Update build-and-release.yml

This reverts commit 8d1f23e9d6.

.github/workflows/build-and-release.yml

@@ -0,0 +1,430 @@
+name: 'Build and Release'
+on:
+  workflow_run:
+    workflows:
+      - ci
+    types:
+      - completed
+permissions:
+  contents: write
+  packages: write
+  pull-requests: write
+env:
+  DEFAULT_UV_VERSION: "0.8.x"
+  DEFAULT_PYTHON_VERSION: "3.11"
+  NLTK_DATA: "/usr/share/nltk_data"
+jobs:
+  prepare:
+    if: >-
+      github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push'
+    name: Prepare build context
+    runs-on: ubuntu-24.04
+    outputs:
+      should-build: ${{ steps.determine.outputs.should-build }}
+      ref: ${{ steps.determine.outputs.ref }}
+      ref-name: ${{ steps.determine.outputs.ref-name }}
+      sha: ${{ steps.determine.outputs.sha }}
+      is-tag: ${{ steps.determine.outputs.is-tag }}
+      is-release-target: ${{ steps.determine.outputs.is-release-target }}
+      is-beta-rc: ${{ steps.determine.outputs.is-beta-rc }}
+    steps:
+      - name: Determine ref information
+        id: determine
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const run = context.payload.workflow_run;
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const sha = run.head_sha;
+            const branch = run.head_branch;
+
+            let ref = undefined;
+            let refName = undefined;
+
+            if (branch) {
+              ref = `refs/heads/${branch}`;
+              refName = branch;
+            } else {
+              const iterator = github.paginate.iterator(
+                github.rest.repos.listTags,
+                {
+                  owner,
+                  repo,
+                  per_page: 100,
+                },
+              );
+
+              for await (const { data } of iterator) {
+                const match = data.find((tag) => tag.commit?.sha === sha);
+                if (match) {
+                  ref = `refs/tags/${match.name}`;
+                  refName = match.name;
+                  break;
+                }
+              }
+            }
+
+            const outputs = {
+              shouldBuild: false,
+              ref: ref ?? '',
+              refName: refName ?? '',
+              sha,
+              isTag: ref?.startsWith('refs/tags/') ?? false,
+              isReleaseTarget: false,
+              isBetaRc: false,
+            };
+
+            if (!ref || !refName) {
+              core.info('No matching ref found for workflow run; skipping post-CI workflow.');
+            } else {
+              const allowed =
+                ref.startsWith('refs/heads/feature-') ||
+                ref.startsWith('refs/heads/fix-') ||
+                ref.startsWith('refs/heads/l10n_') ||
+                ref === 'refs/heads/dev' ||
+                ref === 'refs/heads/beta' ||
+                ref.includes('beta.rc') ||
+                ref.startsWith('refs/tags/v');
+
+              const isBetaRc = refName.includes('beta.rc');
+              const isReleaseTarget = outputs.isTag && (refName.startsWith('v') || isBetaRc);
+
+              outputs.shouldBuild = allowed;
+              outputs.isReleaseTarget = isReleaseTarget;
+              outputs.isBetaRc = isBetaRc;
+            }
+
+            core.setOutput('should-build', outputs.shouldBuild ? 'true' : 'false');
+            core.setOutput('ref', outputs.ref);
+            core.setOutput('ref-name', outputs.refName);
+            core.setOutput('sha', outputs.sha);
+            core.setOutput('is-tag', outputs.isTag ? 'true' : 'false');
+            core.setOutput('is-release-target', outputs.isReleaseTarget ? 'true' : 'false');
+            core.setOutput('is-beta-rc', outputs.isBetaRc ? 'true' : 'false');
+  build-docker-image:
+    needs: prepare
+    if: needs.prepare.outputs.should-build == 'true'
+    name: Build Docker image for ${{ needs.prepare.outputs.ref-name }}
+    runs-on: ubuntu-24.04
+    concurrency:
+      group: ${{ github.workflow }}-build-docker-image-${{ needs.prepare.outputs.ref-name || needs.prepare.outputs.sha }}
+      cancel-in-progress: true
+    env:
+      REF: ${{ needs.prepare.outputs.ref }}
+      REF_NAME: ${{ needs.prepare.outputs.ref-name }}
+      SHA: ${{ needs.prepare.outputs.sha }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ env.SHA }}
+      - name: Check pushing to Docker Hub
+        id: push-other-places
+        env:
+          REPOSITORY_OWNER: ${{ github.repository_owner }}
+          REF_NAME: ${{ env.REF_NAME }}
+          REF: ${{ env.REF }}
+        run: |
+          if [[ "$REPOSITORY_OWNER" == "paperless-ngx" ]] && \
+             ([[ "$REF_NAME" == "dev" ]] || [[ "$REF_NAME" == "beta" ]] || [[ "$REF" == refs/tags/v* ]]); then
+            echo "Enabling DockerHub image push"
+            echo "enable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Not pushing to DockerHub"
+            echo "enable=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Set ghcr repository name
+        id: set-ghcr-repository
+        run: |
+          ghcr_name=$(echo "${{ github.repository }}" | awk '{ print tolower($0) }')
+          echo "Name is ${ghcr_name}"
+          echo "ghcr-repository=${ghcr_name}" >> "$GITHUB_OUTPUT"
+      - name: Gather Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        env:
+          GITHUB_REF: ${{ env.REF }}
+          GITHUB_REF_NAME: ${{ env.REF_NAME }}
+          GITHUB_SHA: ${{ env.SHA }}
+        with:
+          images: |
+            ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}
+            name=paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
+            name=quay.io/paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
+        if: steps.push-other-places.outputs.enable == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to Quay.io
+        if: steps.push-other-places.outputs.enable == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
+          build-args: |
+            PNGX_TAG_VERSION=${{ steps.docker-meta.outputs.version }}
+          cache-from: |
+            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ env.REF_NAME }}
+            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:dev
+          cache-to: |
+            type=registry,mode=max,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ env.REF_NAME }}
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
+      - name: Export frontend artifact from docker
+        run: |
+          docker create --name frontend-extract ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
+          docker cp frontend-extract:/usr/src/paperless/src/documents/static/frontend src/documents/static/frontend/
+      - name: Upload frontend artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-compiled
+          path: src/documents/static/frontend/
+          retention-days: 7
+  build-release:
+    needs:
+      - prepare
+      - build-docker-image
+    if: needs.prepare.outputs.should-build == 'true'
+    name: Build release bundle
+    runs-on: ubuntu-24.04
+    env:
+      REF_NAME: ${{ needs.prepare.outputs.ref-name }}
+      SHA: ${{ needs.prepare.outputs.sha }}
+      CI_RUN_ID: ${{ github.event.workflow_run.id }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ env.SHA }}
+      - name: Set up Python
+        id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: ${{ env.DEFAULT_UV_VERSION }}
+          enable-cache: true
+          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+      - name: Install Python dependencies
+        run: |
+          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -qq --no-install-recommends gettext liblept5
+      - name: Download frontend artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: frontend-compiled
+          path: src/documents/static/frontend/
+      - name: Download documentation artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: documentation
+          path: docs/_build/html/
+          run-id: ${{ env.CI_RUN_ID }}
+      - name: Generate requirements file
+        run: |
+          uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
+      - name: Compile messages
+        run: |
+          cd src/
+          uv run \
+            --python ${{ steps.setup-python.outputs.python-version }} \
+            manage.py compilemessages
+      - name: Collect static files
+        run: |
+          cd src/
+          uv run \
+            --python ${{ steps.setup-python.outputs.python-version }} \
+            manage.py collectstatic --no-input
+      - name: Move files
+        run: |
+          echo "Making dist folders"
+          for directory in dist \
+                          dist/paperless-ngx \
+                          dist/paperless-ngx/scripts;
+          do
+            mkdir --verbose --parents ${directory}
+          done
+
+          echo "Copying basic files"
+          for file_name in .dockerignore \
+                          .env \
+                          Dockerfile \
+                          pyproject.toml \
+                          uv.lock \
+                          requirements.txt \
+                          LICENSE \
+                          README.md \
+                          paperless.conf.example
+          do
+            cp --verbose ${file_name} dist/paperless-ngx/
+          done
+          mv --verbose dist/paperless-ngx/paperless.conf.example dist/paperless-ngx/paperless.conf
+
+          echo "Copying Docker related files"
+          cp --recursive docker/ dist/paperless-ngx/docker
+
+          echo "Copying startup scripts"
+          cp --verbose scripts/*.service scripts/*.sh scripts/*.socket dist/paperless-ngx/scripts/
+
+          echo "Copying source files"
+          cp --recursive src/ dist/paperless-ngx/src
+          echo "Copying documentation"
+          cp --recursive docs/_build/html/ dist/paperless-ngx/docs
+
+          mv --verbose static dist/paperless-ngx
+      - name: Make release package
+        run: |
+          echo "Creating release archive"
+          cd dist
+          sudo chown -R 1000:1000 paperless-ngx/
+          tar -cJf paperless-ngx.tar.xz paperless-ngx/
+      - name: Upload release artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: release
+          path: dist/paperless-ngx.tar.xz
+          retention-days: 7
+  publish-release:
+    needs:
+      - prepare
+      - build-release
+    if: needs.prepare.outputs.is-release-target == 'true'
+    name: Publish release
+    runs-on: ubuntu-24.04
+    outputs:
+      prerelease: ${{ steps.get_version.outputs.prerelease }}
+      changelog: ${{ steps.create-release.outputs.body }}
+      version: ${{ steps.get_version.outputs.version }}
+    steps:
+      - name: Download release artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: release
+          path: ./
+      - name: Get version
+        id: get_version
+        run: |
+          echo "version=${{ needs.prepare.outputs.ref-name }}" >> "$GITHUB_OUTPUT"
+          if [[ ${{ needs.prepare.outputs.is-beta-rc }} == 'true' ]]; then
+            echo "prerelease=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "prerelease=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Create Release and Changelog
+        id: create-release
+        uses: release-drafter/release-drafter@v6
+        with:
+          name: Paperless-ngx ${{ steps.get_version.outputs.version }}
+          tag: ${{ steps.get_version.outputs.version }}
+          version: ${{ steps.get_version.outputs.version }}
+          prerelease: ${{ steps.get_version.outputs.prerelease }}
+          publish: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload release archive
+        id: upload-release-asset
+        uses: shogo82148/actions-upload-release-asset@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          upload_url: ${{ steps.create-release.outputs.upload_url }}
+          asset_path: ./paperless-ngx.tar.xz
+          asset_name: paperless-ngx-${{ steps.get_version.outputs.version }}.tar.xz
+          asset_content_type: application/x-xz
+  append-changelog:
+    needs:
+      - publish-release
+    if: needs.publish-release.outputs.prerelease == 'false'
+    name: Append changelog to docs
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: main
+      - name: Set up Python
+        id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: ${{ env.DEFAULT_UV_VERSION }}
+          enable-cache: true
+          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+      - name: Append Changelog to docs
+        id: append-Changelog
+        working-directory: docs
+        run: |
+          git branch ${{ needs.publish-release.outputs.version }}-changelog
+          git checkout ${{ needs.publish-release.outputs.version }}-changelog
+          echo -e "# Changelog\n\n${{ needs.publish-release.outputs.changelog }}\n" > changelog-new.md
+          echo "Manually linking usernames"
+          sed -i -r 's|@([a-zA-Z0-9_]+) \(\[#|[@\1](https://github.com/\1) ([#|g' changelog-new.md
+          echo "Removing unneeded comment tags"
+          sed -i -r 's|@<!---->|@|g' changelog-new.md
+          CURRENT_CHANGELOG=`tail --lines +2 changelog.md`
+          echo -e "$CURRENT_CHANGELOG" >> changelog-new.md
+          mv changelog-new.md changelog.md
+          uv run \
+            --python ${{ steps.setup-python.outputs.python-version }} \
+            --dev \
+            pre-commit run --files changelog.md || true
+          git config --global user.name "github-actions"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
+          git push origin ${{ needs.publish-release.outputs.version }}-changelog
+      - name: Create Pull Request
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { repo, owner } = context.repo;
+            const result = await github.rest.pulls.create({
+              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
+              owner,
+              repo,
+              head: '${{ needs.publish-release.outputs.version }}-changelog',
+              base: 'main',
+              body: 'This PR is auto-generated by CI.'
+            });
+            github.rest.issues.addLabels({
+              owner,
+              repo,
+              issue_number: result.data.number,
+              labels: ['documentation', 'skip-changelog']
+            });

.github/workflows/ci.yml

@@ -17,59 +17,18 @@ env:
   DEFAULT_PYTHON_VERSION: "3.11"
   NLTK_DATA: "/usr/share/nltk_data"
 jobs:
-  detect-duplicate:
-    name: Detect Duplicate Run
-    runs-on: ubuntu-24.04
-    outputs:
-      should_run: ${{ steps.check.outputs.should_run }}
-    steps:
-      - name: Check if workflow should run
-        id: check
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            if (context.eventName !== 'push') {
-              core.info('Not a push event; running workflow.');
-              core.setOutput('should_run', 'true');
-              return;
-            }
-
-            const ref = context.ref || '';
-            if (!ref.startsWith('refs/heads/')) {
-              core.info('Push is not to a branch; running workflow.');
-              core.setOutput('should_run', 'true');
-              return;
-            }
-
-            const branch = ref.substring('refs/heads/'.length);
-            const { owner, repo } = context.repo;
-            const prs = await github.paginate(github.rest.pulls.list, {
-              owner,
-              repo,
-              state: 'open',
-              head: `${owner}:${branch}`,
-              per_page: 100,
-            });
-
-            if (prs.length === 0) {
-              core.info(`No open PR found for ${branch}; running workflow.`);
-              core.setOutput('should_run', 'true');
-            } else {
-              core.info(`Found ${prs.length} open PR(s) for ${branch}; skipping duplicate push run.`);
-              core.setOutput('should_run', 'false');
-            }
   pre-commit:
-    needs:
-      - detect-duplicate
-    if: needs.detect-duplicate.outputs.should_run == 'true'
+    # We want to run on external PRs, but not on our own internal PRs as they'll be run
+    # by the push to the branch. Without this if check, checks are duplicated since
+    # internal PRs match both the push and pull_request events.
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     name: Linting Checks
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
       - name: Install python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
       - name: Check files
@@ -84,7 +43,7 @@ jobs:
         uses: actions/checkout@v5
       - name: Set up Python
         id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
       - name: Install uv
@@ -138,7 +97,7 @@ jobs:
           docker compose --file ${{ github.workspace }}/docker/compose/docker-compose.ci-test.yml up --detach
       - name: Set up Python
         id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@v5
         with:
           python-version: "${{ matrix.python-version }}"
       - name: Install uv
@@ -183,11 +142,13 @@ jobs:
         if: always()
         uses: codecov/test-results-action@v1
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           flags: backend-python-${{ matrix.python-version }}
           files: junit.xml
       - name: Upload backend coverage to Codecov
         uses: codecov/codecov-action@v5
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           flags: backend-python-${{ matrix.python-version }}
           files: coverage.xml
       - name: Stop containers
@@ -207,7 +168,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -240,7 +201,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -263,11 +224,13 @@ jobs:
         uses: codecov/test-results-action@v1
         if: always()
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           flags: frontend-node-${{ matrix.node-version }}
           directory: src-ui/
       - name: Upload frontend coverage to Codecov
         uses: codecov/codecov-action@v5
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           flags: frontend-node-${{ matrix.node-version }}
           directory: src-ui/coverage/
   tests-frontend-e2e:
@@ -288,7 +251,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -331,7 +294,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -350,324 +313,3 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         run: cd src-ui && pnpm run build --configuration=production
-  build-docker-image:
-    name: Build Docker image for ${{ github.ref_name }}
-    runs-on: ubuntu-24.04
-    if: github.event_name == 'push' && (startsWith(github.ref, 'refs/heads/feature-') || startsWith(github.ref, 'refs/heads/fix-') || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/beta' || contains(github.ref, 'beta.rc') || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/l10n_'))
-    concurrency:
-      group: ${{ github.workflow }}-build-docker-image-${{ github.ref_name }}
-      cancel-in-progress: true
-    needs:
-      - tests-backend
-      - tests-frontend
-      - tests-frontend-e2e
-    steps:
-      - name: Check pushing to Docker Hub
-        id: push-other-places
-        # Only push to Dockerhub from the main repo AND the ref is either:
-        #  main
-        #  dev
-        #  beta
-        #  a tag
-        # Otherwise forks would require a Docker Hub account and secrets setup
-        run: |
-          if [[ ${{ github.repository_owner }} == "paperless-ngx" && ( ${{ github.ref_name }} == "dev" || ${{ github.ref_name }} == "beta" || ${{ startsWith(github.ref, 'refs/tags/v') }} == "true" ) ]] ; then
-            echo "Enabling DockerHub image push"
-            echo "enable=true" >> $GITHUB_OUTPUT
-          else
-            echo "Not pushing to DockerHub"
-            echo "enable=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Set ghcr repository name
-        id: set-ghcr-repository
-        run: |
-          ghcr_name=$(echo "${{ github.repository }}" | awk '{ print tolower($0) }')
-          echo "Name is ${ghcr_name}"
-          echo "ghcr-repository=${ghcr_name}" >> $GITHUB_OUTPUT
-      - name: Gather Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}
-            name=paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
-            name=quay.io/paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
-          tags: |
-            # Tag branches with branch name
-            type=ref,event=branch
-            # Process semver tags
-            # For a tag x.y.z or vX.Y.Z, output an x.y.z and x.y image tag
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-      - name: Checkout
-        uses: actions/checkout@v5
-      # If https://github.com/docker/buildx/issues/1044 is resolved,
-      # the append input with a native arm64 arch could be used to
-      # significantly speed up building
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: arm64
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        # Don't attempt to login if not pushing to Docker Hub
-        if: steps.push-other-places.outputs.enable == 'true'
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to Quay.io
-        uses: docker/login-action@v3
-        # Don't attempt to login if not pushing to Quay.io
-        if: steps.push-other-places.outputs.enable == 'true'
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.docker-meta.outputs.tags }}
-          labels: ${{ steps.docker-meta.outputs.labels }}
-          build-args: |
-            PNGX_TAG_VERSION=${{ steps.docker-meta.outputs.version }}
-          # Get cache layers from this branch, then dev
-          # This allows new branches to get at least some cache benefits, generally from dev
-          cache-from: |
-            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }}
-            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:dev
-          cache-to: |
-            type=registry,mode=max,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }}
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
-      - name: Export frontend artifact from docker
-        run: |
-          docker create --name frontend-extract ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
-          docker cp frontend-extract:/usr/src/paperless/src/documents/static/frontend src/documents/static/frontend/
-      - name: Upload frontend artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: frontend-compiled
-          path: src/documents/static/frontend/
-          retention-days: 7
-  build-release:
-    name: "Build Release"
-    needs:
-      - build-docker-image
-      - documentation
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-      - name: Set up Python
-        id: setup-python
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          version: ${{ env.DEFAULT_UV_VERSION }}
-          enable-cache: true
-          python-version: ${{ steps.setup-python.outputs.python-version }}
-      - name: Install Python dependencies
-        run: |
-          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
-      - name: Install system dependencies
-        run: |
-          sudo apt-get update -qq
-          sudo apt-get install -qq --no-install-recommends gettext liblept5
-      - name: Download frontend artifact
-        uses: actions/download-artifact@v5
-        with:
-          name: frontend-compiled
-          path: src/documents/static/frontend/
-      - name: Download documentation artifact
-        uses: actions/download-artifact@v5
-        with:
-          name: documentation
-          path: docs/_build/html/
-      - name: Generate requirements file
-        run: |
-          uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
-      - name: Compile messages
-        run: |
-          cd src/
-          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
-            manage.py compilemessages
-      - name: Collect static files
-        run: |
-          cd src/
-          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
-            manage.py collectstatic --no-input
-      - name: Move files
-        run: |
-          echo "Making dist folders"
-          for directory in dist \
-                          dist/paperless-ngx \
-                          dist/paperless-ngx/scripts;
-          do
-            mkdir --verbose --parents ${directory}
-          done
-
-          echo "Copying basic files"
-          for file_name in .dockerignore \
-                          .env \
-                          Dockerfile \
-                          pyproject.toml \
-                          uv.lock \
-                          requirements.txt \
-                          LICENSE \
-                          README.md \
-                          paperless.conf.example
-          do
-            cp --verbose ${file_name} dist/paperless-ngx/
-          done
-          mv --verbose dist/paperless-ngx/paperless.conf.example dist/paperless-ngx/paperless.conf
-
-          echo "Copying Docker related files"
-          cp --recursive docker/ dist/paperless-ngx/docker
-
-          echo "Copying startup scripts"
-          cp --verbose scripts/*.service scripts/*.sh scripts/*.socket dist/paperless-ngx/scripts/
-
-          echo "Copying source files"
-          cp --recursive src/ dist/paperless-ngx/src
-          echo "Copying documentation"
-          cp --recursive docs/_build/html/ dist/paperless-ngx/docs
-
-          mv --verbose static dist/paperless-ngx
-      - name: Make release package
-        run: |
-          echo "Creating release archive"
-          cd dist
-          sudo chown -R 1000:1000 paperless-ngx/
-          tar -cJf paperless-ngx.tar.xz paperless-ngx/
-      - name: Upload release artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: release
-          path: dist/paperless-ngx.tar.xz
-          retention-days: 7
-  publish-release:
-    name: "Publish Release"
-    runs-on: ubuntu-24.04
-    outputs:
-      prerelease: ${{ steps.get_version.outputs.prerelease }}
-      changelog: ${{ steps.create-release.outputs.body }}
-      version: ${{ steps.get_version.outputs.version }}
-    needs:
-      - build-release
-    if: github.ref_type == 'tag' && (startsWith(github.ref_name, 'v') || contains(github.ref_name, '-beta.rc'))
-    steps:
-      - name: Download release artifact
-        uses: actions/download-artifact@v5
-        with:
-          name: release
-          path: ./
-      - name: Get version
-        id: get_version
-        run: |
-          echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT
-          if [[ ${{ contains(github.ref_name, '-beta.rc') }} == 'true' ]]; then
-            echo "prerelease=true" >> $GITHUB_OUTPUT
-          else
-            echo "prerelease=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Create Release and Changelog
-        id: create-release
-        uses: release-drafter/release-drafter@v6
-        with:
-          name: Paperless-ngx ${{ steps.get_version.outputs.version }}
-          tag: ${{ steps.get_version.outputs.version }}
-          version: ${{ steps.get_version.outputs.version }}
-          prerelease: ${{ steps.get_version.outputs.prerelease }}
-          publish: true # ensures release is not marked as draft
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload release archive
-        id: upload-release-asset
-        uses: shogo82148/actions-upload-release-asset@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          upload_url: ${{ steps.create-release.outputs.upload_url }}
-          asset_path: ./paperless-ngx.tar.xz
-          asset_name: paperless-ngx-${{ steps.get_version.outputs.version }}.tar.xz
-          asset_content_type: application/x-xz
-  append-changelog:
-    name: "Append Changelog"
-    runs-on: ubuntu-24.04
-    needs:
-      - publish-release
-    if: needs.publish-release.outputs.prerelease == 'false'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-        with:
-          ref: main
-      - name: Set up Python
-        id: setup-python
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          version: ${{ env.DEFAULT_UV_VERSION }}
-          enable-cache: true
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
-      - name: Append Changelog to docs
-        id: append-Changelog
-        working-directory: docs
-        run: |
-          git branch ${{ needs.publish-release.outputs.version }}-changelog
-          git checkout ${{ needs.publish-release.outputs.version }}-changelog
-          echo -e "# Changelog\n\n${{ needs.publish-release.outputs.changelog }}\n" > changelog-new.md
-          echo "Manually linking usernames"
-          sed -i -r 's|@([a-zA-Z0-9_]+) \(\[#|[@\1](https://github.com/\1) ([#|g' changelog-new.md
-          echo "Removing unneeded comment tags"
-          sed -i -r 's|@<!---->|@|g' changelog-new.md
-          CURRENT_CHANGELOG=`tail --lines +2 changelog.md`
-          echo -e "$CURRENT_CHANGELOG" >> changelog-new.md
-          mv changelog-new.md changelog.md
-          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
-            --dev \
-            pre-commit run --files changelog.md || true
-          git config --global user.name "github-actions"
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
-          git push origin ${{ needs.publish-release.outputs.version }}-changelog
-      - name: Create Pull Request
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const { repo, owner } = context.repo;
-            const result = await github.rest.pulls.create({
-              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
-              owner,
-              repo,
-              head: '${{ needs.publish-release.outputs.version }}-changelog',
-              base: 'main',
-              body: 'This PR is auto-generated by CI.'
-            });
-            github.rest.issues.addLabels({
-              owner,
-              repo,
-              issue_number: result.data.number,
-              labels: ['documentation', 'skip-changelog']
-            });

.github/workflows/cleanup-tags.yml

@@ -6,9 +6,10 @@
 # This workflow will not trigger runs on forked repos.
 name: Cleanup Image Tags
 on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * 0'
+  delete:
+  push:
+    paths:
+      - ".github/workflows/cleanup-tags.yml"
 concurrency:
   group: registry-tags-cleanup
   cancel-in-progress: false

.github/workflows/codecov-comment.yml

@@ -0,0 +1,220 @@
+name: Codecov PR Comment
+on:
+  workflow_run:
+    workflows:
+      - ci
+    types:
+      - completed
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  comment:
+    if: >-
+      github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Gather pull request context
+        id: pr
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const run = context.payload.workflow_run;
+            if (!run.pull_requests || run.pull_requests.length === 0) {
+              core.info('No associated pull request. Skipping.');
+              return { shouldRun: false };
+            }
+
+            const pr = run.pull_requests[0];
+            return {
+              shouldRun: true,
+              prNumber: pr.number,
+              headSha: run.head_sha,
+            };
+      - name: Fetch Codecov coverage
+        id: coverage
+        if: steps.pr.outputs.shouldRun == 'true'
+        uses: actions/github-script@v7
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+          COMMIT_SHA: ${{ steps.pr.outputs.headSha }}
+        with:
+          script: |
+            const token = process.env.CODECOV_TOKEN;
+            if (!token) {
+              core.warning('CODECOV_TOKEN secret is not available; skipping comment.');
+              core.setOutput('shouldComment', 'false');
+              return;
+            }
+
+            const commitSha = process.env.COMMIT_SHA;
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const url = `https://codecov.io/api/v2/github/${owner}/repos/${repo}/commits/${commitSha}/report`;
+            const maxAttempts = 10;
+            const waitMs = 15000;
+            const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+
+            let data;
+            for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+              core.info(`Fetching Codecov report (attempt ${attempt}/${maxAttempts})`);
+              const response = await fetch(url, {
+                headers: {
+                  Authorization: `Bearer ${token}`,
+                  'Content-Type': 'application/json',
+                  Accept: 'application/json',
+                },
+              });
+
+              if (response.status === 404) {
+                core.info('Report not ready yet (404). Waiting before retrying.');
+                await sleep(waitMs);
+                continue;
+              }
+
+              if (!response.ok) {
+                const text = await response.text();
+                throw new Error(`Codecov API returned ${response.status}: ${text}`);
+              }
+
+              data = await response.json();
+              if (data && Object.keys(data).length > 0) {
+                break;
+              }
+
+              core.info('Report payload empty. Waiting before retrying.');
+              await sleep(waitMs);
+            }
+
+            if (!data) {
+              core.warning('Unable to retrieve Codecov report after multiple attempts.');
+              core.setOutput('shouldComment', 'false');
+              return;
+            }
+
+            const totals = data.report?.totals ?? data.commit?.totals ?? data.totals;
+            if (!totals) {
+              core.warning('Codecov response does not contain coverage totals.');
+              core.setOutput('shouldComment', 'false');
+              return;
+            }
+
+            const compareTotals = data.report?.compare?.totals ?? data.compare?.totals;
+            const flagsRaw = data.report?.totals_by_flag ?? data.report?.components ?? [];
+
+            const toNumber = (value) => {
+              if (value === null || value === undefined || value === '') {
+                return undefined;
+              }
+              const num = Number(value);
+              return Number.isFinite(num) ? num : undefined;
+            };
+
+            const coverage = toNumber(totals.coverage);
+            const baseCoverage = toNumber(compareTotals?.base_coverage ?? compareTotals?.base);
+            const delta = toNumber(
+              compareTotals?.coverage_change ??
+              compareTotals?.coverage_diff ??
+              totals.delta ??
+              totals.diff ??
+              totals.change,
+            );
+
+            const formatPercent = (value) => {
+              if (value === undefined) return '—';
+              return `${value.toFixed(2)}%`;
+            };
+
+            const formatDelta = (value) => {
+              if (value === undefined) return '—';
+              const sign = value >= 0 ? '+' : '';
+              return `${sign}${value.toFixed(2)}%`;
+            };
+
+            const shortSha = commitSha.slice(0, 7);
+            const lines = [
+              '<!-- codecov-coverage-comment -->',
+              '**Codecov Coverage**',
+              '',
+              `- Head \`${shortSha}\`: ${formatPercent(coverage)}`,
+            ];
+
+            if (baseCoverage !== undefined) {
+              lines.push(`- Base: ${formatPercent(baseCoverage)}`);
+            }
+
+            if (delta !== undefined) {
+              lines.push(`- Change: ${formatDelta(delta)}`);
+            }
+
+            const flagEntries = Array.isArray(flagsRaw)
+              ? flagsRaw
+              : Object.entries(flagsRaw).map(([name, totals]) => ({ name, totals }));
+
+            const flagRows = [];
+            for (const entry of flagEntries) {
+              const label = entry.flag ?? entry.name ?? entry.component ?? entry.id;
+              const entryTotals = entry.totals ?? entry;
+              const entryCoverage = toNumber(entryTotals?.coverage);
+              const entryDelta = toNumber(
+                entryTotals?.coverage_change ??
+                entryTotals?.coverage_diff ??
+                entryTotals?.delta ??
+                entryTotals?.diff,
+              );
+              if (!label || entryCoverage === undefined) {
+                continue;
+              }
+              flagRows.push(`| ${label} | ${formatPercent(entryCoverage)} | ${formatDelta(entryDelta)} |`);
+            }
+
+            if (flagRows.length) {
+              lines.push('');
+              lines.push('| Flag | Coverage | Change |');
+              lines.push('| --- | --- | --- |');
+              lines.push(...flagRows);
+            }
+
+            const commentBody = lines.join('\n');
+            const shouldComment = coverage !== undefined;
+            core.setOutput('shouldComment', shouldComment ? 'true' : 'false');
+            if (shouldComment) {
+              core.setOutput('commentBody', commentBody);
+            }
+      - name: Upsert coverage comment
+        if: steps.pr.outputs.shouldRun == 'true' && steps.coverage.outputs.shouldComment == 'true'
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.pr.outputs.prNumber }}
+          COMMENT_BODY: ${{ steps.coverage.outputs.commentBody }}
+        with:
+          script: |
+            const prNumber = Number(process.env.PR_NUMBER);
+            const body = process.env.COMMENT_BODY;
+            const marker = '<!-- codecov-coverage-comment -->';
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              per_page: 100,
+            });
+
+            const existing = comments.find((comment) => comment.body?.includes(marker));
+            if (existing) {
+              core.info(`Updating existing coverage comment (id: ${existing.id}).`);
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              core.info('Creating new coverage comment.');
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body,
+              });
+            }

.github/workflows/pr-bot.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: Label PR by file path or branch name
         # see .github/labeler.yml for the labeler config
-        uses: actions/labeler@v6
+        uses: actions/labeler@v5
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Label by size
@@ -26,7 +26,7 @@ jobs:
           fail_if_xl: 'false'
           excluded_files: /\.lock$/ /\.txt$/ ^src-ui/pnpm-lock\.yaml$ ^src-ui/messages\.xlf$ ^src/locale/en_US/LC_MESSAGES/django\.po$
       - name: Label by PR title
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
         with:
           script: |
             const pr = context.payload.pull_request;
@@ -52,7 +52,7 @@ jobs:
             }
       - name: Label bot-generated PRs
         if: ${{ contains(github.actor, 'dependabot') || contains(github.actor, 'crowdin-bot') }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
         with:
           script: |
             const pr = context.payload.pull_request;
@@ -77,7 +77,7 @@ jobs:
             }
       - name: Welcome comment
         if: ${{ !contains(github.actor, 'bot') }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
         with:
           script: |
             const pr = context.payload.pull_request;

.github/workflows/repo-maintenance.yml

@@ -15,7 +15,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@v9
         with:
           days-before-stale: 7
           days-before-close: 14
@@ -57,7 +57,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@v7
         with:
           script: |
             function sleep(ms) {
@@ -114,7 +114,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@v7
         with:
           script: |
             function sleep(ms) {
@@ -206,7 +206,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@v7
         with:
           script: |
             function sleep(ms) {

.github/workflows/translate-strings.yml

@@ -17,7 +17,7 @@ jobs:
           ref: ${{ github.head_ref }}
       - name: Set up Python
         id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@v5
       - name: Install system dependencies
         run: |
           sudo apt-get update -qq
@@ -38,7 +38,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
           cache: 'pnpm'

.pre-commit-config.yaml

@@ -49,7 +49,7 @@ repos:
           - 'prettier-plugin-organize-imports@4.1.0'
   # Python hooks
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.13.2
+    rev: v0.13.0
     hooks:
       - id: ruff-check
       - id: ruff-format
@@ -59,7 +59,7 @@ repos:
       - id: pyproject-fmt
   # Dockerfile hooks
   - repo: https://github.com/AleksaC/hadolint-py
-    rev: v2.14.0
+    rev: v2.12.1b3
     hooks:
       - id: hadolint
   # Shell script hooks

Dockerfile

@@ -32,7 +32,7 @@ RUN set -eux \
 # Purpose: Installs s6-overlay and rootfs
 # Comments:
 #  - Don't leave anything extra in here either
-FROM ghcr.io/astral-sh/uv:0.8.22-python3.12-bookworm-slim AS s6-overlay-base
+FROM ghcr.io/astral-sh/uv:0.8.17-python3.12-bookworm-slim AS s6-overlay-base
 
 WORKDIR /usr/src/s6
 

docker/compose/docker-compose.portainer.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redisdata:/data
   db:
-    image: docker.io/library/postgres:18
+    image: docker.io/library/postgres:17
     restart: unless-stopped
     volumes:
       - pgdata:/var/lib/postgresql/data

docker/compose/docker-compose.postgres-tika.yml

@@ -35,7 +35,7 @@ services:
     volumes:
       - redisdata:/data
   db:
-    image: docker.io/library/postgres:18
+    image: docker.io/library/postgres:17
     restart: unless-stopped
     volumes:
       - pgdata:/var/lib/postgresql/data

docker/compose/docker-compose.postgres.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redisdata:/data
   db:
-    image: docker.io/library/postgres:18
+    image: docker.io/library/postgres:17
     restart: unless-stopped
     volumes:
       - pgdata:/var/lib/postgresql/data

docs/configuration.md

@@ -170,11 +170,11 @@ Available options are `postgresql` and `mariadb`.
 
     !!! note
 
-        A small pool is typically sufficient — for example, a size of 4.
-        Make sure your PostgreSQL server's max_connections setting is large enough to handle:
-        ```(Paperless workers + Celery workers) × pool size + safety margin```
-        For example, with 4 Paperless workers and 2 Celery workers, and a pool size of 4:
-        (4 + 2) × 4 + 10 = 34 connections required.
+    A small pool is typically sufficient — for example, a size of 4.
+    Make sure your PostgreSQL server's max_connections setting is large enough to handle:
+    ```(Paperless workers + Celery workers) × pool size + safety margin```
+    For example, with 4 Paperless workers and 2 Celery workers, and a pool size of 4:
+    (4 + 2) × 4 + 10 = 34 connections required.
 
 #### [`PAPERLESS_DB_READ_CACHE_ENABLED=<bool>`](#PAPERLESS_DB_READ_CACHE_ENABLED) {#PAPERLESS_DB_READ_CACHE_ENABLED}
 
@@ -184,9 +184,9 @@ Available options are `postgresql` and `mariadb`.
 
     !!! danger
 
-        **Do not modify the database outside the application while it is running.**
-        This includes actions such as restoring a backup, upgrading the database, or performing manual inserts. All external modifications must be done **only when the application is stopped**.
-        After making any such changes, you **must invalidate the DB read cache** using the `invalidate_cachalot` management command.
+    **Do not modify the database outside the application while it is running.**
+    This includes actions such as restoring a backup, upgrading the database, or performing manual inserts. All external modifications must be done **only when the application is stopped**.
+    After making any such changes, you **must invalidate the DB read cache** using the `invalidate_cachalot` management command.
 
 #### [`PAPERLESS_READ_CACHE_TTL=<int>`](#PAPERLESS_READ_CACHE_TTL) {#PAPERLESS_READ_CACHE_TTL}
 
@@ -196,7 +196,7 @@ Available options are `postgresql` and `mariadb`.
 
     !!! warning
 
-        A high TTL increases memory usage over time. Memory may be used until end of TTL, even if the cache is invalidated with the `invalidate_cachalot` command.
+    A high TTL increases memory usage over time. Memory may be used until end of TTL, even if the cache is invalidated with the `invalidate_cachalot` command.
 
 In case of an out-of-memory (OOM) situation, Redis may stop accepting new data — including cache entries, scheduled tasks, and documents to consume.
 If your system has limited RAM, consider configuring a dedicated Redis instance for the read cache, with a memory limit and the eviction policy set to `allkeys-lru`.

docs/usage.md

@@ -414,7 +414,7 @@ fields and permissions, which will be merged.
 
 #### Types {#workflow-trigger-types}
 
-Currently, there are four events that correspond to workflow trigger 'types':
+Currently, there are three events that correspond to workflow trigger 'types':
 
 1. **Consumption Started**: _before_ a document is consumed, so events can include filters by source (mail, consumption
    folder or API), file path, file name, mail rule
@@ -427,7 +427,7 @@ Currently, there are four events that correspond to workflow trigger 'types':
    added, created, updated date or you can specify a (date) custom field. You can also specify a day offset from the date (positive
    offsets will trigger after the date, negative offsets will trigger before).
 
-The following flow diagram illustrates the four document trigger types:
+The following flow diagram illustrates the three document trigger types:
 
 ```mermaid
 flowchart TD
@@ -637,7 +637,7 @@ When you first delete a document it is moved to the 'trash' until either it is e
 You can set how long documents remain in the trash before being automatically deleted with [`PAPERLESS_EMPTY_TRASH_DELAY`](configuration.md#PAPERLESS_EMPTY_TRASH_DELAY), which defaults
 to 30 days. Until the file is actually deleted (e.g. the trash is emptied), all files and database content remains intact and can be restored at any point up until that time.
 
-Additionally you may configure a directory where deleted files are moved to when the trash is emptied with [`PAPERLESS_EMPTY_TRASH_DIR`](configuration.md#PAPERLESS_EMPTY_TRASH_DIR).
+Additionally you may configure a directory where deleted files are moved to when they the trash is emptied with [`PAPERLESS_EMPTY_TRASH_DIR`](configuration.md#PAPERLESS_EMPTY_TRASH_DIR).
 Note that the empty trash directory only stores the original file, the archive file and all database information is permanently removed once a document is fully deleted.
 
 ## Best practices {#basic-searching}

pyproject.toml

@@ -30,10 +30,10 @@ dependencies = [
   "django-cachalot~=2.8.0",
   "django-celery-results~=2.6.0",
   "django-compression-middleware~=0.5.0",
-  "django-cors-headers~=4.9.0",
+  "django-cors-headers~=4.8.0",
   "django-extensions~=4.1",
   "django-filter~=25.1",
-  "django-guardian~=3.2.0",
+  "django-guardian~=3.1.2",
   "django-multiselectfield~=1.0.1",
   "django-soft-delete~=1.0.18",
   "django-treenode>=0.23.2",
@@ -54,6 +54,7 @@ dependencies = [
   "ocrmypdf~=16.11.0",
   "pathvalidate~=3.3.1",
   "pdf2image~=1.17.0",
+  "psycopg-pool",
   "python-dateutil~=2.9.0",
   "python-dotenv~=1.1.0",
   "python-gnupg~=0.5.4",

src-ui/e2e/document-list/document-list.spec.ts

@@ -174,7 +174,7 @@ test('bulk edit', async ({ page }) => {
   await expect(page.locator('pngx-document-list')).toHaveText(
     /Selected 61 of 61 documents/i
   )
-  await page.getByRole('button', { name: 'None' }).click()
+  await page.getByRole('button', { name: 'Cancel' }).click()
 
   await page.locator('pngx-document-card-small').nth(1).click()
   await page.locator('pngx-document-card-small').nth(2).click()

src-ui/package.json

@@ -11,17 +11,17 @@
   },
   "private": true,
   "dependencies": {
-    "@angular/cdk": "^20.2.6",
-    "@angular/common": "~20.3.2",
-    "@angular/compiler": "~20.3.2",
-    "@angular/core": "~20.3.2",
-    "@angular/forms": "~20.3.2",
-    "@angular/localize": "~20.3.2",
-    "@angular/platform-browser": "~20.3.2",
-    "@angular/platform-browser-dynamic": "~20.3.2",
-    "@angular/router": "~20.3.2",
+    "@angular/cdk": "^20.2.2",
+    "@angular/common": "~20.2.4",
+    "@angular/compiler": "~20.2.4",
+    "@angular/core": "~20.2.4",
+    "@angular/forms": "~20.2.4",
+    "@angular/localize": "~20.2.4",
+    "@angular/platform-browser": "~20.2.4",
+    "@angular/platform-browser-dynamic": "~20.2.4",
+    "@angular/router": "~20.2.4",
     "@ng-bootstrap/ng-bootstrap": "^19.0.1",
-    "@ng-select/ng-select": "^20.2.2",
+    "@ng-select/ng-select": "^20.1.3",
     "@ngneat/dirty-check-forms": "^3.0.3",
     "@popperjs/core": "^2.11.8",
     "bootstrap": "^5.3.8",
@@ -29,48 +29,47 @@
     "mime-names": "^1.0.0",
     "ng2-pdf-viewer": "^10.4.0",
     "ngx-bootstrap-icons": "^1.9.3",
-    "ngx-color": "^10.1.0",
+    "ngx-color": "^10.0.0",
     "ngx-cookie-service": "^20.1.0",
     "ngx-device-detector": "^10.1.0",
     "ngx-ui-tour-ng-bootstrap": "^17.0.1",
     "rxjs": "^7.8.2",
     "tslib": "^2.8.1",
     "utif": "^3.1.0",
-    "uuid": "^13.0.0",
+    "uuid": "^11.1.0",
     "zone.js": "^0.15.1"
   },
   "devDependencies": {
     "@angular-builders/custom-webpack": "^20.0.0",
     "@angular-builders/jest": "^20.0.0",
-    "@angular-devkit/core": "^20.3.3",
-    "@angular-devkit/schematics": "^20.3.3",
-    "@angular-eslint/builder": "20.3.0",
-    "@angular-eslint/eslint-plugin": "20.3.0",
-    "@angular-eslint/eslint-plugin-template": "20.3.0",
-    "@angular-eslint/schematics": "20.3.0",
-    "@angular-eslint/template-parser": "20.3.0",
-    "@angular/build": "^20.3.3",
-    "@angular/cli": "~20.3.3",
-    "@angular/compiler-cli": "~20.3.2",
+    "@angular-devkit/core": "^20.2.2",
+    "@angular-devkit/schematics": "^20.2.2",
+    "@angular-eslint/builder": "20.2.0",
+    "@angular-eslint/eslint-plugin": "20.2.0",
+    "@angular-eslint/eslint-plugin-template": "20.2.0",
+    "@angular-eslint/schematics": "20.2.0",
+    "@angular-eslint/template-parser": "20.2.0",
+    "@angular/build": "^20.2.2",
+    "@angular/cli": "~20.2.2",
+    "@angular/compiler-cli": "~20.2.4",
     "@codecov/webpack-plugin": "^1.9.1",
-    "@playwright/test": "^1.55.1",
+    "@playwright/test": "^1.55.0",
     "@types/jest": "^30.0.0",
-    "@types/node": "^24.6.1",
-    "@typescript-eslint/eslint-plugin": "^8.45.0",
-    "@typescript-eslint/parser": "^8.45.0",
-    "@typescript-eslint/utils": "^8.45.0",
-    "eslint": "^9.36.0",
-    "jest": "30.2.0",
-    "jest-environment-jsdom": "^30.2.0",
+    "@types/node": "^24.3.0",
+    "@typescript-eslint/eslint-plugin": "^8.41.0",
+    "@typescript-eslint/parser": "^8.41.0",
+    "@typescript-eslint/utils": "^8.41.0",
+    "eslint": "^9.34.0",
+    "jest": "30.1.3",
+    "jest-environment-jsdom": "^30.1.2",
     "jest-junit": "^16.0.0",
-    "jest-preset-angular": "^15.0.2",
+    "jest-preset-angular": "^15.0.0",
     "jest-websocket-mock": "^2.5.0",
-    "prettier-plugin-organize-imports": "^4.3.0",
+    "prettier-plugin-organize-imports": "^4.2.0",
     "ts-node": "~10.9.1",
     "typescript": "^5.8.3",
-    "webpack": "^5.102.0"
+    "webpack": "^5.101.3"
   },
-  "packageManager": "pnpm@10.17.1",
   "pnpm": {
     "onlyBuiltDependencies": [
       "@parcel/watcher",

src-ui/setup-jest.ts

@@ -145,14 +145,4 @@ HTMLCanvasElement.prototype.getContext = <
   typeof HTMLCanvasElement.prototype.getContext
 >jest.fn()
 
-jest.mock('uuid', () => ({
-  v4: jest.fn(() =>
-    'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (char: string) => {
-      const random = Math.floor(Math.random() * 16)
-      const value = char === 'x' ? random : (random & 0x3) | 0x8
-      return value.toString(16)
-    })
-  ),
-}))
-
 jest.mock('pdfjs-dist')

src-ui/src/app/components/admin/tasks/tasks.component.spec.ts

@@ -16,7 +16,6 @@ import {
   NgbNavItem,
 } from '@ng-bootstrap/ng-bootstrap'
 import { allIcons, NgxBootstrapIconsModule } from 'ngx-bootstrap-icons'
-import { throwError } from 'rxjs'
 import { routes } from 'src/app/app-routing.module'
 import {
   PaperlessTask,
@@ -29,7 +28,6 @@ import { PermissionsGuard } from 'src/app/guards/permissions.guard'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
 import { PermissionsService } from 'src/app/services/permissions.service'
 import { TasksService } from 'src/app/services/tasks.service'
-import { ToastService } from 'src/app/services/toast.service'
 import { environment } from 'src/environments/environment'
 import { ConfirmDialogComponent } from '../../common/confirm-dialog/confirm-dialog.component'
 import { PageHeaderComponent } from '../../common/page-header/page-header.component'
@@ -125,7 +123,6 @@ describe('TasksComponent', () => {
   let router: Router
   let httpTestingController: HttpTestingController
   let reloadSpy
-  let toastService: ToastService
 
   beforeEach(async () => {
     TestBed.configureTestingModule({
@@ -160,7 +157,6 @@ describe('TasksComponent', () => {
     httpTestingController = TestBed.inject(HttpTestingController)
     modalService = TestBed.inject(NgbModal)
     router = TestBed.inject(Router)
-    toastService = TestBed.inject(ToastService)
     fixture = TestBed.createComponent(TasksComponent)
     component = fixture.componentInstance
     jest.useFakeTimers()
@@ -253,42 +249,6 @@ describe('TasksComponent', () => {
     expect(dismissSpy).toHaveBeenCalledWith(selected)
   })
 
-  it('should show an error and re-enable modal buttons when dismissing multiple tasks fails', () => {
-    component.selectedTasks = new Set([tasks[0].id, tasks[1].id])
-    const error = new Error('dismiss failed')
-    const toastSpy = jest.spyOn(toastService, 'showError')
-    const dismissSpy = jest
-      .spyOn(tasksService, 'dismissTasks')
-      .mockReturnValue(throwError(() => error))
-
-    let modal: NgbModalRef
-    modalService.activeInstances.subscribe((m) => (modal = m[m.length - 1]))
-
-    component.dismissTasks()
-    expect(modal).not.toBeUndefined()
-
-    modal.componentInstance.confirmClicked.emit()
-
-    expect(dismissSpy).toHaveBeenCalledWith(new Set([tasks[0].id, tasks[1].id]))
-    expect(toastSpy).toHaveBeenCalledWith('Error dismissing tasks', error)
-    expect(modal.componentInstance.buttonsEnabled).toBe(true)
-    expect(component.selectedTasks.size).toBe(0)
-  })
-
-  it('should show an error when dismissing a single task fails', () => {
-    const error = new Error('dismiss failed')
-    const toastSpy = jest.spyOn(toastService, 'showError')
-    const dismissSpy = jest
-      .spyOn(tasksService, 'dismissTasks')
-      .mockReturnValue(throwError(() => error))
-
-    component.dismissTask(tasks[0])
-
-    expect(dismissSpy).toHaveBeenCalledWith(new Set([tasks[0].id]))
-    expect(toastSpy).toHaveBeenCalledWith('Error dismissing task', error)
-    expect(component.selectedTasks.size).toBe(0)
-  })
-
   it('should support dismiss all tasks', () => {
     let modal: NgbModalRef
     modalService.activeInstances.subscribe((m) => (modal = m[m.length - 1]))

src-ui/src/app/components/admin/tasks/tasks.component.ts

@@ -24,7 +24,6 @@ import { PaperlessTask } from 'src/app/data/paperless-task'
 import { IfPermissionsDirective } from 'src/app/directives/if-permissions.directive'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
 import { TasksService } from 'src/app/services/tasks.service'
-import { ToastService } from 'src/app/services/toast.service'
 import { ConfirmDialogComponent } from '../../common/confirm-dialog/confirm-dialog.component'
 import { PageHeaderComponent } from '../../common/page-header/page-header.component'
 import { LoadingComponentWithPermissions } from '../../loading-component/loading.component'
@@ -73,7 +72,6 @@ export class TasksComponent
   tasksService = inject(TasksService)
   private modalService = inject(NgbModal)
   private readonly router = inject(Router)
-  private readonly toastService = inject(ToastService)
 
   public activeTab: TaskTab
   public selectedTasks: Set<number> = new Set()
@@ -156,19 +154,11 @@ export class TasksComponent
       modal.componentInstance.confirmClicked.pipe(first()).subscribe(() => {
         modal.componentInstance.buttonsEnabled = false
         modal.close()
-        this.tasksService.dismissTasks(tasks).subscribe({
-          error: (e) => {
-            this.toastService.showError($localize`Error dismissing tasks`, e)
-            modal.componentInstance.buttonsEnabled = true
-          },
-        })
+        this.tasksService.dismissTasks(tasks)
         this.clearSelection()
       })
     } else {
-      this.tasksService.dismissTasks(tasks).subscribe({
-        error: (e) =>
-          this.toastService.showError($localize`Error dismissing task`, e),
-      })
+      this.tasksService.dismissTasks(tasks)
       this.clearSelection()
     }
   }

src-ui/src/app/components/common/custom-fields-query-dropdown/custom-fields-query-dropdown.component.scss

@@ -41,3 +41,9 @@
     min-width: 140px;
   }
 }
+
+.btn-group-xs {
+  > .btn {
+    border-radius: 0.15rem;
+  }
+}

src-ui/src/app/components/common/edit-dialog/custom-field-edit-dialog/custom-field-edit-dialog.component.ts

@@ -177,16 +177,10 @@ export class CustomFieldEditDialogComponent
   }
 
   public removeSelectOption(index: number) {
-    const globalIndex =
-      index + (this.selectOptionsPage - 1) * SELECT_OPTION_PAGE_SIZE
-    this._allSelectOptions.splice(globalIndex, 1)
-
-    const totalPages = Math.max(
-      1,
-      Math.ceil(this._allSelectOptions.length / SELECT_OPTION_PAGE_SIZE)
+    this.selectOptions.removeAt(index)
+    this._allSelectOptions.splice(
+      index + (this.selectOptionsPage - 1) * SELECT_OPTION_PAGE_SIZE,
+      1
     )
-    const targetPage = Math.min(this.selectOptionsPage, totalPages)
-
-    this.selectOptionsPage = targetPage
   }
 }

src-ui/src/app/components/common/input/color/color.component.html

@@ -1,18 +1,19 @@
 <div class="mb-3">
   @if (title) {
-    <label class="form-label" [for]="inputId">{{title}}</label>
+    <label [for]="inputId">{{title}}</label>
   }
 
   <div class="input-group" [class.is-invalid]="error">
-    <button type="button" class="input-group-text" [style.background-color]="value" (click)="colorPicker.toggle()">&nbsp;&nbsp;&nbsp;</button>
+    <span class="input-group-text" [style.background-color]="value">&nbsp;&nbsp;&nbsp;</span>
 
     <ng-template #popContent>
       <div style="min-width: 200px;" class="pb-3">
         <color-slider [color]="value" (onChangeComplete)="colorChanged($event.color.hex)"></color-slider>
       </div>
+
     </ng-template>
 
-    <input #inputField class="form-control" [class.is-invalid]="error" [id]="inputId" [(ngModel)]="value" (change)="onChange(value)" [autoClose]="'outside'" [ngbPopover]="popContent" #colorPicker="ngbPopover" placement="bottom" popoverClass="shadow">
+    <input #inputField class="form-control" [class.is-invalid]="error" [id]="inputId" [(ngModel)]="value" (change)="onChange(value)" [autoClose]="'outside'" [ngbPopover]="popContent" placement="bottom" popoverClass="shadow">
 
     <button class="btn btn-outline-secondary" type="button" (click)="randomize()">
       <i-bs name="dice5"></i-bs>

src-ui/src/app/components/common/input/color/color.component.spec.ts

@@ -42,8 +42,8 @@ describe('ColorComponent', () => {
   })
 
   it('should set swatch color', () => {
-    const swatch: HTMLButtonElement = fixture.nativeElement.querySelector(
-      'button.input-group-text'
+    const swatch: HTMLSpanElement = fixture.nativeElement.querySelector(
+      'span.input-group-text'
     )
     expect(swatch.style.backgroundColor).toEqual('')
     component.value = '#ff0000'

src-ui/src/app/components/common/page-header/page-header.component.html

@@ -1,10 +1,7 @@
 <div class="row pt-3 pb-3 pb-md-2 align-items-center">
   <div class="col-md text-truncate">
-    <h3 class="text-truncate d-flex align-items-center" style="line-height: 1.4">
+    <h3 class="text-truncate" style="line-height: 1.4">
       {{title}}
-      @if (id) {
-        <span class="badge bg-primary text-primary-text-contrast ms-2 small fs-normal">ID: {{id}}</span>
-      }
       @if (subTitle) {
         <span class="h6 mb-0 d-block d-md-inline fw-normal ms-md-3 text-truncate" style="line-height: 1.4">{{subTitle}}</span>
       }

src-ui/src/app/components/common/page-header/page-header.component.scss

@@ -1,10 +1,5 @@
 h3 {
     min-height: calc(1.325rem + 0.9vw);
-
-    .badge {
-        font-size: 0.65rem;
-        line-height: 1;
-    }
 }
 
 @media (min-width: 1200px) {

src-ui/src/app/components/common/page-header/page-header.component.ts

@@ -26,9 +26,6 @@ export class PageHeaderComponent {
     return this._title
   }
 
-  @Input()
-  id: number
-
   @Input()
   subTitle: string = ''
 

src-ui/src/app/components/document-detail/document-detail.component.html

@@ -1,4 +1,4 @@
-<pngx-page-header [(title)]="title" [id]="documentId">
+<pngx-page-header [(title)]="title">
   @if (archiveContentRenderType === ContentRenderType.PDF && !useNativePdfViewer) {
     @if (previewNumPages) {
       <div class="input-group input-group-sm d-none d-md-flex">

src-ui/src/app/components/document-detail/document-detail.component.spec.ts

@@ -1212,7 +1212,7 @@ describe('DocumentDetailComponent', () => {
   it('should support keyboard shortcuts', () => {
     initNormally()
 
-    const hasNextSpy = jest.spyOn(component, 'hasNext').mockReturnValue(true)
+    jest.spyOn(component, 'hasNext').mockReturnValue(true)
     const nextSpy = jest.spyOn(component, 'nextDoc')
     document.dispatchEvent(
       new KeyboardEvent('keydown', { key: 'arrowright', ctrlKey: true })
@@ -1226,32 +1226,21 @@ describe('DocumentDetailComponent', () => {
     )
     expect(prevSpy).toHaveBeenCalled()
 
-    const isDirtySpy = jest
-      .spyOn(openDocumentsService, 'isDirty')
-      .mockReturnValue(true)
+    jest.spyOn(openDocumentsService, 'isDirty').mockReturnValue(true)
     const saveSpy = jest.spyOn(component, 'save')
     document.dispatchEvent(
       new KeyboardEvent('keydown', { key: 's', ctrlKey: true })
     )
     expect(saveSpy).toHaveBeenCalled()
 
-    hasNextSpy.mockReturnValue(true)
+    jest.spyOn(openDocumentsService, 'isDirty').mockReturnValue(true)
+    jest.spyOn(component, 'hasNext').mockReturnValue(true)
     const saveNextSpy = jest.spyOn(component, 'saveEditNext')
     document.dispatchEvent(
       new KeyboardEvent('keydown', { key: 's', ctrlKey: true, shiftKey: true })
     )
     expect(saveNextSpy).toHaveBeenCalled()
 
-    saveSpy.mockClear()
-    saveNextSpy.mockClear()
-    isDirtySpy.mockReturnValue(true)
-    hasNextSpy.mockReturnValue(false)
-    document.dispatchEvent(
-      new KeyboardEvent('keydown', { key: 's', ctrlKey: true, shiftKey: true })
-    )
-    expect(saveNextSpy).not.toHaveBeenCalled()
-    expect(saveSpy).toHaveBeenCalledWith(true)
-
     const closeSpy = jest.spyOn(component, 'close')
     document.dispatchEvent(new KeyboardEvent('keydown', { key: 'escape' }))
     expect(closeSpy).toHaveBeenCalled()

src-ui/src/app/components/document-detail/document-detail.component.ts

@@ -615,10 +615,7 @@ export class DocumentDetailComponent
       })
       .pipe(takeUntil(this.unsubscribeNotifier))
       .subscribe(() => {
-        if (this.openDocumentService.isDirty(this.document)) {
-          if (this.hasNext()) this.saveEditNext()
-          else this.save(true)
-        }
+        if (this.openDocumentService.isDirty(this.document)) this.saveEditNext()
       })
   }
 

src-ui/src/app/components/document-list/bulk-editor/bulk-editor.component.html

@@ -1,144 +1,161 @@
 <div class="d-flex flex-wrap gap-4">
-  <div class="d-flex flex-wrap align-items-center gap-2" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.Document }">
-    <label class="me-2" i18n>Edit:</label>
-    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Tag)) {
-      <pngx-filterable-dropdown title="Tags" icon="tag-fill" i18n-title
-        filterPlaceholder="Filter tags" i18n-filterPlaceholder
-        [disabled]="!userCanEditAll || disabled"
-        [editing]="true"
-        [applyOnClose]="applyOnClose"
-        [createRef]="createTag.bind(this)"
-        (opened)="openTagsDropdown()"
-        [(selectionModel)]="tagSelectionModel"
-        [documentCounts]="tagDocumentCounts"
-        (apply)="setTags($event)"
-        shortcutKey="t">
-      </pngx-filterable-dropdown>
-    }
-    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Correspondent)) {
-      <pngx-filterable-dropdown title="Correspondent" icon="person-fill" i18n-title
-        filterPlaceholder="Filter correspondents" i18n-filterPlaceholder
-        [disabled]="!userCanEditAll || disabled"
-        [editing]="true"
-        [applyOnClose]="applyOnClose"
-        [createRef]="createCorrespondent.bind(this)"
-        (opened)="openCorrespondentDropdown()"
-        [(selectionModel)]="correspondentSelectionModel"
-        [documentCounts]="correspondentDocumentCounts"
-        (apply)="setCorrespondents($event)"
-        shortcutKey="y">
-      </pngx-filterable-dropdown>
-    }
-    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.DocumentType)) {
-      <pngx-filterable-dropdown title="Document type" icon="file-earmark-fill" i18n-title
-        filterPlaceholder="Filter document types" i18n-filterPlaceholder
-        [disabled]="!userCanEditAll || disabled"
-        [editing]="true"
-        [applyOnClose]="applyOnClose"
-        [createRef]="createDocumentType.bind(this)"
-        (opened)="openDocumentTypeDropdown()"
-        [(selectionModel)]="documentTypeSelectionModel"
-        [documentCounts]="documentTypeDocumentCounts"
-        (apply)="setDocumentTypes($event)"
-        shortcutKey="u">
-      </pngx-filterable-dropdown>
-    }
-    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.StoragePath)) {
-      <pngx-filterable-dropdown title="Storage path" icon="folder-fill" i18n-title
-        filterPlaceholder="Filter storage paths" i18n-filterPlaceholder
-        [disabled]="!userCanEditAll || disabled"
-        [editing]="true"
-        [applyOnClose]="applyOnClose"
-        [createRef]="createStoragePath.bind(this)"
-        (opened)="openStoragePathDropdown()"
-        [(selectionModel)]="storagePathsSelectionModel"
-        [documentCounts]="storagePathDocumentCounts"
-        (apply)="setStoragePaths($event)"
-        shortcutKey="i">
-      </pngx-filterable-dropdown>
-    }
-    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.CustomField)) {
-      <pngx-filterable-dropdown title="Custom fields" icon="ui-radios" i18n-title
-        filterPlaceholder="Filter custom fields" i18n-filterPlaceholder
-        [disabled]="!userCanEditAll"
-        [editing]="true"
-        [applyOnClose]="applyOnClose"
-        [createRef]="createCustomField.bind(this)"
-        (opened)="openCustomFieldsDropdown()"
-        [(selectionModel)]="customFieldsSelectionModel"
-        [documentCounts]="customFieldDocumentCounts"
-        extraButtonTitle="Set values"
-        i18n-extraButtonTitle
-        (extraButton)="setCustomFieldValues($event)"
-        (apply)="setCustomFields($event)">
-      </pngx-filterable-dropdown>
-    }
-    <div class="btn-group">
-      <button type="button" class="btn btn-sm btn-outline-primary me-2" (click)="setPermissions()" [disabled]="!userOwnsAll || !userCanEditAll">
-        <i-bs name="person-fill-lock"></i-bs><div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Permissions</ng-container></div>
+  <div class="d-flex align-items-center" role="group" aria-label="Select">
+    <button class="btn btn-sm btn-outline-secondary" (click)="list.selectNone()">
+      <i-bs name="slash-circle"></i-bs>&nbsp;<ng-container i18n>Cancel</ng-container>
       </button>
     </div>
-  </div>
-  <div class="d-flex align-items-center gap-2 ms-auto">
-    <div class="btn-toolbar">
-      <div ngbDropdown>
-        <button class="btn btn-sm btn-outline-primary" id="dropdownSelect" [disabled]="!userCanEdit && !userCanAdd" ngbDropdownToggle>
-          <i-bs name="three-dots"></i-bs>
-          <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Actions</ng-container></div>
-        </button>
-        <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
-          <button ngbDropdownItem (click)="reprocessSelected()" [disabled]="!userCanEditAll && !userCanEditAll">
-            <i-bs name="body-text"></i-bs>&nbsp;<ng-container i18n>Reprocess</ng-container>
+    <div class="d-flex align-items-center gap-2" role="group" aria-label="Select">
+      <label class="me-2" i18n>Select:</label>
+      <div class="btn-group">
+        <button class="btn btn-sm btn-outline-primary" (click)="list.selectPage()">
+          <i-bs name="file-earmark-check"></i-bs>&nbsp;<ng-container i18n>Page</ng-container>
           </button>
-          <button ngbDropdownItem (click)="rotateSelected()" [disabled]="!userOwnsAll && !userCanEditAll">
-            <i-bs name="arrow-clockwise"></i-bs>&nbsp;<ng-container i18n>Rotate</ng-container>
-          </button>
-          <button ngbDropdownItem (click)="mergeSelected()" [disabled]="!userCanAdd || list.selected.size < 2">
-            <i-bs name="journals"></i-bs>&nbsp;<ng-container i18n>Merge</ng-container>
-          </button>
-        </div>
-      </div>
-    </div>
-    <div class="btn-group btn-group-sm">
-      <button class="btn btn-sm btn-outline-primary" [disabled]="awaitingDownload" (click)="downloadSelected()">
-        @if (!awaitingDownload) {
-          <i-bs name="arrow-down"></i-bs>
-        }
-        @if (awaitingDownload) {
-          <div class="spinner-border spinner-border-sm" role="status">
-            <span class="visually-hidden">Preparing download...</span>
+          <button class="btn btn-sm btn-outline-primary" (click)="list.selectAll()">
+            <i-bs name="check-all"></i-bs>&nbsp;<ng-container i18n>All</ng-container>
+            </button>
           </div>
-        }
-        <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Download</ng-container></div>
-      </button>
-      <div ngbDropdown class="me-2 d-flex btn-group" role="group">
-        <button type="button" class="btn btn-sm btn-outline-primary dropdown-toggle-split rounded-end" ngbDropdownToggle></button>
-        <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
-          <form [formGroup]="downloadForm" class="px-3 py-1">
-            <p class="mb-1" i18n>Include:</p>
-            <div class="form-group ps-3 mb-2">
-              <div class="form-check">
-                <input type="checkbox" class="form-check-input" id="downloadFileType_archive" formControlName="downloadFileTypeArchive" />
-                <label class="form-check-label" for="downloadFileType_archive" i18n>Archived files</label>
-              </div>
-              <div class="form-check">
-                <input type="checkbox" class="form-check-input" id="downloadFileType_originals" formControlName="downloadFileTypeOriginals" />
-                <label class="form-check-label" for="downloadFileType_originals" i18n>Original files</label>
-              </div>
-            </div>
-            <div class="form-check">
-              <input type="checkbox" class="form-check-input" id="downloadUseFormatting" formControlName="downloadUseFormatting" />
-              <label class="form-check-label" for="downloadUseFormatting" i18n>Use formatted filename</label>
-            </div>
-          </form>
         </div>
-      </div>
-    </div>
+        <div class="d-flex align-items-center gap-2" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.Document }">
+          <label class="me-2" i18n>Edit:</label>
+          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Tag)) {
+            <pngx-filterable-dropdown title="Tags" icon="tag-fill" i18n-title
+              filterPlaceholder="Filter tags" i18n-filterPlaceholder
+              [disabled]="!userCanEditAll || disabled"
+              [editing]="true"
+              [applyOnClose]="applyOnClose"
+              [createRef]="createTag.bind(this)"
+              (opened)="openTagsDropdown()"
+              [(selectionModel)]="tagSelectionModel"
+              [documentCounts]="tagDocumentCounts"
+              (apply)="setTags($event)"
+              shortcutKey="t">
+            </pngx-filterable-dropdown>
+          }
+          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Correspondent)) {
+            <pngx-filterable-dropdown title="Correspondent" icon="person-fill" i18n-title
+              filterPlaceholder="Filter correspondents" i18n-filterPlaceholder
+              [disabled]="!userCanEditAll || disabled"
+              [editing]="true"
+              [applyOnClose]="applyOnClose"
+              [createRef]="createCorrespondent.bind(this)"
+              (opened)="openCorrespondentDropdown()"
+              [(selectionModel)]="correspondentSelectionModel"
+              [documentCounts]="correspondentDocumentCounts"
+              (apply)="setCorrespondents($event)"
+              shortcutKey="y">
+            </pngx-filterable-dropdown>
+          }
+          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.DocumentType)) {
+            <pngx-filterable-dropdown title="Document type" icon="file-earmark-fill" i18n-title
+              filterPlaceholder="Filter document types" i18n-filterPlaceholder
+              [disabled]="!userCanEditAll || disabled"
+              [editing]="true"
+              [applyOnClose]="applyOnClose"
+              [createRef]="createDocumentType.bind(this)"
+              (opened)="openDocumentTypeDropdown()"
+              [(selectionModel)]="documentTypeSelectionModel"
+              [documentCounts]="documentTypeDocumentCounts"
+              (apply)="setDocumentTypes($event)"
+              shortcutKey="u">
+            </pngx-filterable-dropdown>
+          }
+          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.StoragePath)) {
+            <pngx-filterable-dropdown title="Storage path" icon="folder-fill" i18n-title
+              filterPlaceholder="Filter storage paths" i18n-filterPlaceholder
+              [disabled]="!userCanEditAll || disabled"
+              [editing]="true"
+              [applyOnClose]="applyOnClose"
+              [createRef]="createStoragePath.bind(this)"
+              (opened)="openStoragePathDropdown()"
+              [(selectionModel)]="storagePathsSelectionModel"
+              [documentCounts]="storagePathDocumentCounts"
+              (apply)="setStoragePaths($event)"
+              shortcutKey="i">
+            </pngx-filterable-dropdown>
+          }
+          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.CustomField)) {
+            <pngx-filterable-dropdown title="Custom fields" icon="ui-radios" i18n-title
+              filterPlaceholder="Filter custom fields" i18n-filterPlaceholder
+              [disabled]="!userCanEditAll"
+              [editing]="true"
+              [applyOnClose]="applyOnClose"
+              [createRef]="createCustomField.bind(this)"
+              (opened)="openCustomFieldsDropdown()"
+              [(selectionModel)]="customFieldsSelectionModel"
+              [documentCounts]="customFieldDocumentCounts"
+              extraButtonTitle="Set values"
+              i18n-extraButtonTitle
+              (extraButton)="setCustomFieldValues($event)"
+              (apply)="setCustomFields($event)">
+            </pngx-filterable-dropdown>
+          }
+        </div>
+        <div class="d-flex align-items-center gap-2 ms-auto">
+          <div class="btn-toolbar">
 
-    <div class="btn-group btn-group-sm">
-      <button type="button" class="btn btn-sm btn-outline-danger" (click)="applyDelete()" *pngxIfPermissions="{ action: PermissionAction.Delete, type: PermissionType.Document }" [disabled]="!userOwnsAll">
-        <i-bs name="trash"></i-bs>&nbsp;<ng-container i18n>Delete</ng-container>
-      </button>
-    </div>
-  </div>
-</div>
+            <button type="button" class="btn btn-sm btn-outline-primary me-2" (click)="setPermissions()" [disabled]="!userOwnsAll || !userCanEditAll">
+              <i-bs name="person-fill-lock"></i-bs><div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Permissions</ng-container></div>
+            </button>
+
+            <div ngbDropdown>
+              <button class="btn btn-sm btn-outline-primary" id="dropdownSelect" [disabled]="!userCanEdit && !userCanAdd" ngbDropdownToggle>
+                <i-bs name="three-dots"></i-bs>
+                <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Actions</ng-container></div>
+              </button>
+              <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
+                <button ngbDropdownItem (click)="reprocessSelected()" [disabled]="!userCanEditAll && !userCanEditAll">
+                  <i-bs name="body-text"></i-bs>&nbsp;<ng-container i18n>Reprocess</ng-container>
+                </button>
+                <button ngbDropdownItem (click)="rotateSelected()" [disabled]="!userOwnsAll && !userCanEditAll">
+                  <i-bs name="arrow-clockwise"></i-bs>&nbsp;<ng-container i18n>Rotate</ng-container>
+                </button>
+                <button ngbDropdownItem (click)="mergeSelected()" [disabled]="!userCanAdd || list.selected.size < 2">
+                  <i-bs name="journals"></i-bs>&nbsp;<ng-container i18n>Merge</ng-container>
+                </button>
+              </div>
+            </div>
+          </div>
+
+            <div class="btn-group btn-group-sm">
+              <button class="btn btn-sm btn-outline-primary" [disabled]="awaitingDownload" (click)="downloadSelected()">
+                @if (!awaitingDownload) {
+                  <i-bs name="arrow-down"></i-bs>
+                }
+                @if (awaitingDownload) {
+                  <div class="spinner-border spinner-border-sm" role="status">
+                    <span class="visually-hidden">Preparing download...</span>
+                  </div>
+                }
+                <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Download</ng-container></div>
+              </button>
+              <div ngbDropdown class="me-2 d-flex btn-group" role="group">
+                <button type="button" class="btn btn-sm btn-outline-primary dropdown-toggle-split rounded-end" ngbDropdownToggle></button>
+                <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
+                  <form [formGroup]="downloadForm" class="px-3 py-1">
+                    <p class="mb-1" i18n>Include:</p>
+                    <div class="form-group ps-3 mb-2">
+                      <div class="form-check">
+                        <input type="checkbox" class="form-check-input" id="downloadFileType_archive" formControlName="downloadFileTypeArchive" />
+                        <label class="form-check-label" for="downloadFileType_archive" i18n>Archived files</label>
+                      </div>
+                      <div class="form-check">
+                        <input type="checkbox" class="form-check-input" id="downloadFileType_originals" formControlName="downloadFileTypeOriginals" />
+                        <label class="form-check-label" for="downloadFileType_originals" i18n>Original files</label>
+                      </div>
+                    </div>
+                    <div class="form-check">
+                      <input type="checkbox" class="form-check-input" id="downloadUseFormatting" formControlName="downloadUseFormatting" />
+                      <label class="form-check-label" for="downloadUseFormatting" i18n>Use formatted filename</label>
+                    </div>
+                  </form>
+                </div>
+              </div>
+            </div>
+
+            <div class="btn-group btn-group-sm">
+              <button type="button" class="btn btn-sm btn-outline-danger" (click)="applyDelete()" *pngxIfPermissions="{ action: PermissionAction.Delete, type: PermissionType.Document }" [disabled]="!userOwnsAll">
+                <i-bs name="trash"></i-bs>&nbsp;<ng-container i18n>Delete</ng-container>
+                </button>
+              </div>
+            </div>
+          </div>

src-ui/src/app/components/document-list/bulk-editor/bulk-editor.component.scss

@@ -5,7 +5,3 @@
 .dropdown-menu{
     --bs-dropdown-min-width: 12rem;
 }
-
-.btn-group .btn {
-  white-space: nowrap;
-}

src-ui/src/app/components/document-list/document-list.component.html

@@ -1,36 +1,16 @@
 <pngx-page-header [title]="getTitle()">
-  <div ngbDropdown class="btn-group flex-fill d-sm-none">
-    <button class="btn btn-sm btn-outline-primary" id="dropdownSelectMobile" ngbDropdownToggle>
+
+  <div ngbDropdown class="btn-group flex-fill">
+    <button class="btn btn-sm btn-outline-primary" id="dropdownSelect" ngbDropdownToggle>
       <i-bs name="text-indent-left"></i-bs>
       <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Select</ng-container></div>
-      @if (list.selected.size > 0) {
-        <pngx-clearable-badge [selected]="list.selected.size > 0" [number]="list.selected.size" (cleared)="list.selectNone()"></pngx-clearable-badge><span class="visually-hidden">selected</span>
-      }
     </button>
-    <div ngbDropdownMenu aria-labelledby="dropdownSelectMobile" class="shadow">
+    <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
       <button ngbDropdownItem (click)="list.selectNone()" i18n>Select none</button>
       <button ngbDropdownItem (click)="list.selectPage()" i18n>Select page</button>
       <button ngbDropdownItem (click)="list.selectAll()" i18n>Select all</button>
     </div>
   </div>
-  <div class="d-none d-sm-flex flex-fill me-3">
-    <div class="input-group input-group-sm">
-      <span class="input-group-text border-0">Select:</span>
-    </div>
-    <div class="btn-group btn-group-sm flex-nowrap">
-      @if (list.selected.size > 0) {
-        <button class="btn btn-sm btn-outline-secondary" (click)="list.selectNone()">
-          <i-bs name="slash-circle"></i-bs>&nbsp;<ng-container i18n>None</ng-container>
-        </button>
-      }
-      <button class="btn btn-sm btn-outline-primary" (click)="list.selectPage()">
-        <i-bs name="file-earmark-check"></i-bs>&nbsp;<ng-container i18n>Page</ng-container>
-      </button>
-      <button class="btn btn-sm btn-outline-primary" (click)="list.selectAll()">
-        <i-bs name="check-all"></i-bs>&nbsp;<ng-container i18n>All</ng-container>
-      </button>
-    </div>
-  </div>
   <div ngbDropdown class="btn-group flex-fill">
     <button class="btn btn-sm btn-outline-primary" id="dropdownDisplayFields" ngbDropdownToggle>
       <i-bs name="card-heading"></i-bs>
@@ -146,13 +126,8 @@
       @if (!list.isReloading && isFiltered) {
         <button class="btn btn-link py-0" (click)="resetFilters()">
           <i-bs width="1em" height="1em" name="x"></i-bs><small i18n>Reset filters</small>
-        </button>
-      }
-      @if (!list.isReloading && list.selected.size > 0) {
-        <button class="btn btn-link py-0" (click)="list.selectNone()">
-          <i-bs width="1em" height="1em" name="slash-circle" class="me-1"></i-bs><small i18n>Clear selection</small>
-        </button>
-      }
+          </button>
+        }
       </div>
       @if (list.collectionSize) {
         <ngb-pagination [pageSize]="list.pageSize" [collectionSize]="list.collectionSize" [(page)]="list.currentPage" [maxSize]="5"

src-ui/src/app/components/document-list/document-list.component.ts

@@ -56,7 +56,6 @@ import {
   filterRulesDiffer,
   isFullTextFilterRule,
 } from 'src/app/utils/filter-rules'
-import { ClearableBadgeComponent } from '../common/clearable-badge/clearable-badge.component'
 import { CustomFieldDisplayComponent } from '../common/custom-field-display/custom-field-display.component'
 import { PageHeaderComponent } from '../common/page-header/page-header.component'
 import { PreviewPopupComponent } from '../common/preview-popup/preview-popup.component'
@@ -73,7 +72,6 @@ import { SaveViewConfigDialogComponent } from './save-view-config-dialog/save-vi
   templateUrl: './document-list.component.html',
   styleUrls: ['./document-list.component.scss'],
   imports: [
-    ClearableBadgeComponent,
     CustomFieldDisplayComponent,
     PageHeaderComponent,
     BulkEditorComponent,

src-ui/src/app/services/tasks.service.spec.ts

@@ -51,7 +51,7 @@ describe('TasksService', () => {
   })
 
   it('calls acknowledge_tasks api endpoint on dismiss and reloads', () => {
-    tasksService.dismissTasks(new Set([1, 2, 3])).subscribe()
+    tasksService.dismissTasks(new Set([1, 2, 3]))
     const req = httpTestingController.expectOne(
       `${environment.apiBaseUrl}tasks/acknowledge/`
     )

src-ui/src/app/services/tasks.service.ts

@@ -1,7 +1,7 @@
 import { HttpClient } from '@angular/common/http'
 import { Injectable, inject } from '@angular/core'
 import { Observable, Subject } from 'rxjs'
-import { first, takeUntil, tap } from 'rxjs/operators'
+import { first, takeUntil } from 'rxjs/operators'
 import {
   PaperlessTask,
   PaperlessTaskName,
@@ -68,17 +68,14 @@ export class TasksService {
   }
 
   public dismissTasks(task_ids: Set<number>) {
-    return this.http
+    this.http
       .post(`${this.baseUrl}tasks/acknowledge/`, {
         tasks: [...task_ids],
       })
-      .pipe(
-        first(),
-        takeUntil(this.unsubscribeNotifer),
-        tap(() => {
-          this.reload()
-        })
-      )
+      .pipe(first())
+      .subscribe((r) => {
+        this.reload()
+      })
   }
 
   public cancelPending(): void {

src/documents/permissions.py

@@ -161,21 +161,3 @@ class PaperlessNotePermissions(BasePermission):
         perms = self.perms_map[request.method]
 
         return request.user.has_perms(perms)
-
-
-class AcknowledgeTasksPermissions(BasePermission):
-    """
-    Permissions class that checks for model permissions for acknowledging tasks.
-    """
-
-    perms_map = {
-        "POST": ["documents.change_paperlesstask"],
-    }
-
-    def has_permission(self, request, view):
-        if not request.user or not request.user.is_authenticated:  # pragma: no cover
-            return False
-
-        perms = self.perms_map.get(request.method, [])
-
-        return request.user.has_perms(perms)

src/documents/sanity_checker.py

@@ -76,9 +76,7 @@ def check_sanity(*, progress=False, scheduled=True) -> SanityCheckMessages:
     messages = SanityCheckMessages()
 
     present_files = {
-        x.resolve()
-        for x in Path(settings.MEDIA_ROOT).glob("**/*")
-        if not x.is_dir() and x.name not in settings.IGNORABLE_FILES
+        x.resolve() for x in Path(settings.MEDIA_ROOT).glob("**/*") if not x.is_dir()
     }
 
     lockfile = Path(settings.MEDIA_LOCK).resolve()

src/documents/serialisers.py

@@ -6,7 +6,6 @@ import re
 from datetime import datetime
 from decimal import Decimal
 from typing import TYPE_CHECKING
-from typing import Literal
 
 import magic
 from celery import states
@@ -253,35 +252,6 @@ class OwnedObjectSerializer(
             except KeyError:
                 pass
 
-    def _get_perms(self, obj, codename: str, target: Literal["users", "groups"]):
-        """
-        Get the given permissions from context or from django-guardian.
-
-        :param codename: The permission codename, e.g. 'view' or 'change'
-        :param target: 'users' or 'groups'
-        """
-        key = f"{target}_{codename}_perms"
-        cached = self.context.get(key, {}).get(obj.pk)
-        if cached is not None:
-            return list(cached)
-
-        # Permission not found in the context, get it from guardian
-        if target == "users":
-            return list(
-                get_users_with_perms(
-                    obj,
-                    only_with_perms_in=[f"{codename}_{obj.__class__.__name__.lower()}"],
-                    with_group_users=False,
-                ).values_list("id", flat=True),
-            )
-        else:  # groups
-            return list(
-                get_groups_with_only_permission(
-                    obj,
-                    codename=f"{codename}_{obj.__class__.__name__.lower()}",
-                ).values_list("id", flat=True),
-            )
-
     @extend_schema_field(
         field={
             "type": "object",
@@ -316,14 +286,31 @@ class OwnedObjectSerializer(
         },
     )
     def get_permissions(self, obj) -> dict:
+        view_codename = f"view_{obj.__class__.__name__.lower()}"
+        change_codename = f"change_{obj.__class__.__name__.lower()}"
+
         return {
             "view": {
-                "users": self._get_perms(obj, "view", "users"),
-                "groups": self._get_perms(obj, "view", "groups"),
+                "users": get_users_with_perms(
+                    obj,
+                    only_with_perms_in=[view_codename],
+                    with_group_users=False,
+                ).values_list("id", flat=True),
+                "groups": get_groups_with_only_permission(
+                    obj,
+                    codename=view_codename,
+                ).values_list("id", flat=True),
             },
             "change": {
-                "users": self._get_perms(obj, "change", "users"),
-                "groups": self._get_perms(obj, "change", "groups"),
+                "users": get_users_with_perms(
+                    obj,
+                    only_with_perms_in=[change_codename],
+                    with_group_users=False,
+                ).values_list("id", flat=True),
+                "groups": get_groups_with_only_permission(
+                    obj,
+                    codename=change_codename,
+                ).values_list("id", flat=True),
             },
         }
 

src/documents/tests/test_api_tasks.py

@@ -135,44 +135,6 @@ class TestTasks(DirectoriesMixin, APITestCase):
         response = self.client.get(self.ENDPOINT + "?acknowledged=false")
         self.assertEqual(len(response.data), 0)
 
-    def test_acknowledge_tasks_requires_change_permission(self):
-        """
-        GIVEN:
-            - A regular user initially without change permissions
-            - A regular user with change permissions
-        WHEN:
-            - API call is made to acknowledge tasks
-        THEN:
-            - The first user is forbidden from acknowledging tasks
-            - The second user is allowed to acknowledge tasks
-        """
-        regular_user = User.objects.create_user(username="test")
-        self.client.force_authenticate(user=regular_user)
-
-        task = PaperlessTask.objects.create(
-            task_id=str(uuid.uuid4()),
-            task_file_name="task_one.pdf",
-        )
-
-        response = self.client.post(
-            self.ENDPOINT + "acknowledge/",
-            {"tasks": [task.id]},
-        )
-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-
-        regular_user2 = User.objects.create_user(username="test2")
-        regular_user2.user_permissions.add(
-            Permission.objects.get(codename="change_paperlesstask"),
-        )
-        regular_user2.save()
-        self.client.force_authenticate(user=regular_user2)
-
-        response = self.client.post(
-            self.ENDPOINT + "acknowledge/",
-            {"tasks": [task.id]},
-        )
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
     def test_tasks_owner_aware(self):
         """
         GIVEN:

src/documents/tests/test_sanity_check.py

@@ -169,13 +169,6 @@ class TestSanityCheck(DirectoriesMixin, TestCase):
         messages = check_sanity()
         self.assertFalse(messages.has_warning)
 
-    def test_ignore_ignorable_files(self):
-        self.make_test_data()
-        Path(self.dirs.media_dir, ".DS_Store").touch()
-        Path(self.dirs.media_dir, "desktop.ini").touch()
-        messages = check_sanity()
-        self.assertFalse(messages.has_warning)
-
     def test_archive_filename_no_checksum(self):
         doc = self.make_test_data()
         doc.archive_checksum = None

src/documents/tests/test_views.py

@@ -1,23 +1,17 @@
-import json
 import tempfile
 from datetime import timedelta
 from pathlib import Path
 
 from django.conf import settings
-from django.contrib.auth.models import Group
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
-from django.db import connection
 from django.test import TestCase
 from django.test import override_settings
-from django.test.utils import CaptureQueriesContext
 from django.utils import timezone
-from guardian.shortcuts import assign_perm
 from rest_framework import status
 
 from documents.models import Document
 from documents.models import ShareLink
-from documents.models import Tag
 from documents.tests.utils import DirectoriesMixin
 from paperless.models import ApplicationConfiguration
 
@@ -160,113 +154,3 @@ class TestViews(DirectoriesMixin, TestCase):
         response.render()
         self.assertEqual(response.request["PATH_INFO"], "/accounts/login/")
         self.assertContains(response, b"Share link has expired")
-
-    def test_list_with_full_permissions(self):
-        """
-        GIVEN:
-            - Tags with different permissions
-        WHEN:
-            - Request to get tag list with full permissions is made
-        THEN:
-            - Tag list is returned with the right permission information
-        """
-        user2 = User.objects.create(username="user2")
-        user3 = User.objects.create(username="user3")
-        group1 = Group.objects.create(name="group1")
-        group2 = Group.objects.create(name="group2")
-        group3 = Group.objects.create(name="group3")
-        t1 = Tag.objects.create(name="invoice", pk=1)
-        assign_perm("view_tag", self.user, t1)
-        assign_perm("view_tag", user2, t1)
-        assign_perm("view_tag", user3, t1)
-        assign_perm("view_tag", group1, t1)
-        assign_perm("view_tag", group2, t1)
-        assign_perm("view_tag", group3, t1)
-        assign_perm("change_tag", self.user, t1)
-        assign_perm("change_tag", user2, t1)
-        assign_perm("change_tag", group1, t1)
-        assign_perm("change_tag", group2, t1)
-
-        Tag.objects.create(name="bank statement", pk=2)
-        d1 = Document.objects.create(
-            title="Invoice 1",
-            content="This is the invoice of a very expensive item",
-            checksum="A",
-        )
-        d1.tags.add(t1)
-        d2 = Document.objects.create(
-            title="Invoice 2",
-            content="Internet invoice, I should pay it to continue contributing",
-            checksum="B",
-        )
-        d2.tags.add(t1)
-
-        view_permissions = Permission.objects.filter(
-            codename__contains="view_tag",
-        )
-        self.user.user_permissions.add(*view_permissions)
-        self.user.save()
-
-        self.client.force_login(self.user)
-        response = self.client.get("/api/tags/?page=1&full_perms=true")
-        results = json.loads(response.content)["results"]
-        for tag in results:
-            if tag["name"] == "invoice":
-                assert tag["permissions"] == {
-                    "view": {
-                        "users": [self.user.pk, user2.pk, user3.pk],
-                        "groups": [group1.pk, group2.pk, group3.pk],
-                    },
-                    "change": {
-                        "users": [self.user.pk, user2.pk],
-                        "groups": [group1.pk, group2.pk],
-                    },
-                }
-            elif tag["name"] == "bank statement":
-                assert tag["permissions"] == {
-                    "view": {"users": [], "groups": []},
-                    "change": {"users": [], "groups": []},
-                }
-            else:
-                assert False, f"Unexpected tag found: {tag['name']}"
-
-    def test_list_no_n_plus_1_queries(self):
-        """
-        GIVEN:
-            - Tags with different permissions
-        WHEN:
-            - Request to get tag list with full permissions is made
-        THEN:
-            - Permissions are not queried in database tag by tag,
-             i.e. there are no N+1 queries
-        """
-        view_permissions = Permission.objects.filter(
-            codename__contains="view_tag",
-        )
-        self.user.user_permissions.add(*view_permissions)
-        self.user.save()
-        self.client.force_login(self.user)
-
-        # Start by a small list, and count the number of SQL queries
-        for i in range(2):
-            Tag.objects.create(name=f"tag_{i}")
-
-        with CaptureQueriesContext(connection) as ctx_small:
-            response_small = self.client.get("/api/tags/?full_perms=true")
-            assert response_small.status_code == 200
-        num_queries_small = len(ctx_small.captured_queries)
-
-        # Complete the list, and count the number of SQL queries again
-        for i in range(2, 50):
-            Tag.objects.create(name=f"tag_{i}")
-
-        with CaptureQueriesContext(connection) as ctx_large:
-            response_large = self.client.get("/api/tags/?full_perms=true")
-            assert response_large.status_code == 200
-        num_queries_large = len(ctx_large.captured_queries)
-
-        # A few additional queries are allowed, but not a linear explosion
-        assert num_queries_large <= num_queries_small + 5, (
-            f"Possible N+1 queries detected: {num_queries_small} queries for 2 tags, "
-            f"but {num_queries_large} queries for 50 tags"
-        )

src/documents/views.py

@@ -5,11 +5,9 @@ import platform
 import re
 import tempfile
 import zipfile
-from collections import defaultdict
 from datetime import datetime
 from pathlib import Path
 from time import mktime
-from typing import Literal
 from unicodedata import normalize
 from urllib.parse import quote
 from urllib.parse import urlparse
@@ -21,7 +19,6 @@ from celery import states
 from django.conf import settings
 from django.contrib.auth.models import Group
 from django.contrib.auth.models import User
-from django.contrib.contenttypes.models import ContentType
 from django.db import connections
 from django.db.migrations.loader import MigrationLoader
 from django.db.migrations.recorder import MigrationRecorder
@@ -59,8 +56,6 @@ from drf_spectacular.utils import OpenApiParameter
 from drf_spectacular.utils import extend_schema
 from drf_spectacular.utils import extend_schema_view
 from drf_spectacular.utils import inline_serializer
-from guardian.utils import get_group_obj_perms_model
-from guardian.utils import get_user_obj_perms_model
 from langdetect import detect
 from packaging import version as packaging_version
 from redis import Redis
@@ -136,7 +131,6 @@ from documents.models import WorkflowAction
 from documents.models import WorkflowTrigger
 from documents.parsers import get_parser_class_for_mime_type
 from documents.parsers import parse_date_generator
-from documents.permissions import AcknowledgeTasksPermissions
 from documents.permissions import PaperlessAdminPermissions
 from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
@@ -260,104 +254,7 @@ class PassUserMixin(GenericAPIView):
         return super().get_serializer(*args, **kwargs)
 
 
-class BulkPermissionMixin:
-    """
-    Prefetch Django-Guardian permissions for a list before serialization, to avoid N+1 queries.
-    """
-
-    def _get_object_perms(
-        self,
-        objects: list,
-        perm_codenames: list[str],
-        actor: Literal["users", "groups"],
-    ) -> dict[int, dict[str, list[int]]]:
-        """
-        Collect object-level permissions for either users or groups.
-        """
-        model = self.queryset.model
-        obj_perm_model = (
-            get_user_obj_perms_model(model)
-            if actor == "users"
-            else get_group_obj_perms_model(model)
-        )
-        id_field = "user_id" if actor == "users" else "group_id"
-        ctype = ContentType.objects.get_for_model(model)
-        object_pks = [obj.pk for obj in objects]
-
-        perms_qs = obj_perm_model.objects.filter(
-            content_type=ctype,
-            object_pk__in=object_pks,
-            permission__codename__in=perm_codenames,
-        ).values_list("object_pk", id_field, "permission__codename")
-
-        perms: dict[int, dict[str, list[int]]] = defaultdict(lambda: defaultdict(list))
-        for object_pk, actor_id, codename in perms_qs:
-            perms[int(object_pk)][codename].append(actor_id)
-
-        # Ensure that all objects have all codenames, even if empty
-        for pk in object_pks:
-            for codename in perm_codenames:
-                perms[pk][codename]
-
-        return perms
-
-    def get_serializer_context(self):
-        """
-        Get all permissions of the current list of objects at once and pass them to the serializer.
-        This avoid fetching permissions object by object in database.
-        """
-        context = super().get_serializer_context()
-        try:
-            full_perms = get_boolean(
-                str(self.request.query_params.get("full_perms", "false")),
-            )
-        except ValueError:
-            full_perms = False
-
-        if not full_perms:
-            return context
-
-        # Check which objects are being paginated
-        page = getattr(self, "paginator", None)
-        if page and hasattr(page, "page"):
-            queryset = page.page.object_list
-        elif hasattr(self, "page"):
-            queryset = self.page
-        else:
-            queryset = self.filter_queryset(self.get_queryset())
-
-        model_name = self.queryset.model.__name__.lower()
-        permission_name_view = f"view_{model_name}"
-        permission_name_change = f"change_{model_name}"
-
-        user_perms = self._get_object_perms(
-            objects=queryset,
-            perm_codenames=[permission_name_view, permission_name_change],
-            actor="users",
-        )
-        group_perms = self._get_object_perms(
-            objects=queryset,
-            perm_codenames=[permission_name_view, permission_name_change],
-            actor="groups",
-        )
-
-        context["users_view_perms"] = {
-            pk: user_perms[pk][permission_name_view] for pk in user_perms
-        }
-        context["users_change_perms"] = {
-            pk: user_perms[pk][permission_name_change] for pk in user_perms
-        }
-        context["groups_view_perms"] = {
-            pk: group_perms[pk][permission_name_view] for pk in group_perms
-        }
-        context["groups_change_perms"] = {
-            pk: group_perms[pk][permission_name_change] for pk in group_perms
-        }
-
-        return context
-
-
-class PermissionsAwareDocumentCountMixin(BulkPermissionMixin, PassUserMixin):
+class PermissionsAwareDocumentCountMixin(PassUserMixin):
     """
     Mixin to add document count to queryset, permissions-aware if needed
     """
@@ -2488,11 +2385,7 @@ class TasksViewSet(ReadOnlyModelViewSet):
             queryset = PaperlessTask.objects.filter(task_id=task_id)
         return queryset
 
-    @action(
-        methods=["post"],
-        detail=False,
-        permission_classes=[IsAuthenticated, AcknowledgeTasksPermissions],
-    )
+    @action(methods=["post"], detail=False)
     def acknowledge(self, request):
         serializer = AcknowledgeTasksViewSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)

src/locale/en_US/LC_MESSAGES/django.po

@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: paperless-ngx\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-30 16:50+0000\n"
+"POT-Creation-Date: 2025-09-22 18:20+0000\n"
 "PO-Revision-Date: 2022-02-17 04:17\n"
 "Last-Translator: \n"
 "Language-Team: English\n"
@@ -1191,44 +1191,44 @@ msgstr ""
 msgid "workflow runs"
 msgstr ""
 
-#: documents/serialisers.py:141
+#: documents/serialisers.py:140
 #, python-format
 msgid "Invalid regular expression: %(error)s"
 msgstr ""
 
-#: documents/serialisers.py:607
+#: documents/serialisers.py:594
 msgid "Invalid color."
 msgstr ""
 
-#: documents/serialisers.py:636
+#: documents/serialisers.py:623
 msgid "Invalid parent tag."
 msgstr ""
 
-#: documents/serialisers.py:1793
+#: documents/serialisers.py:1780
 #, python-format
 msgid "File type %(type)s not supported"
 msgstr ""
 
-#: documents/serialisers.py:1837
+#: documents/serialisers.py:1824
 #, python-format
 msgid "Custom field id must be an integer: %(id)s"
 msgstr ""
 
-#: documents/serialisers.py:1844
+#: documents/serialisers.py:1831
 #, python-format
 msgid "Custom field with id %(id)s does not exist"
 msgstr ""
 
-#: documents/serialisers.py:1861 documents/serialisers.py:1871
+#: documents/serialisers.py:1848 documents/serialisers.py:1858
 msgid ""
 "Custom fields must be a list of integers or an object mapping ids to values."
 msgstr ""
 
-#: documents/serialisers.py:1866
+#: documents/serialisers.py:1853
 msgid "Some custom fields don't exist or were specified twice."
 msgstr ""
 
-#: documents/serialisers.py:1936
+#: documents/serialisers.py:1923
 msgid "Invalid variable detected."
 msgstr ""
 

src/paperless/settings.py

@@ -1003,18 +1003,6 @@ THREADS_PER_WORKER = os.getenv(
 # Paperless Specific Settings                                                 #
 ###############################################################################
 
-IGNORABLE_FILES: Final[list[str]] = [
-    ".DS_Store",
-    ".DS_STORE",
-    "._*",
-    ".stfolder/*",
-    ".stversions/*",
-    ".localized/*",
-    "desktop.ini",
-    "@eaDir/*",
-    "Thumbs.db",
-]
-
 CONSUMER_POLLING = int(os.getenv("PAPERLESS_CONSUMER_POLLING", 0))
 
 CONSUMER_POLLING_DELAY = int(os.getenv("PAPERLESS_CONSUMER_POLLING_DELAY", 5))
@@ -1037,7 +1025,7 @@ CONSUMER_IGNORE_PATTERNS = list(
     json.loads(
         os.getenv(
             "PAPERLESS_CONSUMER_IGNORE_PATTERNS",
-            json.dumps(IGNORABLE_FILES),
+            '[".DS_Store", ".DS_STORE", "._*", ".stfolder/*", ".stversions/*", ".localized/*", "desktop.ini", "@eaDir/*", "Thumbs.db"]',
         ),
     ),
 )