feat: refresh captcha correctly (#8491)

fix AF-1482

.cargo/config.toml

@@ -1,14 +1,2 @@
 [target.x86_64-pc-windows-msvc]
 rustflags = ["-C", "target-feature=+crt-static"]
-[target.aarch64-pc-windows-msvc]
-rustflags = ["-C", "target-feature=+crt-static"]
-[target.'cfg(target_os = "linux")']
-rustflags = ["-C", "link-args=-Wl,--warn-unresolved-symbols"]
-[target.'cfg(target_os = "macos")']
-rustflags = ["-C", "link-args=-Wl,-undefined,dynamic_lookup,-no_fixup_chains", "-C", "link-args=-all_load", "-C", "link-args=-weak_framework ScreenCaptureKit"]
-# https://sourceware.org/bugzilla/show_bug.cgi?id=21032
-# https://sourceware.org/bugzilla/show_bug.cgi?id=21031
-# https://github.com/rust-lang/rust/issues/134820
-# pthread_key_create() destructors and segfault after a DSO unloading
-[target.'cfg(all(target_env = "gnu", not(target_os = "windows")))']
-rustflags = ["-C", "link-args=-Wl,-z,nodelete"]

.devcontainer/Dockerfile

@@ -0,0 +1,9 @@
+FROM mcr.microsoft.com/devcontainers/base:bookworm
+
+# Install Homebrew For Linux
+RUN /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" && \
+    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" && \
+    echo "eval \"\$($(brew --prefix)/bin/brew shellenv)\"" >> /home/vscode/.zshrc && \
+    echo "eval \"\$($(brew --prefix)/bin/brew shellenv)\"" >> /home/vscode/.bashrc && \
+    # Install Graphite
+    brew install withgraphite/tap/graphite && gt --version

.devcontainer/build.sh

@@ -1,12 +1,18 @@
 #!/bin/bash
 # This is a script used by the devcontainer to build the project
 
+#Enable yarn
+corepack enable
+corepack prepare yarn@stable --activate
+
 # install dependencies
 yarn install
 
 # Build Server Dependencies
-yarn affine @affine/server-native build
-yarn affine @affine/reader build
+yarn workspace @affine/server-native build
 
 # Create database
-yarn affine @affine/server prisma migrate reset -f
+yarn workspace @affine/server prisma db push
+
+# Create user username: affine, password: affine
+echo "INSERT INTO \"users\"(\"id\",\"name\",\"email\",\"email_verified\",\"created_at\",\"password\") VALUES('99f3ad04-7c9b-441e-a6db-79f73aa64db9','affine','affine@affine.pro','2024-02-26 15:54:16.974','2024-02-26 15:54:16.974+00','\$argon2id\$v=19\$m=19456,t=2,p=1\$esDS3QCHRH0Kmeh87YPm5Q\$9S+jf+xzw2Hicj6nkWltvaaaXX3dQIxAFwCfFa9o38A');" | yarn workspace @affine/server prisma db execute --stdin

.devcontainer/devcontainer.json

@@ -1,16 +1,12 @@
 // For format details, see https://aka.ms/devcontainer.json.
 {
-  "name": "AFFiNE Dev Container",
+  "name": "Debian",
   "dockerComposeFile": "docker-compose.yml",
   "service": "app",
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
-  "containerEnv": {
-    "COREPACK_ENABLE_DOWNLOAD_PROMPT": "0"
-  },
   "features": {
     "ghcr.io/devcontainers/features/node:1": {
-      "version": "lts",
-      "installYarnUsingApt": false
+      "version": "18"
     },
     "ghcr.io/devcontainers/features/rust:1": {}
   },
@@ -20,10 +16,11 @@
       "extensions": [
         "ms-playwright.playwright",
         "esbenp.prettier-vscode",
-        "dbaeumer.vscode-eslint"
+        "streetsidesoftware.code-spell-checker"
       ]
     }
   },
   "updateContentCommand": "bash ./.devcontainer/build.sh",
-  "postCreateCommand": "bash ./.devcontainer/setup-user.sh"
+  "postCreateCommand": "bash ./.devcontainer/setup-user.sh",
+  "postStartCommand": ["yarn dev", "yarn workspace @affine/server dev"]
 }

.devcontainer/docker-compose.yml

@@ -2,18 +2,18 @@ version: '3.8'
 
 services:
   app:
-    image: mcr.microsoft.com/devcontainers/base:bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile
     volumes:
       - ../..:/workspaces:cached
     command: sleep infinity
     network_mode: service:db
     environment:
       DATABASE_URL: postgresql://affine:affine@db:5432/affine
-      REDIS_SERVER_HOST: redis
-      AFFINE_INDEXER_SEARCH_ENDPOINT: http://indexer:9308
 
   db:
-    image: pgvector/pgvector:pg16
+    image: postgres:latest
     restart: unless-stopped
     volumes:
       - postgres-data:/var/lib/postgresql/data
@@ -21,22 +21,6 @@ services:
       POSTGRES_PASSWORD: affine
       POSTGRES_USER: affine
       POSTGRES_DB: affine
-  redis:
-    image: redis
-
-  indexer:
-    image: manticoresearch/manticore:${MANTICORE_VERSION:-10.1.0}
-    ulimits:
-      nproc: 65535
-      nofile:
-        soft: 65535
-        hard: 65535
-      memlock:
-        soft: -1
-        hard: -1
-    volumes:
-      - manticoresearch_data:/var/lib/manticore
 
 volumes:
   postgres-data:
-  manticoresearch_data:

.devcontainer/setup-user.sh

@@ -1,9 +1,9 @@
 set -e
 
-npm install -g @withgraphite/graphite-cli@stable
-
 if [ -v GRAPHITE_TOKEN ];then
     gt auth --token $GRAPHITE_TOKEN
 fi
 
+git fetch origin canary:canary --depth=1
+git branch canary -t origin/canary
 gt init --trunk canary

.docker/dev/.env.example

@@ -1,15 +0,0 @@
-# postgres major version
-DB_VERSION=16
-# database credentials
-DB_PASSWORD=affine
-DB_USERNAME=affine
-DB_DATABASE_NAME=affine
-
-# elasticsearch env
-# ELASTIC_VERSION=9.0.1
-# enable for arm64, e.g.: macOS M1+
-# ELASTIC_VERSION_ARM64=-arm64
-# ELASTIC_PLATFORM=linux/arm64
-
-# manticoresearch
-MANTICORE_VERSION=10.1.0

.docker/dev/.gitignore

@@ -1,6 +0,0 @@
-postgres
-.env
-compose.yml
-certs/*
-!certs/.gitkeep
-nginx/conf.d/*

.docker/dev/README.md

@@ -1,21 +0,0 @@
-# Dev containers
-
-## Develop with domain
-
-> MacOs only, OrbStack only
-
-### 1. Generate and install Root CA
-
-```bash
-# the root ca file will be located at `./.docker/dev/certs/ca`
-yarn affine cert --install
-```
-
-### 2. Generate domain certs
-
-```bash
-# certificates will be located at `./.docker/dev/certs/${domain}`
-yarn affine cert --domain affine.localhost
-```
-
-### 3. Enable nginx service in compose.yml

.docker/dev/compose.yml.example

@@ -1,99 +0,0 @@
-name: affine_dev_services
-services:
-  postgres:
-    env_file:
-      - .env
-    image: pgvector/pgvector:pg${DB_VERSION:-16}
-    ports:
-      - 5432:5432
-    environment:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_DB: ${DB_DATABASE_NAME}
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-
-  redis:
-    image: redis:latest
-    ports:
-      - 6379:6379
-
-  # https://mailpit.axllent.org/docs/install/docker/
-  mailpit:
-    image: axllent/mailpit:latest
-    ports:
-      - 1025:1025
-      - 8025:8025
-    environment:
-      MP_MAX_MESSAGES: 5000
-      MP_DATABASE: /data/mailpit.db
-      MP_SMTP_AUTH_ACCEPT_ANY: 1
-      MP_SMTP_AUTH_ALLOW_INSECURE: 1
-    volumes:
-      - mailpit_data:/data
-
-  # https://manual.manticoresearch.com/Starting_the_server/Docker
-  manticoresearch:
-    image: manticoresearch/manticore:${MANTICORE_VERSION:-10.1.0}
-    ports:
-      - 9308:9308
-    ulimits:
-      nproc: 65535
-      nofile:
-        soft: 65535
-        hard: 65535
-      memlock:
-        soft: -1
-        hard: -1
-    volumes:
-      - manticoresearch_data:/var/lib/manticore
-  
-  # elasticsearch:
-  #   image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION:-9.0.1}${ELASTIC_VERSION_ARM64}
-  #   platform: ${ELASTIC_PLATFORM}
-  #   labels:
-  #     co.elastic.logs/module: elasticsearch
-  #   volumes:
-  #     - elasticsearch_data:/usr/share/elasticsearch/data
-  #   ports:
-  #     - ${ES_PORT:-9200}:9200
-  #   environment:
-  #     - node.name=es01
-  #     - cluster.name=affine-dev
-  #     - discovery.type=single-node
-  #     - bootstrap.memory_lock=true
-  #     - xpack.security.enabled=false
-  #     - xpack.security.http.ssl.enabled=false
-  #     - xpack.security.transport.ssl.enabled=false
-  #     - xpack.license.self_generated.type=basic
-  #   mem_limit: ${ES_MEM_LIMIT:-1073741824}
-  #   ulimits:
-  #     memlock:
-  #       soft: -1
-  #       hard: -1
-  #   healthcheck:
-  #     test:
-  #       [
-  #         "CMD-SHELL",
-  #         "curl -s http://localhost:9200 | grep -q 'affine-dev'",
-  #       ]
-  #     interval: 10s
-  #     timeout: 10s
-  #     retries: 120
-
-  # nginx:
-  #   image: nginx:alpine
-  #   volumes:
-  #     - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-  #     - ./nginx/conf.d:/etc/nginx/conf.d:ro
-  #     - ./certs:/etc/nginx/certs:ro
-  #   network_mode: host
-
-networks:
-  dev:
-
-volumes:
-  postgres_data:
-  manticoresearch_data:
-  mailpit_data:
-  elasticsearch_data:

.docker/dev/nginx/nginx.conf

@@ -1,28 +0,0 @@
-user nginx;
-worker_processes auto;
-
-error_log   /var/log/nginx/error.log;
-pid         /var/run/nginx.pid;
-
-events {
-  worker_connections  1024;
-}
-
-http {
-  include mime.types;
-  default_type  application/octet-stream;
-
-  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                    '$status $body_bytes_sent "$http_referer" '
-                    '"$http_user_agent" "$http_x_forwarded_for"';
-  access_log  /var/log/nginx/access.log  main;
-
-  sendfile on;
-  keepalive_timeout  65;
-  types_hash_max_size 2048;
-  client_max_body_size 512M;
-  server_names_hash_bucket_size 128;
-  ssi on;
-  gzip  on;
-  include "/etc/nginx/conf.d/*";
-}

.docker/dev/templates/nginx.conf

@@ -1,27 +0,0 @@
-server {
-  listen 80;
-  server_name DEV_DOMAIN;
-  
-  location / {
-    return 301 https://$host$request_uri;
-  }
-}
-
-server {
-  listen 443 ssl;
-  http2 on;
-  ssl_certificate /etc/nginx/certs/$host/crt;
-  ssl_certificate_key /etc/nginx/certs/$host/key;
-  server_name DEV_DOMAIN;
-
-  location / {
-    proxy_pass http://localhost:8080;
-    proxy_set_header   Host              $host;
-    proxy_set_header   X-Real-IP         $remote_addr;
-    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
-    proxy_set_header   X-Forwarded-Proto $scheme;
-    proxy_set_header   Upgrade           $http_upgrade;
-    proxy_set_header   Connection        "upgrade";
-    resolver 127.0.0.1;
-  }
-}

.docker/dev/templates/openssl.conf

@@ -1,25 +0,0 @@
-[req]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = MN
-localityName = Locality Name (eg, city)
-localityName_default = Minneapolis
-organizationalUnitName	= Organizational Unit Name (eg, section)
-organizationalUnitName_default	= Domain Control Validated
-commonName = Internet Widgits Ltd
-commonName_max	= 64
-
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = DEV_DOMAIN
-DNS.2 = *.DEV_DOMAIN

.docker/selfhost/.env.example

@@ -1,23 +0,0 @@
-# select a revision to deploy, available values: stable, beta, canary
-AFFINE_REVISION=stable
-
-# set the port for the server container it will expose the server on
-PORT=3010
-
-# set the host for the server for outgoing links
-# AFFINE_SERVER_HTTPS=true
-# AFFINE_SERVER_HOST=affine.yourdomain.com
-# or 
-# AFFINE_SERVER_EXTERNAL_URL=https://affine.yourdomain.com
-
-# position of the database data to persist
-DB_DATA_LOCATION=~/.affine/self-host/postgres/pgdata
-# position of the upload data(images, files, etc.) to persist
-UPLOAD_LOCATION=~/.affine/self-host/storage
-# position of the configuration files to persist
-CONFIG_LOCATION=~/.affine/self-host/config
-
-# database credentials
-DB_USERNAME=affine
-DB_PASSWORD=
-DB_DATABASE=affine

.docker/selfhost/.gitignore

@@ -1 +0,0 @@
-.env

.docker/selfhost/compose.yml

@@ -1,76 +0,0 @@
-name: affine
-services:
-  affine:
-    image: ghcr.io/toeverything/affine:${AFFINE_REVISION:-stable}
-    container_name: affine_server
-    ports:
-      - '${PORT:-3010}:3010'
-    depends_on:
-      redis:
-        condition: service_healthy
-      postgres:
-        condition: service_healthy
-      affine_migration:
-        condition: service_completed_successfully
-    volumes:
-      # custom configurations
-      - ${UPLOAD_LOCATION}:/root/.affine/storage
-      - ${CONFIG_LOCATION}:/root/.affine/config
-    env_file:
-      - .env
-    environment:
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgresql://${DB_USERNAME}:${DB_PASSWORD}@postgres:5432/${DB_DATABASE:-affine}
-      - AFFINE_INDEXER_ENABLED=false
-    restart: unless-stopped
-
-  affine_migration:
-    image: ghcr.io/toeverything/affine:${AFFINE_REVISION:-stable}
-    container_name: affine_migration_job
-    volumes:
-      # custom configurations
-      - ${UPLOAD_LOCATION}:/root/.affine/storage
-      - ${CONFIG_LOCATION}:/root/.affine/config
-    command: ['sh', '-c', 'node ./scripts/self-host-predeploy.js']
-    env_file:
-      - .env
-    environment:
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgresql://${DB_USERNAME}:${DB_PASSWORD}@postgres:5432/${DB_DATABASE:-affine}
-      - AFFINE_INDEXER_ENABLED=false
-    depends_on:
-      postgres:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
-
-  redis:
-    image: redis
-    container_name: affine_redis
-    healthcheck:
-      test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping']
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    restart: unless-stopped
-
-  postgres:
-    image: pgvector/pgvector:pg16
-    container_name: affine_postgres
-    volumes:
-      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
-    environment:
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_DB: ${DB_DATABASE:-affine}
-      POSTGRES_INITDB_ARGS: '--data-checksums'
-      # you better set a password for you database
-      # or you may add 'POSTGRES_HOST_AUTH_METHOD=trust' to ignore postgres security policy
-      POSTGRES_HOST_AUTH_METHOD: trust
-    healthcheck:
-      test:
-        ['CMD', 'pg_isready', '-U', "${DB_USERNAME}", '-d', "${DB_DATABASE:-affine}"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    restart: unless-stopped

.docker/selfhost/config.example.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://github.com/toeverything/affine/releases/latest/download/config.schema.json",
-  "server": {
-    "name": "AFFiNE Self Hosted Server"
-  }
-}

.env.template

@@ -0,0 +1,7 @@
+CHANGELOG_URL=
+ENABLE_NEW_SETTING_UNSTABLE_API=
+ENABLE_CAPTCHA=
+CAPTCHA_SITE_KEY=
+ENABLE_ENHANCE_SHARE_MODE=
+ALLOW_LOCAL_WORKSPACE=
+DEBUG_JOTAI=

.eslintignore

@@ -0,0 +1,15 @@
+node_modules
+dist
+.next
+out
+storybook-static
+affine-out
+_next
+lib
+.eslintrc.js
+e2e-dist-*
+static
+web-static
+public
+packages/frontend/i18n/src/i18n-generated.ts
+packages/frontend/templates/*.gen.ts

.eslintrc.js

@@ -0,0 +1,289 @@
+const { join } = require('node:path');
+
+const createPattern = packageName => [
+  {
+    group: ['**/dist', '**/dist/**'],
+    message: 'Do not import from dist',
+    allowTypeImports: false,
+  },
+  {
+    group: ['**/src', '**/src/**'],
+    message: 'Do not import from src',
+    allowTypeImports: false,
+  },
+  {
+    group: [`@affine/${packageName}`],
+    message: 'Do not import package itself',
+    allowTypeImports: false,
+  },
+  {
+    group: [`@toeverything/${packageName}`],
+    message: 'Do not import package itself',
+    allowTypeImports: false,
+  },
+  {
+    group: ['@blocksuite/store'],
+    message: "Import from '@blocksuite/global/utils'",
+    importNames: ['assertExists', 'assertEquals'],
+  },
+  {
+    group: ['react-router-dom'],
+    message: 'Use `useNavigateHelper` instead',
+    importNames: ['useNavigate'],
+  },
+  {
+    group: ['@affine/env/constant'],
+    message:
+      'Do not import from @affine/env/constant. Use `BUILD_CONFIG.isElectron` instead',
+    importNames: ['isElectron'],
+  },
+];
+
+const allPackages = [
+  'packages/backend/server',
+  'packages/frontend/component',
+  'packages/frontend/core',
+  'packages/frontend/apps/electron',
+  'packages/frontend/apps/web',
+  'packages/frontend/apps/mobile',
+  'packages/frontend/graphql',
+  'packages/frontend/i18n',
+  'packages/frontend/native',
+  'packages/frontend/templates',
+  'packages/frontend/track',
+  'packages/common/debug',
+  'packages/common/env',
+  'packages/common/infra',
+  'packages/common/theme',
+  'tools/cli',
+];
+
+/**
+ * @type {import('eslint').Linter.Config}
+ */
+const config = {
+  root: true,
+  settings: {
+    react: {
+      version: 'detect',
+    },
+    next: {
+      rootDir: 'packages/frontend/core',
+    },
+  },
+  extends: [
+    'eslint:recommended',
+    'plugin:react-hooks/recommended',
+    'plugin:react/recommended',
+    'plugin:react/jsx-runtime',
+    'plugin:@typescript-eslint/recommended',
+    'prettier',
+  ],
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    ecmaFeatures: {
+      globalReturn: false,
+      impliedStrict: true,
+      jsx: true,
+    },
+    ecmaVersion: 'latest',
+    sourceType: 'module',
+    project: join(__dirname, 'tsconfig.eslint.json'),
+  },
+  plugins: [
+    'react',
+    '@typescript-eslint',
+    'simple-import-sort',
+    'sonarjs',
+    'import-x',
+    'unused-imports',
+    'unicorn',
+    'rxjs',
+  ],
+  rules: {
+    'array-callback-return': 'error',
+    'no-undef': 'off',
+    'no-empty': 'off',
+    'no-func-assign': 'off',
+    'no-cond-assign': 'off',
+    'no-constant-binary-expression': 'error',
+    'no-constructor-return': 'error',
+    'no-self-compare': 'error',
+    eqeqeq: ['error', 'always', { null: 'ignore' }],
+    'react/prop-types': 'off',
+    'react/jsx-no-useless-fragment': 'error',
+    '@typescript-eslint/consistent-type-imports': 'error',
+    '@typescript-eslint/no-non-null-assertion': 'error',
+    '@typescript-eslint/no-explicit-any': 'off',
+    '@typescript-eslint/no-empty-function': 'off',
+    '@typescript-eslint/await-thenable': 'error',
+    '@typescript-eslint/require-array-sort-compare': 'error',
+    '@typescript-eslint/unified-signatures': 'error',
+    '@typescript-eslint/prefer-for-of': 'error',
+    '@typescript-eslint/no-unused-vars': [
+      'error',
+      {
+        varsIgnorePattern: '^_',
+        argsIgnorePattern: '^_',
+        caughtErrorsIgnorePattern: '^_',
+      },
+    ],
+    'unused-imports/no-unused-imports': 'error',
+    'simple-import-sort/imports': 'error',
+    'simple-import-sort/exports': 'error',
+    'import-x/no-duplicates': 'error',
+    '@typescript-eslint/ban-ts-comment': [
+      'error',
+      {
+        'ts-expect-error': 'allow-with-description',
+        'ts-ignore': true,
+        'ts-nocheck': true,
+        'ts-check': false,
+      },
+    ],
+    '@typescript-eslint/no-restricted-imports': [
+      'error',
+      {
+        patterns: [
+          {
+            group: ['**/dist'],
+            message: "Don't import from dist",
+            allowTypeImports: false,
+          },
+          {
+            group: ['**/src'],
+            message: "Don't import from src",
+            allowTypeImports: false,
+          },
+          {
+            group: ['@blocksuite/store'],
+            message: "Import from '@blocksuite/global/utils'",
+            importNames: ['assertExists', 'assertEquals'],
+          },
+        ],
+      },
+    ],
+    'unicorn/filename-case': [
+      'error',
+      {
+        case: 'kebabCase',
+        ignore: ['^\\[[a-zA-Z0-9-_]+\\]\\.tsx$'],
+      },
+    ],
+    'unicorn/no-unnecessary-await': 'error',
+    'unicorn/no-useless-fallback-in-spread': 'error',
+    'unicorn/prefer-dom-node-dataset': 'error',
+    'unicorn/prefer-dom-node-append': 'error',
+    'unicorn/prefer-dom-node-remove': 'error',
+    'unicorn/prefer-array-some': 'error',
+    'unicorn/prefer-date-now': 'error',
+    'unicorn/prefer-blob-reading-methods': 'error',
+    'unicorn/no-typeof-undefined': 'error',
+    'unicorn/no-useless-promise-resolve-reject': 'error',
+    'unicorn/no-new-array': 'error',
+    'unicorn/new-for-builtins': 'error',
+    'unicorn/prefer-node-protocol': 'error',
+    'sonarjs/no-all-duplicated-branches': 'error',
+    'sonarjs/no-element-overwrite': 'error',
+    'sonarjs/no-empty-collection': 'error',
+    'sonarjs/no-extra-arguments': 'error',
+    'sonarjs/no-identical-conditions': 'error',
+    'sonarjs/no-identical-expressions': 'error',
+    'sonarjs/no-ignored-return': 'error',
+    'sonarjs/no-one-iteration-loop': 'error',
+    'sonarjs/no-use-of-empty-return-value': 'error',
+    'sonarjs/non-existent-operator': 'error',
+    'sonarjs/no-collapsible-if': 'error',
+    'sonarjs/no-same-line-conditional': 'error',
+    'sonarjs/no-duplicated-branches': 'error',
+    'sonarjs/no-collection-size-mischeck': 'error',
+    'sonarjs/no-useless-catch': 'error',
+    'sonarjs/no-identical-functions': 'error',
+    'rxjs/finnish': [
+      'error',
+      {
+        functions: false,
+        methods: false,
+        strict: true,
+        types: {
+          '^LiveData$': true,
+          // some yjs classes are Observables, but they don't need to be in Finnish notation
+          '^Doc$': false, // yjs Doc
+          '^Awareness$': false, // yjs Awareness
+          '^UndoManager$': false, // yjs UndoManager
+        },
+      },
+    ],
+  },
+  overrides: [
+    {
+      files: 'packages/backend/server/**/*.ts',
+      rules: {
+        '@typescript-eslint/consistent-type-imports': 0,
+      },
+    },
+    {
+      files: '*.cjs',
+      rules: {
+        '@typescript-eslint/no-var-requires': 0,
+      },
+    },
+    ...allPackages.map(pkg => ({
+      files: [`${pkg}/src/**/*.ts`, `${pkg}/src/**/*.tsx`, `${pkg}/**/*.mjs`],
+      rules: {
+        '@typescript-eslint/no-restricted-imports': [
+          'error',
+          {
+            patterns: createPattern(pkg),
+          },
+        ],
+        '@typescript-eslint/no-floating-promises': [
+          'error',
+          {
+            ignoreVoid: false,
+            ignoreIIFE: false,
+          },
+        ],
+        '@typescript-eslint/no-misused-promises': ['error'],
+        '@typescript-eslint/prefer-readonly': 'error',
+        'import-x/no-extraneous-dependencies': ['error'],
+        'react-hooks/exhaustive-deps': [
+          'warn',
+          {
+            additionalHooks:
+              '(useAsyncCallback|useCatchEventCallback|useDraggable|useDropTarget|useRefEffect)',
+          },
+        ],
+      },
+    })),
+    {
+      files: [
+        '**/__tests__/**/*',
+        '**/*.stories.tsx',
+        '**/*.spec.ts',
+        '**/tests/**/*',
+        'scripts/**/*',
+        '**/benchmark/**/*',
+        '**/__debug__/**/*',
+        '**/e2e/**/*',
+      ],
+      rules: {
+        '@typescript-eslint/no-non-null-assertion': 0,
+        '@typescript-eslint/ban-ts-comment': [
+          'error',
+          {
+            'ts-expect-error': false,
+            'ts-ignore': true,
+            'ts-nocheck': true,
+            'ts-check': false,
+          },
+        ],
+        '@typescript-eslint/no-floating-promises': 0,
+        '@typescript-eslint/no-misused-promises': 0,
+        '@typescript-eslint/no-restricted-imports': 0,
+      },
+    },
+  ],
+};
+
+module.exports = config;

.github/CODEOWNERS

@@ -1,2 +0,0 @@
-/blocksuite/ @toeverything/blocksuite-core
-/packages/frontend/core/src/blocksuite @toeverything/blocksuite-core

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -1,6 +1,6 @@
 name: Bug Report
 description: File a bug report
-title: '[Bug]: '
+title: "\u200b"
 labels: ['bug']
 body:
   - type: markdown
@@ -18,26 +18,20 @@ body:
     validations:
       required: true
   - type: dropdown
-    id: distribution
+    id: version
     attributes:
       label: Distribution version
-      description: What distribution of AFFiNE are you using?
+      description: What version of AFFiNE are you using?
       options:
         - macOS x64 (Intel)
         - macOS ARM 64 (Apple Silicon)
         - Windows x64
         - Linux
-        - Web (https://app.affine.pro)
-        - Beta Web (https://insider.affine.pro)
-        - Canary Web (https://affine.fail)
+        - Web (app.affine.pro)
+        - Web (affine.fail)
+        - Web (insider.affine.pro)
     validations:
       required: true
-  - type: input
-    id: version
-    attributes:
-      label: App Version
-      description: What version of AFFiNE are you using?
-      placeholder: (You can find AFFiNE version in [About AFFiNE] setting panel)
   - type: dropdown
     id: browsers
     attributes:
@@ -57,11 +51,6 @@ body:
         If you are self-hosting, please check the box and provide information about your setup.
       options:
         - label: 'Yes'
-  - type: input
-    id: selfhost-version
-    attributes:
-      label: Self-hosting Version
-      description: What version of AFFiNE are you selfhosting?
   - type: textarea
     id: logs
     attributes:

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -1,8 +1,7 @@
 name: Feature Request
 description: Suggest a feature or improvement
-title: '[Feature Request]: '
+title: "\u200b"
 labels: ['feat', 'story']
-assignees: ['hwangdev97']
 body:
   - type: markdown
     attributes:

.github/actions/build-rust/action.yml

@@ -7,10 +7,9 @@ inputs:
   package:
     description: 'Package to build'
     required: true
-  no-build:
-    description: 'Whether to skip building'
+  nx_token:
+    description: 'Nx Cloud access token'
     required: false
-    default: 'false'
 
 runs:
   using: 'composite'
@@ -18,74 +17,39 @@ runs:
     - name: Print rustup toolchain version
       shell: bash
       id: rustup-version
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
       run: |
         export RUST_TOOLCHAIN_VERSION="$(grep 'channel' rust-toolchain.toml | head -1 | awk -F '"' '{print $2}')"
         echo "Rust toolchain version: $RUST_TOOLCHAIN_VERSION"
         echo "RUST_TOOLCHAIN_VERSION=$RUST_TOOLCHAIN_VERSION" >> "$GITHUB_OUTPUT"
     - name: Setup Rust
       uses: dtolnay/rust-toolchain@stable
-      if: ${{ runner.os != 'Windows' }}
       with:
         toolchain: '${{ steps.rustup-version.outputs.RUST_TOOLCHAIN_VERSION }}'
         targets: ${{ inputs.target }}
       env:
         CARGO_INCREMENTAL: '1'
 
-    - name: Setup Rust
-      uses: dtolnay/rust-toolchain@stable
-      if: ${{ runner.os == 'Windows' }}
-      with:
-        toolchain: '${{ steps.rustup-version.outputs.RUST_TOOLCHAIN_VERSION }}'
-        targets: ${{ inputs.target }}
-      env:
-        CARGO_INCREMENTAL: '1'
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup
-
     - name: Set CC
-      if: ${{ contains(inputs.target, 'linux') && inputs.no-build != 'true' }}
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
+      if: ${{ contains(inputs.target, 'linux') && inputs.package != '@affine/native' }}
       shell: bash
-      # https://github.com/tree-sitter/tree-sitter/issues/4186
-      # pass -D_BSD_SOURCE to clang to fix the tree-sitter build issue
       run: |
-        echo "CC=clang -D_BSD_SOURCE" >> "$GITHUB_ENV"
-        echo "TARGET_CC=clang -D_BSD_SOURCE" >> "$GITHUB_ENV"
+        echo "CC=clang" >> "$GITHUB_ENV"
+        echo "TARGET_CC=clang" >> "$GITHUB_ENV"
 
     - name: Cache cargo
-      uses: Swatinem/rust-cache@v2
-      if: ${{ runner.os == 'Windows' }}
+      uses: actions/cache@v4
       with:
-        workspaces: ${{ env.DEV_DRIVE_WORKSPACE }}
-        save-if: ${{ github.ref_name == 'canary' }}
-        shared-key: ${{ inputs.target }}-${{ inputs.package }}
-      env:
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup
-
-    - name: Cache cargo
-      uses: Swatinem/rust-cache@v2
-      if: ${{ runner.os != 'Windows' }}
-      with:
-        save-if: ${{ github.ref_name == 'canary' }}
-        shared-key: ${{ inputs.target }}-${{ inputs.package }}
-
+        path: |
+          ~/.cargo/registry/index/
+          ~/.cargo/registry/cache/
+          ~/.cargo/git/db/
+          ~/.napi-rs
+          target/${{ inputs.target }}
+        key: stable-${{ inputs.target }}-cargo-cache
     - name: Build
       shell: bash
-      if: ${{ runner.os != 'Windows' && inputs.no-build != 'true' }}
       run: |
-        yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }} --use-napi-cross
+        yarn workspace ${{ inputs.package }} nx build ${{ inputs.package }} -- --target ${{ inputs.target }} --use-napi-cross
       env:
+        NX_CLOUD_ACCESS_TOKEN: ${{ inputs.nx_token }}
         DEBUG: 'napi:*'
-
-    - name: Build
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
-      shell: bash
-      if: ${{ runner.os == 'Windows' && inputs.no-build != 'true' }}
-      run: |
-        yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }}
-      env:
-        DEBUG: 'napi:*'
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup

.github/actions/copilot-test/action.yml

@@ -1,25 +0,0 @@
-name: 'Run Copilot E2E Test'
-description: 'Run Copilot E2E Test'
-inputs:
-  script:
-    description: 'Script to run'
-    default: 'yarn affine @affine-test/affine-cloud-copilot e2e --forbid-only'
-    required: false
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Server Copilot E2E Test
-      shell: bash
-      run: ${{ inputs.script }}
-      env:
-        COPILOT: true
-        DEV_SERVER_URL: http://localhost:8080
-
-    - name: Upload test results
-      if: ${{ failure() }}
-      uses: actions/upload-artifact@v4
-      with:
-        name: test-results-e2e-server-copilot
-        path: ./test-results
-        if-no-files-found: ignore

.github/actions/deploy/action.yml

@@ -1,6 +1,9 @@
 name: 'Deploy to Cluster'
 description: 'Deploy AFFiNE Cloud to cluster'
 inputs:
+  build-type:
+    description: 'Align with App build type, canary|beta|stable|internal'
+    default: 'canary'
   gcp-project-number:
     description: 'GCP project number'
     required: true
@@ -33,3 +36,5 @@ runs:
     - name: Deploy
       shell: bash
       run: node ./.github/actions/deploy/deploy.mjs
+      env:
+        BUILD_TYPE: '${{ inputs.build-type }}'

.github/actions/deploy/deploy.mjs

@@ -10,114 +10,74 @@ const {
   DATABASE_USERNAME,
   DATABASE_PASSWORD,
   DATABASE_NAME,
-  GCLOUD_CONNECTION_NAME,
+  R2_ACCOUNT_ID,
+  R2_ACCESS_KEY_ID,
+  R2_SECRET_ACCESS_KEY,
+  CAPTCHA_TURNSTILE_SECRET,
+  METRICS_CUSTOMER_IO_TOKEN,
+  COPILOT_OPENAI_API_KEY,
+  COPILOT_FAL_API_KEY,
+  COPILOT_UNSPLASH_API_KEY,
+  MAILER_SENDER,
+  MAILER_USER,
+  MAILER_PASSWORD,
+  AFFINE_GOOGLE_CLIENT_ID,
+  AFFINE_GOOGLE_CLIENT_SECRET,
   CLOUD_SQL_IAM_ACCOUNT,
-  APP_IAM_ACCOUNT,
-  REDIS_SERVER_HOST,
-  REDIS_SERVER_PASSWORD,
+  GCLOUD_CONNECTION_NAME,
+  GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT,
+  REDIS_HOST,
+  REDIS_PASSWORD,
+  STRIPE_API_KEY,
+  STRIPE_WEBHOOK_KEY,
   STATIC_IP_NAME,
-  AFFINE_INDEXER_SEARCH_PROVIDER,
-  AFFINE_INDEXER_SEARCH_ENDPOINT,
-  AFFINE_INDEXER_SEARCH_API_KEY,
 } = process.env;
 
+// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
 const buildType = BUILD_TYPE || 'canary';
 
 const isProduction = buildType === 'stable';
 const isBeta = buildType === 'beta';
 const isInternal = buildType === 'internal';
 
-const replicaConfig = {
-  stable: {
-    web: 2,
-    graphql: Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 2,
-    sync: Number(process.env.PRODUCTION_SYNC_REPLICA) || 2,
-    renderer: Number(process.env.PRODUCTION_RENDERER_REPLICA) || 2,
-    doc: Number(process.env.PRODUCTION_DOC_REPLICA) || 2,
-  },
-  beta: {
-    web: 1,
-    graphql: Number(process.env.BETA_GRAPHQL_REPLICA) || 1,
-    sync: Number(process.env.BETA_SYNC_REPLICA) || 1,
-    renderer: Number(process.env.BETA_RENDERER_REPLICA) || 1,
-    doc: Number(process.env.BETA_DOC_REPLICA) || 1,
-  },
-  canary: {
-    web: 1,
-    graphql: 1,
-    sync: 1,
-    renderer: 1,
-    doc: 1,
-  },
-};
-
-const cpuConfig = {
-  beta: {
-    web: '300m',
-    graphql: '1',
-    sync: '1',
-    doc: '1',
-    renderer: '300m',
-  },
-  canary: {
-    web: '300m',
-    graphql: '1',
-    sync: '1',
-    doc: '1',
-    renderer: '300m',
-  },
-};
-
 const createHelmCommand = ({ isDryRun }) => {
   const flag = isDryRun ? '--dry-run' : '--atomic';
   const imageTag = `${buildType}-${GIT_SHORT_HASH}`;
   const redisAndPostgres =
     isProduction || isBeta || isInternal
       ? [
-          `--set        cloud-sql-proxy.enabled=true`,
-          `--set-string cloud-sql-proxy.database.connectionName="${GCLOUD_CONNECTION_NAME}"`,
-          `--set-string global.database.host=${DATABASE_URL}`,
+          `--set-string global.database.url=${DATABASE_URL}`,
           `--set-string global.database.user=${DATABASE_USERNAME}`,
           `--set-string global.database.password=${DATABASE_PASSWORD}`,
           `--set-string global.database.name=${DATABASE_NAME}`,
-          `--set-string global.redis.host="${REDIS_SERVER_HOST}"`,
-          `--set-string global.redis.password="${REDIS_SERVER_PASSWORD}"`,
+          `--set        global.database.gcloud.enabled=true`,
+          `--set-string global.database.gcloud.connectionName="${GCLOUD_CONNECTION_NAME}"`,
+          `--set-string global.database.gcloud.cloudSqlInternal="${GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT}"`,
+          `--set-string global.redis.host="${REDIS_HOST}"`,
+          `--set-string global.redis.password="${REDIS_PASSWORD}"`,
         ]
       : [];
-  const indexerOptions = [
-    `--set-string global.indexer.provider="${AFFINE_INDEXER_SEARCH_PROVIDER}"`,
-    `--set-string global.indexer.endpoint="${AFFINE_INDEXER_SEARCH_ENDPOINT}"`,
-    `--set-string global.indexer.apiKey="${AFFINE_INDEXER_SEARCH_API_KEY}"`,
-  ];
-  const serviceAnnotations = [
-    `--set-json   web.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   graphql.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   sync.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   doc.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-  ].concat(
+  const serviceAnnotations =
     isProduction || isBeta || isInternal
       ? [
-          `--set-json   web.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   graphql.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   sync.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   cloud-sql-proxy.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }"`,
-          `--set-json   cloud-sql-proxy.nodeSelector="{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }"`,
+          `--set-json   web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
+          `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
         ]
-      : []
-  );
-
-  const cpu = cpuConfig[buildType];
-  const resources = cpu
-    ? [
-        `--set        web.resources.requests.cpu="${cpu.web}"`,
-        `--set        graphql.resources.requests.cpu="${cpu.graphql}"`,
-        `--set        sync.resources.requests.cpu="${cpu.sync}"`,
-        `--set        doc.resources.requests.cpu="${cpu.doc}"`,
-      ]
-    : [];
-
-  const replica = replicaConfig[buildType] || replicaConfig.canary;
-
+      : [];
+  const webReplicaCount = isProduction ? 3 : isBeta ? 2 : 2;
+  const graphqlReplicaCount = isProduction
+    ? Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 3
+    : isBeta
+      ? Number(process.env.isBeta_GRAPHQL_REPLICA) || 2
+      : 2;
+  const syncReplicaCount = isProduction
+    ? Number(process.env.PRODUCTION_SYNC_REPLICA) || 3
+    : isBeta
+      ? Number(process.env.BETA_SYNC_REPLICA) || 2
+      : 2;
   const namespace = isProduction
     ? 'production'
     : isBeta
@@ -125,40 +85,50 @@ const createHelmCommand = ({ isDryRun }) => {
       : isInternal
         ? 'internal'
         : 'dev';
-
-  const hosts = (DEPLOY_HOST || CANARY_DEPLOY_HOST)
-    .split(',')
-    .map(host => host.trim())
-    .filter(host => host);
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+  const host = DEPLOY_HOST || CANARY_DEPLOY_HOST;
   const deployCommand = [
     `helm upgrade --install affine .github/helm/affine`,
     `--namespace  ${namespace}`,
-    `--set-string global.deployment.type="affine"`,
-    `--set-string global.deployment.platform="gcp"`,
     `--set-string global.app.buildType="${buildType}"`,
     `--set        global.ingress.enabled=true`,
-    `--set-json   global.ingress.annotations="{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }"`,
-    ...hosts.map(
-      (host, index) => `--set global.ingress.hosts[${index}]=${host}`
-    ),
+    `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
+    `--set-string global.ingress.host="${host}"`,
+    `--set        global.objectStorage.r2.enabled=true`,
+    `--set-string global.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
+    `--set-string global.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
+    `--set-string global.objectStorage.r2.secretAccessKey="${R2_SECRET_ACCESS_KEY}"`,
     `--set-string global.version="${APP_VERSION}"`,
     ...redisAndPostgres,
-    ...indexerOptions,
-    `--set        web.replicaCount=${replica.web}`,
+    `--set        web.replicaCount=${webReplicaCount}`,
     `--set-string web.image.tag="${imageTag}"`,
-    `--set        graphql.replicaCount=${replica.graphql}`,
+    `--set        graphql.replicaCount=${graphqlReplicaCount}`,
     `--set-string graphql.image.tag="${imageTag}"`,
-    `--set        graphql.app.host=${hosts[0]}`,
-    `--set        sync.replicaCount=${replica.sync}`,
+    `--set        graphql.app.host=${host}`,
+    `--set        graphql.app.captcha.enabled=true`,
+    `--set-string graphql.app.captcha.turnstile.secret="${CAPTCHA_TURNSTILE_SECRET}"`,
+    `--set        graphql.app.copilot.enabled=true`,
+    `--set-string graphql.app.copilot.openai.key="${COPILOT_OPENAI_API_KEY}"`,
+    `--set-string graphql.app.copilot.fal.key="${COPILOT_FAL_API_KEY}"`,
+    `--set-string graphql.app.copilot.unsplash.key="${COPILOT_UNSPLASH_API_KEY}"`,
+    `--set-string graphql.app.mailer.sender="${MAILER_SENDER}"`,
+    `--set-string graphql.app.mailer.user="${MAILER_USER}"`,
+    `--set-string graphql.app.mailer.password="${MAILER_PASSWORD}"`,
+    `--set-string graphql.app.oauth.google.enabled=true`,
+    `--set-string graphql.app.oauth.google.clientId="${AFFINE_GOOGLE_CLIENT_ID}"`,
+    `--set-string graphql.app.oauth.google.clientSecret="${AFFINE_GOOGLE_CLIENT_SECRET}"`,
+    `--set-string graphql.app.payment.stripe.apiKey="${STRIPE_API_KEY}"`,
+    `--set-string graphql.app.payment.stripe.webhookKey="${STRIPE_WEBHOOK_KEY}"`,
+    `--set        graphql.app.metrics.enabled=true`,
+    `--set-string graphql.app.metrics.customerIo.token="${METRICS_CUSTOMER_IO_TOKEN}"`,
+    `--set        graphql.app.experimental.enableJwstCodec=${namespace === 'dev'}`,
+    `--set        graphql.app.features.earlyAccessPreview=false`,
+    `--set        graphql.app.features.syncClientVersionCheck=true`,
+    `--set        sync.replicaCount=${syncReplicaCount}`,
     `--set-string sync.image.tag="${imageTag}"`,
     `--set-string renderer.image.tag="${imageTag}"`,
-    `--set        renderer.app.host=${hosts[0]}`,
-    `--set        renderer.replicaCount=${replica.renderer}`,
-    `--set-string doc.image.tag="${imageTag}"`,
-    `--set        doc.app.host=${hosts[0]}`,
-    `--set        doc.replicaCount=${replica.doc}`,
+    `--set        renderer.app.host=${host}`,
     ...serviceAnnotations,
-    ...resources,
     `--timeout 10m`,
     flag,
   ].join(' ');

.github/actions/prepare-release/action.yml

@@ -1,41 +0,0 @@
-name: Prepare Release
-description: 'Prepare Release'
-outputs:
-  APP_VERSION:
-    description: 'App Version'
-    value: ${{ steps.get-version.outputs.APP_VERSION }}
-  GIT_SHORT_HASH:
-    description: 'Git Short Hash'
-    value: ${{ steps.get-version.outputs.GIT_SHORT_HASH }}
-  BUILD_TYPE:
-    description: 'Build Type'
-    value: ${{ steps.get-version.outputs.BUILD_TYPE }}
-runs:
-  using: 'composite'
-  steps:
-    - name: Get Version
-      id: get-version
-      shell: bash
-      run: |
-        GIT_SHORT_HASH=$(git rev-parse --short HEAD)
-        if [ "${{ github.ref_type }}" == "tag" ]; then
-          APP_VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
-        else
-          APP_VERSION=$(date '+%Y.%-m.%-d-canary.%-H%M')
-        fi
-        if [[ "$APP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-          BUILD_TYPE=stable
-        elif [[ "$APP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-beta\.[0-9]+$ ]]; then
-          BUILD_TYPE=beta
-        elif [[ "$APP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-canary\.[0-9a-f]+$ ]]; then
-          BUILD_TYPE=canary
-        else
-          echo "Error: unsupported version string: $APP_VERSION" >&2
-          exit 1
-        fi
-        echo $APP_VERSION
-        echo $GIT_SHORT_HASH
-        echo $BUILD_TYPE
-        echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
-        echo "GIT_SHORT_HASH=$GIT_SHORT_HASH" >> "$GITHUB_OUTPUT"
-        echo "BUILD_TYPE=$BUILD_TYPE" >> "$GITHUB_OUTPUT"

.github/actions/server-test-env/action.yml

@@ -1,35 +0,0 @@
-name: 'Prepare Server Test Environment'
-description: 'Prepare Server Test Environment'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Bundle @affine/reader
-      shell: bash
-      run: |
-        yarn affine @affine/reader build
-
-    - name: Initialize database
-      shell: bash
-      run: |
-        psql -h localhost -U postgres -c "CREATE DATABASE affine;"
-        psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
-        psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
-      env:
-        PGPASSWORD: affine
-
-    - name: Run init-db script
-      shell: bash
-      env:
-        NODE_ENV: test
-      run: |
-        yarn affine @affine/server prisma generate
-        yarn affine @affine/server prisma migrate deploy
-        yarn affine @affine/server data-migration run
-
-    - name: Import config
-      shell: bash
-      env:
-        DEFAULT_CONFIG: '{}'
-      run: |
-        printf '%s\n' "${SERVER_CONFIG:-$DEFAULT_CONFIG}" > ./packages/backend/server/config.json

.github/actions/setup-node/action.yml

@@ -13,18 +13,10 @@ inputs:
     description: 'Run the install step for Playwright.'
     required: false
     default: 'false'
-  playwright-platform:
-    description: 'The platform to install Playwright for.'
-    required: false
-    default: 'chromium,webkit'
   electron-install:
     description: 'Download the Electron binary'
     required: false
     default: 'true'
-  corepack-install:
-    description: 'Install CorePack'
-    required: false
-    default: 'false'
   hard-link-nm:
     description: 'set nmMode to hardlinks-local in .yarnrc.yml'
     required: false
@@ -39,19 +31,10 @@ inputs:
   full-cache:
     description: 'Full installation cache'
     required: false
+
 runs:
   using: 'composite'
   steps:
-    - name: Output workspace path
-      id: workspace-path
-      shell: bash
-      run: |
-        if [ -n "${{ env.DEV_DRIVE_WORKSPACE }}" ]; then
-          echo "workspace_path=${{ env.DEV_DRIVE_WORKSPACE }}" >> $GITHUB_OUTPUT
-        else
-          echo "workspace_path=${{ github.workspace }}" >> $GITHUB_OUTPUT
-        fi
-
     - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
@@ -59,37 +42,24 @@ runs:
         registry-url: https://npm.pkg.github.com
         scope: '@toeverything'
 
-    - uses: kenchan0130/actions-system-info@master
-      id: system-info
-
-    - name: Init CorePack
-      if: ${{ inputs.corepack-install == 'true' }}
-      shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
-      run: corepack enable
-
     - name: Set nmMode
       if: ${{ inputs.hard-link-nm == 'false' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set nmMode classic
 
     - name: Set nmHoistingLimits
       if: ${{ inputs.nmHoistingLimits }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set nmHoistingLimits ${{ inputs.nmHoistingLimits }}
 
     - name: Set enableScripts
       if: ${{ inputs.enableScripts == 'false' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set enableScripts false
 
     - name: Set yarn global cache path
       shell: bash
       id: yarn-cache
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: node -e "const p = $(yarn config cacheFolder --json).effective; console.log('yarn_global_cache=' + p)" >> $GITHUB_OUTPUT
 
     - name: Cache non-full yarn cache on Linux
@@ -97,9 +67,9 @@ runs:
       if: ${{ inputs.full-cache != 'true' && runner.os == 'Linux' }}
       with:
         path: |
-          ${{ steps.workspace-path.outputs.workspace_path }}/node_modules
+          node_modules
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
 
     # The network performance on macOS is very poor
     # and the decompression performance on Windows is very terrible
@@ -110,7 +80,7 @@ runs:
       with:
         path: |
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
 
     - name: Cache full yarn cache on Linux
       uses: actions/cache@v4
@@ -119,7 +89,7 @@ runs:
         path: |
           node_modules
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-full-${{ runner.os }}
 
     - name: Cache full yarn cache on non-Linux
       uses: actions/cache@v4
@@ -127,12 +97,23 @@ runs:
       with:
         path: |
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-full-${{ runner.os }}
 
     - name: yarn install
       if: ${{ inputs.package-install == 'true' }}
+      continue-on-error: true
+      shell: bash
+      run: yarn ${{ inputs.extra-flags }}
+      env:
+        HUSKY: '0'
+        PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
+        ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
+        SENTRYCLI_SKIP_DOWNLOAD: '1'
+        DEBUG: '*'
+
+    - name: yarn install (try again)
+      if: ${{ steps.install.outcome == 'failure' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn ${{ inputs.extra-flags }}
       env:
         HUSKY: '0'
@@ -145,7 +126,6 @@ runs:
       id: playwright-version
       if: ${{ inputs.playwright-install == 'true' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: echo "version=$(yarn why --json @playwright/test | grep -h 'workspace:.' | jq --raw-output '.children[].locator' | sed -e 's/@playwright\/test@.*://' | head -n 1)" >> $GITHUB_OUTPUT
 
       # Attempt to restore the correct Playwright browser binaries based on the
@@ -158,8 +138,8 @@ runs:
       id: playwright-cache
       if: ${{ inputs.playwright-install == 'true' }}
       with:
-        path: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright
-        key: '${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-playwright-${{ steps.playwright-version.outputs.version }}'
+        path: ${{ github.workspace }}/node_modules/.cache/ms-playwright
+        key: '${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}'
         # As a fallback, if the Playwright version has changed, try use the
         # most recently cached version. There's a good chance that at least one
         # of the browser binary versions haven't been updated, so Playwright can
@@ -169,22 +149,20 @@ runs:
         # date cache, but still let Playwright decide if it needs to download
         # new binaries or not.
         restore-keys: |
-          ${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-playwright-
+          ${{ runner.os }}-playwright-
 
     # If the Playwright browser binaries weren't able to be restored, we tell
     # playwright to install everything for us.
     - name: Install Playwright's dependencies
       shell: bash
       if: inputs.playwright-install == 'true'
-      run: yarn playwright install --with-deps $(echo "${{ inputs.playwright-platform }}" | tr ',' ' ')
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
+      run: yarn playwright install --with-deps chromium webkit
       env:
-        PLAYWRIGHT_BROWSERS_PATH: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright
+        PLAYWRIGHT_BROWSERS_PATH: ${{ github.workspace }}/node_modules/.cache/ms-playwright
 
     - name: Get installed Electron version
       id: electron-version
       if: ${{ inputs.electron-install == 'true' }}
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       shell: bash
       run: |
         echo "version=$(yarn why --json electron | grep -h 'workspace:.' | jq --raw-output '.children[].locator' | sed -e 's/@playwright\/test@.*://' | head -n 1)" >> $GITHUB_OUTPUT
@@ -193,20 +171,14 @@ runs:
       id: electron-cache
       if: ${{ inputs.electron-install == 'true' }}
       with:
-        path: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/electron
-        key: '${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-electron-${{ steps.electron-version.outputs.version }}'
+        path: 'node_modules/.cache/electron'
+        key: '${{ runner.os }}-electron-${{ steps.electron-version.outputs.version }}'
         restore-keys: |
-          ${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-electron-
+          ${{ runner.os }}-electron-
 
     - name: Install Electron binary
       shell: bash
       if: inputs.electron-install == 'true'
       run: node ./node_modules/electron/install.js
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       env:
-        electron_config_cache: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/electron
-
-    - name: Write PLAYWRIGHT_BROWSERS_PATH env
-      shell: bash
-      run: |
-        echo "PLAYWRIGHT_BROWSERS_PATH=${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright" >> $GITHUB_ENV
+        electron_config_cache: ./node_modules/.cache/electron

.github/actions/setup-version/action.yml

@@ -1,18 +1,24 @@
 name: Setup Version
 description: 'Setup Version'
-inputs:
-  app-version:
+outputs:
+  APP_VERSION:
     description: 'App Version'
-    required: true
-  ios-app-version:
-    description: 'iOS App Store Version (Optional, use App version if empty)'
-    required: false
-    type: string
+    value: ${{ steps.version.outputs.APP_VERSION }}
 runs:
   using: 'composite'
   steps:
     - name: 'Write Version'
+      id: version
       shell: bash
-      env:
-        IOS_APP_VERSION: ${{ inputs.ios-app-version }}
-      run: ./scripts/set-version.sh ${{ inputs.app-version }}
+      run: |
+        if [ "${{ github.ref_type }}" == "tag" ]; then
+          APP_VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
+        else
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          TIME_VERSION=$(date +%Y%m%d%H%M)
+          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
+          APP_VERSION=$PACKAGE_VERSION-nightly-$GIT_SHORT_HASH
+        fi
+        echo $APP_VERSION
+        echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
+        ./scripts/set-version.sh $APP_VERSION

.github/deployment/front/Dockerfile

@@ -1,4 +1,4 @@
-FROM openresty/openresty:1.27.1.1-0-buster
+FROM openresty/openresty:1.25.3.2-0-buster
 WORKDIR /app
 COPY ./packages/frontend/apps/web/dist ./dist
 COPY ./packages/frontend/admin/dist ./admin

.github/deployment/node/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22-bookworm-slim
+FROM node:20-bookworm-slim
 
 COPY ./packages/backend/server /app
 COPY ./packages/frontend/apps/web/dist /app/static
@@ -7,10 +7,7 @@ COPY ./packages/frontend/apps/mobile/dist /app/static/mobile
 WORKDIR /app
 
 RUN apt-get update && \
-  apt-get install -y --no-install-recommends openssl libjemalloc2 && \
+  apt-get install -y --no-install-recommends openssl && \
   rm -rf /var/lib/apt/lists/*
 
-# Enable jemalloc by preloading the library
-ENV LD_PRELOAD=libjemalloc.so.2
-
-CMD ["node", "./dist/main.js"]
+CMD ["node", "--import", "./scripts/register.js", "./dist/index.js"]

.github/deployment/self-host/compose.yaml

@@ -0,0 +1,60 @@
+services:
+  affine:
+    image: ghcr.io/toeverything/affine-graphql:stable
+    container_name: affine_selfhosted
+    command:
+      ['sh', '-c', 'node ./scripts/self-host-predeploy && node ./dist/index.js']
+    ports:
+      - '3010:3010'
+      - '5555:5555'
+    depends_on:
+      redis:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+    volumes:
+      # custom configurations
+      - ~/.affine/self-host/config:/root/.affine/config
+      # blob storage
+      - ~/.affine/self-host/storage:/root/.affine/storage
+    logging:
+      driver: 'json-file'
+      options:
+        max-size: '1000m'
+    restart: unless-stopped
+    environment:
+      - NODE_OPTIONS="--import=./scripts/register.js"
+      - AFFINE_CONFIG_PATH=/root/.affine/config
+      - REDIS_SERVER_HOST=redis
+      - DATABASE_URL=postgres://affine:affine@postgres:5432/affine
+      - NODE_ENV=production
+      # Telemetry allows us to collect data on how you use the affine. This data will helps us improve the app and provide better features.
+      # Uncomment next line if you wish to quit telemetry.
+      # - TELEMETRY_ENABLE=false
+  redis:
+    image: redis
+    container_name: affine_redis
+    restart: unless-stopped
+    volumes:
+      - ~/.affine/self-host/redis:/data
+    healthcheck:
+      test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+  postgres:
+    image: postgres:16
+    container_name: affine_postgres
+    restart: unless-stopped
+    volumes:
+      - ~/.affine/self-host/postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U affine']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    environment:
+      POSTGRES_USER: affine
+      POSTGRES_PASSWORD: affine
+      POSTGRES_DB: affine
+      PGDATA: /var/lib/postgresql/data/pgdata

.github/helm/affine/Chart.yaml

@@ -3,4 +3,4 @@ name: affine
 description: AFFiNE cloud chart
 type: application
 version: 0.0.0
-appVersion: "0.22.4"
+appVersion: "0.17.0"

.github/helm/affine/charts/doc/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: doc
-description: AFFiNE doc server
-type: application
-version: 0.0.0
-appVersion: "0.22.4"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/doc/templates/NOTES.txt

@@ -1,16 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "doc.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "doc.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "doc.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "doc.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

.github/helm/affine/charts/doc/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "doc.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "doc.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "doc.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "doc.labels" -}}
-helm.sh/chart: {{ include "doc.chart" . }}
-{{ include "doc.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "doc.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "doc.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "doc.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "doc.fullname" .) .Values.global.docService.name }}
-{{- else }}
-{{- default "default" .Values.global.docService.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/doc/templates/deployment.yaml

@@ -1,118 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "doc.fullname" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "doc.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "doc.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "doc.serviceAccountName" . }}
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_PRIVATE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
-                key: key
-          - name: NODE_ENV
-            value: "{{ .Values.env }}"
-          - name: NODE_OPTIONS
-            value: "--max-old-space-size=4096"
-          - name: NO_COLOR
-            value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
-          - name: SERVER_FLAVOR
-            value: "doc"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: pg-postgresql
-                key: postgres-password
-          - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_ENABLED
-            value: "true"
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: REDIS_SERVER_DATABASE
-            value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
-          - name: AFFINE_SERVER_PORT
-            value: "{{ .Values.global.docService.port }}"
-          - name: AFFINE_SERVER_SUB_PATH
-            value: "{{ .Values.app.path }}"
-          - name: AFFINE_SERVER_HOST
-            value: "{{ .Values.app.host }}"
-          - name: AFFINE_SERVER_HTTPS
-            value: "{{ .Values.app.https }}"
-          ports:
-            - name: http
-              containerPort: {{ .Values.global.docService.port }}
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-            timeoutSeconds: {{ .Values.probe.timeoutSeconds }}
-          readinessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-            timeoutSeconds: {{ .Values.probe.timeoutSeconds }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

.github/helm/affine/charts/doc/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "doc.fullname" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.global.docService.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "doc.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/doc/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "doc.serviceAccountName" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

.github/helm/affine/charts/doc/templates/tests/test-connection.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "doc.fullname" . }}-test-connection"
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "doc.fullname" . }}:{{ .Values.global.docService.port }}']
-  restartPolicy: Never

.github/helm/affine/charts/doc/values.yaml

@@ -1,43 +0,0 @@
-replicaCount: 1
-image:
-  repository: ghcr.io/toeverything/affine
-  pullPolicy: IfNotPresent
-  tag: ''
-
-imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
-# map to NODE_ENV environment variable
-env: 'production'
-app:
-  # AFFINE_SERVER_SUB_PATH
-  path: ''
-  # AFFINE_SERVER_HOST
-  host: '0.0.0.0'
-  https: true
-  copilot:
-    enabled: false
-    secretName: copilot
-    openai:
-      key: ''
-serviceAccount:
-  create: true
-  annotations: {}
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-resources:
-  requests:
-    cpu: '1'
-    memory: 4Gi
-
-probe:
-  initialDelaySeconds: 20
-  timeoutSeconds: 5
-
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/gcloud-sql-proxy/templates/NOTES.txt

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 1. Get the application URL by running these commands:
 {{- if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gcloud-sql-proxy.fullname" . }})

.github/helm/affine/charts/gcloud-sql-proxy/templates/deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -42,7 +42,7 @@ spec:
             - "0.0.0.0"
             - "--structured-logs"
             - "--auto-iam-authn"
-            - "{{ .Values.database.connectionName }}"
+            - "{{ .Values.global.database.gcloud.connectionName }}"
           env:
             # Enable HTTP healthchecks on port 9801. This enables /liveness,
             # /readiness and /startup health check endpoints. Allow connections
@@ -56,7 +56,7 @@ spec:
               value: 0.0.0.0
           ports:
             - name: cloud-sql-proxy
-              containerPort: {{ .Values.service.port }}
+              containerPort: {{ .Values.global.database.gcloud.proxyPort }}
               protocol: TCP
             - containerPort: 9801
               protocol: TCP

.github/helm/affine/charts/gcloud-sql-proxy/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:

.github/helm/affine/charts/gcloud-sql-proxy/templates/serviceaccount.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount

.github/helm/affine/charts/gcloud-sql-proxy/templates/tests/test-connection.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: v1
 kind: Pod
 metadata:

.github/helm/affine/charts/gcloud-sql-proxy/values.yaml

@@ -1,7 +1,4 @@
-replicaCount: 2
-enabled: false
-database: 
-  connectionName: ""
+replicaCount: 3
 
 image:
   # the tag is defined as chart appVersion.
@@ -33,11 +30,8 @@ service:
 
 resources:
   limits:
-    memory: "1Gi"
-    cpu: "1"
-  requests:
-    memory: "512Mi"
-    cpu: "100m"
+    memory: "4Gi"
+    cpu: "2"
 
 volumes: []
 volumeMounts: []

.github/helm/affine/charts/graphql/Chart.yaml

@@ -3,7 +3,7 @@ name: graphql
 description: AFFiNE GraphQL server
 type: application
 version: 0.0.0
-appVersion: "0.22.4"
+appVersion: "0.17.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/graphql/templates/captcha-secret.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.app.captcha.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.captcha.secretName }}"
+type: Opaque
+data:
+  turnstileSecret: {{ .Values.app.captcha.turnstile.secret | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/copilot-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.app.copilot.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.copilot.secretName }}"
+type: Opaque
+data:
+  openaiSecret: {{ .Values.app.copilot.openai.key | b64enc }}
+  falSecret: {{ .Values.app.copilot.fal.key | b64enc }}
+  unsplashSecret: {{ .Values.app.copilot.unsplash.key | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -36,13 +36,11 @@ spec:
           - name: NODE_ENV
             value: "{{ .Values.env }}"
           - name: NODE_OPTIONS
-            value: "--max-old-space-size=2048"
+            value: "--max-old-space-size=4096"
           - name: NO_COLOR
             value: "1"
           - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
+            value: "affine"
           - name: SERVER_FLAVOR
             value: "graphql"
           - name: AFFINE_ENV
@@ -53,7 +51,9 @@ spec:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          - name: REDIS_SERVER_ENABLED
+            value: "true"
           - name: REDIS_SERVER_HOST
             value: "{{ .Values.global.redis.host }}"
           - name: REDIS_SERVER_PORT
@@ -67,15 +67,6 @@ spec:
                 key: redis-password
           - name: REDIS_SERVER_DATABASE
             value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
           - name: AFFINE_SERVER_PORT
             value: "{{ .Values.service.port }}"
           - name: AFFINE_SERVER_SUB_PATH
@@ -84,8 +75,127 @@ spec:
             value: "{{ .Values.app.host }}"
           - name: AFFINE_SERVER_HTTPS
             value: "{{ .Values.app.https }}"
-          - name: DOC_SERVICE_ENDPOINT
-            value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
+          - name: ENABLE_R2_OBJECT_STORAGE
+            value: "{{ .Values.global.objectStorage.r2.enabled }}"
+          - name: FEATURES_EARLY_ACCESS_PREVIEW
+            value: "{{ .Values.app.features.earlyAccessPreview }}"
+          - name: FEATURES_SYNC_CLIENT_VERSION_CHECK
+            value: "{{ .Values.app.features.syncClientVersionCheck }}"
+          - name: MAILER_HOST
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: host
+          - name: MAILER_PORT
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: port
+          - name: MAILER_USER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: user
+          - name: MAILER_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: password
+          - name: MAILER_SENDER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: sender
+          - name: STRIPE_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.payment.stripe.secretName }}"
+                key: stripeAPIKey
+          - name: STRIPE_WEBHOOK_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.payment.stripe.secretName }}"
+                key: stripeWebhookKey
+          - name: DOC_MERGE_INTERVAL
+            value: "{{ .Values.app.doc.mergeInterval }}"
+          {{ if .Values.app.experimental.enableJwstCodec }}
+          - name: DOC_MERGE_USE_JWST_CODEC
+            value: "true"
+          {{ end }}
+          {{ if .Values.global.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
+          {{ if .Values.app.captcha.enabled }}
+          - name: CAPTCHA_TURNSTILE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.captcha.secretName }}"
+                key: turnstileSecret
+          {{ end }}
+          {{ if .Values.app.copilot.enabled }}
+          - name: COPILOT_OPENAI_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.copilot.secretName }}"
+                key: openaiSecret
+          - name: COPILOT_FAL_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.copilot.secretName }}"
+                key: falSecret
+          - name: COPILOT_UNSPLASH_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.copilot.secretName }}"
+                key: unsplashSecret
+          {{ end }}
+          {{ if .Values.app.oauth.google.enabled }}
+          - name: OAUTH_GOOGLE_ENABLED
+            value: "true"
+          - name: OAUTH_GOOGLE_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.google.secretName }}"
+                key: clientId
+          - name: OAUTH_GOOGLE_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.google.secretName }}"
+                key: clientSecret
+          {{ end }}
+          {{ if .Values.app.oauth.github.enabled }}
+          - name: OAUTH_GITHUB_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.github.secretName }}"
+                key: clientId
+          - name: OAUTH_GITHUB_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.github.secretName }}"
+                key: clientSecret
+          {{ end }}
+          {{ if .Values.app.metrics.enabled }}
+          - name: METRICS_CUSTOMER_IO_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.metrics.secretName }}"
+                key: customerIoSecret
+          {{ end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

.github/helm/affine/charts/graphql/templates/mailer.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.app.mailer.secretName -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.mailer.secretName }}"
+type: Opaque
+data:
+  host: "{{ .Values.app.mailer.host | b64enc }}"
+  port: "{{ .Values.app.mailer.port | b64enc }}"
+  user: "{{ .Values.app.mailer.user | b64enc }}"
+  password: "{{ .Values.app.mailer.password | b64enc }}"
+  sender: "{{ .Values.app.mailer.sender | b64enc }}"
+{{- end }}

.github/helm/affine/charts/graphql/templates/metrics-secret.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.app.metrics.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.metrics.secretName }}"
+type: Opaque
+data:
+  customerIoSecret: {{ .Values.app.metrics.customerIo.token | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/migration.yaml

@@ -23,36 +23,37 @@ spec:
           - name: AFFINE_ENV
             value: "{{ .Release.Namespace }}"
           - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
+            value: "affine"
           - name: DATABASE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
+          {{ if not .Values.global.database.gcloud.enabled }}
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
+          {{ if .Values.global.database.gcloud.enabled }}
+          - name: DATABASE_URL
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.gcloud.cloudSqlInternal }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
+          {{ if .Values.global.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
             valueFrom:
               secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
             valueFrom:
               secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
         resources:
           requests:
             cpu: '100m'

.github/helm/affine/charts/graphql/templates/oauth.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.app.oauth.google.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.google.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.google.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.google.clientSecret | b64enc }}"
+{{- end }}
+---
+{{- if .Values.app.oauth.github.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.github.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.github.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.github.clientSecret | b64enc }}"
+{{- end }}

.github/helm/affine/charts/graphql/templates/payment.yml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.payment.stripe.secretName }}"
+type: Opaque
+data:
+  stripeAPIKey: "{{ .Values.app.payment.stripe.apiKey | b64enc }}"
+  stripeWebhookKey: "{{ .Values.app.payment.stripe.webhookKey | b64enc }}"

.github/helm/affine/charts/graphql/values.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  repository: ghcr.io/toeverything/affine
+  repository: ghcr.io/toeverything/affine-graphql
   pullPolicy: IfNotPresent
   tag: ''
 
@@ -10,12 +10,57 @@ fullnameOverride: ''
 # map to NODE_ENV environment variable
 env: 'production'
 app:
+  experimental:
+    enableJwstCodec: true
   # AFFINE_SERVER_SUB_PATH
   path: ''
   # AFFINE_SERVER_HOST
   host: '0.0.0.0'
   https: true
-  
+  doc:
+    mergeInterval: "3000"
+  captcha:
+    enabled: false
+    secretName: captcha
+    turnstile:
+      secret: ''
+  copilot:
+    enabled: false
+    secretName: copilot
+    openai:
+      key: ''
+  oauth:
+    google:
+      enabled: false
+      secretName: oauth-google
+      clientId: ''
+      clientSecret: ''
+    github:
+      enabled: false
+      secretName: oauth-github
+      clientId: ''
+      clientSecret: ''
+  mailer:
+    secretName: 'mailer'
+    host: 'smtp.gmail.com'
+    port: '465'
+    user: ''
+    password: ''
+    sender: 'noreply@toeverything.info'
+  metrics:
+    enabled: false
+    secretName: 'metrics'
+    customerIo:
+      token: ''
+  payment:
+    stripe:
+      secretName: 'stripe'
+      apiKey: ''
+      webhookKey: ''
+  features:
+    earlyAccessPreview: false
+    syncClientVersionCheck: false
+
 serviceAccount:
   create: true
   annotations: {}
@@ -28,8 +73,8 @@ podSecurityContext:
 
 resources:
   requests:
-    cpu: '2'
-    memory: 2Gi
+    cpu: '4'
+    memory: 4Gi
 
 probe:
   initialDelaySeconds: 20

.github/helm/affine/charts/renderer/Chart.yaml

@@ -3,7 +3,7 @@ name: renderer
 description: AFFiNE renderer server
 type: application
 version: 0.0.0
-appVersion: "0.22.4"
+appVersion: "0.16.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/renderer/templates/deployment.yaml

@@ -36,13 +36,11 @@ spec:
           - name: NODE_ENV
             value: "{{ .Values.env }}"
           - name: NODE_OPTIONS
-            value: "--max-old-space-size=2048"
+            value: "--max-old-space-size=4096"
           - name: NO_COLOR
             value: "1"
           - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
+            value: "affine"
           - name: SERVER_FLAVOR
             value: "renderer"
           - name: AFFINE_ENV
@@ -53,7 +51,7 @@ spec:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
           - name: REDIS_SERVER_ENABLED
             value: "true"
           - name: REDIS_SERVER_HOST
@@ -69,15 +67,6 @@ spec:
                 key: redis-password
           - name: REDIS_SERVER_DATABASE
             value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
           - name: AFFINE_SERVER_PORT
             value: "{{ .Values.service.port }}"
           - name: AFFINE_SERVER_SUB_PATH
@@ -86,8 +75,25 @@ spec:
             value: "{{ .Values.app.host }}"
           - name: AFFINE_SERVER_HTTPS
             value: "{{ .Values.app.https }}"
-          - name: DOC_SERVICE_ENDPOINT
-            value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
+          - name: ENABLE_R2_OBJECT_STORAGE
+            value: "{{ .Values.global.objectStorage.r2.enabled }}"
+          {{ if .Values.global.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.global.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

.github/helm/affine/charts/renderer/values.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  repository: ghcr.io/toeverything/affine
+  repository: ghcr.io/toeverything/affine-graphql
   pullPolicy: IfNotPresent
   tag: ''
 
@@ -27,8 +27,8 @@ podSecurityContext:
 
 resources:
   requests:
-    cpu: '1'
-    memory: 2Gi
+    cpu: '4'
+    memory: 4Gi
 
 probe:
   initialDelaySeconds: 20

.github/helm/affine/charts/sync/Chart.yaml

@@ -3,7 +3,7 @@ name: sync
 description: AFFiNE Sync Server
 type: application
 version: 0.0.0
-appVersion: "0.22.4"
+appVersion: "0.17.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/sync/templates/deployment.yaml

@@ -42,9 +42,7 @@ spec:
           - name: NO_COLOR
             value: "1"
           - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
+            value: "affine"
           - name: SERVER_FLAVOR
             value: "sync"
           - name: AFFINE_ENV
@@ -55,7 +53,9 @@ spec:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          - name: REDIS_SERVER_ENABLED
+            value: "true"
           - name: REDIS_SERVER_HOST
             value: "{{ .Values.global.redis.host }}"
           - name: REDIS_SERVER_PORT
@@ -69,21 +69,10 @@ spec:
                 key: redis-password
           - name: REDIS_SERVER_DATABASE
             value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
           - name: AFFINE_SERVER_PORT
             value: "{{ .Values.service.port }}"
           - name: AFFINE_SERVER_HOST
             value: "{{ .Values.app.host }}"
-          - name: DOC_SERVICE_ENDPOINT
-            value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

.github/helm/affine/charts/sync/values.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  repository: ghcr.io/toeverything/affine
+  repository: ghcr.io/toeverything/affine-graphql
   pullPolicy: IfNotPresent
   tag: ''
 
@@ -24,11 +24,11 @@ podSecurityContext:
 
 resources:
   limits:
+    cpu: '4'
+    memory: 8Gi
+  requests:
     cpu: '2'
     memory: 4Gi
-  requests:
-    cpu: '1'
-    memory: 2Gi
 
 probe:
   initialDelaySeconds: 20

.github/helm/affine/templates/indexer-secret.yaml

@@ -1,13 +0,0 @@
-{{- if .Values.global.indexer.apiKey -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: indexer
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-2"
-    "helm.sh/hook-delete-policy": before-hook-creation
-type: Opaque
-data:
-  indexer-apiKey: {{ .Values.global.indexer.apiKey | b64enc }}
-{{- end }}

.github/helm/affine/templates/ingress.yaml

@@ -36,8 +36,7 @@ spec:
     {{- end }}
   {{- end }}
   rules:
-    {{- range .Values.global.ingress.hosts }}
-    - host: {{ . | quote }}
+    - host: "{{ .Values.global.ingress.host }}"
       http:
         paths:
           - path: /socket.io
@@ -46,34 +45,33 @@ spec:
               service:
                 name: affine-sync
                 port:
-                  number: {{ $.Values.sync.service.port }}
+                  number: {{ .Values.sync.service.port }}
           - path: /graphql
             pathType: Prefix
             backend:
               service:
                 name: affine-graphql
                 port:
-                  number: {{ $.Values.graphql.service.port }}
+                  number: {{ .Values.graphql.service.port }}
           - path: /api
             pathType: Prefix
             backend:
               service:
                 name: affine-graphql
                 port:
-                  number: {{ $.Values.graphql.service.port }}
+                  number: {{ .Values.graphql.service.port }}
           - path: /workspace
             pathType: Prefix
             backend:
               service:
                 name: affine-renderer
                 port:
-                  number: {{ $.Values.renderer.service.port }}
+                  number: {{ .Values.renderer.service.port }}
           - path: /
             pathType: Prefix
             backend:
               service:
                 name: affine-web
                 port:
-                  number: {{ $.Values.web.service.port }}
-    {{- end }}
+                  number: {{ .Values.web.service.port }}
 {{- end }}

.github/helm/affine/templates/monitoring.yaml

@@ -1,13 +0,0 @@
-{{- if eq .Values.global.deployment.platform "gcp" -}}
-apiVersion: monitoring.googleapis.com/v1
-kind: PodMonitoring
-metadata:
-  name: "{{ .Release.Name }}-monitoring"
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  endpoints:
-    - port: 9464
-      interval: 30s
-{{- end }}

.github/helm/affine/templates/r2-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.global.objectStorage.r2.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.global.objectStorage.r2.secretName }}"
+type: Opaque
+data:
+  accountId: {{ .Values.global.objectStorage.r2.accountId | b64enc }}
+  accessKeyId: {{ .Values.global.objectStorage.r2.accessKeyId | b64enc }}
+  secretAccessKey: {{ .Values.global.objectStorage.r2.secretAccessKey | b64enc }}
+{{- end }}

.github/helm/affine/values.yaml

@@ -4,41 +4,41 @@ global:
   ingress:
     enabled: false
     className: ''
-    # hosts for ingress rules
-    # e.g.
-    # hosts:
-    #  - affine.pro
-    #  - www.affine.pro
-    hosts:
-      - affine.pro
+    host: affine.pro
     tls: []
   secret:
     secretName: 'server-private-key'
     privateKey: ''
   database:
     user: 'postgres'
-    host: 'pg-postgresql'
+    url: 'pg-postgresql'
     port: '5432'
     name: 'affine'
     password: ''
+    gcloud:
+      enabled: false
+      # use for migration
+      cloudSqlInternal: ''
+      connectionName: ''
+      serviceAccount: ''
+      cloudProxyReplicas: 3
+      proxyPort: '5432'
   redis:
+    enabled: true
     host: 'redis-master'
     port: '6379'
     username: ''
     password: ''
     database: 0
-  indexer:
-    provider: ''
-    endpoint: ''
-    username: ''
-    password: ''
-  docService:
-    name: 'affine-doc'
-    port: 3020
-  deployment:
-    # change to 'selfhosted' and 'unknown' if this chart is ready to be used for selfhosted deployment
-    type: 'affine'
-    platform: 'gcp'
+  objectStorage:
+    r2:
+      enabled: false
+      secretName: r2
+      accountId: ''
+      accessKeyId: ''
+      secretAccessKey: ''
+  gke:
+    enabled: true
 
 graphql:
   service:
@@ -61,12 +61,6 @@ renderer:
     annotations:
       cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
 
-doc:
-  service:
-    type: ClusterIP
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
-
 web:
   service:
     type: ClusterIP

.github/helm/separate-config/Dockerfile_pgvector

@@ -1,6 +0,0 @@
-FROM pgvector/pgvector:pg15 AS builder
-
-FROM bitnami/postgresql:15
-
-COPY --from=builder /usr/lib/postgresql/15/lib/vector.so /opt/bitnami/postgresql/lib/
-COPY --from=builder /usr/share/postgresql/15/extension/vector* /opt/bitnami/postgresql/share/extension/

.github/renovate.json

@@ -7,13 +7,15 @@
     "**/bower_components/**",
     "**/vendor/**",
     "**/examples/**",
-    "**/__tests__/**"
+    "**/__tests__/**",
+    "**/test/**",
+    "**/__fixtures__/**"
   ],
   "packageRules": [
     {
+      "matchPackagePatterns": ["^eslint", "^@typescript-eslint"],
       "rangeStrategy": "replace",
-      "groupName": "linter",
-      "matchPackageNames": ["/^eslint/", "/^@typescript-eslint/"]
+      "groupName": "linter"
     },
     {
       "matchDepNames": ["oxlint"],
@@ -21,34 +23,18 @@
       "groupName": "oxlint"
     },
     {
-      "groupName": "all non-major rust dependencies",
-      "groupSlug": "all-minor-patch",
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchManagers": ["cargo"]
-    },
-    {
-      "groupName": "all non-major npm dependencies",
-      "groupSlug": "all-minor-patch",
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchManagers": ["npm"],
-      "matchPackageNames": ["*", "!/^@blocksuite//", "!/oxlint/"]
+      "groupName": "blocksuite",
+      "matchPackagePatterns": ["^@blocksuite"],
+      "excludePackageNames": ["@blocksuite/icons"],
+      "rangeStrategy": "replace",
+      "changelogUrl": "https://github.com/toeverything/blocksuite/blob/master/packages/blocks/CHANGELOG.md"
     },
     {
       "groupName": "all non-major dependencies",
       "groupSlug": "all-minor-patch",
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchManagers": [
-        "dockerfile",
-        "github-actions",
-        "helmv3",
-        "helm-values",
-        "gradle-wrapper",
-        "gradle",
-        "docker-compose",
-        "devcontainer",
-        "cocoapods",
-        "bundler"
-      ]
+      "matchPackagePatterns": ["*"],
+      "excludePackagePatterns": ["^@blocksuite/", "oxlint"],
+      "matchUpdateTypes": ["minor", "patch"]
     },
     {
       "groupName": "rust toolchain",
@@ -57,14 +43,7 @@
     },
     {
       "groupName": "nestjs",
-      "matchPackageNames": ["/^@nestjs/"]
-    },
-    {
-      "groupName": "opentelemetry",
-      "matchPackageNames": [
-        "/^@opentelemetry/",
-        "/^@google-cloud\/opentelemetry-/"
-      ]
+      "matchPackagePatterns": ["^@nestjs"]
     }
   ],
   "commitMessagePrefix": "chore: ",

.github/workflows/build-images.yml

@@ -3,45 +3,63 @@ name: Build Images
 on:
   workflow_call:
     inputs:
-      build-type:
-        type: string
-        required: true
-      app-version:
-        type: string
-        required: true
-      git-short-hash:
+      flavor:
         type: string
         required: true
 
+env:
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
 permissions:
   contents: 'write'
   id-token: 'write'
   packages: 'write'
 
 jobs:
-  build-web:
-    name: Build @affine/web
+  build-server:
+    name: Build Server
     runs-on: ubuntu-latest
-    environment: ${{ inputs.build-type }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
         with:
-          app-version: ${{ inputs.app-version }}
+          electron-install: false
+          extra-flags: workspaces focus @affine/server
+      - name: Build Server
+        run: yarn workspace @affine/server build
+      - name: Upload server dist
+        uses: actions/upload-artifact@v4
+        with:
+          name: server-dist
+          path: ./packages/backend/server/dist
+          if-no-files-found: error
+
+  build-web:
+    name: Build @affine/web
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Build Core
-        run: yarn affine @affine/web build
+        run: yarn nx build @affine/web --skip-nx-cache
         env:
           R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
           R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
           R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ inputs.build-type }}
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
           CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
           SENTRY_PROJECT: 'affine-web'
-          SENTRY_RELEASE: ${{ inputs.app-version }}
+          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
           PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
@@ -56,22 +74,21 @@ jobs:
   build-admin:
     name: Build @affine/admin
     runs-on: ubuntu-latest
-    environment: ${{ inputs.build-type }}
+    environment: ${{ github.event.inputs.flavor }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Build Admin
-        run: yarn affine @affine/admin build
+        run: yarn nx build @affine/admin --skip-nx-cache
         env:
           R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
           R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
           R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ inputs.build-type }}
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
           CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
           SENTRY_PROJECT: 'affine-admin'
@@ -89,22 +106,21 @@ jobs:
   build-mobile:
     name: Build @affine/mobile
     runs-on: ubuntu-latest
-    environment: ${{ inputs.build-type }}
+    environment: ${{ github.event.inputs.flavor }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Build Mobile
-        run: yarn affine @affine/mobile build
+        run: yarn nx build @affine/mobile --skip-nx-cache
         env:
           R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
           R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
           R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ inputs.build-type }}
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
           CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
           SENTRY_PROJECT: 'affine-mobile'
@@ -119,16 +135,91 @@ jobs:
           path: ./packages/frontend/apps/mobile/dist
           if-no-files-found: error
 
+  build-web-selfhost:
+    name: Build @affine/web selfhost
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Core
+        run: yarn nx build @affine/web --skip-nx-cache
+        env:
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
+          PUBLIC_PATH: '/'
+          SELF_HOSTED: true
+          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
+      - name: Download selfhost fonts
+        run: node ./scripts/download-blocksuite-fonts.mjs
+      - name: Upload web artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: selfhost-web
+          path: ./packages/frontend/apps/web/dist
+          if-no-files-found: error
+
+  build-mobile-selfhost:
+    name: Build @affine/mobile selfhost
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Mobile
+        run: yarn nx build @affine/mobile --skip-nx-cache
+        env:
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
+          PUBLIC_PATH: '/'
+          SELF_HOSTED: true
+          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
+      - name: Upload mobile artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: selfhost-mobile
+          path: ./packages/frontend/apps/mobile/dist
+          if-no-files-found: error
+
+  build-admin-selfhost:
+    name: Build @affine/admin selfhost
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build admin
+        run: yarn nx build @affine/admin --skip-nx-cache
+        env:
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
+          PUBLIC_PATH: '/admin/'
+          SELF_HOSTED: true
+          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
+      - name: Upload admin artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: selfhost-admin
+          path: ./packages/frontend/admin/dist
+          if-no-files-found: error
+
   build-server-native:
     name: Build Server native - ${{ matrix.targets.name }}
     runs-on: ubuntu-latest
-    environment: ${{ inputs.build-type }}
     strategy:
-      fail-fast: false
       matrix:
         targets:
           - name: x86_64-unknown-linux-gnu
-            file: server-native.x64.node
+            file: server-native.node
           - name: aarch64-unknown-linux-gnu
             file: server-native.arm64.node
           - name: armv7-unknown-linux-gnueabihf
@@ -137,9 +228,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
         with:
@@ -147,55 +237,15 @@ jobs:
           extra-flags: workspaces focus @affine/server-native
       - name: Build Rust
         uses: ./.github/actions/build-rust
-        env:
-          AFFINE_PRO_PUBLIC_KEY: ${{ secrets.AFFINE_PRO_PUBLIC_KEY }}
-          AFFINE_PRO_LICENSE_AES_KEY: ${{ secrets.AFFINE_PRO_LICENSE_AES_KEY }}
         with:
           target: ${{ matrix.targets.name }}
           package: '@affine/server-native'
-      - name: Rename ${{ matrix.targets.file }}
-        run: |
-          mv ./packages/backend/native/server-native.node ./packages/backend/native/${{ matrix.targets.file }}
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Upload ${{ matrix.targets.file }}
         uses: actions/upload-artifact@v4
         with:
-          name: server-native-${{ matrix.targets.file }}
-          path: ./packages/backend/native/${{ matrix.targets.file }}
-          if-no-files-found: error
-
-  build-server:
-    name: Build Server
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-native
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          extra-flags: workspaces focus @affine/server @types/affine__env
-      - name: Download server-native
-        uses: actions/download-artifact@v4
-        with:
-          pattern: server-native-*
-          merge-multiple: true
-          path: ./packages/backend/native
-      - name: List server-native files
-        run: ls -alh ./packages/backend/native
-      - name: Build @affine/reader
-        run: yarn workspace @affine/reader build
-      - name: Build Server
-        run: yarn workspace @affine/server build
-      - name: Upload server dist
-        uses: actions/upload-artifact@v4
-        with:
-          name: server-dist
-          path: ./packages/backend/server/dist
+          name: ${{ matrix.targets.file }}
+          path: ./packages/backend/native/server-native.node
           if-no-files-found: error
 
   build-images:
@@ -206,6 +256,10 @@ jobs:
       - build-web
       - build-mobile
       - build-admin
+      - build-web-selfhost
+      - build-mobile-selfhost
+      - build-admin-selfhost
+      - build-server-native
     steps:
       - uses: actions/checkout@v4
       - name: Download server dist
@@ -213,6 +267,35 @@ jobs:
         with:
           name: server-dist
           path: ./packages/backend/server/dist
+      - name: Download server-native.node
+        uses: actions/download-artifact@v4
+        with:
+          name: server-native.node
+          path: ./packages/backend/server
+      - name: Download server-native.node arm64
+        uses: actions/download-artifact@v4
+        with:
+          name: server-native.arm64.node
+          path: ./packages/backend/native
+      - name: Download server-native.node arm64
+        uses: actions/download-artifact@v4
+        with:
+          name: server-native.armv7.node
+          path: .
+      - name: move server-native files
+        run: |
+          mv ./packages/backend/native/server-native.node ./packages/backend/server/server-native.arm64.node
+          mv server-native.node ./packages/backend/server/server-native.armv7.node
+      - name: Setup env
+        run: |
+          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
+          if [ -z "${{ inputs.flavor }}" ]
+          then
+            echo "RELEASE_FLAVOR=canary" >> "$GITHUB_ENV"
+          else
+            echo "RELEASE_FLAVOR=${{ inputs.flavor }}" >> "$GITHUB_ENV"
+          fi
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -251,6 +334,24 @@ jobs:
           name: admin
           path: ./packages/frontend/admin/dist
 
+      - name: Download selfhost web artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: selfhost-web
+          path: ./packages/frontend/apps/web/dist/selfhost
+
+      - name: Download selfhost mobile artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: selfhost-mobile
+          path: ./packages/frontend/apps/mobile/dist/selfhost
+
+      - name: Download selfhost admin artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: selfhost-admin
+          path: ./packages/frontend/admin/dist/selfhost
+
       - name: Install Node.js dependencies
         run: |
           yarn config set --json supportedArchitectures.cpu '["x64", "arm64", "arm"]'
@@ -260,13 +361,9 @@ jobs:
       - name: Generate Prisma client
         run: yarn workspace @affine/server prisma generate
 
-      - name: Mv node_modules
-        run: mv ./node_modules ./packages/backend/server
-
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
 
       - name: Build front Dockerfile
         uses: docker/build-push-action@v6
@@ -277,7 +374,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
           provenance: true
           file: .github/deployment/front/Dockerfile
-          tags: ghcr.io/toeverything/affine-front:${{inputs.build-type}}-${{ inputs.git-short-hash }}
+          tags: ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}
 
       - name: Build graphql Dockerfile
         uses: docker/build-push-action@v6
@@ -288,4 +385,4 @@ jobs:
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           provenance: true
           file: .github/deployment/node/Dockerfile
-          tags: ghcr.io/toeverything/affine:${{inputs.build-type}}-${{ inputs.git-short-hash }}
+          tags: ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}

.github/workflows/build-selfhost-image.yml

@@ -0,0 +1,25 @@
+name: Build Selfhost Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      flavor:
+        description: 'Select distribution to build'
+        type: choice
+        default: canary
+        options:
+          - canary
+          - beta
+          - stable
+
+permissions:
+  contents: 'write'
+  id-token: 'write'
+  packages: 'write'
+
+jobs:
+  build-image:
+    name: Build Image
+    uses: ./.github/workflows/build-images.yml
+    with:
+      flavor: ${{ github.event.inputs.flavor }}

.github/workflows/copilot-test-automatically.yml

@@ -1,29 +0,0 @@
-name: Copilot Test Automatically
-
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
-  schedule:
-    - cron: '0 8 * * *'
-  workflow_dispatch:
-
-permissions:
-  actions: write
-
-jobs:
-  dispatch-test:
-    runs-on: ubuntu-latest
-    name: Setup Test
-    steps:
-      - name: dispatch test by tag
-        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: copilot-test.yml
-      - name: dispatch test by schedule
-        if: ${{ github.event_name == 'schedule' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: copilot-test.yml
-          ref: canary

.github/workflows/copilot-test.yml

@@ -1,206 +0,0 @@
-name: Copilot Cron Test
-
-on:
-  workflow_dispatch:
-
-jobs:
-  build-server-native:
-    name: Build Server native
-    runs-on: ubuntu-latest
-    env:
-      CARGO_PROFILE_RELEASE_DEBUG: '1'
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/server-native
-          electron-install: false
-      - name: Build Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'x86_64-unknown-linux-gnu'
-          package: '@affine/server-native'
-      - name: Upload server-native.node
-        uses: actions/upload-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/native/server-native.node
-          if-no-files-found: error
-
-  copilot-api-test:
-    name: Server Copilot Api Test
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-native
-    env:
-      NODE_ENV: test
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-      REDIS_SERVER_HOST: localhost
-    services:
-      postgres:
-        image: pgvector/pgvector:pg16
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      redis:
-        image: redis
-        ports:
-          - 6379:6379
-      mailer:
-        image: mailhog/mailhog
-        ports:
-          - 1025:1025
-          - 8025:8025
-      indexer:
-        image: manticoresearch/manticore:10.1.0
-        ports:
-          - 9308:9308
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/native
-
-      - name: Prepare Server Test Environment
-        env:
-          SERVER_CONFIG: ${{ secrets.TEST_SERVER_CONFIG }}
-        uses: ./.github/actions/server-test-env
-
-      - name: Run server tests
-        run: yarn affine @affine/server test:copilot:coverage --forbid-only
-        env:
-          CARGO_TARGET_DIR: '${{ github.workspace }}/target'
-
-      - name: Upload server test coverage results
-        uses: codecov/codecov-action@v5
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./packages/backend/server/.coverage/lcov.info
-          flags: server-test
-          name: affine
-          fail_ci_if_error: false
-
-  copilot-e2e-test:
-    name: Frontend Copilot E2E Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-      REDIS_SERVER_HOST: localhost
-      IN_CI_TEST: true
-    strategy:
-      fail-fast: false
-      matrix:
-        shardIndex: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
-        shardTotal: [10]
-    needs:
-      - build-server-native
-    services:
-      postgres:
-        image: pgvector/pgvector:pg16
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      redis:
-        image: redis
-        ports:
-          - 6379:6379
-      indexer:
-        image: manticoresearch/manticore:10.1.0
-        ports:
-          - 9308:9308
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          hard-link-nm: false
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/native
-
-      - name: Prepare Server Test Environment
-        env:
-          SERVER_CONFIG: ${{ secrets.TEST_SERVER_CONFIG }}
-        uses: ./.github/actions/server-test-env
-
-      - name: Run Copilot E2E Test ${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-        uses: ./.github/actions/copilot-test
-        with:
-          script: yarn affine @affine-test/affine-cloud-copilot e2e --forbid-only --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-
-  test-done:
-    needs:
-      - copilot-api-test
-      - copilot-e2e-test
-    if: always()
-    runs-on: ubuntu-latest
-    name: Post test result message
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: 'workspaces focus @affine/copilot-result'
-          electron-install: false
-      - name: Post Success event to a Slack channel
-        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: success
-      - name: Post Failed event to a Slack channel
-        id: failed-slack
-        if: ${{ always() && contains(needs.*.result, 'failure') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: failed
-      - name: Post Cancel event to a Slack channel
-        id: cancel-slack
-        if: ${{ always() && contains(needs.*.result, 'cancelled') && !contains(needs.*.result, 'failure') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: canceled

.github/workflows/deploy-automatically.yml

@@ -0,0 +1,32 @@
+name: Deploy Automatically
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
+  schedule:
+    - cron: '0 9 * * *'
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
+jobs:
+  dispatch-deploy:
+    runs-on: ubuntu-latest
+    name: Setup Deploy
+    steps:
+      - name: dispatch deploy by tag
+        if: ${{ github.event_name == 'push' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: deploy.yml
+          inputs: '{ "flavor": "canary" }'
+      - name: dispatch deploy by schedule
+        if: ${{ github.event_name == 'schedule' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: deploy.yml
+          inputs: '{ "flavor": "canary" }'
+          ref: canary

.github/workflows/deploy.yml

@@ -0,0 +1,213 @@
+name: Deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      flavor:
+        description: 'Select what enverionment to deploy to'
+        type: choice
+        default: canary
+        options:
+          - canary
+          - beta
+          - stable
+          - internal
+env:
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+permissions:
+  contents: 'write'
+  id-token: 'write'
+  packages: 'write'
+
+jobs:
+  output-prev-version:
+    name: Output previous version
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    outputs:
+      prev: ${{ steps.print.outputs.version }}
+      namespace: ${{ steps.print.outputs.namespace }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Auth to Cluster
+        uses: './.github/actions/cluster-auth'
+        with:
+          gcp-project-number: ${{ secrets.GCP_PROJECT_NUMBER }}
+          gcp-project-id: ${{ secrets.GCP_PROJECT_ID }}
+          service-account: ${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}
+          cluster-name: ${{ secrets.GCP_CLUSTER_NAME }}
+          cluster-location: ${{ secrets.GCP_CLUSTER_LOCATION }}
+      - name: Output previous version
+        id: print
+        run: |
+          namespace=""
+          if [ "${{ github.event.inputs.flavor }}" = "canary" ]; then
+            namespace="dev"
+          elif [ "${{ github.event.inputs.flavor }}" = "beta" ]; then
+            namespace="beta"
+          elif [ "${{ github.event.inputs.flavor }}" = "stable" ]; then
+            namespace="production"
+          else
+            echo "Invalid flavor: ${{ github.event.inputs.flavor }}"
+            exit 1
+          fi
+
+          echo "Namespace set to: $namespace"
+
+          # Get the previous version from the deployment
+          prev_version=$(kubectl get deployment -n $namespace affine-graphql -o=jsonpath='{.spec.template.spec.containers[0].image}' | awk -F '-' '{print $3}')
+
+          echo "Previous version: $prev_version"
+          echo "version=$prev_version" >> $GITHUB_OUTPUT
+          echo "namesapce=$namespace" >> $GITHUB_OUTPUT
+
+  build-images:
+    name: Build Images
+    uses: ./.github/workflows/build-images.yml
+    secrets: inherit
+    with:
+      flavor: ${{ github.event.inputs.flavor }}
+
+  deploy:
+    name: Deploy to cluster
+    if: ${{ github.event_name == 'workflow_dispatch' }}
+    environment: ${{ github.event.inputs.flavor }}
+    needs:
+      - build-images
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Deploy to ${{ github.event.inputs.flavor }}
+        uses: ./.github/actions/deploy
+        with:
+          build-type: ${{ github.event.inputs.flavor }}
+          gcp-project-number: ${{ secrets.GCP_PROJECT_NUMBER }}
+          gcp-project-id: ${{ secrets.GCP_PROJECT_ID }}
+          service-account: ${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}
+          cluster-name: ${{ secrets.GCP_CLUSTER_NAME }}
+          cluster-location: ${{ secrets.GCP_CLUSTER_LOCATION }}
+        env:
+          APP_VERSION: ${{ steps.version.outputs.APP_VERSION }}
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          CANARY_DEPLOY_HOST: ${{ secrets.CANARY_DEPLOY_HOST }}
+          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          CAPTCHA_TURNSTILE_SECRET: ${{ secrets.CAPTCHA_TURNSTILE_SECRET }}
+          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
+          COPILOT_FAL_API_KEY: ${{ secrets.COPILOT_FAL_API_KEY }}
+          COPILOT_UNSPLASH_API_KEY: ${{ secrets.COPILOT_UNSPLASH_API_KEY }}
+          METRICS_CUSTOMER_IO_TOKEN: ${{ secrets.METRICS_CUSTOMER_IO_TOKEN }}
+          MAILER_SENDER: ${{ secrets.OAUTH_EMAIL_SENDER }}
+          MAILER_USER: ${{ secrets.OAUTH_EMAIL_LOGIN }}
+          MAILER_PASSWORD: ${{ secrets.OAUTH_EMAIL_PASSWORD }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AFFINE_GOOGLE_CLIENT_ID: ${{ secrets.AFFINE_GOOGLE_CLIENT_ID }}
+          AFFINE_GOOGLE_CLIENT_SECRET: ${{ secrets.AFFINE_GOOGLE_CLIENT_SECRET }}
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+          DATABASE_USERNAME: ${{ secrets.DATABASE_USERNAME }}
+          DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
+          DATABASE_NAME: ${{ secrets.DATABASE_NAME }}
+          GCLOUD_CONNECTION_NAME: ${{ secrets.GCLOUD_CONNECTION_NAME }}
+          GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT: ${{ secrets.GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT }}
+          REDIS_HOST: ${{ secrets.REDIS_HOST }}
+          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
+          CLOUD_SQL_IAM_ACCOUNT: ${{ secrets.CLOUD_SQL_IAM_ACCOUNT }}
+          STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
+          STRIPE_WEBHOOK_KEY: ${{ secrets.STRIPE_WEBHOOK_KEY }}
+          STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}
+
+  deploy-done:
+    needs:
+      - output-prev-version
+      - build-images
+      - deploy
+    if: always()
+    runs-on: ubuntu-latest
+    name: Post deploy message
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/checkout@v4
+        with:
+          repository: toeverything/blocksuite
+          path: blocksuite
+          fetch-depth: 0
+          fetch-tags: true
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          extra-flags: 'workspaces focus @affine/changelog'
+          electron-install: false
+      - name: Output deployed info
+        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+        id: set_info
+        run: |
+          if [ "${{ github.event.inputs.flavor }}" = "canary" ]; then
+            echo "deployed_url=https://affine.fail" >> $GITHUB_OUTPUT
+          elif [ "${{ github.event.inputs.flavor }}" = "beta" ]; then
+            echo "deployed_url=https://insider.affine.pro" >> $GITHUB_OUTPUT
+          elif [ "${{ github.event.inputs.flavor }}" = "stable" ]; then
+            echo "deployed_url=https://app.affine.pro" >> $GITHUB_OUTPUT
+          else
+            exit 1
+          fi
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Post Success event to a Slack channel
+        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+        run: node ./tools/changelog/index.js
+        env:
+          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+          DEPLOYED_URL: ${{ steps.set_info.outputs.deployed_url }}
+          PREV_VERSION: ${{ needs.output-prev-version.outputs.prev }}
+          NAMESPACE: ${{ needs.output-prev-version.outputs.namespace }}
+          DEPLOYMENT: 'SERVER'
+          FLAVOR: ${{ github.event.inputs.flavor }}
+          BLOCKSUITE_REPO_PATH: ${{ github.workspace }}/blocksuite
+      - name: Post Failed event to a Slack channel
+        id: failed-slack
+        uses: slackapi/slack-github-action@v1.27.0
+        if: ${{ always() && contains(needs.*.result, 'failure') }}
+        with:
+          channel-id: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "text": "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy failed `${{ github.event.inputs.flavor }}`>",
+                    "type": "mrkdwn"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+      - name: Post Cancel event to a Slack channel
+        id: cancel-slack
+        uses: slackapi/slack-github-action@v1.27.0
+        if: ${{ always() && contains(needs.*.result, 'cancelled') && !contains(needs.*.result, 'failure') }}
+        with:
+          channel-id: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "text": "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy cancelled `${{ github.event.inputs.flavor }}`>",
+                    "type": "mrkdwn"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/helm-releaser.yml

@@ -0,0 +1,66 @@
+name: Release Charts
+
+on:
+  push:
+    branches: [canary]
+    paths:
+      - '.github/helm/**/Chart.yml'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Checkout Helm chart repo
+        uses: actions/checkout@v4
+        with:
+          repository: toeverything/helm-charts
+          path: .helm-chart-repo
+          ref: gh-pages
+          token: ${{ secrets.HELM_RELEASER_TOKEN }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Install chart releaser
+        run: |
+          set -e
+          arch="$(dpkg --print-architecture)"
+          curl -s https://api.github.com/repos/helm/chart-releaser/releases/latest \
+          | yq --indent 0 --no-colors --input-format json --unwrapScalar \
+            ".assets[] | select(.name | test("\""^chart-releaser_.+_linux_${arch}\.tar\.gz$"\"")) | .browser_download_url" \
+          | xargs curl -SsL \
+          | tar zxf - -C /usr/local/bin
+
+      - name: Package charts
+        working-directory: .helm-chart-repo
+        run: |
+          mkdir -p .cr-index
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
+          helm dependencies build ../.github/helm/affine
+          helm dependencies build ../.github/helm/affine-cloud
+          cr package ../.github/helm/affine
+          cr package ../.github/helm/affine-cloud
+
+      - name: Publish charts
+        working-directory: .helm-chart-repo
+        run: |
+          set -ex
+          git config --local user.name "$GITHUB_ACTOR"
+          git config --local user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          owner=$(cut -d '/' -f 1 <<< '${{ github.repository }}')
+          repo=helm-charts
+          git_hash=$(git rev-parse HEAD)
+          cr upload --commit "$git_hash" \
+            --git-repo "$repo" --owner "$owner" \
+            --token '${{ secrets.HELM_RELEASER_TOKEN }}' \
+            --skip-existing
+          cr index --git-repo "$repo" --owner "$owner" \
+            --token '${{ secrets.HELM_RELEASER_TOKEN }}' \
+            --index-path .cr-index --push

.github/workflows/label-checker.yml

@@ -0,0 +1,19 @@
+name: Label Checker
+on:
+  pull_request:
+    types:
+      - opened
+      - labeled
+      - unlabeled
+    branches:
+      - canary
+
+jobs:
+  check_labels:
+    name: PR should not have a blocked label
+    runs-on: ubuntu-latest
+    steps:
+      - uses: docker://agilepathway/pull-request-label-checker:latest
+        with:
+          none_of: blocked
+          repo_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-auto-assign.yml

@@ -0,0 +1,12 @@
+name: Pull request auto assign
+
+# on: pull_request
+on:
+  pull_request:
+    types: [opened, ready_for_review]
+
+jobs:
+  add-reviews:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: kentaro-m/auto-assign-action@v2.0.0

.github/workflows/release-cloud.yml

@@ -1,66 +0,0 @@
-name: Release Cloud
-
-on:
-  workflow_call:
-    inputs:
-      build-type:
-        required: true
-        type: string
-      app-version:
-        required: true
-        type: string
-      git-short-hash:
-        required: true
-        type: string
-
-permissions:
-  contents: 'write'
-  id-token: 'write'
-  packages: 'write'
-
-jobs:
-  build-images:
-    name: Build Images
-    uses: ./.github/workflows/build-images.yml
-    secrets: inherit
-    with:
-      build-type: ${{ inputs.build-type }}
-      app-version: ${{ inputs.app-version }}
-      git-short-hash: ${{ inputs.git-short-hash }}
-
-  deploy:
-    name: Deploy to cluster
-    environment: ${{ inputs.build-type }}
-    needs:
-      - build-images
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Deploy to ${{ inputs.build-type }}
-        uses: ./.github/actions/deploy
-        with:
-          gcp-project-number: ${{ secrets.GCP_PROJECT_NUMBER }}
-          gcp-project-id: ${{ secrets.GCP_PROJECT_ID }}
-          service-account: ${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}
-          cluster-name: ${{ secrets.GCP_CLUSTER_NAME }}
-          cluster-location: ${{ secrets.GCP_CLUSTER_LOCATION }}
-        env:
-          BUILD_TYPE: ${{ inputs.build-type }}
-          APP_VERSION: ${{ inputs.app-version }}
-          GIT_SHORT_HASH: ${{ inputs.git-short-hash }}
-          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
-          CANARY_DEPLOY_HOST: ${{ secrets.CANARY_DEPLOY_HOST }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DATABASE_URL: ${{ secrets.DATABASE_URL }}
-          DATABASE_USERNAME: ${{ secrets.DATABASE_USERNAME }}
-          DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
-          DATABASE_NAME: ${{ secrets.DATABASE_NAME }}
-          GCLOUD_CONNECTION_NAME: ${{ secrets.GCLOUD_CONNECTION_NAME }}
-          REDIS_SERVER_HOST: ${{ secrets.REDIS_SERVER_HOST }}
-          REDIS_SERVER_PASSWORD: ${{ secrets.REDIS_SERVER_PASSWORD }}
-          CLOUD_SQL_IAM_ACCOUNT: ${{ secrets.CLOUD_SQL_IAM_ACCOUNT }}
-          APP_IAM_ACCOUNT: ${{ secrets.APP_IAM_ACCOUNT }}
-          STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}
-          AFFINE_INDEXER_SEARCH_PROVIDER: ${{ secrets.AFFINE_INDEXER_SEARCH_PROVIDER }}
-          AFFINE_INDEXER_SEARCH_ENDPOINT: ${{ secrets.AFFINE_INDEXER_SEARCH_ENDPOINT }}
-          AFFINE_INDEXER_SEARCH_API_KEY: ${{ secrets.AFFINE_INDEXER_SEARCH_API_KEY }}

.github/workflows/release-desktop-automatically.yml

@@ -0,0 +1,32 @@
+name: Release Desktop Automatically
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
+  schedule:
+    - cron: '0 9 * * *'
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
+jobs:
+  dispatch-release-desktop:
+    runs-on: ubuntu-latest
+    name: Setup Release Desktop
+    steps:
+      - name: dispatch desktop release by tag
+        if: ${{ github.event_name == 'push' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: release-desktop.yml
+          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
+      - name: dispatch desktop release by schedule
+        if: ${{ github.event_name == 'schedule' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: release-desktop.yml
+          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
+          ref: canary

.github/workflows/release-desktop.yml

@@ -1,17 +1,27 @@
-name: Release Desktop
+name: Release Desktop App
 
 on:
-  workflow_call:
+  workflow_dispatch:
     inputs:
       build-type:
+        description: 'Build Type'
+        type: choice
         required: true
-        type: string
-      app-version:
+        default: canary
+        options:
+          - canary
+          - beta
+          - stable
+      is-draft:
+        description: 'Draft Release?'
+        type: boolean
         required: true
-        type: string
-      git-short-hash:
+        default: true
+      is-pre-release:
+        description: 'Pre Release? (labeled as "PreRelease")'
+        type: boolean
         required: true
-        type: string
+        default: true
 
 permissions:
   actions: write
@@ -21,53 +31,53 @@ permissions:
   attestations: write
 
 env:
-  BUILD_TYPE: ${{ inputs.build-type }}
-  RELEASE_VERSION: ${{ inputs.app-version }}
-  DEBUG: 'affine:*,napi:*'
+  BUILD_TYPE: ${{ github.event.inputs.build-type }}
+  DEBUG: napi:*
   APP_NAME: affine
   MACOSX_DEPLOYMENT_TARGET: '10.13'
 
 jobs:
   before-make:
     runs-on: ubuntu-latest
-    environment: ${{ inputs.build-type }}
+    environment: ${{ github.event.inputs.build-type }}
+    outputs:
+      RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Setup @sentry/cli
         uses: ./.github/actions/setup-sentry
       - name: generate-assets
-        run: yarn affine @affine/electron generate-assets
+        run: yarn workspace @affine/electron generate-assets
         env:
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
           SENTRY_PROJECT: 'affine'
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ inputs.app-version }}
-          RELEASE_VERSION: ${{ inputs.app-version }}
+          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
+          RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
+          SKIP_NX_CACHE: 'true'
           MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
 
       - name: Upload web artifact
         uses: actions/upload-artifact@v4
         with:
-          name: desktop-web
+          name: web
           path: packages/frontend/apps/electron/resources/web-static
 
   make-distribution:
     strategy:
-      fail-fast: false
       matrix:
         spec:
-          - runner: macos-latest
+          - runner: macos-14
             platform: darwin
             arch: x64
             target: x86_64-apple-darwin
-          - runner: macos-latest
+          - runner: macos-14
             platform: darwin
             arch: arm64
             target: aarch64-apple-darwin
@@ -77,7 +87,6 @@ jobs:
             target: x86_64-unknown-linux-gnu
     runs-on: ${{ matrix.spec.runner }}
     needs: before-make
-    environment: ${{ inputs.build-type }}
     env:
       APPLE_ID: ${{ secrets.APPLE_ID }}
       APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
@@ -87,19 +96,17 @@ jobs:
       SENTRY_PROJECT: 'affine'
       SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
       SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      SENTRY_RELEASE: ${{ inputs.app-version }}
       MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
       - name: Setup Node.js
         timeout-minutes: 10
         uses: ./.github/actions/setup-node
         with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo @affine/nbstore @toeverything/infra
+          extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
           nmHoistingLimits: workspaces
           enableScripts: false
@@ -108,44 +115,33 @@ jobs:
         with:
           target: ${{ matrix.spec.target }}
           package: '@affine/native'
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - uses: actions/download-artifact@v4
         with:
-          name: desktop-web
+          name: web
           path: packages/frontend/apps/electron/resources/web-static
 
       - name: Build Desktop Layers
-        run: yarn affine @affine/electron build
+        run: yarn workspace @affine/electron build
 
       - name: Signing By Apple Developer ID
         if: ${{ matrix.spec.platform == 'darwin' }}
-        uses: apple-actions/import-codesign-certs@v5
+        uses: apple-actions/import-codesign-certs@v3
         with:
           p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
           p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 
-      - name: Install additional dependencies on Linux
+      - name: Install fuse on Linux (for patching AppImage)
         if: ${{ matrix.spec.platform == 'linux' }}
         run: |
           sudo add-apt-repository universe
-          sudo apt install -y libfuse2 elfutils flatpak flatpak-builder
-          flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
-          flatpak update
-          # some flatpak deps need git protocol.file.allow
-          git config --global protocol.file.allow always
-
-      - name: Remove nbstore node_modules
-        shell: bash
-        # node_modules of nbstore is not needed for building, and it will make the build process out of memory
-        run: |
-          rm -rf packages/frontend/apps/electron/node_modules/@affine/nbstore/node_modules/@blocksuite
-          rm -rf packages/frontend/apps/electron/node_modules/@affine/native/node_modules
+          sudo apt install libfuse2 -y
 
       - name: make
-        run: yarn affine @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+        run: yarn workspace @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
         env:
           SKIP_WEB_BUILD: 1
           HOIST_NODE_MODULES: 1
-          NODE_OPTIONS: --max-old-space-size=14384
 
       - name: signing DMG
         if: ${{ matrix.spec.platform == 'darwin' }}
@@ -156,31 +152,29 @@ jobs:
         if: ${{ matrix.spec.platform == 'darwin' }}
         run: |
           mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/*.dmg ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
-          mv packages/frontend/apps/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
+          mv packages/frontend/apps/electron/out/*/make/*.dmg ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
+          mv packages/frontend/apps/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
       - name: Save artifacts (linux)
         if: ${{ matrix.spec.platform == 'linux' }}
         run: |
           mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/zip/linux/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.zip
-          mv packages/frontend/apps/electron/out/*/make/*.AppImage ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.appimage
-          mv packages/frontend/apps/electron/out/*/make/deb/${{ matrix.spec.arch }}/*.deb ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.deb
-          mv packages/frontend/apps/electron/out/*/make/flatpak/*/*.flatpak ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.flatpak
+          mv packages/frontend/apps/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
+          mv packages/frontend/apps/electron/out/*/make/*.AppImage ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
 
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
         if: ${{ matrix.spec.platform == 'darwin' }}
         with:
           subject-path: |
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
+            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
+            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
 
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
         if: ${{ matrix.spec.platform == 'linux' }}
         with:
           subject-path: |
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.deb
+            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
+            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
@@ -188,43 +182,34 @@ jobs:
           path: builds
 
   package-distribution-windows:
-    environment: ${{ inputs.build-type }}
     strategy:
-      fail-fast: false
       matrix:
         spec:
           - runner: windows-latest
             platform: win32
             arch: x64
             target: x86_64-pc-windows-msvc
-          - runner: windows-latest
-            platform: win32
-            arch: arm64
-            target: aarch64-pc-windows-msvc
     runs-on: ${{ matrix.spec.runner }}
     needs: before-make
     outputs:
-      FILES_TO_BE_SIGNED_x64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_x64 }}
-      FILES_TO_BE_SIGNED_arm64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_arm64 }}
+      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
     env:
       SKIP_GENERATE_ASSETS: 1
       SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
       SENTRY_PROJECT: 'affine'
       SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
       SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      SENTRY_RELEASE: ${{ inputs.app-version }}
       MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
       - name: Setup Node.js
         timeout-minutes: 10
         uses: ./.github/actions/setup-node
         with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo @affine/nbstore @toeverything/infra
+          extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
           nmHoistingLimits: workspaces
       - name: Build AFFiNE native
@@ -232,34 +217,26 @@ jobs:
         with:
           target: ${{ matrix.spec.target }}
           package: '@affine/native'
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - uses: actions/download-artifact@v4
         with:
-          name: desktop-web
+          name: web
           path: packages/frontend/apps/electron/resources/web-static
 
       - name: Build Desktop Layers
-        run: yarn affine @affine/electron build
-
-      - name: Remove nbstore node_modules
-        shell: bash
-        # node_modules of nbstore is not needed for building, and it will make the build process out of memory
-        run: |
-          rm -rf packages/frontend/apps/electron/node_modules/@affine/nbstore/node_modules/@blocksuite/affine/node_modules
-          rm -rf packages/frontend/apps/electron/node_modules/@affine/native/node_modules
+        run: yarn workspace @affine/electron build
 
       - name: package
-        run: |
-          yarn affine @affine/electron package --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+        run: yarn workspace @affine/electron package --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
         env:
           SKIP_WEB_BUILD: 1
           HOIST_NODE_MODULES: 1
-          NODE_OPTIONS: --max-old-space-size=14384
 
       - name: get all files to be signed
         id: get_files_to_be_signed
         run: |
           Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/apps/electron/out -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\apps\electron\out\', '') + '"' }) -join ' ')
-          "FILES_TO_BE_SIGNED_${{ matrix.spec.arch }}=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
+          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
           echo $FILES_TO_BE_SIGNED
 
       - name: Zip artifacts for faster upload
@@ -273,42 +250,30 @@ jobs:
             archive.zip
             !**/*.map
 
-  sign-packaged-artifacts-windows_x64:
+  sign-packaged-artifacts-windows:
     needs: package-distribution-windows
     uses: ./.github/workflows/windows-signer.yml
     with:
-      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED_x64 }}
+      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED }}
       artifact-name: packaged-win32-x64
 
-  sign-packaged-artifacts-windows_arm64:
-    needs: package-distribution-windows
-    uses: ./.github/workflows/windows-signer.yml
-    with:
-      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED_arm64 }}
-      artifact-name: packaged-win32-arm64
-
   make-windows-installer:
-    needs:
-      - sign-packaged-artifacts-windows_x64
-      - sign-packaged-artifacts-windows_arm64
+    needs: sign-packaged-artifacts-windows
     strategy:
-      fail-fast: false
       matrix:
         spec:
-          - platform: win32
+          - runner: windows-latest
+            platform: win32
             arch: x64
-          - platform: win32
-            arch: arm64
-    runs-on: windows-latest
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.spec.runner }}
     outputs:
-      FILES_TO_BE_SIGNED_x64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_x64 }}
-      FILES_TO_BE_SIGNED_arm64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_arm64 }}
+      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
+        id: version
         uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
       - name: Setup Node.js
         timeout-minutes: 10
         uses: ./.github/actions/setup-node
@@ -316,8 +281,6 @@ jobs:
           extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
           nmHoistingLimits: workspaces
-        env:
-          npm_config_arch: ${{ matrix.spec.arch }}
       - name: Download and overwrite packaged artifacts
         uses: actions/download-artifact@v4
         with:
@@ -327,10 +290,10 @@ jobs:
         run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/apps/electron/out
 
       - name: Make squirrel.windows installer
-        run: yarn affine @affine/electron make-squirrel --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+        run: yarn workspace @affine/electron make-squirrel --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
 
       - name: Make nsis.windows installer
-        run: yarn affine @affine/electron make-nsis --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+        run: yarn workspace @affine/electron make-nsis --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
 
       - name: Zip artifacts for faster upload
         run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make/* -DestinationPath archive.zip
@@ -339,7 +302,7 @@ jobs:
         id: get_files_to_be_signed
         run: |
           Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\apps\electron\out\${{ env.BUILD_TYPE }}\make\', '') + '"' }) -join ' ')
-          "FILES_TO_BE_SIGNED_${{ matrix.spec.arch }}=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
+          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
           echo $FILES_TO_BE_SIGNED
 
       - name: Save installer for signing
@@ -348,37 +311,22 @@ jobs:
           name: installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: archive.zip
 
-  sign-installer-artifacts-windows-x64:
+  sign-installer-artifacts-windows:
     needs: make-windows-installer
     uses: ./.github/workflows/windows-signer.yml
     with:
-      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED_x64 }}
+      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED }}
       artifact-name: installer-win32-x64
 
-  sign-installer-artifacts-windows-arm64:
-    needs: make-windows-installer
-    uses: ./.github/workflows/windows-signer.yml
-    with:
-      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED_arm64 }}
-      artifact-name: installer-win32-arm64
-
   finalize-installer-windows:
-    needs:
-      [
-        sign-installer-artifacts-windows-x64,
-        sign-installer-artifacts-windows-arm64,
-        before-make,
-      ]
+    needs: [sign-installer-artifacts-windows, before-make]
     strategy:
-      fail-fast: false
       matrix:
         spec:
           - runner: windows-latest
             platform: win32
             arch: x64
-          - runner: windows-latest
-            platform: win32
-            arch: arm64
+            target: x86_64-pc-windows-msvc
     runs-on: ${{ matrix.spec.runner }}
     steps:
       - name: Download and overwrite installer artifacts
@@ -392,16 +340,16 @@ jobs:
       - name: Save artifacts
         run: |
           mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/zip/win32/${{ matrix.spec.arch }}/AFFiNE*-win32-${{ matrix.spec.arch }}-*.zip ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.zip
-          mv packages/frontend/apps/electron/out/*/make/squirrel.windows/${{ matrix.spec.arch }}/*.exe ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.exe
-          mv packages/frontend/apps/electron/out/*/make/nsis.windows/${{ matrix.spec.arch }}/*.exe ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.nsis.exe
+          mv packages/frontend/apps/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.zip
+          mv packages/frontend/apps/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.exe
+          mv packages/frontend/apps/electron/out/*/make/nsis.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.nsis.exe
 
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
         with:
           subject-path: |
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.zip
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.exe
-            ./builds/affine-${{ env.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.nsis.exe
+            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.zip
+            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.exe
+            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.nsis.exe
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
@@ -417,7 +365,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
         with:
-          name: desktop-web
+          name: web
           path: web-static
       - name: Zip web-static
         run: zip -r web-static.zip web-static
@@ -425,47 +373,65 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: affine-darwin-x64-builds
-          path: ./release
+          path: ./
       - name: Download Artifacts (macos-arm64)
         uses: actions/download-artifact@v4
         with:
           name: affine-darwin-arm64-builds
-          path: ./release
+          path: ./
       - name: Download Artifacts (windows-x64)
         uses: actions/download-artifact@v4
         with:
           name: affine-win32-x64-builds
-          path: ./release
-      - name: Download Artifacts (windows-arm64)
-        uses: actions/download-artifact@v4
-        with:
-          name: affine-win32-arm64-builds
-          path: ./release
+          path: ./
       - name: Download Artifacts (linux-x64)
         uses: actions/download-artifact@v4
         with:
           name: affine-linux-x64-builds
-          path: ./release
+          path: ./
       - uses: actions/setup-node@v4
         with:
           node-version: 20
-      - name: Copy Selfhost Release Files
-        run: |
-          cp ./.docker/selfhost/compose.yml ./release/docker-compose.yml
-          cp ./.docker/selfhost/.env.example ./release/.env.example
-          cp ./.docker/selfhost/schema.json ./release/config.schema.json
       - name: Generate Release yml
         run: |
-          node ./scripts/generate-release-yml.mjs
+          node ./packages/frontend/apps/electron/scripts/generate-yml.js
         env:
-          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
-      - name: Create GitHub Release
+          RELEASE_VERSION: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+      - name: Create Release Draft
+        if: ${{ github.ref_type == 'tag' }}
         uses: softprops/action-gh-release@v2
         with:
-          name: ${{ env.RELEASE_VERSION }}
-          draft: ${{ inputs.build-type == 'stable' }}
-          prerelease: ${{ inputs.build-type != 'stable' }}
-          tag_name: v${{ env.RELEASE_VERSION}}
+          name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+          body: ''
+          draft: ${{ github.event.inputs.is-draft }}
+          prerelease: ${{ github.event.inputs.is-pre-release }}
           files: |
-            ./release/*
-            ./release/.env.example
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.appimage
+            ./*.apk
+            ./*.yml
+      - name: Create Nightly Release Draft
+        if: ${{ github.ref_type == 'branch' }}
+        uses: softprops/action-gh-release@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        with:
+          # Temporarily, treat release from branch as nightly release, artifact saved to AFFiNE-Releases.
+          # Need to improve internal build and nightly release logic.
+          repository: 'toeverything/AFFiNE-Releases'
+          name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+          tag_name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
+          body: ''
+          draft: false
+          prerelease: true
+          files: |
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.appimage
+            ./*.apk
+            ./*.yml

.github/workflows/release-mobile.yml

@@ -1,223 +0,0 @@
-name: Release Mobile
-
-on:
-  workflow_call:
-    inputs:
-      app-version:
-        type: string
-        required: true
-      git-short-hash:
-        type: string
-        required: true
-      build-type:
-        type: string
-        required: true
-      ios-app-version:
-        type: string
-        required: false
-
-env:
-  BUILD_TYPE: ${{ inputs.build-type }}
-  DEBUG: napi:*
-  KEYCHAIN_NAME: ${{ github.workspace }}/signing_temp
-
-jobs:
-  build-ios-web:
-    runs-on: ubuntu-latest
-    environment: ${{ inputs.build-type }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: Build Mobile
-        run: yarn affine @affine/ios build
-        env:
-          PUBLIC_PATH: '/'
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ inputs.app-version }}
-          RELEASE_VERSION: ${{ inputs.app-version }}
-      - name: Upload ios artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ios
-          path: packages/frontend/apps/ios/dist
-
-  build-android-web:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: Build Mobile
-        run: yarn affine @affine/android build
-        env:
-          PUBLIC_PATH: '/'
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ inputs.app-version }}
-      - name: Upload android artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: android
-          path: packages/frontend/apps/android/dist
-
-  ios:
-    runs-on: 'macos-15'
-    needs:
-      - build-ios-web
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
-          ios-app-version: ${{ inputs.ios-app-version }}
-      - name: 'Update Code Sign Identity'
-        shell: bash
-        run: ./packages/frontend/apps/ios/update_code_sign_identity.sh
-      - name: Download mobile artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ios
-          path: packages/frontend/apps/ios/dist
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        timeout-minutes: 10
-        with:
-          extra-flags: workspaces focus @affine/ios
-          playwright-install: false
-          electron-install: false
-          hard-link-nm: false
-          enableScripts: false
-      - uses: maxim-lobanov/setup-xcode@v1
-        with:
-          xcode-version: 16.4
-      - name: Install Swiftformat
-        run: brew install swiftformat
-      - name: Cap sync
-        run: yarn workspace @affine/ios sync
-      - name: Signing By Apple Developer ID
-        uses: apple-actions/import-codesign-certs@v5
-        id: import-codesign-certs
-        with:
-          p12-file-base64: ${{ secrets.CERTIFICATES_P12_MOBILE }}
-          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD_MOBILE }}
-      - name: Setup Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'aarch64-apple-ios'
-          package: 'affine_mobile_native'
-          no-build: 'true'
-      - name: Testflight
-        working-directory: packages/frontend/apps/ios/App
-        run: |
-          echo -n "${{ env.BUILD_PROVISION_PROFILE }}" | base64 --decode -o $PP_PATH
-          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
-          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
-          fastlane beta
-        env:
-          BUILD_TARGET: distribution
-          BUILD_PROVISION_PROFILE: ${{ secrets.BUILD_PROVISION_PROFILE }}
-          PP_PATH: ${{ runner.temp }}/build_pp.mobileprovision
-          APPLE_STORE_CONNECT_API_KEY_ID: ${{ secrets.APPLE_STORE_CONNECT_API_KEY_ID }}
-          APPLE_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APPLE_STORE_CONNECT_API_ISSUER_ID }}
-          APPLE_STORE_CONNECT_API_KEY: ${{ secrets.APPLE_STORE_CONNECT_API_KEY }}
-
-  android:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: 'write'
-    needs:
-      - build-android-web
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        uses: ./.github/actions/setup-version
-        with:
-          app-version: ${{ inputs.app-version }}
-      - name: Download mobile artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: android
-          path: packages/frontend/apps/android/dist
-      - name: Load Google Service file
-        env:
-          DATA: ${{ secrets.FIREBASE_ANDROID_GOOGLE_SERVICE_JSON }}
-        run: echo $DATA | base64 -di > packages/frontend/apps/android/App/app/google-services.json
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        timeout-minutes: 10
-        with:
-          extra-flags: workspaces focus @affine/monorepo @affine-tools/cli @affine/android @affine/playstore-auto-bump
-          playwright-install: false
-          electron-install: false
-          hard-link-nm: false
-          enableScripts: false
-      - name: Setup Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'aarch64-linux-android'
-          package: 'affine_mobile_native'
-          no-build: 'true'
-      - name: Cap sync
-        run: yarn workspace @affine/android cap sync
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.13'
-      - name: Auth gcloud
-        id: auth
-        uses: google-github-actions/auth@v2
-        with:
-          workload_identity_provider: 'projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
-          service_account: '${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}'
-          token_format: 'access_token'
-          project_id: '${{ secrets.GCP_PROJECT_ID }}'
-          access_token_scopes: 'https://www.googleapis.com/auth/androidpublisher'
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '21'
-          cache: 'gradle'
-      - name: Auto increment version code
-        id: bump
-        run: yarn affine @affine/playstore-auto-bump bump
-        env:
-          GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
-      - name: Build
-        run: |
-          echo -n "${{ env.AFFINE_ANDROID_SIGN_KEYSTORE }}" | base64 --decode > packages/frontend/apps/android/affine.keystore
-          yarn workspace @affine/android cap build android --flavor ${{ env.BUILD_TYPE }} --androidreleasetype AAB
-        env:
-          AFFINE_ANDROID_KEYSTORE_PASSWORD: ${{ secrets.AFFINE_ANDROID_KEYSTORE_PASSWORD }}
-          AFFINE_ANDROID_KEYSTORE_ALIAS_PASSWORD: ${{ secrets.AFFINE_ANDROID_KEYSTORE_ALIAS_PASSWORD }}
-          AFFINE_ANDROID_SIGN_KEYSTORE: ${{ secrets.AFFINE_ANDROID_SIGN_KEYSTORE }}
-          VERSION_NAME: ${{ inputs.app-version }}
-      - name: Upload to Google Play
-        uses: r0adkll/upload-google-play@v1
-        with:
-          serviceAccountJson: ${{ steps.auth.outputs.credentials_file_path }}
-          packageName: app.affine.pro
-          releaseName: ${{ inputs.app-version }}
-          releaseFiles: packages/frontend/apps/android/App/app/build/outputs/bundle/${{ env.BUILD_TYPE }}Release/app-${{ env.BUILD_TYPE }}-release-signed.aab
-          track: internal
-          status: draft
-          existingEditId: ${{ steps.bump.outputs.EDIT_ID }}

.github/workflows/release.yml

@@ -1,126 +0,0 @@
-name: Release
-
-on:
-  schedule:
-    - cron: '0 9 * * *'
-
-  workflow_dispatch:
-    inputs:
-      web:
-        description: 'Release Web?'
-        required: true
-        type: boolean
-        default: false
-      desktop:
-        description: 'Release Desktop?'
-        required: true
-        type: boolean
-        default: false
-      mobile:
-        description: 'Release Mobile?'
-        required: true
-        type: boolean
-        default: false
-      ios-app-version:
-        description: 'iOS App Store Version (Optional, use tag version if empty)'
-        required: false
-        type: string
-
-permissions:
-  contents: write
-  pull-requests: write
-  actions: write
-  id-token: write
-  packages: write
-  security-events: write
-  attestations: write
-  issues: write
-
-jobs:
-  prepare:
-    name: Prepare
-    runs-on: ubuntu-latest
-    outputs:
-      APP_VERSION: ${{ steps.prepare.outputs.APP_VERSION }}
-      GIT_SHORT_HASH: ${{ steps.prepare.outputs.GIT_SHORT_HASH }}
-      BUILD_TYPE: ${{ steps.prepare.outputs.BUILD_TYPE }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Prepare Release
-        id: prepare
-        uses: ./.github/actions/prepare-release
-
-  cloud:
-    name: Release Cloud
-    if: ${{ inputs.web || github.event_name != 'workflow_dispatch' }}
-    needs:
-      - prepare
-    uses: ./.github/workflows/release-cloud.yml
-    secrets: inherit
-    with:
-      build-type: ${{ needs.prepare.outputs.BUILD_TYPE }}
-      app-version: ${{ needs.prepare.outputs.APP_VERSION }}
-      git-short-hash: ${{ needs.prepare.outputs.GIT_SHORT_HASH }}
-
-  image:
-    name: Release Docker Image
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-      - cloud
-    steps:
-      - uses: trstringer/manual-approval@v1
-        if: ${{ needs.prepare.outputs.BUILD_TYPE == 'stable' }}
-        name: Wait for approval
-        with:
-          secret: ${{ secrets.GITHUB_TOKEN }}
-          approvers: forehalo,fengmk2,darkskygit
-          minimum-approvals: 1
-          fail-on-denial: true
-          issue-title: Please confirm to release docker image
-          issue-body: |
-            Env: ${{ needs.prepare.outputs.BUILD_TYPE }}
-            Candidate: ghcr.io/toeverything/affine:${{ needs.prepare.outputs.BUILD_TYPE }}-${{ needs.prepare.outputs.GIT_SHORT_HASH }}
-            Tag: ghcr.io/toeverything/affine:${{ needs.prepare.outputs.BUILD_TYPE }}
-
-            > comment with "approve", "approved", "lgtm", "yes" to approve
-            > comment with "deny", "denied", "no" to deny
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          logout: false
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Tag Image
-        run: |
-          docker buildx imagetools create --tag ghcr.io/toeverything/affine:${{needs.prepare.outputs.BUILD_TYPE}} ghcr.io/toeverything/affine:${{needs.prepare.outputs.BUILD_TYPE}}-${{needs.prepare.outputs.GIT_SHORT_HASH}}
-          docker buildx imagetools create --tag ghcr.io/toeverything/affine:${{needs.prepare.outputs.APP_VERSION}} ghcr.io/toeverything/affine:${{needs.prepare.outputs.BUILD_TYPE}}-${{needs.prepare.outputs.GIT_SHORT_HASH}}
-
-  desktop:
-    name: Release Desktop
-    if: ${{ inputs.desktop || github.event_name != 'workflow_dispatch' }}
-    needs:
-      - prepare
-    uses: ./.github/workflows/release-desktop.yml
-    secrets: inherit
-    with:
-      build-type: ${{ needs.prepare.outputs.BUILD_TYPE }}
-      app-version: ${{ needs.prepare.outputs.APP_VERSION }}
-      git-short-hash: ${{ needs.prepare.outputs.GIT_SHORT_HASH }}
-
-  mobile:
-    name: Release Mobile
-    if: ${{ inputs.mobile }}
-    needs:
-      - prepare
-    uses: ./.github/workflows/release-mobile.yml
-    secrets: inherit
-    with:
-      build-type: ${{ needs.prepare.outputs.BUILD_TYPE }}
-      app-version: ${{ needs.prepare.outputs.APP_VERSION }}
-      git-short-hash: ${{ needs.prepare.outputs.GIT_SHORT_HASH }}
-      ios-app-version: ${{ inputs.ios-app-version }}

.github/workflows/sync-i18n.yml

@@ -11,6 +11,7 @@ on:
 jobs:
   synchronize-with-crowdin:
     runs-on: ubuntu-latest
+
     permissions:
       contents: write
       pull-requests: write
@@ -20,11 +21,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Crowdin action
-        id: crowdin
         uses: crowdin/github-action@v2
         with:
           upload_sources: true
-          upload_translations: false
+          upload_translations: true
           download_translations: true
           auto_approve_imported: true
           import_eq_suggestions: true
@@ -32,7 +32,7 @@ jobs:
           skip_untranslated_strings: true
           localization_branch_name: l10n_crowdin_translations
           create_pull_request: true
-          pull_request_title: 'chore(i18n): sync translations'
+          pull_request_title: 'New Crowdin Translations'
           pull_request_body: 'New Crowdin translations by [Crowdin GH Action](https://github.com/crowdin/github-action)'
           pull_request_base_branch_name: 'canary'
           config: packages/frontend/i18n/crowdin.yml
@@ -40,33 +40,3 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
           CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
-  i18n-codegen:
-    needs: synchronize-with-crowdin
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: l10n_crowdin_translations
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          full-cache: true
-
-      - name: Run i18n codegen
-        run: yarn affine @affine/i18n build
-
-      - name: Commit changes
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add .
-          git commit -m "chore(i18n): i18n codegen"
-          git push origin l10n_crowdin_translations

.github/workflows/windows-signer.yml

@@ -29,7 +29,7 @@ jobs:
         shell: cmd
         run: |
           cd ${{ env.ARCHIVE_DIR }}/out
-          signtool sign /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td sha256 /fd sha256 /a ${{ inputs.files }}
+          signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /a ${{ inputs.files }}
       - name: zip file
         shell: cmd
         run: |

.github/workflows/workers.yml

@@ -0,0 +1,23 @@
+name: Deploy Cloudflare Worker
+
+on:
+  push:
+    branches:
+      - canary
+    paths:
+      - tools/workers/**
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy
+    environment: stable
+    steps:
+      - uses: actions/checkout@v4
+      - name: Publish
+        uses: cloudflare/wrangler-action@v3.7.0
+        with:
+          apiToken: ${{ secrets.CF_API_TOKEN }}
+          accountId: ${{ secrets.CF_ACCOUNT_ID }}
+          workingDirectory: 'tools/workers'
+          packageManager: 'yarn'

.gitignore

@@ -29,6 +29,7 @@ node_modules
 
 # IDE - VSCode
 .vscode/*
+!.vscode/tasks.json
 !.vscode/settings.template.json
 !.vscode/launch.template.json
 !.vscode/extensions.json
@@ -58,6 +59,7 @@ Thumbs.db
 .vercel
 out/
 storybook-static
+i18n-generated.ts
 
 test-results
 playwright-report
@@ -80,11 +82,3 @@ apps/web/next-routes.conf
 
 packages/frontend/templates/edgeless
 packages/frontend/core/public/static/templates
-
-# script
-af
-af.cmd
-*.resolved
-
-# playwright
-storageState.json

.i18n-codegen.json

@@ -3,8 +3,8 @@
   "version": 1,
   "list": [
     {
-      "input": "./src/resources/en.json",
-      "output": "./src/i18n.gen",
+      "input": "./packages/frontend/i18n/src/resources/en.json",
+      "output": "./packages/frontend/i18n/src/i18n-generated",
       "parser": {
         "type": "i18next",
         "contextSeparator": "$",

.nvmrc

@@ -1 +1 @@
-22.16.0
+20.17.0

.prettierignore

@@ -1,43 +1,27 @@
-# we will make this file shared by prettier|eslint|oxlint
-**/node_modules
+yarn.lock
+target
+lib
+test-results
+.next
+out
+dist
 .yarn
 .github/helm
-.git
-.vscode
+_next
+storybook-static
+web-static
+public
+packages/backend/server/src/schema.gql
+packages/backend/server/src/fundamentals/error/errors.gen.ts
+packages/frontend/i18n/src/i18n-generated.ts
+packages/frontend/graphql/src/graphql/index.ts
+tests/affine-legacy/**/static
 .yarnrc.yml
-.docker
-**/.storybook
+packages/frontend/templates/*.gen.ts
+packages/frontend/templates/onboarding
 
-# compiled output
-.coverage
-.nx/**
-target
-test-results
-**/dist
-**/lib
-**/storybook-static
-**/web-static
-**/public
-**/e2e-dist-*
-**/static
-
-# generated files
-**/*.gen.ts
-**/*.gql
-**/*.d.ts
-
-# per files
-tools/cli/src/webpack/error-handler.js
+# auto-generated by NAPI-RS
+# fixme(@joooye34): need script to check and generate ignore list here
 packages/backend/native/index.d.ts
-packages/backend/server/src/__tests__/__snapshots__
-packages/common/native/fixtures/**
-packages/common/graphql/src/graphql/index.ts
 packages/frontend/native/index.d.ts
 packages/frontend/native/index.js
-packages/frontend/apps/android/App/**
-packages/frontend/apps/ios/App/**
-tests/blocksuite/snapshots
-blocksuite/docs/api/**
-packages/frontend/admin/src/config.json
-**/test-docs.json
-**/test-blocks.json

.vscode/launch.template.json

@@ -1,35 +1,25 @@
 {
   "version": "0.2.0",
   "configurations": [
+    {
+      "name": "Run Dev",
+      "type": "node-terminal",
+      "request": "launch",
+      "command": "yarn run dev"
+    },
+    {
+      "name": "Run Dev Locally",
+      "type": "node-terminal",
+      "request": "launch",
+      "command": "yarn run dev:local"
+    },
     {
       "name": "Launch AFFiNE Cloud",
       "type": "node",
       "request": "launch",
       "runtimeExecutable": "yarn",
       "cwd": "${workspaceFolder}",
-      "runtimeArgs": [
-        "affine",
-        "@affine/server",
-        "dev"
-      ]
-    },
-    {
-      "name": "Lanuch AFFiNE Web",
-      "type": "node",
-      "request": "launch",
-      "runtimeExecutable": "yarn",
-      "cwd": "${workspaceFolder}",
-      "runtimeArgs": [
-        "affine",
-        "@affine/web",
-        "dev"
-      ]
-    },
-    {
-      "type": "chrome",
-      "request": "launch",
-      "name": "Debug AFFiNE Web",
-      "url": "http://localhost:8080"
+      "runtimeArgs": ["workspace", "@affine/server", "dev"]
     }
   ]
-}
+}

.yarn/patches/@atlaskit-pragmatic-drag-and-drop-npm-1.4.0-75c45f52d3.patch

@@ -1,19 +0,0 @@
-diff --git a/dist/esm/adapter/external-adapter.js b/dist/esm/adapter/external-adapter.js
-index ef7a963d91f08c9e70c8ed9c6b41972bec349319..e682841ec10a4a8a9ce7a79642e58de5c9e664d5 100644
---- a/dist/esm/adapter/external-adapter.js
-+++ b/dist/esm/adapter/external-adapter.js
-@@ -54,9 +54,11 @@ var adapter = makeAdapter({
-       type: 'dragenter',
-       listener: function listener(event) {
-         // drag operation was started within the document, it won't be an "external" drag
--        if (didDragStartLocally) {
--          return;
--        }
-+
-+        // we will handle all events actually
-+        // if (didDragStartLocally) {
-+        //   return;
-+        // }
- 
-         // Note: not checking if event was cancelled (`event.defaultPrevented`) as
-         // cancelling a "dragenter" accepts the drag operation (not prevent it)

.yarn/patches/@nestjs-testing-npm-10.4.15-d591a1705a.patch

@@ -1,36 +0,0 @@
-diff --git a/testing-module.d.ts b/testing-module.d.ts
-index 0b08dfe24534c605f58f2104255eb2a20c3fb566..8fad3ab267decccca2d4d9a8e208ace2cd811e92 100644
---- a/testing-module.d.ts
-+++ b/testing-module.d.ts
-@@ -13,6 +13,7 @@ export declare class TestingModule extends NestApplicationContext {
-     protected readonly graphInspector: GraphInspector;
-     constructor(container: NestContainer, graphInspector: GraphInspector, contextModule: Module, applicationConfig: ApplicationConfig, scope?: Type<any>[]);
-     private isHttpServer;
-+    useCustomApplicationConstructor(Ctor: Type<INestApplication>): void;
-     createNestApplication<T extends INestApplication = INestApplication>(httpAdapter: HttpServer | AbstractHttpAdapter, options?: NestApplicationOptions): T;
-     createNestApplication<T extends INestApplication = INestApplication>(options?: NestApplicationOptions): T;
-     createNestMicroservice<T extends object>(options: NestMicroserviceOptions & T): INestMicroservice;
-diff --git a/testing-module.js b/testing-module.js
-index 17957b409b224bc43c7e40a1071cf08061366063..6bc4e8a694fdec02df91e512131ffd70259d8859 100644
---- a/testing-module.js
-+++ b/testing-module.js
-@@ -15,6 +15,9 @@ class TestingModule extends core_1.NestApplicationContext {
-         this.applicationConfig = applicationConfig;
-         this.graphInspector = graphInspector;
-     }
-+    useCustomApplicationConstructor(Ctor) {
-+        this.applicationConstructor = Ctor;
-+    }
-     isHttpServer(serverOrOptions) {
-         return !!(serverOrOptions && serverOrOptions.patch);
-     }
-@@ -24,7 +27,8 @@ class TestingModule extends core_1.NestApplicationContext {
-             : [this.createHttpAdapter(), serverOrOptions];
-         this.applyLogger(appOptions);
-         this.container.setHttpAdapter(httpAdapter);
--        const instance = new core_1.NestApplication(this.container, httpAdapter, this.applicationConfig, this.graphInspector, appOptions);
-+        const Ctor = this.applicationConstructor || core_1.NestApplication;
-+        const instance = new Ctor(this.container, httpAdapter, this.applicationConfig, this.graphInspector, appOptions);
-         return this.createAdapterProxy(instance, httpAdapter);
-     }
-     createNestMicroservice(options) {

.yarn/patches/decode-named-character-reference-npm-1.0.2-db17a755fd.patch

@@ -1,13 +0,0 @@
-diff --git a/package.json b/package.json
-index 5fef2811aa86f3f1f8228daef7d867863e71db72..b795fbd2a0e1cba0b6389ff051220f4e3c52fc13 100644
---- a/package.json
-+++ b/package.json
-@@ -34,7 +34,7 @@
-       "deno": "./index.js",
-       "react-native": "./index.js",
-       "worker": "./index.js",
--      "browser": "./index.dom.js",
-+      "browser": "./index.js",
-       "default": "./index.js"
-     }
-   },