v0.8.2

(cherry picked from commit 7d6e91f56e)

.commitlintrc.json

@@ -17,11 +17,17 @@
         "cli",
         "hooks",
         "i18n",
+        "jotai",
         "native",
         "templates",
+        "y-indexeddb",
+        "y-provider",
         "debug",
         "storage",
-        "infra"
+        "infra",
+        "plugin-cli",
+        "sdk",
+        "plugin"
       ]
     ]
   }

.devcontainer/Dockerfile

@@ -1,9 +0,0 @@
-FROM mcr.microsoft.com/devcontainers/base:bookworm
-
-# Install Homebrew For Linux
-RUN /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" && \
-    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" && \
-    echo "eval \"\$($(brew --prefix)/bin/brew shellenv)\"" >> /home/vscode/.zshrc && \
-    echo "eval \"\$($(brew --prefix)/bin/brew shellenv)\"" >> /home/vscode/.bashrc && \
-    # Install Graphite
-    brew install withgraphite/tap/graphite && gt --version

.devcontainer/build.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-# This is a script used by the devcontainer to build the project
-
-#Enable yarn
-corepack enable
-corepack prepare yarn@stable --activate
-
-# install dependencies
-yarn install
-
-# Build Server Dependencies
-yarn workspace @affine/server-native build
-
-# Create database
-yarn workspace @affine/server prisma db push
-
-# Create user username: affine, password: affine
-echo "INSERT INTO \"users\"(\"id\",\"name\",\"email\",\"email_verified\",\"created_at\",\"password\") VALUES('99f3ad04-7c9b-441e-a6db-79f73aa64db9','affine','affine@affine.pro','2024-02-26 15:54:16.974','2024-02-26 15:54:16.974+00','\$argon2id\$v=19\$m=19456,t=2,p=1\$esDS3QCHRH0Kmeh87YPm5Q\$9S+jf+xzw2Hicj6nkWltvaaaXX3dQIxAFwCfFa9o38A');" | yarn workspace @affine/server prisma db execute --stdin

.devcontainer/devcontainer.json

@@ -1,26 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json.
-{
-  "name": "Debian",
-  "dockerComposeFile": "docker-compose.yml",
-  "service": "app",
-  "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
-  "features": {
-    "ghcr.io/devcontainers/features/node:1": {
-      "version": "18"
-    },
-    "ghcr.io/devcontainers/features/rust:1": {}
-  },
-  // Configure tool-specific properties.
-  "customizations": {
-    "vscode": {
-      "extensions": [
-        "ms-playwright.playwright",
-        "esbenp.prettier-vscode",
-        "streetsidesoftware.code-spell-checker"
-      ]
-    }
-  },
-  "updateContentCommand": "bash ./.devcontainer/build.sh",
-  "postCreateCommand": "bash ./.devcontainer/setup-user.sh",
-  "postStartCommand": ["yarn dev", "yarn workspace @affine/server dev"]
-}

.devcontainer/docker-compose.yml

@@ -1,26 +0,0 @@
-version: '3.8'
-
-services:
-  app:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    volumes:
-      - ../..:/workspaces:cached
-    command: sleep infinity
-    network_mode: service:db
-    environment:
-      DATABASE_URL: postgresql://affine:affine@db:5432/affine
-
-  db:
-    image: postgres:latest
-    restart: unless-stopped
-    volumes:
-      - postgres-data:/var/lib/postgresql/data
-    environment:
-      POSTGRES_PASSWORD: affine
-      POSTGRES_USER: affine
-      POSTGRES_DB: affine
-
-volumes:
-  postgres-data:

.devcontainer/setup-user.sh

@@ -1,9 +0,0 @@
-set -e
-
-if [ -v GRAPHITE_TOKEN ];then
-    gt auth --token $GRAPHITE_TOKEN
-fi
-
-git fetch origin canary:canary --depth=1
-git branch canary -t origin/canary
-gt init --trunk canary

.env.template

@@ -9,6 +9,3 @@ ENABLE_NEW_SETTING_UNSTABLE_API=
 ENABLE_NOTIFICATION_CENTER=
 ENABLE_CLOUD=
 ENABLE_MOVE_DATABASE=
-SHOULD_REPORT_TRACE=
-TRACE_REPORT_ENDPOINT=
-CAPTCHA_SITE_KEY=

.eslintignore

@@ -7,9 +7,10 @@ affine-out
 _next
 lib
 .eslintrc.js
+packages/i18n/src/i18n-generated.ts
 e2e-dist-*
 static
 web-static
 public
-packages/frontend/i18n/src/i18n-generated.ts
-packages/frontend/templates/*.gen.ts
+packages/sdk/src/*.d.ts
+packages/sdk/src/*.js

.eslintrc.js

@@ -1,4 +1,4 @@
-const { join } = require('node:path');
+const { resolve } = require('node:path');
 
 const createPattern = packageName => [
   {
@@ -32,27 +32,34 @@ const createPattern = packageName => [
     importNames: ['useNavigate'],
   },
   {
-    group: ['@affine/env/constant'],
-    message:
-      'Do not import from @affine/env/constant. Use `environment.isDesktop` instead',
-    importNames: ['isDesktop'],
+    group: ['yjs'],
+    message: 'Do not use this API because it has a bug',
+    importNames: ['mergeUpdates'],
   },
 ];
 
 const allPackages = [
-  'packages/backend/server',
-  'packages/frontend/component',
-  'packages/frontend/core',
-  'packages/frontend/electron',
-  'packages/frontend/graphql',
-  'packages/frontend/i18n',
-  'packages/frontend/native',
-  'packages/frontend/templates',
-  'packages/common/debug',
-  'packages/common/env',
-  'packages/common/infra',
-  'packages/common/theme',
-  'tools/cli',
+  'packages/cli',
+  'packages/component',
+  'packages/debug',
+  'packages/env',
+  'packages/graphql',
+  'packages/hooks',
+  'packages/i18n',
+  'packages/jotai',
+  'packages/native',
+  'packages/infra',
+  'packages/sdk',
+  'packages/templates',
+  'packages/theme',
+  'packages/workspace',
+  'packages/y-indexeddb',
+  'apps/web',
+  'apps/server',
+  'apps/electron',
+  'apps/storybook',
+  'plugins/copilot',
+  'plugins/bookmark-block',
 ];
 
 /**
@@ -65,7 +72,7 @@ const config = {
       version: 'detect',
     },
     next: {
-      rootDir: 'packages/frontend/core',
+      rootDir: 'apps/web',
     },
   },
   extends: [
@@ -85,17 +92,16 @@ const config = {
     },
     ecmaVersion: 'latest',
     sourceType: 'module',
-    project: join(__dirname, 'tsconfig.eslint.json'),
+    project: resolve(__dirname, './tsconfig.eslint.json'),
   },
   plugins: [
     'react',
     '@typescript-eslint',
     'simple-import-sort',
     'sonarjs',
-    'import-x',
+    'i',
     'unused-imports',
     'unicorn',
-    'rxjs',
   ],
   rules: {
     'array-callback-return': 'error',
@@ -105,18 +111,11 @@ const config = {
     'no-cond-assign': 'off',
     'no-constant-binary-expression': 'error',
     'no-constructor-return': 'error',
-    'no-self-compare': 'error',
-    eqeqeq: ['error', 'always', { null: 'ignore' }],
     'react/prop-types': 'off',
-    'react/jsx-no-useless-fragment': 'error',
     '@typescript-eslint/consistent-type-imports': 'error',
     '@typescript-eslint/no-non-null-assertion': 'error',
     '@typescript-eslint/no-explicit-any': 'off',
     '@typescript-eslint/no-empty-function': 'off',
-    '@typescript-eslint/await-thenable': 'error',
-    '@typescript-eslint/require-array-sort-compare': 'error',
-    '@typescript-eslint/unified-signatures': 'error',
-    '@typescript-eslint/prefer-for-of': 'error',
     '@typescript-eslint/no-unused-vars': [
       'error',
       {
@@ -128,7 +127,6 @@ const config = {
     'unused-imports/no-unused-imports': 'error',
     'simple-import-sort/imports': 'error',
     'simple-import-sort/exports': 'error',
-    'import-x/no-duplicates': 'error',
     '@typescript-eslint/ban-ts-comment': [
       'error',
       {
@@ -162,6 +160,11 @@ const config = {
             message: 'Use `useNavigateHelper` instead',
             importNames: ['useNavigate'],
           },
+          {
+            group: ['yjs'],
+            message: 'Do not use this API because it has a bug',
+            importNames: ['mergeUpdates'],
+          },
         ],
       },
     ],
@@ -172,19 +175,6 @@ const config = {
         ignore: ['^\\[[a-zA-Z0-9-_]+\\]\\.tsx$'],
       },
     ],
-    'unicorn/no-unnecessary-await': 'error',
-    'unicorn/no-useless-fallback-in-spread': 'error',
-    'unicorn/prefer-dom-node-dataset': 'error',
-    'unicorn/prefer-dom-node-append': 'error',
-    'unicorn/prefer-dom-node-remove': 'error',
-    'unicorn/prefer-array-some': 'error',
-    'unicorn/prefer-date-now': 'error',
-    'unicorn/prefer-blob-reading-methods': 'error',
-    'unicorn/no-typeof-undefined': 'error',
-    'unicorn/no-useless-promise-resolve-reject': 'error',
-    'unicorn/no-new-array': 'error',
-    'unicorn/new-for-builtins': 'error',
-    'unicorn/prefer-node-protocol': 'error',
     'sonarjs/no-all-duplicated-branches': 'error',
     'sonarjs/no-element-overwrite': 'error',
     'sonarjs/no-empty-collection': 'error',
@@ -201,25 +191,10 @@ const config = {
     'sonarjs/no-collection-size-mischeck': 'error',
     'sonarjs/no-useless-catch': 'error',
     'sonarjs/no-identical-functions': 'error',
-    'rxjs/finnish': [
-      'error',
-      {
-        functions: false,
-        methods: false,
-        strict: true,
-        types: {
-          '^LiveData$': true,
-          // some yjs classes are Observables, but they don't need to be in Finnish notation
-          '^Doc$': false, // yjs Doc
-          '^Awareness$': false, // yjs Awareness
-          '^UndoManager$': false, // yjs UndoManager
-        },
-      },
-    ],
   },
   overrides: [
     {
-      files: 'packages/backend/server/**/*.ts',
+      files: 'apps/server/**/*.ts',
       rules: {
         '@typescript-eslint/consistent-type-imports': 0,
       },
@@ -231,7 +206,10 @@ const config = {
       },
     },
     ...allPackages.map(pkg => ({
-      files: [`${pkg}/src/**/*.ts`, `${pkg}/src/**/*.tsx`, `${pkg}/**/*.mjs`],
+      files: [`${pkg}/src/**/*.ts`, `${pkg}/src/**/*.tsx`],
+      parserOptions: {
+        project: resolve(__dirname, './tsconfig.eslint.json'),
+      },
       rules: {
         '@typescript-eslint/no-restricted-imports': [
           'error',
@@ -247,14 +225,6 @@ const config = {
           },
         ],
         '@typescript-eslint/no-misused-promises': ['error'],
-        '@typescript-eslint/prefer-readonly': 'error',
-        'import-x/no-extraneous-dependencies': ['error'],
-        'react-hooks/exhaustive-deps': [
-          'warn',
-          {
-            additionalHooks: 'useAsyncCallback',
-          },
-        ],
       },
     })),
     {
@@ -281,7 +251,6 @@ const config = {
         ],
         '@typescript-eslint/no-floating-promises': 0,
         '@typescript-eslint/no-misused-promises': 0,
-        '@typescript-eslint/no-restricted-imports': 0,
       },
     },
   ],

.github/CLA.md

@@ -33,6 +33,30 @@ You accept and agree to the following terms and conditions for your past, presen
 
 9. This Agreement will be governed by the laws of Republic of Singapore without reference to conflict of laws principles.
 
-## How To Sign
+## List of Contributors
 
-Visit https://cla-assistant.io/toeverything/AFFiNE and sign it.
+The below-signed are contributors to a code repository that is part of the project named "AFFiNE". Each below-signed contributor has read, understand and agrees to the terms above in the section within this document entitled "AFFiNE Contributor License Agreement" as of the date beside their real name (or entity name) and GitHub account name.
+
+---
+
+<!--
+Example:
+
+- Dark Sky, @darkskygit, 2022/07/22
+-->
+
+- Dark Sky, @darkskygit, 2022/07/22
+- Lin Onetwo, @linonetwo, 2022/02/14
+- zqran, @zqran, 2023/02/17
+- Alessio Gravili, @AlessioGr, 2023/03/04
+- Victor Nanka, @victornanka, 2023/03/09
+- Aditya Sharma, @adityash1, 2023/03/21
+- Fangdun Tsai, @fundon, 2023/03/21
+- Zhilin Liu, @lzlme, 2023/04/09
+- Skye Sun, @skyesun, 2023/04/14
+- Jordy Delgado, @Jdelgad8, 2023/04/17
+- Howard Do, @howarddo2208, 2023/04/20
+- 三咲智子 Kevin Deng, @sxzz, 2023/04/21
+- Moeyua, @moeyua, 2023/04/22
+- Shishu, @shishudesu, 2023/05/19
+- Kushagra Singh, @kush002, 2023/06/28

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -7,8 +7,6 @@ body:
     attributes:
       value: |
         Thanks for taking the time to fill out this bug report!
-        Check out this [link](https://github.com/toeverything/AFFiNE/blob/canary/docs/issue-triaging.md)
-        to learn how we manage issues and when your issue will be processed.
   - type: textarea
     id: what-happened
     attributes:
@@ -28,8 +26,8 @@ body:
         - Windows x64
         - Linux
         - Web (app.affine.pro)
-        - Web (affine.fail)
-        - Web (insider.affine.pro)
+        - Web (stage.affine.pro)
+        - Web (dev.affine.live)
     validations:
       required: true
   - type: dropdown
@@ -43,14 +41,6 @@ body:
         - Firefox
         - Safari
         - Other
-  - type: checkboxes
-    id: selfhost
-    attributes:
-      label: Are you self-hosting?
-      description: >
-        If you are self-hosting, please check the box and provide information about your setup.
-      options:
-        - label: 'Yes'
   - type: textarea
     id: logs
     attributes:
@@ -63,3 +53,11 @@ body:
       description: |
         Links? References? Anything that will give us more context about the issue you are encountering!
         Tip: You can attach images here
+  - type: checkboxes
+    attributes:
+      label: Are you willing to submit a PR?
+      description: >
+        (Optional) We encourage you to submit a [Pull Request](https://github.com/toeverything/affine/pulls) (PR) to help improve AFFiNE for everyone, especially if you have a good understanding of how to implement a fix or feature.
+        See the AFFiNE [Contributing Guide](https://github.com/toeverything/affine/blob/master/CONTRIBUTING.md) to get started.
+      options:
+        - label: Yes I'd like to help by submitting a PR!

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -31,6 +31,6 @@ body:
       label: Are you willing to submit a PR?
       description: >
         (Optional) We encourage you to submit a [Pull Request](https://github.com/toeverything/affine/pulls) (PR) to help improve AFFiNE for everyone, especially if you have a good understanding of how to implement a fix or feature.
-        See the AFFiNE [Contributing Guide](https://github.com/toeverything/affine/blob/canary/CONTRIBUTING.md) to get started.
+        See the AFFiNE [Contributing Guide](https://github.com/toeverything/affine/blob/master/CONTRIBUTING.md) to get started.
       options:
         - label: Yes I'd like to help by submitting a PR!

.github/actions/build-rust/action.yml

@@ -4,9 +4,6 @@ inputs:
   target:
     description: 'Cargo target'
     required: true
-  package:
-    description: 'Package to build'
-    required: true
   nx_token:
     description: 'Nx Cloud access token'
     required: false
@@ -14,42 +11,50 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Print rustup toolchain version
-      shell: bash
-      id: rustup-version
-      run: |
-        export RUST_TOOLCHAIN_VERSION="$(grep 'channel' rust-toolchain.toml | head -1 | awk -F '"' '{print $2}')"
-        echo "Rust toolchain version: $RUST_TOOLCHAIN_VERSION"
-        echo "RUST_TOOLCHAIN_VERSION=$RUST_TOOLCHAIN_VERSION" >> "$GITHUB_OUTPUT"
     - name: Setup Rust
       uses: dtolnay/rust-toolchain@stable
       with:
-        toolchain: '${{ steps.rustup-version.outputs.RUST_TOOLCHAIN_VERSION }}'
+        toolchain: stable
         targets: ${{ inputs.target }}
-      env:
-        CARGO_INCREMENTAL: '1'
-
-    - name: Set CC
-      if: ${{ contains(inputs.target, 'linux') && inputs.package != '@affine/native' }}
-      shell: bash
-      run: |
-        echo "CC=clang" >> "$GITHUB_ENV"
-        echo "TARGET_CC=clang" >> "$GITHUB_ENV"
 
     - name: Cache cargo
-      uses: actions/cache@v4
+      uses: actions/cache@v3
       with:
         path: |
           ~/.cargo/registry/index/
           ~/.cargo/registry/cache/
           ~/.cargo/git/db/
-          ~/.napi-rs
+          .cargo-cache
           target/${{ inputs.target }}
         key: stable-${{ inputs.target }}-cargo-cache
     - name: Build
+      if: ${{ inputs.target != 'x86_64-unknown-linux-gnu' && inputs.target != 'aarch64-unknown-linux-gnu' }}
       shell: bash
       run: |
-        yarn workspace ${{ inputs.package }} nx build ${{ inputs.package }} -- --target ${{ inputs.target }} --use-napi-cross
+        yarn nx build @affine/native --target ${{ inputs.target }}
       env:
         NX_CLOUD_ACCESS_TOKEN: ${{ inputs.nx_token }}
-        DEBUG: 'napi:*'
+
+    - name: Build
+      if: ${{ inputs.target == 'x86_64-unknown-linux-gnu' }}
+      uses: addnab/docker-run-action@v3
+      with:
+        image: ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-debian
+        options: --user 0:0 -v ${{ github.workspace }}/.cargo-cache/git/db:/usr/local/cargo/git/db -v ${{ github.workspace }}/.cargo/registry/cache:/usr/local/cargo/registry/cache -v ${{ github.workspace }}/.cargo/registry/index:/usr/local/cargo/registry/index -v ${{ github.workspace }}:/build -w /build -e NX_CLOUD_ACCESS_TOKEN=${{ inputs.nx_token }}
+        run: |
+          export CC=x86_64-unknown-linux-gnu-gcc
+          export CC_x86_64_unknown_linux_gnu=x86_64-unknown-linux-gnu-gcc
+          yarn nx build @affine/native --target ${{ inputs.target }}
+          chmod -R 777 node_modules/.cache
+          chmod -R 777 target
+
+    - name: Build
+      if: ${{ inputs.target == 'aarch64-unknown-linux-gnu' }}
+      uses: addnab/docker-run-action@v3
+      with:
+        image: ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-debian-aarch64
+        options: --user 0:0 -v ${{ github.workspace }}/.cargo-cache/git/db:/usr/local/cargo/git/db -v ${{ github.workspace }}/.cargo/registry/cache:/usr/local/cargo/registry/cache -v ${{ github.workspace }}/.cargo/registry/index:/usr/local/cargo/registry/index -v ${{ github.workspace }}:/build -w /build -e NX_CLOUD_ACCESS_TOKEN=${{ inputs.nx_token }}
+        run: |
+          yarn nx build @affine/native --target ${{ inputs.target }}
+          chmod -R 777 node_modules/.cache
+          chmod -R 777 target

.github/actions/deploy/action.yml

@@ -1,50 +0,0 @@
-name: 'Deploy to Cluster'
-description: 'Deploy AFFiNE Cloud to cluster'
-inputs:
-  build-type:
-    description: 'Align with App build type, canary|beta|stable|internal'
-    default: 'canary'
-  gcp-project-number:
-    description: 'GCP project number'
-    required: true
-  gcp-project-id:
-    description: 'GCP project id'
-    required: true
-  service-account:
-    description: 'Service account'
-  cluster-name:
-    description: 'Cluster name'
-  cluster-location:
-    description: 'Cluster location'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Setup Git short hash
-      shell: bash
-      run: |
-        echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-    - uses: azure/setup-helm@v4
-    - id: auth
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: 'projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
-        service_account: '${{ inputs.service-account }}'
-        token_format: 'access_token'
-        project_id: '${{ inputs.gcp-project-id }}'
-
-    - name: 'Setup gcloud cli'
-      uses: 'google-github-actions/setup-gcloud@v2'
-      with:
-        install_components: 'gke-gcloud-auth-plugin'
-
-    - id: get-gke-credentials
-      shell: bash
-      run: |
-        gcloud container clusters get-credentials ${{ inputs.cluster-name }} --region ${{ inputs.cluster-location }} --project ${{ inputs.gcp-project-id }}
-
-    - name: Deploy
-      shell: bash
-      run: node ./.github/actions/deploy/deploy.mjs
-      env:
-        BUILD_TYPE: '${{ inputs.build-type }}'

.github/actions/deploy/deploy.mjs

@@ -1,145 +0,0 @@
-import { execSync } from 'node:child_process';
-
-const {
-  APP_VERSION,
-  BUILD_TYPE,
-  DEPLOY_HOST,
-  CANARY_DEPLOY_HOST,
-  GIT_SHORT_HASH,
-  DATABASE_URL,
-  DATABASE_USERNAME,
-  DATABASE_PASSWORD,
-  DATABASE_NAME,
-  R2_ACCOUNT_ID,
-  R2_ACCESS_KEY_ID,
-  R2_SECRET_ACCESS_KEY,
-  CAPTCHA_TURNSTILE_SECRET,
-  COPILOT_OPENAI_API_KEY,
-  COPILOT_FAL_API_KEY,
-  COPILOT_UNSPLASH_API_KEY,
-  MAILER_SENDER,
-  MAILER_USER,
-  MAILER_PASSWORD,
-  AFFINE_GOOGLE_CLIENT_ID,
-  AFFINE_GOOGLE_CLIENT_SECRET,
-  CLOUD_SQL_IAM_ACCOUNT,
-  GCLOUD_CONNECTION_NAME,
-  GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT,
-  REDIS_HOST,
-  REDIS_PASSWORD,
-  STRIPE_API_KEY,
-  STRIPE_WEBHOOK_KEY,
-  STATIC_IP_NAME,
-} = process.env;
-
-// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-const buildType = BUILD_TYPE || 'canary';
-
-const isProduction = buildType === 'stable';
-const isBeta = buildType === 'beta';
-const isInternal = buildType === 'internal';
-
-const createHelmCommand = ({ isDryRun }) => {
-  const flag = isDryRun ? '--dry-run' : '--atomic';
-  const imageTag = `${buildType}-${GIT_SHORT_HASH}`;
-  const redisAndPostgres =
-    isProduction || isBeta || isInternal
-      ? [
-          `--set-string global.database.url=${DATABASE_URL}`,
-          `--set-string global.database.user=${DATABASE_USERNAME}`,
-          `--set-string global.database.password=${DATABASE_PASSWORD}`,
-          `--set-string global.database.name=${DATABASE_NAME}`,
-          `--set        global.database.gcloud.enabled=true`,
-          `--set-string global.database.gcloud.connectionName="${GCLOUD_CONNECTION_NAME}"`,
-          `--set-string global.database.gcloud.cloudSqlInternal="${GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT}"`,
-          `--set-string global.redis.host="${REDIS_HOST}"`,
-          `--set-string global.redis.password="${REDIS_PASSWORD}"`,
-        ]
-      : [];
-  const serviceAnnotations =
-    isProduction || isBeta || isInternal
-      ? [
-          `--set-json   web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
-          `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
-        ]
-      : [];
-  const webReplicaCount = isProduction ? 3 : isBeta ? 2 : 2;
-  const graphqlReplicaCount = isProduction
-    ? Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 3
-    : isBeta
-      ? Number(process.env.isBeta_GRAPHQL_REPLICA) || 2
-      : 2;
-  const syncReplicaCount = isProduction
-    ? Number(process.env.PRODUCTION_SYNC_REPLICA) || 3
-    : isBeta
-      ? Number(process.env.BETA_SYNC_REPLICA) || 2
-      : 2;
-  const namespace = isProduction
-    ? 'production'
-    : isBeta
-      ? 'beta'
-      : isInternal
-        ? 'internal'
-        : 'dev';
-  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-  const host = DEPLOY_HOST || CANARY_DEPLOY_HOST;
-  const deployCommand = [
-    `helm upgrade --install affine .github/helm/affine`,
-    `--namespace  ${namespace}`,
-    `--set        global.ingress.enabled=true`,
-    `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
-    `--set-string global.ingress.host="${host}"`,
-    `--set-string global.version="${APP_VERSION}"`,
-    ...redisAndPostgres,
-    `--set        web.replicaCount=${webReplicaCount}`,
-    `--set-string web.image.tag="${imageTag}"`,
-    `--set        graphql.replicaCount=${graphqlReplicaCount}`,
-    `--set-string graphql.image.tag="${imageTag}"`,
-    `--set        graphql.app.host=${host}`,
-    `--set        graphql.app.captcha.enabled=true`,
-    `--set-string graphql.app.captcha.turnstile.secret="${CAPTCHA_TURNSTILE_SECRET}"`,
-    `--set        graphql.app.copilot.enabled=true`,
-    `--set-string graphql.app.copilot.openai.key="${COPILOT_OPENAI_API_KEY}"`,
-    `--set-string graphql.app.copilot.fal.key="${COPILOT_FAL_API_KEY}"`,
-    `--set-string graphql.app.copilot.unsplash.key="${COPILOT_UNSPLASH_API_KEY}"`,
-    `--set        graphql.app.objectStorage.r2.enabled=true`,
-    `--set-string graphql.app.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
-    `--set-string graphql.app.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
-    `--set-string graphql.app.objectStorage.r2.secretAccessKey="${R2_SECRET_ACCESS_KEY}"`,
-    `--set-string graphql.app.mailer.sender="${MAILER_SENDER}"`,
-    `--set-string graphql.app.mailer.user="${MAILER_USER}"`,
-    `--set-string graphql.app.mailer.password="${MAILER_PASSWORD}"`,
-    `--set-string graphql.app.oauth.google.enabled=true`,
-    `--set-string graphql.app.oauth.google.clientId="${AFFINE_GOOGLE_CLIENT_ID}"`,
-    `--set-string graphql.app.oauth.google.clientSecret="${AFFINE_GOOGLE_CLIENT_SECRET}"`,
-    `--set-string graphql.app.payment.stripe.apiKey="${STRIPE_API_KEY}"`,
-    `--set-string graphql.app.payment.stripe.webhookKey="${STRIPE_WEBHOOK_KEY}"`,
-    `--set        graphql.app.experimental.enableJwstCodec=${namespace === 'dev'}`,
-    `--set        graphql.app.features.earlyAccessPreview=false`,
-    `--set        graphql.app.features.syncClientVersionCheck=true`,
-    `--set        sync.replicaCount=${syncReplicaCount}`,
-    `--set-string sync.image.tag="${imageTag}"`,
-    ...serviceAnnotations,
-    `--timeout 10m`,
-    flag,
-  ].join(' ');
-  return deployCommand;
-};
-
-const output = execSync(createHelmCommand({ isDryRun: true }), {
-  encoding: 'utf-8',
-  stdio: ['inherit', 'pipe', 'inherit'],
-});
-const templates = output
-  .split('---')
-  .filter(yml => !yml.split('\n').some(line => line.trim() === 'kind: Secret'))
-  .join('---');
-console.log(templates);
-
-execSync(createHelmCommand({ isDryRun: false }), {
-  encoding: 'utf-8',
-  stdio: 'inherit',
-});

.github/actions/download-web/action.yml

@@ -1,22 +0,0 @@
-name: 'Download core artifacts'
-description: 'Download core artifacts and extract to dist'
-inputs:
-  path:
-    description: 'Path to extract'
-    required: true
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Download tar.gz
-      uses: actions/download-artifact@v4
-      with:
-        name: web
-        path: .
-
-    - name: Extract core artifacts
-      shell: bash
-      run: |
-        mkdir -p ${{ inputs.path }}
-        tar -xvf dist.tar.gz --directory ${{ inputs.path }}
-        rm dist.tar.gz

.github/actions/setup-maker/action.yml

@@ -0,0 +1,16 @@
+name: Setup maker
+description: 'Setup maker dmg for electron'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Install @electron-forge/maker-dmg'
+      if: runner.os == 'macos'
+      shell: bash
+      working-directory: ./apps/electron
+      run: yarn add @electron-forge/maker-dmg --dev
+      env:
+        HUSKY: '0'
+        PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
+        ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
+        SENTRYCLI_SKIP_DOWNLOAD: '1'

.github/actions/setup-node/action.yml

@@ -21,106 +21,43 @@ inputs:
     description: 'set nmMode to hardlinks-local in .yarnrc.yml'
     required: false
     default: 'true'
-  nmHoistingLimits:
-    description: 'Set nmHoistingLimits in .yarnrc.yml'
-    required: false
-  enableScripts:
-    description: 'Set enableScripts in .yarnrc.yml'
-    required: false
-    default: 'true'
-  full-cache:
-    description: 'Full installation cache'
-    required: false
 
 runs:
   using: 'composite'
   steps:
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v3
       with:
         node-version-file: '.nvmrc'
         registry-url: https://npm.pkg.github.com
         scope: '@toeverything'
+        cache: 'yarn'
 
     - name: Set nmMode
-      if: ${{ inputs.hard-link-nm == 'false' }}
+      if: ${{ inputs.hard-link-nm == 'true' }}
       shell: bash
-      run: yarn config set nmMode classic
-
-    - name: Set nmHoistingLimits
-      if: ${{ inputs.nmHoistingLimits }}
-      shell: bash
-      run: yarn config set nmHoistingLimits ${{ inputs.nmHoistingLimits }}
-
-    - name: Set enableScripts
-      if: ${{ inputs.enableScripts == 'false' }}
-      shell: bash
-      run: yarn config set enableScripts false
-
-    - name: Set yarn global cache path
-      shell: bash
-      id: yarn-cache
-      run: node -e "const p = $(yarn config cacheFolder --json).effective; console.log('yarn_global_cache=' + p)" >> $GITHUB_OUTPUT
-
-    - name: Cache non-full yarn cache on Linux
-      uses: actions/cache@v4
-      if: ${{ inputs.full-cache != 'true' && runner.os == 'Linux' }}
-      with:
-        path: |
-          node_modules
-          ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
-
-    # The network performance on macOS is very poor
-    # and the decompression performance on Windows is very terrible
-    # so we reduce the number of cached files on non-Linux systems by remove node_modules from cache path.
-    - name: Cache non-full yarn cache on non-Linux
-      uses: actions/cache@v4
-      if: ${{ inputs.full-cache != 'true' && runner.os != 'Linux' }}
-      with:
-        path: |
-          ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
-
-    - name: Cache full yarn cache on Linux
-      uses: actions/cache@v4
-      if: ${{ inputs.full-cache == 'true' && runner.os == 'Linux' }}
-      with:
-        path: |
-          node_modules
-          ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}
-
-    - name: Cache full yarn cache on non-Linux
-      uses: actions/cache@v4
-      if: ${{ inputs.full-cache == 'true' && runner.os != 'Linux' }}
-      with:
-        path: |
-          ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}
+      run: yarn config set nmMode hardlinks-local
 
     - name: yarn install
       if: ${{ inputs.package-install == 'true' }}
       continue-on-error: true
       shell: bash
-      run: yarn ${{ inputs.extra-flags }}
+      run: yarn install ${{ inputs.extra-flags }}
       env:
         HUSKY: '0'
         PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
         ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
         SENTRYCLI_SKIP_DOWNLOAD: '1'
-        DEBUG: '*'
 
     - name: yarn install (try again)
       if: ${{ steps.install.outcome == 'failure' }}
       shell: bash
-      run: yarn ${{ inputs.extra-flags }}
+      run: yarn install ${{ inputs.extra-flags }}
       env:
         HUSKY: '0'
         PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
         ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
         SENTRYCLI_SKIP_DOWNLOAD: '1'
-        DEBUG: '*'
 
     - name: Get installed Playwright version
       id: playwright-version
@@ -134,11 +71,11 @@ runs:
       # Note: Playwright's cache directory is hard coded because that's what it
       # says to do in the docs. There doesn't appear to be a command that prints
       # it out for us.
-    - uses: actions/cache@v4
+    - uses: actions/cache@v3
       id: playwright-cache
       if: ${{ inputs.playwright-install == 'true' }}
       with:
-        path: ${{ github.workspace }}/node_modules/.cache/ms-playwright
+        path: '~/.cache/ms-playwright'
         key: '${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}'
         # As a fallback, if the Playwright version has changed, try use the
         # most recently cached version. There's a good chance that at least one
@@ -152,13 +89,11 @@ runs:
           ${{ runner.os }}-playwright-
 
     # If the Playwright browser binaries weren't able to be restored, we tell
-    # playwright to install everything for us.
+    # paywright to install everything for us.
     - name: Install Playwright's dependencies
       shell: bash
-      if: inputs.playwright-install == 'true'
-      run: yarn playwright install --with-deps chromium
-      env:
-        PLAYWRIGHT_BROWSERS_PATH: ${{ github.workspace }}/node_modules/.cache/ms-playwright
+      if: inputs.playwright-install == 'true' && steps.playwright-cache.outputs.cache-hit != 'true'
+      run: yarn playwright install --with-deps
 
     - name: Get installed Electron version
       id: electron-version
@@ -167,7 +102,7 @@ runs:
       run: |
         echo "version=$(yarn why --json electron | grep -h 'workspace:.' | jq --raw-output '.children[].locator' | sed -e 's/@playwright\/test@.*://' | head -n 1)" >> $GITHUB_OUTPUT
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@v3
       id: electron-cache
       if: ${{ inputs.electron-install == 'true' }}
       with:
@@ -179,6 +114,14 @@ runs:
     - name: Install Electron binary
       shell: bash
       if: inputs.electron-install == 'true'
-      run: node ./node_modules/electron/install.js
+      run: node apps/electron/node_modules/electron/install.js
       env:
-        electron_config_cache: ./node_modules/.cache/electron
+        ELECTRON_OVERRIDE_DIST_PATH: ./node_modules/.cache/electron
+
+    - name: Build Infra
+      shell: bash
+      run: yarn run build:infra
+
+    - name: Build Plugins
+      shell: bash
+      run: yarn run build:plugins

.github/actions/setup-rust/action.yml

@@ -0,0 +1,31 @@
+name: 'AFFiNE Rust setup'
+description: 'Rust setup, including cache configuration'
+inputs:
+  target:
+    description: 'Cargo target'
+    required: true
+  toolchain:
+    description: 'Rustup toolchain'
+    required: false
+    default: 'stable'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Rust
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: ${{ inputs.toolchain }}
+        targets: ${{ inputs.target }}
+
+    - name: Cache cargo
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.cargo/registry/index/
+          ~/.cargo/registry/cache/
+          ~/.cargo/git/db/
+          target/
+        key: cargo-cache-${{ runner.os }}-${{ inputs.toolchain }}-${{ hashFiles('**/Cargo.lock') }}
+        restore-keys: |
+          cargo-cache-${{ runner.os }}-${{ inputs.toolchain }}-

.github/actions/setup-version/action.yml

@@ -1,24 +0,0 @@
-name: Setup Version
-description: 'Setup Version'
-outputs:
-  APP_VERSION:
-    description: 'App Version'
-    value: ${{ steps.version.outputs.APP_VERSION }}
-runs:
-  using: 'composite'
-  steps:
-    - name: 'Write Version'
-      id: version
-      shell: bash
-      run: |
-        if [ "${{ github.ref_type }}" == "tag" ]; then
-          APP_VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
-        else
-          PACKAGE_VERSION=$(node -p "require('./package.json').version")
-          TIME_VERSION=$(date +%Y%m%d%H%M)
-          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
-          APP_VERSION=$PACKAGE_VERSION-nightly-$TIME_VERSION-$GIT_SHORT_HASH
-        fi
-        echo $APP_VERSION
-        echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
-        ./scripts/set-version.sh $APP_VERSION

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    versioning-strategy: increase
+    commit-message:
+      prefix: 'chore'

.github/deployment/front/Dockerfile

@@ -1,6 +1,6 @@
-FROM openresty/openresty:1.25.3.1-0-buster
+FROM openresty/openresty:1.21.4.1-0-buster
 WORKDIR /app
-COPY ./packages/frontend/web/dist ./dist
+COPY ./apps/core/dist ./dist
 COPY ./.github/deployment/front/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
 COPY ./.github/deployment/front/affine.nginx.conf /etc/nginx/conf.d/affine.nginx.conf
 

.github/deployment/front/affine.nginx.conf

@@ -3,7 +3,7 @@ server {
     root /app/dist;
 
     location / {
-        try_files $uri $uri/ /index.html;
+        try_files $uri $uri/index.html $uri.html =404;
     }
 
     error_page 404 /404.html;

.github/deployment/node/Dockerfile

@@ -1,11 +1,10 @@
-FROM node:20-bookworm-slim
+FROM node:18-bookworm-slim
 
-COPY ./packages/backend/server /app
-COPY ./packages/frontend/web/dist /app/static
+COPY ./apps/server /app
 WORKDIR /app
 
 RUN apt-get update && \
   apt-get install -y --no-install-recommends openssl && \
   rm -rf /var/lib/apt/lists/*
 
-CMD ["node", "--import", "./scripts/register.js", "./dist/index.js"]
+CMD ["node", "--es-module-specifier-resolution=node", "./dist/index.js"]

.github/deployment/self-host/compose.yaml

@@ -1,62 +0,0 @@
-services:
-  affine:
-    image: ghcr.io/toeverything/affine-graphql:stable
-    container_name: affine_selfhosted
-    command:
-      ['sh', '-c', 'node ./scripts/self-host-predeploy && node ./dist/index.js']
-    ports:
-      - '3010:3010'
-      - '5555:5555'
-    depends_on:
-      redis:
-        condition: service_healthy
-      postgres:
-        condition: service_healthy
-    volumes:
-      # custom configurations
-      - ~/.affine/self-host/config:/root/.affine/config
-      # blob storage
-      - ~/.affine/self-host/storage:/root/.affine/storage
-    logging:
-      driver: 'json-file'
-      options:
-        max-size: '1000m'
-    restart: unless-stopped
-    environment:
-      - NODE_OPTIONS="--import=./scripts/register.js"
-      - AFFINE_CONFIG_PATH=/root/.affine/config
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgres://affine:affine@postgres:5432/affine
-      - NODE_ENV=production
-      - AFFINE_ADMIN_EMAIL=${AFFINE_ADMIN_EMAIL}
-      - AFFINE_ADMIN_PASSWORD=${AFFINE_ADMIN_PASSWORD}
-      # Telemetry allows us to collect data on how you use the affine. This data will helps us improve the app and provide better features.
-      # Uncomment next line if you wish to quit telemetry.
-      # - TELEMETRY_ENABLE=false
-  redis:
-    image: redis
-    container_name: affine_redis
-    restart: unless-stopped
-    volumes:
-      - ~/.affine/self-host/redis:/data
-    healthcheck:
-      test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping']
-      interval: 10s
-      timeout: 5s
-      retries: 5
-  postgres:
-    image: postgres
-    container_name: affine_postgres
-    restart: unless-stopped
-    volumes:
-      - ~/.affine/self-host/postgres:/var/lib/postgresql/data
-    healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U affine']
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    environment:
-      POSTGRES_USER: affine
-      POSTGRES_PASSWORD: affine
-      POSTGRES_DB: affine
-      PGDATA: /var/lib/postgresql/data/pgdata

.github/helm/affine-cloud/.gitignore

@@ -0,0 +1 @@
+charts/

.github/helm/affine-cloud/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

.github/helm/affine-cloud/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 12.5.8
+digest: sha256:c91c0dc1370e879538dc9d6e435e731a726ef99d6a3b081372318483792b48a7
+generated: "2023-06-27T18:34:12.683806+08:00"

.github/helm/affine-cloud/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: affine-cloud
+description: A Helm chart for AFFiNE Cloud
+
+type: application
+version: 0.6.1
+appVersion: '0.6.1'
+
+dependencies:
+  - name: postgresql
+    version: 12.5.8
+    repository: https://charts.bitnami.com/bitnami

.github/helm/affine-cloud/readme.md

@@ -0,0 +1,30 @@
+# Helm Chart Configuration
+
+The following table lists the configurable parameters of this Helm chart and their default values.
+
+## AFFiNE Cloud Server parameters
+
+| Parameter                      | Description                                        | Default            |
+| ------------------------------ | -------------------------------------------------- | ------------------ |
+| `affineCloud.tag`              | The Docker tag of the AffineCloud image to be used | `'nightly-latest'` |
+| `affineCloud.resources.cpu`    | The CPU resources allocated for AffineCloud        | `'250m'`           |
+| `affineCloud.resources.memory` | The memory resources allocated for AffineCloud     | `'0.5Gi'`          |
+| `affineCloud.signKey`          | The key used to sign the JWT tokens                | `'c2VjcmV0'`       |
+| `affineCloud.service.type`     | The type of the Kubernetes service                 | `'ClusterIP'`      |
+| `affineCloud.service.port`     | The port of the Kubernetes service                 | `'http'`           |
+| `affineCloud.mail.account`     | The email account used to send emails              | `''`               |
+| `affineCloud.mail.password`    | The password of the email account                  | `''`               |
+
+## PostgreSQL parameters
+
+| Parameter                                    | Description                                                                           | Default      |
+| -------------------------------------------- | ------------------------------------------------------------------------------------- | ------------ |
+| `postgresql.auth.username`                   | Username for the PostgreSQL database                                                  | `'affine'`   |
+| `postgresql.auth.password`                   | Password for the PostgreSQL database. Please change this for production environments. | `'password'` |
+| `postgresql.auth.database`                   | The name of the default database that will be created on image startup                | `'affine'`   |
+| `postgresql.primary.resources.limits.cpu`    | The CPU resources allocated for the PostgreSQL primary node                           | `'500m'`     |
+| `postgresql.primary.resources.limits.memory` | The memory resources allocated for the PostgreSQL primary node                        | `'0.5Gi'`    |
+
+For more postgres parameters, please refer to: https://artifacthub.io/packages/helm/bitnami/postgresql
+
+Please note that for the `postgresql.auth.password`, you should provide your own password for production environments. The default value is provided only for demonstration purposes.

.github/helm/affine-cloud/templates/_helper.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "affine-cloud.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "affine-cloud.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "affine-cloud.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "affine-cloud.labels" -}}
+helm.sh/chart: {{ include "affine-cloud.chart" . }}
+{{ include "affine-cloud.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "affine-cloud.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "affine-cloud.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

.github/helm/affine-cloud/templates/deployment.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ include "affine-cloud.fullname" . }}"
+  labels:
+    {{- include "affine-cloud.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "affine-cloud.selectorLabels" . | nindent 6 }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 2
+  template:
+    metadata:
+      labels:
+        {{- include "affine-cloud.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: Always
+      containers:
+      - name: affine-cloud
+        image: "ghcr.io/toeverything/cloud-self-hosted:{{ .Values.affineCloud.tag | default .Chart.AppVersion }}"
+        env:
+        - name: PG_USER
+          value: "{{ .Values.postgresql.auth.username }}"
+        - name: PG_PASS
+          value: "{{ .Values.postgresql.auth.password }}"
+        - name: PG_DATABASE
+          value: "{{ .Values.postgresql.auth.database }}"
+        - name: PG_HOST
+          value: "{{ .Values.postgresql.fullnameOverride | default (printf "%s-postgresql" .Release.Name) }}"
+        - name: DATABASE_URL
+          value: "{{ .Values.affineCloud.databaseUrl | default "postgresql://$(PG_USER):$(PG_PASS)@$(PG_HOST)/$(PG_DATABASE)" }}"
+        envFrom:
+        - secretRef:
+            name: affine-cloud-secret
+        ports:
+        - containerPort: 3000
+        livenessProbe:
+          httpGet:
+            path: /api/healthz
+            port: 3000
+          failureThreshold: 1
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: "{{ .Values.affineCloud.resources.cpu }}"
+            memory: "{{ .Values.affineCloud.resources.memory }}"

.github/helm/affine-cloud/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: affine-cloud-secret
+type: Opaque
+data:
+  SIGN_KEY: "{{ .Values.affineCloud.signKey }}"
+  MAIL_ACCOUNT: "{{ .Values.affineCloud.mail.account }}"
+  MAIL_PASSWORD: "{{ .Values.affineCloud.mail.password }}"

.github/helm/affine-cloud/templates/services.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ include "affine-cloud.fullname" . }}"
+  labels:
+    {{- include "affine-cloud.labels" . | nindent 4 }}
+spec:
+  type: "{{ .Values.affineCloud.service.type }}"
+  ports:
+    - name: http
+      protocol: TCP
+      port: {{ .Values.affineCloud.service.port }}
+      targetPort: 3000
+  selector:
+    {{- include "affine-cloud.selectorLabels" . | nindent 4 }}

.github/helm/affine-cloud/values.yaml

@@ -0,0 +1,30 @@
+affineCloud:
+  tag: 'canary-5e0d5e0cc65ea46f326fdde12658bfac59b38c9f-0949'
+  # databaseUrl: 'postgresql://affine:password@affine-cloud-postgresql:5432/affine'
+  signKey: TUFtdFdzQTJhdGJuem01TA==
+  mail:
+    account: ''
+    password: ''
+  service:
+    type: ClusterIP
+    port: 80
+  resources:
+    cpu: '250m'
+    memory: 0.5Gi
+postgresql:
+  fullnameOverride: tcp-postgresql
+  auth:
+    # only for demo, please modify it at prod env
+    username: affine
+    password: password
+    database: affine
+  primary:
+    initdb:
+      scripts:
+        01-init.sql: |
+          CREATE DATABASE affine_binary;
+          GRANT ALL PRIVILEGES ON DATABASE affine_binary TO affine;
+    resources:
+      limits:
+        cpu: '500m'
+        memory: 0.5Gi

.github/helm/affine/Chart.yaml

@@ -3,4 +3,4 @@ name: affine
 description: AFFiNE cloud chart
 type: application
 version: 0.0.0
-appVersion: "0.14.0"
+appVersion: '0.7.0-canary.18'

.github/helm/affine/charts/gcloud-sql-proxy/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

.github/helm/affine/charts/gcloud-sql-proxy/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: cloud-sql-proxy
-description: Google Cloud SQL Proxy
-type: application
-version: 0.0.0
-appVersion: "2.8.1"

.github/helm/affine/charts/gcloud-sql-proxy/templates/NOTES.txt

@@ -1,18 +0,0 @@
-{{- if .Values.global.database.gcloud.enabled -}}
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gcloud-sql-proxy.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gcloud-sql-proxy.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gcloud-sql-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gcloud-sql-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}
-{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/_helpers.tpl

@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "gcloud-sql-proxy.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "gcloud-sql-proxy.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "gcloud-sql-proxy.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "gcloud-sql-proxy.labels" -}}
-helm.sh/chart: {{ include "gcloud-sql-proxy.chart" . }}
-{{ include "gcloud-sql-proxy.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "gcloud-sql-proxy.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "gcloud-sql-proxy.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "gcloud-sql-proxy.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "gcloud-sql-proxy.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/deployment.yaml

@@ -1,132 +0,0 @@
-{{- if .Values.global.database.gcloud.enabled -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "gcloud-sql-proxy.fullname" . }}
-  labels:
-    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "gcloud-sql-proxy.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "gcloud-sql-proxy.labels" . | nindent 8 }}
-	{{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "gcloud-sql-proxy.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          terminationMessagePath: /dev/termination-log
-          terminationMessagePolicy: File
-          image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          args:
-            - "--address"
-            - "0.0.0.0"
-            - "--structured-logs"
-            - "--auto-iam-authn"
-            - "{{ .Values.global.database.gcloud.connectionName }}"
-          env:
-            # Enable HTTP healthchecks on port 9801. This enables /liveness,
-            # /readiness and /startup health check endpoints. Allow connections
-            # listen for connections on any interface (0.0.0.0) so that the
-            # k8s management components can reach these endpoints.
-            - name: CSQL_PROXY_HEALTH_CHECK
-              value: "true"
-            - name: CSQL_PROXY_HTTP_PORT
-              value: "9801"
-            - name: CSQL_PROXY_HTTP_ADDRESS
-              value: 0.0.0.0
-          ports:
-            - name: cloud-sql-proxy
-              containerPort: {{ .Values.global.database.gcloud.proxyPort }}
-              protocol: TCP
-            - containerPort: 9801
-              protocol: TCP
-          # The /startup probe returns OK when the proxy is ready to receive
-          # connections from the application. In this example, k8s will check
-          # once a second for 60 seconds.
-          startupProbe:
-            failureThreshold: 60
-            httpGet:
-              path: /startup
-              port: 9801
-              scheme: HTTP
-            periodSeconds: 1
-            successThreshold: 1
-            timeoutSeconds: 10
-          # The /liveness probe returns OK as soon as the proxy application has
-          # begun its startup process and continues to return OK until the
-          # process stops.
-          livenessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /liveness
-              port: 9801
-              scheme: HTTP
-            # The probe will be checked every 10 seconds.
-            periodSeconds: 10
-            # Number of times the probe is allowed to fail before the transition
-            # from healthy to failure state.
-            #
-            # If periodSeconds = 60, 5 tries will result in five minutes of
-            # checks. The proxy starts to refresh a certificate five minutes
-            # before its expiration. If those five minutes lapse without a
-            # successful refresh, the liveness probe will fail and the pod will be
-            # restarted.
-            successThreshold: 1
-            # The probe will fail if it does not respond in 10 seconds
-            timeoutSeconds: 10
-          readinessProbe:
-            # The /readiness probe returns OK when the proxy can establish
-            # a new connections to its databases.
-            httpGet:
-              path: /readiness
-              port: 9801
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 10
-            # Number of times the probe must report success to transition from failure to healthy state.
-            # Defaults to 1 for readiness probe.
-            successThreshold: 1
-            failureThreshold: 6
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- with .Values.volumes }}
-      volumes:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/service.yaml

@@ -1,17 +0,0 @@
-{{- if .Values.global.database.gcloud.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "gcloud-sql-proxy.fullname" . }}
-  labels:
-    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.global.database.port }}
-      targetPort: cloud-sql-proxy
-      protocol: TCP
-      name: cloud-sql-proxy
-  selector:
-    {{- include "gcloud-sql-proxy.selectorLabels" . | nindent 4 }}
-{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/serviceaccount.yaml

@@ -1,15 +0,0 @@
-{{- if .Values.global.database.gcloud.enabled -}}
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "gcloud-sql-proxy.serviceAccountName" . }}
-  labels:
-    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/templates/tests/test-connection.yaml

@@ -1,17 +0,0 @@
-{{- if .Values.global.database.gcloud.enabled -}}
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "gcloud-sql-proxy.fullname" . }}-test-connection"
-  labels:
-    {{- include "gcloud-sql-proxy.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "gcloud-sql-proxy.fullname" . }}:{{ .Values.service.port }}']
-  restartPolicy: Never
-{{- end }}

.github/helm/affine/charts/gcloud-sql-proxy/values.yaml

@@ -1,40 +0,0 @@
-replicaCount: 3
-
-image:
-  # the tag is defined as chart appVersion.
-  repository: gcr.io/cloud-sql-connectors/cloud-sql-proxy
-  pullPolicy: IfNotPresent
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
-  create: true
-  automount: true
-  annotations: {}
-  name: ""
-
-podAnnotations: {}
-podLabels: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-securityContext:
-  runAsNonRoot: true
-
-service:
-  type: ClusterIP
-  port: 5432
-
-resources:
-  limits:
-    memory: "4Gi"
-    cpu: "2"
-
-volumes: []
-volumeMounts: []
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/graphql/Chart.yaml

@@ -3,9 +3,4 @@ name: graphql
 description: AFFiNE GraphQL server
 type: application
 version: 0.0.0
-appVersion: "0.14.0"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled
+appVersion: '0.7.0-canary.18'

.github/helm/affine/charts/graphql/templates/_helpers.tpl

@@ -40,7 +40,6 @@ helm.sh/chart: {{ include "graphql.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
 {{- end }}
 
 {{/*
@@ -61,3 +60,73 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "jwt.key" -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.jwt.secretName -}}
+{{- if and $secret $secret.data.private -}}
+{{/*
+   Reusing existing secret data
+*/}}
+key: {{ $secret.data.private }}
+{{- else -}}
+{{/*
+    Generate new data
+*/}}
+key: {{ genPrivateKey "ecdsa" | b64enc }}
+{{- end -}}
+{{- end -}}
+
+{{- define "objectStorage.r2" -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.objectStorage.r2.secretName -}}
+{{- if $secret -}}
+{{/*
+   Reusing existing secret data
+*/}}
+accountId: {{ $secret.data.accountId }}
+accessKeyId: {{ $secret.data.accessKeyId }}
+secretAccessKey: {{ $secret.data.secretAccessKey }}
+bucket: {{ $secret.data.bucket }}
+{{- else -}}
+{{/*
+    Generate new data
+*/}}
+accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
+accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
+secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
+bucket: {{ .Values.app.objectStorage.r2.bucket | b64enc }}
+{{- end -}}
+{{- end -}}
+
+{{- define "objectStorage.oauth.google" -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.oauth.google.secretName -}}
+{{- if $secret -}}
+{{/*
+   Reusing existing secret data
+*/}}
+clientId: {{ $secret.data.clientId }}
+clientSecret: {{ $secret.data.clientSecret }}
+{{- else -}}
+{{/*
+    Generate new data
+*/}}
+clientId: "{{ .Values.app.oauth.google.clientId | b64enc }}"
+clientSecret: "{{ .Values.app.oauth.google.clientSecret | b64enc }}"
+{{- end -}}
+{{- end -}}
+
+{{- define "objectStorage.oauth.github" -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.oauth.github.secretName -}}
+{{- if $secret -}}
+{{/*
+   Reusing existing secret data
+*/}}
+clientId: {{ $secret.data.clientId }}
+clientSecret: {{ $secret.data.clientSecret }}
+{{- else -}}
+{{/*
+    Generate new data
+*/}}
+clientId: "{{ .Values.app.oauth.github.clientId | b64enc }}"
+clientSecret: "{{ .Values.app.oauth.github.clientSecret | b64enc }}"
+{{- end -}}
+{{- end -}}

.github/helm/affine/charts/graphql/templates/captcha-secret.yaml

@@ -1,9 +0,0 @@
-{{- if .Values.app.captcha.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.captcha.secretName }}"
-type: Opaque
-data:
-  turnstileSecret: {{ .Values.app.captcha.turnstile.secret | b64enc }}
-{{- end }}

.github/helm/affine/charts/graphql/templates/copilot-secret.yaml

@@ -1,11 +0,0 @@
-{{- if .Values.app.copilot.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.copilot.secretName }}"
-type: Opaque
-data:
-  openaiSecret: {{ .Values.app.copilot.openai.key | b64enc }}
-  falSecret: {{ .Values.app.copilot.fal.key | b64enc }}
-  unsplashSecret: {{ .Values.app.copilot.unsplash.key | b64enc }}
-{{- end }}

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -28,102 +28,28 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-          - name: AFFINE_PRIVATE_KEY
+          - name: AUTH_PRIVATE_KEY
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
+                name: "{{ .Values.app.jwt.secretName }}"
                 key: key
           - name: NODE_ENV
             value: "{{ .Values.env }}"
-          - name: NODE_OPTIONS
-            value: "--max-old-space-size=4096"
-          - name: NO_COLOR
-            value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "affine"
-          - name: SERVER_FLAVOR
-            value: "graphql"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
+          - name: DATABSE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_ENABLED
-            value: "true"
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: REDIS_SERVER_DATABASE
-            value: "{{ .Values.global.redis.database }}"
+            value: postgres://{{ .Values.database.user }}:$(DATABSE_PASSWORD)@{{ .Values.database.url }}:{{ .Values.database.port }}/{{ .Values.database.name }}
           - name: AFFINE_SERVER_PORT
             value: "{{ .Values.service.port }}"
           - name: AFFINE_SERVER_SUB_PATH
             value: "{{ .Values.app.path }}"
           - name: AFFINE_SERVER_HOST
             value: "{{ .Values.app.host }}"
-          - name: AFFINE_SERVER_HTTPS
-            value: "{{ .Values.app.https }}"
           - name: ENABLE_R2_OBJECT_STORAGE
             value: "{{ .Values.app.objectStorage.r2.enabled }}"
-          - name: ENABLE_CAPTCHA
-            value: "{{ .Values.app.captcha.enabled }}"
-          - name: FEATURES_EARLY_ACCESS_PREVIEW
-            value: "{{ .Values.app.features.earlyAccessPreview }}"
-          - name: FEATURES_SYNC_CLIENT_VERSION_CHECK
-            value: "{{ .Values.app.features.syncClientVersionCheck }}"
-          - name: MAILER_HOST
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.mailer.secretName }}"
-                key: host
-          - name: MAILER_PORT
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.mailer.secretName }}"
-                key: port
-          - name: MAILER_USER
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.mailer.secretName }}"
-                key: user
-          - name: MAILER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.mailer.secretName }}"
-                key: password
-          - name: MAILER_SENDER
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.mailer.secretName }}"
-                key: sender
-          - name: STRIPE_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.payment.stripe.secretName }}"
-                key: stripeAPIKey
-          - name: STRIPE_WEBHOOK_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.payment.stripe.secretName }}"
-                key: stripeWebhookKey
-          - name: DOC_MERGE_INTERVAL
-            value: "{{ .Values.app.doc.mergeInterval }}"
-          {{ if .Values.app.experimental.enableJwstCodec }}
-          - name: DOC_MERGE_USE_JWST_CODEC
-            value: "true"
-          {{ end }}
           {{ if .Values.app.objectStorage.r2.enabled }}
           - name: R2_OBJECT_STORAGE_ACCOUNT_ID
             valueFrom:
@@ -140,34 +66,13 @@ spec:
               secretKeyRef:
                 name: "{{ .Values.app.objectStorage.r2.secretName }}"
                 key: secretAccessKey
-          {{ end }}
-          {{ if .Values.app.captcha.enabled }}
-          - name: CAPTCHA_TURNSTILE_SECRET
+          - name: R2_OBJECT_STORAGE_BUCKET
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.app.captcha.secretName }}"
-                key: turnstileSecret
-          {{ end }}
-          {{ if .Values.app.copilot.enabled }}
-          - name: COPILOT_OPENAI_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.copilot.secretName }}"
-                key: openaiSecret
-          - name: COPILOT_FAL_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.copilot.secretName }}"
-                key: falSecret
-          - name: COPILOT_UNSPLASH_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.copilot.secretName }}"
-                key: unsplashSecret
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: bucket
           {{ end }}
           {{ if .Values.app.oauth.google.enabled }}
-          - name: OAUTH_GOOGLE_ENABLED
-            value: "true"
           - name: OAUTH_GOOGLE_CLIENT_ID
             valueFrom:
               secretKeyRef:

.github/helm/affine/charts/graphql/templates/jwt-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.jwt.secretName }}"
+type: Opaque
+data:
+{{- ( include "jwt.key" . ) | indent 2 -}}

.github/helm/affine/charts/graphql/templates/mailer.yaml

@@ -1,13 +0,0 @@
-{{- if .Values.app.mailer.secretName -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.mailer.secretName }}"
-type: Opaque
-data:
-  host: "{{ .Values.app.mailer.host | b64enc }}"
-  port: "{{ .Values.app.mailer.port | b64enc }}"
-  user: "{{ .Values.app.mailer.user | b64enc }}"
-  password: "{{ .Values.app.mailer.password | b64enc }}"
-  sender: "{{ .Values.app.mailer.sender | b64enc }}"
-{{- end }}

.github/helm/affine/charts/graphql/templates/migration.yaml

@@ -5,53 +5,27 @@ metadata:
   labels:
     {{- include "graphql.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": post-install,pre-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "-1"
     "helm.sh/hook-delete-policy": before-hook-creation
 
 spec:
   template:
     spec:
-      serviceAccountName: {{ include "graphql.serviceAccountName" . }}
       containers:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-        command: ["yarn", "predeploy"]
+        command: ["yarn", "prisma", "migrate", "deploy"]
         env:
           - name: NODE_ENV
             value: "{{ .Values.env }}"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
+          - name: DATABSE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
-          {{ if not .Values.global.database.gcloud.enabled }}
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          {{ end }}
-          {{ if .Values.global.database.gcloud.enabled }}
-          - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.gcloud.cloudSqlInternal }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          {{ end }}
-          {{ if .Values.app.objectStorage.r2.enabled }}
-          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.objectStorage.r2.secretName }}"
-                key: accountId
-          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.objectStorage.r2.secretName }}"
-                key: accessKeyId
-          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.app.objectStorage.r2.secretName }}"
-                key: secretAccessKey
-          {{ end }}
+            value: postgres://{{ .Values.database.user }}:$(DATABSE_PASSWORD)@{{ .Values.database.url }}:{{ .Values.database.port }}/{{ .Values.database.name }}
         resources:
           requests:
             cpu: '100m'

.github/helm/affine/charts/graphql/templates/oauth-github-secret.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.app.oauth.github.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.github.secretName }}"
+type: Opaque
+data:
+{{- ( include "objectStorage.oauth.github" . ) | indent 2 -}}
+
+{{- end }}

.github/helm/affine/charts/graphql/templates/oauth-google-secret.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.app.oauth.google.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.google.secretName }}"
+type: Opaque
+data:
+{{- ( include "objectStorage.oauth.google" . ) | indent 2 -}}
+
+{{- end }}

.github/helm/affine/charts/graphql/templates/oauth.yaml

@@ -1,21 +0,0 @@
-{{- if .Values.app.oauth.google.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.oauth.google.secretName }}"
-type: Opaque
-data:
-  clientId: "{{ .Values.app.oauth.google.clientId | b64enc }}"
-  clientSecret: "{{ .Values.app.oauth.google.clientSecret | b64enc }}"
-{{- end }}
----
-{{- if .Values.app.oauth.github.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.oauth.github.secretName }}"
-type: Opaque
-data:
-  clientId: "{{ .Values.app.oauth.github.clientId | b64enc }}"
-  clientSecret: "{{ .Values.app.oauth.github.clientSecret | b64enc }}"
-{{- end }}

.github/helm/affine/charts/graphql/templates/payment.yml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.payment.stripe.secretName }}"
-type: Opaque
-data:
-  stripeAPIKey: "{{ .Values.app.payment.stripe.apiKey | b64enc }}"
-  stripeWebhookKey: "{{ .Values.app.payment.stripe.webhookKey | b64enc }}"

.github/helm/affine/charts/graphql/templates/pg-secret.yaml

@@ -1,9 +0,0 @@
-{{- if .Values.global.database.password -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: pg-postgresql
-type: Opaque
-data:
-  postgres-password: {{ .Values.global.database.password | b64enc }}
-{{- end }}

.github/helm/affine/charts/graphql/templates/r2-secret.yaml

@@ -5,7 +5,5 @@ metadata:
   name: "{{ .Values.app.objectStorage.r2.secretName }}"
 type: Opaque
 data:
-  accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
-  accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
-  secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
+  {{- ( include "objectStorage.r2" . ) | indent 2 -}}
 {{- end }}

.github/helm/affine/charts/graphql/templates/redis-secret.yaml

@@ -1,9 +0,0 @@
-{{- if .Values.global.redis.password -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: redis
-type: Opaque
-data:
-  redis-password: {{ .Values.global.redis.password | b64enc }}
-{{- end }}

.github/helm/affine/charts/graphql/templates/secret.yaml

@@ -1,18 +0,0 @@
-{{- $privateKey := default (genPrivateKey "ecdsa") .Values.global.secret.privateKey | b64enc | quote }}
-
-{{- if not .Values.global.secret.privateKey }}
-{{- $existingKey := (lookup "v1" "Secret" .Release.Namespace .Values.global.secret.secretName) }}
-{{- if $existingKey }}
-{{- $privateKey = index $existingKey.data "key" }}
-{{- end -}}
-{{- end -}}
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.global.secret.secretName }}
-  annotations:
-    "helm.sh/resource-policy": "keep"
-type: Opaque
-data:
-  key: {{ $privateKey }}

.github/helm/affine/charts/graphql/values.yaml

@@ -9,26 +9,20 @@ nameOverride: ''
 fullnameOverride: ''
 # map to NODE_ENV environment variable
 env: 'production'
+database:
+  user: 'postgres'
+  url: 'pg-postgresql'
+  port: '5432'
+  name: 'affine'
 app:
-  experimental:
-    enableJwstCodec: true
   # AFFINE_SERVER_SUB_PATH
   path: ''
   # AFFINE_SERVER_HOST
   host: '0.0.0.0'
-  https: true
-  doc:
-    mergeInterval: "3000"
-  captcha:
-    enable: false
-    secretName: captcha
-    turnstile:
-      secret: ''
-  copilot:
-    enable: false
-    secretName: copilot
-    openai:
-      key: ''
+  jwt:
+    secretName: jwt-private-key
+    # base64 encoded ecdsa private key
+    privateKey: ''
   objectStorage:
     r2:
       enabled: false
@@ -36,7 +30,8 @@ app:
       accountId: ''
       accessKeyId: ''
       secretAccessKey: ''
-  oauth: 
+      bucket: ''
+  oauth:
     google:
       enabled: false
       secretName: oauth-google
@@ -47,21 +42,6 @@ app:
       secretName: oauth-github
       clientId: ''
       clientSecret: ''
-  mailer:
-    secretName: 'mailer'
-    host: 'smtp.gmail.com'
-    port: '465'
-    user: ''
-    password: ''
-    sender: 'noreply@toeverything.info'
-  payment:
-    stripe:
-      secretName: 'stripe'
-      apiKey: ''
-      webhookKey: ''
-  features:
-    earlyAccessPreview: false
-    syncClientVersionCheck: false
 
 serviceAccount:
   create: true
@@ -74,9 +54,12 @@ podSecurityContext:
   fsGroup: 2000
 
 resources:
-  requests:
-    cpu: '4'
+  limits:
+    cpu: '2000m'
     memory: 4Gi
+  requests:
+    cpu: '1000m'
+    memory: 2Gi
 
 probe:
   initialDelaySeconds: 20

.github/helm/affine/charts/sync/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

.github/helm/affine/charts/sync/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: sync
-description: AFFiNE Sync Server
-type: application
-version: 0.0.0
-appVersion: "0.14.0"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/sync/templates/NOTES.txt

@@ -1,16 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "sync.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "sync.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "sync.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "sync.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

.github/helm/affine/charts/sync/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "sync.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "sync.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "sync.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "sync.labels" -}}
-helm.sh/chart: {{ include "sync.chart" . }}
-{{ include "sync.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "sync.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "sync.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "sync.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "sync.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/sync/templates/deployment.yaml

@@ -1,101 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "sync.fullname" . }}
-  labels:
-    {{- include "sync.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "sync.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "sync.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "sync.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_PRIVATE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
-                key: key
-          - name: NODE_ENV
-            value: "{{ .Values.env }}"
-          - name: NO_COLOR
-            value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "affine"
-          - name: SERVER_FLAVOR
-            value: "sync"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: pg-postgresql
-                key: postgres-password
-          - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_ENABLED
-            value: "true"
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: REDIS_SERVER_DATABASE
-            value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_SERVER_PORT
-            value: "{{ .Values.service.port }}"
-          - name: AFFINE_SERVER_HOST
-            value: "{{ .Values.app.host }}"
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
-          livenessProbe:
-            tcpSocket:
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          readinessProbe:
-            tcpSocket:
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

.github/helm/affine/charts/sync/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "sync.fullname" . }}
-  labels:
-    {{- include "sync.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "sync.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/sync/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "sync.serviceAccountName" . }}
-  labels:
-    {{- include "sync.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

.github/helm/affine/charts/sync/templates/tests/test-connection.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "sync.fullname" . }}-test-connection"
-  labels:
-    {{- include "sync.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "sync.fullname" . }}:{{ .Values.service.port }}']
-  restartPolicy: Never

.github/helm/affine/charts/sync/values.yaml

@@ -1,38 +0,0 @@
-replicaCount: 1
-image:
-  repository: ghcr.io/toeverything/affine-graphql
-  pullPolicy: IfNotPresent
-  tag: ''
-
-imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
-# map to NODE_ENV environment variable
-env: 'production'
-app:
-  # AFFINE_SERVER_HOST
-  host: '0.0.0.0'
-serviceAccount:
-  create: true
-  annotations: {}
-  name: 'affine-sync'
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-resources:
-  limits:
-    cpu: '4'
-    memory: 8Gi
-  requests:
-    cpu: '2'
-    memory: 4Gi
-
-probe:
-  initialDelaySeconds: 20
-
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/web/templates/_helpers.tpl

@@ -40,7 +40,6 @@ helm.sh/chart: {{ include "web.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
 {{- end }}
 
 {{/*

.github/helm/affine/templates/ingress.yaml

@@ -1,8 +1,8 @@
-{{- if .Values.global.ingress.enabled -}}
+{{- if .Values.ingress.enabled -}}
 {{- $fullName := include "affine.fullname" . -}}
-{{- if and .Values.global.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.global.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.global.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
   {{- end }}
 {{- end }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
@@ -17,17 +17,17 @@ metadata:
   name: {{ $fullName }}
   labels:
     {{- include "affine.labels" . | nindent 4 }}
-  {{- with .Values.global.ingress.annotations }}
+  {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- if and .Values.global.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.global.ingress.className }}
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
-  {{- if .Values.global.ingress.tls }}
+  {{- if .Values.ingress.tls }}
   tls:
-    {{- range .Values.global.ingress.tls }}
+    {{- range .Values.ingress.tls }}
     - hosts:
         {{- range .hosts }}
         - {{ . | quote }}
@@ -36,16 +36,9 @@ spec:
     {{- end }}
   {{- end }}
   rules:
-    - host: "{{ .Values.global.ingress.host }}"
+    - host: "{{ .Values.ingress.host }}"
       http:
         paths:
-          - path: /socket.io
-            pathType: Prefix
-            backend:
-              service:
-                name: affine-sync
-                port:
-                  number: {{ .Values.sync.service.port }}
           - path: /graphql
             pathType: Prefix
             backend:
@@ -60,13 +53,6 @@ spec:
                 name: affine-graphql
                 port:
                   number: {{ .Values.graphql.service.port }}
-          - path: /oauth
-            pathType: Prefix
-            backend:
-              service:
-                name: affine-graphql
-                port:
-                  number: {{ .Values.graphql.service.port }}
           - path: /
             pathType: Prefix
             backend:
@@ -74,4 +60,5 @@ spec:
                 name: affine-web
                 port:
                   number: {{ .Values.web.service.port }}
+
 {{- end }}

.github/helm/affine/values.yaml

@@ -1,49 +1,15 @@
-global:
-  ingress:
-    enabled: false
-    className: ''
-    host: affine.pro
-    tls: []
-  secret:
-    secretName: 'server-private-key'
-    privateKey: ''
-  database:
-    user: 'postgres'
-    url: 'pg-postgresql'
-    port: '5432'
-    name: 'affine'
-    password: ''
-    gcloud:
-      enabled: false
-      # use for migration
-      cloudSqlInternal: ''
-      connectionName: ''
-      serviceAccount: ''
-      cloudProxyReplicas: 3
-      proxyPort: '5432'
-  redis:
-    enabled: true
-    host: 'redis-master'
-    port: '6379'
-    username: ''
-    password: ''
-    database: 0
-  gke:
-    enabled: true
+ingress:
+  enabled: false
+  className: ''
+  annotations:
+    kubernetes.io/ingress.class: nginx
+  host: affine.pro
+  tls: []
 
 graphql:
   service:
     type: ClusterIP
     port: 3000
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-backendconfig"}'
-
-sync:
-  service:
-    type: ClusterIP
-    port: 3010
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-backendconfig"}'
 
 web:
   service:

.github/helm/deployment_guide.md

@@ -0,0 +1,60 @@
+# Cluster Deployment Guide
+
+This document provides a step-by-step guide for developers on how to deploy services in a Kubernetes cluster. The following content assumes that the reader already has a basic understanding of Kubernetes concepts and operations.
+
+### 1. Configure Service Mesh (Optional)
+
+In the Kubernetes cluster, we optionally use Service Mesh (like Istio and Anthos Service Mesh) to manage the network interactions of microservices. If Service Mesh is already deployed on your cluster or do not need to use the service network, you can skip this step. In this step, we assume that you are using Google Kubernetes Engine (GKE) and have already installed Anthos Service Mesh on your cluster, if you wish to use another Ingress Controller, please refer to the relevant documentation.
+
+To configure your kubectl context to interact with your Kubernetes cluster using the gcloud tool, you need to execute the following commands:
+
+```sh
+export CLUSTER_NAME=your_cluster_name
+export REGION=your_cluster_region
+export PROJECT=your_project_id
+gcloud container clusters get-credentials $CLUSTER_NAME --region $REGION --project $PROJECT
+```
+
+In this command, you should replace `CLUSTER_NAME`, `REGION` and `PROJECT` with the actual name, region and project id of your Kubernetes cluster. This command retrieves the access credentials for your Kubernetes cluster and automatically configures kubectl to use these credentials.
+
+Now, to inject Service Mesh for a specific Namespace, first, set the environment variable `NAMESPACE` that should correspond to your target Kubernetes Namespace. In this example, we use `prod` as the target Namespace:
+
+```sh
+export NAMESPACE=prod
+```
+
+Then, we label the Namespace which will enable Istio to automatically inject the sidecar container for all new Pods under this Namespace:
+
+```sh
+kubectl label namespace $NAMESPACE istio-injection- istio.io/rev=asm-managed --overwrite
+```
+
+Finally, we trigger the Kubernetes Deployment restart mechanism to allow existing Pods to also obtain sidecar container injection:
+
+```sh
+kubectl rollout restart deployment -n $NAMESPACE
+```
+
+### 2. Deploying the Application
+
+Next, we will deploy our application in the Kubernetes cluster through Helm. First, set relevant environment variables:
+
+```sh
+export NAMESPACE=prod
+export RELEASE=affine-cloud-prod
+export PATH=.github/helm/affine-cloud
+```
+
+- `NAMESPACE` should be consistent with the first step, indicating your target Kubernetes Namespace.
+- `RELEASE` is the name of your Helm release.
+- `PATH` is the location of your Helm chart in your file system.
+
+Finally, use the `helm upgrade --install` command to deploy or upgrade your application:
+
+```sh
+helm upgrade --namespace $NAMESPACE --create-namespace --install $RELEASE $PATH
+```
+
+This command creates (if it doesn't already exist) and deploys your Helm chart in the specified Namespace. If the release already exists, it will be upgraded.
+
+The above are the complete steps for deploying an application in a Kubernetes cluster. Make sure all prerequisites are met before deploying, and also ensure that you have the correct permissions for operations in Kubernetes.

.github/labeler.yml

@@ -1,85 +1,68 @@
 docs:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'docs/**/*'
-          - '**/README.md'
-          - 'packages/frontend/templates/**/*'
+  - 'docs/**/*'
+  - '**/README.md'
+  - 'packages/templates/**/*'
 
 test:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'tests/**/*'
-          - '**/tests/**/*'
-          - '**/__tests__/**/*'
+  - 'tests/**/*'
+  - '**/tests/**/*'
+  - '**/__tests__/**/*'
 
 mod:dev:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'scripts/**/*'
-          - 'tools/cli/**/*'
-          - 'packages/common/debug/**/*'
+  - 'scripts/**/*'
+  - 'packages/cli/**/*'
+  - 'packages/debug/**/*'
+
+mod:plugin:
+  - 'plugins/**/*'
+
+plugin:bookmark-block:
+  - 'plugins/bookmark-block/**/*'
+
+plugin:copilot:
+  - 'plugins/copilot/**/*'
 
 mod:infra:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/common/infra/**/*'
+  - 'packages/infra/**/*'
+
+mod:sdk:
+  - 'packages/sdk/**/*'
 
 mod:plugin-cli:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'tools/plugin-cli/**/*'
+  - 'packages/plugin-cli/**/*'
 
-mod:i18n:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/frontend/i18n/**/*'
+mod:workspace: 'packages/workspace/**/*'
 
-mod:env:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/common/env/**/*'
+mod:i18n: 'packages/i18n/**/*'
 
-mod:component:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/frontend/component/**/*'
+mod:env: 'packages/env/**/*'
 
-mod:server-native:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/backend/native/**/*'
+mod:hooks: 'packages/hooks/**/*'
 
-mod:native:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/frontend/native/**/*'
+mod:component: 'packages/component/**/*'
+
+mod:storage: 'packages/storage/**/*'
+
+mod:native: 'packages/native/**/*'
 
 mod:store:
-  - changed-files:
-      - any-glob-to-any-file:
-          - '**/atoms/**/*'
+  - 'packages/jotai/**/*'
+  - '**/atoms/**/*'
 
 rust:
-  - changed-files:
-      - any-glob-to-any-file:
-          - '**/*.rs'
-          - '**/Cargo.toml'
-          - '**/Cargo.lock'
-          - '**/rust-toolchain'
-          - '**/rust-toolchain.toml'
-          - '**/rustfmt.toml'
+  - '**/*.rs'
+  - '**/Cargo.toml'
+  - '**/Cargo.lock'
+  - '**/rust-toolchain'
+  - '**/rust-toolchain.toml'
+  - '**/rustfmt.toml'
 
-app:core:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/frontend/core/**/*'
+package:y-indexeddb: 'packages/y-indexeddb/**/*'
 
-app:electron:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/frontend/electron/**/*'
+app:core: 'apps/core/**/*'
 
-app:server:
-  - changed-files:
-      - any-glob-to-any-file:
-          - 'packages/backend/server/**/*'
+app:electron: 'apps/electron/**/*'
+
+app:server: 'apps/server/**/*'
+
+app:docs: 'apps/docs/**/*'

.github/renovate.json

@@ -1,66 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended", ":disablePeerDependencies"],
-  "labels": ["dependencies"],
-  "ignorePaths": [
-    "**/node_modules/**",
-    "**/bower_components/**",
-    "**/vendor/**",
-    "**/examples/**",
-    "**/__tests__/**",
-    "**/test/**",
-    "**/__fixtures__/**"
-  ],
-  "packageRules": [
-    {
-      "matchPackagePatterns": ["^eslint", "^@typescript-eslint"],
-      "rangeStrategy": "replace",
-      "groupName": "linter"
-    },
-    {
-      "matchDepNames": ["oxlint"],
-      "rangeStrategy": "replace",
-      "groupName": "oxlint"
-    },
-    {
-      "groupName": "blocksuite-canary",
-      "matchPackagePatterns": ["^@blocksuite"],
-      "excludePackageNames": ["@blocksuite/icons"],
-      "rangeStrategy": "replace",
-      "followTag": "canary"
-    },
-    {
-      "groupName": "all non-major dependencies",
-      "groupSlug": "all-minor-patch",
-      "matchPackagePatterns": ["*"],
-      "excludePackagePatterns": ["^@blocksuite/", "oxlint"],
-      "matchUpdateTypes": ["minor", "patch"]
-    },
-    {
-      "groupName": "rust toolchain",
-      "matchManagers": ["custom.regex"],
-      "matchDepNames": ["rustc"]
-    }
-  ],
-  "commitMessagePrefix": "chore: ",
-  "commitMessageAction": "bump up",
-  "commitMessageTopic": "{{depName}} version",
-  "ignoreDeps": [],
-  "postUpdateOptions": ["yarnDedupeHighest"],
-  "lockFileMaintenance": {
-    "enabled": true,
-    "extends": ["schedule:weekly"]
-  },
-  "customManagers": [
-    {
-      "customType": "regex",
-      "fileMatch": ["^rust-toolchain\\.toml?$"],
-      "matchStrings": [
-        "channel\\s*=\\s*\"(?<currentValue>\\d+\\.\\d+(\\.\\d+)?)\""
-      ],
-      "depNameTemplate": "rustc",
-      "packageNameTemplate": "rust-lang/rust",
-      "datasourceTemplate": "github-releases"
-    }
-  ]
-}

.github/workflows/auto-labeler.yml

@@ -9,5 +9,4 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@v4

.github/workflows/build-desktop.yml

@@ -0,0 +1,177 @@
+name: Build(Desktop) & Test
+
+on:
+  push:
+    branches:
+      - master
+      - v[0-9]+.[0-9]+.x-staging
+      - v[0-9]+.[0-9]+.x
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/build-desktop.yml'
+      - '!.github/actions/build-rust/action.yml'
+      - '!.github/actions/setup-node/action.yml'
+  pull_request:
+  merge_group:
+    branches:
+      - master
+      - v[0-9]+.[0-9]+.x-staging
+      - v[0-9]+.[0-9]+.x
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/build-desktop.yml'
+      - '!.github/actions/build-rust/action.yml'
+      - '!.github/actions/setup-node/action.yml'
+
+env:
+  DEBUG: napi:*
+  BUILD_TYPE: canary
+  APP_NAME: affine
+  COVERAGE: true
+  DISTRIBUTION: desktop
+  MACOSX_DEPLOYMENT_TARGET: '10.13'
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+jobs:
+  build-core:
+    name: Build @affine/core
+    runs-on: ubuntu-latest
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Plugins
+        run: yarn run build:plugins
+      - name: Build Core
+        run: yarn nx build @affine/core
+      - name: Upload core artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: core
+          path: ./apps/core/dist
+          if-no-files-found: error
+
+  desktop-test:
+    name: Desktop Test
+    runs-on: ${{ matrix.spec.os }}
+    environment: development
+    strategy:
+      fail-fast: false
+      # all combinations: macos-latest x64, macos-latest arm64, windows-latest x64, ubuntu-latest x64
+      matrix:
+        spec:
+          - {
+              os: macos-latest,
+              platform: macos,
+              arch: x64,
+              target: x86_64-apple-darwin,
+              test: true,
+            }
+          - {
+              os: macos-latest,
+              platform: macos,
+              arch: arm64,
+              target: aarch64-apple-darwin,
+              test: false,
+            }
+          - {
+              os: ubuntu-latest,
+              platform: linux,
+              arch: x64,
+              target: x86_64-unknown-linux-gnu,
+              test: true,
+            }
+          - {
+              os: windows-latest,
+              platform: windows,
+              arch: x64,
+              target: x86_64-pc-windows-msvc,
+              test: true,
+            }
+    needs: build-core
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        timeout-minutes: 10
+        with:
+          playwright-install: true
+          hard-link-nm: false
+      - name: Build AFFiNE native
+        uses: ./.github/actions/build-rust
+        with:
+          target: ${{ matrix.spec.target }}
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - name: Run unit tests
+        if: ${{ matrix.spec.test }}
+        shell: bash
+        run: yarn vitest
+        working-directory: ./apps/electron
+
+      - name: Download core artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: core
+          path: apps/electron/resources/web-static
+
+      - name: Build Plugins
+        run: yarn run build:plugins
+
+      - name: Build Desktop Layers
+        run: yarn workspace @affine/electron build
+
+      - name: Upload desktop dist
+        uses: actions/upload-artifact@v3
+        with:
+          name: dist-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
+          path: ./apps/electron/dist
+
+      - name: Run desktop tests
+        if: ${{ matrix.spec.test && matrix.spec.os == 'ubuntu-latest' }}
+        run: xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- yarn workspace @affine/electron test
+        env:
+          COVERAGE: true
+
+      - name: Run desktop tests
+        if: ${{ matrix.spec.test && matrix.spec.os != 'ubuntu-latest' }}
+        run: yarn workspace @affine/electron test
+        env:
+          COVERAGE: true
+
+      - name: Make bundle
+        if: ${{ matrix.spec.os == 'macos-latest' && matrix.spec.arch == 'arm64' }}
+        env:
+          SKIP_BUNDLE: true
+        run: yarn workspace @affine/electron make --platform=darwin --arch=arm64
+
+      - name: Bundle output check
+        if: ${{ matrix.spec.os == 'macos-latest' && matrix.spec.arch == 'arm64' }}
+        run: |
+          yarn ts-node-esm ./scripts/macos-arm64-output-check.mts
+        working-directory: apps/electron
+
+      - name: Collect code coverage report
+        if: ${{ matrix.spec.test }}
+        run: yarn exec nyc report -t .nyc_output --report-dir .coverage --reporter=lcov
+
+      - name: Upload e2e test coverage results
+        if: ${{ matrix.spec.test }}
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./.coverage/lcov.info
+          flags: e2etest-${{ matrix.spec.os }}-${{ matrix.spec.arch }}
+          name: affine
+          fail_ci_if_error: false
+
+      - name: Upload test results
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-results-e2e-${{ matrix.spec.os }}-${{ matrix.spec.arch }}
+          path: ./test-results
+          if-no-files-found: ignore

.github/workflows/build-selfhost-image.yml

@@ -1,25 +0,0 @@
-name: Build Selfhost Image
-
-on:
-  workflow_dispatch:
-    inputs:
-      flavor:
-        description: 'Select distribution to build'
-        type: choice
-        default: canary
-        options:
-          - canary
-          - beta
-          - stable
-
-permissions:
-  contents: 'write'
-  id-token: 'write'
-  packages: 'write'
-
-jobs:
-  build-image:
-    name: Build Image
-    uses: ./.github/workflows/build-server-image.yml
-    with:
-      flavor: ${{ github.event.inputs.flavor }}

.github/workflows/build-server-image.yml

@@ -1,196 +0,0 @@
-name: Build Images
-
-on:
-  workflow_call:
-    inputs:
-      flavor:
-        type: string
-        required: true
-
-env:
-  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-
-permissions:
-  contents: 'write'
-  id-token: 'write'
-  packages: 'write'
-
-jobs:
-  build-server:
-    name: Build Server
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          extra-flags: workspaces focus @affine/server
-      - name: Build Server
-        run: yarn workspace @affine/server build
-      - name: Upload server dist
-        uses: actions/upload-artifact@v4
-        with:
-          name: server-dist
-          path: ./packages/backend/server/dist
-          if-no-files-found: error
-
-  build-web-selfhost:
-    name: Build @affine/web selfhost
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Build Core
-        run: yarn nx build @affine/web --skip-nx-cache
-        env:
-          BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          SHOULD_REPORT_TRACE: false
-          PUBLIC_PATH: '/'
-          SELF_HOSTED: true
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-      - name: Download selfhost fonts
-        run: node ./scripts/download-blocksuite-fonts.mjs
-      - name: Upload web artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: selfhost-web
-          path: ./packages/frontend/web/dist
-          if-no-files-found: error
-
-  build-server-native:
-    name: Build Server native - ${{ matrix.targets.name }}
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        targets:
-          - name: x86_64-unknown-linux-gnu
-            file: server-native.node
-          - name: aarch64-unknown-linux-gnu
-            file: server-native.arm64.node
-          - name: armv7-unknown-linux-gnueabihf
-            file: server-native.armv7.node
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          extra-flags: workspaces focus @affine/server-native
-      - name: Build Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.targets.name }}
-          package: '@affine/server-native'
-          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - name: Upload ${{ matrix.targets.file }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.targets.file }}
-          path: ./packages/backend/native/server-native.node
-          if-no-files-found: error
-
-  build-docker:
-    name: Build Docker
-    runs-on: ubuntu-latest
-    needs:
-      - build-server
-      - build-web-selfhost
-      - build-server-native
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download server dist
-        uses: actions/download-artifact@v4
-        with:
-          name: server-dist
-          path: ./packages/backend/server/dist
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-      - name: Download server-native.node arm64
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.arm64.node
-          path: ./packages/backend/native
-      - name: Download server-native.node arm64
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.armv7.node
-          path: .
-      - name: move server-native files
-        run: |
-          mv ./packages/backend/native/server-native.node ./packages/backend/server/server-native.arm64.node
-          mv server-native.node ./packages/backend/server/server-native.armv7.node
-      - name: Setup env
-        run: |
-          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-          if [ -z "${{ inputs.flavor }}" ]
-          then
-            echo "RELEASE_FLAVOR=canary" >> "$GITHUB_ENV"
-          else
-            echo "RELEASE_FLAVOR=${{ inputs.flavor }}" >> "$GITHUB_ENV"
-          fi
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          logout: false
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      # setup node without cache configuration
-      # Prisma cache is not compatible with docker build cache
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          registry-url: https://npm.pkg.github.com
-          scope: '@toeverything'
-
-      - name: Download selfhost web artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: selfhost-web
-          path: ./packages/frontend/web/dist
-
-      - name: Install Node.js dependencies
-        run: |
-          yarn config set --json supportedArchitectures.cpu '["x64", "arm64", "arm"]'
-          yarn config set --json supportedArchitectures.libc '["glibc"]'
-          yarn workspaces focus @affine/server --production
-
-      - name: Generate Prisma client
-        run: yarn workspace @affine/server prisma generate
-
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-
-      - name: Build graphql Dockerfile
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          pull: true
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          provenance: true
-          file: .github/deployment/node/Dockerfile
-          tags: ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}

.github/workflows/build-test.yml

@@ -1,583 +0,0 @@
-name: Build & Test
-
-on:
-  push:
-    branches:
-      - canary
-      - beta
-      - stable
-      - v[0-9]+.[0-9]+.x-staging
-      - v[0-9]+.[0-9]+.x
-    paths-ignore:
-      - README.md
-  pull_request:
-
-env:
-  DEBUG: napi:*
-  BUILD_TYPE: canary
-  APP_NAME: affine
-  AFFINE_ENV: dev
-  COVERAGE: true
-  MACOSX_DEPLOYMENT_TARGET: '10.13'
-  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-  PLAYWRIGHT_BROWSERS_PATH: ${{ github.workspace }}/node_modules/.cache/ms-playwright
-  DEPLOYMENT_TYPE: affine
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['javascript', 'typescript']
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # queries: security-extended,security-and-quality
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-      #   If the Autobuild fails above, remove it and uncomment the following three lines.
-      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-      # - run: |
-      #   echo "Run, Build Application using script"
-      #   ./location_of_script_within_repo/buildscript.sh
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Run oxlint
-        # oxlint is fast, so wrong code will fail quickly
-        run: yarn dlx $(node -e "console.log(require('./package.json').scripts['lint:ox'].replace('oxlint', 'oxlint@' + require('./package.json').devDependencies.oxlint))")
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          full-cache: true
-      - name: Run i18n codegen
-        run: yarn i18n-codegen gen
-      - name: Run ESLint
-        run: yarn lint:eslint --max-warnings=0
-      - name: Run Prettier
-        # Set nmMode in `actions/setup-node` will modify the .yarnrc.yml
-        run: |
-          git checkout .yarnrc.yml
-          yarn lint:prettier
-      - name: Yarn Dedupe
-        run: yarn dedupe --check
-      - name: Run Type Check
-        run: yarn typecheck
-
-  check-yarn-binary:
-    name: Check yarn binary
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Run check
-        run: |
-          yarn set version $(node -e "console.log(require('./package.json').packageManager.split('@')[1])")
-          git diff --exit-code
-
-  e2e-test:
-    name: E2E Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: browser
-      IN_CI_TEST: true
-    strategy:
-      fail-fast: false
-      matrix:
-        shard: [1, 2, 3, 4, 5]
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-
-      - name: Run playwright tests
-        run: yarn workspace @affine-test/affine-local e2e --forbid-only --shard=${{ matrix.shard }}/${{ strategy.job-total }}
-
-      - name: Upload test results
-        if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-results-e2e-${{ matrix.shard }}
-          path: ./test-results
-          if-no-files-found: ignore
-
-  e2e-migration-test:
-    name: E2E Migration Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: browser
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-
-      - name: Run playwright tests
-        run: yarn workspace @affine-test/affine-migration e2e --forbid-only
-
-      - name: Upload test results
-        if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-results-e2e-migration
-          path: ./tests/affine-migration/test-results
-          if-no-files-found: ignore
-
-  unit-test:
-    name: Unit Test
-    runs-on: ubuntu-latest
-    needs:
-      - build-native
-    env:
-      DISTRIBUTION: browser
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          full-cache: true
-
-      - name: Download affine.linux-x64-gnu.node
-        uses: actions/download-artifact@v4
-        with:
-          name: affine.linux-x64-gnu.node
-          path: ./packages/frontend/native
-
-      - name: Unit Test
-        run: yarn nx test:coverage @affine/monorepo
-
-      - name: Upload unit test coverage results
-        uses: codecov/codecov-action@v4
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./.coverage/store/lcov.info
-          flags: unittest
-          name: affine
-          fail_ci_if_error: false
-
-  build-native:
-    name: Build AFFiNE native (${{ matrix.spec.target }})
-    runs-on: ${{ matrix.spec.os }}
-    env:
-      CARGO_PROFILE_RELEASE_DEBUG: '1'
-    strategy:
-      fail-fast: false
-      matrix:
-        spec:
-          - { os: ubuntu-latest, target: x86_64-unknown-linux-gnu }
-          - { os: windows-latest, target: x86_64-pc-windows-msvc }
-          - { os: macos-14, target: x86_64-apple-darwin }
-          - { os: macos-14, target: aarch64-apple-darwin }
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/native
-          electron-install: false
-      - name: Setup filename
-        id: filename
-        shell: bash
-        run: |
-          export PLATFORM_ARCH_ABI=$(node -e "console.log(require('@napi-rs/cli').parseTriple('${{ matrix.spec.target }}').platformArchABI)")
-          echo "filename=affine.$PLATFORM_ARCH_ABI.node" >> "$GITHUB_OUTPUT"
-      - name: Build AFFiNE native
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.spec.target }}
-          package: '@affine/native'
-          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - name: Upload ${{ steps.filename.outputs.filename }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ steps.filename.outputs.filename }}
-          path: ./packages/frontend/native/${{ steps.filename.outputs.filename }}
-          if-no-files-found: error
-
-  build-server-native:
-    name: Build Server native
-    runs-on: ubuntu-latest
-    env:
-      CARGO_PROFILE_RELEASE_DEBUG: '1'
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/server-native
-          electron-install: false
-      - name: Build Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'x86_64-unknown-linux-gnu'
-          package: '@affine/server-native'
-          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - name: Upload server-native.node
-        uses: actions/upload-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/native/server-native.node
-          if-no-files-found: error
-
-  build-web:
-    name: Build @affine/web
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          full-cache: true
-      - name: Build Web
-        # always skip cache because its fast, and cache configuration is always changing
-        run: yarn nx build @affine/web --skip-nx-cache
-        env:
-          DISTRIBUTION: 'desktop'
-      - name: zip web
-        run: tar -czf dist.tar.gz --directory=packages/frontend/electron/renderer/dist .
-      - name: Upload web artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: web
-          path: dist.tar.gz
-          if-no-files-found: error
-
-  server-test:
-    name: Server Test
-    runs-on: ubuntu-latest
-    needs: build-server-native
-    env:
-      NODE_ENV: test
-      DISTRIBUTION: browser
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      mailer:
-        image: mailhog/mailhog
-        ports:
-          - 1025:1025
-          - 8025:8025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          full-cache: true
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Initialize database
-        run: |
-          psql -h localhost -U postgres -c "CREATE DATABASE affine;"
-          psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
-          psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
-        env:
-          PGPASSWORD: affine
-
-      - name: Run init-db script
-        run: |
-          yarn workspace @affine/server exec prisma generate
-          yarn workspace @affine/server exec prisma db push
-          yarn workspace @affine/server data-migration run
-        env:
-          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-
-      - name: Run server tests
-        run: yarn workspace @affine/server test:coverage
-        env:
-          CARGO_TARGET_DIR: '${{ github.workspace }}/target'
-          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-
-      - name: Upload server test coverage results
-        uses: codecov/codecov-action@v4
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./packages/backend/server/.coverage/lcov.info
-          flags: server-test
-          name: affine
-          fail_ci_if_error: false
-
-  server-e2e-test:
-    name: ${{ matrix.tests.name }}
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: browser
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-      IN_CI_TEST: true
-    strategy:
-      fail-fast: false
-      matrix:
-        tests:
-          - name: 'Server E2E Test 1/3'
-            script: yarn workspace @affine-test/affine-cloud e2e --forbid-only --shard=1/3
-          - name: 'Server E2E Test 2/3'
-            script: yarn workspace @affine-test/affine-cloud e2e --forbid-only --shard=2/3
-          - name: 'Server E2E Test 3/3'
-            script: yarn workspace @affine-test/affine-cloud e2e --forbid-only --shard=3/3
-          - name: 'Server Desktop E2E Test'
-            script: |
-              yarn workspace @affine/electron build:dev
-              xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- yarn workspace @affine-test/affine-desktop-cloud e2e
-    needs:
-      - build-server-native
-      - build-native
-    services:
-      postgres:
-        image: postgres
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      mailer:
-        image: mailhog/mailhog
-        ports:
-          - 1025:1025
-          - 8025:8025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          hard-link-nm: false
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Download affine.linux-x64-gnu.node
-        uses: actions/download-artifact@v4
-        with:
-          name: affine.linux-x64-gnu.node
-          path: ./packages/frontend/native
-
-      - name: Initialize database
-        run: |
-          psql -h localhost -U postgres -c "CREATE DATABASE affine;"
-          psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
-          psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
-        env:
-          PGPASSWORD: affine
-
-      - name: Run init-db script
-        run: |
-          yarn workspace @affine/server exec prisma generate
-          yarn workspace @affine/server exec prisma db push
-          yarn workspace @affine/server data-migration run
-
-      - name: ${{ matrix.tests.name }}
-        run: |
-          ${{ matrix.tests.script }}
-        env:
-          DEV_SERVER_URL: http://localhost:8080
-
-      - name: Upload test results
-        if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-results-e2e-server
-          path: ./tests/affine-cloud/test-results
-          if-no-files-found: ignore
-
-  desktop-test:
-    name: Desktop Test (${{ matrix.spec.os }}, ${{ matrix.spec.platform }}, ${{ matrix.spec.arch }}, ${{ matrix.spec.target }}, ${{ matrix.spec.test }})
-    runs-on: ${{ matrix.spec.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        spec:
-          - {
-              os: macos-14,
-              platform: macos,
-              arch: x64,
-              target: x86_64-apple-darwin,
-              test: false,
-            }
-          - {
-              os: macos-14,
-              platform: macos,
-              arch: arm64,
-              target: aarch64-apple-darwin,
-              test: true,
-            }
-          - {
-              os: ubuntu-latest,
-              platform: linux,
-              arch: x64,
-              target: x86_64-unknown-linux-gnu,
-              test: true,
-            }
-          - {
-              os: windows-latest,
-              platform: windows,
-              arch: x64,
-              target: x86_64-pc-windows-msvc,
-              test: true,
-            }
-    needs:
-      - build-web
-      - build-native
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        timeout-minutes: 10
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo @affine-test/affine-desktop
-          playwright-install: true
-          hard-link-nm: false
-          enableScripts: false
-
-      - name: Setup filename
-        id: filename
-        shell: bash
-        run: |
-          export PLATFORM_ARCH_ABI=$(node -e "console.log(require('@napi-rs/cli').parseTriple('${{ matrix.spec.target }}').platformArchABI)")
-          echo "filename=affine.$PLATFORM_ARCH_ABI.node" >> "$GITHUB_OUTPUT"
-
-      - name: Download ${{ steps.filename.outputs.filename }}
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{ steps.filename.outputs.filename }}
-          path: ./packages/frontend/native
-
-      - name: Run unit tests
-        if: ${{ matrix.spec.test }}
-        shell: bash
-        run: yarn workspace @affine/electron vitest
-
-      - name: Download web artifact
-        uses: ./.github/actions/download-web
-        with:
-          path: packages/frontend/electron/resources/web-static
-
-      - name: Build Desktop Layers
-        run: yarn workspace @affine/electron build
-
-      - name: Run desktop tests
-        if: ${{ matrix.spec.os == 'ubuntu-latest' }}
-        run: xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- yarn workspace @affine-test/affine-desktop e2e
-
-      - name: Run desktop tests
-        if: ${{ matrix.spec.test && matrix.spec.os != 'ubuntu-latest' }}
-        run: yarn workspace @affine-test/affine-desktop e2e
-
-      - name: Make bundle
-        if: ${{ matrix.spec.target == 'aarch64-apple-darwin' }}
-        env:
-          SKIP_BUNDLE: true
-          SKIP_WEB_BUILD: true
-          HOIST_NODE_MODULES: 1
-        run: yarn workspace @affine/electron package --platform=darwin --arch=arm64
-
-      - name: Make AppImage
-        run: yarn workspace @affine/electron make --platform=linux --arch=x64
-        if: ${{ matrix.spec.target == 'x86_64-unknown-linux-gnu' }}
-        env:
-          SKIP_WEB_BUILD: 1
-          HOIST_NODE_MODULES: 1
-
-      - name: Output check
-        if: ${{ matrix.spec.os == 'macos-14' && matrix.spec.arch == 'arm64' }}
-        run: |
-          yarn workspace @affine/electron exec node --loader ts-node/esm/transpile-only ./scripts/macos-arm64-output-check.ts
-
-      - name: Upload test results
-        if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: test-results-e2e-${{ matrix.spec.os }}-${{ matrix.spec.arch }}
-          path: ./test-results
-          if-no-files-found: ignore
-
-  test-done:
-    needs:
-      - analyze
-      - lint
-      - check-yarn-binary
-      - e2e-test
-      - e2e-migration-test
-      - unit-test
-      - server-test
-      - server-e2e-test
-      - desktop-test
-    if: always()
-    runs-on: ubuntu-latest
-    name: 3, 2, 1 Launch
-    steps:
-      - run: exit 1
-        # Thank you, next https://github.com/vercel/next.js/blob/canary/.github/workflows/build_and_test.yml#L379
-        if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}

.github/workflows/build.yml

@@ -0,0 +1,394 @@
+name: Build & Test
+
+on:
+  push:
+    branches:
+      - master
+      - v[0-9]+.[0-9]+.x-staging
+      - v[0-9]+.[0-9]+.x
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/build.yml'
+      - '!.github/actions/build-rust/action.yml'
+      - '!.github/actions/setup-node/action.yml'
+  pull_request:
+  merge_group:
+    branches:
+      - master
+      - v[0-9]+.[0-9]+.x-staging
+      - v[0-9]+.[0-9]+.x
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/build.yml'
+      - '!.github/actions/build-rust/action.yml'
+      - '!.github/actions/setup-node/action.yml'
+
+env:
+  DEBUG: napi:*
+  BUILD_TYPE: canary
+  APP_NAME: affine
+  COVERAGE: true
+  DISTRIBUTION: browser
+  MACOSX_DEPLOYMENT_TARGET: '10.13'
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - name: Run i18n codegen
+        run: yarn i18n-codegen gen
+      - name: Run ESLint
+        run: yarn lint:eslint --max-warnings=0
+      - name: Run Prettier
+        # Set nmMode in `actions/setup-node` will modify the .yarnrc.yml
+        run: |
+          git checkout .yarnrc.yml
+          yarn lint:prettier
+      - name: Run circular
+        run: yarn circular
+      - name: Run Type Check
+        run: yarn typecheck
+
+  build-prototype:
+    name: Build Prototype
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - name: Build Prototype
+        run: yarn nx build prototype
+      - name: Upload prototype artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: prototype
+          path: ./apps/prototype/dist
+          if-no-files-found: error
+
+  build-server:
+    name: Build Server
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - name: Build Server
+        run: yarn nx build @affine/server
+      - name: Upload server dist
+        uses: actions/upload-artifact@v3
+        with:
+          name: server-dist
+          path: ./apps/server/dist
+          if-no-files-found: error
+
+  build-docs:
+    name: Build Docs
+    runs-on: ubuntu-latest
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - run: yarn nx build @affine/docs
+        env:
+          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+  build-storybook:
+    name: Build Storybook
+    runs-on: ubuntu-latest
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - run: yarn nx build @affine/storybook
+        env:
+          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - name: Upload storybook artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: storybook
+          path: ./apps/storybook/storybook-static
+          if-no-files-found: error
+
+  build-storage:
+    name: Build Storage
+    runs-on: ubuntu-latest
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Setup Rust
+        uses: ./.github/actions/setup-rust
+        with:
+          target: 'x86_64-unknown-linux-gnu'
+      - name: Build Storage
+        run: yarn build:storage
+      - name: Upload storage.node
+        uses: actions/upload-artifact@v3
+        with:
+          name: storage.node
+          path: ./packages/storage/storage.node
+          if-no-files-found: error
+
+  server-test:
+    name: Server Test
+    runs-on: ubuntu-latest
+    environment: development
+    needs: build-storage
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_PASSWORD: affine
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Initialize database
+        run: |
+          psql -h localhost -U postgres -c "CREATE DATABASE affine;"
+          psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
+          psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
+        env:
+          PGPASSWORD: affine
+      - name: Generate prisma client
+        run: |
+          yarn exec prisma generate
+          yarn exec prisma db push
+        working-directory: apps/server
+        env:
+          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
+      - name: Run init-db script
+        run: yarn exec ts-node-esm ./scripts/init-db.ts
+        working-directory: apps/server
+        env:
+          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
+      - name: Download storage.node
+        uses: actions/download-artifact@v3
+        with:
+          name: storage.node
+          path: ./apps/server
+      - name: Run server tests
+        run: yarn test:coverage
+        working-directory: apps/server
+        env:
+          CARGO_TARGET_DIR: '${{ github.workspace }}/target'
+          DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
+      - name: Upload server test coverage results
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./apps/server/.coverage/lcov.info
+          flags: server-test
+          name: affine
+          fail_ci_if_error: false
+
+  e2e-plugin-test:
+    name: E2E Plugin Test
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          playwright-install: true
+          electron-install: false
+      - name: Run playwright tests
+        run: yarn e2e --forbid-only
+        working-directory: tests/affine-plugin
+        env:
+          COVERAGE: true
+      - name: Collect code coverage report
+        run: yarn exec nyc report -t .nyc_output --report-dir .coverage --reporter=lcov
+
+      - name: Upload e2e test coverage results
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./.coverage/lcov.info
+          flags: e2e-plugin-test
+          name: affine
+          fail_ci_if_error: false
+
+      - name: Upload test results
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-results-e2e-plugin
+          path: ./test-results
+          if-no-files-found: ignore
+
+  e2e-prototype-test:
+    name: E2E Prototype Test
+    runs-on: ubuntu-latest
+    environment: development
+    needs: build-prototype
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          playwright-install: true
+          electron-install: false
+      - name: Download prototype artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: prototype
+          path: ./apps/prototype/dist
+      - name: Run playwright tests
+        run: yarn e2e --forbid-only
+        working-directory: tests/affine-prototype
+        env:
+          COVERAGE: true
+
+      #      - name: Collect code coverage report
+      #        run: yarn exec nyc report -t .nyc_output --report-dir .coverage --reporter=lcov
+
+      #      - name: Upload e2e test coverage results
+      #        uses: codecov/codecov-action@v3
+      #        with:
+      #          token: ${{ secrets.CODECOV_TOKEN }}
+      #          files: ./.coverage/lcov.info
+      #          flags: e2etest-prototype
+      #          name: affine
+      #          fail_ci_if_error: false
+
+      - name: Upload test results
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-results-e2e-prototype
+          path: ./test-results
+          if-no-files-found: ignore
+
+  e2e-test:
+    name: E2E Test
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        shard: [1, 2, 3, 4, 5]
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          playwright-install: true
+          electron-install: false
+
+      - name: Run playwright tests
+        run: yarn e2e --forbid-only --shard=${{ matrix.shard }}/${{ strategy.job-total }}
+        working-directory: tests/affine-local
+        env:
+          COVERAGE: true
+
+      - name: Collect code coverage report
+        run: yarn exec nyc report -t .nyc_output --report-dir .coverage --reporter=lcov
+
+      - name: Upload e2e test coverage results
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./.coverage/lcov.info
+          flags: e2etest
+          name: affine
+          fail_ci_if_error: false
+
+      - name: Upload test results
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-results-e2e-${{ matrix.shard }}
+          path: ./test-results
+          if-no-files-found: ignore
+
+  e2e-migration-test:
+    name: E2E Migration Test
+    runs-on: ubuntu-latest
+    environment: development
+    strategy:
+      matrix:
+        spec:
+          - { package: 0.7.0-canary.18 }
+          - { package: 0.8.0-canary.7 }
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          playwright-install: true
+          electron-install: false
+
+      - name: Unzip
+        run: yarn unzip
+        working-directory: ./tests/affine-legacy/${{ matrix.spec.package }}
+
+      - name: Run playwright tests
+        run: yarn e2e --forbid-only
+        working-directory: ./tests/affine-legacy/${{ matrix.spec.package }}
+
+      - name: Upload test results
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-results-e2e-migration-${{ matrix.spec.package }}
+          path: ./tests/affine-legacy/${{ matrix.spec.package }}/test-results
+          if-no-files-found: ignore
+
+  unit-test:
+    name: Unit Test
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+
+      - name: Unit Test
+        run: yarn nx test:coverage @affine/monorepo
+
+      - name: Upload unit test coverage results
+        uses: codecov/codecov-action@v3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./.coverage/store/lcov.info
+          flags: unittest
+          name: affine
+          fail_ci_if_error: false

.github/workflows/cache-cleanup.yml

@@ -0,0 +1,36 @@
+# https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+name: Cleanup caches for closed branches
+
+on:
+  pull_request:
+    types:
+      - closed
+  workflow_dispatch:
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Cleanup
+        run: |
+          gh extension install actions/gh-actions-cache
+
+          REPO=${{ github.repository }}
+          BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge"
+
+          echo "Fetching list of cache key"
+          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )
+
+          ## Setting this to not fail the workflow while deleting cache keys.
+          set +e
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeysForPR
+          do
+              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+          done
+          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/cancel.yml

@@ -0,0 +1,18 @@
+name: Cancel
+on:
+  pull_request_target:
+    types:
+      - edited
+      - synchronize
+
+jobs:
+  cancel:
+    name: 'Cancel Previous Runs'
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - uses: styfle/cancel-workflow-action@0.11.0
+        with:
+          # See https://api.github.com/repos/toeverything/AFFiNE/actions/workflows
+          workflow_id: 44038251, 61883931, 65188160, 66789140
+          access_token: ${{ github.token }}

.github/workflows/codeql.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: 'CodeQL'
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+  merge_group:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript']
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/deploy-automatically.yml

@@ -1,32 +0,0 @@
-name: Deploy Automatically
-
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
-  schedule:
-    - cron: '0 9 * * *'
-
-permissions:
-  contents: write
-  pull-requests: write
-  actions: write
-
-jobs:
-  dispatch-deploy:
-    runs-on: ubuntu-latest
-    name: Setup Deploy
-    steps:
-      - name: dispatch deploy by tag
-        if: ${{ github.event_name == 'push' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: deploy.yml
-          inputs: '{ "flavor": "canary" }'
-      - name: dispatch deploy by schedule
-        if: ${{ github.event_name == 'schedule' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: deploy.yml
-          inputs: '{ "flavor": "canary" }'
-          ref: canary

.github/workflows/deploy.yml

@@ -1,157 +0,0 @@
-name: Deploy
-
-on:
-  workflow_dispatch:
-    inputs:
-      flavor:
-        description: 'Select what enverionment to deploy to'
-        type: choice
-        default: canary
-        options:
-          - canary
-          - beta
-          - stable
-          - internal
-env:
-  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-
-permissions:
-  contents: 'write'
-  id-token: 'write'
-  packages: 'write'
-
-jobs:
-  build-server-image:
-    name: Build Server Image
-    uses: ./.github/workflows/build-server-image.yml
-    with:
-      flavor: ${{ github.event.inputs.flavor }}
-
-  build-web:
-    name: Build @affine/web
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Build Core
-        run: yarn nx build @affine/web --skip-nx-cache
-        env:
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          SHOULD_REPORT_TRACE: true
-          TRACE_REPORT_ENDPOINT: ${{ secrets.TRACE_REPORT_ENDPOINT }}
-          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine-web'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-      - name: Upload web artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: web
-          path: ./packages/frontend/web/dist
-          if-no-files-found: error
-
-  build-frontend-image:
-    name: Build Frontend Image
-    runs-on: ubuntu-latest
-    needs:
-      - build-web
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download web artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: web
-          path: ./packages/frontend/web/dist
-      - name: Setup env
-        run: |
-          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-          if [ -z "${{ inputs.flavor }}" ]
-          then
-            echo "RELEASE_FLAVOR=canary" >> "$GITHUB_ENV"
-          else
-            echo "RELEASE_FLAVOR=${{ inputs.flavor }}" >> "$GITHUB_ENV"
-          fi
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          logout: false
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Build front Dockerfile
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          pull: true
-          platforms: linux/amd64,linux/arm64
-          provenance: true
-          file: .github/deployment/front/Dockerfile
-          tags: ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}
-
-  deploy:
-    name: Deploy to cluster
-    if: ${{ github.event_name == 'workflow_dispatch' }}
-    environment: ${{ github.event.inputs.flavor }}
-    needs:
-      - build-frontend-image
-      - build-server-image
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Deploy to ${{ github.event.inputs.flavor }}
-        uses: ./.github/actions/deploy
-        with:
-          build-type: ${{ github.event.inputs.flavor }}
-          gcp-project-number: ${{ secrets.GCP_PROJECT_NUMBER }}
-          gcp-project-id: ${{ secrets.GCP_PROJECT_ID }}
-          service-account: ${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}
-          cluster-name: ${{ secrets.GCP_CLUSTER_NAME }}
-          cluster-location: ${{ secrets.GCP_CLUSTER_LOCATION }}
-        env:
-          APP_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
-          CANARY_DEPLOY_HOST: ${{ secrets.CANARY_DEPLOY_HOST }}
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          CAPTCHA_TURNSTILE_SECRET: ${{ secrets.CAPTCHA_TURNSTILE_SECRET }}
-          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          COPILOT_FAL_API_KEY: ${{ secrets.COPILOT_FAL_API_KEY }}
-          COPILOT_UNSPLASH_API_KEY: ${{ secrets.COPILOT_UNSPLASH_API_KEY }}
-          MAILER_SENDER: ${{ secrets.OAUTH_EMAIL_SENDER }}
-          MAILER_USER: ${{ secrets.OAUTH_EMAIL_LOGIN }}
-          MAILER_PASSWORD: ${{ secrets.OAUTH_EMAIL_PASSWORD }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AFFINE_GOOGLE_CLIENT_ID: ${{ secrets.AFFINE_GOOGLE_CLIENT_ID }}
-          AFFINE_GOOGLE_CLIENT_SECRET: ${{ secrets.AFFINE_GOOGLE_CLIENT_SECRET }}
-          DATABASE_URL: ${{ secrets.DATABASE_URL }}
-          DATABASE_USERNAME: ${{ secrets.DATABASE_USERNAME }}
-          DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
-          DATABASE_NAME: ${{ secrets.DATABASE_NAME }}
-          GCLOUD_CONNECTION_NAME: ${{ secrets.GCLOUD_CONNECTION_NAME }}
-          GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT: ${{ secrets.GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT }}
-          REDIS_HOST: ${{ secrets.REDIS_HOST }}
-          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
-          CLOUD_SQL_IAM_ACCOUNT: ${{ secrets.CLOUD_SQL_IAM_ACCOUNT }}
-          STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
-          STRIPE_WEBHOOK_KEY: ${{ secrets.STRIPE_WEBHOOK_KEY }}
-          STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}

.github/workflows/helm-releaser.yml

@@ -2,7 +2,7 @@ name: Release Charts
 
 on:
   push:
-    branches: [canary]
+    branches: [master]
     paths:
       - '.github/helm/**/Chart.yml'
 
@@ -11,12 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
       - name: Checkout Helm chart repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           repository: toeverything/helm-charts
           path: .helm-chart-repo
@@ -24,7 +24,7 @@ jobs:
           token: ${{ secrets.HELM_RELEASER_TOKEN }}
 
       - name: Install Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v3
 
       - name: Install chart releaser
         run: |

.github/workflows/label-checker.yml

@@ -6,7 +6,7 @@ on:
       - labeled
       - unlabeled
     branches:
-      - canary
+      - master
 
 jobs:
   check_labels:

.github/workflows/languages-sync.yml

@@ -2,15 +2,15 @@ name: Languages Sync
 
 on:
   push:
-    branches: ['canary']
+    branches: ['master']
     paths:
-      - 'packages/frontend/i18n/**'
+      - 'packages/i18n/**'
       - '.github/workflows/languages-sync.yml'
       - '!.github/actions/setup-node/action.yml'
   pull_request_target:
-    branches: ['canary']
+    branches: ['master']
     paths:
-      - 'packages/frontend/i18n/**'
+      - 'packages/i18n/**'
       - '.github/workflows/languages-sync.yml'
       - '!.github/actions/setup-node/action.yml'
   workflow_dispatch:
@@ -19,17 +19,19 @@ jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
       - name: Check Language Key
-        if: github.ref != 'refs/heads/canary'
-        run: yarn workspace @affine/i18n run sync-languages:check
+        if: github.ref != 'refs/heads/master'
+        working-directory: ./packages/i18n
+        run: yarn run sync-languages:check
         env:
           TOLGEE_API_KEY: ${{ secrets.TOLGEE_API_KEY }}
 
       - name: Sync Languages
-        if: github.ref == 'refs/heads/canary'
-        run: yarn workspace @affine/i18n run sync-languages
+        if: github.ref == 'refs/heads/master'
+        working-directory: ./packages/i18n
+        run: yarn run sync-languages
         env:
           TOLGEE_API_KEY: ${{ secrets.TOLGEE_API_KEY }}

.github/workflows/nightly-build.yml

@@ -0,0 +1,225 @@
+name: Build Canary Desktop App on Staging Branch
+
+on:
+  push:
+    branches:
+      # 0.6.x-staging
+      - v[0-9]+.[0-9]+.x-staging
+      # 0.6.1-staging
+      - v[0-9]+.[0-9]+.[0-9]+-staging
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/nightly-build.yml'
+      - '!.github/actions/build-rust/action.yml'
+      - '!.github/actions/setup-rust/action.yml'
+      - '!.github/actions/setup-node/action.yml'
+
+permissions:
+  actions: write
+  contents: write
+  security-events: write
+
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for
+  # pull requests or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+env:
+  BUILD_TYPE: internal
+
+jobs:
+  set-build-version:
+    runs-on: ubuntu-latest
+    environment: production
+    outputs:
+      version: 0.0.0-internal.${{ steps.version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: toeverything/set-build-version@latest
+      - id: version
+        run: echo ::set-output name=version::${{ env.BUILD_VERSION }}
+
+  before-make:
+    runs-on: ubuntu-latest
+    environment: production
+    needs:
+      - set-build-version
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Setup @sentry/cli
+        uses: ./.github/actions/setup-sentry
+      - name: Replace Version
+        run: ./scripts/set-version.sh ${{ needs.set-build-version.outputs.version }}
+      - name: generate-assets
+        working-directory: apps/electron
+        run: yarn generate-assets
+        env:
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+          NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.NEXT_PUBLIC_SENTRY_DSN }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          RELEASE_VERSION: ${{ needs.set-build-version.outputs.version }}
+
+      - name: Upload core artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: core
+          path: apps/electron/resources/web-static
+
+  make-distribution:
+    environment: production
+    strategy:
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
+      matrix:
+        spec:
+          - runner: macos-latest
+            platform: darwin
+            arch: x64
+            target: x86_64-apple-darwin
+          - runner: macos-latest
+            platform: darwin
+            arch: arm64
+            target: aarch64-apple-darwin
+          - runner: ubuntu-latest
+            platform: linux
+            arch: x64
+            target: x86_64-unknown-linux-gnu
+          - runner: windows-latest
+            platform: win32
+            arch: x64
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.spec.runner }}
+    needs:
+      - before-make
+      - set-build-version
+    env:
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+      SKIP_GENERATE_ASSETS: 1
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-node
+      - name: Setup Maker
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-maker
+      - name: Build AFFiNE native
+        uses: ./.github/actions/build-rust
+        with:
+          target: ${{ matrix.spec.target }}
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - name: Replace Version
+        run: ./scripts/set-version.sh ${{ needs.set-build-version.outputs.version }}
+      - uses: actions/download-artifact@v3
+        with:
+          name: core
+          path: apps/electron/resources/web-static
+
+      - name: Build Plugins
+        run: yarn run build:plugins
+
+      - name: Build Desktop Layers
+        run: yarn workspace @affine/electron build
+
+      - name: Signing By Apple Developer ID
+        if: ${{ matrix.spec.platform == 'darwin' }}
+        uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
+
+      - name: make
+        run: yarn workspace @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+
+      - name: Save artifacts (mac)
+        if: ${{ matrix.spec.platform == 'darwin' }}
+        run: |
+          mkdir -p builds
+          mv apps/electron/out/*/make/*.dmg ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
+          mv apps/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
+      - name: Save artifacts (windows)
+        if: ${{ matrix.spec.platform == 'win32' }}
+        run: |
+          mkdir -p builds
+          mv apps/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.zip
+          mv apps/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.exe
+          mv apps/electron/out/*/make/squirrel.windows/x64/*.msi ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.msi
+          mv apps/electron/out/*/make/squirrel.windows/x64/*.nupkg ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.nupkg
+
+      - name: Save artifacts (linux)
+        if: ${{ matrix.spec.platform == 'linux' }}
+        run: |
+          mkdir -p builds
+          mv apps/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.zip
+          mv apps/electron/out/*/make/AppImage/x64/*.AppImage ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.AppImage
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
+          path: builds
+
+  release:
+    needs:
+      - make-distribution
+      - set-build-version
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download Artifacts (macos-x64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-darwin-x64-builds
+          path: ./
+      - name: Download Artifacts (macos-arm64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-darwin-arm64-builds
+          path: ./
+      - name: Download Artifacts (windows-x64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-win32-x64-builds
+          path: ./
+      - name: Download Artifacts (linux-x64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-linux-x64-builds
+          path: ./
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: Generate Release yml
+        run: |
+          cp ./apps/electron/scripts/generate-yml.js .
+          node generate-yml.js
+        env:
+          RELEASE_VERSION: ${{ needs.set-build-version.outputs.version }}
+      - name: Create Release Draft
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        with:
+          repository: 'toeverything/AFFiNE-Releases'
+          name: ${{ needs.set-build-version.outputs.version }}
+          tag_name: ${{ needs.set-build-version.outputs.version }}
+          prerelease: true
+          files: |
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.nupkg
+            ./RELEASES
+            ./*.AppImage
+            ./*.apk
+            ./*.yml

.github/workflows/nx.yml

@@ -0,0 +1,54 @@
+name: NX
+
+on:
+  push:
+    branches:
+      - master
+      - v[0-9]+.[0-9]+.x-staging
+      - v[0-9]+.[0-9]+.x
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/nx.yml'
+      - '!.github/actions/build-rust/action.yml'
+      - '!.github/actions/setup-node/action.yml'
+  pull_request:
+  merge_group:
+    branches:
+      - master
+      - v[0-9]+.[0-9]+.x-staging
+      - v[0-9]+.[0-9]+.x
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/nx.yml'
+      - '!.github/actions/build-rust/action.yml'
+      - '!.github/actions/setup-node/action.yml'
+
+jobs:
+  main:
+    name: Nx Cloud - Main Job
+    uses: nrwl/ci/.github/workflows/nx-cloud-main.yml@v0.13.0
+    with:
+      runs-on: macos-latest
+      main-branch-name: master
+      number-of-agents: 5
+      init-commands: |
+        yarn exec nx-cloud start-ci-run --stop-agents-after="build" --agent-count=5
+      environment-variables: |
+        BUILD_TYPE=canary
+      #      parallel-commands: |
+      #        yarn exec nx-cloud record -- yarn exec nx format:check
+      parallel-commands-on-agents: |
+        yarn exec nx affected --target=build --parallel=5
+      timeout: 60
+
+  agents:
+    name: Nx Cloud - Agents
+    uses: nrwl/ci/.github/workflows/nx-cloud-agents.yml@v0.13.0
+    with:
+      runs-on: macos-latest
+      number-of-agents: 5
+      environment-variables: |
+        BUILD_TYPE=canary
+      timeout: 60

.github/workflows/pr-auto-assign.yml

@@ -9,4 +9,4 @@ jobs:
   add-reviews:
     runs-on: ubuntu-latest
     steps:
-      - uses: kentaro-m/auto-assign-action@v2.0.0
+      - uses: kentaro-m/auto-assign-action@v1.2.4

.github/workflows/pr-title-lint.yml

@@ -7,7 +7,7 @@ on:
       - edited
       - synchronize
     branches:
-      - canary
+      - master
 
 permissions:
   contents: read
@@ -17,15 +17,7 @@ jobs:
     name: Check pull request title
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          cache: 'yarn'
-          node-version-file: '.nvmrc'
-      - name: Install dependencies
-        run: yarn workspaces focus @affine/commitlint-config
-      - name: Check PR title
-        env:
-          TITLE: ${{ github.event.pull_request.title }}
-        run: echo "$TITLE" | yarn workspace @affine/commitlint-config commitlint -g ./.commitlintrc.json
+        uses: ./.github/actions/setup-node
+      - run: echo "${{ github.event.pull_request.title }}" | npx commitlint -g ./.commitlintrc.json

.github/workflows/publish-storybook.yml

@@ -0,0 +1,38 @@
+name: Publish Storybook
+
+on:
+  push:
+    branches:
+      - master
+  pull_request_target:
+    branches:
+      - master
+    paths-ignore:
+      - README.md
+      - .github/**
+      - '!.github/workflows/publish-storybook.yml'
+
+jobs:
+  publish-storybook:
+    name: Publish Storybook
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
+          # This is required to fetch all commits for chromatic
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - name: Build Plugins
+        run: yarn run build:plugins
+      - name: Publish to Chromatic
+        uses: chromaui/action@v1
+        with:
+          workingDir: apps/storybook
+          buildScriptName: build
+          onlyChanged: true
+          projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}

.github/workflows/release-desktop-app.yml

@@ -0,0 +1,365 @@
+name: Release Desktop App
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: App Version
+        required: true
+        default: 0.0.0
+      is-draft:
+        description: 'Draft Release?'
+        type: boolean
+        required: true
+        default: true
+      is-pre-release:
+        description: 'Pre Release? (labeled as "PreRelease")'
+        type: boolean
+        required: true
+        default: true
+      build-type:
+        description: 'Build Type (canary, beta or stable)'
+        type: string
+        required: true
+        default: canary
+
+permissions:
+  actions: write
+  contents: write
+  security-events: write
+
+env:
+  BUILD_TYPE: ${{ github.event.inputs.build-type || (github.ref_type == 'tag' && contains(github.ref, 'canary') && 'canary') }}
+  DEBUG: napi:*
+  APP_NAME: affine
+  MACOSX_DEPLOYMENT_TARGET: '10.13'
+
+jobs:
+  before-make:
+    runs-on: ubuntu-latest
+    environment: production
+    outputs:
+      RELEASE_VERSION: ${{ steps.get-canary-version.outputs.RELEASE_VERSION }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Setup @sentry/cli
+        uses: ./.github/actions/setup-sentry
+      - name: Get canary version
+        id: get-canary-version
+        if: ${{ github.ref_type == 'tag' }}
+        run: |
+          TAG_VERSION=${GITHUB_REF#refs/tags/v}
+          PACKAGE_VERSION=$(node -p "require('./apps/electron/package.json').version")
+          if [ "$TAG_VERSION" != "$PACKAGE_VERSION" ]; then
+            echo "Tag version ($TAG_VERSION) does not match package.json version ($PACKAGE_VERSION)"
+            exit 1
+          fi
+          echo "RELEASE_VERSION=$(node -p "require('./apps/electron/package.json').version")" >> $GITHUB_OUTPUT
+      - name: generate-assets
+        run: yarn workspace @affine/electron generate-assets
+        env:
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          RELEASE_VERSION: ${{ github.event.inputs.version || steps.get-canary-version.outputs.RELEASE_VERSION }}
+
+      - name: Upload core artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: core
+          path: apps/electron/resources/web-static
+
+  make-distribution:
+    environment: production
+    strategy:
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
+      matrix:
+        spec:
+          - runner: macos-latest
+            platform: darwin
+            arch: x64
+            target: x86_64-apple-darwin
+          - runner: macos-latest
+            platform: darwin
+            arch: arm64
+            target: aarch64-apple-darwin
+          - runner: ubuntu-latest
+            platform: linux
+            arch: x64
+            target: x86_64-unknown-linux-gnu
+    runs-on: ${{ matrix.spec.runner }}
+    needs: before-make
+    env:
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+      SKIP_GENERATE_ASSETS: 1
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-node
+      - name: Setup Maker
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-maker
+      - name: Build AFFiNE native
+        uses: ./.github/actions/build-rust
+        with:
+          target: ${{ matrix.spec.target }}
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - uses: actions/download-artifact@v3
+        with:
+          name: core
+          path: apps/electron/resources/web-static
+
+      - name: Build Plugins
+        run: yarn run build:plugins
+
+      - name: Build Desktop Layers
+        run: yarn workspace @affine/electron build
+
+      - name: Signing By Apple Developer ID
+        if: ${{ matrix.spec.platform == 'darwin' }}
+        uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
+
+      - name: make
+        run: yarn workspace @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+
+      - name: Save artifacts (mac)
+        if: ${{ matrix.spec.platform == 'darwin' }}
+        run: |
+          mkdir -p builds
+          mv apps/electron/out/*/make/*.dmg ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
+          mv apps/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
+      - name: Save artifacts (linux)
+        if: ${{ matrix.spec.platform == 'linux' }}
+        run: |
+          mkdir -p builds
+          mv apps/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.zip
+          mv apps/electron/out/*/make/AppImage/x64/*.AppImage ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.AppImage
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
+          path: builds
+
+  package-distribution-windows:
+    environment: production
+    strategy:
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
+      matrix:
+        spec:
+          - runner: windows-latest
+            platform: win32
+            arch: x64
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.spec.runner }}
+    needs: before-make
+    outputs:
+      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
+    env:
+      SKIP_GENERATE_ASSETS: 1
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-node
+      - name: Setup Maker
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-maker
+      - name: Build AFFiNE native
+        uses: ./.github/actions/build-rust
+        with:
+          target: ${{ matrix.spec.target }}
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - uses: actions/download-artifact@v3
+        with:
+          name: core
+          path: apps/electron/resources/web-static
+
+      - name: Build Plugins
+        run: yarn run build:plugins
+
+      - name: Build Desktop Layers
+        run: yarn workspace @affine/electron build
+
+      - name: package
+        run: yarn workspace @affine/electron package --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+
+      - name: get all files to be signed
+        id: get_files_to_be_signed
+        run: |
+          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path apps/electron/out -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\apps\electron\out\', '') + '"' }) -join ' ')
+          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
+          echo $FILES_TO_BE_SIGNED
+
+      - name: Zip artifacts for faster upload
+        run: Compress-Archive -CompressionLevel Fastest -Path apps/electron/out/* -DestinationPath archive.zip
+
+      - name: Save packaged artifacts for signing
+        uses: actions/upload-artifact@v3
+        with:
+          name: packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
+          path: |
+            archive.zip
+            !**/*.map
+
+  sign-packaged-artifacts-windows:
+    needs: package-distribution-windows
+    uses: ./.github/workflows/windows-signer.yml
+    with:
+      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED }}
+      artifact-name: packaged-win32-x64
+
+  make-windows-installer:
+    environment: production
+    needs: sign-packaged-artifacts-windows
+    strategy:
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
+      matrix:
+        spec:
+          - runner: windows-latest
+            platform: win32
+            arch: x64
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.spec.runner }}
+    outputs:
+      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-node
+      - name: Download and overwrite packaged artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: signed-packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
+          path: .
+      - name: unzip file
+        run: Expand-Archive -Path signed.zip -DestinationPath apps/electron/out
+
+      - name: Make squirrel.windows installer
+        run: yarn workspace @affine/electron make-squirrel --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+
+      - name: Zip artifacts for faster upload
+        run: Compress-Archive -CompressionLevel Fastest -Path apps/electron/out/${{ env.BUILD_TYPE }}/make/* -DestinationPath archive.zip
+
+      - name: get all files to be signed
+        id: get_files_to_be_signed
+        run: |
+          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path apps/electron/out/${{ env.BUILD_TYPE }}/make -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\apps\electron\out\${{ env.BUILD_TYPE }}\make\', '') + '"' }) -join ' ')
+          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
+          echo $FILES_TO_BE_SIGNED
+
+      - name: Save installer for signing
+        uses: actions/upload-artifact@v3
+        with:
+          name: installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
+          path: archive.zip
+
+  sign-installer-artifacts-windows:
+    needs: make-windows-installer
+    uses: ./.github/workflows/windows-signer.yml
+    with:
+      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED }}
+      artifact-name: installer-win32-x64
+
+  finalize-installer-windows:
+    environment: production
+    needs: sign-installer-artifacts-windows
+    strategy:
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
+      matrix:
+        spec:
+          - runner: windows-latest
+            platform: win32
+            arch: x64
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.spec.runner }}
+    steps:
+      - name: Download and overwrite installer artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: signed-installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
+          path: .
+      - name: unzip file
+        run: Expand-Archive -Path signed.zip -DestinationPath apps/electron/out/${{ env.BUILD_TYPE }}/make
+
+      - name: Save artifacts
+        run: |
+          mkdir -p builds
+          mv apps/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.zip
+          mv apps/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.exe
+          mv apps/electron/out/*/make/squirrel.windows/x64/*.msi ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.msi
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
+          path: builds
+
+  release:
+    needs: [before-make, make-distribution, finalize-installer-windows]
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download Artifacts (macos-x64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-darwin-x64-builds
+          path: ./
+      - name: Download Artifacts (macos-arm64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-darwin-arm64-builds
+          path: ./
+      - name: Download Artifacts (windows-x64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-win32-x64-builds
+          path: ./
+      - name: Download Artifacts (linux-x64)
+        uses: actions/download-artifact@v3
+        with:
+          name: affine-linux-x64-builds
+          path: ./
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: Generate Release yml
+        run: |
+          cp ./apps/electron/scripts/generate-yml.js .
+          node generate-yml.js
+        env:
+          RELEASE_VERSION: ${{ github.event.inputs.version || needs.before-make.outputs.RELEASE_VERSION }}
+      - name: Create Release Draft
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        with:
+          name: ${{ github.event.inputs.version || needs.before-make.outputs.RELEASE_VERSION }}
+          body: ''
+          draft: ${{ github.event.inputs.is-draft || true }}
+          prerelease: ${{ github.event.inputs.is-pre-release || needs.before-make.outputs.version }}
+          files: |
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.AppImage
+            ./*.apk
+            ./*.yml

.github/workflows/release-desktop-automatically.yml

@@ -1,32 +0,0 @@
-name: Release Desktop Automatically
-
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
-  schedule:
-    - cron: '0 9 * * *'
-
-permissions:
-  contents: write
-  pull-requests: write
-  actions: write
-
-jobs:
-  dispatch-release-desktop:
-    runs-on: ubuntu-latest
-    name: Setup Release Desktop
-    steps:
-      - name: dispatch desktop release by tag
-        if: ${{ github.event_name == 'push' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: release-desktop.yml
-          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
-      - name: dispatch desktop release by schedule
-        if: ${{ github.event_name == 'schedule' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: release-desktop.yml
-          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
-          ref: canary

.github/workflows/release-desktop.yml

@@ -1,410 +0,0 @@
-name: Release Desktop App
-
-on:
-  workflow_dispatch:
-    inputs:
-      build-type:
-        description: 'Build Type'
-        type: choice
-        required: true
-        default: canary
-        options:
-          - canary
-          - beta
-          - stable
-      is-draft:
-        description: 'Draft Release?'
-        type: boolean
-        required: true
-        default: true
-      is-pre-release:
-        description: 'Pre Release? (labeled as "PreRelease")'
-        type: boolean
-        required: true
-        default: true
-
-permissions:
-  actions: write
-  contents: write
-  security-events: write
-
-env:
-  BUILD_TYPE: ${{ github.event.inputs.build-type }}
-  DEBUG: napi:*
-  APP_NAME: affine
-  MACOSX_DEPLOYMENT_TARGET: '10.13'
-
-jobs:
-  before-make:
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.build-type }}
-    outputs:
-      RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: generate-assets
-        run: yarn workspace @affine/electron generate-assets
-        env:
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-          SKIP_NX_CACHE: 'true'
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-
-      - name: Upload web artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: web
-          path: packages/frontend/electron/resources/web-static
-
-  make-distribution:
-    strategy:
-      matrix:
-        spec:
-          - runner: macos-14
-            platform: darwin
-            arch: x64
-            target: x86_64-apple-darwin
-          - runner: macos-14
-            platform: darwin
-            arch: arm64
-            target: aarch64-apple-darwin
-          - runner: ubuntu-latest
-            platform: linux
-            arch: x64
-            target: x86_64-unknown-linux-gnu
-    runs-on: ${{ matrix.spec.runner }}
-    needs: before-make
-    env:
-      APPLE_ID: ${{ secrets.APPLE_ID }}
-      APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
-      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-      SKIP_GENERATE_ASSETS: 1
-      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-      SENTRY_PROJECT: 'affine'
-      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        timeout-minutes: 10
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo
-          hard-link-nm: false
-          nmHoistingLimits: workspaces
-          enableScripts: false
-      - name: Build AFFiNE native
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.spec.target }}
-          package: '@affine/native'
-          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - uses: actions/download-artifact@v4
-        with:
-          name: web
-          path: packages/frontend/electron/resources/web-static
-
-      - name: Build Desktop Layers
-        run: yarn workspace @affine/electron build
-
-      - name: Signing By Apple Developer ID
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        uses: apple-actions/import-codesign-certs@v3
-        with:
-          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
-          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
-
-      - name: Install fuse on Linux (for patching AppImage)
-        if: ${{ matrix.spec.platform == 'linux' }}
-        run: |
-          sudo add-apt-repository universe
-          sudo apt install libfuse2 -y
-
-      - name: make
-        run: yarn workspace @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-        env:
-          SKIP_WEB_BUILD: 1
-          HOIST_NODE_MODULES: 1
-
-      - name: signing DMG
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        run: |
-          codesign --force --sign "Developer ID Application: TOEVERYTHING PTE. LTD." packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make/AFFiNE.dmg
-
-      - name: Save artifacts (mac)
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        run: |
-          mkdir -p builds
-          mv packages/frontend/electron/out/*/make/*.dmg ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
-          mv packages/frontend/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
-      - name: Save artifacts (linux)
-        if: ${{ matrix.spec.platform == 'linux' }}
-        run: |
-          mkdir -p builds
-          mv packages/frontend/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
-          mv packages/frontend/electron/out/*/make/*.AppImage ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
-
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
-          path: builds
-
-  package-distribution-windows:
-    strategy:
-      matrix:
-        spec:
-          - runner: windows-latest
-            platform: win32
-            arch: x64
-            target: x86_64-pc-windows-msvc
-    runs-on: ${{ matrix.spec.runner }}
-    needs: before-make
-    outputs:
-      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
-    env:
-      SKIP_GENERATE_ASSETS: 1
-      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-      SENTRY_PROJECT: 'affine'
-      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        timeout-minutes: 10
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo
-          hard-link-nm: false
-          nmHoistingLimits: workspaces
-      - name: Build AFFiNE native
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.spec.target }}
-          package: '@affine/native'
-          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      - uses: actions/download-artifact@v4
-        with:
-          name: web
-          path: packages/frontend/electron/resources/web-static
-
-      - name: Build Desktop Layers
-        run: yarn workspace @affine/electron build
-
-      - name: package
-        run: yarn workspace @affine/electron package --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-        env:
-          SKIP_WEB_BUILD: 1
-          HOIST_NODE_MODULES: 1
-
-      - name: get all files to be signed
-        id: get_files_to_be_signed
-        run: |
-          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/electron/out -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\electron\out\', '') + '"' }) -join ' ')
-          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
-          echo $FILES_TO_BE_SIGNED
-
-      - name: Zip artifacts for faster upload
-        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/* -DestinationPath archive.zip
-
-      - name: Save packaged artifacts for signing
-        uses: actions/upload-artifact@v4
-        with:
-          name: packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
-          path: |
-            archive.zip
-            !**/*.map
-
-  sign-packaged-artifacts-windows:
-    needs: package-distribution-windows
-    uses: ./.github/workflows/windows-signer.yml
-    with:
-      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED }}
-      artifact-name: packaged-win32-x64
-
-  make-windows-installer:
-    needs: sign-packaged-artifacts-windows
-    strategy:
-      matrix:
-        spec:
-          - runner: windows-latest
-            platform: win32
-            arch: x64
-            target: x86_64-pc-windows-msvc
-    runs-on: ${{ matrix.spec.runner }}
-    outputs:
-      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        timeout-minutes: 10
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo
-          hard-link-nm: false
-          nmHoistingLimits: workspaces
-      - name: Download and overwrite packaged artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: signed-packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
-          path: .
-      - name: unzip file
-        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/electron/out
-
-      - name: Make squirrel.windows installer
-        run: yarn workspace @affine/electron make-squirrel --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-
-      - name: Make nsis.windows installer
-        run: yarn workspace @affine/electron make-nsis --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-
-      - name: Zip artifacts for faster upload
-        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make/* -DestinationPath archive.zip
-
-      - name: get all files to be signed
-        id: get_files_to_be_signed
-        run: |
-          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\electron\out\${{ env.BUILD_TYPE }}\make\', '') + '"' }) -join ' ')
-          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
-          echo $FILES_TO_BE_SIGNED
-
-      - name: Save installer for signing
-        uses: actions/upload-artifact@v4
-        with:
-          name: installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
-          path: archive.zip
-
-  sign-installer-artifacts-windows:
-    needs: make-windows-installer
-    uses: ./.github/workflows/windows-signer.yml
-    with:
-      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED }}
-      artifact-name: installer-win32-x64
-
-  finalize-installer-windows:
-    needs: [sign-installer-artifacts-windows, before-make]
-    strategy:
-      matrix:
-        spec:
-          - runner: windows-latest
-            platform: win32
-            arch: x64
-            target: x86_64-pc-windows-msvc
-    runs-on: ${{ matrix.spec.runner }}
-    steps:
-      - name: Download and overwrite installer artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: signed-installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
-          path: .
-      - name: unzip file
-        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make
-
-      - name: Save artifacts
-        run: |
-          mkdir -p builds
-          mv packages/frontend/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.zip
-          mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.exe
-          mv packages/frontend/electron/out/*/make/nsis.windows/x64/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-x64.nsis.exe
-
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
-          path: builds
-
-  release:
-    needs: [before-make, make-distribution, finalize-installer-windows]
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
-        with:
-          name: web
-          path: web-static
-      - name: Zip web-static
-        run: zip -r web-static.zip web-static
-      - name: Download Artifacts (macos-x64)
-        uses: actions/download-artifact@v4
-        with:
-          name: affine-darwin-x64-builds
-          path: ./
-      - name: Download Artifacts (macos-arm64)
-        uses: actions/download-artifact@v4
-        with:
-          name: affine-darwin-arm64-builds
-          path: ./
-      - name: Download Artifacts (windows-x64)
-        uses: actions/download-artifact@v4
-        with:
-          name: affine-win32-x64-builds
-          path: ./
-      - name: Download Artifacts (linux-x64)
-        uses: actions/download-artifact@v4
-        with:
-          name: affine-linux-x64-builds
-          path: ./
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 18
-      - name: Generate Release yml
-        run: |
-          node ./packages/frontend/electron/scripts/generate-yml.js
-        env:
-          RELEASE_VERSION: ${{ needs.before-make.outputs.RELEASE_VERSION }}
-      - name: Create Release Draft
-        if: ${{ github.ref_type == 'tag' }}
-        uses: softprops/action-gh-release@v2
-        with:
-          name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
-          body: ''
-          draft: ${{ github.event.inputs.is-draft }}
-          prerelease: ${{ github.event.inputs.is-pre-release }}
-          files: |
-            ./VERSION
-            ./*.zip
-            ./*.dmg
-            ./*.exe
-            ./*.appimage
-            ./*.apk
-            ./*.yml
-      - name: Create Nightly Release Draft
-        if: ${{ github.ref_type == 'branch' }}
-        uses: softprops/action-gh-release@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        with:
-          # Temporarily, treat release from branch as nightly release, artifact saved to AFFiNE-Releases.
-          # Need to improve internal build and nightly release logic.
-          repository: 'toeverything/AFFiNE-Releases'
-          name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
-          tag_name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
-          body: ''
-          draft: false
-          prerelease: true
-          files: |
-            ./VERSION
-            ./*.zip
-            ./*.dmg
-            ./*.exe
-            ./*.appimage
-            ./*.apk
-            ./*.yml

.github/workflows/release.yml

@@ -0,0 +1,165 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - master
+
+env:
+  BUILD_TYPE: stable
+  APP_NAME: affine
+  COVERAGE: false
+  DISTRIBUTION: browser
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+jobs:
+  release:
+    name: Try publishing npm@latest release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Try publishing to NPM
+        run: ./scripts/publish.sh
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  build-core:
+    name: Build @affine/core
+    runs-on: ubuntu-latest
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Plugins
+        run: yarn run build:plugins
+      - name: Build Core
+        run: yarn nx build @affine/core
+      - name: Upload core artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: core
+          path: ./apps/core/dist
+          if-no-files-found: error
+
+  build-server:
+    name: Build Server
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - name: Build Server
+        run: yarn nx build @affine/server
+      - name: Upload server dist
+        uses: actions/upload-artifact@v3
+        with:
+          name: server-dist
+          path: ./apps/server/dist
+          if-no-files-found: error
+
+  build-storage:
+    name: Build Storage
+    runs-on: ubuntu-latest
+    env:
+      RUSTFLAGS: '-C debuginfo=1'
+    environment: development
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Setup Rust
+        uses: ./.github/actions/setup-rust
+        with:
+          target: 'x86_64-unknown-linux-gnu'
+      - name: Build Storage
+        run: yarn build:storage
+      - name: Upload storage.node
+        uses: actions/upload-artifact@v3
+        with:
+          name: storage.node
+          path: ./packages/storage/storage.node
+          if-no-files-found: error
+
+  build-docker:
+    if: github.ref == 'refs/heads/master'
+    name: Build Docker
+    runs-on: ubuntu-latest
+    needs:
+      - build-server
+      - build-core
+      - build-storage
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download core artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: core
+          path: ./apps/core/dist
+      - name: Download server dist
+        uses: actions/download-artifact@v3
+        with:
+          name: server-dist
+          path: ./apps/server/dist
+      - name: Download storage.node
+        uses: actions/download-artifact@v3
+        with:
+          name: storage.node
+          path: ./apps/server
+      - name: Setup Git short hash
+        run: |
+          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          logout: false
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build front Dockerfile
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: true
+          pull: true
+          platforms: linux/amd64,linux/arm64
+          provenance: true
+          file: .github/deployment/front/Dockerfile
+          tags: ghcr.io/toeverything/affine-front:${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-front:latest
+
+      # setup node without cache configuration
+      # Prisma cache is not compatible with docker build cache
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version-file: '.nvmrc'
+          registry-url: https://npm.pkg.github.com
+          scope: '@toeverything'
+
+      - name: Install Node.js dependencies
+        run: yarn workspaces focus @affine/server --production
+
+      - name: Generate Prisma client
+        run: yarn workspace @affine/server prisma generate
+
+      - name: Build graphql Dockerfile
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: true
+          pull: true
+          platforms: linux/amd64,linux/arm64
+          provenance: true
+          file: .github/deployment/node/Dockerfile
+          tags: ghcr.io/toeverything/affine-graphql:${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-graphql:latest