chore: yarn dedupe

- use correctly endpoint in r2
- consume blob stream correctly

.cargo/config.toml

@@ -1,14 +1,2 @@
 [target.x86_64-pc-windows-msvc]
 rustflags = ["-C", "target-feature=+crt-static"]
-[target.aarch64-pc-windows-msvc]
-rustflags = ["-C", "target-feature=+crt-static"]
-[target.'cfg(target_os = "linux")']
-rustflags = ["-C", "link-args=-Wl,--warn-unresolved-symbols"]
-[target.'cfg(target_os = "macos")']
-rustflags = ["-C", "link-args=-all_load", "-C", "link-args=-weak_framework ScreenCaptureKit"]
-# https://sourceware.org/bugzilla/show_bug.cgi?id=21032
-# https://sourceware.org/bugzilla/show_bug.cgi?id=21031
-# https://github.com/rust-lang/rust/issues/134820
-# pthread_key_create() destructors and segfault after a DSO unloading
-[target.'cfg(all(target_env = "gnu", not(target_os = "windows")))']
-rustflags = ["-C", "link-args=-Wl,-z,nodelete"]

.devcontainer/Dockerfile

@@ -1,6 +1,5 @@
 FROM mcr.microsoft.com/devcontainers/base:bookworm
 
-USER vscode
 # Install Homebrew For Linux
 RUN /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" && \
     eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" && \

.devcontainer/build.sh

@@ -8,8 +8,5 @@ corepack prepare yarn@stable --activate
 # install dependencies
 yarn install
 
-# Build Server Dependencies
-yarn affine @affine/server-native build
-
 # Create database
-yarn affine @affine/server prisma migrate reset -f
+yarn workspace @affine/server prisma db push

.devcontainer/docker-compose.yml

@@ -11,10 +11,9 @@ services:
     network_mode: service:db
     environment:
       DATABASE_URL: postgresql://affine:affine@db:5432/affine
-      REDIS_SERVER_HOST: redis
 
   db:
-    image: pgvector/pgvector:pg16
+    image: postgres:latest
     restart: unless-stopped
     volumes:
       - postgres-data:/var/lib/postgresql/data
@@ -22,10 +21,6 @@ services:
       POSTGRES_PASSWORD: affine
       POSTGRES_USER: affine
       POSTGRES_DB: affine
-  redis:
-    image: redis
-    ports:
-      - 6379:6379
 
 volumes:
   postgres-data:

.devcontainer/setup-user.sh

@@ -1,9 +1,7 @@
-set -e
-
 if [ -v GRAPHITE_TOKEN ];then
     gt auth --token $GRAPHITE_TOKEN
 fi
 
-git fetch origin canary:canary --depth=1
+git fetch
 git branch canary -t origin/canary
 gt init --trunk canary

.docker/dev/.env.example

@@ -1,6 +0,0 @@
-# postgres major version
-DB_VERSION=16
-# database credentials
-DB_PASSWORD=affine
-DB_USERNAME=affine
-DB_DATABASE_NAME=affine

.docker/dev/.gitignore

@@ -1,3 +0,0 @@
-postgres
-.env
-compose.yml

.docker/dev/compose.yml.example

@@ -1,31 +0,0 @@
-name: affine_dev_services
-services:
-  postgres:
-    env_file:
-      - .env
-    image: pgvector/pgvector:pg${DB_VERSION:-16}
-    ports:
-      - 5432:5432
-    environment:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_DB: ${DB_DATABASE_NAME}
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-
-  redis:
-    image: redis:latest
-    ports:
-      - 6379:6379
-
-  mailhog:
-    image: mailhog/mailhog:latest
-    ports:
-      - 1025:1025
-      - 8025:8025
-
-networks:
-  dev:
-
-volumes:
-  postgres_data:

.docker/selfhost/.env.example

@@ -1,23 +0,0 @@
-# select a revision to deploy, available values: stable, beta, canary
-AFFINE_REVISION=stable
-
-# set the port for the server container it will expose the server on
-PORT=3010
-
-# set the host for the server for outgoing links
-# AFFINE_SERVER_HTTPS=true
-# AFFINE_SERVER_HOST=affine.yourdomain.com
-# or 
-# AFFINE_SERVER_EXTERNAL_URL=https://affine.yourdomain.com
-
-# position of the database data to persist
-DB_DATA_LOCATION=~/.affine/self-host/postgres/pgdata
-# position of the upload data(images, files, etc.) to persist
-UPLOAD_LOCATION=~/.affine/self-host/storage
-# position of the configuration files to persist
-CONFIG_LOCATION=~/.affine/self-host/config
-
-# database credentials
-DB_USERNAME=affine
-DB_PASSWORD=
-DB_DATABASE=affine

.docker/selfhost/compose.yml

@@ -1,74 +0,0 @@
-name: affine
-services:
-  affine:
-    image: ghcr.io/toeverything/affine-graphql:${AFFINE_REVISION:-stable}
-    container_name: affine_server
-    ports:
-      - '${PORT:-3010}:3010'
-    depends_on:
-      redis:
-        condition: service_healthy
-      postgres:
-        condition: service_healthy
-      affine_migration:
-        condition: service_completed_successfully
-    volumes:
-      # custom configurations
-      - ${UPLOAD_LOCATION}:/root/.affine/storage
-      - ${CONFIG_LOCATION}:/root/.affine/config
-    env_file:
-      - .env
-    environment:
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgresql://${DB_USERNAME}:${DB_PASSWORD}@postgres:5432/${DB_DATABASE:-affine}
-    restart: unless-stopped
-
-  affine_migration:
-    image: ghcr.io/toeverything/affine-graphql:${AFFINE_REVISION:-stable}
-    container_name: affine_migration_job
-    volumes:
-      # custom configurations
-      - ${UPLOAD_LOCATION}:/root/.affine/storage
-      - ${CONFIG_LOCATION}:/root/.affine/config
-    command: ['sh', '-c', 'node ./scripts/self-host-predeploy.js']
-    env_file:
-      - .env
-    environment:
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgresql://${DB_USERNAME}:${DB_PASSWORD}@postgres:5432/${DB_DATABASE:-affine}
-    depends_on:
-      postgres:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
-
-  redis:
-    image: redis
-    container_name: redis
-    healthcheck:
-      test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping']
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    restart: unless-stopped
-
-  postgres:
-    image: postgres:16
-    container_name: postgres
-    volumes:
-      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
-    environment:
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_DB: ${DB_DATABASE:-affine}
-      POSTGRES_INITDB_ARGS: '--data-checksums'
-      # you better set a password for you database
-      # or you may add 'POSTGRES_HOST_AUTH_METHOD=trust' to ignore postgres security policy
-      POSTGRES_HOST_AUTH_METHOD: trust
-    healthcheck:
-      test:
-        ['CMD', 'pg_isready', '-U', "${DB_USERNAME}", '-d', "${DB_DATABASE:-affine}"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    restart: unless-stopped

.docker/selfhost/schema.json

@@ -1,900 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "AFFiNE Application Configuration",
-  "type": "object",
-  "properties": {
-    "redis": {
-      "type": "object",
-      "description": "Configuration for redis module",
-      "properties": {
-        "db": {
-          "type": "number",
-          "description": "The database index of redis server to be used(Must be less than 10).\n@default 0\n@environment `REDIS_DATABASE`",
-          "default": 0
-        },
-        "host": {
-          "type": "string",
-          "description": "The host of the redis server.\n@default \"localhost\"\n@environment `REDIS_HOST`",
-          "default": "localhost"
-        },
-        "port": {
-          "type": "number",
-          "description": "The port of the redis server.\n@default 6379\n@environment `REDIS_PORT`",
-          "default": 6379
-        },
-        "username": {
-          "type": "string",
-          "description": "The username of the redis server.\n@default \"\"\n@environment `REDIS_USERNAME`",
-          "default": ""
-        },
-        "password": {
-          "type": "string",
-          "description": "The password of the redis server.\n@default \"\"\n@environment `REDIS_PASSWORD`",
-          "default": ""
-        },
-        "ioredis": {
-          "type": "object",
-          "description": "The config for the ioredis client.\n@default {}\n@link https://github.com/luin/ioredis",
-          "default": {}
-        }
-      }
-    },
-    "metrics": {
-      "type": "object",
-      "description": "Configuration for metrics module",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-          "description": "Enable metric and tracing collection\n@default false",
-          "default": false
-        }
-      }
-    },
-    "graphql": {
-      "type": "object",
-      "description": "Configuration for graphql module",
-      "properties": {
-        "apolloDriverConfig": {
-          "type": "object",
-          "description": "The config for underlying nestjs GraphQL and apollo driver engine.\n@default {\"buildSchemaOptions\":{\"numberScalarMode\":\"integer\"},\"useGlobalPrefix\":true,\"playground\":true,\"introspection\":true,\"sortSchema\":true}\n@link https://docs.nestjs.com/graphql/quick-start",
-          "default": {
-            "buildSchemaOptions": {
-              "numberScalarMode": "integer"
-            },
-            "useGlobalPrefix": true,
-            "playground": true,
-            "introspection": true,
-            "sortSchema": true
-          }
-        }
-      }
-    },
-    "crypto": {
-      "type": "object",
-      "description": "Configuration for crypto module",
-      "properties": {
-        "privateKey": {
-          "type": "string",
-          "description": "The private key for used by the crypto module to create signed tokens or encrypt data.\n@default \"\"\n@environment `AFFINE_PRIVATE_KEY`",
-          "default": ""
-        }
-      }
-    },
-    "job": {
-      "type": "object",
-      "description": "Configuration for job module",
-      "properties": {
-        "queue": {
-          "type": "object",
-          "description": "The config for job queues\n@default {\"prefix\":\"affine_job\",\"defaultJobOptions\":{\"attempts\":5,\"removeOnComplete\":true,\"removeOnFail\":{\"age\":86400,\"count\":500}}}\n@link https://api.docs.bullmq.io/interfaces/v5.QueueOptions.html",
-          "default": {
-            "prefix": "affine_job",
-            "defaultJobOptions": {
-              "attempts": 5,
-              "removeOnComplete": true,
-              "removeOnFail": {
-                "age": 86400,
-                "count": 500
-              }
-            }
-          }
-        },
-        "worker": {
-          "type": "object",
-          "description": "The config for job workers\n@default {\"defaultWorkerOptions\":{}}\n@link https://api.docs.bullmq.io/interfaces/v5.WorkerOptions.html",
-          "default": {
-            "defaultWorkerOptions": {}
-          }
-        },
-        "queues.copilot": {
-          "type": "object",
-          "description": "The config for copilot job queue\n@default {\"concurrency\":1}",
-          "properties": {
-            "concurrency": {
-              "type": "number"
-            }
-          },
-          "default": {
-            "concurrency": 1
-          }
-        },
-        "queues.doc": {
-          "type": "object",
-          "description": "The config for doc job queue\n@default {\"concurrency\":1}",
-          "properties": {
-            "concurrency": {
-              "type": "number"
-            }
-          },
-          "default": {
-            "concurrency": 1
-          }
-        },
-        "queues.notification": {
-          "type": "object",
-          "description": "The config for notification job queue\n@default {\"concurrency\":10}",
-          "properties": {
-            "concurrency": {
-              "type": "number"
-            }
-          },
-          "default": {
-            "concurrency": 10
-          }
-        },
-        "queues.nightly": {
-          "type": "object",
-          "description": "The config for nightly job queue\n@default {\"concurrency\":1}",
-          "properties": {
-            "concurrency": {
-              "type": "number"
-            }
-          },
-          "default": {
-            "concurrency": 1
-          }
-        }
-      }
-    },
-    "throttle": {
-      "type": "object",
-      "description": "Configuration for throttle module",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-          "description": "Whether the throttler is enabled.\n@default true",
-          "default": true
-        },
-        "throttlers.default": {
-          "type": "object",
-          "description": "The config for the default throttler.\n@default {\"ttl\":60,\"limit\":120}",
-          "default": {
-            "ttl": 60,
-            "limit": 120
-          }
-        },
-        "throttlers.strict": {
-          "type": "object",
-          "description": "The config for the strict throttler.\n@default {\"ttl\":60,\"limit\":20}",
-          "default": {
-            "ttl": 60,
-            "limit": 20
-          }
-        }
-      }
-    },
-    "websocket": {
-      "type": "object",
-      "description": "Configuration for websocket module",
-      "properties": {
-        "transports": {
-          "type": "array",
-          "description": "The enabled transports for accepting websocket traffics.\n@default [\"websocket\",\"polling\"]\n@link https://docs.nestjs.com/websockets/gateways#transports",
-          "items": {
-            "type": "string",
-            "enum": [
-              "websocket",
-              "polling"
-            ]
-          },
-          "default": [
-            "websocket",
-            "polling"
-          ]
-        },
-        "maxHttpBufferSize": {
-          "type": "number",
-          "description": "How many bytes or characters a message can be, before closing the session (to avoid DoS).\n@default 100000000",
-          "default": 100000000
-        }
-      }
-    },
-    "db": {
-      "type": "object",
-      "description": "Configuration for db module",
-      "properties": {
-        "datasourceUrl": {
-          "type": "string",
-          "description": "The datasource url for the prisma client.\n@default \"postgresql://localhost:5432/affine\"\n@environment `DATABASE_URL`",
-          "default": "postgresql://localhost:5432/affine"
-        },
-        "prisma": {
-          "type": "object",
-          "description": "The config for the prisma client.\n@default {}\n@link https://www.prisma.io/docs/reference/api-reference/prisma-client-reference",
-          "default": {}
-        }
-      }
-    },
-    "auth": {
-      "type": "object",
-      "description": "Configuration for auth module",
-      "properties": {
-        "allowSignup": {
-          "type": "boolean",
-          "description": "Whether allow new registrations.\n@default true",
-          "default": true
-        },
-        "requireEmailDomainVerification": {
-          "type": "boolean",
-          "description": "Whether require email domain record verification before accessing restricted resources.\n@default false",
-          "default": false
-        },
-        "requireEmailVerification": {
-          "type": "boolean",
-          "description": "Whether require email verification before accessing restricted resources(not implemented).\n@default true",
-          "default": true
-        },
-        "passwordRequirements": {
-          "type": "object",
-          "description": "The password strength requirements when set new password.\n@default {\"min\":8,\"max\":32}",
-          "properties": {
-            "min": {
-              "type": "number"
-            },
-            "max": {
-              "type": "number"
-            }
-          },
-          "default": {
-            "min": 8,
-            "max": 32
-          }
-        },
-        "session.ttl": {
-          "type": "number",
-          "description": "Application auth expiration time in seconds.\n@default 1296000",
-          "default": 1296000
-        },
-        "session.ttr": {
-          "type": "number",
-          "description": "Application auth time to refresh in seconds.\n@default 604800",
-          "default": 604800
-        }
-      }
-    },
-    "mailer": {
-      "type": "object",
-      "description": "Configuration for mailer module",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-          "description": "Whether enabled mail service.\n@default false",
-          "default": false
-        },
-        "SMTP.host": {
-          "type": "string",
-          "description": "Host of the email server (e.g. smtp.gmail.com)\n@default \"\"\n@environment `MAILER_HOST`",
-          "default": ""
-        },
-        "SMTP.port": {
-          "type": "number",
-          "description": "Port of the email server (they commonly are 25, 465 or 587)\n@default 465\n@environment `MAILER_PORT`",
-          "default": 465
-        },
-        "SMTP.username": {
-          "type": "string",
-          "description": "Username used to authenticate the email server\n@default \"\"\n@environment `MAILER_USER`",
-          "default": ""
-        },
-        "SMTP.password": {
-          "type": "string",
-          "description": "Password used to authenticate the email server\n@default \"\"\n@environment `MAILER_PASSWORD`",
-          "default": ""
-        },
-        "SMTP.sender": {
-          "type": "string",
-          "description": "Sender of all the emails (e.g. \"AFFiNE Team <noreply@affine.pro>\")\n@default \"\"\n@environment `MAILER_SENDER`",
-          "default": ""
-        },
-        "SMTP.ignoreTLS": {
-          "type": "boolean",
-          "description": "Whether ignore email server's TSL certification verification. Enable it for self-signed certificates.\n@default false\n@environment `MAILER_IGNORE_TLS`",
-          "default": false
-        }
-      }
-    },
-    "doc": {
-      "type": "object",
-      "description": "Configuration for doc module",
-      "properties": {
-        "experimental.yocto": {
-          "type": "boolean",
-          "description": "Use `y-octo` to merge updates at the same time when merging using Yjs.\n@default false",
-          "default": false
-        },
-        "history.interval": {
-          "type": "number",
-          "description": "The minimum time interval in milliseconds of creating a new history snapshot when doc get updated.\n@default 600000",
-          "default": 600000
-        }
-      }
-    },
-    "storages": {
-      "type": "object",
-      "description": "Configuration for storages module",
-      "properties": {
-        "avatar.publicPath": {
-          "type": "string",
-          "description": "The public accessible path prefix for user avatars.\n@default \"/api/avatars/\"",
-          "default": "/api/avatars/"
-        },
-        "avatar.storage": {
-          "type": "object",
-          "description": "The config of storage for user avatars.\n@default {\"provider\":\"fs\",\"bucket\":\"avatars\",\"config\":{\"path\":\"~/.affine/storage\"}}",
-          "oneOf": [
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "fs"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "properties": {
-                    "path": {
-                      "type": "string"
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "aws-s3"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "description": "The config for the s3 compatible storage provider. directly passed to aws-sdk client.\n@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html",
-                  "properties": {
-                    "credentials": {
-                      "type": "object",
-                      "description": "The credentials for the s3 compatible storage provider.",
-                      "properties": {
-                        "accessKeyId": {
-                          "type": "string"
-                        },
-                        "secretAccessKey": {
-                          "type": "string"
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "cloudflare-r2"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "description": "The config for the s3 compatible storage provider. directly passed to aws-sdk client.\n@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html",
-                  "properties": {
-                    "credentials": {
-                      "type": "object",
-                      "description": "The credentials for the s3 compatible storage provider.",
-                      "properties": {
-                        "accessKeyId": {
-                          "type": "string"
-                        },
-                        "secretAccessKey": {
-                          "type": "string"
-                        }
-                      }
-                    },
-                    "accountId": {
-                      "type": "string",
-                      "description": "The account id for the cloudflare r2 storage provider."
-                    }
-                  }
-                }
-              }
-            }
-          ],
-          "default": {
-            "provider": "fs",
-            "bucket": "avatars",
-            "config": {
-              "path": "~/.affine/storage"
-            }
-          }
-        },
-        "blob.storage": {
-          "type": "object",
-          "description": "The config of storage for all uploaded blobs(images, videos, etc.).\n@default {\"provider\":\"fs\",\"bucket\":\"blobs\",\"config\":{\"path\":\"~/.affine/storage\"}}",
-          "oneOf": [
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "fs"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "properties": {
-                    "path": {
-                      "type": "string"
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "aws-s3"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "description": "The config for the s3 compatible storage provider. directly passed to aws-sdk client.\n@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html",
-                  "properties": {
-                    "credentials": {
-                      "type": "object",
-                      "description": "The credentials for the s3 compatible storage provider.",
-                      "properties": {
-                        "accessKeyId": {
-                          "type": "string"
-                        },
-                        "secretAccessKey": {
-                          "type": "string"
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "cloudflare-r2"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "description": "The config for the s3 compatible storage provider. directly passed to aws-sdk client.\n@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html",
-                  "properties": {
-                    "credentials": {
-                      "type": "object",
-                      "description": "The credentials for the s3 compatible storage provider.",
-                      "properties": {
-                        "accessKeyId": {
-                          "type": "string"
-                        },
-                        "secretAccessKey": {
-                          "type": "string"
-                        }
-                      }
-                    },
-                    "accountId": {
-                      "type": "string",
-                      "description": "The account id for the cloudflare r2 storage provider."
-                    }
-                  }
-                }
-              }
-            }
-          ],
-          "default": {
-            "provider": "fs",
-            "bucket": "blobs",
-            "config": {
-              "path": "~/.affine/storage"
-            }
-          }
-        }
-      }
-    },
-    "server": {
-      "type": "object",
-      "description": "Configuration for server module",
-      "properties": {
-        "name": {
-          "type": "string",
-          "description": "A recognizable name for the server. Will be shown when connected with AFFiNE Desktop.\n@default \"AFFiNE Cloud\"",
-          "default": "AFFiNE Cloud"
-        },
-        "externalUrl": {
-          "type": "string",
-          "description": "Base url of AFFiNE server, used for generating external urls.\nDefault to be `[server.protocol]://[server.host][:server.port]` if not specified.\n    \n@default \"http://localhost:3010\"\n@environment `AFFINE_SERVER_EXTERNAL_URL`",
-          "default": "http://localhost:3010"
-        },
-        "https": {
-          "type": "boolean",
-          "description": "Whether the server is hosted on a ssl enabled domain (https://).\n@default false\n@environment `AFFINE_SERVER_HTTPS`",
-          "default": false
-        },
-        "host": {
-          "type": "string",
-          "description": "Where the server get deployed(FQDN).\n@default \"localhost\"\n@environment `AFFINE_SERVER_HOST`",
-          "default": "localhost"
-        },
-        "port": {
-          "type": "number",
-          "description": "Which port the server will listen on.\n@default 3010\n@environment `AFFINE_SERVER_PORT`",
-          "default": 3010
-        },
-        "path": {
-          "type": "string",
-          "description": "Subpath where the server get deployed if there is.\n@default \"\"\n@environment `AFFINE_SERVER_SUB_PATH`",
-          "default": ""
-        }
-      }
-    },
-    "flags": {
-      "type": "object",
-      "description": "Configuration for flags module",
-      "properties": {
-        "earlyAccessControl": {
-          "type": "boolean",
-          "description": "Only allow users with early access features to access the app\n@default false",
-          "default": false
-        }
-      }
-    },
-    "client": {
-      "type": "object",
-      "description": "Configuration for client module",
-      "properties": {
-        "versionControl.enabled": {
-          "type": "boolean",
-          "description": "Whether check version of client before accessing the server.\n@default false",
-          "default": false
-        },
-        "versionControl.requiredVersion": {
-          "type": "string",
-          "description": "Allowed version range of the app that allowed to access the server. Requires 'client/versionControl.enabled' to be true to take effect.\n@default \">=0.20.0\"",
-          "default": ">=0.20.0"
-        }
-      }
-    },
-    "captcha": {
-      "type": "object",
-      "description": "Configuration for captcha module",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-          "description": "Check captcha challenge when user authenticating the app.\n@default false",
-          "default": false
-        },
-        "config": {
-          "type": "object",
-          "description": "The config for the captcha plugin.\n@default {\"turnstile\":{\"secret\":\"\"},\"challenge\":{\"bits\":20}}",
-          "default": {
-            "turnstile": {
-              "secret": ""
-            },
-            "challenge": {
-              "bits": 20
-            }
-          }
-        }
-      }
-    },
-    "copilot": {
-      "type": "object",
-      "description": "Configuration for copilot module",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-          "description": "Whether to enable the copilot plugin.\n@default false",
-          "default": false
-        },
-        "providers.openai": {
-          "type": "object",
-          "description": "The config for the openai provider.\n@default {\"apiKey\":\"\"}\n@link https://github.com/openai/openai-node",
-          "default": {
-            "apiKey": ""
-          }
-        },
-        "providers.fal": {
-          "type": "object",
-          "description": "The config for the fal provider.\n@default {\"apiKey\":\"\"}",
-          "default": {
-            "apiKey": ""
-          }
-        },
-        "providers.gemini": {
-          "type": "object",
-          "description": "The config for the gemini provider.\n@default {\"apiKey\":\"\"}",
-          "default": {
-            "apiKey": ""
-          }
-        },
-        "providers.perplexity": {
-          "type": "object",
-          "description": "The config for the perplexity provider.\n@default {\"apiKey\":\"\"}",
-          "default": {
-            "apiKey": ""
-          }
-        },
-        "unsplash": {
-          "type": "object",
-          "description": "The config for the unsplash key.\n@default {\"key\":\"\"}",
-          "default": {
-            "key": ""
-          }
-        },
-        "storage": {
-          "type": "object",
-          "description": "The config for the storage provider.\n@default {\"provider\":\"fs\",\"bucket\":\"copilot\",\"config\":{\"path\":\"~/.affine/storage\"}}",
-          "oneOf": [
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "fs"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "properties": {
-                    "path": {
-                      "type": "string"
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "aws-s3"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "description": "The config for the s3 compatible storage provider. directly passed to aws-sdk client.\n@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html",
-                  "properties": {
-                    "credentials": {
-                      "type": "object",
-                      "description": "The credentials for the s3 compatible storage provider.",
-                      "properties": {
-                        "accessKeyId": {
-                          "type": "string"
-                        },
-                        "secretAccessKey": {
-                          "type": "string"
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "object",
-              "properties": {
-                "provider": {
-                  "type": "string",
-                  "enum": [
-                    "cloudflare-r2"
-                  ]
-                },
-                "bucket": {
-                  "type": "string"
-                },
-                "config": {
-                  "type": "object",
-                  "description": "The config for the s3 compatible storage provider. directly passed to aws-sdk client.\n@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html",
-                  "properties": {
-                    "credentials": {
-                      "type": "object",
-                      "description": "The credentials for the s3 compatible storage provider.",
-                      "properties": {
-                        "accessKeyId": {
-                          "type": "string"
-                        },
-                        "secretAccessKey": {
-                          "type": "string"
-                        }
-                      }
-                    },
-                    "accountId": {
-                      "type": "string",
-                      "description": "The account id for the cloudflare r2 storage provider."
-                    }
-                  }
-                }
-              }
-            }
-          ],
-          "default": {
-            "provider": "fs",
-            "bucket": "copilot",
-            "config": {
-              "path": "~/.affine/storage"
-            }
-          }
-        }
-      }
-    },
-    "customerIo": {
-      "type": "object",
-      "description": "Configuration for customerIo module",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-          "description": "Enable customer.io integration\n@default false",
-          "default": false
-        },
-        "token": {
-          "type": "string",
-          "description": "Customer.io token\n@default \"\"",
-          "default": ""
-        }
-      }
-    },
-    "oauth": {
-      "type": "object",
-      "description": "Configuration for oauth module",
-      "properties": {
-        "providers.google": {
-          "type": "object",
-          "description": "Google OAuth provider config\n@default {\"clientId\":\"\",\"clientSecret\":\"\"}\n@link https://developers.google.com/identity/protocols/oauth2/web-server",
-          "properties": {
-            "clientId": {
-              "type": "string"
-            },
-            "clientSecret": {
-              "type": "string"
-            },
-            "args": {
-              "type": "object"
-            }
-          },
-          "default": {
-            "clientId": "",
-            "clientSecret": ""
-          }
-        },
-        "providers.github": {
-          "type": "object",
-          "description": "GitHub OAuth provider config\n@default {\"clientId\":\"\",\"clientSecret\":\"\"}\n@link https://docs.github.com/en/apps/oauth-apps",
-          "properties": {
-            "clientId": {
-              "type": "string"
-            },
-            "clientSecret": {
-              "type": "string"
-            },
-            "args": {
-              "type": "object"
-            }
-          },
-          "default": {
-            "clientId": "",
-            "clientSecret": ""
-          }
-        },
-        "providers.oidc": {
-          "type": "object",
-          "description": "OIDC OAuth provider config\n@default {\"clientId\":\"\",\"clientSecret\":\"\",\"issuer\":\"\",\"args\":{}}",
-          "default": {
-            "clientId": "",
-            "clientSecret": "",
-            "issuer": "",
-            "args": {}
-          }
-        }
-      }
-    },
-    "payment": {
-      "type": "object",
-      "description": "Configuration for payment module",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-          "description": "Whether enable payment plugin\n@default false",
-          "default": false
-        },
-        "showLifetimePrice": {
-          "type": "boolean",
-          "description": "Whether enable lifetime price and allow user to pay for it.\n@default true",
-          "default": true
-        },
-        "apiKey": {
-          "type": "string",
-          "description": "Stripe API key to enable payment service.\n@default \"\"\n@environment `STRIPE_API_KEY`",
-          "default": ""
-        },
-        "webhookKey": {
-          "type": "string",
-          "description": "Stripe webhook key to enable payment service.\n@default \"\"\n@environment `STRIPE_WEBHOOK_KEY`",
-          "default": ""
-        },
-        "stripe": {
-          "type": "object",
-          "description": "Stripe API keys\n@default {}\n@link https://docs.stripe.com/api",
-          "default": {}
-        }
-      }
-    },
-    "worker": {
-      "type": "object",
-      "description": "Configuration for worker module",
-      "properties": {
-        "allowedOrigin": {
-          "type": "array",
-          "description": "Allowed origin\n@default [\"localhost\",\"127.0.0.1\"]",
-          "default": [
-            "localhost",
-            "127.0.0.1"
-          ]
-        }
-      }
-    }
-  }
-}

.env.template

@@ -0,0 +1,14 @@
+ENABLE_PLUGIN=
+ENABLE_TEST_PROPERTIES=
+ENABLE_BC_PROVIDER=
+CHANGELOG_URL=
+ENABLE_PRELOADING=
+ENABLE_NEW_SETTING_MODAL=
+ENABLE_SQLITE_PROVIDER=
+ENABLE_NEW_SETTING_UNSTABLE_API=
+ENABLE_NOTIFICATION_CENTER=
+ENABLE_CLOUD=
+ENABLE_MOVE_DATABASE=
+SHOULD_REPORT_TRACE=
+TRACE_REPORT_ENDPOINT=
+CAPTCHA_SITE_KEY=

.eslintignore

@@ -0,0 +1,14 @@
+node_modules
+dist
+.next
+out
+storybook-static
+affine-out
+_next
+lib
+.eslintrc.js
+e2e-dist-*
+static
+web-static
+public
+packages/frontend/i18n/src/i18n-generated.ts

.eslintrc.js

@@ -0,0 +1,310 @@
+const { resolve } = require('node:path');
+
+const createPattern = packageName => [
+  {
+    group: ['**/dist', '**/dist/**'],
+    message: 'Do not import from dist',
+    allowTypeImports: false,
+  },
+  {
+    group: ['**/src', '**/src/**'],
+    message: 'Do not import from src',
+    allowTypeImports: false,
+  },
+  {
+    group: [`@affine/${packageName}`],
+    message: 'Do not import package itself',
+    allowTypeImports: false,
+  },
+  {
+    group: [`@toeverything/${packageName}`],
+    message: 'Do not import package itself',
+    allowTypeImports: false,
+  },
+  {
+    group: ['@blocksuite/store'],
+    message: "Import from '@blocksuite/global/utils'",
+    importNames: ['assertExists', 'assertEquals'],
+  },
+  {
+    group: ['react-router-dom'],
+    message: 'Use `useNavigateHelper` instead',
+    importNames: ['useNavigate'],
+  },
+  {
+    group: ['next-auth/react'],
+    message: "Import hooks from 'use-current-user.tsx'",
+    // useSession is type unsafe
+    importNames: ['useSession'],
+  },
+  {
+    group: ['next-auth/react'],
+    message: "Import hooks from 'cloud-utils.ts'",
+    importNames: ['signIn', 'signOut'],
+  },
+  {
+    group: ['yjs'],
+    message: 'Do not use this API because it has a bug',
+    importNames: ['mergeUpdates'],
+  },
+  {
+    group: ['@affine/env/constant'],
+    message:
+      'Do not import from @affine/env/constant. Use `environment.isDesktop` instead',
+    importNames: ['isDesktop'],
+  },
+];
+
+const allPackages = [
+  'packages/backend/server',
+  'packages/frontend/component',
+  'packages/frontend/core',
+  'packages/frontend/electron',
+  'packages/frontend/graphql',
+  'packages/frontend/i18n',
+  'packages/frontend/native',
+  'packages/frontend/templates',
+  'packages/frontend/workspace',
+  'packages/common/debug',
+  'packages/common/env',
+  'packages/common/infra',
+  'packages/common/theme',
+  'packages/common/y-indexeddb',
+  'tools/cli',
+  'tests/storybook',
+];
+
+/**
+ * @type {import('eslint').Linter.Config}
+ */
+const config = {
+  root: true,
+  settings: {
+    react: {
+      version: 'detect',
+    },
+    next: {
+      rootDir: 'packages/frontend/core',
+    },
+  },
+  extends: [
+    'eslint:recommended',
+    'plugin:react-hooks/recommended',
+    'plugin:react/recommended',
+    'plugin:react/jsx-runtime',
+    'plugin:@typescript-eslint/recommended',
+    'prettier',
+  ],
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    ecmaFeatures: {
+      globalReturn: false,
+      impliedStrict: true,
+      jsx: true,
+    },
+    ecmaVersion: 'latest',
+    sourceType: 'module',
+    project: resolve(__dirname, './tsconfig.eslint.json'),
+  },
+  plugins: [
+    'react',
+    '@typescript-eslint',
+    'simple-import-sort',
+    'sonarjs',
+    'i',
+    'unused-imports',
+    'unicorn',
+  ],
+  rules: {
+    'array-callback-return': 'error',
+    'no-undef': 'off',
+    'no-empty': 'off',
+    'no-func-assign': 'off',
+    'no-cond-assign': 'off',
+    'no-constant-binary-expression': 'error',
+    'no-constructor-return': 'error',
+    'no-self-compare': 'error',
+    eqeqeq: ['error', 'always', { null: 'ignore' }],
+    'react/prop-types': 'off',
+    'react/jsx-no-useless-fragment': 'error',
+    '@typescript-eslint/consistent-type-imports': 'error',
+    '@typescript-eslint/no-non-null-assertion': 'error',
+    '@typescript-eslint/no-explicit-any': 'off',
+    '@typescript-eslint/no-empty-function': 'off',
+    '@typescript-eslint/await-thenable': 'error',
+    '@typescript-eslint/require-array-sort-compare': 'error',
+    '@typescript-eslint/unified-signatures': 'error',
+    '@typescript-eslint/prefer-for-of': 'error',
+    '@typescript-eslint/no-unused-vars': [
+      'error',
+      {
+        varsIgnorePattern: '^_',
+        argsIgnorePattern: '^_',
+        caughtErrorsIgnorePattern: '^_',
+      },
+    ],
+    'unused-imports/no-unused-imports': 'error',
+    'simple-import-sort/imports': 'error',
+    'simple-import-sort/exports': 'error',
+    '@typescript-eslint/ban-ts-comment': [
+      'error',
+      {
+        'ts-expect-error': 'allow-with-description',
+        'ts-ignore': true,
+        'ts-nocheck': true,
+        'ts-check': false,
+      },
+    ],
+    '@typescript-eslint/no-restricted-imports': [
+      'error',
+      {
+        patterns: [
+          {
+            group: ['**/dist'],
+            message: "Don't import from dist",
+            allowTypeImports: false,
+          },
+          {
+            group: ['**/src'],
+            message: "Don't import from src",
+            allowTypeImports: false,
+          },
+          {
+            group: ['@blocksuite/store'],
+            message: "Import from '@blocksuite/global/utils'",
+            importNames: ['assertExists', 'assertEquals'],
+          },
+          {
+            group: ['react-router-dom'],
+            message: 'Use `useNavigateHelper` instead',
+            importNames: ['useNavigate'],
+          },
+          {
+            group: ['next-auth/react'],
+            message: "Import hooks from 'use-current-user.tsx'",
+            // useSession is type unsafe
+            importNames: ['useSession'],
+          },
+          {
+            group: ['next-auth/react'],
+            message: "Import hooks from 'cloud-utils.ts'",
+            importNames: ['signIn', 'signOut'],
+          },
+          {
+            group: ['yjs'],
+            message: 'Do not use this API because it has a bug',
+            importNames: ['mergeUpdates'],
+          },
+        ],
+      },
+    ],
+    'unicorn/filename-case': [
+      'error',
+      {
+        case: 'kebabCase',
+        ignore: ['^\\[[a-zA-Z0-9-_]+\\]\\.tsx$'],
+      },
+    ],
+    'unicorn/no-unnecessary-await': 'error',
+    'unicorn/no-useless-fallback-in-spread': 'error',
+    'unicorn/prefer-dom-node-dataset': 'error',
+    'unicorn/prefer-dom-node-append': 'error',
+    'unicorn/prefer-dom-node-remove': 'error',
+    'unicorn/prefer-array-some': 'error',
+    'unicorn/prefer-date-now': 'error',
+    'unicorn/prefer-blob-reading-methods': 'error',
+    'unicorn/no-typeof-undefined': 'error',
+    'unicorn/no-useless-promise-resolve-reject': 'error',
+    'unicorn/no-new-array': 'error',
+    'unicorn/new-for-builtins': 'error',
+    'sonarjs/no-all-duplicated-branches': 'error',
+    'sonarjs/no-element-overwrite': 'error',
+    'sonarjs/no-empty-collection': 'error',
+    'sonarjs/no-extra-arguments': 'error',
+    'sonarjs/no-identical-conditions': 'error',
+    'sonarjs/no-identical-expressions': 'error',
+    'sonarjs/no-ignored-return': 'error',
+    'sonarjs/no-one-iteration-loop': 'error',
+    'sonarjs/no-use-of-empty-return-value': 'error',
+    'sonarjs/non-existent-operator': 'error',
+    'sonarjs/no-collapsible-if': 'error',
+    'sonarjs/no-same-line-conditional': 'error',
+    'sonarjs/no-duplicated-branches': 'error',
+    'sonarjs/no-collection-size-mischeck': 'error',
+    'sonarjs/no-useless-catch': 'error',
+    'sonarjs/no-identical-functions': 'error',
+  },
+  overrides: [
+    {
+      files: 'packages/backend/server/**/*.ts',
+      rules: {
+        '@typescript-eslint/consistent-type-imports': 0,
+      },
+    },
+    {
+      files: '*.cjs',
+      rules: {
+        '@typescript-eslint/no-var-requires': 0,
+      },
+    },
+    ...allPackages.map(pkg => ({
+      files: [`${pkg}/src/**/*.ts`, `${pkg}/src/**/*.tsx`],
+      parserOptions: {
+        project: resolve(__dirname, './tsconfig.eslint.json'),
+      },
+      rules: {
+        '@typescript-eslint/no-restricted-imports': [
+          'error',
+          {
+            patterns: createPattern(pkg),
+          },
+        ],
+        '@typescript-eslint/no-floating-promises': [
+          'error',
+          {
+            ignoreVoid: false,
+            ignoreIIFE: false,
+          },
+        ],
+        '@typescript-eslint/no-misused-promises': ['error'],
+        '@typescript-eslint/prefer-readonly': 'error',
+        'i/no-extraneous-dependencies': ['error'],
+        'react-hooks/exhaustive-deps': [
+          'warn',
+          {
+            additionalHooks: 'useAsyncCallback',
+          },
+        ],
+      },
+    })),
+    {
+      files: [
+        '**/__tests__/**/*',
+        '**/*.stories.tsx',
+        '**/*.spec.ts',
+        '**/tests/**/*',
+        'scripts/**/*',
+        '**/benchmark/**/*',
+        '**/__debug__/**/*',
+        '**/e2e/**/*',
+      ],
+      rules: {
+        '@typescript-eslint/no-non-null-assertion': 0,
+        '@typescript-eslint/ban-ts-comment': [
+          'error',
+          {
+            'ts-expect-error': false,
+            'ts-ignore': true,
+            'ts-nocheck': true,
+            'ts-check': false,
+          },
+        ],
+        '@typescript-eslint/no-floating-promises': 0,
+        '@typescript-eslint/no-misused-promises': 0,
+        '@typescript-eslint/no-restricted-imports': 0,
+      },
+    },
+  ],
+};
+
+module.exports = config;

.github/CODEOWNERS

@@ -1,2 +0,0 @@
-/blocksuite/ @toeverything/blocksuite-core
-/packages/frontend/core/src/blocksuite @toeverything/blocksuite-core

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -1,14 +1,12 @@
 name: Bug Report
 description: File a bug report
-title: '[Bug]: '
+title: "\u200b"
 labels: ['bug']
 body:
   - type: markdown
     attributes:
       value: |
         Thanks for taking the time to fill out this bug report!
-        Check out this [link](https://github.com/toeverything/AFFiNE/blob/canary/docs/issue-triaging.md)
-        to learn how we manage issues and when your issue will be processed.
   - type: textarea
     id: what-happened
     attributes:
@@ -18,26 +16,20 @@ body:
     validations:
       required: true
   - type: dropdown
-    id: distribution
+    id: version
     attributes:
       label: Distribution version
-      description: What distribution of AFFiNE are you using?
+      description: What version of AFFiNE are you using?
       options:
         - macOS x64 (Intel)
         - macOS ARM 64 (Apple Silicon)
         - Windows x64
         - Linux
-        - Web (https://app.affine.pro)
-        - Beta Web (https://insider.affine.pro)
-        - Canary Web (https://affine.fail)
+        - Web (app.affine.pro)
+        - Web (affine.fail)
+        - Web (insider.affine.pro)
     validations:
       required: true
-  - type: input
-    id: version
-    attributes:
-      label: App Version
-      description: What version of AFFiNE are you using?
-      placeholder: (You can find AFFiNE version in [About AFFiNE] setting panel)
   - type: dropdown
     id: browsers
     attributes:
@@ -49,19 +41,6 @@ body:
         - Firefox
         - Safari
         - Other
-  - type: checkboxes
-    id: selfhost
-    attributes:
-      label: Are you self-hosting?
-      description: >
-        If you are self-hosting, please check the box and provide information about your setup.
-      options:
-        - label: 'Yes'
-  - type: input
-    id: selfhost-version
-    attributes:
-      label: Self-hosting Version
-      description: What version of AFFiNE are you selfhosting?
   - type: textarea
     id: logs
     attributes:
@@ -74,3 +53,11 @@ body:
       description: |
         Links? References? Anything that will give us more context about the issue you are encountering!
         Tip: You can attach images here
+  - type: checkboxes
+    attributes:
+      label: Are you willing to submit a PR?
+      description: >
+        (Optional) We encourage you to submit a [Pull Request](https://github.com/toeverything/affine/pulls) (PR) to help improve AFFiNE for everyone, especially if you have a good understanding of how to implement a fix or feature.
+        See the AFFiNE [Contributing Guide](https://github.com/toeverything/affine/blob/canary/CONTRIBUTING.md) to get started.
+      options:
+        - label: Yes I'd like to help by submitting a PR!

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -1,8 +1,7 @@
 name: Feature Request
 description: Suggest a feature or improvement
-title: '[Feature Request]: '
+title: "\u200b"
 labels: ['feat', 'story']
-assignees: ['hwangdev97']
 body:
   - type: markdown
     attributes:

.github/actions/build-rust/action.yml

@@ -7,10 +7,9 @@ inputs:
   package:
     description: 'Package to build'
     required: true
-  no-build:
-    description: 'Whether to skip building'
+  nx_token:
+    description: 'Nx Cloud access token'
     required: false
-    default: 'false'
 
 runs:
   using: 'composite'
@@ -18,74 +17,39 @@ runs:
     - name: Print rustup toolchain version
       shell: bash
       id: rustup-version
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
       run: |
         export RUST_TOOLCHAIN_VERSION="$(grep 'channel' rust-toolchain.toml | head -1 | awk -F '"' '{print $2}')"
         echo "Rust toolchain version: $RUST_TOOLCHAIN_VERSION"
         echo "RUST_TOOLCHAIN_VERSION=$RUST_TOOLCHAIN_VERSION" >> "$GITHUB_OUTPUT"
     - name: Setup Rust
       uses: dtolnay/rust-toolchain@stable
-      if: ${{ runner.os != 'Windows' }}
       with:
         toolchain: '${{ steps.rustup-version.outputs.RUST_TOOLCHAIN_VERSION }}'
         targets: ${{ inputs.target }}
       env:
         CARGO_INCREMENTAL: '1'
 
-    - name: Setup Rust
-      uses: dtolnay/rust-toolchain@stable
-      if: ${{ runner.os == 'Windows' }}
-      with:
-        toolchain: '${{ steps.rustup-version.outputs.RUST_TOOLCHAIN_VERSION }}'
-        targets: ${{ inputs.target }}
-      env:
-        CARGO_INCREMENTAL: '1'
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup
-
     - name: Set CC
-      if: ${{ contains(inputs.target, 'linux') && inputs.no-build != 'true' }}
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
+      if: ${{ contains(inputs.target, 'linux') && inputs.package != '@affine/native' }}
       shell: bash
-      # https://github.com/tree-sitter/tree-sitter/issues/4186
-      # pass -D_BSD_SOURCE to clang to fix the tree-sitter build issue
       run: |
-        echo "CC=clang -D_BSD_SOURCE" >> "$GITHUB_ENV"
-        echo "TARGET_CC=clang -D_BSD_SOURCE" >> "$GITHUB_ENV"
+        echo "CC=clang" >> "$GITHUB_ENV"
+        echo "TARGET_CC=clang" >> "$GITHUB_ENV"
 
     - name: Cache cargo
-      uses: Swatinem/rust-cache@v2
-      if: ${{ runner.os == 'Windows' }}
+      uses: actions/cache@v3
       with:
-        workspaces: ${{ env.DEV_DRIVE_WORKSPACE }}
-        save-if: ${{ github.ref_name == 'canary' }}
-        shared-key: ${{ inputs.target }}-${{ inputs.package }}
-      env:
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup
-
-    - name: Cache cargo
-      uses: Swatinem/rust-cache@v2
-      if: ${{ runner.os != 'Windows' }}
-      with:
-        save-if: ${{ github.ref_name == 'canary' }}
-        shared-key: ${{ inputs.target }}-${{ inputs.package }}
-
+        path: |
+          ~/.cargo/registry/index/
+          ~/.cargo/registry/cache/
+          ~/.cargo/git/db/
+          ~/.napi-rs
+          target/${{ inputs.target }}
+        key: stable-${{ inputs.target }}-cargo-cache
     - name: Build
       shell: bash
-      if: ${{ runner.os != 'Windows' && inputs.no-build != 'true' }}
       run: |
-        yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }} --use-napi-cross
+        yarn workspace ${{ inputs.package }} nx build ${{ inputs.package }} --target ${{ inputs.target }} --use-napi-cross
       env:
+        NX_CLOUD_ACCESS_TOKEN: ${{ inputs.nx_token }}
         DEBUG: 'napi:*'
-
-    - name: Build
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
-      shell: bash
-      if: ${{ runner.os == 'Windows' && inputs.no-build != 'true' }}
-      run: |
-        yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }}
-      env:
-        DEBUG: 'napi:*'
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup

.github/actions/cluster-auth/action.yml

@@ -1,36 +0,0 @@
-name: 'Auth to Cluster'
-description: 'Auth to the GCP Cluster'
-inputs:
-  gcp-project-number:
-    description: 'GCP project number'
-    required: true
-  gcp-project-id:
-    description: 'GCP project id'
-    required: true
-  service-account:
-    description: 'Service account'
-  cluster-name:
-    description: 'Cluster name'
-  cluster-location:
-    description: 'Cluster location'
-
-runs:
-  using: 'composite'
-  steps:
-    - id: auth
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: 'projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
-        service_account: '${{ inputs.service-account }}'
-        token_format: 'access_token'
-        project_id: '${{ inputs.gcp-project-id }}'
-
-    - name: 'Setup gcloud cli'
-      uses: 'google-github-actions/setup-gcloud@v2'
-      with:
-        install_components: 'gke-gcloud-auth-plugin'
-
-    - id: get-gke-credentials
-      shell: bash
-      run: |
-        gcloud container clusters get-credentials ${{ inputs.cluster-name }} --region ${{ inputs.cluster-location }} --project ${{ inputs.gcp-project-id }}

.github/actions/copilot-test/action.yml

@@ -1,25 +0,0 @@
-name: 'Run Copilot E2E Test'
-description: 'Run Copilot E2E Test'
-inputs:
-  script:
-    description: 'Script to run'
-    default: 'yarn affine @affine-test/affine-cloud-copilot e2e --forbid-only'
-    required: false
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Server Copilot E2E Test
-      shell: bash
-      run: ${{ inputs.script }}
-      env:
-        COPILOT: true
-        DEV_SERVER_URL: http://localhost:8080
-
-    - name: Upload test results
-      if: ${{ failure() }}
-      uses: actions/upload-artifact@v4
-      with:
-        name: test-results-e2e-server-copilot
-        path: ./test-results
-        if-no-files-found: ignore

.github/actions/deploy/action.yml

@@ -24,14 +24,24 @@ runs:
       shell: bash
       run: |
         echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-    - name: 'Auth to cluster'
-      uses: './.github/actions/cluster-auth'
+    - uses: azure/setup-helm@v3
+    - id: auth
+      uses: google-github-actions/auth@v2
       with:
-        gcp-project-number: '${{ inputs.gcp-project-number }}'
-        gcp-project-id: '${{ inputs.gcp-project-id }}'
-        service-account: '${{ inputs.service-account }}'
-        cluster-name: '${{ inputs.cluster-name }}'
-        cluster-location: '${{ inputs.cluster-location }}'
+        workload_identity_provider: 'projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
+        service_account: '${{ inputs.service-account }}'
+        token_format: 'access_token'
+        project_id: '${{ inputs.gcp-project-id }}'
+
+    - name: 'Setup gcloud cli'
+      uses: 'google-github-actions/setup-gcloud@v2'
+      with:
+        install_components: 'gke-gcloud-auth-plugin'
+
+    - id: get-gke-credentials
+      shell: bash
+      run: |
+        gcloud container clusters get-credentials ${{ inputs.cluster-name }} --region ${{ inputs.cluster-location }} --project ${{ inputs.gcp-project-id }}
 
     - name: Deploy
       shell: bash

.github/actions/deploy/deploy.mjs

@@ -10,104 +10,63 @@ const {
   DATABASE_USERNAME,
   DATABASE_PASSWORD,
   DATABASE_NAME,
+  R2_ACCOUNT_ID,
+  R2_ACCESS_KEY_ID,
+  R2_SECRET_ACCESS_KEY,
+  ENABLE_CAPTCHA,
+  CAPTCHA_TURNSTILE_SECRET,
+  OAUTH_EMAIL_SENDER,
+  OAUTH_EMAIL_LOGIN,
+  OAUTH_EMAIL_PASSWORD,
+  AFFINE_GOOGLE_CLIENT_ID,
+  AFFINE_GOOGLE_CLIENT_SECRET,
   CLOUD_SQL_IAM_ACCOUNT,
-  APP_IAM_ACCOUNT,
-  REDIS_SERVER_HOST,
-  REDIS_SERVER_PASSWORD,
+  GCLOUD_CONNECTION_NAME,
+  GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT,
+  REDIS_HOST,
+  REDIS_PASSWORD,
+  STRIPE_API_KEY,
+  STRIPE_WEBHOOK_KEY,
   STATIC_IP_NAME,
 } = process.env;
 
+// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
 const buildType = BUILD_TYPE || 'canary';
 
 const isProduction = buildType === 'stable';
 const isBeta = buildType === 'beta';
 const isInternal = buildType === 'internal';
 
-const replicaConfig = {
-  stable: {
-    web: 3,
-    graphql: Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 3,
-    sync: Number(process.env.PRODUCTION_SYNC_REPLICA) || 3,
-    renderer: Number(process.env.PRODUCTION_RENDERER_REPLICA) || 3,
-    doc: Number(process.env.PRODUCTION_DOC_REPLICA) || 3,
-  },
-  beta: {
-    web: 2,
-    graphql: Number(process.env.BETA_GRAPHQL_REPLICA) || 2,
-    sync: Number(process.env.BETA_SYNC_REPLICA) || 2,
-    renderer: Number(process.env.BETA_RENDERER_REPLICA) || 2,
-    doc: Number(process.env.BETA_DOC_REPLICA) || 2,
-  },
-  canary: {
-    web: 2,
-    graphql: 2,
-    sync: 2,
-    renderer: 2,
-    doc: 2,
-  },
-};
-
-const cpuConfig = {
-  beta: {
-    web: '300m',
-    graphql: '1',
-    sync: '1',
-    doc: '1',
-    renderer: '300m',
-  },
-  canary: {
-    web: '300m',
-    graphql: '1',
-    sync: '1',
-    doc: '1',
-    renderer: '300m',
-  },
-};
-
 const createHelmCommand = ({ isDryRun }) => {
   const flag = isDryRun ? '--dry-run' : '--atomic';
   const imageTag = `${buildType}-${GIT_SHORT_HASH}`;
   const redisAndPostgres =
     isProduction || isBeta || isInternal
       ? [
-          `--set        cloud-sql-proxy.enabled=true`,
-          `--set-string global.database.host=${DATABASE_URL}`,
+          `--set-string global.database.url=${DATABASE_URL}`,
           `--set-string global.database.user=${DATABASE_USERNAME}`,
           `--set-string global.database.password=${DATABASE_PASSWORD}`,
           `--set-string global.database.name=${DATABASE_NAME}`,
-          `--set-string global.redis.host="${REDIS_SERVER_HOST}"`,
-          `--set-string global.redis.password="${REDIS_SERVER_PASSWORD}"`,
+          `--set        global.database.gcloud.enabled=true`,
+          `--set-string global.database.gcloud.connectionName="${GCLOUD_CONNECTION_NAME}"`,
+          `--set-string global.database.gcloud.cloudSqlInternal="${GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT}"`,
+          `--set-string global.redis.host="${REDIS_HOST}"`,
+          `--set-string global.redis.password="${REDIS_PASSWORD}"`,
         ]
       : [];
-  const serviceAnnotations = [
-    `--set-json   web.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   graphql.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   sync.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   doc.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-  ].concat(
+  const serviceAnnotations =
     isProduction || isBeta || isInternal
       ? [
-          `--set-json   web.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   graphql.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   sync.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   cloud-sql-proxy.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }"`,
-          `--set-json   cloud-sql-proxy.nodeSelector="{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }"`,
+          `--set-json   web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
+          `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
         ]
-      : []
-  );
-
-  const cpu = cpuConfig[buildType];
-  const resources = cpu
-    ? [
-        `--set        web.resources.requests.cpu="${cpu.web}"`,
-        `--set        graphql.resources.requests.cpu="${cpu.graphql}"`,
-        `--set        sync.resources.requests.cpu="${cpu.sync}"`,
-        `--set        doc.resources.requests.cpu="${cpu.doc}"`,
-      ]
-    : [];
-
-  const replica = replicaConfig[buildType] || replicaConfig.canary;
-
+      : [];
+  const webReplicaCount = isProduction ? 3 : isBeta ? 2 : 2;
+  const graphqlReplicaCount = isProduction ? 10 : isBeta ? 5 : 2;
+  const syncReplicaCount = isProduction ? 10 : isBeta ? 5 : 2;
   const namespace = isProduction
     ? 'production'
     : isBeta
@@ -115,34 +74,40 @@ const createHelmCommand = ({ isDryRun }) => {
       : isInternal
         ? 'internal'
         : 'dev';
-
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
   const host = DEPLOY_HOST || CANARY_DEPLOY_HOST;
   const deployCommand = [
     `helm upgrade --install affine .github/helm/affine`,
     `--namespace  ${namespace}`,
-    `--set-string global.deployment.type="affine"`,
-    `--set-string global.deployment.platform="gcp"`,
-    `--set-string global.app.buildType="${buildType}"`,
     `--set        global.ingress.enabled=true`,
-    `--set-json   global.ingress.annotations="{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }"`,
+    `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
     `--set-string global.ingress.host="${host}"`,
     `--set-string global.version="${APP_VERSION}"`,
     ...redisAndPostgres,
-    `--set        web.replicaCount=${replica.web}`,
+    `--set        web.replicaCount=${webReplicaCount}`,
     `--set-string web.image.tag="${imageTag}"`,
-    `--set        graphql.replicaCount=${replica.graphql}`,
+    `--set        graphql.replicaCount=${graphqlReplicaCount}`,
     `--set-string graphql.image.tag="${imageTag}"`,
     `--set        graphql.app.host=${host}`,
-    `--set        sync.replicaCount=${replica.sync}`,
+    `--set        graphql.app.captcha.enabled=${ENABLE_CAPTCHA}`,
+    `--set-string graphql.app.captcha.turnstile.secret="${CAPTCHA_TURNSTILE_SECRET}"`,
+    `--set        graphql.app.objectStorage.r2.enabled=true`,
+    `--set-string graphql.app.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
+    `--set-string graphql.app.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
+    `--set-string graphql.app.objectStorage.r2.secretAccessKey="${R2_SECRET_ACCESS_KEY}"`,
+    `--set-string graphql.app.oauth.email.sender="${OAUTH_EMAIL_SENDER}"`,
+    `--set-string graphql.app.oauth.email.login="${OAUTH_EMAIL_LOGIN}"`,
+    `--set-string graphql.app.oauth.email.password="${OAUTH_EMAIL_PASSWORD}"`,
+    `--set-string graphql.app.oauth.google.enabled=true`,
+    `--set-string graphql.app.oauth.google.clientId="${AFFINE_GOOGLE_CLIENT_ID}"`,
+    `--set-string graphql.app.oauth.google.clientSecret="${AFFINE_GOOGLE_CLIENT_SECRET}"`,
+    `--set-string graphql.app.payment.stripe.apiKey="${STRIPE_API_KEY}"`,
+    `--set-string graphql.app.payment.stripe.webhookKey="${STRIPE_WEBHOOK_KEY}"`,
+    `--set        graphql.app.experimental.enableJwstCodec=true`,
+    `--set        graphql.app.features.earlyAccessPreview=false`,
+    `--set        sync.replicaCount=${syncReplicaCount}`,
     `--set-string sync.image.tag="${imageTag}"`,
-    `--set-string renderer.image.tag="${imageTag}"`,
-    `--set        renderer.app.host=${host}`,
-    `--set        renderer.replicaCount=${replica.renderer}`,
-    `--set-string doc.image.tag="${imageTag}"`,
-    `--set        doc.app.host=${host}`,
-    `--set        doc.replicaCount=${replica.doc}`,
     ...serviceAnnotations,
-    ...resources,
     `--timeout 10m`,
     flag,
   ].join(' ');

.github/actions/download-core/action.yml

@@ -0,0 +1,22 @@
+name: 'Download core artifacts'
+description: 'Download core artifacts and extract to dist'
+inputs:
+  path:
+    description: 'Path to extract'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Download tar.gz
+      uses: actions/download-artifact@v4
+      with:
+        name: core
+        path: .
+
+    - name: Extract core artifacts
+      shell: bash
+      run: |
+        mkdir -p ${{ inputs.path }}
+        tar -xvf dist.tar.gz --directory ${{ inputs.path }}
+        rm dist.tar.gz

.github/actions/download-web/action.yml

@@ -1,22 +0,0 @@
-name: 'Download core artifacts'
-description: 'Download core artifacts and extract to dist'
-inputs:
-  path:
-    description: 'Path to extract'
-    required: true
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Download tar.gz
-      uses: actions/download-artifact@v4
-      with:
-        name: web
-        path: .
-
-    - name: Extract core artifacts
-      shell: bash
-      run: |
-        mkdir -p ${{ inputs.path }}
-        tar -xvf dist.tar.gz --directory ${{ inputs.path }}
-        rm dist.tar.gz

.github/actions/server-test-env/action.yml

@@ -1,31 +0,0 @@
-name: 'Prepare Server Test Environment'
-description: 'Prepare Server Test Environment'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Initialize database
-      shell: bash
-      run: |
-        psql -h localhost -U postgres -c "CREATE DATABASE affine;"
-        psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
-        psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
-      env:
-        PGPASSWORD: affine
-
-    - name: Run init-db script
-      shell: bash
-      env:
-        NODE_ENV: test
-      run: |
-        yarn affine @affine/server prisma generate
-        yarn affine @affine/server prisma migrate deploy
-        yarn affine @affine/server data-migration run
-    - name: Import config
-      shell: bash
-      run: |
-        printf '{"copilot":{"enabled":true,"providers.fal":{"apiKey":"%s"},"providers.gemini":{"apiKey":"%s"},"providers.openai":{"apiKey":"%s"},"providers.perplexity":{"apiKey":"%s"}}}' \
-        "$COPILOT_FAL_API_KEY" \
-        "$COPILOT_GOOGLE_API_KEY" \
-        "$COPILOT_OPENAI_API_KEY" \
-        "$COPILOT_PERPLEXITY_API_KEY" > ./packages/backend/server/config.json

.github/actions/setup-node/action.yml

@@ -13,18 +13,10 @@ inputs:
     description: 'Run the install step for Playwright.'
     required: false
     default: 'false'
-  playwright-platform:
-    description: 'The platform to install Playwright for.'
-    required: false
-    default: 'chromium,webkit'
   electron-install:
     description: 'Download the Electron binary'
     required: false
     default: 'true'
-  corepack-install:
-    description: 'Install CorePack'
-    required: false
-    default: 'false'
   hard-link-nm:
     description: 'set nmMode to hardlinks-local in .yarnrc.yml'
     required: false
@@ -39,19 +31,10 @@ inputs:
   full-cache:
     description: 'Full installation cache'
     required: false
+
 runs:
   using: 'composite'
   steps:
-    - name: Output workspace path
-      id: workspace-path
-      shell: bash
-      run: |
-        if [ -n "${{ env.DEV_DRIVE_WORKSPACE }}" ]; then
-          echo "workspace_path=${{ env.DEV_DRIVE_WORKSPACE }}" >> $GITHUB_OUTPUT
-        else
-          echo "workspace_path=${{ github.workspace }}" >> $GITHUB_OUTPUT
-        fi
-
     - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
@@ -59,80 +42,78 @@ runs:
         registry-url: https://npm.pkg.github.com
         scope: '@toeverything'
 
-    - uses: kenchan0130/actions-system-info@master
-      id: system-info
-
-    - name: Init CorePack
-      if: ${{ inputs.corepack-install == 'true' }}
-      shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
-      run: corepack enable
-
     - name: Set nmMode
       if: ${{ inputs.hard-link-nm == 'false' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set nmMode classic
 
     - name: Set nmHoistingLimits
       if: ${{ inputs.nmHoistingLimits }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set nmHoistingLimits ${{ inputs.nmHoistingLimits }}
 
     - name: Set enableScripts
       if: ${{ inputs.enableScripts == 'false' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set enableScripts false
 
     - name: Set yarn global cache path
       shell: bash
       id: yarn-cache
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: node -e "const p = $(yarn config cacheFolder --json).effective; console.log('yarn_global_cache=' + p)" >> $GITHUB_OUTPUT
 
     - name: Cache non-full yarn cache on Linux
-      uses: actions/cache@v4
+      uses: actions/cache@v3
       if: ${{ inputs.full-cache != 'true' && runner.os == 'Linux' }}
       with:
         path: |
-          ${{ steps.workspace-path.outputs.workspace_path }}/node_modules
+          node_modules
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
 
     # The network performance on macOS is very poor
     # and the decompression performance on Windows is very terrible
     # so we reduce the number of cached files on non-Linux systems by remove node_modules from cache path.
     - name: Cache non-full yarn cache on non-Linux
-      uses: actions/cache@v4
+      uses: actions/cache@v3
       if: ${{ inputs.full-cache != 'true' && runner.os != 'Linux' }}
       with:
         path: |
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
 
     - name: Cache full yarn cache on Linux
-      uses: actions/cache@v4
+      uses: actions/cache@v3
       if: ${{ inputs.full-cache == 'true' && runner.os == 'Linux' }}
       with:
         path: |
           node_modules
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-full-${{ runner.os }}
 
     - name: Cache full yarn cache on non-Linux
-      uses: actions/cache@v4
+      uses: actions/cache@v3
       if: ${{ inputs.full-cache == 'true' && runner.os != 'Linux' }}
       with:
         path: |
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-full-${{ runner.os }}
 
     - name: yarn install
       if: ${{ inputs.package-install == 'true' }}
+      continue-on-error: true
+      shell: bash
+      run: yarn ${{ inputs.extra-flags }}
+      env:
+        HUSKY: '0'
+        PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
+        ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
+        SENTRYCLI_SKIP_DOWNLOAD: '1'
+        DEBUG: '*'
+
+    - name: yarn install (try again)
+      if: ${{ steps.install.outcome == 'failure' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn ${{ inputs.extra-flags }}
       env:
         HUSKY: '0'
@@ -145,7 +126,6 @@ runs:
       id: playwright-version
       if: ${{ inputs.playwright-install == 'true' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: echo "version=$(yarn why --json @playwright/test | grep -h 'workspace:.' | jq --raw-output '.children[].locator' | sed -e 's/@playwright\/test@.*://' | head -n 1)" >> $GITHUB_OUTPUT
 
       # Attempt to restore the correct Playwright browser binaries based on the
@@ -154,12 +134,12 @@ runs:
       # Note: Playwright's cache directory is hard coded because that's what it
       # says to do in the docs. There doesn't appear to be a command that prints
       # it out for us.
-    - uses: actions/cache@v4
+    - uses: actions/cache@v3
       id: playwright-cache
       if: ${{ inputs.playwright-install == 'true' }}
       with:
-        path: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright
-        key: '${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-playwright-${{ steps.playwright-version.outputs.version }}'
+        path: ${{ github.workspace }}/node_modules/.cache/ms-playwright
+        key: '${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}'
         # As a fallback, if the Playwright version has changed, try use the
         # most recently cached version. There's a good chance that at least one
         # of the browser binary versions haven't been updated, so Playwright can
@@ -169,44 +149,36 @@ runs:
         # date cache, but still let Playwright decide if it needs to download
         # new binaries or not.
         restore-keys: |
-          ${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-playwright-
+          ${{ runner.os }}-playwright-
 
     # If the Playwright browser binaries weren't able to be restored, we tell
     # playwright to install everything for us.
     - name: Install Playwright's dependencies
       shell: bash
       if: inputs.playwright-install == 'true'
-      run: yarn playwright install --with-deps $(echo "${{ inputs.playwright-platform }}" | tr ',' ' ')
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
+      run: yarn playwright install --with-deps chromium
       env:
-        PLAYWRIGHT_BROWSERS_PATH: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright
+        PLAYWRIGHT_BROWSERS_PATH: ${{ github.workspace }}/node_modules/.cache/ms-playwright
 
     - name: Get installed Electron version
       id: electron-version
       if: ${{ inputs.electron-install == 'true' }}
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       shell: bash
       run: |
         echo "version=$(yarn why --json electron | grep -h 'workspace:.' | jq --raw-output '.children[].locator' | sed -e 's/@playwright\/test@.*://' | head -n 1)" >> $GITHUB_OUTPUT
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@v3
       id: electron-cache
       if: ${{ inputs.electron-install == 'true' }}
       with:
-        path: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/electron
-        key: '${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-electron-${{ steps.electron-version.outputs.version }}'
+        path: 'node_modules/.cache/electron'
+        key: '${{ runner.os }}-electron-${{ steps.electron-version.outputs.version }}'
         restore-keys: |
-          ${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-electron-
+          ${{ runner.os }}-electron-
 
     - name: Install Electron binary
       shell: bash
       if: inputs.electron-install == 'true'
       run: node ./node_modules/electron/install.js
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       env:
-        electron_config_cache: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/electron
-
-    - name: Write PLAYWRIGHT_BROWSERS_PATH env
-      shell: bash
-      run: |
-        echo "PLAYWRIGHT_BROWSERS_PATH=${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright" >> $GITHUB_ENV
+        electron_config_cache: ./node_modules/.cache/electron

.github/actions/setup-version/action.yml

@@ -17,7 +17,7 @@ runs:
           PACKAGE_VERSION=$(node -p "require('./package.json').version")
           TIME_VERSION=$(date +%Y%m%d%H%M)
           GIT_SHORT_HASH=$(git rev-parse --short HEAD)
-          APP_VERSION=$PACKAGE_VERSION-nightly-$GIT_SHORT_HASH
+          APP_VERSION=$PACKAGE_VERSION-nightly-$TIME_VERSION-$GIT_SHORT_HASH
         fi
         echo $APP_VERSION
         echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"

.github/deployment/front/Dockerfile

@@ -1,8 +1,6 @@
-FROM openresty/openresty:1.27.1.1-0-buster
+FROM openresty/openresty:1.21.4.3-0-buster
 WORKDIR /app
-COPY ./packages/frontend/apps/web/dist ./dist
-COPY ./packages/frontend/admin/dist ./admin
-COPY ./packages/frontend/apps/mobile/dist ./mobile
+COPY ./packages/frontend/core/dist ./dist
 COPY ./.github/deployment/front/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
 COPY ./.github/deployment/front/affine.nginx.conf /etc/nginx/conf.d/affine.nginx.conf
 

.github/deployment/front/affine.nginx.conf

@@ -1,42 +1,13 @@
 server {
-  listen 8080;
-  location /admin {
-    root /app/;
-    index index.html;
-    try_files $uri/index.html $uri/ $uri /admin/index.html;
-  }
+    listen 8080;
+    root /app/dist;
 
-  set $app_root_path /app/dist/;
-  set $mobile_root /app/dist/;
-  set_by_lua $affine_env 'return os.getenv("AFFINE_ENV")';
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
 
-  if ($affine_env = "dev") {
-    set $mobile_root /app/mobile/;
-  }
-
-  # https://gist.github.com/mariusom/6683dc52b1cad1a1f372e908bdb209d0
-  if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino") {
-    set $app_root_path $mobile_root;
-  }
-
-  if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {
-    set $app_root_path $mobile_root;
-  }
-
-  location ~ ^/(_plugin|assets|imgs|js|plugins|static)/ {
-    root $app_root_path;
-    try_files $uri $uri/ =404;
-  }
-
-  location / {
-    root $app_root_path;
-    index index.html;
-    try_files $uri $uri/ /index.html;
-    add_header Cache-Control "private, no-cache, no-store, max-age=0, must-revalidate";
-  }
-
-  error_page 404 /404.html;
-  location = /404.html {
-    internal;
-  }
+    error_page 404 /404.html;
+    location = /404.html {
+        internal;
+    }
 }

.github/deployment/front/nginx.conf

@@ -1,15 +1,14 @@
-worker_processes 4;
+worker_processes  4;
 error_log /var/log/nginx/error.log warn;
 pcre_jit on;
-env AFFINE_ENV;
 events {
-  worker_connections 1024;
+    worker_connections 1024;
 }
 http {
-  include mime.types;
-  log_format main '$remote_addr [$time_local] "$request" '
-  '$status $body_bytes_sent "$http_referer" '
-  '"$http_user_agent" "$http_x_forwarded_for"';
-  access_log /var/log/nginx/access.log main;
-  include /etc/nginx/conf.d/*.conf;
+    include       mime.types;
+    log_format    main  '$remote_addr [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log    /var/log/nginx/access.log  main;
+    include /etc/nginx/conf.d/*.conf;
 }

.github/deployment/node/Dockerfile

@@ -1,13 +1,10 @@
-FROM node:22-bookworm-slim
+FROM node:18-bookworm-slim
 
 COPY ./packages/backend/server /app
-COPY ./packages/frontend/apps/web/dist /app/static
-COPY ./packages/frontend/admin/dist /app/static/admin
-COPY ./packages/frontend/apps/mobile/dist /app/static/mobile
 WORKDIR /app
 
 RUN apt-get update && \
   apt-get install -y --no-install-recommends openssl && \
   rm -rf /var/lib/apt/lists/*
 
-CMD ["node", "--import", "./scripts/register.js", "./dist/index.js"]
+CMD ["node", "--es-module-specifier-resolution=node", "./dist/index.js"]

.github/deployment/self-host/compose.yaml

@@ -1,60 +0,0 @@
-services:
-  affine:
-    image: ghcr.io/toeverything/affine-graphql:stable
-    container_name: affine_selfhosted
-    command:
-      ['sh', '-c', 'node ./scripts/self-host-predeploy && node ./dist/index.js']
-    ports:
-      - '3010:3010'
-      - '5555:5555'
-    depends_on:
-      redis:
-        condition: service_healthy
-      postgres:
-        condition: service_healthy
-    volumes:
-      # custom configurations
-      - ~/.affine/self-host/config:/root/.affine/config
-      # blob storage
-      - ~/.affine/self-host/storage:/root/.affine/storage
-    logging:
-      driver: 'json-file'
-      options:
-        max-size: '1000m'
-    restart: unless-stopped
-    environment:
-      - NODE_OPTIONS="--import=./scripts/register.js"
-      - AFFINE_CONFIG_PATH=/root/.affine/config
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgres://affine:affine@postgres:5432/affine
-      - NODE_ENV=production
-      # Telemetry allows us to collect data on how you use the affine. This data will helps us improve the app and provide better features.
-      # Uncomment next line if you wish to quit telemetry.
-      # - TELEMETRY_ENABLE=false
-  redis:
-    image: redis
-    container_name: affine_redis
-    restart: unless-stopped
-    volumes:
-      - ~/.affine/self-host/redis:/data
-    healthcheck:
-      test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping']
-      interval: 10s
-      timeout: 5s
-      retries: 5
-  postgres:
-    image: postgres:16
-    container_name: affine_postgres
-    restart: unless-stopped
-    volumes:
-      - ~/.affine/self-host/postgres:/var/lib/postgresql/data
-    healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U affine']
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    environment:
-      POSTGRES_USER: affine
-      POSTGRES_PASSWORD: affine
-      POSTGRES_DB: affine
-      PGDATA: /var/lib/postgresql/data/pgdata

.github/helm/affine/Chart.yaml

@@ -3,4 +3,4 @@ name: affine
 description: AFFiNE cloud chart
 type: application
 version: 0.0.0
-appVersion: "0.20.0"
+appVersion: "0.11.0"

.github/helm/affine/charts/doc/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: doc
-description: AFFiNE doc server
-type: application
-version: 0.0.0
-appVersion: "0.20.0"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/doc/templates/NOTES.txt

@@ -1,16 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "doc.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "doc.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "doc.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "doc.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

.github/helm/affine/charts/doc/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "doc.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "doc.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "doc.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "doc.labels" -}}
-helm.sh/chart: {{ include "doc.chart" . }}
-{{ include "doc.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "doc.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "doc.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "doc.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "doc.fullname" .) .Values.global.docService.name }}
-{{- else }}
-{{- default "default" .Values.global.docService.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/doc/templates/deployment.yaml

@@ -1,107 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "doc.fullname" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "doc.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "doc.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "doc.serviceAccountName" . }}
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_PRIVATE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
-                key: key
-          - name: NODE_ENV
-            value: "{{ .Values.env }}"
-          - name: NODE_OPTIONS
-            value: "--max-old-space-size=4096"
-          - name: NO_COLOR
-            value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
-          - name: SERVER_FLAVOR
-            value: "doc"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: pg-postgresql
-                key: postgres-password
-          - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_ENABLED
-            value: "true"
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: REDIS_SERVER_DATABASE
-            value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_SERVER_PORT
-            value: "{{ .Values.global.docService.port }}"
-          - name: AFFINE_SERVER_SUB_PATH
-            value: "{{ .Values.app.path }}"
-          - name: AFFINE_SERVER_HOST
-            value: "{{ .Values.app.host }}"
-          - name: AFFINE_SERVER_HTTPS
-            value: "{{ .Values.app.https }}"
-          ports:
-            - name: http
-              containerPort: {{ .Values.global.docService.port }}
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          readinessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

.github/helm/affine/charts/doc/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "doc.fullname" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.global.docService.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "doc.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/doc/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "doc.serviceAccountName" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

.github/helm/affine/charts/doc/templates/tests/test-connection.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "doc.fullname" . }}-test-connection"
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "doc.fullname" . }}:{{ .Values.global.docService.port }}']
-  restartPolicy: Never

.github/helm/affine/charts/doc/values.yaml

@@ -1,42 +0,0 @@
-replicaCount: 1
-image:
-  repository: ghcr.io/toeverything/affine-graphql
-  pullPolicy: IfNotPresent
-  tag: ''
-
-imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
-# map to NODE_ENV environment variable
-env: 'production'
-app:
-  # AFFINE_SERVER_SUB_PATH
-  path: ''
-  # AFFINE_SERVER_HOST
-  host: '0.0.0.0'
-  https: true
-  copilot:
-    enabled: false
-    secretName: copilot
-    openai:
-      key: ''
-serviceAccount:
-  create: true
-  annotations: {}
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-resources:
-  requests:
-    cpu: '1'
-    memory: 4Gi
-
-probe:
-  initialDelaySeconds: 20
-
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/gcloud-sql-proxy/templates/NOTES.txt

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 1. Get the application URL by running these commands:
 {{- if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gcloud-sql-proxy.fullname" . }})

.github/helm/affine/charts/gcloud-sql-proxy/templates/deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -42,7 +42,7 @@ spec:
             - "0.0.0.0"
             - "--structured-logs"
             - "--auto-iam-authn"
-            - "{{ .Values.database.connectionName }}"
+            - "{{ .Values.global.database.gcloud.connectionName }}"
           env:
             # Enable HTTP healthchecks on port 9801. This enables /liveness,
             # /readiness and /startup health check endpoints. Allow connections
@@ -56,7 +56,7 @@ spec:
               value: 0.0.0.0
           ports:
             - name: cloud-sql-proxy
-              containerPort: {{ .Values.service.port }}
+              containerPort: {{ .Values.global.database.gcloud.proxyPort }}
               protocol: TCP
             - containerPort: 9801
               protocol: TCP

.github/helm/affine/charts/gcloud-sql-proxy/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:

.github/helm/affine/charts/gcloud-sql-proxy/templates/serviceaccount.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount

.github/helm/affine/charts/gcloud-sql-proxy/templates/tests/test-connection.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: v1
 kind: Pod
 metadata:

.github/helm/affine/charts/gcloud-sql-proxy/values.yaml

@@ -1,5 +1,4 @@
 replicaCount: 3
-enabled: false
 
 image:
   # the tag is defined as chart appVersion.

.github/helm/affine/charts/graphql/Chart.yaml

@@ -3,7 +3,7 @@ name: graphql
 description: AFFiNE GraphQL server
 type: application
 version: 0.0.0
-appVersion: "0.20.0"
+appVersion: "0.11.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/graphql/templates/_helpers.tpl

@@ -61,3 +61,18 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "jwt.key" -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.jwt.secretName -}}
+{{- if and $secret $secret.data.private -}}
+{{/*
+   Reusing existing secret data
+*/}}
+key: {{ $secret.data.private }}
+{{- else -}}
+{{/*
+    Generate new data
+*/}}
+key: {{ genPrivateKey "ecdsa" | b64enc }}
+{{- end -}}
+{{- end -}}

.github/helm/affine/charts/graphql/templates/captcha-secret.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.app.captcha.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.captcha.secretName }}"
+type: Opaque
+data:
+  turnstileSecret: {{ .Values.app.captcha.turnstile.secret | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -28,32 +28,32 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-          - name: AFFINE_PRIVATE_KEY
+          - name: AUTH_PRIVATE_KEY
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
+                name: "{{ .Values.app.jwt.secretName }}"
                 key: key
           - name: NODE_ENV
             value: "{{ .Values.env }}"
           - name: NODE_OPTIONS
-            value: "--max-old-space-size=2048"
+            value: "--max-old-space-size=4096"
           - name: NO_COLOR
             value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
           - name: SERVER_FLAVOR
             value: "graphql"
           - name: AFFINE_ENV
             value: "{{ .Release.Namespace }}"
+          - name: NEXTAUTH_URL
+            value: "{{ .Values.global.ingress.host }}"
           - name: DATABASE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          - name: REDIS_SERVER_ENABLED
+            value: "true"
           - name: REDIS_SERVER_HOST
             value: "{{ .Values.global.redis.host }}"
           - name: REDIS_SERVER_PORT
@@ -73,22 +73,113 @@ spec:
             value: "{{ .Values.app.path }}"
           - name: AFFINE_SERVER_HOST
             value: "{{ .Values.app.host }}"
-          - name: AFFINE_SERVER_HTTPS
-            value: "{{ .Values.app.https }}"
-          - name: DOC_SERVICE_ENDPOINT
-            value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
+          - name: ENABLE_R2_OBJECT_STORAGE
+            value: "{{ .Values.app.objectStorage.r2.enabled }}"
+          - name: ENABLE_CAPTCHA
+            value: "{{ .Values.app.captcha.enabled }}"
+          - name: FEATURES_EARLY_ACCESS_PREVIEW
+            value: "{{ .Values.app.features.earlyAccessPreview }}"
+          - name: OAUTH_EMAIL_SENDER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: sender
+          - name: OAUTH_EMAIL_LOGIN
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: login
+          - name: OAUTH_EMAIL_SERVER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: server
+          - name: OAUTH_EMAIL_PORT
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: port
+          - name: OAUTH_EMAIL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: password
+          - name: STRIPE_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.payment.stripe.secretName }}"
+                key: stripeAPIKey
+          - name: STRIPE_WEBHOOK_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.payment.stripe.secretName }}"
+                key: stripeWebhookKey
+          - name: DOC_MERGE_INTERVAL
+            value: "{{ .Values.app.doc.mergeInterval }}"
+          {{ if .Values.app.experimental.enableJwstCodec }}
+          - name: DOC_MERGE_USE_JWST_CODEC
+            value: "true"
+          {{ end }}
+          {{ if .Values.app.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
+          {{ if .Values.app.captcha.enabled }}
+          - name: CAPTCHA_TURNSTILE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.captcha.secretName }}"
+                key: turnstileSecret
+          {{ end }}
+          {{ if .Values.app.oauth.google.enabled }}
+          - name: OAUTH_GOOGLE_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.google.secretName }}"
+                key: clientId
+          - name: OAUTH_GOOGLE_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.google.secretName }}"
+                key: clientSecret
+          {{ end }}
+          {{ if .Values.app.oauth.github.enabled }}
+          - name: OAUTH_GITHUB_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.github.secretName }}"
+                key: clientId
+          - name: OAUTH_GITHUB_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.github.secretName }}"
+                key: clientSecret
+          {{ end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           livenessProbe:
             httpGet:
-              path: /info
+              path: /
               port: http
             initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
           readinessProbe:
             httpGet:
-              path: /info
+              path: /
               port: http
             initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
           resources:

.github/helm/affine/charts/graphql/templates/jwt-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.jwt.secretName }}"
+type: Opaque
+data:
+{{- ( include "jwt.key" . ) | indent 2 -}}

.github/helm/affine/charts/graphql/templates/migration.yaml

@@ -22,28 +22,36 @@ spec:
             value: "{{ .Values.env }}"
           - name: AFFINE_ENV
             value: "{{ .Release.Namespace }}"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
           - name: DATABASE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
+          {{ if not .Values.global.database.gcloud.enabled }}
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
+          {{ if .Values.global.database.gcloud.enabled }}
+          - name: DATABASE_URL
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.gcloud.cloudSqlInternal }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
+          {{ if .Values.app.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
             valueFrom:
               secretKeyRef:
-                name: redis
-                key: redis-password
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
         resources:
           requests:
             cpu: '100m'

.github/helm/affine/charts/graphql/templates/oauth.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.email.secretName }}"
+type: Opaque
+data:
+  sender: "{{ .Values.app.oauth.email.sender | b64enc }}"
+  login: "{{ .Values.app.oauth.email.login | b64enc }}"
+  password: "{{ .Values.app.oauth.email.password | b64enc }}"
+  server: "{{ .Values.app.oauth.email.server | b64enc }}"
+  port: "{{ .Values.app.oauth.email.port | b64enc }}"
+---
+{{- if .Values.app.oauth.google.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.google.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.google.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.google.clientSecret | b64enc }}"
+{{- end }}
+---
+{{- if .Values.app.oauth.github.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.github.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.github.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.github.clientSecret | b64enc }}"
+{{- end }}

.github/helm/affine/charts/graphql/templates/payment.yml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.payment.stripe.secretName }}"
+type: Opaque
+data:
+  stripeAPIKey: "{{ .Values.app.payment.stripe.apiKey | b64enc }}"
+  stripeWebhookKey: "{{ .Values.app.payment.stripe.webhookKey | b64enc }}"

.github/helm/affine/charts/graphql/templates/r2-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.app.objectStorage.r2.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.objectStorage.r2.secretName }}"
+type: Opaque
+data:
+  accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
+  accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
+  secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/secret.yaml

@@ -1,18 +0,0 @@
-{{- $privateKey := default (genPrivateKey "ecdsa") .Values.global.secret.privateKey | b64enc | quote }}
-
-{{- if not .Values.global.secret.privateKey }}
-{{- $existingKey := (lookup "v1" "Secret" .Release.Namespace .Values.global.secret.secretName) }}
-{{- if $existingKey }}
-{{- $privateKey = index $existingKey.data "key" }}
-{{- end -}}
-{{- end -}}
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.global.secret.secretName }}
-  annotations:
-    "helm.sh/resource-policy": "keep"
-type: Opaque
-data:
-  key: {{ $privateKey }}

.github/helm/affine/charts/graphql/templates/service.yaml

@@ -4,10 +4,6 @@ metadata:
   name: {{ include "graphql.fullname" . }}
   labels:
     {{- include "graphql.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
 spec:
   type: {{ .Values.service.type }}
   ports:

.github/helm/affine/charts/graphql/values.yaml

@@ -10,12 +10,56 @@ fullnameOverride: ''
 # map to NODE_ENV environment variable
 env: 'production'
 app:
+  experimental:
+    enableJwstCodec: true
   # AFFINE_SERVER_SUB_PATH
   path: ''
   # AFFINE_SERVER_HOST
   host: '0.0.0.0'
-  https: true
-  
+  doc:
+    mergeInterval: "3000"
+  jwt:
+    secretName: jwt-private-key
+    # base64 encoded ecdsa private key
+    privateKey: ''
+  captcha:
+    enable: false
+    secretName: captcha
+    turnstile:
+      secret: ''
+  objectStorage:
+    r2:
+      enabled: false
+      secretName: r2
+      accountId: ''
+      accessKeyId: ''
+      secretAccessKey: ''
+  oauth:
+    email:
+      secretName: 'oauth-email'
+      sender: 'noreply@toeverything.info'
+      login: ''
+      password: ''
+      server: 'smtp.gmail.com'
+      port: '465'
+    google:
+      enabled: false
+      secretName: oauth-google
+      clientId: ''
+      clientSecret: ''
+    github:
+      enabled: false
+      secretName: oauth-github
+      clientId: ''
+      clientSecret: ''
+  payment:
+    stripe:
+      secretName: 'stripe'
+      apiKey: ''
+      webhookKey: ''
+  features:
+    earlyAccessPreview: false
+
 serviceAccount:
   create: true
   annotations: {}
@@ -28,8 +72,8 @@ podSecurityContext:
 
 resources:
   requests:
-    cpu: '2'
-    memory: 2Gi
+    cpu: '4'
+    memory: 4Gi
 
 probe:
   initialDelaySeconds: 20

.github/helm/affine/charts/renderer/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: renderer
-description: AFFiNE renderer server
-type: application
-version: 0.0.0
-appVersion: "0.16.0"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/renderer/templates/NOTES.txt

@@ -1,16 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "renderer.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "renderer.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "renderer.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "renderer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

.github/helm/affine/charts/renderer/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "renderer.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "renderer.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "renderer.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "renderer.labels" -}}
-helm.sh/chart: {{ include "renderer.chart" . }}
-{{ include "renderer.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "renderer.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "renderer.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "renderer.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "renderer.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/renderer/templates/deployment.yaml

@@ -1,109 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "renderer.fullname" . }}
-  labels:
-    {{- include "renderer.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "renderer.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "renderer.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "renderer.serviceAccountName" . }}
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_PRIVATE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
-                key: key
-          - name: NODE_ENV
-            value: "{{ .Values.env }}"
-          - name: NODE_OPTIONS
-            value: "--max-old-space-size=2048"
-          - name: NO_COLOR
-            value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
-          - name: SERVER_FLAVOR
-            value: "renderer"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: pg-postgresql
-                key: postgres-password
-          - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_ENABLED
-            value: "true"
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: REDIS_SERVER_DATABASE
-            value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_SERVER_PORT
-            value: "{{ .Values.service.port }}"
-          - name: AFFINE_SERVER_SUB_PATH
-            value: "{{ .Values.app.path }}"
-          - name: AFFINE_SERVER_HOST
-            value: "{{ .Values.app.host }}"
-          - name: AFFINE_SERVER_HTTPS
-            value: "{{ .Values.app.https }}"
-          - name: DOC_SERVICE_ENDPOINT
-            value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          readinessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

.github/helm/affine/charts/renderer/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "graphql.fullname" . }}
-  labels:
-    {{- include "graphql.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "graphql.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/renderer/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "graphql.serviceAccountName" . }}
-  labels:
-    {{- include "graphql.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

.github/helm/affine/charts/renderer/templates/tests/test-connection.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "renderer.fullname" . }}-test-connection"
-  labels:
-    {{- include "renderer.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "renderer.fullname" . }}:{{ .Values.service.port }}']
-  restartPolicy: Never

.github/helm/affine/charts/renderer/values.yaml

@@ -1,38 +0,0 @@
-replicaCount: 1
-image:
-  repository: ghcr.io/toeverything/affine-graphql
-  pullPolicy: IfNotPresent
-  tag: ''
-
-imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
-# map to NODE_ENV environment variable
-env: 'production'
-app:
-  # AFFINE_SERVER_SUB_PATH
-  path: ''
-  # AFFINE_SERVER_HOST
-  host: '0.0.0.0'
-  https: true
-serviceAccount:
-  create: true
-  annotations: {}
-  name: 'affine-renderer'
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-resources:
-  requests:
-    cpu: '1'
-    memory: 2Gi
-
-probe:
-  initialDelaySeconds: 20
-
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/sync/Chart.yaml

@@ -3,7 +3,7 @@ name: sync
 description: AFFiNE Sync Server
 type: application
 version: 0.0.0
-appVersion: "0.20.0"
+appVersion: "0.11.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/sync/templates/deployment.yaml

@@ -32,21 +32,14 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-          - name: AFFINE_PRIVATE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
-                key: key
           - name: NODE_ENV
             value: "{{ .Values.env }}"
           - name: NO_COLOR
             value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
           - name: SERVER_FLAVOR
             value: "sync"
+          - name: NEXTAUTH_URL
+            value: "{{ .Values.global.ingress.host }}"
           - name: AFFINE_ENV
             value: "{{ .Release.Namespace }}"
           - name: DATABASE_PASSWORD
@@ -55,7 +48,9 @@ spec:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          - name: REDIS_SERVER_ENABLED
+            value: "true"
           - name: REDIS_SERVER_HOST
             value: "{{ .Values.global.redis.host }}"
           - name: REDIS_SERVER_PORT
@@ -73,8 +68,6 @@ spec:
             value: "{{ .Values.service.port }}"
           - name: AFFINE_SERVER_HOST
             value: "{{ .Values.app.host }}"
-          - name: DOC_SERVICE_ENDPOINT
-            value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

.github/helm/affine/charts/sync/values.yaml

@@ -12,6 +12,7 @@ env: 'production'
 app:
   # AFFINE_SERVER_HOST
   host: '0.0.0.0'
+
 serviceAccount:
   create: true
   annotations: {}
@@ -24,11 +25,11 @@ podSecurityContext:
 
 resources:
   limits:
+    cpu: '4'
+    memory: 8Gi
+  requests:
     cpu: '2'
     memory: 4Gi
-  requests:
-    cpu: '1'
-    memory: 2Gi
 
 probe:
   initialDelaySeconds: 20

.github/helm/affine/charts/web/templates/deployment.yaml

@@ -27,9 +27,6 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

.github/helm/affine/templates/configmap.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Release.Name }}-runtime-config
-data:
-  web-assets-manifest: |-
-    {{ .Files.Get "web-assets-manifest.json" | nindent 4 }}
-  mobile-assets-manifest: |-
-    {{ .Files.Get "mobile-assets-manifest.json" | nindent 4 }}

.github/helm/affine/templates/ingress.yaml

@@ -60,13 +60,6 @@ spec:
                 name: affine-graphql
                 port:
                   number: {{ .Values.graphql.service.port }}
-          - path: /workspace
-            pathType: Prefix
-            backend:
-              service:
-                name: affine-renderer
-                port:
-                  number: {{ .Values.renderer.service.port }}
           - path: /
             pathType: Prefix
             backend:

.github/helm/affine/values.yaml

@@ -1,60 +1,44 @@
 global:
-  app:
-    buildType: 'stable'
   ingress:
     enabled: false
     className: ''
     host: affine.pro
     tls: []
-  secret:
-    secretName: 'server-private-key'
-    privateKey: ''
   database:
     user: 'postgres'
-    host: 'pg-postgresql'
+    url: 'pg-postgresql'
     port: '5432'
     name: 'affine'
     password: ''
+    gcloud:
+      enabled: false
+      # use for migration
+      cloudSqlInternal: ''
+      connectionName: ''
+      serviceAccount: ''
+      cloudProxyReplicas: 3
+      proxyPort: '5432'
   redis:
+    enabled: true
     host: 'redis-master'
     port: '6379'
     username: ''
     password: ''
     database: 0
-  docService:
-    name: 'affine-doc'
-    port: 3020
-  deployment:
-    # change to 'selfhosted' and 'unknown' if this chart is ready to be used for selfhosted deployment
-    type: 'affine'
-    platform: 'gcp'
+  gke:
+    enabled: true
 
 graphql:
   service:
     type: ClusterIP
     port: 3000
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
 
 sync:
   service:
     type: ClusterIP
     port: 3010
     annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
-
-renderer:
-  service:
-    type: ClusterIP
-    port: 3000
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
-
-doc:
-  service:
-    type: ClusterIP
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
+      cloud.google.com/backend-config: '{"default": "affine-backendconfig"}'
 
 web:
   service:

.github/helm/separate-config/Dockerfile_pgvector

@@ -1,6 +0,0 @@
-FROM pgvector/pgvector:pg15 AS builder
-
-FROM bitnami/postgresql:15
-
-COPY --from=builder /usr/lib/postgresql/15/lib/vector.so /opt/bitnami/postgresql/lib/
-COPY --from=builder /usr/share/postgresql/15/extension/vector* /opt/bitnami/postgresql/share/extension/

.github/helm/separate-config/backend-config.yaml

@@ -1,10 +0,0 @@
-apiVersion: cloud.google.com/v1
-kind: BackendConfig
-metadata:
-  name: "affine-api-backendconfig"
-spec:
-  healthCheck:
-    timeoutSec: 1
-    type: HTTP
-    requestPath: /info
-

.github/labeler.yml

@@ -29,6 +29,16 @@ mod:plugin-cli:
       - any-glob-to-any-file:
           - 'tools/plugin-cli/**/*'
 
+mod:workspace:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'packages/common/workspace/**/*'
+
+mod:workspace-impl:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'packages/frontend/workspace-impl/**/*'
+
 mod:i18n:
   - changed-files:
       - any-glob-to-any-file:
@@ -44,10 +54,10 @@ mod:component:
       - any-glob-to-any-file:
           - 'packages/frontend/component/**/*'
 
-mod:server-native:
+mod:storage:
   - changed-files:
       - any-glob-to-any-file:
-          - 'packages/backend/native/**/*'
+          - 'packages/backend/storage/**/*'
 
 mod:native:
   - changed-files:
@@ -69,6 +79,11 @@ rust:
           - '**/rust-toolchain.toml'
           - '**/rustfmt.toml'
 
+package:y-indexeddb:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'packages/common/y-indexeddb/**/*'
+
 app:core:
   - changed-files:
       - any-glob-to-any-file:
@@ -77,7 +92,7 @@ app:core:
 app:electron:
   - changed-files:
       - any-glob-to-any-file:
-          - 'packages/frontend/apps/electron/**/*'
+          - 'packages/frontend/electron/**/*'
 
 app:server:
   - changed-files:

.github/renovate.json

@@ -7,67 +7,71 @@
     "**/bower_components/**",
     "**/vendor/**",
     "**/examples/**",
-    "**/__tests__/**"
+    "**/__tests__/**",
+    "**/test/**",
+    "**/__fixtures__/**"
   ],
   "packageRules": [
     {
+      "matchPackageNames": ["napi", "napi-build", "napi-derive"],
       "rangeStrategy": "replace",
-      "groupName": "linter",
-      "matchPackageNames": ["/^eslint/", "/^@typescript-eslint/"]
+      "groupName": "napi-rs"
     },
     {
-      "matchDepNames": ["oxlint"],
+      "matchPackagePatterns": ["^eslint", "^@typescript-eslint"],
       "rangeStrategy": "replace",
-      "groupName": "oxlint"
+      "groupName": "linter"
     },
     {
-      "groupName": "blocksuite",
+      "matchPackagePatterns": ["^@nestjs"],
       "rangeStrategy": "replace",
-      "changelogUrl": "https://github.com/toeverything/blocksuite/blob/master/packages/blocks/CHANGELOG.md",
-      "matchPackageNames": ["/^@blocksuite/", "!@blocksuite/icons"]
+      "groupName": "nestjs"
+    },
+    {
+      "matchPackagePatterns": ["^@opentelemetry"],
+      "rangeStrategy": "replace",
+      "groupName": "opentelemetry"
+    },
+    {
+      "matchPackageNames": [
+        "@prisma/client",
+        "@prisma/instrumentation",
+        "prisma"
+      ],
+      "rangeStrategy": "replace",
+      "groupName": "prisma"
+    },
+    {
+      "matchPackagePatterns": ["^@electron-forge"],
+      "rangeStrategy": "replace",
+      "groupName": "electron-forge"
+    },
+    {
+      "groupName": "blocksuite-nightly",
+      "matchPackagePatterns": ["^@blocksuite"],
+      "excludePackageNames": ["@blocksuite/icons"],
+      "rangeStrategy": "replace",
+      "followTag": "nightly"
     },
     {
       "groupName": "all non-major dependencies",
       "groupSlug": "all-minor-patch",
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchPackageNames": ["*", "!/^@blocksuite//", "!/oxlint/"]
+      "matchPackagePatterns": ["*"],
+      "excludePackagePatterns": ["^@blocksuite/"],
+      "matchUpdateTypes": ["minor", "patch"]
     },
     {
-      "groupName": "rust toolchain",
-      "matchManagers": ["custom.regex"],
-      "matchDepNames": ["rustc"]
-    },
-    {
-      "groupName": "nestjs",
-      "matchPackageNames": ["/^@nestjs/"]
-    },
-    {
-      "groupName": "opentelemetry",
-      "matchPackageNames": [
-        "/^@opentelemetry/",
-        "/^@google-cloud\/opentelemetry-/"
-      ]
+      "matchPackagePatterns": ["*"],
+      "rangeStrategy": "replace",
+      "excludePackagePatterns": ["^@blocksuite/"]
     }
   ],
   "commitMessagePrefix": "chore: ",
   "commitMessageAction": "bump up",
   "commitMessageTopic": "{{depName}} version",
   "ignoreDeps": [],
-  "postUpdateOptions": ["yarnDedupeHighest"],
   "lockFileMaintenance": {
     "enabled": true,
     "extends": ["schedule:weekly"]
-  },
-  "customManagers": [
-    {
-      "customType": "regex",
-      "fileMatch": ["^rust-toolchain\\.toml?$"],
-      "matchStrings": [
-        "channel\\s*=\\s*\"(?<currentValue>\\d+\\.\\d+(\\.\\d+)?)\""
-      ],
-      "depNameTemplate": "rustc",
-      "packageNameTemplate": "rust-lang/rust",
-      "datasourceTemplate": "github-releases"
-    }
-  ]
+  }
 }

.github/workflows/build-images.yml

@@ -1,290 +0,0 @@
-name: Build Images
-
-on:
-  workflow_call:
-    inputs:
-      flavor:
-        type: string
-        required: true
-
-permissions:
-  contents: 'write'
-  id-token: 'write'
-  packages: 'write'
-
-jobs:
-  build-server:
-    name: Build Server
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          extra-flags: workspaces focus @affine/server @types/affine__env
-      - name: Build Server
-        run: |
-          find packages/backend/server/src -type d -name "__tests__" -exec rm -rf {} +
-          rm -rf packages/backend/server/src/seed
-          yarn workspace @affine/server build
-      - name: Upload server dist
-        uses: actions/upload-artifact@v4
-        with:
-          name: server-dist
-          path: ./packages/backend/server/dist
-          if-no-files-found: error
-
-  build-web:
-    name: Build @affine/web
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Build Core
-        run: yarn affine @affine/web build
-        env:
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine-web'
-          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-      - name: Upload web artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: web
-          path: ./packages/frontend/apps/web/dist
-          if-no-files-found: error
-
-  build-admin:
-    name: Build @affine/admin
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Build Admin
-        run: yarn affine @affine/admin build
-        env:
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine-admin'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-      - name: Upload admin artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: admin
-          path: ./packages/frontend/admin/dist
-          if-no-files-found: error
-
-  build-mobile:
-    name: Build @affine/mobile
-    runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Build Mobile
-        run: yarn affine @affine/mobile build
-        env:
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          BUILD_TYPE: ${{ github.event.inputs.flavor }}
-          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine-mobile'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          PERFSEE_TOKEN: ${{ secrets.PERFSEE_TOKEN }}
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-      - name: Upload mobile artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: mobile
-          path: ./packages/frontend/apps/mobile/dist
-          if-no-files-found: error
-
-  build-server-native:
-    name: Build Server native - ${{ matrix.targets.name }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        targets:
-          - name: x86_64-unknown-linux-gnu
-            file: server-native.node
-          - name: aarch64-unknown-linux-gnu
-            file: server-native.arm64.node
-          - name: armv7-unknown-linux-gnueabihf
-            file: server-native.armv7.node
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          extra-flags: workspaces focus @affine/server-native
-      - name: Build Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.targets.name }}
-          package: '@affine/server-native'
-      - name: Upload ${{ matrix.targets.file }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.targets.file }}
-          path: ./packages/backend/native/server-native.node
-          if-no-files-found: error
-
-  build-images:
-    name: Build Images
-    runs-on: ubuntu-latest
-    needs:
-      - build-server
-      - build-web
-      - build-mobile
-      - build-admin
-      - build-server-native
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download server dist
-        uses: actions/download-artifact@v4
-        with:
-          name: server-dist
-          path: ./packages/backend/server/dist
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-      - name: Download server-native.node arm64
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.arm64.node
-          path: ./packages/backend/native
-      - name: Download server-native.node arm64
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.armv7.node
-          path: .
-      - name: move server-native files
-        run: |
-          mv ./packages/backend/native/server-native.node ./packages/backend/server/server-native.arm64.node
-          mv server-native.node ./packages/backend/server/server-native.armv7.node
-      - name: Setup env
-        run: |
-          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-          if [ -z "${{ inputs.flavor }}" ]
-          then
-            echo "RELEASE_FLAVOR=canary" >> "$GITHUB_ENV"
-          else
-            echo "RELEASE_FLAVOR=${{ inputs.flavor }}" >> "$GITHUB_ENV"
-          fi
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          logout: false
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      # setup node without cache configuration
-      # Prisma cache is not compatible with docker build cache
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          registry-url: https://npm.pkg.github.com
-          scope: '@toeverything'
-
-      - name: Download web artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: web
-          path: ./packages/frontend/apps/web/dist
-
-      - name: Download mobile artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: mobile
-          path: ./packages/frontend/apps/mobile/dist
-
-      - name: Download admin artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: admin
-          path: ./packages/frontend/admin/dist
-
-      - name: Install Node.js dependencies
-        run: |
-          yarn config set --json supportedArchitectures.cpu '["x64", "arm64", "arm"]'
-          yarn config set --json supportedArchitectures.libc '["glibc"]'
-          yarn workspaces focus @affine/server --production
-
-      - name: Generate Prisma client
-        run: yarn workspace @affine/server prisma generate
-
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-
-      - name: Build front Dockerfile
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          pull: true
-          platforms: linux/amd64,linux/arm64
-          provenance: true
-          file: .github/deployment/front/Dockerfile
-          tags: ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}
-
-      - name: Build graphql Dockerfile
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          pull: true
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          provenance: true
-          file: .github/deployment/node/Dockerfile
-          tags: ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}

.github/workflows/build-selfhost-image.yml

@@ -1,25 +0,0 @@
-name: Build Selfhost Image
-
-on:
-  workflow_dispatch:
-    inputs:
-      flavor:
-        description: 'Select distribution to build'
-        type: choice
-        default: canary
-        options:
-          - canary
-          - beta
-          - stable
-
-permissions:
-  contents: 'write'
-  id-token: 'write'
-  packages: 'write'
-
-jobs:
-  build-image:
-    name: Build Image
-    uses: ./.github/workflows/build-images.yml
-    with:
-      flavor: ${{ github.event.inputs.flavor }}

.github/workflows/copilot-test-automatically.yml

@@ -1,29 +0,0 @@
-name: Copilot Test Automatically
-
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
-  schedule:
-    - cron: '0 8 * * *'
-  workflow_dispatch:
-
-permissions:
-  actions: write
-
-jobs:
-  dispatch-test:
-    runs-on: ubuntu-latest
-    name: Setup Test
-    steps:
-      - name: dispatch test by tag
-        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: copilot-test.yml
-      - name: dispatch test by schedule
-        if: ${{ github.event_name == 'schedule' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: copilot-test.yml
-          ref: canary

.github/workflows/copilot-test.yml

@@ -1,204 +0,0 @@
-name: Copilot Cron Test
-
-on:
-  workflow_dispatch:
-
-jobs:
-  build-server-native:
-    name: Build Server native
-    runs-on: ubuntu-latest
-    env:
-      CARGO_PROFILE_RELEASE_DEBUG: '1'
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/server-native
-          electron-install: false
-      - name: Build Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'x86_64-unknown-linux-gnu'
-          package: '@affine/server-native'
-      - name: Upload server-native.node
-        uses: actions/upload-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/native/server-native.node
-          if-no-files-found: error
-
-  copilot-api-test:
-    name: Server Copilot Api Test
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-native
-    env:
-      NODE_ENV: test
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-      REDIS_SERVER_HOST: localhost
-    services:
-      postgres:
-        image: pgvector/pgvector:pg16
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      redis:
-        image: redis
-        ports:
-          - 6379:6379
-      mailer:
-        image: mailhog/mailhog
-        ports:
-          - 1025:1025
-          - 8025:8025
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          full-cache: true
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Prepare Server Test Environment
-        env:
-          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          COPILOT_FAL_API_KEY: ${{ secrets.COPILOT_FAL_API_KEY }}
-          COPILOT_GOOGLE_API_KEY: ${{ secrets.COPILOT_GOOGLE_API_KEY }}
-          COPILOT_PERPLEXITY_API_KEY: ${{ secrets.COPILOT_PERPLEXITY_API_KEY }}
-        uses: ./.github/actions/server-test-env
-
-      - name: Run server tests
-        run: yarn affine @affine/server test:copilot:coverage --forbid-only
-        env:
-          CARGO_TARGET_DIR: '${{ github.workspace }}/target'
-
-      - name: Upload server test coverage results
-        uses: codecov/codecov-action@v5
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./packages/backend/server/.coverage/lcov.info
-          flags: server-test
-          name: affine
-          fail_ci_if_error: false
-
-  copilot-e2e-test:
-    name: Frontend Copilot E2E Test
-    runs-on: ubuntu-latest
-    env:
-      DISTRIBUTION: web
-      DATABASE_URL: postgresql://affine:affine@localhost:5432/affine
-      REDIS_SERVER_HOST: localhost
-      IN_CI_TEST: true
-    strategy:
-      fail-fast: false
-      matrix:
-        shardIndex: [1, 2, 3]
-        shardTotal: [3]
-    needs:
-      - build-server-native
-    services:
-      postgres:
-        image: pgvector/pgvector:pg16
-        env:
-          POSTGRES_PASSWORD: affine
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
-      redis:
-        image: redis
-        ports:
-          - 6379:6379
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          playwright-install: true
-          electron-install: false
-          hard-link-nm: false
-
-      - name: Download server-native.node
-        uses: actions/download-artifact@v4
-        with:
-          name: server-native.node
-          path: ./packages/backend/server
-
-      - name: Prepare Server Test Environment
-        env:
-          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          COPILOT_FAL_API_KEY: ${{ secrets.COPILOT_FAL_API_KEY }}
-          COPILOT_GOOGLE_API_KEY: ${{ secrets.COPILOT_GOOGLE_API_KEY }}
-          COPILOT_PERPLEXITY_API_KEY: ${{ secrets.COPILOT_PERPLEXITY_API_KEY }}
-        uses: ./.github/actions/server-test-env
-
-      - name: Run Copilot E2E Test ${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-        uses: ./.github/actions/copilot-test
-        with:
-          script: yarn affine @affine-test/affine-cloud-copilot e2e --forbid-only --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-
-  test-done:
-    needs:
-      - copilot-api-test
-      - copilot-e2e-test
-    if: always()
-    runs-on: ubuntu-latest
-    name: Post test result message
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: 'workspaces focus @affine/copilot-result'
-          electron-install: false
-      - name: Post Success event to a Slack channel
-        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: success
-      - name: Post Failed event to a Slack channel
-        id: failed-slack
-        if: ${{ always() && contains(needs.*.result, 'failure') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: failed
-      - name: Post Cancel event to a Slack channel
-        id: cancel-slack
-        if: ${{ always() && contains(needs.*.result, 'cancelled') && !contains(needs.*.result, 'failure') }}
-        run: node ./tools/copilot-result/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          BRANCH_SHA: ${{ github.sha }}
-          BRANCH_NAME: ${{ github.ref }}
-          COPILOT_RESULT: canceled

.github/workflows/deploy-automatically.yml

@@ -7,11 +7,6 @@ on:
   schedule:
     - cron: '0 9 * * *'
 
-permissions:
-  contents: write
-  pull-requests: write
-  actions: write
-
 jobs:
   dispatch-deploy:
     runs-on: ubuntu-latest

.github/workflows/deploy.yml

@@ -12,67 +12,212 @@ on:
           - beta
           - stable
           - internal
-
-permissions:
-  contents: 'write'
-  id-token: 'write'
-  packages: 'write'
+env:
+  APP_NAME: affine
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 
 jobs:
-  output-prev-version:
-    name: Output previous version
+  build-server:
+    name: Build Server
     runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.flavor }}
-    outputs:
-      prev: ${{ steps.print.outputs.version }}
-      namespace: ${{ steps.print.outputs.namespace }}
     steps:
       - uses: actions/checkout@v4
-      - name: Auth to Cluster
-        uses: './.github/actions/cluster-auth'
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
         with:
-          gcp-project-number: ${{ secrets.GCP_PROJECT_NUMBER }}
-          gcp-project-id: ${{ secrets.GCP_PROJECT_ID }}
-          service-account: ${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}
-          cluster-name: ${{ secrets.GCP_CLUSTER_NAME }}
-          cluster-location: ${{ secrets.GCP_CLUSTER_LOCATION }}
-      - name: Output previous version
-        id: print
+          electron-install: false
+      - name: Build Server
+        run: yarn workspace @affine/server build
+      - name: Upload server dist
+        uses: actions/upload-artifact@v4
+        with:
+          name: server-dist
+          path: ./packages/backend/server/dist
+          if-no-files-found: error
+  build-core:
+    name: Build @affine/core
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.flavor }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Core
+        run: yarn nx build @affine/core --skip-nx-cache
+        env:
+          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          BUILD_TYPE: ${{ github.event.inputs.flavor }}
+          SHOULD_REPORT_TRACE: true
+          TRACE_REPORT_ENDPOINT: ${{ secrets.TRACE_REPORT_ENDPOINT }}
+          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+      - name: Upload core artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: core
+          path: ./packages/frontend/core/dist
+          if-no-files-found: error
+
+  build-storage:
+    name: Build Storage
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Rust
+        uses: ./.github/actions/build-rust
+        with:
+          target: 'x86_64-unknown-linux-gnu'
+          package: '@affine/storage'
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - name: Upload storage.node
+        uses: actions/upload-artifact@v4
+        with:
+          name: storage.node
+          path: ./packages/backend/storage/storage.node
+          if-no-files-found: error
+
+  build-storage-arm64:
+    name: Build Storage arm64
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Build Rust
+        uses: ./.github/actions/build-rust
+        with:
+          target: 'aarch64-unknown-linux-gnu'
+          package: '@affine/storage'
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - name: Upload storage.node
+        uses: actions/upload-artifact@v4
+        with:
+          name: storage.arm64.node
+          path: ./packages/backend/storage/storage.node
+          if-no-files-found: error
+
+  build-docker:
+    name: Build Docker
+    runs-on: ubuntu-latest
+    needs:
+      - build-server
+      - build-core
+      - build-storage
+      - build-storage-arm64
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download core artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: core
+          path: ./packages/frontend/core/dist
+      - name: Download server dist
+        uses: actions/download-artifact@v4
+        with:
+          name: server-dist
+          path: ./packages/backend/server/dist
+      - name: Download storage.node
+        uses: actions/download-artifact@v4
+        with:
+          name: storage.node
+          path: ./packages/backend/server
+      - name: Download storage.node arm64
+        uses: actions/download-artifact@v4
+        with:
+          name: storage.arm64.node
+          path: ./packages/backend/storage
+      - name: move storage.arm64.node
+        run: mv ./packages/backend/storage/storage.node ./packages/backend/server/storage.arm64.node
+      - name: Setup env
         run: |
-          namespace=""
-          if [ "${{ github.event.inputs.flavor }}" = "canary" ]; then
-            namespace="dev"
-          elif [ "${{ github.event.inputs.flavor }}" = "beta" ]; then
-            namespace="beta"
-          elif [ "${{ github.event.inputs.flavor }}" = "stable" ]; then
-            namespace="production"
+          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
+          if [ -z "${{ inputs.flavor }}" ]
+          then
+            echo "RELEASE_FLAVOR=canary" >> "$GITHUB_ENV"
           else
-            echo "Invalid flavor: ${{ github.event.inputs.flavor }}"
-            exit 1
+            echo "RELEASE_FLAVOR=${{ inputs.flavor }}" >> "$GITHUB_ENV"
           fi
 
-          echo "Namespace set to: $namespace"
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          logout: false
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build front Dockerfile
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          pull: true
+          platforms: linux/amd64,linux/arm64
+          provenance: true
+          file: .github/deployment/front/Dockerfile
+          tags: ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-front:${{env.RELEASE_FLAVOR}}
 
-          # Get the previous version from the deployment
-          prev_version=$(kubectl get deployment -n $namespace affine-graphql -o=jsonpath='{.spec.template.spec.containers[0].image}' | awk -F '-' '{print $3}')
+      # setup node without cache configuration
+      # Prisma cache is not compatible with docker build cache
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          registry-url: https://npm.pkg.github.com
+          scope: '@toeverything'
 
-          echo "Previous version: $prev_version"
-          echo "version=$prev_version" >> $GITHUB_OUTPUT
-          echo "namesapce=$namespace" >> $GITHUB_OUTPUT
+      - name: Install Node.js dependencies
+        run: |
+          yarn config set --json supportedArchitectures.cpu '["x64", "arm64"]'
+          yarn workspaces focus @affine/server --production
 
-  build-images:
-    name: Build Images
-    uses: ./.github/workflows/build-images.yml
-    secrets: inherit
-    with:
-      flavor: ${{ github.event.inputs.flavor }}
+      - name: Generate Prisma client
+        run: yarn workspace @affine/server prisma generate
+
+      - name: Build graphql Dockerfile
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          pull: true
+          platforms: linux/amd64,linux/arm64
+          provenance: true
+          file: .github/deployment/node/Dockerfile
+          tags: ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}-${{ env.GIT_SHORT_HASH }},ghcr.io/toeverything/affine-graphql:${{env.RELEASE_FLAVOR}}
 
   deploy:
     name: Deploy to cluster
     if: ${{ github.event_name == 'workflow_dispatch' }}
     environment: ${{ github.event.inputs.flavor }}
+    permissions:
+      contents: 'write'
+      id-token: 'write'
     needs:
-      - build-images
+      - build-docker
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -95,16 +240,11 @@ jobs:
           R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
           R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
           R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          ENABLE_CAPTCHA: true
           CAPTCHA_TURNSTILE_SECRET: ${{ secrets.CAPTCHA_TURNSTILE_SECRET }}
-          COPILOT_OPENAI_API_KEY: ${{ secrets.COPILOT_OPENAI_API_KEY }}
-          COPILOT_FAL_API_KEY: ${{ secrets.COPILOT_FAL_API_KEY }}
-          COPILOT_GOOGLE_API_KEY: ${{ secrets.COPILOT_GOOGLE_API_KEY }}
-          COPILOT_PERPLEXITY_API_KEY: ${{ secrets.COPILOT_PERPLEXITY_API_KEY }}
-          COPILOT_UNSPLASH_API_KEY: ${{ secrets.COPILOT_UNSPLASH_API_KEY }}
-          METRICS_CUSTOMER_IO_TOKEN: ${{ secrets.METRICS_CUSTOMER_IO_TOKEN }}
-          MAILER_SENDER: ${{ secrets.OAUTH_EMAIL_SENDER }}
-          MAILER_USER: ${{ secrets.OAUTH_EMAIL_LOGIN }}
-          MAILER_PASSWORD: ${{ secrets.OAUTH_EMAIL_PASSWORD }}
+          OAUTH_EMAIL_SENDER: ${{ secrets.OAUTH_EMAIL_SENDER }}
+          OAUTH_EMAIL_LOGIN: ${{ secrets.OAUTH_EMAIL_LOGIN }}
+          OAUTH_EMAIL_PASSWORD: ${{ secrets.OAUTH_EMAIL_PASSWORD }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AFFINE_GOOGLE_CLIENT_ID: ${{ secrets.AFFINE_GOOGLE_CLIENT_ID }}
           AFFINE_GOOGLE_CLIENT_SECRET: ${{ secrets.AFFINE_GOOGLE_CLIENT_SECRET }}
@@ -114,91 +254,9 @@ jobs:
           DATABASE_NAME: ${{ secrets.DATABASE_NAME }}
           GCLOUD_CONNECTION_NAME: ${{ secrets.GCLOUD_CONNECTION_NAME }}
           GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT: ${{ secrets.GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT }}
-          REDIS_SERVER_HOST: ${{ secrets.REDIS_SERVER_HOST }}
-          REDIS_SERVER_PASSWORD: ${{ secrets.REDIS_SERVER_PASSWORD }}
+          REDIS_HOST: ${{ secrets.REDIS_HOST }}
+          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
           CLOUD_SQL_IAM_ACCOUNT: ${{ secrets.CLOUD_SQL_IAM_ACCOUNT }}
-          APP_IAM_ACCOUNT: ${{ secrets.APP_IAM_ACCOUNT }}
           STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
           STRIPE_WEBHOOK_KEY: ${{ secrets.STRIPE_WEBHOOK_KEY }}
           STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}
-
-  deploy-done:
-    needs:
-      - output-prev-version
-      - build-images
-      - deploy
-    if: always()
-    runs-on: ubuntu-latest
-    name: Post deploy message
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: actions/checkout@v4
-        with:
-          repository: toeverything/blocksuite
-          path: blocksuite
-          fetch-depth: 0
-          fetch-tags: true
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: 'workspaces focus @affine/changelog'
-          electron-install: false
-      - name: Output deployed info
-        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-        id: set_info
-        run: |
-          if [ "${{ github.event.inputs.flavor }}" = "canary" ]; then
-            echo "deployed_url=https://affine.fail" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event.inputs.flavor }}" = "beta" ]; then
-            echo "deployed_url=https://insider.affine.pro" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event.inputs.flavor }}" = "stable" ]; then
-            echo "deployed_url=https://app.affine.pro" >> $GITHUB_OUTPUT
-          else
-            exit 1
-          fi
-        env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-      - name: Post Success event to a Slack channel
-        if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-        run: node ./tools/changelog/index.js
-        env:
-          CHANNEL_ID: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-          DEPLOYED_URL: ${{ steps.set_info.outputs.deployed_url }}
-          PREV_VERSION: ${{ needs.output-prev-version.outputs.prev }}
-          NAMESPACE: ${{ needs.output-prev-version.outputs.namespace }}
-          DEPLOYMENT: 'SERVER'
-          FLAVOR: ${{ github.event.inputs.flavor }}
-          BLOCKSUITE_REPO_PATH: ${{ github.workspace }}/blocksuite
-      - name: Post Failed event to a Slack channel
-        id: failed-slack
-        uses: slackapi/slack-github-action@v2.0.0
-        if: ${{ always() && contains(needs.*.result, 'failure') }}
-        with:
-          method: chat.postMessage
-          token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload: |
-            channel: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-            text: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy failed `${{ github.event.inputs.flavor }}`>"
-            blocks:
-              - type: section
-                text:
-                  type: mrkdwn
-                  text: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy failed `${{ github.event.inputs.flavor }}`>"
-      - name: Post Cancel event to a Slack channel
-        id: cancel-slack
-        uses: slackapi/slack-github-action@v2.0.0
-        if: ${{ always() && contains(needs.*.result, 'cancelled') && !contains(needs.*.result, 'failure') }}
-        with:
-          token: ${{ secrets.SLACK_BOT_TOKEN }}
-          method: chat.postMessage
-          payload: |
-            channel: ${{ secrets.RELEASE_SLACK_CHNNEL_ID }}
-            text: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy cancelled `${{ github.event.inputs.flavor }}`>"
-            blocks:
-              - type: section
-                text:
-                  type: mrkdwn
-                  text: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Backend deploy cancelled `${{ github.event.inputs.flavor }}`>"

.github/workflows/helm-releaser.yml

@@ -24,7 +24,7 @@ jobs:
           token: ${{ secrets.HELM_RELEASER_TOKEN }}
 
       - name: Install Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v3
 
       - name: Install chart releaser
         run: |

.github/workflows/languages-sync.yml

@@ -0,0 +1,35 @@
+name: Languages Sync
+
+on:
+  push:
+    branches: ['canary']
+    paths:
+      - 'packages/frontend/i18n/**'
+      - '.github/workflows/languages-sync.yml'
+      - '!.github/actions/setup-node/action.yml'
+  pull_request_target:
+    branches: ['canary']
+    paths:
+      - 'packages/frontend/i18n/**'
+      - '.github/workflows/languages-sync.yml'
+      - '!.github/actions/setup-node/action.yml'
+  workflow_dispatch:
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+      - name: Check Language Key
+        if: github.ref != 'refs/heads/canary'
+        run: yarn workspace @affine/i18n run sync-languages:check
+        env:
+          TOLGEE_API_KEY: ${{ secrets.TOLGEE_API_KEY }}
+
+      - name: Sync Languages
+        if: github.ref == 'refs/heads/canary'
+        run: yarn workspace @affine/i18n run sync-languages
+        env:
+          TOLGEE_API_KEY: ${{ secrets.TOLGEE_API_KEY }}

.github/workflows/pr-auto-assign.yml

@@ -9,4 +9,4 @@ jobs:
   add-reviews:
     runs-on: ubuntu-latest
     steps:
-      - uses: kentaro-m/auto-assign-action@v2.0.0
+      - uses: kentaro-m/auto-assign-action@v1.2.5

.github/workflows/pr-title-lint.yml

@@ -25,7 +25,4 @@ jobs:
           node-version-file: '.nvmrc'
       - name: Install dependencies
         run: yarn workspaces focus @affine/commitlint-config
-      - name: Check PR title
-        env:
-          TITLE: ${{ github.event.pull_request.title }}
-        run: echo "$TITLE" | yarn workspace @affine/commitlint-config commitlint -g ./.commitlintrc.json
+      - run: echo "${{ github.event.pull_request.title }}" | yarn workspace @affine/commitlint-config commitlint -g ./.commitlintrc.json

.github/workflows/publish-storybook.yml

@@ -0,0 +1,51 @@
+name: Publish Storybook
+
+env:
+  NODE_OPTIONS: --max-old-space-size=4096
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - canary
+  pull_request:
+    branches:
+      - canary
+    paths-ignore:
+      - README.md
+      - .github/**
+      - packages/backend/server
+      - packages/frontend/electron
+      - '!.github/workflows/publish-storybook.yml'
+
+jobs:
+  publish-storybook:
+    name: Publish Storybook
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
+          # This is required to fetch all commits for chromatic
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+        with:
+          electron-install: false
+      - uses: chromaui/action-next@v1
+        with:
+          workingDir: tests/storybook
+          buildScriptName: build
+          exitOnceUploaded: true
+          onlyChanged: false
+          diagnostics: true
+        env:
+          CHROMATIC_PROJECT_TOKEN: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
+          NODE_OPTIONS: ${{ env.NODE_OPTIONS }}
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: chromatic-build-artifacts-${{ github.run_id }}
+          path: |
+            chromatic-diagnostics.json
+            **/build-storybook.log

.github/workflows/release-automatically.yml

@@ -1,38 +0,0 @@
-name: Release Desktop/Mobile Automatically
-
-on:
-  push:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
-  schedule:
-    - cron: '0 9 * * *'
-
-permissions:
-  contents: write
-  pull-requests: write
-  actions: write
-
-jobs:
-  dispatch-release-desktop:
-    runs-on: ubuntu-latest
-    name: Setup Release Desktop
-    steps:
-      - name: dispatch desktop release by tag
-        if: ${{ github.event_name == 'push' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: release-desktop.yml
-          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
-
-      - name: dispatch desktop release by schedule
-        if: ${{ github.event_name == 'schedule' }}
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: release-desktop.yml
-          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
-          ref: canary
-      - name: dispatch desktop release by tag
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: release-mobile.yml
-          inputs: '{ "build-type": "canary", "build-target": "distribution" }'

.github/workflows/release-desktop-automatically.yml

@@ -0,0 +1,27 @@
+name: Release Desktop Automatically
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+-canary.[0-9]+'
+  schedule:
+    - cron: '0 9 * * *'
+
+jobs:
+  dispatch-release-desktop:
+    runs-on: ubuntu-latest
+    name: Setup Release Desktop
+    steps:
+      - name: dispatch desktop release by tag
+        if: ${{ github.event_name == 'push' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: release-desktop.yml
+          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
+      - name: dispatch desktop release by schedule
+        if: ${{ github.event_name == 'schedule' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: release-desktop.yml
+          inputs: '{ "build-type": "canary", "is-draft": false, "is-pre-release": true }'
+          ref: canary

.github/workflows/release-desktop.yml

@@ -27,12 +27,10 @@ permissions:
   actions: write
   contents: write
   security-events: write
-  id-token: write
-  attestations: write
 
 env:
   BUILD_TYPE: ${{ github.event.inputs.build-type }}
-  DEBUG: 'affine:*,napi:*'
+  DEBUG: napi:*
   APP_NAME: affine
   MACOSX_DEPLOYMENT_TARGET: '10.13'
 
@@ -52,25 +50,26 @@ jobs:
       - name: Setup @sentry/cli
         uses: ./.github/actions/setup-sentry
       - name: generate-assets
-        run: yarn affine @affine/electron generate-assets
+        run: yarn workspace @affine/electron generate-assets
         env:
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
           RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
+          SKIP_PLUGIN_BUILD: 'true'
+          SKIP_NX_CACHE: 'true'
 
-      - name: Upload web artifact
+      - name: Upload core artifact
         uses: actions/upload-artifact@v4
         with:
-          name: web
-          path: packages/frontend/apps/electron/resources/web-static
+          name: core
+          path: packages/frontend/electron/resources/web-static
 
   make-distribution:
     strategy:
-      fail-fast: false
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
       matrix:
         spec:
           - runner: macos-latest
@@ -87,213 +86,11 @@ jobs:
             target: x86_64-unknown-linux-gnu
     runs-on: ${{ matrix.spec.runner }}
     needs: before-make
-    environment: ${{ github.event.inputs.build-type }}
     env:
       APPLE_ID: ${{ secrets.APPLE_ID }}
       APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
       APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
       SKIP_GENERATE_ASSETS: 1
-      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-      SENTRY_PROJECT: 'affine'
-      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      SENTRY_RELEASE: ${{ needs.before-make.outputs.RELEASE_VERSION }}
-      MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        timeout-minutes: 10
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo @affine/nbstore @toeverything/infra
-          hard-link-nm: false
-          nmHoistingLimits: workspaces
-          enableScripts: false
-      - name: Build AFFiNE native
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.spec.target }}
-          package: '@affine/native'
-      - uses: actions/download-artifact@v4
-        with:
-          name: web
-          path: packages/frontend/apps/electron/resources/web-static
-
-      - name: Build Desktop Layers
-        run: yarn affine @affine/electron build
-
-      - name: Signing By Apple Developer ID
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        uses: apple-actions/import-codesign-certs@v5
-        with:
-          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
-          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
-
-      - name: Install additional dependencies on Linux
-        if: ${{ matrix.spec.platform == 'linux' }}
-        run: |
-          sudo add-apt-repository universe
-          sudo apt install -y libfuse2 elfutils flatpak flatpak-builder
-          flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
-          flatpak update
-          # some flatpak deps need git protocol.file.allow
-          git config --global protocol.file.allow always
-
-      - name: make
-        run: yarn affine @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-        env:
-          SKIP_WEB_BUILD: 1
-          HOIST_NODE_MODULES: 1
-
-      - name: signing DMG
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        run: |
-          codesign --force --sign "Developer ID Application: TOEVERYTHING PTE. LTD." packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make/AFFiNE.dmg
-
-      - name: Save artifacts (mac)
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        run: |
-          mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/*.dmg ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
-          mv packages/frontend/apps/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
-      - name: Save artifacts (linux)
-        if: ${{ matrix.spec.platform == 'linux' }}
-        run: |
-          mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/zip/linux/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.zip
-          mv packages/frontend/apps/electron/out/*/make/*.AppImage ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.appimage
-          mv packages/frontend/apps/electron/out/*/make/deb/${{ matrix.spec.arch }}/*.deb ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.deb
-          mv packages/frontend/apps/electron/out/*/make/flatpak/*/*.flatpak ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-${{ matrix.spec.arch }}.flatpak
-
-      - uses: actions/attest-build-provenance@v2
-        if: ${{ matrix.spec.platform == 'darwin' }}
-        with:
-          subject-path: |
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
-
-      - uses: actions/attest-build-provenance@v2
-        if: ${{ matrix.spec.platform == 'linux' }}
-        with:
-          subject-path: |
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.zip
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.appimage
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-linux-x64.deb
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
-          path: builds
-
-  package-distribution-windows:
-    environment: ${{ github.event.inputs.build-type }}
-    strategy:
-      fail-fast: false
-      matrix:
-        spec:
-          - runner: windows-latest
-            platform: win32
-            arch: x64
-            target: x86_64-pc-windows-msvc
-          - runner: windows-latest
-            platform: win32
-            arch: arm64
-            target: aarch64-pc-windows-msvc
-    runs-on: ${{ matrix.spec.runner }}
-    needs: before-make
-    outputs:
-      FILES_TO_BE_SIGNED_x64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_x64 }}
-      FILES_TO_BE_SIGNED_arm64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_arm64 }}
-    env:
-      SKIP_GENERATE_ASSETS: 1
-      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-      SENTRY_PROJECT: 'affine'
-      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      SENTRY_RELEASE: ${{ needs.before-make.outputs.RELEASE_VERSION }}
-      MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        timeout-minutes: 10
-        uses: ./.github/actions/setup-node
-        with:
-          extra-flags: workspaces focus @affine/electron @affine/monorepo @affine/nbstore @toeverything/infra
-          hard-link-nm: false
-          nmHoistingLimits: workspaces
-      - name: Build AFFiNE native
-        uses: ./.github/actions/build-rust
-        with:
-          target: ${{ matrix.spec.target }}
-          package: '@affine/native'
-      - uses: actions/download-artifact@v4
-        with:
-          name: web
-          path: packages/frontend/apps/electron/resources/web-static
-
-      - name: Build Desktop Layers
-        run: yarn affine @affine/electron build
-
-      - name: package
-        run: yarn affine @affine/electron package --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-        env:
-          SKIP_WEB_BUILD: 1
-          HOIST_NODE_MODULES: 1
-
-      - name: get all files to be signed
-        id: get_files_to_be_signed
-        run: |
-          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/apps/electron/out -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\apps\electron\out\', '') + '"' }) -join ' ')
-          "FILES_TO_BE_SIGNED_${{ matrix.spec.arch }}=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
-          echo $FILES_TO_BE_SIGNED
-
-      - name: Zip artifacts for faster upload
-        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/apps/electron/out/* -DestinationPath archive.zip
-
-      - name: Save packaged artifacts for signing
-        uses: actions/upload-artifact@v4
-        with:
-          name: packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
-          path: |
-            archive.zip
-            !**/*.map
-
-  sign-packaged-artifacts-windows_x64:
-    needs: package-distribution-windows
-    uses: ./.github/workflows/windows-signer.yml
-    with:
-      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED_x64 }}
-      artifact-name: packaged-win32-x64
-
-  sign-packaged-artifacts-windows_arm64:
-    needs: package-distribution-windows
-    uses: ./.github/workflows/windows-signer.yml
-    with:
-      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED_arm64 }}
-      artifact-name: packaged-win32-arm64
-
-  make-windows-installer:
-    needs:
-      - sign-packaged-artifacts-windows_x64
-      - sign-packaged-artifacts-windows_arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        spec:
-          - platform: win32
-            arch: x64
-          - platform: win32
-            arch: arm64
-    runs-on: windows-latest
-    outputs:
-      FILES_TO_BE_SIGNED_x64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_x64 }}
-      FILES_TO_BE_SIGNED_arm64: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED_arm64 }}
     steps:
       - uses: actions/checkout@v4
       - name: Setup Version
@@ -306,30 +103,166 @@ jobs:
           extra-flags: workspaces focus @affine/electron @affine/monorepo
           hard-link-nm: false
           nmHoistingLimits: workspaces
+          enableScripts: false
+      - name: Build AFFiNE native
+        uses: ./.github/actions/build-rust
+        with:
+          target: ${{ matrix.spec.target }}
+          package: '@affine/native'
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: core
+          path: packages/frontend/electron/resources/web-static
+
+      - name: Build Desktop Layers
+        run: yarn workspace @affine/electron build
+
+      - name: Signing By Apple Developer ID
+        if: ${{ matrix.spec.platform == 'darwin' }}
+        uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
+
+      - name: make
+        run: yarn workspace @affine/electron make --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
         env:
-          npm_config_arch: ${{ matrix.spec.arch }}
+          SKIP_PLUGIN_BUILD: 1
+          SKIP_WEB_BUILD: 1
+          HOIST_NODE_MODULES: 1
+
+      - name: Save artifacts (mac)
+        if: ${{ matrix.spec.platform == 'darwin' }}
+        run: |
+          mkdir -p builds
+          mv packages/frontend/electron/out/*/make/*.dmg ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.dmg
+          mv packages/frontend/electron/out/*/make/zip/darwin/${{ matrix.spec.arch }}/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-macos-${{ matrix.spec.arch }}.zip
+      - name: Save artifacts (linux)
+        if: ${{ matrix.spec.platform == 'linux' }}
+        run: |
+          mkdir -p builds
+          mv packages/frontend/electron/out/*/make/zip/linux/x64/*.zip ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.zip
+          mv packages/frontend/electron/out/*/make/AppImage/x64/*.AppImage ./builds/affine-${{ env.BUILD_TYPE }}-linux-x64.AppImage
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: affine-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}-builds
+          path: builds
+
+  package-distribution-windows:
+    strategy:
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
+      matrix:
+        spec:
+          - runner: windows-latest
+            platform: win32
+            arch: x64
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.spec.runner }}
+    needs: before-make
+    outputs:
+      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
+    env:
+      SKIP_GENERATE_ASSETS: 1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Version
+        id: version
+        uses: ./.github/actions/setup-version
+      - name: Setup Node.js
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-node
+        with:
+          extra-flags: workspaces focus @affine/electron @affine/monorepo
+          hard-link-nm: false
+          nmHoistingLimits: workspaces
+      - name: Build AFFiNE native
+        uses: ./.github/actions/build-rust
+        with:
+          target: ${{ matrix.spec.target }}
+          package: '@affine/native'
+          nx_token: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: core
+          path: packages/frontend/electron/resources/web-static
+
+      - name: Build Desktop Layers
+        run: yarn workspace @affine/electron build
+
+      - name: package
+        run: yarn workspace @affine/electron package --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+        env:
+          SKIP_PLUGIN_BUILD: 1
+          SKIP_WEB_BUILD: 1
+          HOIST_NODE_MODULES: 1
+
+      - name: get all files to be signed
+        id: get_files_to_be_signed
+        run: |
+          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/electron/out -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\electron\out\', '') + '"' }) -join ' ')
+          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
+          echo $FILES_TO_BE_SIGNED
+
+      - name: Zip artifacts for faster upload
+        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/* -DestinationPath archive.zip
+
+      - name: Save packaged artifacts for signing
+        uses: actions/upload-artifact@v4
+        with:
+          name: packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
+          path: |
+            archive.zip
+            !**/*.map
+
+  sign-packaged-artifacts-windows:
+    needs: package-distribution-windows
+    uses: ./.github/workflows/windows-signer.yml
+    with:
+      files: ${{ needs.package-distribution-windows.outputs.FILES_TO_BE_SIGNED }}
+      artifact-name: packaged-win32-x64
+
+  make-windows-installer:
+    needs: sign-packaged-artifacts-windows
+    strategy:
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
+      matrix:
+        spec:
+          - runner: windows-latest
+            platform: win32
+            arch: x64
+            target: x86_64-pc-windows-msvc
+    runs-on: ${{ matrix.spec.runner }}
+    outputs:
+      FILES_TO_BE_SIGNED: ${{ steps.get_files_to_be_signed.outputs.FILES_TO_BE_SIGNED }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        timeout-minutes: 10
+        uses: ./.github/actions/setup-node
       - name: Download and overwrite packaged artifacts
         uses: actions/download-artifact@v4
         with:
           name: signed-packaged-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
       - name: unzip file
-        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/apps/electron/out
+        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/electron/out
 
       - name: Make squirrel.windows installer
-        run: yarn affine @affine/electron make-squirrel --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
-
-      - name: Make nsis.windows installer
-        run: yarn affine @affine/electron make-nsis --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
+        run: yarn workspace @affine/electron make-squirrel --platform=${{ matrix.spec.platform }} --arch=${{ matrix.spec.arch }}
 
       - name: Zip artifacts for faster upload
-        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make/* -DestinationPath archive.zip
+        run: Compress-Archive -CompressionLevel Fastest -Path packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make/* -DestinationPath archive.zip
 
       - name: get all files to be signed
         id: get_files_to_be_signed
         run: |
-          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\apps\electron\out\${{ env.BUILD_TYPE }}\make\', '') + '"' }) -join ' ')
-          "FILES_TO_BE_SIGNED_${{ matrix.spec.arch }}=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
+          Set-Variable -Name FILES_TO_BE_SIGNED -Value ((Get-ChildItem -Path packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make -Recurse -File | Where-Object { $_.Extension -in @(".exe", ".node", ".dll", ".msi") } | ForEach-Object { '"' + $_.FullName.Replace((Get-Location).Path + '\packages\frontend\electron\out\${{ env.BUILD_TYPE }}\make\', '') + '"' }) -join ' ')
+          "FILES_TO_BE_SIGNED=$FILES_TO_BE_SIGNED" >> $env:GITHUB_OUTPUT
           echo $FILES_TO_BE_SIGNED
 
       - name: Save installer for signing
@@ -338,37 +271,24 @@ jobs:
           name: installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: archive.zip
 
-  sign-installer-artifacts-windows-x64:
+  sign-installer-artifacts-windows:
     needs: make-windows-installer
     uses: ./.github/workflows/windows-signer.yml
     with:
-      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED_x64 }}
+      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED }}
       artifact-name: installer-win32-x64
 
-  sign-installer-artifacts-windows-arm64:
-    needs: make-windows-installer
-    uses: ./.github/workflows/windows-signer.yml
-    with:
-      files: ${{ needs.make-windows-installer.outputs.FILES_TO_BE_SIGNED_arm64 }}
-      artifact-name: installer-win32-arm64
-
   finalize-installer-windows:
-    needs:
-      [
-        sign-installer-artifacts-windows-x64,
-        sign-installer-artifacts-windows-arm64,
-        before-make,
-      ]
+    needs: sign-installer-artifacts-windows
     strategy:
-      fail-fast: false
+      # all combinations: macos-latest x64, macos-latest arm64, ubuntu-latest x64
+      # For windows, we need a separate approach
       matrix:
         spec:
           - runner: windows-latest
             platform: win32
             arch: x64
-          - runner: windows-latest
-            platform: win32
-            arch: arm64
+            target: x86_64-pc-windows-msvc
     runs-on: ${{ matrix.spec.runner }}
     steps:
       - name: Download and overwrite installer artifacts
@@ -377,21 +297,14 @@ jobs:
           name: signed-installer-${{ matrix.spec.platform }}-${{ matrix.spec.arch }}
           path: .
       - name: unzip file
-        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/apps/electron/out/${{ env.BUILD_TYPE }}/make
+        run: Expand-Archive -Path signed.zip -DestinationPath packages/frontend/electron/out/${{ env.BUILD_TYPE }}/make
 
       - name: Save artifacts
         run: |
           mkdir -p builds
-          mv packages/frontend/apps/electron/out/*/make/zip/win32/${{ matrix.spec.arch }}/AFFiNE*-win32-${{ matrix.spec.arch }}-*.zip ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.zip
-          mv packages/frontend/apps/electron/out/*/make/squirrel.windows/${{ matrix.spec.arch }}/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.exe
-          mv packages/frontend/apps/electron/out/*/make/nsis.windows/${{ matrix.spec.arch }}/*.exe ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.nsis.exe
-
-      - uses: actions/attest-build-provenance@v2
-        with:
-          subject-path: |
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.zip
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.exe
-            ./builds/affine-${{ needs.before-make.outputs.RELEASE_VERSION }}-${{ env.BUILD_TYPE }}-windows-${{ matrix.spec.arch }}.nsis.exe
+          mv packages/frontend/electron/out/*/make/zip/win32/x64/AFFiNE*-win32-x64-*.zip ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.zip
+          mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.exe ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.exe
+          mv packages/frontend/electron/out/*/make/squirrel.windows/x64/*.msi ./builds/affine-${{ env.BUILD_TYPE }}-windows-x64.msi
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
@@ -407,7 +320,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
         with:
-          name: web
+          name: core
           path: web-static
       - name: Zip web-static
         run: zip -r web-static.zip web-static
@@ -415,53 +328,49 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: affine-darwin-x64-builds
-          path: ./release
+          path: ./
       - name: Download Artifacts (macos-arm64)
         uses: actions/download-artifact@v4
         with:
           name: affine-darwin-arm64-builds
-          path: ./release
+          path: ./
       - name: Download Artifacts (windows-x64)
         uses: actions/download-artifact@v4
         with:
           name: affine-win32-x64-builds
-          path: ./release
-      - name: Download Artifacts (windows-arm64)
-        uses: actions/download-artifact@v4
-        with:
-          name: affine-win32-arm64-builds
-          path: ./release
+          path: ./
       - name: Download Artifacts (linux-x64)
         uses: actions/download-artifact@v4
         with:
           name: affine-linux-x64-builds
-          path: ./release
+          path: ./
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
-      - name: Copy Selfhost Release Files
-        run: |
-          cp ./.docker/selfhost/compose.yml ./release/docker-compose.yml
-          cp ./.docker/selfhost/.env.example ./release/.env.example
+          node-version: 18
       - name: Generate Release yml
         run: |
-          node ./scripts/generate-release-yml.mjs
+          node ./packages/frontend/electron/scripts/generate-yml.js
         env:
           RELEASE_VERSION: ${{ needs.before-make.outputs.RELEASE_VERSION }}
       - name: Create Release Draft
         if: ${{ github.ref_type == 'tag' }}
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v1
         with:
           name: ${{ needs.before-make.outputs.RELEASE_VERSION }}
           body: ''
           draft: ${{ github.event.inputs.is-draft }}
           prerelease: ${{ github.event.inputs.is-pre-release }}
           files: |
-            ./release/*
-            ./release/.env.example
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.AppImage
+            ./*.apk
+            ./*.yml
       - name: Create Nightly Release Draft
         if: ${{ github.ref_type == 'branch' }}
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         with:
@@ -474,5 +383,10 @@ jobs:
           draft: false
           prerelease: true
           files: |
-            ./release/*
-            ./release/.env.example
+            ./VERSION
+            ./*.zip
+            ./*.dmg
+            ./*.exe
+            ./*.AppImage
+            ./*.apk
+            ./*.yml

.github/workflows/release-mobile.yml

@@ -1,246 +0,0 @@
-name: Release Mobile App
-
-on:
-  workflow_call:
-    inputs:
-      build-target:
-        description: 'Build Target'
-        type: string
-        required: true
-      build-type:
-        description: 'Build Type'
-        type: string
-        required: true
-  workflow_dispatch:
-    inputs:
-      build-target:
-        description: 'Build Target'
-        type: choice
-        required: true
-        default: distribution
-        options:
-          - development
-          - distribution
-      build-type:
-        description: 'Build Type'
-        type: choice
-        required: true
-        default: canary
-        options:
-          - canary
-          - beta
-          - stable
-env:
-  BUILD_TYPE: ${{ inputs.build-type || github.event.inputs.build-type }}
-  BUILD_TARGET: ${{ inputs.build-target || github.event.inputs.build-target }}
-  DEBUG: napi:*
-  KEYCHAIN_NAME: ${{ github.workspace }}/signing_temp
-
-jobs:
-  output-env:
-    runs-on: ubuntu-latest
-    outputs:
-      ENVIRONMENT: ${{ steps.env.outputs.ENVIRONMENT }}
-    steps:
-      - name: Output Environment
-        id: env
-        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "ENVIRONMENT=${{ github.event.inputs.build-type }}" >> $GITHUB_OUTPUT
-          else
-            echo "ENVIRONMENT=" >> $GITHUB_OUTPUT
-          fi
-
-  build-ios-web:
-    needs:
-      - output-env
-    runs-on: ubuntu-24.04-arm
-    environment: ${{ needs.output-env.outputs.ENVIRONMENT }}
-    outputs:
-      RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: Build Mobile
-        run: yarn affine @affine/ios build
-        env:
-          PUBLIC_PATH: '/'
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
-          RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-      - name: Upload ios artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ios
-          path: packages/frontend/apps/ios/dist
-
-  build-android-web:
-    runs-on: ubuntu-24.04-arm
-    needs:
-      - output-env
-    environment: ${{ needs.output-env.outputs.ENVIRONMENT }}
-    outputs:
-      RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Version
-        id: version
-        uses: ./.github/actions/setup-version
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-      - name: Setup @sentry/cli
-        uses: ./.github/actions/setup-sentry
-      - name: Build Mobile
-        run: yarn affine @affine/android build
-        env:
-          PUBLIC_PATH: '/'
-          MIXPANEL_TOKEN: ${{ secrets.MIXPANEL_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: 'affine'
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          SENTRY_RELEASE: ${{ steps.version.outputs.APP_VERSION }}
-          RELEASE_VERSION: ${{ steps.version.outputs.APP_VERSION }}
-      - name: Upload android artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: android
-          path: packages/frontend/apps/android/dist
-
-  ios:
-    runs-on: namespace-profile-macos
-    needs:
-      - build-ios-web
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download mobile artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ios
-          path: packages/frontend/apps/ios/dist
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        timeout-minutes: 10
-        with:
-          extra-flags: workspaces focus @affine/ios
-          playwright-install: false
-          electron-install: false
-          hard-link-nm: false
-          enableScripts: false
-      - uses: maxim-lobanov/setup-xcode@v1
-        with:
-          xcode-version: 16.2
-      - name: Install Swiftformat
-        run: brew install swiftformat
-      - name: Cap sync
-        run: yarn workspace @affine/ios sync
-      - name: Signing By Apple Developer ID
-        uses: apple-actions/import-codesign-certs@v5
-        id: import-codesign-certs
-        with:
-          p12-file-base64: ${{ secrets.CERTIFICATES_P12_MOBILE }}
-          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD_MOBILE }}
-      - name: Setup Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'aarch64-apple-ios'
-          package: 'affine_mobile_native'
-          no-build: 'true'
-      - name: Testflight
-        if: ${{ env.BUILD_TYPE != 'stable' }}
-        working-directory: packages/frontend/apps/ios/App
-        run: |
-          echo -n "${{ env.BUILD_PROVISION_PROFILE }}" | base64 --decode -o $PP_PATH
-          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
-          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
-          fastlane beta
-        env:
-          BUILD_PROVISION_PROFILE: ${{ secrets.BUILD_PROVISION_PROFILE }}
-          PP_PATH: ${{ runner.temp }}/build_pp.mobileprovision
-          APPLE_STORE_CONNECT_API_KEY_ID: ${{ secrets.APPLE_STORE_CONNECT_API_KEY_ID }}
-          APPLE_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APPLE_STORE_CONNECT_API_ISSUER_ID }}
-          APPLE_STORE_CONNECT_API_KEY: ${{ secrets.APPLE_STORE_CONNECT_API_KEY }}
-
-  android:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: 'write'
-    needs:
-      - build-android-web
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download mobile artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: android
-          path: packages/frontend/apps/android/dist
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        timeout-minutes: 10
-        with:
-          extra-flags: workspaces focus @affine/monorepo @affine-tools/cli @affine/android @affine/playstore-auto-bump
-          playwright-install: false
-          electron-install: false
-          hard-link-nm: false
-          enableScripts: false
-      - name: Setup Rust
-        uses: ./.github/actions/build-rust
-        with:
-          target: 'aarch64-linux-android'
-          package: 'affine_mobile_native'
-          no-build: 'true'
-      - name: Cap sync
-        run: yarn workspace @affine/android cap sync
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.13'
-      - name: Auth gcloud
-        id: auth
-        uses: google-github-actions/auth@v2
-        if: ${{ env.BUILD_TARGET == 'distribution' }}
-        with:
-          workload_identity_provider: 'projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
-          service_account: '${{ secrets.GCP_HELM_DEPLOY_SERVICE_ACCOUNT }}'
-          token_format: 'access_token'
-          project_id: '${{ secrets.GCP_PROJECT_ID }}'
-          access_token_scopes: 'https://www.googleapis.com/auth/androidpublisher'
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '21'
-          cache: 'gradle'
-      - name: Auto increment version code
-        id: bump
-        if: ${{ env.BUILD_TARGET == 'distribution' }}
-        run: yarn affine @affine/playstore-auto-bump bump
-        env:
-          GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
-      - name: Build
-        run: |
-          echo -n "${{ env.AFFINE_ANDROID_SIGN_KEYSTORE }}" | base64 --decode > packages/frontend/apps/android/affine.keystore
-          yarn workspace @affine/android cap build android --flavor ${{ env.BUILD_TYPE }} --androidreleasetype AAB
-        env:
-          AFFINE_ANDROID_KEYSTORE_PASSWORD: ${{ secrets.AFFINE_ANDROID_KEYSTORE_PASSWORD }}
-          AFFINE_ANDROID_KEYSTORE_ALIAS_PASSWORD: ${{ secrets.AFFINE_ANDROID_KEYSTORE_ALIAS_PASSWORD }}
-          AFFINE_ANDROID_SIGN_KEYSTORE: ${{ secrets.AFFINE_ANDROID_SIGN_KEYSTORE }}
-
-      - name: Upload to Google Play
-        uses: r0adkll/upload-google-play@v1
-        if: ${{ env.BUILD_TARGET == 'distribution' }}
-        with:
-          serviceAccountJson: ${{ steps.auth.outputs.credentials_file_path }}
-          packageName: app.affine.pro
-          releaseFiles: packages/frontend/apps/android/App/app/build/outputs/bundle/${{ env.BUILD_TYPE }}Release/app-${{ env.BUILD_TYPE }}-release-signed.aab
-          track: internal
-          status: draft
-          existingEditId: ${{ steps.bump.outputs.EDIT_ID }}

.github/workflows/sync-i18n.yml

@@ -1,72 +0,0 @@
-name: Sync I18n with Crowdin
-
-on:
-  push:
-    branches:
-      - canary
-    paths:
-      - 'packages/frontend/i18n/**'
-  workflow_dispatch:
-
-jobs:
-  synchronize-with-crowdin:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Crowdin action
-        id: crowdin
-        uses: crowdin/github-action@v2
-        with:
-          upload_sources: true
-          upload_translations: false
-          download_translations: true
-          auto_approve_imported: true
-          import_eq_suggestions: true
-          export_only_approved: true
-          skip_untranslated_strings: true
-          localization_branch_name: l10n_crowdin_translations
-          create_pull_request: true
-          pull_request_title: 'chore(i18n): sync translations'
-          pull_request_body: 'New Crowdin translations by [Crowdin GH Action](https://github.com/crowdin/github-action)'
-          pull_request_base_branch_name: 'canary'
-          config: packages/frontend/i18n/crowdin.yml
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
-  i18n-codegen:
-    needs: synchronize-with-crowdin
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: l10n_crowdin_translations
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-        with:
-          electron-install: false
-          full-cache: true
-
-      - name: Run i18n codegen
-        run: yarn affine @affine/i18n build
-
-      - name: Commit changes
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add .
-          git commit -m "chore(i18n): i18n codegen"
-          git push origin l10n_crowdin_translations

.github/workflows/workers.yml

@@ -0,0 +1,23 @@
+name: Deploy Cloudflare Worker
+
+on:
+  push:
+    branches:
+      - canary
+    paths:
+      - tools/workers/**
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy
+    environment: stable
+    steps:
+      - uses: actions/checkout@v4
+      - name: Publish
+        uses: cloudflare/wrangler-action@v3.4.0
+        with:
+          apiToken: ${{ secrets.CF_API_TOKEN }}
+          accountId: ${{ secrets.CF_ACCOUNT_ID }}
+          workingDirectory: 'tools/workers'
+          packageManager: 'yarn'

.gitignore

@@ -29,6 +29,7 @@ node_modules
 
 # IDE - VSCode
 .vscode/*
+!.vscode/tasks.json
 !.vscode/settings.template.json
 !.vscode/launch.template.json
 !.vscode/extensions.json
@@ -58,6 +59,7 @@ Thumbs.db
 .vercel
 out/
 storybook-static
+i18n-generated.ts
 
 test-results
 playwright-report
@@ -77,11 +79,3 @@ lib
 affine.db
 apps/web/next-routes.conf
 .nx
-
-packages/frontend/templates/edgeless
-packages/frontend/core/public/static/templates
-
-# script
-af
-af.cmd
-*.resolved

.husky/pre-commit

@@ -1 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
 yarn lint-staged && yarn lint:ox