file.lines}% | ${file.branches}% | ${file.functions}% |`,
+          );
+        }
+        lines.push("");
+      }
+
+      lines.push("</details>");
+      lines.push("");
+    }
+  }
+
+  return lines.join("\n");
+}
+
+if (values["pr-comment"]) {
+  const artifactsDir = values["artifacts-dir"];
+  if (!artifactsDir || !existsSync(artifactsDir)) {
+    console.error(`Artifacts directory not found: ${artifactsDir}`);
+    process.exit(1);
+  }
+
+  const suites = discoverArtifacts(artifactsDir);
+  const markdown = buildPrComment(suites);
+  process.stdout.write(markdown);
+} else {
+  const summaryFile = process.env.GITHUB_STEP_SUMMARY;
+  if (!summaryFile) {
+    console.error("GITHUB_STEP_SUMMARY is not set");
+    process.exit(1);
+  }
+
+  const testData = readJson(values.json);
+  if (!testData) {
+    const fallback = `### \u26a0\ufe0f ${values.name}\n\nNo test results found at \`${values.json}\`\n\n`;
+    appendFileSync(summaryFile, fallback);
+    process.exit(0);
+  }
+
+  const results =
+    values.framework === "playwright"
+      ? parsePlaywrightResults(testData)
+      : parseVitestResults(testData);
+
+  const coverageData = values.coverage ? readJson(values.coverage) : undefined;
+  const coverage = coverageData
+    ? parseCoverageSummary(coverageData)
+    : undefined;
+
+  const markdown = buildMarkdown(values.name, results, coverage);
+  appendFileSync(summaryFile, markdown);
+}
@@ -30,17 +30,12 @@ jobs:
          while IFS= read -r header; do
            printf '%s\n' "$BODY" | grep -qF "$header" || OK=false
          done < <(sed '/<!--/,/-->/d' .github/pull_request_template.md | grep "^## ")
-          echo "uses_template=$OK" | tee --append "$GITHUB_OUTPUT"
+          echo "uses_template=$OK" >> "$GITHUB_OUTPUT"

  close_template:
    runs-on: ubuntu-latest
    needs: parse_template
-    if: >-
-      ${{
-        needs.parse_template.outputs.uses_template == 'false'
-        && github.event.pull_request.state != 'closed'
-        && !contains(github.event.pull_request.labels.*.name, 'auto-closed:template')
-      }}
+    if: ${{ needs.parse_template.outputs.uses_template == 'false' && github.event.pull_request.state != 'closed' }}
    permissions:
      pull-requests: write
    steps:
@@ -51,7 +46,7 @@ jobs:
        run: |
          gh api graphql \
            -f prId="$NODE_ID" \
-            -f body="This PR has been automatically closed as the description doesn't follow [our template](https://github.com/immich-app/immich/blob/main/.github/pull_request_template.md). After you edit it to match the template, the PR will automatically be reopened." \
+            -f body="This PR has been automatically closed as the description doesn't follow our template. After you edit it to match the template, the PR will automatically be reopened." \
            -f query='
              mutation CommentAndClosePR($prId: ID!, $body: String!) {
                addComment(input: {
@@ -71,7 +66,7 @@ jobs:
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --add-label "auto-closed:template"
+        run: gh pr edit "$PR_NUMBER" --add-label "auto-closed:template"

  close_llm:
    runs-on: ubuntu-latest
@@ -118,7 +113,7 @@ jobs:
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --remove-label "auto-closed:template" || true
+        run: gh pr edit "$PR_NUMBER" --remove-label "auto-closed:template" || true

      - name: Check for remaining auto-closed labels
        id: check_labels
@@ -126,9 +121,9 @@ jobs:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
-          REMAINING=$(gh pr view "$PR_NUMBER" --repo "${{ github.repository }}" --json labels \
+          REMAINING=$(gh pr view "$PR_NUMBER" --json labels \
            --jq '[.labels[].name | select(startswith("auto-closed:"))] | length')
-          echo "remaining=$REMAINING" | tee --append "$GITHUB_OUTPUT"
+          echo "remaining=$REMAINING" >> "$GITHUB_OUTPUT"

      - name: Reopen PR
        if: ${{ steps.check_labels.outputs.remaining == '0' }}
@@ -51,14 +51,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -79,9 +79,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -103,7 +103,7 @@ jobs:

      - name: Restore Gradle Cache
        id: cache-gradle-restore
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: |
            ~/.gradle/caches
@@ -114,14 +114,14 @@ jobs:
          key: build-mobile-gradle-${{ runner.os }}-main

      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
          cache: true

      - name: Setup Android SDK
-        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
+        uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2
        with:
          packages: ''

@@ -153,14 +153,14 @@ jobs:
          fi

      - name: Publish Android Artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk

      - name: Save Gradle Cache
        id: cache-gradle-save
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        if: github.ref == 'refs/heads/main'
        with:
          path: |
@@ -185,13 +185,13 @@ jobs:
        run: sudo xcode-select -s /Applications/Xcode_26.2.app/Contents/Developer

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false

      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -210,7 +210,7 @@ jobs:
        working-directory: ./mobile

      - name: Setup Ruby
-        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: true
@@ -291,7 +291,7 @@ jobs:
          security delete-keychain build.keychain || true

      - name: Upload IPA artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ios-release-ipa
          path: mobile/ios/Runner.ipa
@@ -19,9 +19,9 @@ jobs:
      actions: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check out code
@@ -24,7 +24,7 @@ jobs:
          persist-credentials: false

      - name: Check for breaking API changes
-        uses: oasdiff/oasdiff-action/breaking@37bf9ff785c7315df88216660826e71be4cc03da # v0.0.44
+        uses: oasdiff/oasdiff-action/breaking@748daafaf3aac877a36307f842a48d55db938ac8 # v0.0.31
        with:
          base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
          revision: open-api/immich-openapi-specs.json
@@ -31,9 +31,9 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -45,7 +45,7 @@ jobs:
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './cli/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
@@ -71,9 +71,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
@@ -89,7 +89,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          registry: ghcr.io
@@ -115,7 +115,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      - name: Build and push image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
@@ -35,7 +35,7 @@ jobs:
    needs: [get_body, should_run]
    if: ${{ needs.should_run.outputs.should_run == 'true' }}
    container:
-      image: ghcr.io/immich-app/mdq:main@sha256:32abe582452b12dff55055e1d6bc24508a8f17164f9d1831db7bb70953c014c6
+      image: ghcr.io/immich-app/mdq:main@sha256:4f9860d04c88f7f87861f8ee84bfeedaec15ed7ca5ca87bc7db44b036f81645f
    outputs:
      checked: ${{ steps.get_checkbox.outputs.checked }}
    steps:
@@ -44,9 +44,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout repository
@@ -57,7 +57,7 @@ jobs:

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          category: '/language:${{matrix.language}}'
@@ -23,14 +23,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -60,7 +60,7 @@ jobs:
        suffix: ['', '-cuda', '-rocm', '-openvino', '-armnn', '-rknn']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -90,7 +90,7 @@ jobs:
        suffix: ['']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -132,7 +132,7 @@ jobs:
            suffixes: '-rocm'
            platforms: linux/amd64
            runner-mapping: '{"linux/amd64": "pokedex-large"}'
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@bd49ed7a5a6022149f79b6564df48177476a822b # multi-runner-build-workflow-v2.2.1
    permissions:
      contents: read
      actions: read
@@ -155,7 +155,7 @@ jobs:
    name: Build and Push Server
    needs: pre-job
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == true }}
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@bd49ed7a5a6022149f79b6564df48177476a822b # multi-runner-build-workflow-v2.2.1
    permissions:
      contents: read
      actions: read
@@ -178,7 +178,7 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}

@@ -189,6 +189,6 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}
@@ -21,14 +21,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -54,9 +54,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -70,7 +70,7 @@ jobs:
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './docs/.nvmrc'
          cache: 'pnpm'
@@ -86,7 +86,7 @@ jobs:
        run: pnpm build

      - name: Upload build output
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docs-build-output
          path: docs/build/
@@ -20,16 +20,16 @@ jobs:
      artifact: ${{ steps.get-artifact.outputs.result }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - if: ${{ github.event.workflow_run.conclusion != 'success' }}
        run: echo 'The triggering workflow did not succeed' && exit 1
      - name: Get artifact
        id: get-artifact
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          script: |
@@ -48,7 +48,7 @@ jobs:
            return { found: true, id: matchArtifact.id };
      - name: Determine deploy parameters
        id: parameters
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        with:
@@ -119,9 +119,9 @@ jobs:
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -131,13 +131,11 @@ jobs:
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+        uses: immich-app/devtools/actions/use-mise@dab18118da6476e8237ac94080fd937983fecd42 # use-mise-action-v1.1.2

      - name: Load parameters
        id: parameters
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          PARAM_JSON: ${{ needs.checks.outputs.parameters }}
        with:
@@ -149,7 +147,7 @@ jobs:
            core.setOutput("shouldDeploy", parameters.shouldDeploy);

      - name: Download artifact
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
        with:
@@ -213,7 +211,7 @@ jobs:
        run: 'mise run //deployment:tf apply'

      - name: Comment
-        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
        if: ${{ steps.parameters.outputs.event == 'pr' }}
        with:
          token: ${{ steps.token.outputs.token }}
@@ -17,9 +17,9 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -29,9 +29,7 @@ jobs:
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+        uses: immich-app/devtools/actions/use-mise@dab18118da6476e8237ac94080fd937983fecd42 # use-mise-action-v1.1.2

      - name: Destroy Docs Subdomain
        env:
@@ -44,7 +42,7 @@ jobs:
        run: 'mise run //deployment:tf destroy -- -refresh=false'

      - name: Comment
-        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
        with:
          token: ${{ steps.token.outputs.token }}
          number: ${{ github.event.number }}
@@ -16,9 +16,9 @@ jobs:
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: 'Checkout'
@@ -29,10 +29,10 @@ jobs:
          persist-credentials: true

      - name: Setup pnpm
-        uses: pnpm/action-setup@26f6d4f2c533a43e6b5da0b4a5dd983f98f7b49a # v6.0.4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -42,13 +42,13 @@ jobs:
        run: pnpm --recursive install && pnpm run --recursive --if-present --parallel format:fix

      - name: Commit and push
-        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: fix formatting'

      - name: Remove label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        if: always()
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
  workflow_call:
    secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID:
+      PUSH_O_MATIC_APP_ID:
        required: true
      PUSH_O_MATIC_APP_KEY:
        required: true
@@ -31,9 +31,9 @@ jobs:
      - name: Generate a token
        id: generate_token
        if: ${{ inputs.skip != true }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Find translation PR
@@ -14,13 +14,13 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Require PR to have a changelog label
-        uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5.5.2
+        uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
        with:
          token: ${{ steps.token.outputs.token }}
          mode: exactly
@@ -12,9 +12,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
@@ -36,7 +36,7 @@ jobs:
    permissions:
      pull-requests: write
    secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}

@@ -50,9 +50,9 @@ jobs:
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
@@ -63,13 +63,13 @@ jobs:
          ref: main

      - name: Install uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0

      - name: Setup pnpm
-        uses: pnpm/action-setup@26f6d4f2c533a43e6b5da0b4a5dd983f98f7b49a # v6.0.4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -86,7 +86,7 @@ jobs:

      - name: Commit and tag
        id: push-tag
-        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: version ${{ steps.output.outputs.version }}'
@@ -124,9 +124,9 @@ jobs:
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
@@ -142,7 +142,7 @@ jobs:
          github-token: ${{ steps.generate-token.outputs.token }}

      - name: Create draft release
-        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          draft: true
          tag_name: ${{ needs.bump_version.outputs.version }}
@@ -14,12 +14,12 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@ffd016c7e151d97d69d21a843022fd4cd5b96fe5 # v3.9.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
@@ -32,12 +32,12 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          script: |
@@ -48,14 +48,14 @@ jobs:
              name: 'preview'
            })

-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@ffd016c7e151d97d69d21a843022fd4cd5b96fe5 # v3.9.0
        if: ${{ github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
          message: 'PRs from forks cannot have preview environments.'

-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@ffd016c7e151d97d69d21a843022fd4cd5b96fe5 # v3.9.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
@@ -19,9 +19,9 @@ jobs:
        working-directory: ./open-api/typescript-sdk
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -33,7 +33,7 @@ jobs:
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './open-api/typescript-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
@@ -20,14 +20,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -49,9 +49,9 @@ jobs:
        working-directory: ./mobile
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -61,7 +61,7 @@ jobs:
          token: ${{ steps.token.outputs.token }}

      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -17,14 +17,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -34,17 +34,13 @@ jobs:
              - 'web/**'
              - 'i18n/**'
              - 'open-api/typescript-sdk/**'
-              - 'pnpm-lock.yaml'
            server:
              - 'server/**'
-              - 'pnpm-lock.yaml'
            cli:
              - 'cli/**'
              - 'open-api/typescript-sdk/**'
-              - 'pnpm-lock.yaml'
            e2e:
              - 'e2e/**'
-              - 'pnpm-lock.yaml'
            mobile:
              - 'mobile/**'
            machine-learning:
@@ -67,9 +63,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -81,7 +77,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -98,8 +94,20 @@ jobs:
        run: pnpm check
        if: ${{ !cancelled() }}
      - name: Run small tests & coverage
-        run: pnpm test
+        run: pnpm test --reporter=default --reporter=json --outputFile test-results.json --coverage --coverage.reporter=text --coverage.reporter=json-summary --coverage.reporter=json
        if: ${{ !cancelled() }}
+      - name: Write test summary
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json test-results.json --name "Server Unit Tests" --framework vitest --coverage coverage/coverage-summary.json
+      - name: Upload test results
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-server-unit
+          path: |
+            server/test-results.json
+            server/coverage/coverage-summary.json
+          retention-days: 1
  cli-unit-tests:
    name: Unit Test CLI
    needs: pre-job
@@ -112,9 +120,9 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -125,7 +133,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './cli/.nvmrc'
          cache: 'pnpm'
@@ -145,8 +153,18 @@ jobs:
        run: pnpm check
        if: ${{ !cancelled() }}
      - name: Run unit tests & coverage
-        run: pnpm test
+        run: pnpm test --reporter=default --reporter=json --outputFile test-results.json
        if: ${{ !cancelled() }}
+      - name: Write test summary
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json test-results.json --name "CLI Unit Tests" --framework vitest
+      - name: Upload test results
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-cli-unit
+          path: cli/test-results.json
+          retention-days: 1
  cli-unit-tests-win:
    name: Unit Test CLI (Windows)
    needs: pre-job
@@ -159,9 +177,9 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -172,7 +190,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './cli/.nvmrc'
          cache: 'pnpm'
@@ -187,8 +205,18 @@ jobs:
        run: pnpm check
        if: ${{ !cancelled() }}
      - name: Run unit tests & coverage
-        run: pnpm test
+        run: pnpm test --reporter=default --reporter=json --outputFile test-results.json
        if: ${{ !cancelled() }}
+      - name: Write test summary
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json test-results.json --name "CLI Unit Tests (Windows)" --framework vitest
+      - name: Upload test results
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-cli-unit-win
+          path: cli/test-results.json
+          retention-days: 1
  web-lint:
    name: Lint Web
    needs: pre-job
@@ -201,9 +229,9 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -214,7 +242,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -245,9 +273,9 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -258,7 +286,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -272,8 +300,20 @@ jobs:
        run: pnpm check:typescript
        if: ${{ !cancelled() }}
      - name: Run unit tests & coverage
-        run: pnpm test
+        run: pnpm test --reporter=default --reporter=json --outputFile test-results.json --coverage --coverage.reporter=text --coverage.reporter=json-summary --coverage.reporter=json
        if: ${{ !cancelled() }}
+      - name: Write test summary
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json test-results.json --name "Web Unit Tests" --framework vitest --coverage coverage/coverage-summary.json
+      - name: Upload test results
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-web-unit
+          path: |
+            web/test-results.json
+            web/coverage/coverage-summary.json
+          retention-days: 1
  i18n-tests:
    name: Test i18n
    needs: pre-job
@@ -283,9 +323,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -296,7 +336,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './web/.nvmrc'
          cache: 'pnpm'
@@ -331,9 +371,9 @@ jobs:
        working-directory: ./e2e
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -344,7 +384,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
@@ -377,9 +417,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -391,20 +431,28 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
-        with:
-          github_token: ${{ steps.token.outputs.token }}
      - name: Run pnpm install
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
      - name: Run medium tests
-        run: pnpm test:medium
+        run: pnpm test:medium --reporter=default --reporter=json --outputFile test-results-medium.json --coverage --coverage.reporter=text --coverage.reporter=json-summary --coverage.reporter=json
        if: ${{ !cancelled() }}
+      - name: Write test summary
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json test-results-medium.json --name "Server Medium Tests" --framework vitest --coverage coverage/coverage-summary.json
+      - name: Upload test results
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-server-medium
+          path: |
+            server/test-results-medium.json
+            server/coverage/coverage-summary.json
+          retention-days: 1
  e2e-tests-server-cli:
    name: End-to-End Tests (Server & CLI)
    needs: pre-job
@@ -412,6 +460,7 @@ jobs:
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
+      actions: write
    defaults:
      run:
        working-directory: ./e2e
@@ -420,63 +469,114 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version-file: './e2e/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Run setup typescript-sdk
-        run: pnpm install --frozen-lockfile && pnpm build
-        working-directory: ./open-api/typescript-sdk
-        if: ${{ !cancelled() }}
-      - name: Run setup web
-        run: pnpm install --frozen-lockfile && pnpm exec svelte-kit sync
-        working-directory: ./web
-        if: ${{ !cancelled() }}
-      - name: Run setup cli
-        run: pnpm install --frozen-lockfile && pnpm build
-        working-directory: ./cli
-        if: ${{ !cancelled() }}
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-        if: ${{ !cancelled() }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - name: Compute server cache key
+        run: |
+          BUILD_ARGS=$'DEVICE=cpu\n'
+          HASH=$(sha256sum <<< "${BUILD_ARGS}" | cut -d' ' -f1)
+          ARCH=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
+          [[ "$ARCH" == "x64" ]] && ARCH="amd64"
+          echo "SERVER_CACHE_KEY=linux-${ARCH}-${HASH}-main" >> $GITHUB_ENV
+      - name: Build Docker images from cache
+        run: docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile test build
      - name: Start Docker Compose
-        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+        run: docker compose up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
      - name: Run e2e tests (api & cli)
-        env:
-          VITEST_DISABLE_DOCKER_SETUP: true
-        run: pnpm test
+        run: docker compose --profile test run --rm e2e-runner pnpm test --reporter=default --reporter=json --outputFile playwright-report/test-results.json
        if: ${{ !cancelled() }}
-      - name: Run e2e tests (maintenance)
-        env:
-          VITEST_DISABLE_DOCKER_SETUP: true
-        run: pnpm test:maintenance
+      - name: Write test summary
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json playwright-report/test-results.json --name "E2E Server & CLI Tests (${{ matrix.runner }})" --framework vitest
+      - name: Upload test results
        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-e2e-server-cli-${{ matrix.runner }}
+          path: e2e/playwright-report/test-results.json
+          retention-days: 1
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
-        working-directory: ./e2e
      - name: Archive Docker logs
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: always()
        with:
          name: e2e-server-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
+  e2e-tests-server-maintenance:
+    name: End-to-End Tests (Server Maintenance)
+    needs: pre-job
+    if: ${{ fromJSON(needs.pre-job.outputs.should_run).e2e == true || fromJSON(needs.pre-job.outputs.should_run).server == true || fromJSON(needs.pre-job.outputs.should_run).cli == true }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      actions: write
+    defaults:
+      run:
+        working-directory: ./e2e
+    strategy:
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]
+    steps:
+      - id: token
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        with:
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          submodules: 'recursive'
+          token: ${{ steps.token.outputs.token }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - name: Compute server cache key
+        run: |
+          BUILD_ARGS=$'DEVICE=cpu\n'
+          HASH=$(sha256sum <<< "${BUILD_ARGS}" | cut -d' ' -f1)
+          ARCH=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
+          [[ "$ARCH" == "x64" ]] && ARCH="amd64"
+          echo "SERVER_CACHE_KEY=linux-${ARCH}-${HASH}-main" >> $GITHUB_ENV
+      - name: Build Docker images from cache
+        run: docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile test build
+      - name: Start Docker Compose
+        run: docker compose up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+        if: ${{ !cancelled() }}
+      - name: Run e2e tests (maintenance)
+        run: docker compose --profile test run --rm e2e-runner pnpm test:maintenance --reporter=default --reporter=json --outputFile playwright-report/test-results.json
+        if: ${{ !cancelled() }}
+      - name: Write test summary
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json playwright-report/test-results.json --name "E2E Server Maintenance Tests (${{ matrix.runner }})" --framework vitest
+      - name: Upload test results
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-e2e-server-maintenance-${{ matrix.runner }}
+          path: e2e/playwright-report/test-results.json
+          retention-days: 1
+      - name: Capture Docker logs
+        if: always()
+        run: docker compose logs --no-color > docker-compose-logs.txt
+      - name: Archive Docker logs
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        if: always()
+        with:
+          name: e2e-server-maintenance-docker-logs-${{ matrix.runner }}
+          path: e2e/docker-compose-logs.txt
  e2e-tests-web:
    name: End-to-End Tests (Web)
    needs: pre-job
@@ -484,6 +584,7 @@ jobs:
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
+      actions: write
    defaults:
      run:
        working-directory: ./e2e
@@ -492,67 +593,181 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version-file: './e2e/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Run setup typescript-sdk
-        run: pnpm install --frozen-lockfile && pnpm build
-        working-directory: ./open-api/typescript-sdk
-        if: ${{ !cancelled() }}
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-        if: ${{ !cancelled() }}
-      - name: Install Playwright Browsers
-        run: pnpm exec playwright install chromium --only-shell
-        if: ${{ !cancelled() }}
-      - name: Docker build
-        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - name: Compute server cache key
+        run: |
+          BUILD_ARGS=$'DEVICE=cpu\n'
+          HASH=$(sha256sum <<< "${BUILD_ARGS}" | cut -d' ' -f1)
+          ARCH=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
+          [[ "$ARCH" == "x64" ]] && ARCH="amd64"
+          echo "SERVER_CACHE_KEY=linux-${ARCH}-${HASH}-main" >> $GITHUB_ENV
+      - name: Build Docker images from cache
+        run: docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile test build
+      - name: Start Docker Compose
+        run: docker compose up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
      - name: Run e2e tests (web)
-        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: pnpm test:web
+        run: docker compose --profile test run --rm e2e-runner pnpm test:web
        if: ${{ !cancelled() }}
+      - name: Write test summary (web)
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json playwright-report/test-results.json --name "E2E Web Tests (${{ matrix.runner }})" --framework playwright
+      - name: Upload test results (web)
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-e2e-web-${{ matrix.runner }}
+          path: e2e/playwright-report/test-results.json
+          retention-days: 1
      - name: Archive e2e test (web) results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: success() || failure()
        with:
          name: e2e-web-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
-      - name: Run ui tests (web)
-        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: pnpm test:web:ui
+      - name: Capture Docker logs
+        if: always()
+        run: docker compose logs --no-color > docker-compose-logs.txt
+      - name: Archive Docker logs
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: always()
+        with:
+          name: e2e-web-docker-logs-${{ matrix.runner }}
+          path: e2e/docker-compose-logs.txt
+  e2e-tests-web-ui:
+    name: End-to-End Tests (Web UI)
+    needs: pre-job
+    if: ${{ fromJSON(needs.pre-job.outputs.should_run).e2e == true || fromJSON(needs.pre-job.outputs.should_run).web == true }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      actions: write
+    defaults:
+      run:
+        working-directory: ./e2e
+    strategy:
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]
+    steps:
+      - id: token
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        with:
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          submodules: 'recursive'
+          token: ${{ steps.token.outputs.token }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - name: Compute server cache key
+        run: |
+          BUILD_ARGS=$'DEVICE=cpu\n'
+          HASH=$(sha256sum <<< "${BUILD_ARGS}" | cut -d' ' -f1)
+          ARCH=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
+          [[ "$ARCH" == "x64" ]] && ARCH="amd64"
+          echo "SERVER_CACHE_KEY=linux-${ARCH}-${HASH}-main" >> $GITHUB_ENV
+      - name: Build Docker images from cache
+        run: docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile test build
+      - name: Start Docker Compose
+        run: docker compose up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
+      - name: Run ui tests (web)
+        run: docker compose --profile test run --rm e2e-runner pnpm test:web:ui
+        if: ${{ !cancelled() }}
+      - name: Write test summary (ui)
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json playwright-report/test-results.json --name "E2E Web UI Tests (${{ matrix.runner }})" --framework playwright
+      - name: Upload test results (ui)
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-e2e-web-ui-${{ matrix.runner }}
+          path: e2e/playwright-report/test-results.json
+          retention-days: 1
      - name: Archive ui test (web) results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: success() || failure()
        with:
          name: e2e-ui-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
-      - name: Run maintenance tests
-        env:
-          PLAYWRIGHT_DISABLE_WEBSERVER: true
-        run: pnpm test:web:maintenance
+      - name: Capture Docker logs
+        if: always()
+        run: docker compose logs --no-color > docker-compose-logs.txt
+      - name: Archive Docker logs
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: always()
+        with:
+          name: e2e-web-ui-docker-logs-${{ matrix.runner }}
+          path: e2e/docker-compose-logs.txt
+  e2e-tests-web-maintenance:
+    name: End-to-End Tests (Web Maintenance)
+    needs: pre-job
+    if: ${{ fromJSON(needs.pre-job.outputs.should_run).e2e == true || fromJSON(needs.pre-job.outputs.should_run).web == true }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      actions: write
+    defaults:
+      run:
+        working-directory: ./e2e
+    strategy:
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]
+    steps:
+      - id: token
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
+        with:
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          submodules: 'recursive'
+          token: ${{ steps.token.outputs.token }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - name: Compute server cache key
+        run: |
+          BUILD_ARGS=$'DEVICE=cpu\n'
+          HASH=$(sha256sum <<< "${BUILD_ARGS}" | cut -d' ' -f1)
+          ARCH=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
+          [[ "$ARCH" == "x64" ]] && ARCH="amd64"
+          echo "SERVER_CACHE_KEY=linux-${ARCH}-${HASH}-main" >> $GITHUB_ENV
+      - name: Build Docker images from cache
+        run: docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile test build
+      - name: Start Docker Compose
+        run: docker compose up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
+      - name: Run maintenance tests
+        run: docker compose --profile test run --rm e2e-runner pnpm test:web:maintenance
+        if: ${{ !cancelled() }}
+      - name: Write test summary (maintenance)
+        if: always()
+        run: node ${{ github.workspace }}/.github/scripts/write-test-summary.mjs --json playwright-report/test-results.json --name "E2E Web Maintenance Tests (${{ matrix.runner }})" --framework playwright
+      - name: Upload test results (maintenance)
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: report-e2e-web-maintenance-${{ matrix.runner }}
+          path: e2e/playwright-report/test-results.json
+          retention-days: 1
      - name: Archive maintenance tests (web) results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: success() || failure()
        with:
          name: e2e-maintenance-isolated-test-results-${{ matrix.runner }}
@@ -560,23 +775,62 @@ jobs:
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
-        working-directory: ./e2e
      - name: Archive Docker logs
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: always()
        with:
-          name: e2e-web-docker-logs-${{ matrix.runner }}
+          name: e2e-web-maintenance-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
  success-check-e2e:
    name: End-to-End Tests Success
-    needs: [e2e-tests-server-cli, e2e-tests-web]
+    needs:
+      [
+        e2e-tests-server-cli,
+        e2e-tests-server-maintenance,
+        e2e-tests-web,
+        e2e-tests-web-ui,
+        e2e-tests-web-maintenance,
+      ]
    permissions: {}
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}
+  test-report:
+    name: PR Test Report
+    if: github.event_name == 'pull_request' && always()
+    needs:
+      - server-unit-tests
+      - web-unit-tests
+      - server-medium-tests
+      - cli-unit-tests
+      - cli-unit-tests-win
+      - e2e-tests-server-cli
+      - e2e-tests-server-maintenance
+      - e2e-tests-web
+      - e2e-tests-web-ui
+      - e2e-tests-web-maintenance
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: 'report-*'
+          path: artifacts
+      - name: Generate unified report
+        run: node .github/scripts/write-test-summary.mjs --pr-comment --artifacts-dir artifacts > pr-comment.md
+      - name: Post PR comment
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3.0.2
+        with:
+          header: test-report
+          path: pr-comment.md
  mobile-unit-tests:
    name: Unit Test Mobile
    needs: pre-job
@@ -586,9 +840,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -596,7 +850,7 @@ jobs:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -613,40 +867,39 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
-    env:
-      MISE_CEILING_PATHS: ${{ github.workspace }}
-      MISE_TRUSTED_CONFIG_PATHS: ${{ github.workspace }}/machine-learning/mise.toml
    defaults:
      run:
        working-directory: ./machine-learning
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-          working_directory: ./machine-learning
-
+          python-version: 3.11
      - name: Install dependencies
-        run: mise run install --extra cpu
-      - name: Lint code
-        run: mise run lint --output-format=github
-      - name: Format code
-        run: mise run format
-      - name: Run type checking
-        run: mise run check
+        run: |
+          uv sync --extra cpu
+      - name: Lint with ruff
+        run: |
+          uv run ruff check --output-format=github immich_ml
+      - name: Format with ruff
+        run: |
+          uv run ruff format --check immich_ml
+      - name: Run mypy type checking
+        run: |
+          uv run mypy --strict immich_ml/
      - name: Run tests and coverage
-        run: mise run test
+        run: |
+          uv run pytest --cov=immich_ml --cov-report term-missing
  github-files-formatting:
    name: .github Files Formatting
    needs: pre-job
@@ -659,9 +912,9 @@ jobs:
        working-directory: ./.github
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -672,7 +925,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './.github/.nvmrc'
          cache: 'pnpm'
@@ -689,9 +942,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -710,9 +963,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -723,7 +976,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -772,9 +1025,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -785,7 +1038,7 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version-file: './server/.nvmrc'
          cache: 'pnpm'
@@ -24,14 +24,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -47,9 +47,9 @@ jobs:
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).i18n == true }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@05e16407c0a5492138bb38139c9d9bf067b40886 # create-workflow-token-action-v1.0.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Bot review status
@@ -68,6 +68,6 @@ jobs:
    permissions: {}
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@68f10eb389bb02a3cf9d1156111964c549eb421b # 0.0.4
        with:
          needs: ${{ toJSON(needs) }}
@@ -28,5 +28,3 @@ vite.config.js.timestamp-*
 .pnpm-store
 .devcontainer/library
 .devcontainer/.env*
-*.tsbuildinfo
-*.tsbuildInfo
@@ -1,3 +1,6 @@
+[submodule "mobile/.isar"]
+	path = mobile/.isar
+	url = https://github.com/isar/isar
 [submodule "e2e/test-assets"]
 	path = e2e/test-assets
 	url = https://github.com/immich-app/test-assets
@@ -13,6 +13,10 @@
    "editor.wordBasedSuggestions": "off"
  },
  "[javascript]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "editor.formatOnSave": true
  },
@@ -25,14 +29,18 @@
    "editor.formatOnSave": true
  },
  "[svelte]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
    "editor.defaultFormatter": "svelte.svelte-vscode",
-    "editor.formatOnSave": true,
-    "tailwindCSS.lint.suggestCanonicalClasses": "ignore"
-  },
-  "svelte.plugin.svelte.compilerWarnings": {
-    "state_referenced_locally": "ignore"
+    "editor.formatOnSave": true
  },
  "[typescript]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "editor.formatOnSave": true
  },
@@ -24,7 +24,7 @@ e2e-update:
 	@trap 'make e2e-down' EXIT; COMPOSE_BAKE=true docker compose -f ./e2e/docker-compose.yml up --build -V --remove-orphans

 e2e-down:
-	docker compose -f ./e2e/docker-compose.yml down --remove-orphans
+	docker compose -f ./e2e/docker-compose.yml --profile test down --remove-orphans

 prod:
 	@trap 'make prod-down' EXIT; COMPOSE_BAKE=true docker compose -f ./docker/docker-compose.prod.yml up --build -V --remove-orphans
@@ -101,10 +101,30 @@ check-web:
 	pnpm --filter immich-web run check:svelte
 test-%:
 	pnpm --filter $(call map-package,$*) run test
-test-e2e:
-	docker compose -f ./e2e/docker-compose.yml build
-	pnpm --filter immich-e2e run test
-	pnpm --filter immich-e2e run test:web
+test-e2e: build-e2e test-e2e-server test-e2e-server-maintenance test-e2e-web test-e2e-web-ui test-e2e-web-maintenance
+
+test-e2e-server:
+	docker compose -f ./e2e/docker-compose.yml up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+	docker compose -f ./e2e/docker-compose.yml --profile test run --rm e2e-runner pnpm test
+
+test-e2e-server-maintenance:
+	docker compose -f ./e2e/docker-compose.yml up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+	docker compose -f ./e2e/docker-compose.yml --profile test run --rm e2e-runner pnpm test:maintenance
+
+test-e2e-web:
+	docker compose -f ./e2e/docker-compose.yml up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+	docker compose -f ./e2e/docker-compose.yml --profile test run --rm e2e-runner pnpm test:web
+
+test-e2e-web-ui:
+	docker compose -f ./e2e/docker-compose.yml up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+	docker compose -f ./e2e/docker-compose.yml --profile test run --rm e2e-runner pnpm test:web:ui
+
+test-e2e-web-maintenance:
+	docker compose -f ./e2e/docker-compose.yml up -d --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
+	docker compose -f ./e2e/docker-compose.yml --profile test run --rm e2e-runner pnpm test:web:maintenance
+
+build-e2e:
+	docker compose -f ./e2e/docker-compose.yml --profile test build
 test-medium:
 	docker run \
    --rm \
@@ -1 +1 @@
-24.15.0
+24.13.1
@@ -1,6 +1,6 @@
 {
  "name": "@immich/cli",
-  "version": "2.7.5",
+  "version": "2.6.2",
  "description": "Command Line Interface (CLI) for Immich",
  "type": "module",
  "exports": "./dist/index.js",
@@ -20,7 +20,7 @@
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.11.0",
    "@vitest/coverage-v8": "^4.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -28,13 +28,13 @@
    "eslint": "^10.0.0",
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-unicorn": "^64.0.0",
+    "eslint-plugin-unicorn": "^63.0.0",
    "globals": "^17.0.0",
    "mock-fs": "^5.2.0",
    "prettier": "^3.7.4",
    "prettier-plugin-organize-imports": "^4.0.0",
-    "typescript": "^6.0.0",
-    "typescript-eslint": "^8.58.0",
+    "typescript": "^5.3.3",
+    "typescript-eslint": "^8.28.0",
    "vite": "^8.0.0",
    "vitest": "^4.0.0",
    "vitest-fetch-mock": "^0.4.0",
@@ -68,6 +68,6 @@
    "micromatch": "^4.0.8"
  },
  "volta": {
-    "node": "24.15.0"
+    "node": "24.13.1"
  }
 }
@@ -4,7 +4,7 @@ import path from 'node:path';
 import { setTimeout as sleep } from 'node:timers/promises';
 import { describe, expect, it, MockedFunction, vi } from 'vitest';

-import { AssetRejectReason, AssetUploadAction, checkBulkUpload, defaults, getSupportedMediaTypes } from '@immich/sdk';
+import { Action, checkBulkUpload, defaults, getSupportedMediaTypes, Reason } from '@immich/sdk';
 import createFetchMock from 'vitest-fetch-mock';

 import {
@@ -120,7 +120,7 @@ describe('checkForDuplicates', () => {
    vi.mocked(checkBulkUpload).mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
          id: testFilePath,
        },
      ],
@@ -144,10 +144,10 @@ describe('checkForDuplicates', () => {
    vi.mocked(checkBulkUpload).mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Reject,
+          action: Action.Reject,
          id: testFilePath,
          assetId: 'fc5621b1-86f6-44a1-9905-403e607df9f5',
-          reason: AssetRejectReason.Duplicate,
+          reason: Reason.Duplicate,
        },
      ],
    });
@@ -167,7 +167,7 @@ describe('checkForDuplicates', () => {
    vi.mocked(checkBulkUpload).mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
          id: testFilePath,
        },
      ],
@@ -187,7 +187,7 @@ describe('checkForDuplicates', () => {
    mocked.mockResolvedValue({
      results: [
        {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
          id: testFilePath,
        },
      ],
@@ -1,9 +1,9 @@
 import {
+  Action,
  AssetBulkUploadCheckItem,
  AssetBulkUploadCheckResult,
  AssetMediaResponseDto,
  AssetMediaStatus,
-  AssetUploadAction,
  Permission,
  addAssetsToAlbum,
  checkBulkUpload,
@@ -234,7 +234,7 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
      const results = response.results as AssetBulkUploadCheckResults;

      for (const { id: filepath, assetId, action } of results) {
-        if (action === AssetUploadAction.Accept) {
+        if (action === Action.Accept) {
          newFiles.push(filepath);
        } else {
          // rejects are always duplicates
@@ -404,6 +404,8 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
  const { baseUrl, headers } = defaults;

  const formData = new FormData();
+  formData.append('deviceAssetId', `${basename(input)}-${stats.size}`.replaceAll(/\s+/g, ''));
+  formData.append('deviceId', 'CLI');
  formData.append('fileCreatedAt', stats.mtime.toISOString());
  formData.append('fileModifiedAt', stats.mtime.toISOString());
  formData.append('fileSize', String(stats.size));
@@ -15,12 +15,8 @@
    "incremental": true,
    "skipLibCheck": true,
    "esModuleInterop": true,
-    "rootDir": "./src",
-    "paths": {
-      "src/*": ["./src/*"],
-    },
-    "tsBuildInfoFile": "./dist/tsconfig.tsbuildinfo",
+    "baseUrl": "./",
    "types": ["vitest/globals"]
  },
-  "exclude": ["dist", "node_modules", "vite.config.ts"]
+  "exclude": ["dist", "node_modules"]
 }
@@ -1,6 +1,6 @@
 [tools]
-terragrunt = "1.0.3"
-opentofu = "1.11.6"
+terragrunt = "0.99.4"
+opentofu = "1.11.5"

 [tasks."tg:fmt"]
 run = "terragrunt hclfmt"
@@ -20,7 +20,6 @@ services:
      - /tmp
    volumes:
      - ..:/usr/src/app
-      # - ../../ui:/usr/src/ui
      - pnpm_cache:/buildcache/pnpm_cache
      - server_node_modules:/usr/src/app/server/node_modules
      - web_node_modules:/usr/src/app/web/node_modules
@@ -91,7 +90,6 @@ services:
      IMMICH_THIRD_PARTY_BUG_FEATURE_URL: https://github.com/immich-app/immich/issues
      IMMICH_THIRD_PARTY_DOCUMENTATION_URL: https://docs.immich.app
      IMMICH_THIRD_PARTY_SUPPORT_URL: https://docs.immich.app/community-guides
-      IMMICH_HELMET_FILE: 'true'
    ports:
      - 9230:9230
      - 9231:9231
@@ -157,7 +155,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
    healthcheck:
      test: redis-cli ping || exit 1

@@ -56,7 +56,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -85,7 +85,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:e4254400b85610324913f0dc4acf92603d9984e7519414c5a12811aa6146acc3
+    image: prom/prometheus@sha256:4a61322ac1103a0e3aea2a61ef1718422a48fa046441f299d71e660a3bc71ae9
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
@@ -97,7 +97,7 @@ services:
    command: ['./run.sh', '-disable-reporting']
    ports:
      - 3000:3000
-    image: grafana/grafana:12.4.3-ubuntu@sha256:ca3f764fdc48cebdf22dd206f33ecb0795a9a7210eacd1b5c02204aebd78b223
+    image: grafana/grafana:12.3.2-ubuntu@sha256:6cca4b429a1dc0d37d401dee54825c12d40056c3c6f3f56e3f0d6318ce77749b
    volumes:
      - grafana-data:/var/lib/grafana

@@ -61,7 +61,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
    user: '1000:1000'
    security_opt:
      - no-new-privileges:true
@@ -49,7 +49,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -1 +1 @@
-24.15.0
+24.13.1
@@ -210,7 +210,7 @@ The provided restore process ensures your database is never in a broken state by

 ## Filesystem

-Immich does not handle filesystem backups for you. You have to arrange these yourself! Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:
+Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:

 1. `UPLOAD_LOCATION/library`
 2. `UPLOAD_LOCATION/upload`
@@ -14,7 +14,6 @@ Immich supports 3rd party authentication via [OpenID Connect][oidc] (OIDC), an i
 - [Authelia](https://www.authelia.com/integration/openid-connect/immich/)
 - [Okta](https://www.okta.com/openid-connect/)
 - [Google](https://developers.google.com/identity/openid-connect/openid-connect)
- [Keycloak](https://www.keycloak.org)

 ## Prerequisites

@@ -50,10 +49,6 @@ Before enabling OAuth in Immich, a new client application needs to be configured
   - `https://immich.example.com/auth/login`
   - `https://immich.example.com/user-settings`

-3. Configure Backchannel logout URL
-
-   If the authentication server supports it, the **Backchannel logout URL** can be specified, and it is of the form: `http://DOMAIN:PORT/api/oauth/backchannel-logout`.
-
 ## Enable OAuth

 Once you have a new OAuth client application configured, Immich can be configured using the Administration Settings page, available on the web (Administration -> Settings).
@@ -67,8 +62,6 @@ Once you have a new OAuth client application configured, Immich can be configure
 | `scope`                                              | string  | openid email profile | Full list of scopes to send with the request (space delimited)                      |
 | `id_token_signed_response_alg`                       | string  | RS256                | The algorithm used to sign the id token (examples: RS256, HS256)                    |
 | `userinfo_signed_response_alg`                       | string  | none                 | The algorithm used to sign the userinfo response (examples: RS256, HS256)           |
-| `prompt`                                             | string  | (empty)              | Prompt parameter for authorization url (examples: select_account, login, consent)   |
-| `end_session_endpoint`                               | URL     | (empty)              | Http(s) alternative end session endpoint (logout URI)                               |
 | Request timeout                                      | string  | 30,000 (30 seconds)  | Number of milliseconds to wait for http requests to complete before giving up       |
 | Storage Label Claim                                  | string  | preferred_username   | Claim mapping for the user's storage label**¹**                                     |
 | Role Claim                                           | string  | immich_role          | Claim mapping for the user's role. (should return "user" or "admin")**¹**           |
@@ -187,7 +180,6 @@ Configuration of OAuth in Immich System Settings
 | Scope                              | openid email profile immich_scope                                   |
 | ID Token Signed Response Algorithm | RS256                                                               |
 | Userinfo Signed Response Algorithm | RS256                                                               |
-| End Session Endpoint               | https://auth.example.com/logout?rd=https://immich.example.com/      |
 | Storage Label Claim                | uid                                                                 |
 | Storage Quota Claim                | immich_quota                                                        |
 | Default Storage Quota (GiB)        | 0 (empty for unlimited quota)                                       |
@@ -261,40 +253,4 @@ Configuration of OAuth in Immich System Settings

 </details>

-<details>
-<summary>Keycloak Example</summary>
-
-### Keycloak Example
-
-Here's an example of OAuth configured for Keycloak:
-
-Create your immich client on your Keycloak Realm.
-
-<img src={require('./img/keycloak-general-settings.webp').default} width='100%' title="Keycloak Client general Settings" />
-<img src={require('./img/keycloak-access-settings.webp').default} width='100%' title="Keycloak Client Access Settings" />
-<img src={require('./img/keycloak-capability-config.webp').default} width='100%' title="Keycloak Client Capability Configuration" />
-
-Configuration of OAuth in Immich System Settings
-
-| Setting                      | Value                                                 |
-| ---------------------------- | ----------------------------------------------------- |
-| Issuer URL                   | `https://<KEYCLOAK_DOMAIN>/realms/<YOUR_REALM>`       |
-| Client ID                    | immich                                                |
-| Client Secret                | can be optained from Clients -> immich -> Credentials |
-| Scope                        | openid email profile                                  |
-| Signing Algorithm            | RS256                                                 |
-| Storage Label Claim          | preferred_username                                    |
-| Role Claim                   | immich_role                                           |
-| Storage Quota Claim          | immich_quota                                          |
-| Default Storage Quota (GiB)  | 0 (empty for unlimited quota)                         |
-| Button Text                  | Sign in with Keycloak (recommended)                   |
-| Auto Register                | Enabled (optional)                                    |
-| Auto Launch                  | Enabled (optional)                                    |
-| Mobile Redirect URI Override | Disabled                                              |
-| Mobile Redirect URI          |                                                       |
-
-Role Claim can be managed via Client Role. Remember to create a mapper with claim name `immich_role`.
-
-</details>
-
 [oidc]: https://openid.net/connect/
@@ -81,7 +81,7 @@ VectorChord is the successor extension to pgvecto.rs, allowing for higher perfor

 ### Migrating from pgvecto.rs

-Support for pgvecto.rs has been dropped as of 3.0, hence all users currently using pgvecto.rs should migrate to VectorChord. There are two primary approaches to do so.
+Support for pgvecto.rs will be dropped in a later release, hence we recommend all users currently using pgvecto.rs to migrate to VectorChord at their convenience. There are two primary approaches to do so.

 The easiest option is to have both extensions installed during the migration:

@@ -80,9 +80,9 @@ To see local changes to `@immich/ui` in Immich, do the following:

 1. Install `@immich/ui` as a sibling to `immich/`, for example `/home/user/immich` and `/home/user/ui`
 2. Build the `@immich/ui` project via `pnpm run build`
-3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yml` file (`../../ui:/usr/src/ui`)
-4. Uncomment the corresponding alias in the `web/vite.config.ts` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui/packages/ui')`)
-5. Uncomment the import statement in `web/src/app.css` file `@import '../../../ui/packages/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
+3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yaml` file (`../../ui:/usr/ui`)
+4. Uncomment the corresponding alias in the `web/vite.config.js` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui')`)
+5. Uncomment the import statement in `web/src/app.css` file `@import '/usr/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
 6. Start up the stack via `make dev`
 7. After making changes in `@immich/ui`, rebuild it (`pnpm run build`)

@@ -1,28 +0,0 @@
-# Duplicates Utility
-
-Immich comes with a duplicates utility to help you detect assets that look visually similar. The duplicate detection feature relies on machine learning and is enabled by default. For more information about when the duplicate detection job runs, see [Jobs and Workers](/administration/jobs-workers). Once an asset has been processed and added to a duplicate group, it becomes available to review in the "Review duplicates" utility, which can be found [here](https://my.immich.app/utilities/duplicates).
-
-## Reviewing duplicates
-
-The review duplicates page allows the user to individually select which assets should be kept and which ones should be trashed. When more than one asset is kept, there is an option to automatically put the kept assets into a stack.
-
-### Automatic preselection
-
-When using "Deduplicate All" or viewing suggestions, Immich automatically preselects which assets to keep based on:
-
-1. **Image size in bytes** — larger files are preferred as they typically have higher quality.
-2. **Count of EXIF data** — assets with more metadata are preferred.
-
-### Synchronizing metadata
-
-When resolving duplicates, metadata from trashed assets is automatically synchronized to the kept assets. The following metadata is synchronized:
-
-| Name        | Description                                                                                                                     |
-| ----------- | ------------------------------------------------------------------------------------------------------------------------------- |
-| Album       | The kept assets will be added to _every_ album that the other assets in the group belong to.                                    |
-| Favorite    | If any of the assets in the group have been added to favorites, every kept asset will also be added to favorites.               |
-| Rating      | If one or more assets in the duplicate group have a rating, the highest rating is selected and synchronized to the kept assets. |
-| Description | Descriptions from each asset are combined together and synchronized to all the kept assets.                                     |
-| Visibility  | The most restrictive visibility is applied to the kept assets.                                                                  |
-| Location    | Latitude and longitude are copied if all assets with geolocation data in the group share the same coordinates.                  |
-| Tag         | Tags from all assets in the group are merged and applied to every kept asset.                                                   |
@@ -50,8 +50,6 @@ Some basic examples:
 - `**/Raw/**` will exclude all files in any directory named `Raw`
 - `**/*.{tif,jpg}` will exclude all files with the extension `.tif` or `.jpg`

-Note that `*` is a wildcard matching zero or more characters (i.e., withinin a filename or single directory name). `**` matches zero or more subdirectories, recursively. It also includes any/all files within a subdirectory, i.e., when used at the end of a pattern. For example, `**/exclude_me/**` will exclude all files in any directory named `exclude_me`, as well as all files in any subdirectories of `exclude_me`, recursively.
-
 Special characters such as @ should be escaped, for instance:

 - `**/\@eaDir/**` will exclude all files in any directory named `@eaDir`
@@ -47,7 +47,6 @@ You do not need to redo any machine learning jobs after enabling hardware accele

 #### ROCm

- On Linux, The [AMDGPU driver module](https://rocm.docs.amd.com/projects/install-on-linux/en/latest/how-to/docker.html) needs to be installed on the server and, if secure boot is used, the signing key of DKMS [needs to be enrolled in UEFI BIOS](https://wiki.debian.org/SecureBoot)
 - The GPU must be supported by ROCm. If it isn't officially supported, you can attempt to use the `HSA_OVERRIDE_GFX_VERSION` environmental variable: `HSA_OVERRIDE_GFX_VERSION=<a supported version, e.g. 10.3.0>`. If this doesn't work, you might need to also set `HSA_USE_SVM=0`.
 - The ROCm image is quite large and requires at least 35GiB of free disk space. However, pulling later updates to the service through Docker will generally only amount to a few hundred megabytes as the rest will be cached.
 - This backend is new and may experience some issues. For example, GPU power consumption can be higher than usual after running inference, even if the machine learning service is idle. In this case, it will only go back to normal after being idle for 5 minutes (configurable with the [MACHINE_LEARNING_MODEL_TTL](/install/environment-variables) setting).
@@ -18,7 +18,6 @@ You can search the following types of content:
 | People                              | Faces that are recognized in your photos/videos.      |
 | Contextual                          | Content of the photos and videos.                     |
 | File name or extension              | Full or partial file's name, or file's extension      |
-| Full path or folder                 | Full or partial folder names from the original path.  |
 | Description                         | Description added to assets.                          |
 | Optical Character Recognition (OCR) | Text in images                                        |
 | Locations                           | Cities, states, and countries from reverse geocoding. |
@@ -27,16 +26,10 @@ You can search the following types of content:
 | Time frame                          | Start and end date of a specific time bucket          |
 | Media type                          | Image or video or both                                |
 | Display options                     | In Archive, in Favorites or Not in any album          |
-| Star rating                         | User-assigned star rating                             |
+| Start rating                        | User-assigned start rating                            |

 <img src={require('./img/advanced-search-filters.webp').default} width="70%" title='Advanced search filters' />

-### Full path or folder
-
-Use this mode when you know a folder name or part of the original asset path.
-
-Example: for /John/Projects/3D_Printing/2026-07-01/IMG_0001.jpg, searches like Projects, 3D, Printing, or 2026 match the asset.
-
 ## Configuration

 Navigating to `Administration > Settings > Machine Learning Settings > Smart Search` will show the options available.
@@ -18,7 +18,6 @@ For the full list, refer to the [Immich source code](https://github.com/immich-a
 | `JPEG 2000` | `.jp2`                        | :white_check_mark: |                 |
 | `JPEG`      | `.jpeg` `.jpg` `.jpe` `.insp` | :white_check_mark: |                 |
 | `JPEG XL`   | `.jxl`                        | :white_check_mark: |                 |
-| `MPO`       | `.mpo`                        | :white_check_mark: | Multi-Picture   |
 | `PNG`       | `.png`                        | :white_check_mark: |                 |
 | `PSD`       | `.psd`                        | :white_check_mark: | Adobe Photoshop |
 | `RAW`       | `.raw`                        | :white_check_mark: |                 |
@@ -29,17 +28,17 @@ For the full list, refer to the [Immich source code](https://github.com/immich-a

 ## Video formats

-| Format      | Extension(s)                |     Supported?     | Notes |
-| :---------- | :-------------------------- | :----------------: | :---- |
-| `3GPP`      | `.3gp` `.3gpp`              | :white_check_mark: |       |
-| `AVI`       | `.avi`                      | :white_check_mark: |       |
-| `FLV`       | `.flv`                      | :white_check_mark: |       |
-| `M4V`       | `.m4v`                      | :white_check_mark: |       |
-| `MATROSKA`  | `.mkv`                      | :white_check_mark: |       |
-| `MP2T`      | `.mts` `.m2ts` `.m2t` `.ts` | :white_check_mark: |       |
-| `MP4`       | `.mp4` `.insv`              | :white_check_mark: |       |
-| `MPEG`      | `.mpg` `.mpe` `.mpeg`       | :white_check_mark: |       |
-| `MXF`       | `.mxf`                      | :white_check_mark: |       |
-| `QUICKTIME` | `.mov`                      | :white_check_mark: |       |
-| `WEBM`      | `.webm`                     | :white_check_mark: |       |
-| `WMV`       | `.wmv`                      | :white_check_mark: |       |
+| Format      | Extension(s)          |     Supported?     | Notes |
+| :---------- | :-------------------- | :----------------: | :---- |
+| `3GPP`      | `.3gp` `.3gpp`        | :white_check_mark: |       |
+| `AVI`       | `.avi`                | :white_check_mark: |       |
+| `FLV`       | `.flv`                | :white_check_mark: |       |
+| `M4V`       | `.m4v`                | :white_check_mark: |       |
+| `MATROSKA`  | `.mkv`                | :white_check_mark: |       |
+| `MP2T`      | `.mts` `.m2ts` `.m2t` | :white_check_mark: |       |
+| `MP4`       | `.mp4` `.insv`        | :white_check_mark: |       |
+| `MPEG`      | `.mpg` `.mpe` `.mpeg` | :white_check_mark: |       |
+| `MXF`       | `.mxf`                | :white_check_mark: |       |
+| `QUICKTIME` | `.mov`                | :white_check_mark: |       |
+| `WEBM`      | `.webm`               | :white_check_mark: |       |
+| `WMV`       | `.wmv`                | :white_check_mark: |       |
@@ -3,8 +3,8 @@
 You may decide that you'd like to modify the style document which is used to
 draw the maps in Immich. In addition to visual customization, this also allows
 you to pick your own map tile provider instead of the default one. The default
-`style.json` for [light theme](https://tiles.immich.cloud/v1/style/light.json)
-and [dark theme](https://tiles.immich.cloud/v1/style/dark.json)
+`style.json` for [light theme](https://github.com/immich-app/immich/tree/main/server/resources/style-light.json)
+and [dark theme](https://github.com/immich-app/immich/blob/main/server/resources/style-dark.json)
 can be used as a basis for creating your own style.

 There are several sources for already-made `style.json` map themes, as well as
@@ -20,6 +20,8 @@ def upload(file):
    }

    data = {
+        'deviceAssetId': f'{file}-{stats.st_mtime}',
+        'deviceId': 'python',
        'fileCreatedAt': datetime.fromtimestamp(stats.st_mtime),
        'fileModifiedAt': datetime.fromtimestamp(stats.st_mtime),
        'isFavorite': 'false',
@@ -39,7 +39,7 @@ You can learn how to set up Tailscale together with Immich with the [tutorial vi
 ### Cons

 - The Tailscale client usually needs to run as root on your devices and it increases the attack surface slightly compared to a minimal Wireguard server. e.g., an [RCE vulnerability](https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp) was discovered in the Windows Tailscale client in November 2022.
- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) suitable for personal use.
+- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) that permits up to 3 users and up to 100 devices.
 - Tailscale needs to be installed and running on both server-side and client-side.

 ## Option 3: Reverse Proxy
@@ -193,7 +193,6 @@ The default configuration looks like this:
    "defaultStorageQuota": null,
    "enabled": false,
    "issuerUrl": "",
-    "endSessionEndpoint": "",
    "mobileOverrideEnabled": false,
    "mobileRedirectUri": "",
    "profileSigningAlgorithm": "none",
@@ -29,31 +29,28 @@ These environment variables are used by the `docker-compose.yml` file and do **N

 ## General

-| Variable                            | Description                                                                                                                                                          |           Default            | Containers               | Workers            |
-| :---------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
-| `TZ`                                | Timezone                                                                                                                                                             |        <sup>\*1</sup>        | server                   | microservices      |
-| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                                |         `production`         | server, machine learning | api, microservices |
-| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                                         |            `log`             | server, machine learning | api, microservices |
-| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                                |          `console`           | server                   | api, microservices |
-| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                                            |           `/data`            | server                   | api, microservices |
-| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                                  |                              | server                   | api, microservices |
-| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`<sup>\*3</sup>. |           `false`            | server                   | api                |
-| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                                      |           `false`            | server, machine learning |                    |
-| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                                       | auto-detected CPU core count | server                   |                    |
-| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                                            |            `8081`            | server                   | api                |
-| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                                            |            `8082`            | server                   | microservices      |
-| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                                  |                              | server                   | microservices      |
-| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                                   |                              | server                   | api                |
-| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                                             |                              | server                   | api, microservices |
-| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                                             |            `true`            | server                   | api                |
+| Variable                            | Description                                                                               |           Default            | Containers               | Workers            |
+| :---------------------------------- | :---------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
+| `TZ`                                | Timezone                                                                                  |        <sup>\*1</sup>        | server                   | microservices      |
+| `IMMICH_ENV`                        | Environment (production, development)                                                     |         `production`         | server, machine learning | api, microservices |
+| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                              |            `log`             | server, machine learning | api, microservices |
+| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                     |          `console`           | server                   | api, microservices |
+| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️ |           `/data`            | server                   | api, microservices |
+| `IMMICH_CONFIG_FILE`                | Path to config file                                                                       |                              | server                   | api, microservices |
+| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                           |           `false`            | server, machine learning |                    |
+| `CPU_CORES`                         | Number of cores available to the Immich server                                            | auto-detected CPU core count | server                   |                    |
+| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                 |            `8081`            | server                   | api                |
+| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                 |            `8082`            | server                   | microservices      |
+| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                       |                              | server                   | microservices      |
+| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                        |                              | server                   | api                |
+| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                  |                              | server                   | api, microservices |
+| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                  |            `true`            | server                   | api                |

 \*1: `TZ` should be set to a `TZ identifier` from [this list][tz-list]. For example, `TZ="Etc/UTC"`.
 `TZ` is used by `exiftool` as a fallback in case the timezone cannot be determined from the image metadata. It is also used for logfile timestamps and cron job execution.

 \*2: This path is where the Immich code looks for the files, which is internal to the docker container. Setting it to a path on your host will certainly break things, you should use the `UPLOAD_LOCATION` variable instead.

-\*3: The [default configuration](https://helmetjs.github.io/#content-security-policy) sets `upgrade-insecure-requests`, which tells the browser to upgrade all requests to HTTPS. This breaks on HTTP-only deployments. If you cannot use HTTPS, you should use a custom helmet config file with `"upgrade-insecure-requests": null`.
-
 ## Workers

 | Variable                 | Description                                                                                          | Default | Containers |
@@ -83,7 +80,7 @@ Information on the current workers can be found [here](/administration/jobs-work
 | `DB_PASSWORD`                       | Database password                                                                      | `postgres` | server, database<sup>\*1</sup> |
 | `DB_DATABASE_NAME`                  | Database name                                                                          |  `immich`  | server, database<sup>\*1</sup> |
 | `DB_SSL_MODE`                       | Database SSL mode                                                                      |            | server                         |
-| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`])                         |            | server                         |
+| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`, `pgvecto.rs`])           |            | server                         |
 | `DB_SKIP_MIGRATIONS`                | Whether to skip running migrations on startup (one of [`true`, `false`])               |  `false`   | server                         |
 | `DB_STORAGE_TYPE`                   | Optimize concurrent IO on SSDs or sequential IO on HDDs ([`SSD`, `HDD`])<sup>\*3</sup> |   `SSD`    | database                       |

@@ -49,7 +49,7 @@ Immich requires [**Docker**](https://docs.docker.com/get-started/get-docker/) wi
 The Compose plugin will be installed by both Docker Engine and Desktop by following the linked installation guides; it can also be [separately installed](https://docs.docker.com/compose/install/).

 :::note
-Immich requires the command `docker compose`; the similarly named `docker-compose` is [deprecated](https://docs.docker.com/retired/#docker-compose-v1-replaced-by-compose-v2) and is no longer supported by Immich.
+Immich requires the command `docker compose`; the similarly named `docker-compose` is [deprecated](https://docs.docker.com/compose/migrate/) and is no longer supported by Immich.
 :::

 ### Special requirements for Windows users
@@ -130,3 +130,7 @@ These storage mediums have different performance characteristics. As a result, t
 #### Can I use the new database image as a general PostgreSQL image outside of Immich?

 It’s a standard PostgreSQL container image that additionally contains the VectorChord, pgvector, and (optionally) pgvecto.rs extensions. If you were using the previous pgvecto.rs image for other purposes, you can similarly do so with this image.
+
+#### If pgvecto.rs and pgvector still work, why should I switch to VectorChord?
+
+VectorChord is faster, more stable, uses less RAM, and (with the settings Immich uses) offers higher-quality results than pgvector and pgvecto.rs. This translates to better search and facial recognition experiences. In addition, pgvecto.rs support will be dropped in the future, so changing it sooner will avoid disruption.
@@ -6,8 +6,6 @@ You can read more about the differences between storage template engine on and o

 The admin user can set the template by using the template builder in the `Administration -> Settings -> Storage Template`. Immich provides a set of variables that you can use in constructing the template, along with additional custom text. If the template produces [multiple files with the same filename, they won't be overwritten](https://github.com/immich-app/immich/discussions/3324) as a sequence number is appended to the filename.

-Date and time variables in storage templates are rendered in the server's local timezone.
-
 ```bash title="Default template"
 Year/Year-Month-Day/Filename.Extension
 ```
@@ -17,10 +17,10 @@
    "write-heading-ids": "docusaurus write-heading-ids"
  },
  "dependencies": {
-    "@docusaurus/core": "~3.10.0",
-    "@docusaurus/preset-classic": "~3.10.0",
-    "@docusaurus/theme-common": "~3.10.0",
-    "@docusaurus/theme-mermaid": "~3.10.0",
+    "@docusaurus/core": "~3.9.0",
+    "@docusaurus/preset-classic": "~3.9.0",
+    "@docusaurus/theme-common": "~3.9.0",
+    "@docusaurus/theme-mermaid": "~3.9.0",
    "@mdi/js": "^7.3.67",
    "@mdi/react": "^1.6.1",
    "@mdx-js/react": "^3.0.0",
@@ -30,17 +30,17 @@
    "postcss": "^8.4.25",
    "prism-react-renderer": "^2.3.1",
    "raw-loader": "^4.0.2",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
+    "react": "^18.0.0",
+    "react-dom": "^18.0.0",
    "tailwindcss": "^3.2.4",
    "url": "^0.11.0"
  },
  "devDependencies": {
-    "@docusaurus/module-type-aliases": "~3.10.0",
-    "@docusaurus/tsconfig": "^3.10.0",
-    "@docusaurus/types": "^3.10.0",
+    "@docusaurus/module-type-aliases": "~3.9.0",
+    "@docusaurus/tsconfig": "^3.7.0",
+    "@docusaurus/types": "^3.7.0",
    "prettier": "^3.7.4",
-    "typescript": "^6.0.0"
+    "typescript": "^5.1.6"
  },
  "browserslist": {
    "production": [
@@ -58,6 +58,6 @@
    "node": ">=20"
  },
  "volta": {
-    "node": "24.15.0"
+    "node": "24.13.1"
  }
 }
@@ -1,11 +1,7 @@
 [
  {
-    "label": "v2.7.5",
-    "url": "https://docs.v2.7.5.archive.immich.app"
-  },
-  {
-    "label": "v2.6.3",
-    "url": "https://docs.v2.6.3.archive.immich.app"
+    "label": "v2.6.2",
+    "url": "https://docs.v2.6.2.archive.immich.app"
  },
  {
    "label": "v2.5.6",
@@ -1,4 +1,8 @@
 {
  // This file is not used in compilation. It is here just for a nice editor experience.
-  "extends": "@docusaurus/tsconfig"
+  "extends": "@docusaurus/tsconfig",
+
+  "compilerOptions": {
+    "baseUrl": "."
+  }
 }
@@ -1,12 +1,5 @@
-import {
-  calculateJwkThumbprint,
-  exportJWK,
-  importPKCS8,
-  importSPKI,
-  SignJWT,
-} from 'jose';
+import { exportJWK, generateKeyPair } from 'jose';
 import Provider from 'oidc-provider';
-import { PRIVATE_KEY_PEM, PUBLIC_KEY_PEM } from './test-keys';

 export enum OAuthClient {
  DEFAULT = 'client-default',
@@ -51,29 +44,6 @@ const claims = [
  },
 ];

-const privateKey = await importPKCS8(PRIVATE_KEY_PEM, 'RS256', {
-  extractable: true,
-});
-const publicKey = await importSPKI(PUBLIC_KEY_PEM, 'RS256', {
-  extractable: true,
-});
-const kid = await calculateJwkThumbprint(await exportJWK(publicKey));
-
-export async function generateLogoutToken(iss: string, sub: string) {
-  return await new SignJWT({
-    iss: iss,
-    aud: OAuthClient.DEFAULT,
-    iat: Math.floor(Date.now() / 1000),
-    jti: crypto.randomUUID(),
-    sub: sub,
-    events: {
-      'http://schemas.openid.net/event/backchannel-logout': {},
-    },
-  })
-    .setProtectedHeader({ alg: 'RS256', typ: 'logout+jwt', kid: kid })
-    .sign(privateKey);
-}
-
 const withDefaultClaims = (sub: string) => ({
  sub,
  email: `${sub}@immich.app`,
@@ -96,9 +66,12 @@ const getClaims = (sub: string, use?: string) => {
 };

 const setup = async () => {
+  const { privateKey, publicKey } = await generateKeyPair('RS256');
+
  const redirectUris = [
    'http://127.0.0.1:2285/auth/login',
    'https://photos.immich.app/oauth/mobile-redirect',
+    ...(process.env.EXTRA_REDIRECT_URIS?.split(',').filter(Boolean) ?? []),
  ];
  const port = 2286;
  const host = '0.0.0.0';
@@ -1,13 +1,14 @@
 {
  "name": "@immich/e2e-auth-server",
  "version": "0.1.0",
+  "packageManager": "pnpm@10.30.3+sha512.c961d1e0a2d8e354ecaa5166b822516668b7f44cb5bd95122d590dd81922f606f5473b6d23ec4a5be05e7fcd18e8488d47d978bbe981872f1145d06e9a740017",
  "type": "module",
  "main": "auth-server.ts",
  "scripts": {
    "start": "tsx startup.ts"
  },
  "devDependencies": {
-    "jose": "^6.0.0",
+    "jose": "^5.6.3",
    "@types/oidc-provider": "^9.0.0",
    "oidc-provider": "^9.0.0",
    "tsx": "^4.20.6"
@@ -1,38 +0,0 @@
-export const PRIVATE_KEY_PEM = `-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCVj5C7hzN3E2HO
-TcJ+DN/e2NSTQFj4rPylz4J8xjm8Es7l0k2kK5EEGvUNVGZbw7s055c+6kwP9eqg
-B5XFE7+26Fcq1sou6Tbm310kU4dnMW5l2CgwrhaGyb1pNysao0AMLT60dFYqtUwn
-ha9ceCsa+ZU1JrknVf3rONtppBvhWoI7CO9XX1keVQ0unHPzCWUjpXTzC8OGEbmB
-2w7ZIUf8OfJkd5RZ4OtIpML71W9n13aDxT50x2/EW/pFLFtQ/oaleOKHpvlRXDRX
-W86G4moUJym3gHMXMUj2aOcFG2UJnpLruKz3i5qZwYiTRlBP6O9EIQNCVtYxchuN
-V1CCcBU1AgMBAAECggEAJLfXMu8Nx89ynPVyyUMMaFfoEpHC9iR0L5obQVpiPMYK
-VRqVVLecdftPS9s7eQ58BNBRzdC0ZVu841aRYs3HLNbsZZhPkYZQpAxU//Dg5okY
-fzj7Hv5yidt4HN9+Pd8z/3lRMnj4WapifLaBt8xJ2ujJBMBRxzJBsXDnT0+Kx7+y
-bYDeuVfyUTEikaK3QZTbuRF3D3eiuN16GG+hv8UqTF2eYbPxdiLjYpTSHa4mH88C
-qfJz2Xt4SEzmyeo3G+MO17wDFOwtEe8ojlJfULHnHJSFdUwTfYIFM1bg5/fJ9MOS
-/fO3TSG+wkQqjQa6eoGssAzP87fL2XNLzlDtGY/7uQKBgQDHuJHOtf1EjOvNYiP7
-EN+8QGs41ghzt9CQRQxWbHpusR3IW3P83KMXwYmrlG70oOUXBRGSB/ESXUofXc5W
-pu5+Y55S44aUnu/a9yOBttYW0dtHZSL0zFT+PlVASwUzFZ2zcH1KXlUkSpfL5OAD
-PyDDTnBZ2AWh45fRO9wLo6PPuQKBgQC/tI03RqU3mOjqukKbquYeIpXHfRU5Z0DM
-u9ru1THYEl6fmkMXycxo/mvW3awyFuyKy/VodqIgKnFgumEqCHZh6OAMm/LC7TfA
-l9tjFSs/MyOqQVD4kbX+z6Oq4c4GccDoXfsQ3gzECoBapegi/F+6/25y+/C8ghXb
-J/Jg1GQXXQKBgQDFgWbfzuVZZyrBfu4qGLPJDMN7/114YizknwPma3xf/tN/EcGQ
-K/k1QvWMMkvPq1UiAKcxjJ0AFjV482FcG9T6NDWbrtmmG88C8Sex3Ue2ZW2+GuwI
-vhDHJIlV/Vp0/Elp7DJa2xLDwuh+gCZvz3vs6KL+ljxrrhCyn8mp0PfsMQKBgFFZ
-KnuETOO0zVGdzFoGQTQUdP58A5+iQwsdxB+I9Ge+E80iRso3ZbhADj7VPhbbR3D2
-b6LuhImluQrUzBpsEOAnU7vGCVPSGdBuIDiBaSKebsn2gYeZPWNtdQQ0YZq2dqek
-Cb/0mfIuipzsvf7qnSza62F7q4IyqVegMegI+Jg5AoGATM3NMy7JZeKzSkm+3ohU
-3xZOwgqKV9SH+0OeYWpuBxT7D7FlrKKI4NJ3XN3hg2f/DJAF6dH11CPe7pk94yol
-HMbh+PQUQ6GYvAzxIOvagWboQ3lzeyubNMpyFjfOrIE/WOQCUBZ9tIwCHIarIuyi
-QRuNOj3+U8T/n1Ww352HBdw=
-----END PRIVATE KEY-----`;
-
-export const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlY+Qu4czdxNhzk3Cfgzf
-3tjUk0BY+Kz8pc+CfMY5vBLO5dJNpCuRBBr1DVRmW8O7NOeXPupMD/XqoAeVxRO/
-tuhXKtbKLuk25t9dJFOHZzFuZdgoMK4Whsm9aTcrGqNADC0+tHRWKrVMJ4WvXHgr
-GvmVNSa5J1X96zjbaaQb4VqCOwjvV19ZHlUNLpxz8wllI6V08wvDhhG5gdsO2SFH
-/DnyZHeUWeDrSKTC+9VvZ9d2g8U+dMdvxFv6RSxbUP6GpXjih6b5UVw0V1vOhuJq
-FCcpt4BzFzFI9mjnBRtlCZ6S67is94uamcGIk0ZQT+jvRCEDQlbWMXIbjVdQgnAV
-NQIDAQAB
-----END PUBLIC KEY-----`;
@@ -1 +1 @@
-24.15.0
+24.13.1
@@ -0,0 +1,40 @@
+FROM node:22-bookworm-slim
+
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
+
+RUN corepack enable && corepack prepare pnpm@10.30.3 --activate
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    docker.io \
+    unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml .pnpmfile.cjs ./
+COPY open-api/typescript-sdk/package.json open-api/typescript-sdk/
+COPY cli/package.json cli/
+COPY web/package.json web/
+COPY e2e/package.json e2e/
+COPY e2e-auth-server/package.json e2e-auth-server/
+
+RUN pnpm install --frozen-lockfile
+
+COPY open-api/typescript-sdk/ open-api/typescript-sdk/
+RUN pnpm --filter @immich/sdk build
+
+COPY cli/ cli/
+RUN pnpm --filter @immich/cli build && ln -s /app/cli/bin/immich /app/cli/node_modules/.bin/immich
+
+COPY web/svelte.config.js web/vite.config.ts web/tsconfig.json web/
+COPY web/src/ web/src/
+COPY web/static/ web/static/
+RUN pnpm --filter immich-web exec svelte-kit sync
+
+COPY e2e/ e2e/
+COPY e2e-auth-server/ e2e-auth-server/
+
+RUN pnpm --filter immich-e2e exec playwright install --with-deps chromium
+
+WORKDIR /app/e2e
@@ -0,0 +1,23 @@
+.vscode/
+.github/
+.git/
+*.log
+*.tmp
+*.temp
+
+**/node_modules/
+**/.pnpm-store/
+**/dist/
+**/coverage/
+**/build/
+
+design/
+docker/
+docs/
+fastlane/
+machine-learning/
+misc/
+mobile/
+server/
+plugins/
+i18n/
@@ -0,0 +1,16 @@
+name: immich-e2e
+
+services:
+  e2e-auth-server:
+    build:
+      cache_from:
+        - type=gha,scope=e2e-auth-${RUNNER_ARCH:-X64}
+      cache_to:
+        - type=gha,mode=max,scope=e2e-auth-${RUNNER_ARCH:-X64}
+
+  e2e-runner:
+    build:
+      cache_from:
+        - type=gha,scope=e2e-runner-${RUNNER_ARCH:-X64}
+      cache_to:
+        - type=gha,mode=max,scope=e2e-runner-${RUNNER_ARCH:-X64}
@@ -5,6 +5,8 @@ services:
    container_name: immich-e2e-auth-server
    build:
      context: ../e2e-auth-server
+    environment:
+      EXTRA_REDIRECT_URIS: http://immich-server:2285/auth/login
    ports:
      - 2286:2286

@@ -15,8 +17,7 @@ services:
      context: ../
      dockerfile: server/Dockerfile
      cache_from:
-        - type=registry,ref=ghcr.io/immich-app/immich-server-build-cache:linux-amd64-cc099f297acd18c924b35ece3245215b53d106eb2518e3af6415931d055746cd-main
-        - type=registry,ref=ghcr.io/immich-app/immich-server-build-cache:linux-arm64-cc099f297acd18c924b35ece3245215b53d106eb2518e3af6415931d055746cd-main
+        - type=registry,ref=ghcr.io/immich-app/immich-server-build-cache:${SERVER_CACHE_KEY:-linux-amd64-cc099f297acd18c924b35ece3245215b53d106eb2518e3af6415931d055746cd-main}
      args:
        - BUILD_ID=1234567890
        - BUILD_IMAGE=e2e
@@ -44,7 +45,7 @@ services:

  redis:
    container_name: immich-e2e-redis
-    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
    healthcheck:
      test: redis-cli ping || exit 1

@@ -65,3 +66,30 @@ services:
      timeout: 5s
      retries: 30
      start_period: 10s
+
+  e2e-runner:
+    container_name: immich-e2e-runner
+    build:
+      context: ../
+      dockerfile: e2e/Dockerfile.playwright
+    network_mode: 'service:immich-server'
+    shm_size: 1gb
+    environment:
+      PLAYWRIGHT_DB_HOST: database
+      PLAYWRIGHT_DB_PORT: '5432'
+      PLAYWRIGHT_DISABLE_WEBSERVER: 'true'
+      PLAYWRIGHT_AUTH_SERVER_URL: http://e2e-auth-server:2286
+      VITEST_DISABLE_DOCKER_SETUP: 'true'
+      CI: '${CI:-}'
+    volumes:
+      - ./test-assets:/app/e2e/test-assets
+      - ./playwright-report:/app/e2e/playwright-report
+      - ./blob-report:/app/e2e/blob-report
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on:
+      immich-server:
+        condition: service_started
+      database:
+        condition: service_healthy
+    profiles:
+      - test
@@ -1,6 +1,6 @@
 {
  "name": "immich-e2e",
-  "version": "2.7.5",
+  "version": "2.6.2",
  "description": "",
  "main": "index.js",
  "type": "module",
@@ -32,15 +32,15 @@
    "@playwright/test": "^1.44.1",
    "@socket.io/component-emitter": "^3.1.2",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.11.0",
    "@types/pg": "^8.15.1",
    "@types/pngjs": "^6.0.4",
-    "@types/supertest": "^7.0.0",
+    "@types/supertest": "^6.0.2",
    "dotenv": "^17.2.3",
    "eslint": "^10.0.0",
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-unicorn": "^64.0.0",
+    "eslint-plugin-unicorn": "^63.0.0",
    "exiftool-vendored": "^35.0.0",
    "globals": "^17.0.0",
    "luxon": "^3.4.4",
@@ -51,13 +51,13 @@
    "sharp": "^0.34.5",
    "socket.io-client": "^4.7.4",
    "supertest": "^7.0.0",
-    "typescript": "^6.0.0",
+    "typescript": "^5.3.3",
    "typescript-eslint": "^8.28.0",
    "utimes": "^5.2.1",
    "vite-tsconfig-paths": "^6.1.1",
    "vitest": "^4.0.0"
  },
  "volta": {
-    "node": "24.15.0"
+    "node": "24.13.1"
  }
 }
@@ -7,6 +7,7 @@ dotenv.config({ quiet: true, path: resolve(import.meta.dirname, '.env') });

 export const playwrightHost = process.env.PLAYWRIGHT_HOST ?? '127.0.0.1';
 export const playwrightDbHost = process.env.PLAYWRIGHT_DB_HOST ?? '127.0.0.1';
+export const playwrightDbPort = process.env.PLAYWRIGHT_DB_PORT ?? '5435';
 export const playwriteBaseUrl = process.env.PLAYWRIGHT_BASE_URL ?? `http://${playwrightHost}:2285`;
 export const playwriteSlowMo = Number.parseInt(process.env.PLAYWRIGHT_SLOW_MO ?? '0');
 export const playwrightDisableWebserver = process.env.PLAYWRIGHT_DISABLE_WEBSERVER;
@@ -19,7 +20,11 @@ const config: PlaywrightTestConfig = {
  fullyParallel: false,
  forbidOnly: !!process.env.CI,
  retries: process.env.CI ? 4 : 0,
-  reporter: 'html',
+  reporter: [
+    ['html'],
+    ['json', { outputFile: 'playwright-report/test-results.json' }],
+    ...(process.env.CI ? [['blob', { outputDir: 'blob-report' }] as const] : []),
+  ],
  use: {
    baseURL: playwriteBaseUrl,
    trace: 'on-first-retry',
@@ -43,7 +48,7 @@ const config: PlaywrightTestConfig = {
      use: { ...devices['Desktop Chrome'] },
      testDir: './src/ui/specs',
      fullyParallel: true,
-      workers: process.env.CI ? 3 : Math.max(1, Math.round(cpus().length * 0.75) - 1),
+      workers: process.env.CI ? 3 : Math.min(10, Math.max(1, Math.round(cpus().length * 0.75) - 1)),
    },
    {
      name: 'maintenance',
@@ -1,651 +0,0 @@
-import { LoginResponseDto } from '@immich/sdk';
-import { createUserDto, uuidDto } from 'src/fixtures';
-import { errorDto } from 'src/responses';
-import { app, utils } from 'src/utils';
-import request from 'supertest';
-import { beforeAll, beforeEach, describe, expect, it } from 'vitest';
-
-describe('/duplicates', () => {
-  let admin: LoginResponseDto;
-  let user1: LoginResponseDto;
-  let user2: LoginResponseDto;
-
-  beforeAll(async () => {
-    await utils.resetDatabase();
-
-    admin = await utils.adminSetup();
-
-    [user1, user2] = await Promise.all([
-      utils.userSetup(admin.accessToken, createUserDto.user1),
-      utils.userSetup(admin.accessToken, createUserDto.user2),
-    ]);
-  });
-
-  beforeEach(async () => {
-    // Reset assets, albums, tags, and stacks between tests to ensure clean state for repeated test runs
-    // Note: We don't reset users since they're set up once in beforeAll
-    // Stack must be reset before asset due to foreign key constraint
-    await utils.resetDatabase(['stack', 'asset', 'album', 'tag']);
-  });
-
-  describe('GET /duplicates', () => {
-    it('should return empty array when no duplicates', async () => {
-      const { status, body } = await request(app)
-        .get('/duplicates')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-
-      expect(status).toBe(200);
-      expect(body).toEqual([]);
-    });
-
-    it('should return duplicate groups with suggestedKeepAssetIds', async () => {
-      // Create assets with different file sizes for duplicate detection
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Manually set duplicateId on both assets to create a duplicate group
-      const duplicateId = '00000000-0000-4000-8000-000000000001';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .get('/duplicates')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-
-      expect(status).toBe(200);
-      expect(body).toEqual([
-        {
-          duplicateId,
-          assets: expect.arrayContaining([
-            expect.objectContaining({ id: asset1.id }),
-            expect.objectContaining({ id: asset2.id }),
-          ]),
-          suggestedKeepAssetIds: expect.any(Array),
-        },
-      ]);
-      expect(body[0].suggestedKeepAssetIds.length).toBe(1);
-    });
-  });
-
-  describe('POST /duplicates/resolve', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .send({
-          groups: [{ duplicateId: uuidDto.dummy, keepAssetIds: [], trashAssetIds: [] }],
-        });
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should return failure for non-existent duplicate group', async () => {
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId: uuidDto.dummy, keepAssetIds: [], trashAssetIds: [] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body).toEqual({
-        status: 'COMPLETED',
-        results: [
-          {
-            duplicateId: uuidDto.dummy,
-            status: 'FAILED',
-            reason: expect.stringContaining('not found or access denied'),
-          },
-        ],
-      });
-    });
-
-    it('should resolve duplicate group with keepers', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000002';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body).toEqual({
-        status: 'COMPLETED',
-        results: [
-          {
-            duplicateId,
-            status: 'SUCCESS',
-          },
-        ],
-      });
-
-      // Verify side effects: duplicateId cleared on kept asset
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.duplicateId).toBeNull();
-
-      // Verify side effects: trashed asset is trashed and duplicateId cleared
-      const trashedAsset = await utils.getAssetInfo(user1.accessToken, asset2.id);
-      expect(trashedAsset.isTrashed).toBe(true);
-      expect(trashedAsset.duplicateId).toBeNull();
-    });
-
-    it('should reject when keepAssetIds and trashAssetIds overlap', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000003';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset1.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('FAILED');
-      expect(body.results[0].reason).toContain('disjoint');
-    });
-
-    it('should require keepAssetIds when partially trashing', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000004';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [], trashAssetIds: [asset1.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('FAILED');
-      expect(body.results[0].reason).toContain('must cover all assets');
-    });
-
-    it('should reject partial resolution (not all assets covered)', async () => {
-      const [asset1, asset2, asset3] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000010';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset3.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('FAILED');
-      expect(body.results[0].reason).toContain('must cover all assets');
-    });
-
-    it('should reject asset not in duplicate group', async () => {
-      const [asset1, asset2, outsideAsset] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000011';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [outsideAsset.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('FAILED');
-      expect(body.results[0].reason).toContain('not a member of duplicate group');
-    });
-
-    it('should allow trash-all without keepers', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000012';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [], trashAssetIds: [asset1.id, asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body).toEqual({
-        status: 'COMPLETED',
-        results: [
-          {
-            duplicateId,
-            status: 'SUCCESS',
-          },
-        ],
-      });
-
-      // Verify both assets are trashed
-      const [asset1Info, asset2Info] = await Promise.all([
-        utils.getAssetInfo(user1.accessToken, asset1.id),
-        utils.getAssetInfo(user1.accessToken, asset2.id),
-      ]);
-
-      expect(asset1Info.isTrashed).toBe(true);
-      expect(asset1Info.duplicateId).toBeNull();
-      expect(asset2Info.isTrashed).toBe(true);
-      expect(asset2Info.duplicateId).toBeNull();
-    });
-
-    it('should reject cross-user duplicate group access', async () => {
-      const asset1 = await utils.createAsset(user1.accessToken);
-      const asset2 = await utils.createAsset(user2.accessToken);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000013';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user2.accessToken, asset2.id, duplicateId);
-
-      // User1 tries to resolve a group containing user2's asset
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('FAILED');
-      expect(body.results[0].reason).toContain('not a member of duplicate group');
-    });
-
-    it('should synchronize favorites when enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Mark one asset as favorite
-      await request(app)
-        .put('/assets')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ ids: [asset2.id], isFavorite: true });
-
-      const duplicateId = '00000000-0000-4000-8000-000000000020';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify favorite was synchronized to keeper
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.isFavorite).toBe(true);
-      expect(keptAsset.duplicateId).toBeNull();
-    });
-
-    it('should synchronize visibility when enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Archive one asset
-      await utils.archiveAssets(user1.accessToken, [asset2.id]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000021';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify visibility was synchronized to keeper
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.visibility).toBe('archive');
-      expect(keptAsset.duplicateId).toBeNull();
-    });
-
-    it('should synchronize rating when enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Set rating on one asset
-      await request(app)
-        .put('/assets')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ ids: [asset2.id], rating: 5 });
-
-      const duplicateId = '00000000-0000-4000-8000-000000000022';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify rating was synchronized to keeper
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.exifInfo?.rating).toBe(5);
-      expect(keptAsset.duplicateId).toBeNull();
-    });
-
-    it('should synchronize description when enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Set description on one asset
-      await request(app)
-        .put('/assets')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ ids: [asset2.id], description: 'Test description for duplicate' });
-
-      const duplicateId = '00000000-0000-4000-8000-000000000023';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify description was synchronized to keeper
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.exifInfo?.description).toBe('Test description for duplicate');
-      expect(keptAsset.duplicateId).toBeNull();
-    });
-
-    it('should synchronize location when enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Set location on one asset
-      await request(app)
-        .put('/assets')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ ids: [asset2.id], latitude: 40.7128, longitude: -74.006 });
-
-      const duplicateId = '00000000-0000-4000-8000-000000000024';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify location was synchronized to keeper
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.exifInfo?.latitude).toBe(40.7128);
-      expect(keptAsset.exifInfo?.longitude).toBe(-74.006);
-      expect(keptAsset.duplicateId).toBeNull();
-    });
-
-    it('should synchronize albums when enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Create albums and add assets to different albums
-      const album1 = await utils.createAlbum(user1.accessToken, {
-        albumName: 'Album 1',
-        assetIds: [asset1.id],
-      });
-      const album2 = await utils.createAlbum(user1.accessToken, {
-        albumName: 'Album 2',
-        assetIds: [asset2.id],
-      });
-
-      const duplicateId = '00000000-0000-4000-8000-000000000025';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify keeper is now in both albums
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.duplicateId).toBeNull();
-
-      // Check albums directly
-      const { status: album1Status, body: album1Body } = await request(app)
-        .get(`/albums/${album1.id}`)
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      const { status: album2Status, body: album2Body } = await request(app)
-        .get(`/albums/${album2.id}`)
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-
-      expect(album1Status).toBe(200);
-      expect(album2Status).toBe(200);
-      expect(album1Body.assets.map((a: any) => a.id)).toContain(asset1.id);
-      expect(album2Body.assets.map((a: any) => a.id)).toContain(asset1.id);
-    });
-
-    it('should synchronize tags when enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      // Wait for metadata extraction to complete before adding tags
-      // Otherwise, metadata jobs will race and overwrite our tags
-      await utils.waitForQueueFinish(admin.accessToken, 'metadataExtraction');
-
-      // Create tags and tag assets differently
-      const tags = await utils.upsertTags(user1.accessToken, ['tag1', 'tag2']);
-      await utils.tagAssets(user1.accessToken, tags[0].id, [asset1.id]);
-      await utils.tagAssets(user1.accessToken, tags[1].id, [asset2.id]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000026';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify keeper has both tags
-      const keptAsset = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(keptAsset.duplicateId).toBeNull();
-      expect(keptAsset.tags).toBeDefined();
-      const tagIds = keptAsset.tags?.map((t) => t.id) || [];
-      expect(tagIds).toContain(tags[0].id);
-      expect(tagIds).toContain(tags[1].id);
-    });
-
-    it('should handle batch resolve with mixed success and failure', async () => {
-      // Create first group that will succeed
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-      const duplicateId1 = '00000000-0000-4000-8000-000000000027';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId1);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId1);
-
-      // Create second group with non-existent duplicate ID (will fail)
-      const fakeId = '00000000-0000-4000-8000-000000000099';
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [
-            { duplicateId: duplicateId1, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] },
-            { duplicateId: fakeId, keepAssetIds: [], trashAssetIds: [] },
-          ],
-        });
-
-      expect(status).toBe(200);
-      expect(body.status).toBe('COMPLETED');
-      expect(body.results).toHaveLength(2);
-
-      // First group should succeed
-      expect(body.results[0].duplicateId).toBe(duplicateId1);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Second group should fail
-      expect(body.results[1].duplicateId).toBe(fakeId);
-      expect(body.results[1].status).toBe('FAILED');
-      expect(body.results[1].reason).toContain('not found or access denied');
-
-      // Verify first group was actually resolved despite second failure
-      const asset1Info = await utils.getAssetInfo(user1.accessToken, asset1.id);
-      expect(asset1Info.duplicateId).toBeNull();
-      const asset2Info = await utils.getAssetInfo(user1.accessToken, asset2.id);
-      expect(asset2Info.isTrashed).toBe(true);
-    });
-
-    it('should trash assets when trash is enabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000028';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      // Ensure trash is enabled (default)
-      const config = await utils.getSystemConfig(admin.accessToken);
-      expect(config.trash.enabled).toBe(true);
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Verify asset is trashed (not deleted)
-      const trashedAsset = await utils.getAssetInfo(user1.accessToken, asset2.id);
-      expect(trashedAsset.isTrashed).toBe(true);
-    });
-
-    it('should delete assets when trash is disabled', async () => {
-      const [asset1, asset2] = await Promise.all([
-        utils.createAsset(user1.accessToken),
-        utils.createAsset(user1.accessToken),
-      ]);
-
-      const duplicateId = '00000000-0000-4000-8000-000000000029';
-      await utils.setAssetDuplicateId(user1.accessToken, asset1.id, duplicateId);
-      await utils.setAssetDuplicateId(user1.accessToken, asset2.id, duplicateId);
-
-      // Disable trash
-      await request(app)
-        .put('/system-config')
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({
-          trash: { enabled: false, days: 30 },
-        });
-
-      const { status, body } = await request(app)
-        .post('/duplicates/resolve')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({
-          groups: [{ duplicateId, keepAssetIds: [asset1.id], trashAssetIds: [asset2.id] }],
-        });
-
-      expect(status).toBe(200);
-      expect(body.results[0].status).toBe('SUCCESS');
-
-      // Asset should be marked as deleted (force delete)
-      const { status: getStatus } = await request(app)
-        .get(`/assets/${asset2.id}`)
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-
-      // Asset should still be accessible (soft deleted) but marked as deleted
-      expect(getStatus).toBe(200);
-
-      // Re-enable trash for other tests
-      await utils.resetAdminConfig(admin.accessToken);
-    });
-  });
-});
@@ -2,8 +2,6 @@ export const uuidDto = {
  invalid: 'invalid-uuid',
  // valid uuid v4
  notFound: '00000000-0000-4000-a000-000000000000',
-  dummy: '00000000-0000-4000-a000-000000000001',
-  dummy2: '00000000-0000-4000-a000-000000000002',
 };

 const adminLoginDto = {
@@ -2,44 +2,82 @@ import { expect } from 'vitest';

 export const errorDto = {
  unauthorized: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Authentication required',
+    correlationId: expect.any(String),
  },
  unauthorizedWithMessage: (message: string) => ({
+    error: 'Unauthorized',
+    statusCode: 401,
    message,
+    correlationId: expect.any(String),
  }),
  forbidden: {
+    error: 'Forbidden',
+    statusCode: 403,
    message: expect.any(String),
+    correlationId: expect.any(String),
  },
  missingPermission: (permission: string) => ({
+    error: 'Forbidden',
+    statusCode: 403,
    message: `Missing required permission: ${permission}`,
+    correlationId: expect.any(String),
  }),
  wrongPassword: {
+    error: 'Bad Request',
+    statusCode: 400,
    message: 'Wrong password',
+    correlationId: expect.any(String),
  },
  invalidToken: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Invalid user token',
+    correlationId: expect.any(String),
  },
  invalidShareKey: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Invalid share key',
+    correlationId: expect.any(String),
  },
  passwordRequired: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Password required',
+    correlationId: expect.any(String),
  },
  badRequest: (message: any = null) => ({
+    error: 'Bad Request',
+    statusCode: 400,
    message: message ?? expect.anything(),
-  }),
-  validationError: (errors?: ReadonlyArray<{ path: ReadonlyArray<string | number>; message: string }>) => ({
-    message: 'Validation failed',
-    errors: errors ? expect.arrayContaining(errors.map((e) => expect.objectContaining(e))) : expect.any(Array),
+    correlationId: expect.any(String),
  }),
  noPermission: {
+    error: 'Bad Request',
+    statusCode: 400,
    message: expect.stringContaining('Not found or no'),
+    correlationId: expect.any(String),
  },
  incorrectLogin: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Incorrect email or password',
+    correlationId: expect.any(String),
  },
  alreadyHasAdmin: {
+    error: 'Bad Request',
+    statusCode: 400,
    message: 'The server already has an admin',
+    correlationId: expect.any(String),
+  },
+  invalidEmail: {
+    error: 'Bad Request',
+    statusCode: 400,
+    message: ['email must be an email'],
+    correlationId: expect.any(String),
  },
 };

@@ -10,9 +10,7 @@ describe('/admin/database-backups', () => {

  beforeAll(async () => {
    await utils.resetDatabase();
-    admin = await utils.adminSetup({
-      onboarding: false,
-    });
+    admin = await utils.adminSetup();
    await utils.resetBackups(admin.accessToken);
  });

@@ -96,9 +94,7 @@ describe('/admin/database-backups', () => {
        ({ status, body }) => status === 200 && !body.maintenanceMode,
      );

-      admin = await utils.adminSetup({
-        onboarding: false,
-      });
+      admin = await utils.adminSetup();
    });

    it.sequential('should not work when the server is configured', async () => {
@@ -130,11 +130,12 @@ describe('/albums', () => {
  describe('GET /albums', () => {
    it("should not show other users' favorites", async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[0].id}`)
+        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
        .set('Authorization', `Bearer ${user2.accessToken}`);
      expect(status).toEqual(200);
      expect(body).toEqual({
        ...user1Albums[0],
+        assets: [expect.objectContaining({ isFavorite: false })],
        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
        lastModifiedAssetTimestamp: expect.any(String),
        startDate: expect.any(String),
@@ -154,31 +155,23 @@ describe('/albums', () => {
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedLink,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedEditorUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedViewerUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user2.userId,
            albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
            shared: true,
          }),
        ]),
@@ -192,31 +185,23 @@ describe('/albums', () => {
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedEditorUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedViewerUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedLink,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1NotShared,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: false,
          }),
        ]),
@@ -232,31 +217,23 @@ describe('/albums', () => {
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedEditorUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedViewerUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1SharedLink,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: true,
          }),
          expect.objectContaining({
+            ownerId: user2.userId,
            albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
            shared: true,
          }),
        ]),
@@ -272,10 +249,8 @@ describe('/albums', () => {
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
+            ownerId: user1.userId,
            albumName: user1NotShared,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
            shared: false,
          }),
        ]),
@@ -312,17 +287,13 @@ describe('/albums', () => {
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
+            ownerId: user4.userId,
            albumName: user4DeletedAsset,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user4.userId }) },
-            ]),
            shared: false,
          }),
          expect.objectContaining({
+            ownerId: user4.userId,
            albumName: user4Empty,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user4.userId }) },
-            ]),
            shared: false,
          }),
        ]),
@@ -333,12 +304,13 @@ describe('/albums', () => {
  describe('GET /albums/:id', () => {
    it('should return album info for own album', async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[0].id}`)
+        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
      expect(body).toEqual({
        ...user1Albums[0],
+        assets: [expect.objectContaining({ id: user1Albums[0].assets[0].id })],
        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
        lastModifiedAssetTimestamp: expect.any(String),
        startDate: expect.any(String),
@@ -350,7 +322,7 @@ describe('/albums', () => {

    it('should return album info for shared album (editor)', async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user2Albums[0].id}`)
+        .get(`/albums/${user2Albums[0].id}?withoutAssets=false`)
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
@@ -359,14 +331,14 @@ describe('/albums', () => {

    it('should return album info for shared album (viewer)', async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[3].id}`)
+        .get(`/albums/${user1Albums[3].id}?withoutAssets=false`)
        .set('Authorization', `Bearer ${user2.accessToken}`);

      expect(status).toBe(200);
      expect(body).toMatchObject({ id: user1Albums[3].id });
    });

-    it('should return album info', async () => {
+    it('should return album info with assets when withoutAssets is undefined', async () => {
      const { status, body } = await request(app)
        .get(`/albums/${user1Albums[0].id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
@@ -374,6 +346,25 @@ describe('/albums', () => {
      expect(status).toBe(200);
      expect(body).toEqual({
        ...user1Albums[0],
+        assets: [expect.objectContaining({ id: user1Albums[0].assets[0].id })],
+        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
+        lastModifiedAssetTimestamp: expect.any(String),
+        startDate: expect.any(String),
+        endDate: expect.any(String),
+        albumUsers: expect.any(Array),
+        shared: true,
+      });
+    });
+
+    it('should return album info without assets when withoutAssets is true', async () => {
+      const { status, body } = await request(app)
+        .get(`/albums/${user1Albums[0].id}?withoutAssets=true`)
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        ...user1Albums[0],
+        assets: [],
        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
        assetCount: 1,
        lastModifiedAssetTimestamp: expect.any(String),
@@ -388,21 +379,21 @@ describe('/albums', () => {
      await utils.deleteAssets(user1.accessToken, [user1Asset2.id]);

      const { status, body } = await request(app)
-        .get(`/albums/${user2Albums[0].id}`)
+        .get(`/albums/${user2Albums[0].id}?withoutAssets=true`)
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
-      expect(body).toEqual(
-        expect.objectContaining({
-          contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
-          assetCount: 1,
-          lastModifiedAssetTimestamp: expect.any(String),
-          endDate: expect.any(String),
-          startDate: expect.any(String),
-          albumUsers: expect.any(Array),
-          shared: true,
-        }),
-      );
+      expect(body).toEqual({
+        ...user2Albums[0],
+        assets: [],
+        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
+        assetCount: 1,
+        lastModifiedAssetTimestamp: expect.any(String),
+        endDate: expect.any(String),
+        startDate: expect.any(String),
+        albumUsers: expect.any(Array),
+        shared: true,
+      });
    });
  });

@@ -428,13 +419,16 @@ describe('/albums', () => {
        id: expect.any(String),
        createdAt: expect.any(String),
        updatedAt: expect.any(String),
+        ownerId: user1.userId,
        albumName: 'New album',
        description: '',
        albumThumbnailAssetId: null,
        shared: false,
-        albumUsers: [{ role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) }],
+        albumUsers: [],
        hasSharedLink: false,
+        assets: [],
        assetCount: 0,
+        owner: expect.objectContaining({ email: user1.userEmail }),
        isActivityEnabled: true,
        order: AssetOrder.Desc,
      });
@@ -650,11 +644,11 @@ describe('/albums', () => {
      expect(status).toBe(200);
      expect(body).toEqual(
        expect.objectContaining({
-          albumUsers: expect.arrayContaining([
+          albumUsers: [
            expect.objectContaining({
              user: expect.objectContaining({ id: user2.userId }),
            }),
-          ]),
+          ],
        }),
      );
    });
@@ -666,7 +660,7 @@ describe('/albums', () => {
        .send({ albumUsers: [{ userId: user1.userId, role: AlbumUserRole.Editor }] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest('User already added'));
+      expect(body).toEqual(errorDto.badRequest('Cannot be shared with owner'));
    });

    it('should not be able to add existing user to shared album', async () => {
@@ -692,7 +686,7 @@ describe('/albums', () => {
        albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Viewer }],
      });

-      expect(album.albumUsers[1].role).toEqual(AlbumUserRole.Viewer);
+      expect(album.albumUsers[0].role).toEqual(AlbumUserRole.Viewer);

      const { status } = await request(app)
        .put(`/albums/${album.id}/user/${user2.userId}`)
@@ -707,10 +701,7 @@ describe('/albums', () => {
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(body).toEqual(
        expect.objectContaining({
-          albumUsers: [
-            expect.objectContaining({ role: AlbumUserRole.Owner }),
-            expect.objectContaining({ role: AlbumUserRole.Editor }),
-          ],
+          albumUsers: [expect.objectContaining({ role: AlbumUserRole.Editor })],
        }),
      );
    });
@@ -721,7 +712,7 @@ describe('/albums', () => {
        albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Viewer }],
      });

-      expect(album.albumUsers[1].role).toEqual(AlbumUserRole.Viewer);
+      expect(album.albumUsers[0].role).toEqual(AlbumUserRole.Viewer);

      const { status, body } = await request(app)
        .put(`/albums/${album.id}/user/${user2.userId}`)
@@ -1,6 +1,7 @@
 import {
  AssetMediaResponseDto,
  AssetMediaStatus,
+  AssetResponseDto,
  AssetTypeEnum,
  AssetVisibility,
  getAssetInfo,
@@ -18,7 +19,7 @@ import { Socket } from 'socket.io-client';
 import { createUserDto, uuidDto } from 'src/fixtures';
 import { makeRandomImage } from 'src/generators';
 import { errorDto } from 'src/responses';
-import { app, asBearerAuth, tempDir, testAssetDir, utils } from 'src/utils';
+import { app, asBearerAuth, tempDir, TEN_TIMES, testAssetDir, utils } from 'src/utils';
 import request from 'supertest';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';

@@ -94,8 +95,8 @@ describe('/asset', () => {
      utils.createAsset(user1.accessToken),
      utils.createAsset(user1.accessToken, {
        isFavorite: true,
-        fileCreatedAt: yesterday.toUTC().toISO(),
-        fileModifiedAt: yesterday.toUTC().toISO(),
+        fileCreatedAt: yesterday.toISO(),
+        fileModifiedAt: yesterday.toISO(),
        assetData: { filename: 'example.mp4' },
      }),
      utils.createAsset(user1.accessToken),
@@ -379,12 +380,62 @@ describe('/asset', () => {
    });
  });

+  describe('GET /assets/random', () => {
+    beforeAll(async () => {
+      await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      await utils.waitForQueueFinish(admin.accessToken, 'thumbnailGeneration');
+    });
+
+    it.each(TEN_TIMES)('should return 1 random assets', async () => {
+      const { status, body } = await request(app)
+        .get('/assets/random')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+
+      const assets: AssetResponseDto[] = body;
+      expect(assets.length).toBe(1);
+      expect(assets[0].ownerId).toBe(user1.userId);
+    });
+
+    it.each(TEN_TIMES)('should return 2 random assets', async () => {
+      const { status, body } = await request(app)
+        .get('/assets/random?count=2')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+
+      const assets: AssetResponseDto[] = body;
+      expect(assets.length).toBe(2);
+
+      for (const asset of assets) {
+        expect(asset.ownerId).toBe(user1.userId);
+      }
+    });
+
+    it.skip('should return 1 asset if there are 10 assets in the database but user 2 only has 1', async () => {
+      const { status, body } = await request(app)
+        .get('/assets/random')
+        .set('Authorization', `Bearer ${user2.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toEqual([expect.objectContaining({ id: user2Assets[0].id })]);
+    });
+  });
+
  describe('PUT /assets/:id', () => {
    it('should require access', async () => {
      const { status, body } = await request(app)
        .put(`/assets/${user2Assets[0].id}`)
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({});
+        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(400);
      expect(body).toEqual(errorDto.noPermission);
    });
@@ -1091,6 +1142,8 @@ describe('/asset', () => {
      const { body, status } = await request(app)
        .post('/assets')
        .set('Authorization', `Bearer ${quotaUser.accessToken}`)
+        .field('deviceAssetId', 'example-image')
+        .field('deviceId', 'e2e')
        .field('fileCreatedAt', new Date().toISOString())
        .field('fileModifiedAt', new Date().toISOString())
        .attach('assetData', makeRandomImage(), 'example.jpg');
@@ -1107,6 +1160,8 @@ describe('/asset', () => {
      const { body, status } = await request(app)
        .post('/assets')
        .set('Authorization', `Bearer ${quotaUser.accessToken}`)
+        .field('deviceAssetId', 'example-image')
+        .field('deviceId', 'e2e')
        .field('fileCreatedAt', new Date().toISOString())
        .field('fileModifiedAt', new Date().toISOString())
        .attach('assetData', randomBytes(2014), 'example.jpg');
@@ -1160,4 +1215,29 @@ describe('/asset', () => {
      expect(video.checksum).toStrictEqual(checksum);
    });
  });
+
+  describe('POST /assets/exist', () => {
+    it('ignores invalid deviceAssetIds', async () => {
+      const response = await utils.checkExistingAssets(user1.accessToken, {
+        deviceId: 'test-assets-exist',
+        deviceAssetIds: ['invalid', 'INVALID'],
+      });
+
+      expect(response.existingIds).toHaveLength(0);
+    });
+
+    it('returns the IDs of existing assets', async () => {
+      await utils.createAsset(user1.accessToken, {
+        deviceId: 'test-assets-exist',
+        deviceAssetId: 'test-asset-0',
+      });
+
+      const response = await utils.checkExistingAssets(user1.accessToken, {
+        deviceId: 'test-assets-exist',
+        deviceAssetIds: ['test-asset-0'],
+      });
+
+      expect(response.existingIds).toEqual(['test-asset-0']);
+    });
+  });
 });
@@ -110,9 +110,7 @@ describe('/libraries', () => {
        });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All importPaths's elements must be unique"]));
    });

    it('should not create an external library with duplicate exclusion patterns', async () => {
@@ -127,9 +125,7 @@ describe('/libraries', () => {
        });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All exclusionPatterns's elements must be unique"]));
    });
  });

@@ -161,9 +157,7 @@ describe('/libraries', () => {
        .send({ name: '' });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['name'], message: 'Too small: expected string to have >=1 characters' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['name should not be empty']));
    });

    it('should change the import paths', async () => {
@@ -187,9 +181,7 @@ describe('/libraries', () => {
        .send({ importPaths: [''] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array items must not be empty' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['each value in importPaths should not be empty']));
    });

    it('should reject duplicate import paths', async () => {
@@ -199,9 +191,7 @@ describe('/libraries', () => {
        .send({ importPaths: ['/path', '/path'] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All importPaths's elements must be unique"]));
    });

    it('should change the exclusion pattern', async () => {
@@ -225,9 +215,7 @@ describe('/libraries', () => {
        .send({ exclusionPatterns: ['**/*.jpg', '**/*.jpg'] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All exclusionPatterns's elements must be unique"]));
    });

    it('should reject an empty exclusion pattern', async () => {
@@ -237,9 +225,7 @@ describe('/libraries', () => {
        .send({ exclusionPatterns: [''] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array items must not be empty' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['each value in exclusionPatterns should not be empty']));
    });
  });

@@ -109,9 +109,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lon=123')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lat must be a number between -90 and 90']));
    });

    it('should throw an error if a lat is not a number', async () => {
@@ -119,9 +117,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=abc&lon=123.456')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lat must be a number between -90 and 90']));
    });

    it('should throw an error if a lat is out of range', async () => {
@@ -129,9 +125,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=91&lon=123.456')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Too big: expected number to be <=90' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lat must be a number between -90 and 90']));
    });

    it('should throw an error if a lon is not provided', async () => {
@@ -139,9 +133,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=75')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lon'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lon must be a number between -180 and 180']));
    });

    const reverseGeocodeTestCases = [
@@ -1,10 +1,9 @@
-import { OAuthClient, OAuthUser, generateLogoutToken } from '@immich/e2e-auth-server';
+import { OAuthClient, OAuthUser } from '@immich/e2e-auth-server';
 import {
  LoginResponseDto,
  SystemConfigOAuthDto,
  getConfigDefaults,
  getMyUser,
-  getSessions,
  startOAuth,
  updateConfig,
 } from '@immich/sdk';
@@ -16,7 +15,7 @@ import { beforeAll, describe, expect, it } from 'vitest';

 const authServer = {
  internal: 'http://e2e-auth-server:2286',
-  external: 'http://127.0.0.1:2286',
+  external: process.env.PLAYWRIGHT_AUTH_SERVER_URL ?? 'http://127.0.0.1:2286',
 };

 const mobileOverrideRedirectUri = 'https://photos.immich.app/oauth/mobile-redirect';
@@ -77,7 +76,6 @@ const setupOAuth = async (token: string, dto: Partial<SystemConfigOAuthDto>) =>
    ...defaults.oauth,
    buttonText: 'Login with Immich',
    issuerUrl: `${authServer.internal}/.well-known/openid-configuration`,
-    allowInsecureRequests: true,
    ...dto,
  };
  await updateConfig({ systemConfigDto: { ...defaults, oauth: merged } }, options);
@@ -89,27 +87,21 @@ describe(`/oauth`, () => {
  beforeAll(async () => {
    await utils.resetDatabase();
    admin = await utils.adminSetup();
+
+    await setupOAuth(admin.accessToken, {
+      enabled: true,
+      clientId: OAuthClient.DEFAULT,
+      clientSecret: OAuthClient.DEFAULT,
+      buttonText: 'Login with Immich',
+      storageLabelClaim: 'immich_username',
+    });
  });

  describe('POST /oauth/authorize', () => {
-    beforeAll(async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        buttonText: 'Login with Immich',
-        storageLabelClaim: 'immich_username',
-      });
-    });
-
    it(`should throw an error if a redirect uri is not provided`, async () => {
      const { status, body } = await request(app).post('/oauth/authorize').send({});
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['redirectUri'], message: 'Invalid input: expected string, received undefined' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['redirectUri must be a string', 'redirectUri should not be empty']));
    });

    it('should return a redirect uri', async () => {
@@ -125,60 +117,19 @@ describe(`/oauth`, () => {
      expect(params.get('redirect_uri')).toBe('http://127.0.0.1:2285/auth/login');
      expect(params.get('state')).toBeDefined();
    });
-
-    it('should not include the prompt parameter when not configured', async () => {
-      const { status, body } = await request(app)
-        .post('/oauth/authorize')
-        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
-      expect(status).toBe(201);
-
-      const params = new URL(body.url).searchParams;
-      expect(params.get('prompt')).toBeNull();
-    });
-
-    it('should include the prompt parameter when configured', async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        prompt: 'select_account',
-      });
-
-      const { status, body } = await request(app)
-        .post('/oauth/authorize')
-        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
-      expect(status).toBe(201);
-
-      const params = new URL(body.url).searchParams;
-      expect(params.get('prompt')).toBe('select_account');
-    });
  });

  describe('POST /oauth/callback', () => {
-    beforeAll(async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        buttonText: 'Login with Immich',
-        storageLabelClaim: 'immich_username',
-      });
-    });
-
    it(`should throw an error if a url is not provided`, async () => {
      const { status, body } = await request(app).post('/oauth/callback').send({});
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['url'], message: 'Invalid input: expected string, received undefined' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['url must be a string', 'url should not be empty']));
    });

    it(`should throw an error if the url is empty`, async () => {
      const { status, body } = await request(app).post('/oauth/callback').send({ url: '' });
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['url'], message: 'Too small: expected string to have >=1 characters' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['url should not be empty']));
    });

    it(`should throw an error if the state is not provided`, async () => {
@@ -207,9 +158,10 @@ describe(`/oauth`, () => {
    it(`should throw an error if the codeVerifier doesn't match the challenge`, async () => {
      const callbackParams = await loginWithOAuth('oauth-auto-register');
      const { codeVerifier } = await loginWithOAuth('oauth-auto-register');
-      const { status } = await request(app)
+      const { status, body } = await request(app)
        .post('/oauth/callback')
        .send({ ...callbackParams, codeVerifier });
+      console.log(body);
      expect(status).toBeGreaterThanOrEqual(400);
    });

@@ -306,7 +258,7 @@ describe(`/oauth`, () => {
        accessToken: expect.any(String),
        isAdmin: false,
        name: 'OAuth User',
-        userEmail: 'oauth-rs256-token@immich.app',
+        userEmail: 'oauth-RS256-token@immich.app',
        userId: expect.any(String),
      });
    });
@@ -340,7 +292,9 @@ describe(`/oauth`, () => {
      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(500);
      expect(body).toMatchObject({
+        error: 'Internal Server Error',
        message: 'Failed to finish oauth',
+        statusCode: 500,
      });
    });

@@ -359,7 +313,7 @@ describe(`/oauth`, () => {
        const callbackParams = await loginWithOAuth('oauth-no-auto-register');
        const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest('OAuth authentication failed'));
+        expect(body).toEqual(errorDto.badRequest('User does not exist and auto registering is disabled.'));
      });

      it('should link to an existing user by email', async () => {
@@ -379,54 +333,6 @@ describe(`/oauth`, () => {
    });
  });

-  describe(`POST /oauth/backchannel-logout`, () => {
-    it(`should throw an error if the logout_token is not provided`, async () => {
-      const { status, body } = await request(app).post('/oauth/backchannel-logout').send({});
-      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['logout_token'], message: 'Invalid input: expected string, received undefined' },
-        ]),
-      );
-    });
-
-    it(`should throw an error if an invalid logout token is provided`, async () => {
-      const { status, body } = await request(app)
-        .post('/oauth/backchannel-logout')
-        .send({ logout_token: 'invalid token' });
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest('Error backchannel logout: token validation failed'));
-    });
-
-    it(`should logout user if a valid logout token is provided`, async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        autoRegister: true,
-        signingAlgorithm: 'RS256',
-        buttonText: 'Login with Immich',
-      });
-
-      const callbackParams = await loginWithOAuth('backchannel-logout-user');
-      const { status: callbackStatus, body: callbackBody } = await request(app)
-        .post('/oauth/callback')
-        .send(callbackParams);
-      expect(callbackStatus).toBe(201);
-
-      await expect(getSessions({ headers: asBearerAuth(callbackBody.accessToken) })).resolves.toHaveLength(1);
-
-      const logoutToken = await generateLogoutToken('http://0.0.0.0:2286', 'backchannel-logout-user');
-      const { status, body } = await request(app).post('/oauth/backchannel-logout').send({ logout_token: logoutToken });
-      expect(status).toBe(200);
-      expect(body).toMatchObject({});
-
-      await expect(getSessions({ headers: asBearerAuth(callbackBody.accessToken) })).rejects.toMatchObject({
-        status: 401,
-      });
-    });
-  });
-
  describe('mobile redirect override', () => {
    beforeAll(async () => {
      await setupOAuth(admin.accessToken, {
@@ -493,22 +399,4 @@ describe(`/oauth`, () => {
      });
    });
  });
-
-  describe('allowInsecureRequests: false', () => {
-    beforeAll(async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        allowInsecureRequests: false,
-      });
-    });
-
-    it('should reject OAuth discovery over HTTP', async () => {
-      const { status } = await request(app)
-        .post('/oauth/authorize')
-        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
-      expect(status).toBe(500);
-    });
-  });
 });
@@ -74,6 +74,7 @@ describe('/search', () => {
      const bytes = await readFile(join(testAssetDir, filename));
      assets.push(
        await utils.createAsset(admin.accessToken, {
+          deviceAssetId: `test-${filename}`,
          assetData: { bytes, filename },
          ...dto,
        }),
@@ -457,7 +458,7 @@ describe('/search', () => {
      expect(Array.isArray(body)).toBe(true);
      if (Array.isArray(body)) {
        expect(body.length).toBeGreaterThan(10);
-        expect(body[0].name).toEqual(expect.stringContaining(name));
+        expect(body[0].name).toEqual(name);
        expect(body[0].admin2name).toEqual(name);
      }
    });
@@ -207,6 +207,16 @@ describe('/server', () => {
    });
  });

+  describe('GET /server/theme', () => {
+    it('should respond with the server theme', async () => {
+      const { status, body } = await request(app).get('/server/theme');
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        customCss: '',
+      });
+    });
+  });
+
  describe('GET /server/license', () => {
    it('should require authentication', async () => {
      const { status, body } = await request(app).get('/server/license');
@@ -106,7 +106,7 @@ describe('/shared-links', () => {
      const resp = await request(shareUrl).get(`/${linkWithAssets.key}`);
      expect(resp.status).toBe(200);
      expect(resp.header['content-type']).toContain('text/html');
-      expect(resp.text).toContain(`<meta property="og:image" content="http://127.0.0.1:2285`);
+      expect(resp.text).toContain(`<meta property="og:image" content="${baseUrl}`);
    });

    it('should fall back to my.immich.app og:image meta tag for shared asset if Host header is not present', async () => {
@@ -243,21 +243,9 @@ describe('/shared-links', () => {
    });

    it('should get data for correct password protected link', async () => {
-      const response = await request(app)
-        .post('/shared-links/login')
-        .send({ password: 'foo' })
-        .query({ key: linkWithPassword.key });
-
-      expect(response.status).toBe(201);
-
-      const cookies = response.get('Set-Cookie') ?? [];
-      expect(cookies).toHaveLength(1);
-      expect(cookies[0]).toContain('immich_shared_link_token');
-
      const { status, body } = await request(app)
        .get('/shared-links/me')
-        .query({ key: linkWithPassword.key })
-        .set('Cookie', cookies);
+        .query({ key: linkWithPassword.key, password: 'foo' });

      expect(status).toBe(200);
      expect(body).toEqual(
@@ -341,9 +329,7 @@ describe('/shared-links', () => {
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: [], message: 'Invalid input: expected object, received undefined' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest());
    });

    it('should require an asset/album id', async () => {
@@ -41,9 +41,7 @@ describe('/stacks', () => {
        .send({ assetIds: [asset.id] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['assetIds'], message: 'Too small: expected array to have >=2 items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest());
    });

    it('should require a valid id', async () => {
@@ -53,12 +51,7 @@ describe('/stacks', () => {
        .send({ assetIds: [uuidDto.invalid, uuidDto.invalid] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['assetIds', 0], message: 'Invalid UUID' },
-          { path: ['assetIds', 1], message: 'Invalid UUID' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest());
    });

    it('should require access', async () => {
@@ -309,7 +309,7 @@ describe('/tags', () => {
        .get(`/tags/${uuidDto.invalid}`)
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.validationError([{ path: ['id'], message: 'Invalid UUID' }]));
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
    });

    it('should get tag details', async () => {
@@ -427,7 +427,7 @@ describe('/tags', () => {
        .delete(`/tags/${uuidDto.invalid}`)
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.validationError([{ path: ['id'], message: 'Invalid UUID' }]));
+      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
    });

    it('should delete a tag', async () => {
@@ -108,20 +108,14 @@ describe('/admin/users', () => {
      expect(body).toEqual(errorDto.forbidden);
    });

-    for (const [key, message] of [
-      ['password', 'Invalid input: expected string, received null'],
-      ['email', 'Invalid input: expected email, received object'],
-      ['name', 'Invalid input: expected string, received null'],
-      ['shouldChangePassword', 'Invalid input: expected boolean, received null'],
-      ['notify', 'Invalid input: expected boolean, received null'],
-    ] as const) {
+    for (const key of ['password', 'email', 'name', 'quotaSizeInBytes', 'shouldChangePassword', 'notify']) {
      it(`should not allow null ${key}`, async () => {
        const { status, body } = await request(app)
          .post(`/admin/users`)
          .set('Authorization', `Bearer ${admin.accessToken}`)
          .send({ ...createUserDto.user1, [key]: null });
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.validationError([{ path: [key], message }]));
+        expect(body).toEqual(errorDto.badRequest());
      });
    }

@@ -159,19 +153,14 @@ describe('/admin/users', () => {
      expect(body).toEqual(errorDto.forbidden);
    });

-    for (const [key, message] of [
-      ['password', 'Invalid input: expected string, received null'],
-      ['email', 'Invalid input: expected email, received object'],
-      ['name', 'Invalid input: expected string, received null'],
-      ['shouldChangePassword', 'Invalid input: expected boolean, received null'],
-    ] as const) {
+    for (const key of ['password', 'email', 'name', 'shouldChangePassword']) {
      it(`should not allow null ${key}`, async () => {
        const { status, body } = await request(app)
          .put(`/admin/users/${uuidDto.notFound}`)
          .set('Authorization', `Bearer ${admin.accessToken}`)
          .send({ [key]: null });
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.validationError([{ path: [key], message }]));
+        expect(body).toEqual(errorDto.badRequest());
      });
    }

@@ -298,8 +287,7 @@ describe('/admin/users', () => {
    it('should delete user', async () => {
      const { status, body } = await request(app)
        .delete(`/admin/users/${userToDelete.userId}`)
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({});
+        .set('Authorization', `Bearer ${admin.accessToken}`);

      expect(status).toBe(200);
      expect(body).toMatchObject({
@@ -120,7 +120,7 @@ describe('/users', () => {
        .set('Authorization', `Bearer ${nonAdmin.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toMatchObject(errorDto.badRequest('Email is not available'));
+      expect(body).toMatchObject(errorDto.badRequest('Email already in use by another account'));
    });

    it('should update my email', async () => {
@@ -178,11 +178,7 @@ describe('/users', () => {
        .set('Authorization', `Bearer ${admin.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['download', 'archiveSize'], message: 'Invalid input: expected int, received number' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['download.archiveSize must be an integer number']));
    });

    it('should update download archive size', async () => {
@@ -208,11 +204,7 @@ describe('/users', () => {
        .set('Authorization', `Bearer ${admin.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['download', 'includeEmbeddedVideos'], message: 'Invalid input: expected boolean, received number' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['download.includeEmbeddedVideos must be a boolean value']));
    });

    it('should update download include embedded videos', async () => {
@@ -1,6 +1,6 @@
 import { Permission } from '@immich/sdk';
 import { stat } from 'node:fs/promises';
-import { app, immichCli, utils } from 'src/utils';
+import { app, baseUrl, immichCli, utils } from 'src/utils';
 import { beforeEach, describe, expect, it } from 'vitest';

 describe(`immich login`, () => {
@@ -33,7 +33,7 @@ describe(`immich login`, () => {
    const key = await utils.createApiKey(admin.accessToken, [Permission.All]);
    const { stdout, stderr, exitCode } = await immichCli(['login', app, `${key.secret}`]);
    expect(stdout.split('\n')).toEqual([
-      'Logging in to http://127.0.0.1:2285/api',
+      `Logging in to ${baseUrl}/api`,
      'Logged in as admin@immich.cloud',
      'Wrote auth info to /tmp/immich/auth.yml',
    ]);
@@ -50,8 +50,8 @@ describe(`immich login`, () => {
    const key = await utils.createApiKey(admin.accessToken, [Permission.All]);
    const { stdout, stderr, exitCode } = await immichCli(['login', app.replaceAll('/api', ''), `${key.secret}`]);
    expect(stdout.split('\n')).toEqual([
-      'Logging in to http://127.0.0.1:2285',
-      'Discovered API at http://127.0.0.1:2285/api',
+      `Logging in to ${baseUrl}`,
+      `Discovered API at ${baseUrl}/api`,
      'Logged in as admin@immich.cloud',
      'Wrote auth info to /tmp/immich/auth.yml',
    ]);
@@ -1,4 +1,4 @@
-import { immichCli, utils } from 'src/utils';
+import { baseUrl, immichCli, utils } from 'src/utils';
 import { beforeAll, describe, expect, it } from 'vitest';

 describe(`immich server-info`, () => {
@@ -12,7 +12,7 @@ describe(`immich server-info`, () => {
    const { stderr, stdout, exitCode } = await immichCli(['server-info']);
    expect(stdout.split('\n')).toEqual([
      expect.stringContaining('Server Info (via admin@immich.cloud'),
-      '  Url: http://127.0.0.1:2285/api',
+      `  Url: ${baseUrl}/api`,
      expect.stringContaining('Version:'),
      '  Formats:',
      expect.stringContaining('Images:'),
@@ -1,7 +1,6 @@
 import { LoginResponseDto } from '@immich/sdk';
-import { expect, test } from '@playwright/test';
-import { readFileSync } from 'node:fs';
-import { testAssetDir, utils } from 'src/utils';
+import { test } from '@playwright/test';
+import { utils } from 'src/utils';

 test.describe('Album', () => {
  let admin: LoginResponseDto;
@@ -23,41 +22,4 @@ test.describe('Album', () => {
    await page.reload();
    await page.getByRole('button', { name: 'Select photos' }).waitFor();
  });
-
-  test('should keep map view open after viewing an asset from the map and going back', async ({ context, page }) => {
-    await utils.setAuthCookies(context, admin.accessToken);
-
-    const imagePath = `${testAssetDir}/metadata/gps-position/thompson-springs.jpg`;
-    const mapAsset = await utils.createAsset(admin.accessToken, {
-      assetData: {
-        bytes: readFileSync(imagePath),
-        filename: 'thompson-springs.jpg',
-      },
-    });
-
-    await utils.waitForQueueFinish(admin.accessToken, 'metadataExtraction');
-
-    const mapAlbum = await utils.createAlbum(admin.accessToken, {
-      albumName: 'Map Test Album',
-      assetIds: [mapAsset.id],
-    });
-
-    await page.goto(`/albums/${mapAlbum.id}`);
-    const mapButton = page.getByRole('button', { name: 'Map' });
-    await expect(mapButton).toBeVisible();
-    await mapButton.click();
-
-    const mapModal = page.getByRole('dialog');
-    await expect(mapModal).toBeVisible();
-
-    const mapMarker = mapModal.getByRole('img', { name: /Map marker/i }).first();
-    await expect(mapMarker).toBeVisible();
-    await mapMarker.click();
-
-    await page.waitForSelector('#immich-asset-viewer');
-    await page.getByRole('button', { name: 'Go back' }).click();
-
-    await expect(page.locator('#immich-asset-viewer')).not.toBeVisible();
-    await expect(mapModal).toBeVisible();
-  });
 });
@@ -1,9 +1,7 @@
 import { AssetMediaResponseDto, LoginResponseDto, SharedLinkType } from '@immich/sdk';
 import { expect, test } from '@playwright/test';
-import { readFile } from 'node:fs/promises';
-import { basename, join } from 'node:path';
 import type { Socket } from 'socket.io-client';
-import { testAssetDir, utils } from 'src/utils';
+import { utils } from 'src/utils';

 test.describe('Detail Panel', () => {
  let admin: LoginResponseDto;
@@ -85,42 +83,4 @@ test.describe('Detail Panel', () => {
    await utils.waitForWebsocketEvent({ event: 'assetUpdate', id: asset.id });
    await expect(textarea).toHaveValue('new description');
  });
-
-  test.describe('Date editor', () => {
-    test('displays inferred asset timezone', async ({ context, page }) => {
-      const test = {
-        filepath: 'metadata/dates/datetimeoriginal-gps.jpg',
-        expected: {
-          dateTime: '2025-12-01T11:30',
-          // Test with a timezone which is NOT the first among timezones with the same offset
-          // This is to check that the editor does not simply fall back to the first available timezone with that offset
-          // America/Denver (-07:00) is not the first among timezones with offset -07:00
-          timeZoneWithOffset: 'America/Denver (-07:00)',
-        },
-      };
-
-      const asset = await utils.createAsset(admin.accessToken, {
-        assetData: {
-          bytes: await readFile(join(testAssetDir, test.filepath)),
-          filename: basename(test.filepath),
-        },
-      });
-
-      await utils.waitForWebsocketEvent({ event: 'assetUpload', id: asset.id });
-
-      // asset viewer -> detail panel -> date editor
-      await utils.setAuthCookies(context, admin.accessToken);
-      await page.goto(`/photos/${asset.id}`);
-      await page.waitForSelector('#immich-asset-viewer');
-
-      await page.getByRole('button', { name: 'Info' }).click();
-      await page.getByTestId('detail-panel-edit-date-button').click();
-      await page.waitForSelector('[role="dialog"]');
-
-      const datetime = page.locator('#datetime');
-      await expect(datetime).toHaveValue(test.expected.dateTime);
-      const timezone = page.getByRole('combobox', { name: 'Timezone' });
-      await expect(timezone).toHaveValue(test.expected.timeZoneWithOffset);
-    });
-  });
 });
@@ -16,8 +16,8 @@ test.describe('Duplicates Utility', () => {

  test.beforeEach(async ({ context }) => {
    [firstAsset, secondAsset] = await Promise.all([
-      utils.createAsset(admin.accessToken, {}),
-      utils.createAsset(admin.accessToken, {}),
+      utils.createAsset(admin.accessToken, { deviceAssetId: 'duplicate-a' }),
+      utils.createAsset(admin.accessToken, { deviceAssetId: 'duplicate-b' }),
    ]);

    await updateAssets(
@@ -77,4 +77,18 @@ test.describe('Photo Viewer', () => {
    });
    expect(tagAtCenter).toBe('IMG');
  });
+
+  test('reloads photo when checksum changes', async ({ page }) => {
+    await page.goto(`/photos/${asset.id}`);
+
+    const preview = page.getByTestId('preview').filter({ visible: true });
+    await expect(preview).toHaveAttribute('src', /.+/);
+    const initialSrc = await preview.getAttribute('src');
+
+    const websocketEvent = utils.waitForWebsocketEvent({ event: 'assetUpdate', id: asset.id });
+    await utils.replaceAsset(admin.accessToken, asset.id);
+    await websocketEvent;
+
+    await expect(preview).not.toHaveAttribute('src', initialSrc!);
+  });
 });
@@ -1,5 +1,7 @@
 import { LoginResponseDto } from '@immich/sdk';
 import { expect, test } from '@playwright/test';
+import { lookup } from 'node:dns/promises';
+import { playwrightHost } from 'playwright.config';
 import { utils } from 'src/utils';

 test.describe('Websocket', () => {
@@ -12,14 +14,28 @@ test.describe('Websocket', () => {
  });

  test('connects using ipv4', async ({ page, context }) => {
-    await utils.setAuthCookies(context, admin.accessToken);
-    await page.goto('http://127.0.0.1:2285/');
+    const { address: ipv4 } = await lookup(playwrightHost, 4);
+    await utils.setAuthCookies(context, admin.accessToken, ipv4);
+    await page.goto(`http://${ipv4}:2285/`);
    await expect(page.locator('#sidebar')).toContainText('Server Online');
  });

  test('connects using ipv6', async ({ page, context }) => {
-    await utils.setAuthCookies(context, admin.accessToken, '[::1]');
-    await page.goto('http://[::1]:2285/');
+    let ipv6: string;
+    if (playwrightHost === '127.0.0.1') {
+      ipv6 = '::1';
+    } else {
+      try {
+        const { address } = await lookup(playwrightHost, 6);
+        ipv6 = address;
+      } catch {
+        test.skip(true, 'No IPv6 address available');
+        return;
+      }
+    }
+    const ipv6Url = `http://[${ipv6}]:2285/`;
+    await utils.setAuthCookies(context, admin.accessToken, undefined, ipv6Url);
+    await page.goto(ipv6Url);
    await expect(page.locator('#sidebar')).toContainText('Server Online');
  });
 });
@@ -32,12 +32,8 @@ export function generateThumbhash(rng: SeededRandom): string {
  return Array.from({ length: 10 }, () => rng.nextInt(0, 256).toString(16).padStart(2, '0')).join('');
 }

-export function generateDuration(rng: SeededRandom): number {
-  return (
-    rng.nextInt(GENERATION_CONSTANTS.MIN_VIDEO_DURATION_SECONDS, GENERATION_CONSTANTS.MAX_VIDEO_DURATION_SECONDS) *
-      1000 +
-    rng.nextInt(0, 1000)
-  );
+export function generateDuration(rng: SeededRandom): string {
+  return `${rng.nextInt(GENERATION_CONSTANTS.MIN_VIDEO_DURATION_SECONDS, GENERATION_CONSTANTS.MAX_VIDEO_DURATION_SECONDS)}.${rng.nextInt(0, 1000).toString().padStart(3, '0')}`;
 }

 export function generateUUID(): string {
@@ -3,7 +3,6 @@
 */

 import {
-  AlbumUserRole,
  AssetTypeEnum,
  AssetVisibility,
  UserAvatarColor,
@@ -316,9 +315,11 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons

  return {
    id: asset.id,
+    deviceAssetId: `device-${asset.id}`,
    ownerId: asset.ownerId,
    owner: owner || defaultOwner,
    libraryId: `library-${asset.ownerId}`,
+    deviceId: `device-${asset.ownerId}`,
    type: asset.isVideo ? AssetTypeEnum.Video : AssetTypeEnum.Image,
    originalPath: `/original/${asset.id}.${asset.isVideo ? 'mp4' : 'jpg'}`,
    originalFileName: `${asset.id}.${asset.isVideo ? 'mp4' : 'jpg'}`,
@@ -333,7 +334,7 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons
    isArchived: false,
    isTrashed: asset.isTrashed,
    visibility: asset.visibility,
-    duration: asset.duration,
+    duration: asset.duration || '0:00:00.00000',
    exifInfo,
    livePhotoVideoId: asset.livePhotoVideoId,
    tags: [],
@@ -421,11 +422,14 @@ export function getAlbum(
    albumThumbnailAssetId: album.thumbnailAssetId,
    createdAt: album.createdAt,
    updatedAt: album.updatedAt,
-    albumUsers: [{ user: albumOwner, role: AlbumUserRole.Owner }],
+    ownerId: albumOwner.id,
+    owner: albumOwner,
+    albumUsers: [], // Empty array for non-shared album
    shared: false,
    hasSharedLink: false,
    isActivityEnabled: true,
    assetCount: albumAssets.length,
+    assets: albumAssets,
    startDate: albumAssets.length > 0 ? albumAssets.at(-1)?.fileCreatedAt : undefined,
    endDate: albumAssets.length > 0 ? albumAssets[0].fileCreatedAt : undefined,
    lastModifiedAssetTimestamp: albumAssets.length > 0 ? albumAssets[0].fileCreatedAt : undefined,
@@ -43,7 +43,7 @@ export type MockTimelineAsset = {
  isTrashed: boolean;
  isVideo: boolean;
  isImage: boolean;
-  duration: number | null;
+  duration: string | null;
  projectionType: string | null;
  livePhotoVideoId: string | null;
  city: string | null;
@@ -1,5 +1,5 @@
-import { BrowserContext } from '@playwright/test';
-import { playwrightHost } from 'src/../playwright.config';
+import { BrowserContext, expect, Page } from '@playwright/test';
+import { playwrightHost } from 'playwright.config';

 export const setupBaseMockApiRoutes = async (context: BrowserContext, adminUserId: string) => {
  await context.addCookies([
@@ -173,7 +173,6 @@ export const setupBaseMockApiRoutes = async (context: BrowserContext, adminUserI
          '.mpeg',
          '.mpg',
          '.mts',
-          '.ts',
          '.vob',
          '.webm',
          '.wmv',
@@ -223,7 +222,6 @@ export const setupBaseMockApiRoutes = async (context: BrowserContext, adminUserI
          '.jp2',
          '.jpe',
          '.jxl',
-          '.mpo',
          '.svg',
          '.tif',
          '.tiff',
@@ -285,3 +283,13 @@ export const setupBaseMockApiRoutes = async (context: BrowserContext, adminUserI
    });
  });
 };
+
+export const waitForServiceWorker = async (page: Page) => {
+  await expect
+    .poll(() => page.context().serviceWorkers().length, {
+      message:
+        'Service worker not registered. Ensure the origin is a secure context (localhost or use --unsafely-treat-insecure-origin-as-secure flag).',
+      timeout: 10_000,
+    })
+    .toBeGreaterThan(0);
+};
@@ -16,6 +16,7 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
  const now = new Date().toISOString();
  return {
    id: assetId,
+    deviceAssetId: `device-${assetId}`,
    ownerId,
    owner: {
      id: ownerId,
@@ -26,6 +27,7 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
      avatarColor: 'blue' as never,
    },
    libraryId: `library-${ownerId}`,
+    deviceId: `device-${ownerId}`,
    type: AssetTypeEnum.Image,
    originalPath: `/original/${assetId}.jpg`,
    originalFileName: `${assetId}.jpg`,
@@ -40,7 +42,7 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
    isArchived: false,
    isTrashed: false,
    visibility: AssetVisibility.Timeline,
-    duration: null,
+    duration: '0:00:00.00000',
    exifInfo: {
      make: null,
      model: null,
@@ -67,7 +69,7 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
    tags: [],
    people: [],
    unassignedFaces: [],
-    stack: undefined,
+    stack: null,
    isOffline: false,
    hasMetadata: true,
    duplicateId: null,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
midzelis	9935f75cc9	chore(ci): add unified test report PR comment Change-Id: I1cee5c74dcff06215bf8f75b307a2d296a6a6964	2026-03-25 03:15:32 +00:00
midzelis	1d6131e490	chore(ci): deduplicate e2e server image cache with docker.yml Change-Id: Idf104d87732b85b7402870195509752a6a6a6964	2026-03-24 18:17:37 +00:00
midzelis	10218fb900	feat: run e2e tests inside Docker compose network and in parallel Change-Id: I04332d4f153b720316ab7b08c12f9a6e6a6a6964	2026-03-24 18:17:37 +00:00
@@ -1 +1 @@
 .15.0
 .13.1