Chore(deps): Bump the small-changes group across 1 directory with 7 updates

Bumps the small-changes group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [filelock](https://github.com/tox-dev/py-filelock) | `3.19.1` | `3.20.0` |
| [nltk](https://github.com/nltk/nltk) | `3.9.1` | `3.9.2` |
| [mkdocs-material](https://github.com/squidfunk/mkdocs-material) | `9.6.20` | `9.6.21` |
| [pytest-env](https://github.com/pytest-dev/pytest-env) | `1.1.5` | `1.2.0` |
| [pytest-rerunfailures](https://github.com/pytest-dev/pytest-rerunfailures) | `16.0.1` | `16.1` |
| [pre-commit-uv](https://github.com/tox-dev/pre-commit-uv) | `4.1.5` | `4.2.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.13.2` | `0.14.0` |



Updates `filelock` from 3.19.1 to 3.20.0
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](https://github.com/tox-dev/py-filelock/compare/3.19.1...3.20.0)

Updates `nltk` from 3.9.1 to 3.9.2
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](https://github.com/nltk/nltk/compare/3.9.1...3.9.2)

Updates `mkdocs-material` from 9.6.20 to 9.6.21
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.6.20...9.6.21)

Updates `pytest-env` from 1.1.5 to 1.2.0
- [Release notes](https://github.com/pytest-dev/pytest-env/releases)
- [Commits](https://github.com/pytest-dev/pytest-env/compare/1.1.5...1.2.0)

Updates `pytest-rerunfailures` from 16.0.1 to 16.1
- [Changelog](https://github.com/pytest-dev/pytest-rerunfailures/blob/master/CHANGES.rst)
- [Commits](https://github.com/pytest-dev/pytest-rerunfailures/compare/16.0.1...16.1)

Updates `pre-commit-uv` from 4.1.5 to 4.2.0
- [Release notes](https://github.com/tox-dev/pre-commit-uv/releases)
- [Commits](https://github.com/tox-dev/pre-commit-uv/compare/4.1.5...4.2.0)

Updates `ruff` from 0.13.2 to 0.14.0
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.13.2...0.14.0)

---
updated-dependencies:
- dependency-name: filelock
  dependency-version: 3.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: small-changes
- dependency-name: nltk
  dependency-version: 3.9.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: small-changes
- dependency-name: mkdocs-material
  dependency-version: 9.6.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: small-changes
- dependency-name: pytest-env
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: small-changes
- dependency-name: pytest-rerunfailures
  dependency-version: '16.1'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: small-changes
- dependency-name: pre-commit-uv
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: small-changes
- dependency-name: ruff
  dependency-version: 0.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: small-changes
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/build-and-release.yml

@@ -1,430 +0,0 @@
-name: 'Build and Release'
-on:
-  workflow_run:
-    workflows:
-      - ci
-    types:
-      - completed
-permissions:
-  contents: write
-  packages: write
-  pull-requests: write
-env:
-  DEFAULT_UV_VERSION: "0.8.x"
-  DEFAULT_PYTHON_VERSION: "3.11"
-  NLTK_DATA: "/usr/share/nltk_data"
-jobs:
-  prepare:
-    if: >-
-      github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push'
-    name: Prepare build context
-    runs-on: ubuntu-24.04
-    outputs:
-      should-build: ${{ steps.determine.outputs.should-build }}
-      ref: ${{ steps.determine.outputs.ref }}
-      ref-name: ${{ steps.determine.outputs.ref-name }}
-      sha: ${{ steps.determine.outputs.sha }}
-      is-tag: ${{ steps.determine.outputs.is-tag }}
-      is-release-target: ${{ steps.determine.outputs.is-release-target }}
-      is-beta-rc: ${{ steps.determine.outputs.is-beta-rc }}
-    steps:
-      - name: Determine ref information
-        id: determine
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const run = context.payload.workflow_run;
-            const owner = context.repo.owner;
-            const repo = context.repo.repo;
-            const sha = run.head_sha;
-            const branch = run.head_branch;
-
-            let ref = undefined;
-            let refName = undefined;
-
-            if (branch) {
-              ref = `refs/heads/${branch}`;
-              refName = branch;
-            } else {
-              const iterator = github.paginate.iterator(
-                github.rest.repos.listTags,
-                {
-                  owner,
-                  repo,
-                  per_page: 100,
-                },
-              );
-
-              for await (const { data } of iterator) {
-                const match = data.find((tag) => tag.commit?.sha === sha);
-                if (match) {
-                  ref = `refs/tags/${match.name}`;
-                  refName = match.name;
-                  break;
-                }
-              }
-            }
-
-            const outputs = {
-              shouldBuild: false,
-              ref: ref ?? '',
-              refName: refName ?? '',
-              sha,
-              isTag: ref?.startsWith('refs/tags/') ?? false,
-              isReleaseTarget: false,
-              isBetaRc: false,
-            };
-
-            if (!ref || !refName) {
-              core.info('No matching ref found for workflow run; skipping post-CI workflow.');
-            } else {
-              const allowed =
-                ref.startsWith('refs/heads/feature-') ||
-                ref.startsWith('refs/heads/fix-') ||
-                ref.startsWith('refs/heads/l10n_') ||
-                ref === 'refs/heads/dev' ||
-                ref === 'refs/heads/beta' ||
-                ref.includes('beta.rc') ||
-                ref.startsWith('refs/tags/v');
-
-              const isBetaRc = refName.includes('beta.rc');
-              const isReleaseTarget = outputs.isTag && (refName.startsWith('v') || isBetaRc);
-
-              outputs.shouldBuild = allowed;
-              outputs.isReleaseTarget = isReleaseTarget;
-              outputs.isBetaRc = isBetaRc;
-            }
-
-            core.setOutput('should-build', outputs.shouldBuild ? 'true' : 'false');
-            core.setOutput('ref', outputs.ref);
-            core.setOutput('ref-name', outputs.refName);
-            core.setOutput('sha', outputs.sha);
-            core.setOutput('is-tag', outputs.isTag ? 'true' : 'false');
-            core.setOutput('is-release-target', outputs.isReleaseTarget ? 'true' : 'false');
-            core.setOutput('is-beta-rc', outputs.isBetaRc ? 'true' : 'false');
-  build-docker-image:
-    needs: prepare
-    if: needs.prepare.outputs.should-build == 'true'
-    name: Build Docker image for ${{ needs.prepare.outputs.ref-name }}
-    runs-on: ubuntu-24.04
-    concurrency:
-      group: ${{ github.workflow }}-build-docker-image-${{ needs.prepare.outputs.ref-name || needs.prepare.outputs.sha }}
-      cancel-in-progress: true
-    env:
-      REF: ${{ needs.prepare.outputs.ref }}
-      REF_NAME: ${{ needs.prepare.outputs.ref-name }}
-      SHA: ${{ needs.prepare.outputs.sha }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-        with:
-          ref: ${{ env.SHA }}
-      - name: Check pushing to Docker Hub
-        id: push-other-places
-        env:
-          REPOSITORY_OWNER: ${{ github.repository_owner }}
-          REF_NAME: ${{ env.REF_NAME }}
-          REF: ${{ env.REF }}
-        run: |
-          if [[ "$REPOSITORY_OWNER" == "paperless-ngx" ]] && \
-             ([[ "$REF_NAME" == "dev" ]] || [[ "$REF_NAME" == "beta" ]] || [[ "$REF" == refs/tags/v* ]]); then
-            echo "Enabling DockerHub image push"
-            echo "enable=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "Not pushing to DockerHub"
-            echo "enable=false" >> "$GITHUB_OUTPUT"
-          fi
-      - name: Set ghcr repository name
-        id: set-ghcr-repository
-        run: |
-          ghcr_name=$(echo "${{ github.repository }}" | awk '{ print tolower($0) }')
-          echo "Name is ${ghcr_name}"
-          echo "ghcr-repository=${ghcr_name}" >> "$GITHUB_OUTPUT"
-      - name: Gather Docker metadata
-        id: docker-meta
-        uses: docker/metadata-action@v5
-        env:
-          GITHUB_REF: ${{ env.REF }}
-          GITHUB_REF_NAME: ${{ env.REF_NAME }}
-          GITHUB_SHA: ${{ env.SHA }}
-        with:
-          images: |
-            ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}
-            name=paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
-            name=quay.io/paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
-          tags: |
-            type=ref,event=branch
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: arm64
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to Docker Hub
-        if: steps.push-other-places.outputs.enable == 'true'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to Quay.io
-        if: steps.push-other-places.outputs.enable == 'true'
-        uses: docker/login-action@v3
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.docker-meta.outputs.tags }}
-          labels: ${{ steps.docker-meta.outputs.labels }}
-          build-args: |
-            PNGX_TAG_VERSION=${{ steps.docker-meta.outputs.version }}
-          cache-from: |
-            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ env.REF_NAME }}
-            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:dev
-          cache-to: |
-            type=registry,mode=max,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ env.REF_NAME }}
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
-      - name: Export frontend artifact from docker
-        run: |
-          docker create --name frontend-extract ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
-          docker cp frontend-extract:/usr/src/paperless/src/documents/static/frontend src/documents/static/frontend/
-      - name: Upload frontend artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: frontend-compiled
-          path: src/documents/static/frontend/
-          retention-days: 7
-  build-release:
-    needs:
-      - prepare
-      - build-docker-image
-    if: needs.prepare.outputs.should-build == 'true'
-    name: Build release bundle
-    runs-on: ubuntu-24.04
-    env:
-      REF_NAME: ${{ needs.prepare.outputs.ref-name }}
-      SHA: ${{ needs.prepare.outputs.sha }}
-      CI_RUN_ID: ${{ github.event.workflow_run.id }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-        with:
-          ref: ${{ env.SHA }}
-      - name: Set up Python
-        id: setup-python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          version: ${{ env.DEFAULT_UV_VERSION }}
-          enable-cache: true
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
-      - name: Install Python dependencies
-        run: |
-          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
-      - name: Install system dependencies
-        run: |
-          sudo apt-get update -qq
-          sudo apt-get install -qq --no-install-recommends gettext liblept5
-      - name: Download frontend artifact
-        uses: actions/download-artifact@v5
-        with:
-          name: frontend-compiled
-          path: src/documents/static/frontend/
-      - name: Download documentation artifact
-        uses: actions/download-artifact@v5
-        with:
-          name: documentation
-          path: docs/_build/html/
-          run-id: ${{ env.CI_RUN_ID }}
-      - name: Generate requirements file
-        run: |
-          uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
-      - name: Compile messages
-        run: |
-          cd src/
-          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
-            manage.py compilemessages
-      - name: Collect static files
-        run: |
-          cd src/
-          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
-            manage.py collectstatic --no-input
-      - name: Move files
-        run: |
-          echo "Making dist folders"
-          for directory in dist \
-                          dist/paperless-ngx \
-                          dist/paperless-ngx/scripts;
-          do
-            mkdir --verbose --parents ${directory}
-          done
-
-          echo "Copying basic files"
-          for file_name in .dockerignore \
-                          .env \
-                          Dockerfile \
-                          pyproject.toml \
-                          uv.lock \
-                          requirements.txt \
-                          LICENSE \
-                          README.md \
-                          paperless.conf.example
-          do
-            cp --verbose ${file_name} dist/paperless-ngx/
-          done
-          mv --verbose dist/paperless-ngx/paperless.conf.example dist/paperless-ngx/paperless.conf
-
-          echo "Copying Docker related files"
-          cp --recursive docker/ dist/paperless-ngx/docker
-
-          echo "Copying startup scripts"
-          cp --verbose scripts/*.service scripts/*.sh scripts/*.socket dist/paperless-ngx/scripts/
-
-          echo "Copying source files"
-          cp --recursive src/ dist/paperless-ngx/src
-          echo "Copying documentation"
-          cp --recursive docs/_build/html/ dist/paperless-ngx/docs
-
-          mv --verbose static dist/paperless-ngx
-      - name: Make release package
-        run: |
-          echo "Creating release archive"
-          cd dist
-          sudo chown -R 1000:1000 paperless-ngx/
-          tar -cJf paperless-ngx.tar.xz paperless-ngx/
-      - name: Upload release artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: release
-          path: dist/paperless-ngx.tar.xz
-          retention-days: 7
-  publish-release:
-    needs:
-      - prepare
-      - build-release
-    if: needs.prepare.outputs.is-release-target == 'true'
-    name: Publish release
-    runs-on: ubuntu-24.04
-    outputs:
-      prerelease: ${{ steps.get_version.outputs.prerelease }}
-      changelog: ${{ steps.create-release.outputs.body }}
-      version: ${{ steps.get_version.outputs.version }}
-    steps:
-      - name: Download release artifact
-        uses: actions/download-artifact@v5
-        with:
-          name: release
-          path: ./
-      - name: Get version
-        id: get_version
-        run: |
-          echo "version=${{ needs.prepare.outputs.ref-name }}" >> "$GITHUB_OUTPUT"
-          if [[ ${{ needs.prepare.outputs.is-beta-rc }} == 'true' ]]; then
-            echo "prerelease=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "prerelease=false" >> "$GITHUB_OUTPUT"
-          fi
-      - name: Create Release and Changelog
-        id: create-release
-        uses: release-drafter/release-drafter@v6
-        with:
-          name: Paperless-ngx ${{ steps.get_version.outputs.version }}
-          tag: ${{ steps.get_version.outputs.version }}
-          version: ${{ steps.get_version.outputs.version }}
-          prerelease: ${{ steps.get_version.outputs.prerelease }}
-          publish: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload release archive
-        id: upload-release-asset
-        uses: shogo82148/actions-upload-release-asset@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          upload_url: ${{ steps.create-release.outputs.upload_url }}
-          asset_path: ./paperless-ngx.tar.xz
-          asset_name: paperless-ngx-${{ steps.get_version.outputs.version }}.tar.xz
-          asset_content_type: application/x-xz
-  append-changelog:
-    needs:
-      - publish-release
-    if: needs.publish-release.outputs.prerelease == 'false'
-    name: Append changelog to docs
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-        with:
-          ref: main
-      - name: Set up Python
-        id: setup-python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          version: ${{ env.DEFAULT_UV_VERSION }}
-          enable-cache: true
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
-      - name: Append Changelog to docs
-        id: append-Changelog
-        working-directory: docs
-        run: |
-          git branch ${{ needs.publish-release.outputs.version }}-changelog
-          git checkout ${{ needs.publish-release.outputs.version }}-changelog
-          echo -e "# Changelog\n\n${{ needs.publish-release.outputs.changelog }}\n" > changelog-new.md
-          echo "Manually linking usernames"
-          sed -i -r 's|@([a-zA-Z0-9_]+) \(\[#|[@\1](https://github.com/\1) ([#|g' changelog-new.md
-          echo "Removing unneeded comment tags"
-          sed -i -r 's|@<!---->|@|g' changelog-new.md
-          CURRENT_CHANGELOG=`tail --lines +2 changelog.md`
-          echo -e "$CURRENT_CHANGELOG" >> changelog-new.md
-          mv changelog-new.md changelog.md
-          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
-            --dev \
-            pre-commit run --files changelog.md || true
-          git config --global user.name "github-actions"
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
-          git push origin ${{ needs.publish-release.outputs.version }}-changelog
-      - name: Create Pull Request
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const { repo, owner } = context.repo;
-            const result = await github.rest.pulls.create({
-              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
-              owner,
-              repo,
-              head: '${{ needs.publish-release.outputs.version }}-changelog',
-              base: 'main',
-              body: 'This PR is auto-generated by CI.'
-            });
-            github.rest.issues.addLabels({
-              owner,
-              repo,
-              issue_number: result.data.number,
-              labels: ['documentation', 'skip-changelog']
-            });

.github/workflows/ci.yml

@@ -17,18 +17,59 @@ env:
   DEFAULT_PYTHON_VERSION: "3.11"
   NLTK_DATA: "/usr/share/nltk_data"
 jobs:
+  detect-duplicate:
+    name: Detect Duplicate Run
+    runs-on: ubuntu-24.04
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+    steps:
+      - name: Check if workflow should run
+        id: check
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            if (context.eventName !== 'push') {
+              core.info('Not a push event; running workflow.');
+              core.setOutput('should_run', 'true');
+              return;
+            }
+
+            const ref = context.ref || '';
+            if (!ref.startsWith('refs/heads/')) {
+              core.info('Push is not to a branch; running workflow.');
+              core.setOutput('should_run', 'true');
+              return;
+            }
+
+            const branch = ref.substring('refs/heads/'.length);
+            const { owner, repo } = context.repo;
+            const prs = await github.paginate(github.rest.pulls.list, {
+              owner,
+              repo,
+              state: 'open',
+              head: `${owner}:${branch}`,
+              per_page: 100,
+            });
+
+            if (prs.length === 0) {
+              core.info(`No open PR found for ${branch}; running workflow.`);
+              core.setOutput('should_run', 'true');
+            } else {
+              core.info(`Found ${prs.length} open PR(s) for ${branch}; skipping duplicate push run.`);
+              core.setOutput('should_run', 'false');
+            }
   pre-commit:
-    # We want to run on external PRs, but not on our own internal PRs as they'll be run
-    # by the push to the branch. Without this if check, checks are duplicated since
-    # internal PRs match both the push and pull_request events.
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
+    needs:
+      - detect-duplicate
+    if: needs.detect-duplicate.outputs.should_run == 'true'
     name: Linting Checks
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
       - name: Install python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
       - name: Check files
@@ -43,7 +84,7 @@ jobs:
         uses: actions/checkout@v5
       - name: Set up Python
         id: setup-python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
       - name: Install uv
@@ -97,7 +138,7 @@ jobs:
           docker compose --file ${{ github.workspace }}/docker/compose/docker-compose.ci-test.yml up --detach
       - name: Set up Python
         id: setup-python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "${{ matrix.python-version }}"
       - name: Install uv
@@ -142,13 +183,11 @@ jobs:
         if: always()
         uses: codecov/test-results-action@v1
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
           flags: backend-python-${{ matrix.python-version }}
           files: junit.xml
       - name: Upload backend coverage to Codecov
         uses: codecov/codecov-action@v5
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
           flags: backend-python-${{ matrix.python-version }}
           files: coverage.xml
       - name: Stop containers
@@ -168,7 +207,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -201,7 +240,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -224,13 +263,11 @@ jobs:
         uses: codecov/test-results-action@v1
         if: always()
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
           flags: frontend-node-${{ matrix.node-version }}
           directory: src-ui/
       - name: Upload frontend coverage to Codecov
         uses: codecov/codecov-action@v5
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
           flags: frontend-node-${{ matrix.node-version }}
           directory: src-ui/coverage/
   tests-frontend-e2e:
@@ -251,7 +288,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -294,7 +331,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: 'pnpm'
@@ -313,3 +350,324 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         run: cd src-ui && pnpm run build --configuration=production
+  build-docker-image:
+    name: Build Docker image for ${{ github.ref_name }}
+    runs-on: ubuntu-24.04
+    if: github.event_name == 'push' && (startsWith(github.ref, 'refs/heads/feature-') || startsWith(github.ref, 'refs/heads/fix-') || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/beta' || contains(github.ref, 'beta.rc') || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/l10n_'))
+    concurrency:
+      group: ${{ github.workflow }}-build-docker-image-${{ github.ref_name }}
+      cancel-in-progress: true
+    needs:
+      - tests-backend
+      - tests-frontend
+      - tests-frontend-e2e
+    steps:
+      - name: Check pushing to Docker Hub
+        id: push-other-places
+        # Only push to Dockerhub from the main repo AND the ref is either:
+        #  main
+        #  dev
+        #  beta
+        #  a tag
+        # Otherwise forks would require a Docker Hub account and secrets setup
+        run: |
+          if [[ ${{ github.repository_owner }} == "paperless-ngx" && ( ${{ github.ref_name }} == "dev" || ${{ github.ref_name }} == "beta" || ${{ startsWith(github.ref, 'refs/tags/v') }} == "true" ) ]] ; then
+            echo "Enabling DockerHub image push"
+            echo "enable=true" >> $GITHUB_OUTPUT
+          else
+            echo "Not pushing to DockerHub"
+            echo "enable=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Set ghcr repository name
+        id: set-ghcr-repository
+        run: |
+          ghcr_name=$(echo "${{ github.repository }}" | awk '{ print tolower($0) }')
+          echo "Name is ${ghcr_name}"
+          echo "ghcr-repository=${ghcr_name}" >> $GITHUB_OUTPUT
+      - name: Gather Docker metadata
+        id: docker-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}
+            name=paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
+            name=quay.io/paperlessngx/paperless-ngx,enable=${{ steps.push-other-places.outputs.enable }}
+          tags: |
+            # Tag branches with branch name
+            type=ref,event=branch
+            # Process semver tags
+            # For a tag x.y.z or vX.Y.Z, output an x.y.z and x.y image tag
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Checkout
+        uses: actions/checkout@v5
+      # If https://github.com/docker/buildx/issues/1044 is resolved,
+      # the append input with a native arm64 arch could be used to
+      # significantly speed up building
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        # Don't attempt to login if not pushing to Docker Hub
+        if: steps.push-other-places.outputs.enable == 'true'
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to Quay.io
+        uses: docker/login-action@v3
+        # Don't attempt to login if not pushing to Quay.io
+        if: steps.push-other-places.outputs.enable == 'true'
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
+          build-args: |
+            PNGX_TAG_VERSION=${{ steps.docker-meta.outputs.version }}
+          # Get cache layers from this branch, then dev
+          # This allows new branches to get at least some cache benefits, generally from dev
+          cache-from: |
+            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }}
+            type=registry,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:dev
+          cache-to: |
+            type=registry,mode=max,ref=ghcr.io/${{ steps.set-ghcr-repository.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }}
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
+      - name: Export frontend artifact from docker
+        run: |
+          docker create --name frontend-extract ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
+          docker cp frontend-extract:/usr/src/paperless/src/documents/static/frontend src/documents/static/frontend/
+      - name: Upload frontend artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-compiled
+          path: src/documents/static/frontend/
+          retention-days: 7
+  build-release:
+    name: "Build Release"
+    needs:
+      - build-docker-image
+      - documentation
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Set up Python
+        id: setup-python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: ${{ env.DEFAULT_UV_VERSION }}
+          enable-cache: true
+          python-version: ${{ steps.setup-python.outputs.python-version }}
+      - name: Install Python dependencies
+        run: |
+          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -qq --no-install-recommends gettext liblept5
+      - name: Download frontend artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: frontend-compiled
+          path: src/documents/static/frontend/
+      - name: Download documentation artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: documentation
+          path: docs/_build/html/
+      - name: Generate requirements file
+        run: |
+          uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
+      - name: Compile messages
+        run: |
+          cd src/
+          uv run \
+            --python ${{ steps.setup-python.outputs.python-version }} \
+            manage.py compilemessages
+      - name: Collect static files
+        run: |
+          cd src/
+          uv run \
+            --python ${{ steps.setup-python.outputs.python-version }} \
+            manage.py collectstatic --no-input
+      - name: Move files
+        run: |
+          echo "Making dist folders"
+          for directory in dist \
+                          dist/paperless-ngx \
+                          dist/paperless-ngx/scripts;
+          do
+            mkdir --verbose --parents ${directory}
+          done
+
+          echo "Copying basic files"
+          for file_name in .dockerignore \
+                          .env \
+                          Dockerfile \
+                          pyproject.toml \
+                          uv.lock \
+                          requirements.txt \
+                          LICENSE \
+                          README.md \
+                          paperless.conf.example
+          do
+            cp --verbose ${file_name} dist/paperless-ngx/
+          done
+          mv --verbose dist/paperless-ngx/paperless.conf.example dist/paperless-ngx/paperless.conf
+
+          echo "Copying Docker related files"
+          cp --recursive docker/ dist/paperless-ngx/docker
+
+          echo "Copying startup scripts"
+          cp --verbose scripts/*.service scripts/*.sh scripts/*.socket dist/paperless-ngx/scripts/
+
+          echo "Copying source files"
+          cp --recursive src/ dist/paperless-ngx/src
+          echo "Copying documentation"
+          cp --recursive docs/_build/html/ dist/paperless-ngx/docs
+
+          mv --verbose static dist/paperless-ngx
+      - name: Make release package
+        run: |
+          echo "Creating release archive"
+          cd dist
+          sudo chown -R 1000:1000 paperless-ngx/
+          tar -cJf paperless-ngx.tar.xz paperless-ngx/
+      - name: Upload release artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: release
+          path: dist/paperless-ngx.tar.xz
+          retention-days: 7
+  publish-release:
+    name: "Publish Release"
+    runs-on: ubuntu-24.04
+    outputs:
+      prerelease: ${{ steps.get_version.outputs.prerelease }}
+      changelog: ${{ steps.create-release.outputs.body }}
+      version: ${{ steps.get_version.outputs.version }}
+    needs:
+      - build-release
+    if: github.ref_type == 'tag' && (startsWith(github.ref_name, 'v') || contains(github.ref_name, '-beta.rc'))
+    steps:
+      - name: Download release artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: release
+          path: ./
+      - name: Get version
+        id: get_version
+        run: |
+          echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          if [[ ${{ contains(github.ref_name, '-beta.rc') }} == 'true' ]]; then
+            echo "prerelease=true" >> $GITHUB_OUTPUT
+          else
+            echo "prerelease=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Create Release and Changelog
+        id: create-release
+        uses: release-drafter/release-drafter@v6
+        with:
+          name: Paperless-ngx ${{ steps.get_version.outputs.version }}
+          tag: ${{ steps.get_version.outputs.version }}
+          version: ${{ steps.get_version.outputs.version }}
+          prerelease: ${{ steps.get_version.outputs.prerelease }}
+          publish: true # ensures release is not marked as draft
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload release archive
+        id: upload-release-asset
+        uses: shogo82148/actions-upload-release-asset@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          upload_url: ${{ steps.create-release.outputs.upload_url }}
+          asset_path: ./paperless-ngx.tar.xz
+          asset_name: paperless-ngx-${{ steps.get_version.outputs.version }}.tar.xz
+          asset_content_type: application/x-xz
+  append-changelog:
+    name: "Append Changelog"
+    runs-on: ubuntu-24.04
+    needs:
+      - publish-release
+    if: needs.publish-release.outputs.prerelease == 'false'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: main
+      - name: Set up Python
+        id: setup-python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: ${{ env.DEFAULT_UV_VERSION }}
+          enable-cache: true
+          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+      - name: Append Changelog to docs
+        id: append-Changelog
+        working-directory: docs
+        run: |
+          git branch ${{ needs.publish-release.outputs.version }}-changelog
+          git checkout ${{ needs.publish-release.outputs.version }}-changelog
+          echo -e "# Changelog\n\n${{ needs.publish-release.outputs.changelog }}\n" > changelog-new.md
+          echo "Manually linking usernames"
+          sed -i -r 's|@([a-zA-Z0-9_]+) \(\[#|[@\1](https://github.com/\1) ([#|g' changelog-new.md
+          echo "Removing unneeded comment tags"
+          sed -i -r 's|@<!---->|@|g' changelog-new.md
+          CURRENT_CHANGELOG=`tail --lines +2 changelog.md`
+          echo -e "$CURRENT_CHANGELOG" >> changelog-new.md
+          mv changelog-new.md changelog.md
+          uv run \
+            --python ${{ steps.setup-python.outputs.python-version }} \
+            --dev \
+            pre-commit run --files changelog.md || true
+          git config --global user.name "github-actions"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
+          git push origin ${{ needs.publish-release.outputs.version }}-changelog
+      - name: Create Pull Request
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const { repo, owner } = context.repo;
+            const result = await github.rest.pulls.create({
+              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
+              owner,
+              repo,
+              head: '${{ needs.publish-release.outputs.version }}-changelog',
+              base: 'main',
+              body: 'This PR is auto-generated by CI.'
+            });
+            github.rest.issues.addLabels({
+              owner,
+              repo,
+              issue_number: result.data.number,
+              labels: ['documentation', 'skip-changelog']
+            });

.github/workflows/cleanup-tags.yml

@@ -6,10 +6,9 @@
 # This workflow will not trigger runs on forked repos.
 name: Cleanup Image Tags
 on:
-  delete:
-  push:
-    paths:
-      - ".github/workflows/cleanup-tags.yml"
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 0'
 concurrency:
   group: registry-tags-cleanup
   cancel-in-progress: false

.github/workflows/codecov-comment.yml

@@ -1,220 +0,0 @@
-name: Codecov PR Comment
-on:
-  workflow_run:
-    workflows:
-      - ci
-    types:
-      - completed
-permissions:
-  contents: read
-  pull-requests: write
-jobs:
-  comment:
-    if: >-
-      github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Gather pull request context
-        id: pr
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const run = context.payload.workflow_run;
-            if (!run.pull_requests || run.pull_requests.length === 0) {
-              core.info('No associated pull request. Skipping.');
-              return { shouldRun: false };
-            }
-
-            const pr = run.pull_requests[0];
-            return {
-              shouldRun: true,
-              prNumber: pr.number,
-              headSha: run.head_sha,
-            };
-      - name: Fetch Codecov coverage
-        id: coverage
-        if: steps.pr.outputs.shouldRun == 'true'
-        uses: actions/github-script@v7
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-          COMMIT_SHA: ${{ steps.pr.outputs.headSha }}
-        with:
-          script: |
-            const token = process.env.CODECOV_TOKEN;
-            if (!token) {
-              core.warning('CODECOV_TOKEN secret is not available; skipping comment.');
-              core.setOutput('shouldComment', 'false');
-              return;
-            }
-
-            const commitSha = process.env.COMMIT_SHA;
-            const owner = context.repo.owner;
-            const repo = context.repo.repo;
-            const url = `https://codecov.io/api/v2/github/${owner}/repos/${repo}/commits/${commitSha}/report`;
-            const maxAttempts = 10;
-            const waitMs = 15000;
-            const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-
-            let data;
-            for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-              core.info(`Fetching Codecov report (attempt ${attempt}/${maxAttempts})`);
-              const response = await fetch(url, {
-                headers: {
-                  Authorization: `Bearer ${token}`,
-                  'Content-Type': 'application/json',
-                  Accept: 'application/json',
-                },
-              });
-
-              if (response.status === 404) {
-                core.info('Report not ready yet (404). Waiting before retrying.');
-                await sleep(waitMs);
-                continue;
-              }
-
-              if (!response.ok) {
-                const text = await response.text();
-                throw new Error(`Codecov API returned ${response.status}: ${text}`);
-              }
-
-              data = await response.json();
-              if (data && Object.keys(data).length > 0) {
-                break;
-              }
-
-              core.info('Report payload empty. Waiting before retrying.');
-              await sleep(waitMs);
-            }
-
-            if (!data) {
-              core.warning('Unable to retrieve Codecov report after multiple attempts.');
-              core.setOutput('shouldComment', 'false');
-              return;
-            }
-
-            const totals = data.report?.totals ?? data.commit?.totals ?? data.totals;
-            if (!totals) {
-              core.warning('Codecov response does not contain coverage totals.');
-              core.setOutput('shouldComment', 'false');
-              return;
-            }
-
-            const compareTotals = data.report?.compare?.totals ?? data.compare?.totals;
-            const flagsRaw = data.report?.totals_by_flag ?? data.report?.components ?? [];
-
-            const toNumber = (value) => {
-              if (value === null || value === undefined || value === '') {
-                return undefined;
-              }
-              const num = Number(value);
-              return Number.isFinite(num) ? num : undefined;
-            };
-
-            const coverage = toNumber(totals.coverage);
-            const baseCoverage = toNumber(compareTotals?.base_coverage ?? compareTotals?.base);
-            const delta = toNumber(
-              compareTotals?.coverage_change ??
-              compareTotals?.coverage_diff ??
-              totals.delta ??
-              totals.diff ??
-              totals.change,
-            );
-
-            const formatPercent = (value) => {
-              if (value === undefined) return '—';
-              return `${value.toFixed(2)}%`;
-            };
-
-            const formatDelta = (value) => {
-              if (value === undefined) return '—';
-              const sign = value >= 0 ? '+' : '';
-              return `${sign}${value.toFixed(2)}%`;
-            };
-
-            const shortSha = commitSha.slice(0, 7);
-            const lines = [
-              '<!-- codecov-coverage-comment -->',
-              '**Codecov Coverage**',
-              '',
-              `- Head \`${shortSha}\`: ${formatPercent(coverage)}`,
-            ];
-
-            if (baseCoverage !== undefined) {
-              lines.push(`- Base: ${formatPercent(baseCoverage)}`);
-            }
-
-            if (delta !== undefined) {
-              lines.push(`- Change: ${formatDelta(delta)}`);
-            }
-
-            const flagEntries = Array.isArray(flagsRaw)
-              ? flagsRaw
-              : Object.entries(flagsRaw).map(([name, totals]) => ({ name, totals }));
-
-            const flagRows = [];
-            for (const entry of flagEntries) {
-              const label = entry.flag ?? entry.name ?? entry.component ?? entry.id;
-              const entryTotals = entry.totals ?? entry;
-              const entryCoverage = toNumber(entryTotals?.coverage);
-              const entryDelta = toNumber(
-                entryTotals?.coverage_change ??
-                entryTotals?.coverage_diff ??
-                entryTotals?.delta ??
-                entryTotals?.diff,
-              );
-              if (!label || entryCoverage === undefined) {
-                continue;
-              }
-              flagRows.push(`| ${label} | ${formatPercent(entryCoverage)} | ${formatDelta(entryDelta)} |`);
-            }
-
-            if (flagRows.length) {
-              lines.push('');
-              lines.push('| Flag | Coverage | Change |');
-              lines.push('| --- | --- | --- |');
-              lines.push(...flagRows);
-            }
-
-            const commentBody = lines.join('\n');
-            const shouldComment = coverage !== undefined;
-            core.setOutput('shouldComment', shouldComment ? 'true' : 'false');
-            if (shouldComment) {
-              core.setOutput('commentBody', commentBody);
-            }
-      - name: Upsert coverage comment
-        if: steps.pr.outputs.shouldRun == 'true' && steps.coverage.outputs.shouldComment == 'true'
-        uses: actions/github-script@v7
-        env:
-          PR_NUMBER: ${{ steps.pr.outputs.prNumber }}
-          COMMENT_BODY: ${{ steps.coverage.outputs.commentBody }}
-        with:
-          script: |
-            const prNumber = Number(process.env.PR_NUMBER);
-            const body = process.env.COMMENT_BODY;
-            const marker = '<!-- codecov-coverage-comment -->';
-
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: prNumber,
-              per_page: 100,
-            });
-
-            const existing = comments.find((comment) => comment.body?.includes(marker));
-            if (existing) {
-              core.info(`Updating existing coverage comment (id: ${existing.id}).`);
-              await github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: existing.id,
-                body,
-              });
-            } else {
-              core.info('Creating new coverage comment.');
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: prNumber,
-                body,
-              });
-            }

.github/workflows/pr-bot.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: Label PR by file path or branch name
         # see .github/labeler.yml for the labeler config
-        uses: actions/labeler@v5
+        uses: actions/labeler@v6
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Label by size
@@ -26,7 +26,7 @@ jobs:
           fail_if_xl: 'false'
           excluded_files: /\.lock$/ /\.txt$/ ^src-ui/pnpm-lock\.yaml$ ^src-ui/messages\.xlf$ ^src/locale/en_US/LC_MESSAGES/django\.po$
       - name: Label by PR title
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const pr = context.payload.pull_request;
@@ -52,7 +52,7 @@ jobs:
             }
       - name: Label bot-generated PRs
         if: ${{ contains(github.actor, 'dependabot') || contains(github.actor, 'crowdin-bot') }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const pr = context.payload.pull_request;
@@ -77,7 +77,7 @@ jobs:
             }
       - name: Welcome comment
         if: ${{ !contains(github.actor, 'bot') }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const pr = context.payload.pull_request;

.github/workflows/repo-maintenance.yml

@@ -15,7 +15,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           days-before-stale: 7
           days-before-close: 14
@@ -57,7 +57,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v8
         with:
           script: |
             function sleep(ms) {
@@ -114,7 +114,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v8
         with:
           script: |
             function sleep(ms) {
@@ -206,7 +206,7 @@ jobs:
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v8
         with:
           script: |
             function sleep(ms) {

.github/workflows/translate-strings.yml

@@ -17,7 +17,7 @@ jobs:
           ref: ${{ github.head_ref }}
       - name: Set up Python
         id: setup-python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
       - name: Install system dependencies
         run: |
           sudo apt-get update -qq
@@ -38,7 +38,7 @@ jobs:
         with:
           version: 10
       - name: Use Node.js 20
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: 'pnpm'

.pre-commit-config.yaml

@@ -49,7 +49,7 @@ repos:
           - 'prettier-plugin-organize-imports@4.1.0'
   # Python hooks
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.13.0
+    rev: v0.13.2
     hooks:
       - id: ruff-check
       - id: ruff-format
@@ -59,7 +59,7 @@ repos:
       - id: pyproject-fmt
   # Dockerfile hooks
   - repo: https://github.com/AleksaC/hadolint-py
-    rev: v2.12.1b3
+    rev: v2.14.0
     hooks:
       - id: hadolint
   # Shell script hooks

Dockerfile

@@ -32,7 +32,7 @@ RUN set -eux \
 # Purpose: Installs s6-overlay and rootfs
 # Comments:
 #  - Don't leave anything extra in here either
-FROM ghcr.io/astral-sh/uv:0.8.17-python3.12-bookworm-slim AS s6-overlay-base
+FROM ghcr.io/astral-sh/uv:0.8.22-python3.12-bookworm-slim AS s6-overlay-base
 
 WORKDIR /usr/src/s6
 

docker/compose/docker-compose.portainer.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redisdata:/data
   db:
-    image: docker.io/library/postgres:17
+    image: docker.io/library/postgres:18
     restart: unless-stopped
     volumes:
       - pgdata:/var/lib/postgresql/data

docker/compose/docker-compose.postgres-tika.yml

@@ -35,7 +35,7 @@ services:
     volumes:
       - redisdata:/data
   db:
-    image: docker.io/library/postgres:17
+    image: docker.io/library/postgres:18
     restart: unless-stopped
     volumes:
       - pgdata:/var/lib/postgresql/data

docker/compose/docker-compose.postgres.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redisdata:/data
   db:
-    image: docker.io/library/postgres:17
+    image: docker.io/library/postgres:18
     restart: unless-stopped
     volumes:
       - pgdata:/var/lib/postgresql/data

docs/configuration.md

@@ -170,11 +170,11 @@ Available options are `postgresql` and `mariadb`.
 
     !!! note
 
-    A small pool is typically sufficient — for example, a size of 4.
-    Make sure your PostgreSQL server's max_connections setting is large enough to handle:
-    ```(Paperless workers + Celery workers) × pool size + safety margin```
-    For example, with 4 Paperless workers and 2 Celery workers, and a pool size of 4:
-    (4 + 2) × 4 + 10 = 34 connections required.
+        A small pool is typically sufficient — for example, a size of 4.
+        Make sure your PostgreSQL server's max_connections setting is large enough to handle:
+        ```(Paperless workers + Celery workers) × pool size + safety margin```
+        For example, with 4 Paperless workers and 2 Celery workers, and a pool size of 4:
+        (4 + 2) × 4 + 10 = 34 connections required.
 
 #### [`PAPERLESS_DB_READ_CACHE_ENABLED=<bool>`](#PAPERLESS_DB_READ_CACHE_ENABLED) {#PAPERLESS_DB_READ_CACHE_ENABLED}
 
@@ -184,9 +184,9 @@ Available options are `postgresql` and `mariadb`.
 
     !!! danger
 
-    **Do not modify the database outside the application while it is running.**
-    This includes actions such as restoring a backup, upgrading the database, or performing manual inserts. All external modifications must be done **only when the application is stopped**.
-    After making any such changes, you **must invalidate the DB read cache** using the `invalidate_cachalot` management command.
+        **Do not modify the database outside the application while it is running.**
+        This includes actions such as restoring a backup, upgrading the database, or performing manual inserts. All external modifications must be done **only when the application is stopped**.
+        After making any such changes, you **must invalidate the DB read cache** using the `invalidate_cachalot` management command.
 
 #### [`PAPERLESS_READ_CACHE_TTL=<int>`](#PAPERLESS_READ_CACHE_TTL) {#PAPERLESS_READ_CACHE_TTL}
 
@@ -196,7 +196,7 @@ Available options are `postgresql` and `mariadb`.
 
     !!! warning
 
-    A high TTL increases memory usage over time. Memory may be used until end of TTL, even if the cache is invalidated with the `invalidate_cachalot` command.
+        A high TTL increases memory usage over time. Memory may be used until end of TTL, even if the cache is invalidated with the `invalidate_cachalot` command.
 
 In case of an out-of-memory (OOM) situation, Redis may stop accepting new data — including cache entries, scheduled tasks, and documents to consume.
 If your system has limited RAM, consider configuring a dedicated Redis instance for the read cache, with a memory limit and the eviction policy set to `allkeys-lru`.

docs/usage.md

@@ -414,7 +414,7 @@ fields and permissions, which will be merged.
 
 #### Types {#workflow-trigger-types}
 
-Currently, there are three events that correspond to workflow trigger 'types':
+Currently, there are four events that correspond to workflow trigger 'types':
 
 1. **Consumption Started**: _before_ a document is consumed, so events can include filters by source (mail, consumption
    folder or API), file path, file name, mail rule
@@ -427,7 +427,7 @@ Currently, there are three events that correspond to workflow trigger 'types':
    added, created, updated date or you can specify a (date) custom field. You can also specify a day offset from the date (positive
    offsets will trigger after the date, negative offsets will trigger before).
 
-The following flow diagram illustrates the three document trigger types:
+The following flow diagram illustrates the four document trigger types:
 
 ```mermaid
 flowchart TD
@@ -637,7 +637,7 @@ When you first delete a document it is moved to the 'trash' until either it is e
 You can set how long documents remain in the trash before being automatically deleted with [`PAPERLESS_EMPTY_TRASH_DELAY`](configuration.md#PAPERLESS_EMPTY_TRASH_DELAY), which defaults
 to 30 days. Until the file is actually deleted (e.g. the trash is emptied), all files and database content remains intact and can be restored at any point up until that time.
 
-Additionally you may configure a directory where deleted files are moved to when they the trash is emptied with [`PAPERLESS_EMPTY_TRASH_DIR`](configuration.md#PAPERLESS_EMPTY_TRASH_DIR).
+Additionally you may configure a directory where deleted files are moved to when the trash is emptied with [`PAPERLESS_EMPTY_TRASH_DIR`](configuration.md#PAPERLESS_EMPTY_TRASH_DIR).
 Note that the empty trash directory only stores the original file, the archive file and all database information is permanently removed once a document is fully deleted.
 
 ## Best practices {#basic-searching}

pyproject.toml

@@ -30,10 +30,10 @@ dependencies = [
   "django-cachalot~=2.8.0",
   "django-celery-results~=2.6.0",
   "django-compression-middleware~=0.5.0",
-  "django-cors-headers~=4.8.0",
+  "django-cors-headers~=4.9.0",
   "django-extensions~=4.1",
   "django-filter~=25.1",
-  "django-guardian~=3.1.2",
+  "django-guardian~=3.2.0",
   "django-multiselectfield~=1.0.1",
   "django-soft-delete~=1.0.18",
   "django-treenode>=0.23.2",
@@ -42,7 +42,7 @@ dependencies = [
   "drf-spectacular~=0.28",
   "drf-spectacular-sidecar~=2025.9.1",
   "drf-writable-nested~=0.7.1",
-  "filelock~=3.19.1",
+  "filelock~=3.20.0",
   "flower~=2.0.1",
   "gotenberg-client~=0.11.0",
   "httpx-oauth~=0.16",
@@ -54,7 +54,6 @@ dependencies = [
   "ocrmypdf~=16.11.0",
   "pathvalidate~=3.3.1",
   "pdf2image~=1.17.0",
-  "psycopg-pool",
   "python-dateutil~=2.9.0",
   "python-dotenv~=1.1.0",
   "python-gnupg~=0.5.4",
@@ -116,8 +115,8 @@ testing = [
 
 lint = [
   "pre-commit~=4.3.0",
-  "pre-commit-uv~=4.1.3",
-  "ruff~=0.13.0",
+  "pre-commit-uv~=4.2.0",
+  "ruff~=0.14.0",
 ]
 
 typing = [

src-ui/e2e/document-list/document-list.spec.ts

@@ -174,7 +174,7 @@ test('bulk edit', async ({ page }) => {
   await expect(page.locator('pngx-document-list')).toHaveText(
     /Selected 61 of 61 documents/i
   )
-  await page.getByRole('button', { name: 'Cancel' }).click()
+  await page.getByRole('button', { name: 'None' }).click()
 
   await page.locator('pngx-document-card-small').nth(1).click()
   await page.locator('pngx-document-card-small').nth(2).click()

src-ui/package.json

@@ -11,17 +11,17 @@
   },
   "private": true,
   "dependencies": {
-    "@angular/cdk": "^20.2.2",
-    "@angular/common": "~20.2.4",
-    "@angular/compiler": "~20.2.4",
-    "@angular/core": "~20.2.4",
-    "@angular/forms": "~20.2.4",
-    "@angular/localize": "~20.2.4",
-    "@angular/platform-browser": "~20.2.4",
-    "@angular/platform-browser-dynamic": "~20.2.4",
-    "@angular/router": "~20.2.4",
+    "@angular/cdk": "^20.2.6",
+    "@angular/common": "~20.3.2",
+    "@angular/compiler": "~20.3.2",
+    "@angular/core": "~20.3.2",
+    "@angular/forms": "~20.3.2",
+    "@angular/localize": "~20.3.2",
+    "@angular/platform-browser": "~20.3.2",
+    "@angular/platform-browser-dynamic": "~20.3.2",
+    "@angular/router": "~20.3.2",
     "@ng-bootstrap/ng-bootstrap": "^19.0.1",
-    "@ng-select/ng-select": "^20.1.3",
+    "@ng-select/ng-select": "^20.2.2",
     "@ngneat/dirty-check-forms": "^3.0.3",
     "@popperjs/core": "^2.11.8",
     "bootstrap": "^5.3.8",
@@ -29,47 +29,48 @@
     "mime-names": "^1.0.0",
     "ng2-pdf-viewer": "^10.4.0",
     "ngx-bootstrap-icons": "^1.9.3",
-    "ngx-color": "^10.0.0",
+    "ngx-color": "^10.1.0",
     "ngx-cookie-service": "^20.1.0",
     "ngx-device-detector": "^10.1.0",
     "ngx-ui-tour-ng-bootstrap": "^17.0.1",
     "rxjs": "^7.8.2",
     "tslib": "^2.8.1",
     "utif": "^3.1.0",
-    "uuid": "^11.1.0",
+    "uuid": "^13.0.0",
     "zone.js": "^0.15.1"
   },
   "devDependencies": {
     "@angular-builders/custom-webpack": "^20.0.0",
     "@angular-builders/jest": "^20.0.0",
-    "@angular-devkit/core": "^20.2.2",
-    "@angular-devkit/schematics": "^20.2.2",
-    "@angular-eslint/builder": "20.2.0",
-    "@angular-eslint/eslint-plugin": "20.2.0",
-    "@angular-eslint/eslint-plugin-template": "20.2.0",
-    "@angular-eslint/schematics": "20.2.0",
-    "@angular-eslint/template-parser": "20.2.0",
-    "@angular/build": "^20.2.2",
-    "@angular/cli": "~20.2.2",
-    "@angular/compiler-cli": "~20.2.4",
+    "@angular-devkit/core": "^20.3.3",
+    "@angular-devkit/schematics": "^20.3.3",
+    "@angular-eslint/builder": "20.3.0",
+    "@angular-eslint/eslint-plugin": "20.3.0",
+    "@angular-eslint/eslint-plugin-template": "20.3.0",
+    "@angular-eslint/schematics": "20.3.0",
+    "@angular-eslint/template-parser": "20.3.0",
+    "@angular/build": "^20.3.3",
+    "@angular/cli": "~20.3.3",
+    "@angular/compiler-cli": "~20.3.2",
     "@codecov/webpack-plugin": "^1.9.1",
-    "@playwright/test": "^1.55.0",
+    "@playwright/test": "^1.55.1",
     "@types/jest": "^30.0.0",
-    "@types/node": "^24.3.0",
-    "@typescript-eslint/eslint-plugin": "^8.41.0",
-    "@typescript-eslint/parser": "^8.41.0",
-    "@typescript-eslint/utils": "^8.41.0",
-    "eslint": "^9.34.0",
-    "jest": "30.1.3",
-    "jest-environment-jsdom": "^30.1.2",
+    "@types/node": "^24.6.1",
+    "@typescript-eslint/eslint-plugin": "^8.45.0",
+    "@typescript-eslint/parser": "^8.45.0",
+    "@typescript-eslint/utils": "^8.45.0",
+    "eslint": "^9.36.0",
+    "jest": "30.2.0",
+    "jest-environment-jsdom": "^30.2.0",
     "jest-junit": "^16.0.0",
-    "jest-preset-angular": "^15.0.0",
+    "jest-preset-angular": "^15.0.2",
     "jest-websocket-mock": "^2.5.0",
-    "prettier-plugin-organize-imports": "^4.2.0",
+    "prettier-plugin-organize-imports": "^4.3.0",
     "ts-node": "~10.9.1",
     "typescript": "^5.8.3",
-    "webpack": "^5.101.3"
+    "webpack": "^5.102.0"
   },
+  "packageManager": "pnpm@10.17.1",
   "pnpm": {
     "onlyBuiltDependencies": [
       "@parcel/watcher",

src-ui/setup-jest.ts

@@ -145,4 +145,14 @@ HTMLCanvasElement.prototype.getContext = <
   typeof HTMLCanvasElement.prototype.getContext
 >jest.fn()
 
+jest.mock('uuid', () => ({
+  v4: jest.fn(() =>
+    'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (char: string) => {
+      const random = Math.floor(Math.random() * 16)
+      const value = char === 'x' ? random : (random & 0x3) | 0x8
+      return value.toString(16)
+    })
+  ),
+}))
+
 jest.mock('pdfjs-dist')

src-ui/src/app/components/admin/tasks/tasks.component.spec.ts

@@ -16,6 +16,7 @@ import {
   NgbNavItem,
 } from '@ng-bootstrap/ng-bootstrap'
 import { allIcons, NgxBootstrapIconsModule } from 'ngx-bootstrap-icons'
+import { throwError } from 'rxjs'
 import { routes } from 'src/app/app-routing.module'
 import {
   PaperlessTask,
@@ -28,6 +29,7 @@ import { PermissionsGuard } from 'src/app/guards/permissions.guard'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
 import { PermissionsService } from 'src/app/services/permissions.service'
 import { TasksService } from 'src/app/services/tasks.service'
+import { ToastService } from 'src/app/services/toast.service'
 import { environment } from 'src/environments/environment'
 import { ConfirmDialogComponent } from '../../common/confirm-dialog/confirm-dialog.component'
 import { PageHeaderComponent } from '../../common/page-header/page-header.component'
@@ -123,6 +125,7 @@ describe('TasksComponent', () => {
   let router: Router
   let httpTestingController: HttpTestingController
   let reloadSpy
+  let toastService: ToastService
 
   beforeEach(async () => {
     TestBed.configureTestingModule({
@@ -157,6 +160,7 @@ describe('TasksComponent', () => {
     httpTestingController = TestBed.inject(HttpTestingController)
     modalService = TestBed.inject(NgbModal)
     router = TestBed.inject(Router)
+    toastService = TestBed.inject(ToastService)
     fixture = TestBed.createComponent(TasksComponent)
     component = fixture.componentInstance
     jest.useFakeTimers()
@@ -249,6 +253,42 @@ describe('TasksComponent', () => {
     expect(dismissSpy).toHaveBeenCalledWith(selected)
   })
 
+  it('should show an error and re-enable modal buttons when dismissing multiple tasks fails', () => {
+    component.selectedTasks = new Set([tasks[0].id, tasks[1].id])
+    const error = new Error('dismiss failed')
+    const toastSpy = jest.spyOn(toastService, 'showError')
+    const dismissSpy = jest
+      .spyOn(tasksService, 'dismissTasks')
+      .mockReturnValue(throwError(() => error))
+
+    let modal: NgbModalRef
+    modalService.activeInstances.subscribe((m) => (modal = m[m.length - 1]))
+
+    component.dismissTasks()
+    expect(modal).not.toBeUndefined()
+
+    modal.componentInstance.confirmClicked.emit()
+
+    expect(dismissSpy).toHaveBeenCalledWith(new Set([tasks[0].id, tasks[1].id]))
+    expect(toastSpy).toHaveBeenCalledWith('Error dismissing tasks', error)
+    expect(modal.componentInstance.buttonsEnabled).toBe(true)
+    expect(component.selectedTasks.size).toBe(0)
+  })
+
+  it('should show an error when dismissing a single task fails', () => {
+    const error = new Error('dismiss failed')
+    const toastSpy = jest.spyOn(toastService, 'showError')
+    const dismissSpy = jest
+      .spyOn(tasksService, 'dismissTasks')
+      .mockReturnValue(throwError(() => error))
+
+    component.dismissTask(tasks[0])
+
+    expect(dismissSpy).toHaveBeenCalledWith(new Set([tasks[0].id]))
+    expect(toastSpy).toHaveBeenCalledWith('Error dismissing task', error)
+    expect(component.selectedTasks.size).toBe(0)
+  })
+
   it('should support dismiss all tasks', () => {
     let modal: NgbModalRef
     modalService.activeInstances.subscribe((m) => (modal = m[m.length - 1]))

src-ui/src/app/components/admin/tasks/tasks.component.ts

@@ -24,6 +24,7 @@ import { PaperlessTask } from 'src/app/data/paperless-task'
 import { IfPermissionsDirective } from 'src/app/directives/if-permissions.directive'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
 import { TasksService } from 'src/app/services/tasks.service'
+import { ToastService } from 'src/app/services/toast.service'
 import { ConfirmDialogComponent } from '../../common/confirm-dialog/confirm-dialog.component'
 import { PageHeaderComponent } from '../../common/page-header/page-header.component'
 import { LoadingComponentWithPermissions } from '../../loading-component/loading.component'
@@ -72,6 +73,7 @@ export class TasksComponent
   tasksService = inject(TasksService)
   private modalService = inject(NgbModal)
   private readonly router = inject(Router)
+  private readonly toastService = inject(ToastService)
 
   public activeTab: TaskTab
   public selectedTasks: Set<number> = new Set()
@@ -154,11 +156,19 @@ export class TasksComponent
       modal.componentInstance.confirmClicked.pipe(first()).subscribe(() => {
         modal.componentInstance.buttonsEnabled = false
         modal.close()
-        this.tasksService.dismissTasks(tasks)
+        this.tasksService.dismissTasks(tasks).subscribe({
+          error: (e) => {
+            this.toastService.showError($localize`Error dismissing tasks`, e)
+            modal.componentInstance.buttonsEnabled = true
+          },
+        })
         this.clearSelection()
       })
     } else {
-      this.tasksService.dismissTasks(tasks)
+      this.tasksService.dismissTasks(tasks).subscribe({
+        error: (e) =>
+          this.toastService.showError($localize`Error dismissing task`, e),
+      })
       this.clearSelection()
     }
   }

src-ui/src/app/components/common/custom-fields-query-dropdown/custom-fields-query-dropdown.component.scss

@@ -41,9 +41,3 @@
     min-width: 140px;
   }
 }
-
-.btn-group-xs {
-  > .btn {
-    border-radius: 0.15rem;
-  }
-}

src-ui/src/app/components/common/edit-dialog/custom-field-edit-dialog/custom-field-edit-dialog.component.ts

@@ -177,10 +177,16 @@ export class CustomFieldEditDialogComponent
   }
 
   public removeSelectOption(index: number) {
-    this.selectOptions.removeAt(index)
-    this._allSelectOptions.splice(
-      index + (this.selectOptionsPage - 1) * SELECT_OPTION_PAGE_SIZE,
-      1
+    const globalIndex =
+      index + (this.selectOptionsPage - 1) * SELECT_OPTION_PAGE_SIZE
+    this._allSelectOptions.splice(globalIndex, 1)
+
+    const totalPages = Math.max(
+      1,
+      Math.ceil(this._allSelectOptions.length / SELECT_OPTION_PAGE_SIZE)
     )
+    const targetPage = Math.min(this.selectOptionsPage, totalPages)
+
+    this.selectOptionsPage = targetPage
   }
 }

src-ui/src/app/components/common/email-document-dialog/email-document-dialog.component.html

@@ -1,5 +1,9 @@
 <div class="modal-header">
-    <h4 class="modal-title" id="modal-basic-title">{{title}}</h4>
+    <h4 class="modal-title" id="modal-basic-title" i18n>{
+      documentIds.length,
+      plural,
+      =1 {Email Document} other {Email {{documentIds.length}} Documents}
+    }</h4>
     <button type="button" class="btn-close" aria-label="Close" (click)="close()"></button>
 </div>
 <div class="modal-body">
@@ -22,11 +26,14 @@
             <input class="form-check-input mt-0 me-2" type="checkbox" role="switch" id="useArchiveVersion" [disabled]="!hasArchiveVersion" [(ngModel)]="useArchiveVersion">
             <label class="form-check-label w-100 text-start" for="useArchiveVersion" i18n>Use archive version</label>
         </div>
-        <button type="submit" class="btn btn-outline-primary" (click)="emailDocument()" [disabled]="loading || emailAddress.length === 0 || emailMessage.length === 0 || emailSubject.length === 0">
+        <button type="submit" class="btn btn-outline-primary" (click)="emailDocuments()" [disabled]="loading || emailAddress.length === 0 || emailMessage.length === 0 || emailSubject.length === 0">
             @if (loading) {
                 <div class="spinner-border spinner-border-sm me-2" role="status"></div>
             }
             <ng-container i18n>Send email</ng-container>
         </button>
     </div>
+    <div class="text-light fst-italic small mt-2">
+        <ng-container i18n>Some email servers may reject messages with large attachments.</ng-container>
+    </div>
 </div>

src-ui/src/app/components/common/email-document-dialog/email-document-dialog.component.spec.ts

@@ -36,31 +36,59 @@ describe('EmailDocumentDialogComponent', () => {
     documentService = TestBed.inject(DocumentService)
     toastService = TestBed.inject(ToastService)
     component = fixture.componentInstance
+    component.documentIds = [1]
     fixture.detectChanges()
   })
 
   it('should set hasArchiveVersion and useArchiveVersion', () => {
     expect(component.hasArchiveVersion).toBeTruthy()
+    expect(component.useArchiveVersion).toBeTruthy()
+
     component.hasArchiveVersion = false
     expect(component.hasArchiveVersion).toBeFalsy()
     expect(component.useArchiveVersion).toBeFalsy()
   })
 
-  it('should support sending document via email, showing error if needed', () => {
+  it('should support sending single document via email, showing error if needed', () => {
     const toastErrorSpy = jest.spyOn(toastService, 'showError')
     const toastSuccessSpy = jest.spyOn(toastService, 'showInfo')
+    component.documentIds = [1]
     component.emailAddress = 'hello@paperless-ngx.com'
     component.emailSubject = 'Hello'
     component.emailMessage = 'World'
     jest
-      .spyOn(documentService, 'emailDocument')
+      .spyOn(documentService, 'emailDocuments')
       .mockReturnValue(throwError(() => new Error('Unable to email document')))
-    component.emailDocument()
-    expect(toastErrorSpy).toHaveBeenCalled()
+    component.emailDocuments()
+    expect(toastErrorSpy).toHaveBeenCalledWith(
+      'Error emailing document',
+      expect.any(Error)
+    )
 
-    jest.spyOn(documentService, 'emailDocument').mockReturnValue(of(true))
-    component.emailDocument()
-    expect(toastSuccessSpy).toHaveBeenCalled()
+    jest.spyOn(documentService, 'emailDocuments').mockReturnValue(of(true))
+    component.emailDocuments()
+    expect(toastSuccessSpy).toHaveBeenCalledWith('Email sent')
+  })
+
+  it('should support sending multiple documents via email, showing appropriate messages', () => {
+    const toastErrorSpy = jest.spyOn(toastService, 'showError')
+    const toastSuccessSpy = jest.spyOn(toastService, 'showInfo')
+    component.documentIds = [1, 2, 3]
+    component.emailAddress = 'hello@paperless-ngx.com'
+    component.emailSubject = 'Hello'
+    component.emailMessage = 'World'
+    jest
+      .spyOn(documentService, 'emailDocuments')
+      .mockReturnValue(throwError(() => new Error('Unable to email documents')))
+    component.emailDocuments()
+    expect(toastErrorSpy).toHaveBeenCalledWith(
+      'Error emailing documents',
+      expect.any(Error)
+    )
+
+    jest.spyOn(documentService, 'emailDocuments').mockReturnValue(of(true))
+    component.emailDocuments()
+    expect(toastSuccessSpy).toHaveBeenCalledWith('Email sent')
   })
 
   it('should close the dialog', () => {

src-ui/src/app/components/common/email-document-dialog/email-document-dialog.component.ts

@@ -18,10 +18,7 @@ export class EmailDocumentDialogComponent extends LoadingComponentWithPermission
   private toastService = inject(ToastService)
 
   @Input()
-  title = $localize`Email Document`
-
-  @Input()
-  documentId: number
+  documentIds: number[]
 
   private _hasArchiveVersion: boolean = true
 
@@ -46,11 +43,11 @@ export class EmailDocumentDialogComponent extends LoadingComponentWithPermission
     this.loading = false
   }
 
-  public emailDocument() {
+  public emailDocuments() {
     this.loading = true
     this.documentService
-      .emailDocument(
-        this.documentId,
+      .emailDocuments(
+        this.documentIds,
         this.emailAddress,
         this.emailSubject,
         this.emailMessage,
@@ -67,7 +64,11 @@ export class EmailDocumentDialogComponent extends LoadingComponentWithPermission
         },
         error: (e) => {
           this.loading = false
-          this.toastService.showError($localize`Error emailing document`, e)
+          const errorMessage =
+            this.documentIds.length > 1
+              ? $localize`Error emailing documents`
+              : $localize`Error emailing document`
+          this.toastService.showError(errorMessage, e)
         },
       })
   }

src-ui/src/app/components/common/input/color/color.component.html

@@ -1,19 +1,18 @@
 <div class="mb-3">
   @if (title) {
-    <label [for]="inputId">{{title}}</label>
+    <label class="form-label" [for]="inputId">{{title}}</label>
   }
 
   <div class="input-group" [class.is-invalid]="error">
-    <span class="input-group-text" [style.background-color]="value">&nbsp;&nbsp;&nbsp;</span>
+    <button type="button" class="input-group-text" [style.background-color]="value" (click)="colorPicker.toggle()">&nbsp;&nbsp;&nbsp;</button>
 
     <ng-template #popContent>
       <div style="min-width: 200px;" class="pb-3">
         <color-slider [color]="value" (onChangeComplete)="colorChanged($event.color.hex)"></color-slider>
       </div>
-
     </ng-template>
 
-    <input #inputField class="form-control" [class.is-invalid]="error" [id]="inputId" [(ngModel)]="value" (change)="onChange(value)" [autoClose]="'outside'" [ngbPopover]="popContent" placement="bottom" popoverClass="shadow">
+    <input #inputField class="form-control" [class.is-invalid]="error" [id]="inputId" [(ngModel)]="value" (change)="onChange(value)" [autoClose]="'outside'" [ngbPopover]="popContent" #colorPicker="ngbPopover" placement="bottom" popoverClass="shadow">
 
     <button class="btn btn-outline-secondary" type="button" (click)="randomize()">
       <i-bs name="dice5"></i-bs>

src-ui/src/app/components/common/input/color/color.component.spec.ts

@@ -42,8 +42,8 @@ describe('ColorComponent', () => {
   })
 
   it('should set swatch color', () => {
-    const swatch: HTMLSpanElement = fixture.nativeElement.querySelector(
-      'span.input-group-text'
+    const swatch: HTMLButtonElement = fixture.nativeElement.querySelector(
+      'button.input-group-text'
     )
     expect(swatch.style.backgroundColor).toEqual('')
     component.value = '#ff0000'

src-ui/src/app/components/document-detail/document-detail.component.spec.ts

@@ -1212,7 +1212,7 @@ describe('DocumentDetailComponent', () => {
   it('should support keyboard shortcuts', () => {
     initNormally()
 
-    jest.spyOn(component, 'hasNext').mockReturnValue(true)
+    const hasNextSpy = jest.spyOn(component, 'hasNext').mockReturnValue(true)
     const nextSpy = jest.spyOn(component, 'nextDoc')
     document.dispatchEvent(
       new KeyboardEvent('keydown', { key: 'arrowright', ctrlKey: true })
@@ -1226,21 +1226,32 @@ describe('DocumentDetailComponent', () => {
     )
     expect(prevSpy).toHaveBeenCalled()
 
-    jest.spyOn(openDocumentsService, 'isDirty').mockReturnValue(true)
+    const isDirtySpy = jest
+      .spyOn(openDocumentsService, 'isDirty')
+      .mockReturnValue(true)
     const saveSpy = jest.spyOn(component, 'save')
     document.dispatchEvent(
       new KeyboardEvent('keydown', { key: 's', ctrlKey: true })
     )
     expect(saveSpy).toHaveBeenCalled()
 
-    jest.spyOn(openDocumentsService, 'isDirty').mockReturnValue(true)
-    jest.spyOn(component, 'hasNext').mockReturnValue(true)
+    hasNextSpy.mockReturnValue(true)
     const saveNextSpy = jest.spyOn(component, 'saveEditNext')
     document.dispatchEvent(
       new KeyboardEvent('keydown', { key: 's', ctrlKey: true, shiftKey: true })
     )
     expect(saveNextSpy).toHaveBeenCalled()
 
+    saveSpy.mockClear()
+    saveNextSpy.mockClear()
+    isDirtySpy.mockReturnValue(true)
+    hasNextSpy.mockReturnValue(false)
+    document.dispatchEvent(
+      new KeyboardEvent('keydown', { key: 's', ctrlKey: true, shiftKey: true })
+    )
+    expect(saveNextSpy).not.toHaveBeenCalled()
+    expect(saveSpy).toHaveBeenCalledWith(true)
+
     const closeSpy = jest.spyOn(component, 'close')
     document.dispatchEvent(new KeyboardEvent('keydown', { key: 'escape' }))
     expect(closeSpy).toHaveBeenCalled()

src-ui/src/app/components/document-detail/document-detail.component.ts

@@ -615,7 +615,10 @@ export class DocumentDetailComponent
       })
       .pipe(takeUntil(this.unsubscribeNotifier))
       .subscribe(() => {
-        if (this.openDocumentService.isDirty(this.document)) this.saveEditNext()
+        if (this.openDocumentService.isDirty(this.document)) {
+          if (this.hasNext()) this.saveEditNext()
+          else this.save(true)
+        }
       })
   }
 
@@ -1478,7 +1481,7 @@ export class DocumentDetailComponent
     const modal = this.modalService.open(EmailDocumentDialogComponent, {
       backdrop: 'static',
     })
-    modal.componentInstance.documentId = this.document.id
+    modal.componentInstance.documentIds = [this.document.id]
     modal.componentInstance.hasArchiveVersion =
       !!this.document?.archived_file_name
   }

src-ui/src/app/components/document-list/bulk-editor/bulk-editor.component.html

@@ -1,161 +1,147 @@
 <div class="d-flex flex-wrap gap-4">
-  <div class="d-flex align-items-center" role="group" aria-label="Select">
-    <button class="btn btn-sm btn-outline-secondary" (click)="list.selectNone()">
-      <i-bs name="slash-circle"></i-bs>&nbsp;<ng-container i18n>Cancel</ng-container>
+  <div class="d-flex flex-wrap align-items-center gap-2" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.Document }">
+    <label class="me-2" i18n>Edit:</label>
+    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Tag)) {
+      <pngx-filterable-dropdown title="Tags" icon="tag-fill" i18n-title
+        filterPlaceholder="Filter tags" i18n-filterPlaceholder
+        [disabled]="!userCanEditAll || disabled"
+        [editing]="true"
+        [applyOnClose]="applyOnClose"
+        [createRef]="createTag.bind(this)"
+        (opened)="openTagsDropdown()"
+        [(selectionModel)]="tagSelectionModel"
+        [documentCounts]="tagDocumentCounts"
+        (apply)="setTags($event)"
+        shortcutKey="t">
+      </pngx-filterable-dropdown>
+    }
+    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Correspondent)) {
+      <pngx-filterable-dropdown title="Correspondent" icon="person-fill" i18n-title
+        filterPlaceholder="Filter correspondents" i18n-filterPlaceholder
+        [disabled]="!userCanEditAll || disabled"
+        [editing]="true"
+        [applyOnClose]="applyOnClose"
+        [createRef]="createCorrespondent.bind(this)"
+        (opened)="openCorrespondentDropdown()"
+        [(selectionModel)]="correspondentSelectionModel"
+        [documentCounts]="correspondentDocumentCounts"
+        (apply)="setCorrespondents($event)"
+        shortcutKey="y">
+      </pngx-filterable-dropdown>
+    }
+    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.DocumentType)) {
+      <pngx-filterable-dropdown title="Document type" icon="file-earmark-fill" i18n-title
+        filterPlaceholder="Filter document types" i18n-filterPlaceholder
+        [disabled]="!userCanEditAll || disabled"
+        [editing]="true"
+        [applyOnClose]="applyOnClose"
+        [createRef]="createDocumentType.bind(this)"
+        (opened)="openDocumentTypeDropdown()"
+        [(selectionModel)]="documentTypeSelectionModel"
+        [documentCounts]="documentTypeDocumentCounts"
+        (apply)="setDocumentTypes($event)"
+        shortcutKey="u">
+      </pngx-filterable-dropdown>
+    }
+    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.StoragePath)) {
+      <pngx-filterable-dropdown title="Storage path" icon="folder-fill" i18n-title
+        filterPlaceholder="Filter storage paths" i18n-filterPlaceholder
+        [disabled]="!userCanEditAll || disabled"
+        [editing]="true"
+        [applyOnClose]="applyOnClose"
+        [createRef]="createStoragePath.bind(this)"
+        (opened)="openStoragePathDropdown()"
+        [(selectionModel)]="storagePathsSelectionModel"
+        [documentCounts]="storagePathDocumentCounts"
+        (apply)="setStoragePaths($event)"
+        shortcutKey="i">
+      </pngx-filterable-dropdown>
+    }
+    @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.CustomField)) {
+      <pngx-filterable-dropdown title="Custom fields" icon="ui-radios" i18n-title
+        filterPlaceholder="Filter custom fields" i18n-filterPlaceholder
+        [disabled]="!userCanEditAll"
+        [editing]="true"
+        [applyOnClose]="applyOnClose"
+        [createRef]="createCustomField.bind(this)"
+        (opened)="openCustomFieldsDropdown()"
+        [(selectionModel)]="customFieldsSelectionModel"
+        [documentCounts]="customFieldDocumentCounts"
+        extraButtonTitle="Set values"
+        i18n-extraButtonTitle
+        (extraButton)="setCustomFieldValues($event)"
+        (apply)="setCustomFields($event)">
+      </pngx-filterable-dropdown>
+    }
+    <div class="btn-group">
+      <button type="button" class="btn btn-sm btn-outline-primary me-2" (click)="setPermissions()" [disabled]="!userOwnsAll || !userCanEditAll">
+        <i-bs name="person-fill-lock"></i-bs><div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Permissions</ng-container></div>
       </button>
     </div>
-    <div class="d-flex align-items-center gap-2" role="group" aria-label="Select">
-      <label class="me-2" i18n>Select:</label>
-      <div class="btn-group">
-        <button class="btn btn-sm btn-outline-primary" (click)="list.selectPage()">
-          <i-bs name="file-earmark-check"></i-bs>&nbsp;<ng-container i18n>Page</ng-container>
+  </div>
+  <div class="d-flex align-items-center gap-2 ms-auto">
+    <div class="btn-toolbar">
+      <div ngbDropdown>
+        <button class="btn btn-sm btn-outline-primary" id="dropdownSelect" [disabled]="!userCanEdit && !userCanAdd" ngbDropdownToggle>
+          <i-bs name="three-dots"></i-bs>
+          <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Actions</ng-container></div>
+        </button>
+        <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
+          <button ngbDropdownItem (click)="reprocessSelected()" [disabled]="!userCanEditAll && !userCanEditAll">
+            <i-bs name="body-text"></i-bs>&nbsp;<ng-container i18n>Reprocess</ng-container>
+          </button>
+          <button ngbDropdownItem (click)="rotateSelected()" [disabled]="!userOwnsAll && !userCanEditAll">
+            <i-bs name="arrow-clockwise"></i-bs>&nbsp;<ng-container i18n>Rotate</ng-container>
+          </button>
+          <button ngbDropdownItem (click)="mergeSelected()" [disabled]="!userCanAdd || list.selected.size < 2">
+            <i-bs name="journals"></i-bs>&nbsp;<ng-container i18n>Merge</ng-container>
+          </button>
+          <button ngbDropdownItem (click)="emailSelected()" [disabled]="!userCanEdit">
+            <i-bs name="envelope"></i-bs>&nbsp;<ng-container i18n>Email</ng-container>
           </button>
-          <button class="btn btn-sm btn-outline-primary" (click)="list.selectAll()">
-            <i-bs name="check-all"></i-bs>&nbsp;<ng-container i18n>All</ng-container>
-            </button>
-          </div>
         </div>
-        <div class="d-flex align-items-center gap-2" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.Document }">
-          <label class="me-2" i18n>Edit:</label>
-          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Tag)) {
-            <pngx-filterable-dropdown title="Tags" icon="tag-fill" i18n-title
-              filterPlaceholder="Filter tags" i18n-filterPlaceholder
-              [disabled]="!userCanEditAll || disabled"
-              [editing]="true"
-              [applyOnClose]="applyOnClose"
-              [createRef]="createTag.bind(this)"
-              (opened)="openTagsDropdown()"
-              [(selectionModel)]="tagSelectionModel"
-              [documentCounts]="tagDocumentCounts"
-              (apply)="setTags($event)"
-              shortcutKey="t">
-            </pngx-filterable-dropdown>
-          }
-          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.Correspondent)) {
-            <pngx-filterable-dropdown title="Correspondent" icon="person-fill" i18n-title
-              filterPlaceholder="Filter correspondents" i18n-filterPlaceholder
-              [disabled]="!userCanEditAll || disabled"
-              [editing]="true"
-              [applyOnClose]="applyOnClose"
-              [createRef]="createCorrespondent.bind(this)"
-              (opened)="openCorrespondentDropdown()"
-              [(selectionModel)]="correspondentSelectionModel"
-              [documentCounts]="correspondentDocumentCounts"
-              (apply)="setCorrespondents($event)"
-              shortcutKey="y">
-            </pngx-filterable-dropdown>
-          }
-          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.DocumentType)) {
-            <pngx-filterable-dropdown title="Document type" icon="file-earmark-fill" i18n-title
-              filterPlaceholder="Filter document types" i18n-filterPlaceholder
-              [disabled]="!userCanEditAll || disabled"
-              [editing]="true"
-              [applyOnClose]="applyOnClose"
-              [createRef]="createDocumentType.bind(this)"
-              (opened)="openDocumentTypeDropdown()"
-              [(selectionModel)]="documentTypeSelectionModel"
-              [documentCounts]="documentTypeDocumentCounts"
-              (apply)="setDocumentTypes($event)"
-              shortcutKey="u">
-            </pngx-filterable-dropdown>
-          }
-          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.StoragePath)) {
-            <pngx-filterable-dropdown title="Storage path" icon="folder-fill" i18n-title
-              filterPlaceholder="Filter storage paths" i18n-filterPlaceholder
-              [disabled]="!userCanEditAll || disabled"
-              [editing]="true"
-              [applyOnClose]="applyOnClose"
-              [createRef]="createStoragePath.bind(this)"
-              (opened)="openStoragePathDropdown()"
-              [(selectionModel)]="storagePathsSelectionModel"
-              [documentCounts]="storagePathDocumentCounts"
-              (apply)="setStoragePaths($event)"
-              shortcutKey="i">
-            </pngx-filterable-dropdown>
-          }
-          @if (permissionService.currentUserCan(PermissionAction.View, PermissionType.CustomField)) {
-            <pngx-filterable-dropdown title="Custom fields" icon="ui-radios" i18n-title
-              filterPlaceholder="Filter custom fields" i18n-filterPlaceholder
-              [disabled]="!userCanEditAll"
-              [editing]="true"
-              [applyOnClose]="applyOnClose"
-              [createRef]="createCustomField.bind(this)"
-              (opened)="openCustomFieldsDropdown()"
-              [(selectionModel)]="customFieldsSelectionModel"
-              [documentCounts]="customFieldDocumentCounts"
-              extraButtonTitle="Set values"
-              i18n-extraButtonTitle
-              (extraButton)="setCustomFieldValues($event)"
-              (apply)="setCustomFields($event)">
-            </pngx-filterable-dropdown>
-          }
+      </div>
+    </div>
+    <div class="btn-group btn-group-sm">
+      <button class="btn btn-sm btn-outline-primary" [disabled]="awaitingDownload" (click)="downloadSelected()">
+        @if (!awaitingDownload) {
+          <i-bs name="arrow-down"></i-bs>
+        }
+        @if (awaitingDownload) {
+          <div class="spinner-border spinner-border-sm" role="status">
+            <span class="visually-hidden">Preparing download...</span>
+          </div>
+        }
+        <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Download</ng-container></div>
+      </button>
+      <div ngbDropdown class="me-2 d-flex btn-group" role="group">
+        <button type="button" class="btn btn-sm btn-outline-primary dropdown-toggle-split rounded-end" ngbDropdownToggle></button>
+        <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
+          <form [formGroup]="downloadForm" class="px-3 py-1">
+            <p class="mb-1" i18n>Include:</p>
+            <div class="form-group ps-3 mb-2">
+              <div class="form-check">
+                <input type="checkbox" class="form-check-input" id="downloadFileType_archive" formControlName="downloadFileTypeArchive" />
+                <label class="form-check-label" for="downloadFileType_archive" i18n>Archived files</label>
+              </div>
+              <div class="form-check">
+                <input type="checkbox" class="form-check-input" id="downloadFileType_originals" formControlName="downloadFileTypeOriginals" />
+                <label class="form-check-label" for="downloadFileType_originals" i18n>Original files</label>
+              </div>
+            </div>
+            <div class="form-check">
+              <input type="checkbox" class="form-check-input" id="downloadUseFormatting" formControlName="downloadUseFormatting" />
+              <label class="form-check-label" for="downloadUseFormatting" i18n>Use formatted filename</label>
+            </div>
+          </form>
         </div>
-        <div class="d-flex align-items-center gap-2 ms-auto">
-          <div class="btn-toolbar">
+      </div>
+    </div>
 
-            <button type="button" class="btn btn-sm btn-outline-primary me-2" (click)="setPermissions()" [disabled]="!userOwnsAll || !userCanEditAll">
-              <i-bs name="person-fill-lock"></i-bs><div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Permissions</ng-container></div>
-            </button>
-
-            <div ngbDropdown>
-              <button class="btn btn-sm btn-outline-primary" id="dropdownSelect" [disabled]="!userCanEdit && !userCanAdd" ngbDropdownToggle>
-                <i-bs name="three-dots"></i-bs>
-                <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Actions</ng-container></div>
-              </button>
-              <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
-                <button ngbDropdownItem (click)="reprocessSelected()" [disabled]="!userCanEditAll && !userCanEditAll">
-                  <i-bs name="body-text"></i-bs>&nbsp;<ng-container i18n>Reprocess</ng-container>
-                </button>
-                <button ngbDropdownItem (click)="rotateSelected()" [disabled]="!userOwnsAll && !userCanEditAll">
-                  <i-bs name="arrow-clockwise"></i-bs>&nbsp;<ng-container i18n>Rotate</ng-container>
-                </button>
-                <button ngbDropdownItem (click)="mergeSelected()" [disabled]="!userCanAdd || list.selected.size < 2">
-                  <i-bs name="journals"></i-bs>&nbsp;<ng-container i18n>Merge</ng-container>
-                </button>
-              </div>
-            </div>
-          </div>
-
-            <div class="btn-group btn-group-sm">
-              <button class="btn btn-sm btn-outline-primary" [disabled]="awaitingDownload" (click)="downloadSelected()">
-                @if (!awaitingDownload) {
-                  <i-bs name="arrow-down"></i-bs>
-                }
-                @if (awaitingDownload) {
-                  <div class="spinner-border spinner-border-sm" role="status">
-                    <span class="visually-hidden">Preparing download...</span>
-                  </div>
-                }
-                <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Download</ng-container></div>
-              </button>
-              <div ngbDropdown class="me-2 d-flex btn-group" role="group">
-                <button type="button" class="btn btn-sm btn-outline-primary dropdown-toggle-split rounded-end" ngbDropdownToggle></button>
-                <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
-                  <form [formGroup]="downloadForm" class="px-3 py-1">
-                    <p class="mb-1" i18n>Include:</p>
-                    <div class="form-group ps-3 mb-2">
-                      <div class="form-check">
-                        <input type="checkbox" class="form-check-input" id="downloadFileType_archive" formControlName="downloadFileTypeArchive" />
-                        <label class="form-check-label" for="downloadFileType_archive" i18n>Archived files</label>
-                      </div>
-                      <div class="form-check">
-                        <input type="checkbox" class="form-check-input" id="downloadFileType_originals" formControlName="downloadFileTypeOriginals" />
-                        <label class="form-check-label" for="downloadFileType_originals" i18n>Original files</label>
-                      </div>
-                    </div>
-                    <div class="form-check">
-                      <input type="checkbox" class="form-check-input" id="downloadUseFormatting" formControlName="downloadUseFormatting" />
-                      <label class="form-check-label" for="downloadUseFormatting" i18n>Use formatted filename</label>
-                    </div>
-                  </form>
-                </div>
-              </div>
-            </div>
-
-            <div class="btn-group btn-group-sm">
-              <button type="button" class="btn btn-sm btn-outline-danger" (click)="applyDelete()" *pngxIfPermissions="{ action: PermissionAction.Delete, type: PermissionType.Document }" [disabled]="!userOwnsAll">
-                <i-bs name="trash"></i-bs>&nbsp;<ng-container i18n>Delete</ng-container>
-                </button>
-              </div>
-            </div>
-          </div>
+    <div class="btn-group btn-group-sm">
+      <button type="button" class="btn btn-sm btn-outline-danger" (click)="applyDelete()" *pngxIfPermissions="{ action: PermissionAction.Delete, type: PermissionType.Document }" [disabled]="!userOwnsAll">
+        <i-bs name="trash"></i-bs>&nbsp;<ng-container i18n>Delete</ng-container>
+      </button>
+    </div>
+  </div>
+</div>

src-ui/src/app/components/document-list/bulk-editor/bulk-editor.component.scss

@@ -5,3 +5,7 @@
 .dropdown-menu{
     --bs-dropdown-min-width: 12rem;
 }
+
+.btn-group .btn {
+  white-space: nowrap;
+}

src-ui/src/app/components/document-list/bulk-editor/bulk-editor.component.ts

@@ -46,6 +46,7 @@ import { DocumentTypeEditDialogComponent } from '../../common/edit-dialog/docume
 import { EditDialogMode } from '../../common/edit-dialog/edit-dialog.component'
 import { StoragePathEditDialogComponent } from '../../common/edit-dialog/storage-path-edit-dialog/storage-path-edit-dialog.component'
 import { TagEditDialogComponent } from '../../common/edit-dialog/tag-edit-dialog/tag-edit-dialog.component'
+import { EmailDocumentDialogComponent } from '../../common/email-document-dialog/email-document-dialog.component'
 import {
   ChangedItems,
   FilterableDropdownComponent,
@@ -902,4 +903,16 @@ export class BulkEditorComponent
       )
     })
   }
+
+  emailSelected() {
+    const allHaveArchiveVersion = this.list.documents
+      .filter((d) => this.list.selected.has(d.id))
+      .every((doc) => !!doc.archived_file_name)
+
+    const modal = this.modalService.open(EmailDocumentDialogComponent, {
+      backdrop: 'static',
+    })
+    modal.componentInstance.documentIds = Array.from(this.list.selected)
+    modal.componentInstance.hasArchiveVersion = allHaveArchiveVersion
+  }
 }

src-ui/src/app/components/document-list/document-list.component.html

@@ -1,16 +1,36 @@
 <pngx-page-header [title]="getTitle()">
-
-  <div ngbDropdown class="btn-group flex-fill">
-    <button class="btn btn-sm btn-outline-primary" id="dropdownSelect" ngbDropdownToggle>
+  <div ngbDropdown class="btn-group flex-fill d-sm-none">
+    <button class="btn btn-sm btn-outline-primary" id="dropdownSelectMobile" ngbDropdownToggle>
       <i-bs name="text-indent-left"></i-bs>
       <div class="d-none d-sm-inline">&nbsp;<ng-container i18n>Select</ng-container></div>
+      @if (list.selected.size > 0) {
+        <pngx-clearable-badge [selected]="list.selected.size > 0" [number]="list.selected.size" (cleared)="list.selectNone()"></pngx-clearable-badge><span class="visually-hidden">selected</span>
+      }
     </button>
-    <div ngbDropdownMenu aria-labelledby="dropdownSelect" class="shadow">
+    <div ngbDropdownMenu aria-labelledby="dropdownSelectMobile" class="shadow">
       <button ngbDropdownItem (click)="list.selectNone()" i18n>Select none</button>
       <button ngbDropdownItem (click)="list.selectPage()" i18n>Select page</button>
       <button ngbDropdownItem (click)="list.selectAll()" i18n>Select all</button>
     </div>
   </div>
+  <div class="d-none d-sm-flex flex-fill me-3">
+    <div class="input-group input-group-sm">
+      <span class="input-group-text border-0">Select:</span>
+    </div>
+    <div class="btn-group btn-group-sm flex-nowrap">
+      @if (list.selected.size > 0) {
+        <button class="btn btn-sm btn-outline-secondary" (click)="list.selectNone()">
+          <i-bs name="slash-circle"></i-bs>&nbsp;<ng-container i18n>None</ng-container>
+        </button>
+      }
+      <button class="btn btn-sm btn-outline-primary" (click)="list.selectPage()">
+        <i-bs name="file-earmark-check"></i-bs>&nbsp;<ng-container i18n>Page</ng-container>
+      </button>
+      <button class="btn btn-sm btn-outline-primary" (click)="list.selectAll()">
+        <i-bs name="check-all"></i-bs>&nbsp;<ng-container i18n>All</ng-container>
+      </button>
+    </div>
+  </div>
   <div ngbDropdown class="btn-group flex-fill">
     <button class="btn btn-sm btn-outline-primary" id="dropdownDisplayFields" ngbDropdownToggle>
       <i-bs name="card-heading"></i-bs>
@@ -126,8 +146,13 @@
       @if (!list.isReloading && isFiltered) {
         <button class="btn btn-link py-0" (click)="resetFilters()">
           <i-bs width="1em" height="1em" name="x"></i-bs><small i18n>Reset filters</small>
-          </button>
-        }
+        </button>
+      }
+      @if (!list.isReloading && list.selected.size > 0) {
+        <button class="btn btn-link py-0" (click)="list.selectNone()">
+          <i-bs width="1em" height="1em" name="slash-circle" class="me-1"></i-bs><small i18n>Clear selection</small>
+        </button>
+      }
       </div>
       @if (list.collectionSize) {
         <ngb-pagination [pageSize]="list.pageSize" [collectionSize]="list.collectionSize" [(page)]="list.currentPage" [maxSize]="5"

src-ui/src/app/components/document-list/document-list.component.ts

@@ -56,6 +56,7 @@ import {
   filterRulesDiffer,
   isFullTextFilterRule,
 } from 'src/app/utils/filter-rules'
+import { ClearableBadgeComponent } from '../common/clearable-badge/clearable-badge.component'
 import { CustomFieldDisplayComponent } from '../common/custom-field-display/custom-field-display.component'
 import { PageHeaderComponent } from '../common/page-header/page-header.component'
 import { PreviewPopupComponent } from '../common/preview-popup/preview-popup.component'
@@ -72,6 +73,7 @@ import { SaveViewConfigDialogComponent } from './save-view-config-dialog/save-vi
   templateUrl: './document-list.component.html',
   styleUrls: ['./document-list.component.scss'],
   imports: [
+    ClearableBadgeComponent,
     CustomFieldDisplayComponent,
     PageHeaderComponent,
     BulkEditorComponent,

src-ui/src/app/services/rest/document.service.spec.ts

@@ -357,17 +357,15 @@ it('should include custom fields in sort fields if user has permission', () => {
 
 it('should call appropriate api endpoint for email document', () => {
   subscription = service
-    .emailDocument(
-      documents[0].id,
+    .emailDocuments(
+      [documents[0].id],
       'hello@paperless-ngx.com',
       'hello',
       'world',
       true
     )
     .subscribe()
-  httpTestingController.expectOne(
-    `${environment.apiBaseUrl}${endpoint}/${documents[0].id}/email/`
-  )
+  httpTestingController.expectOne(`${environment.apiBaseUrl}${endpoint}/email/`)
 })
 
 afterEach(() => {

src-ui/src/app/services/rest/document.service.ts

@@ -256,14 +256,15 @@ export class DocumentService extends AbstractPaperlessService<Document> {
     return this._searchQuery
   }
 
-  emailDocument(
-    documentId: number,
+  emailDocuments(
+    documentIds: number[],
     addresses: string,
     subject: string,
     message: string,
     useArchiveVersion: boolean
   ): Observable<any> {
-    return this.http.post(this.getResourceUrl(documentId, 'email'), {
+    return this.http.post(this.getResourceUrl(null, 'email'), {
+      documents: documentIds,
       addresses: addresses,
       subject: subject,
       message: message,

src-ui/src/app/services/tasks.service.spec.ts

@@ -51,7 +51,7 @@ describe('TasksService', () => {
   })
 
   it('calls acknowledge_tasks api endpoint on dismiss and reloads', () => {
-    tasksService.dismissTasks(new Set([1, 2, 3]))
+    tasksService.dismissTasks(new Set([1, 2, 3])).subscribe()
     const req = httpTestingController.expectOne(
       `${environment.apiBaseUrl}tasks/acknowledge/`
     )

src-ui/src/app/services/tasks.service.ts

@@ -1,7 +1,7 @@
 import { HttpClient } from '@angular/common/http'
 import { Injectable, inject } from '@angular/core'
 import { Observable, Subject } from 'rxjs'
-import { first, takeUntil } from 'rxjs/operators'
+import { first, takeUntil, tap } from 'rxjs/operators'
 import {
   PaperlessTask,
   PaperlessTaskName,
@@ -68,14 +68,17 @@ export class TasksService {
   }
 
   public dismissTasks(task_ids: Set<number>) {
-    this.http
+    return this.http
       .post(`${this.baseUrl}tasks/acknowledge/`, {
         tasks: [...task_ids],
       })
-      .pipe(first())
-      .subscribe((r) => {
-        this.reload()
-      })
+      .pipe(
+        first(),
+        takeUntil(this.unsubscribeNotifer),
+        tap(() => {
+          this.reload()
+        })
+      )
   }
 
   public cancelPending(): void {

src/documents/mail.py

@@ -10,11 +10,20 @@ def send_email(
     subject: str,
     body: str,
     to: list[str],
-    attachment: Path | None = None,
-    attachment_mime_type: str | None = None,
+    attachments: list[tuple[Path, str]],
 ) -> int:
     """
-    Send an email with an optional attachment.
+    Send an email with attachments.
+
+    Args:
+        subject: Email subject
+        body: Email body text
+        to: List of recipient email addresses
+        attachments: List of (path, mime_type) tuples for attachments (the list may be empty)
+
+    Returns:
+        Number of emails sent
+
     TODO: re-evaluate this pending https://code.djangoproject.com/ticket/35581 / https://github.com/django/django/pull/18966
     """
     email = EmailMessage(
@@ -22,17 +31,20 @@ def send_email(
         body=body,
         to=to,
     )
-    if attachment:
-        # Something could be renaming the file concurrently so it can't be attached
-        with FileLock(settings.MEDIA_LOCK), attachment.open("rb") as f:
-            content = f.read()
-            if attachment_mime_type == "message/rfc822":
-                # See https://forum.djangoproject.com/t/using-emailmessage-with-an-attached-email-file-crashes-due-to-non-ascii/37981
-                content = message_from_bytes(f.read())
 
-            email.attach(
-                filename=attachment.name,
-                content=content,
-                mimetype=attachment_mime_type,
-            )
+    # Something could be renaming the file concurrently so it can't be attached
+    with FileLock(settings.MEDIA_LOCK):
+        for attachment_path, mime_type in attachments:
+            with attachment_path.open("rb") as f:
+                content = f.read()
+                if mime_type == "message/rfc822":
+                    # See https://forum.djangoproject.com/t/using-emailmessage-with-an-attached-email-file-crashes-due-to-non-ascii/37981
+                    content = message_from_bytes(content)
+
+                email.attach(
+                    filename=attachment_path.name,
+                    content=content,
+                    mimetype=mime_type,
+                )
+
     return email.send()

src/documents/permissions.py

@@ -161,3 +161,21 @@ class PaperlessNotePermissions(BasePermission):
         perms = self.perms_map[request.method]
 
         return request.user.has_perms(perms)
+
+
+class AcknowledgeTasksPermissions(BasePermission):
+    """
+    Permissions class that checks for model permissions for acknowledging tasks.
+    """
+
+    perms_map = {
+        "POST": ["documents.change_paperlesstask"],
+    }
+
+    def has_permission(self, request, view):
+        if not request.user or not request.user.is_authenticated:  # pragma: no cover
+            return False
+
+        perms = self.perms_map.get(request.method, [])
+
+        return request.user.has_perms(perms)

src/documents/sanity_checker.py

@@ -76,7 +76,9 @@ def check_sanity(*, progress=False, scheduled=True) -> SanityCheckMessages:
     messages = SanityCheckMessages()
 
     present_files = {
-        x.resolve() for x in Path(settings.MEDIA_ROOT).glob("**/*") if not x.is_dir()
+        x.resolve()
+        for x in Path(settings.MEDIA_ROOT).glob("**/*")
+        if not x.is_dir() and x.name not in settings.IGNORABLE_FILES
     }
 
     lockfile = Path(settings.MEDIA_LOCK).resolve()

src/documents/serialisers.py

@@ -6,6 +6,7 @@ import re
 from datetime import datetime
 from decimal import Decimal
 from typing import TYPE_CHECKING
+from typing import Literal
 
 import magic
 from celery import states
@@ -15,6 +16,7 @@ from django.contrib.auth.models import User
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import ValidationError
 from django.core.validators import DecimalValidator
+from django.core.validators import EmailValidator
 from django.core.validators import MaxLengthValidator
 from django.core.validators import RegexValidator
 from django.core.validators import integer_validator
@@ -252,6 +254,35 @@ class OwnedObjectSerializer(
             except KeyError:
                 pass
 
+    def _get_perms(self, obj, codename: str, target: Literal["users", "groups"]):
+        """
+        Get the given permissions from context or from django-guardian.
+
+        :param codename: The permission codename, e.g. 'view' or 'change'
+        :param target: 'users' or 'groups'
+        """
+        key = f"{target}_{codename}_perms"
+        cached = self.context.get(key, {}).get(obj.pk)
+        if cached is not None:
+            return list(cached)
+
+        # Permission not found in the context, get it from guardian
+        if target == "users":
+            return list(
+                get_users_with_perms(
+                    obj,
+                    only_with_perms_in=[f"{codename}_{obj.__class__.__name__.lower()}"],
+                    with_group_users=False,
+                ).values_list("id", flat=True),
+            )
+        else:  # groups
+            return list(
+                get_groups_with_only_permission(
+                    obj,
+                    codename=f"{codename}_{obj.__class__.__name__.lower()}",
+                ).values_list("id", flat=True),
+            )
+
     @extend_schema_field(
         field={
             "type": "object",
@@ -286,31 +317,14 @@ class OwnedObjectSerializer(
         },
     )
     def get_permissions(self, obj) -> dict:
-        view_codename = f"view_{obj.__class__.__name__.lower()}"
-        change_codename = f"change_{obj.__class__.__name__.lower()}"
-
         return {
             "view": {
-                "users": get_users_with_perms(
-                    obj,
-                    only_with_perms_in=[view_codename],
-                    with_group_users=False,
-                ).values_list("id", flat=True),
-                "groups": get_groups_with_only_permission(
-                    obj,
-                    codename=view_codename,
-                ).values_list("id", flat=True),
+                "users": self._get_perms(obj, "view", "users"),
+                "groups": self._get_perms(obj, "view", "groups"),
             },
             "change": {
-                "users": get_users_with_perms(
-                    obj,
-                    only_with_perms_in=[change_codename],
-                    with_group_users=False,
-                ).values_list("id", flat=True),
-                "groups": get_groups_with_only_permission(
-                    obj,
-                    codename=change_codename,
-                ).values_list("id", flat=True),
+                "users": self._get_perms(obj, "change", "users"),
+                "groups": self._get_perms(obj, "change", "groups"),
             },
         }
 
@@ -1893,6 +1907,51 @@ class BulkDownloadSerializer(DocumentListSerializer):
         }[compression]
 
 
+class EmailSerializer(DocumentListSerializer):
+    addresses = serializers.CharField(
+        required=True,
+        label="Email addresses",
+        help_text="Comma-separated email addresses",
+    )
+
+    subject = serializers.CharField(
+        required=True,
+        label="Email subject",
+    )
+
+    message = serializers.CharField(
+        required=True,
+        label="Email message",
+    )
+
+    use_archive_version = serializers.BooleanField(
+        default=True,
+        label="Use archive version",
+        help_text="Use archive version of documents if available",
+    )
+
+    def validate_addresses(self, addresses):
+        address_list = [addr.strip() for addr in addresses.split(",")]
+        if not address_list:
+            raise serializers.ValidationError("At least one email address is required")
+
+        email_validator = EmailValidator()
+        try:
+            for address in address_list:
+                email_validator(address)
+        except ValidationError:
+            raise serializers.ValidationError(f"Invalid email address: {address}")
+
+        return ",".join(address_list)
+
+    def validate_documents(self, documents):
+        super().validate_documents(documents)
+        if not documents:
+            raise serializers.ValidationError("At least one document is required")
+
+        return documents
+
+
 class StoragePathSerializer(MatchingModelSerializer, OwnedObjectSerializer):
     class Meta:
         model = StoragePath

src/documents/signals/handlers.py

@@ -1162,12 +1162,14 @@ def run_workflows(
             else ""
         )
         try:
+            attachments = []
+            if action.email.include_document and original_file:
+                attachments = [(original_file, document.mime_type)]
             n_messages = send_email(
                 subject=subject,
                 body=body,
                 to=action.email.to.split(","),
-                attachment=original_file if action.email.include_document else None,
-                attachment_mime_type=document.mime_type,
+                attachments=attachments,
             )
             logger.debug(
                 f"Sent {n_messages} notification email(s) to {action.email.to}",

src/documents/tests/test_api_documents.py

@@ -3093,7 +3093,7 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
                 "message": "hello",
             },
         )
-        self.assertEqual(resp.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(resp.status_code, status.HTTP_400_BAD_REQUEST)
 
         resp = self.client.post(
             f"/api/documents/{doc.pk}/email/",

src/documents/tests/test_api_email.py

@@ -0,0 +1,330 @@
+import json
+import shutil
+from unittest import mock
+
+from django.contrib.auth.models import Permission
+from django.contrib.auth.models import User
+from django.core import mail
+from django.test import override_settings
+from rest_framework import status
+from rest_framework.test import APITestCase
+
+from documents.models import Document
+from documents.tests.utils import DirectoriesMixin
+from documents.tests.utils import SampleDirMixin
+
+
+class TestEmail(DirectoriesMixin, SampleDirMixin, APITestCase):
+    ENDPOINT = "/api/documents/email/"
+
+    def setUp(self):
+        super().setUp()
+
+        self.user = User.objects.create_superuser(username="temp_admin")
+        self.client.force_authenticate(user=self.user)
+
+        self.doc1 = Document.objects.create(
+            title="test1",
+            mime_type="application/pdf",
+            content="this is document 1",
+            checksum="1",
+            filename="test1.pdf",
+            archive_checksum="A1",
+            archive_filename="archive1.pdf",
+        )
+        self.doc2 = Document.objects.create(
+            title="test2",
+            mime_type="application/pdf",
+            content="this is document 2",
+            checksum="2",
+            filename="test2.pdf",
+        )
+
+        # Copy sample files to document paths
+        shutil.copy(self.SAMPLE_DIR / "simple.pdf", self.doc1.archive_path)
+        shutil.copy(self.SAMPLE_DIR / "simple.pdf", self.doc1.source_path)
+        shutil.copy(self.SAMPLE_DIR / "simple.pdf", self.doc2.source_path)
+
+    @override_settings(
+        EMAIL_ENABLED=True,
+        EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend",
+    )
+    def test_email_success(self):
+        """
+        GIVEN:
+            - Multiple existing documents
+        WHEN:
+            - API request is made to bulk email documents
+        THEN:
+            - Email is sent with all documents attached
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk, self.doc2.pk],
+                    "addresses": "hello@paperless-ngx.com,test@example.com",
+                    "subject": "Bulk email test",
+                    "message": "Here are your documents",
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["message"], "Email sent")
+        self.assertEqual(len(mail.outbox), 1)
+
+        email = mail.outbox[0]
+        self.assertEqual(email.to, ["hello@paperless-ngx.com", "test@example.com"])
+        self.assertEqual(email.subject, "Bulk email test")
+        self.assertEqual(email.body, "Here are your documents")
+        self.assertEqual(len(email.attachments), 2)
+
+        # Check attachment names (should default to archive version for doc1, original for doc2)
+        attachment_names = [att[0] for att in email.attachments]
+        self.assertIn("archive1.pdf", attachment_names)
+        self.assertIn("test2.pdf", attachment_names)
+
+    @override_settings(
+        EMAIL_ENABLED=True,
+        EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend",
+    )
+    def test_email_use_original_version(self):
+        """
+        GIVEN:
+            - Documents with archive versions
+        WHEN:
+            - API request is made to bulk email with use_archive_version=False
+        THEN:
+            - Original files are attached instead of archive versions
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                    "message": "Test message",
+                    "use_archive_version": False,
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].attachments[0][0], "test1.pdf")
+
+    def test_email_missing_required_fields(self):
+        """
+        GIVEN:
+            - Request with missing required fields
+        WHEN:
+            - API request is made to bulk email endpoint
+        THEN:
+            - Bad request response is returned
+        """
+        # Missing addresses
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        # Missing subject
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "addresses": "test@example.com",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        # Missing message
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        # Missing documents
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+    def test_email_empty_document_list(self):
+        """
+        GIVEN:
+            - Request with empty document list
+        WHEN:
+            - API request is made to bulk email endpoint
+        THEN:
+            - Bad request response is returned
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [],
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+    def test_email_invalid_document_id(self):
+        """
+        GIVEN:
+            - Request with non-existent document ID
+        WHEN:
+            - API request is made to bulk email endpoint
+        THEN:
+            - Bad request response is returned
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [999],
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+    def test_email_invalid_email_address(self):
+        """
+        GIVEN:
+            - Request with invalid email address
+        WHEN:
+            - API request is made to bulk email endpoint
+        THEN:
+            - Bad request response is returned
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "addresses": "invalid-email",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        # Test multiple addresses with one invalid
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "addresses": "valid@example.com,invalid-email",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+    def test_email_insufficient_permissions(self):
+        """
+        GIVEN:
+            - User without permissions to view document
+        WHEN:
+            - API request is made to bulk email documents
+        THEN:
+            - Forbidden response is returned
+        """
+        user1 = User.objects.create_user(username="test1")
+        user1.user_permissions.add(*Permission.objects.filter(codename="view_document"))
+
+        doc_owned = Document.objects.create(
+            title="owned_doc",
+            mime_type="application/pdf",
+            checksum="owned",
+            owner=self.user,
+        )
+
+        self.client.force_authenticate(user1)
+
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk, doc_owned.pk],
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    @mock.patch(
+        "django.core.mail.message.EmailMessage.send",
+        side_effect=Exception("Email error"),
+    )
+    def test_email_send_error(self, mocked_send):
+        """
+        GIVEN:
+            - Existing documents
+        WHEN:
+            - API request is made to bulk email and error occurs during email send
+        THEN:
+            - Server error response is returned
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_500_INTERNAL_SERVER_ERROR)
+        self.assertIn("Error emailing documents", response.content.decode())

src/documents/tests/test_api_tasks.py

@@ -135,6 +135,44 @@ class TestTasks(DirectoriesMixin, APITestCase):
         response = self.client.get(self.ENDPOINT + "?acknowledged=false")
         self.assertEqual(len(response.data), 0)
 
+    def test_acknowledge_tasks_requires_change_permission(self):
+        """
+        GIVEN:
+            - A regular user initially without change permissions
+            - A regular user with change permissions
+        WHEN:
+            - API call is made to acknowledge tasks
+        THEN:
+            - The first user is forbidden from acknowledging tasks
+            - The second user is allowed to acknowledge tasks
+        """
+        regular_user = User.objects.create_user(username="test")
+        self.client.force_authenticate(user=regular_user)
+
+        task = PaperlessTask.objects.create(
+            task_id=str(uuid.uuid4()),
+            task_file_name="task_one.pdf",
+        )
+
+        response = self.client.post(
+            self.ENDPOINT + "acknowledge/",
+            {"tasks": [task.id]},
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        regular_user2 = User.objects.create_user(username="test2")
+        regular_user2.user_permissions.add(
+            Permission.objects.get(codename="change_paperlesstask"),
+        )
+        regular_user2.save()
+        self.client.force_authenticate(user=regular_user2)
+
+        response = self.client.post(
+            self.ENDPOINT + "acknowledge/",
+            {"tasks": [task.id]},
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     def test_tasks_owner_aware(self):
         """
         GIVEN:

src/documents/tests/test_sanity_check.py

@@ -169,6 +169,13 @@ class TestSanityCheck(DirectoriesMixin, TestCase):
         messages = check_sanity()
         self.assertFalse(messages.has_warning)
 
+    def test_ignore_ignorable_files(self):
+        self.make_test_data()
+        Path(self.dirs.media_dir, ".DS_Store").touch()
+        Path(self.dirs.media_dir, "desktop.ini").touch()
+        messages = check_sanity()
+        self.assertFalse(messages.has_warning)
+
     def test_archive_filename_no_checksum(self):
         doc = self.make_test_data()
         doc.archive_checksum = None

src/documents/tests/test_views.py

@@ -1,17 +1,23 @@
+import json
 import tempfile
 from datetime import timedelta
 from pathlib import Path
 
 from django.conf import settings
+from django.contrib.auth.models import Group
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
+from django.db import connection
 from django.test import TestCase
 from django.test import override_settings
+from django.test.utils import CaptureQueriesContext
 from django.utils import timezone
+from guardian.shortcuts import assign_perm
 from rest_framework import status
 
 from documents.models import Document
 from documents.models import ShareLink
+from documents.models import Tag
 from documents.tests.utils import DirectoriesMixin
 from paperless.models import ApplicationConfiguration
 
@@ -154,3 +160,113 @@ class TestViews(DirectoriesMixin, TestCase):
         response.render()
         self.assertEqual(response.request["PATH_INFO"], "/accounts/login/")
         self.assertContains(response, b"Share link has expired")
+
+    def test_list_with_full_permissions(self):
+        """
+        GIVEN:
+            - Tags with different permissions
+        WHEN:
+            - Request to get tag list with full permissions is made
+        THEN:
+            - Tag list is returned with the right permission information
+        """
+        user2 = User.objects.create(username="user2")
+        user3 = User.objects.create(username="user3")
+        group1 = Group.objects.create(name="group1")
+        group2 = Group.objects.create(name="group2")
+        group3 = Group.objects.create(name="group3")
+        t1 = Tag.objects.create(name="invoice", pk=1)
+        assign_perm("view_tag", self.user, t1)
+        assign_perm("view_tag", user2, t1)
+        assign_perm("view_tag", user3, t1)
+        assign_perm("view_tag", group1, t1)
+        assign_perm("view_tag", group2, t1)
+        assign_perm("view_tag", group3, t1)
+        assign_perm("change_tag", self.user, t1)
+        assign_perm("change_tag", user2, t1)
+        assign_perm("change_tag", group1, t1)
+        assign_perm("change_tag", group2, t1)
+
+        Tag.objects.create(name="bank statement", pk=2)
+        d1 = Document.objects.create(
+            title="Invoice 1",
+            content="This is the invoice of a very expensive item",
+            checksum="A",
+        )
+        d1.tags.add(t1)
+        d2 = Document.objects.create(
+            title="Invoice 2",
+            content="Internet invoice, I should pay it to continue contributing",
+            checksum="B",
+        )
+        d2.tags.add(t1)
+
+        view_permissions = Permission.objects.filter(
+            codename__contains="view_tag",
+        )
+        self.user.user_permissions.add(*view_permissions)
+        self.user.save()
+
+        self.client.force_login(self.user)
+        response = self.client.get("/api/tags/?page=1&full_perms=true")
+        results = json.loads(response.content)["results"]
+        for tag in results:
+            if tag["name"] == "invoice":
+                assert tag["permissions"] == {
+                    "view": {
+                        "users": [self.user.pk, user2.pk, user3.pk],
+                        "groups": [group1.pk, group2.pk, group3.pk],
+                    },
+                    "change": {
+                        "users": [self.user.pk, user2.pk],
+                        "groups": [group1.pk, group2.pk],
+                    },
+                }
+            elif tag["name"] == "bank statement":
+                assert tag["permissions"] == {
+                    "view": {"users": [], "groups": []},
+                    "change": {"users": [], "groups": []},
+                }
+            else:
+                assert False, f"Unexpected tag found: {tag['name']}"
+
+    def test_list_no_n_plus_1_queries(self):
+        """
+        GIVEN:
+            - Tags with different permissions
+        WHEN:
+            - Request to get tag list with full permissions is made
+        THEN:
+            - Permissions are not queried in database tag by tag,
+             i.e. there are no N+1 queries
+        """
+        view_permissions = Permission.objects.filter(
+            codename__contains="view_tag",
+        )
+        self.user.user_permissions.add(*view_permissions)
+        self.user.save()
+        self.client.force_login(self.user)
+
+        # Start by a small list, and count the number of SQL queries
+        for i in range(2):
+            Tag.objects.create(name=f"tag_{i}")
+
+        with CaptureQueriesContext(connection) as ctx_small:
+            response_small = self.client.get("/api/tags/?full_perms=true")
+            assert response_small.status_code == 200
+        num_queries_small = len(ctx_small.captured_queries)
+
+        # Complete the list, and count the number of SQL queries again
+        for i in range(2, 50):
+            Tag.objects.create(name=f"tag_{i}")
+
+        with CaptureQueriesContext(connection) as ctx_large:
+            response_large = self.client.get("/api/tags/?full_perms=true")
+            assert response_large.status_code == 200
+        num_queries_large = len(ctx_large.captured_queries)
+
+        # A few additional queries are allowed, but not a linear explosion
+        assert num_queries_large <= num_queries_small + 5, (
+            f"Possible N+1 queries detected: {num_queries_small} queries for 2 tags, "
+            f"but {num_queries_large} queries for 50 tags"
+        )

src/documents/views.py

@@ -5,9 +5,11 @@ import platform
 import re
 import tempfile
 import zipfile
+from collections import defaultdict
 from datetime import datetime
 from pathlib import Path
 from time import mktime
+from typing import Literal
 from unicodedata import normalize
 from urllib.parse import quote
 from urllib.parse import urlparse
@@ -19,6 +21,7 @@ from celery import states
 from django.conf import settings
 from django.contrib.auth.models import Group
 from django.contrib.auth.models import User
+from django.contrib.contenttypes.models import ContentType
 from django.db import connections
 from django.db.migrations.loader import MigrationLoader
 from django.db.migrations.recorder import MigrationRecorder
@@ -54,8 +57,11 @@ from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter
 from drf_spectacular.utils import extend_schema
+from drf_spectacular.utils import extend_schema_serializer
 from drf_spectacular.utils import extend_schema_view
 from drf_spectacular.utils import inline_serializer
+from guardian.utils import get_group_obj_perms_model
+from guardian.utils import get_user_obj_perms_model
 from langdetect import detect
 from packaging import version as packaging_version
 from redis import Redis
@@ -131,6 +137,7 @@ from documents.models import WorkflowAction
 from documents.models import WorkflowTrigger
 from documents.parsers import get_parser_class_for_mime_type
 from documents.parsers import parse_date_generator
+from documents.permissions import AcknowledgeTasksPermissions
 from documents.permissions import PaperlessAdminPermissions
 from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
@@ -147,6 +154,7 @@ from documents.serialisers import CustomFieldSerializer
 from documents.serialisers import DocumentListSerializer
 from documents.serialisers import DocumentSerializer
 from documents.serialisers import DocumentTypeSerializer
+from documents.serialisers import EmailSerializer
 from documents.serialisers import NotesSerializer
 from documents.serialisers import PostDocumentSerializer
 from documents.serialisers import RunTaskViewSerializer
@@ -254,7 +262,104 @@ class PassUserMixin(GenericAPIView):
         return super().get_serializer(*args, **kwargs)
 
 
-class PermissionsAwareDocumentCountMixin(PassUserMixin):
+class BulkPermissionMixin:
+    """
+    Prefetch Django-Guardian permissions for a list before serialization, to avoid N+1 queries.
+    """
+
+    def _get_object_perms(
+        self,
+        objects: list,
+        perm_codenames: list[str],
+        actor: Literal["users", "groups"],
+    ) -> dict[int, dict[str, list[int]]]:
+        """
+        Collect object-level permissions for either users or groups.
+        """
+        model = self.queryset.model
+        obj_perm_model = (
+            get_user_obj_perms_model(model)
+            if actor == "users"
+            else get_group_obj_perms_model(model)
+        )
+        id_field = "user_id" if actor == "users" else "group_id"
+        ctype = ContentType.objects.get_for_model(model)
+        object_pks = [obj.pk for obj in objects]
+
+        perms_qs = obj_perm_model.objects.filter(
+            content_type=ctype,
+            object_pk__in=object_pks,
+            permission__codename__in=perm_codenames,
+        ).values_list("object_pk", id_field, "permission__codename")
+
+        perms: dict[int, dict[str, list[int]]] = defaultdict(lambda: defaultdict(list))
+        for object_pk, actor_id, codename in perms_qs:
+            perms[int(object_pk)][codename].append(actor_id)
+
+        # Ensure that all objects have all codenames, even if empty
+        for pk in object_pks:
+            for codename in perm_codenames:
+                perms[pk][codename]
+
+        return perms
+
+    def get_serializer_context(self):
+        """
+        Get all permissions of the current list of objects at once and pass them to the serializer.
+        This avoid fetching permissions object by object in database.
+        """
+        context = super().get_serializer_context()
+        try:
+            full_perms = get_boolean(
+                str(self.request.query_params.get("full_perms", "false")),
+            )
+        except ValueError:
+            full_perms = False
+
+        if not full_perms:
+            return context
+
+        # Check which objects are being paginated
+        page = getattr(self, "paginator", None)
+        if page and hasattr(page, "page"):
+            queryset = page.page.object_list
+        elif hasattr(self, "page"):
+            queryset = self.page
+        else:
+            queryset = self.filter_queryset(self.get_queryset())
+
+        model_name = self.queryset.model.__name__.lower()
+        permission_name_view = f"view_{model_name}"
+        permission_name_change = f"change_{model_name}"
+
+        user_perms = self._get_object_perms(
+            objects=queryset,
+            perm_codenames=[permission_name_view, permission_name_change],
+            actor="users",
+        )
+        group_perms = self._get_object_perms(
+            objects=queryset,
+            perm_codenames=[permission_name_view, permission_name_change],
+            actor="groups",
+        )
+
+        context["users_view_perms"] = {
+            pk: user_perms[pk][permission_name_view] for pk in user_perms
+        }
+        context["users_change_perms"] = {
+            pk: user_perms[pk][permission_name_change] for pk in user_perms
+        }
+        context["groups_view_perms"] = {
+            pk: group_perms[pk][permission_name_view] for pk in group_perms
+        }
+        context["groups_change_perms"] = {
+            pk: group_perms[pk][permission_name_change] for pk in group_perms
+        }
+
+        return context
+
+
+class PermissionsAwareDocumentCountMixin(BulkPermissionMixin, PassUserMixin):
     """
     Mixin to add document count to queryset, permissions-aware if needed
     """
@@ -368,6 +473,14 @@ class DocumentTypeViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
     ordering_fields = ("name", "matching_algorithm", "match", "document_count")
 
 
+@extend_schema_serializer(
+    component_name="EmailDocumentRequest",
+    exclude_fields=("documents",),
+)
+class EmailDocumentDetailSchema(EmailSerializer):
+    pass
+
+
 @extend_schema_view(
     retrieve=extend_schema(
         description="Retrieve a single document",
@@ -535,20 +648,28 @@ class DocumentTypeViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
             404: None,
         },
     ),
-    email=extend_schema(
+    email_document=extend_schema(
         description="Email the document to one or more recipients as an attachment.",
-        request=inline_serializer(
-            name="EmailRequest",
-            fields={
-                "addresses": serializers.CharField(),
-                "subject": serializers.CharField(),
-                "message": serializers.CharField(),
-                "use_archive_version": serializers.BooleanField(default=True),
-            },
-        ),
+        request=EmailDocumentDetailSchema,
         responses={
             200: inline_serializer(
-                name="EmailResponse",
+                name="EmailDocumentResponse",
+                fields={"message": serializers.CharField()},
+            ),
+            400: None,
+            403: None,
+            404: None,
+            500: None,
+        },
+        deprecated=True,
+    ),
+    email_documents=extend_schema(
+        operation_id="email_documents",
+        description="Email one or more documents as attachments to one or more recipients.",
+        request=EmailSerializer,
+        responses={
+            200: inline_serializer(
+                name="EmailDocumentsResponse",
                 fields={"message": serializers.CharField()},
             ),
             400: None,
@@ -1052,55 +1173,65 @@ class DocumentViewSet(
 
         return Response(sorted(entries, key=lambda x: x["timestamp"], reverse=True))
 
-    @action(methods=["post"], detail=True)
-    def email(self, request, pk=None):
-        try:
-            doc = Document.objects.select_related("owner").get(pk=pk)
+    @action(methods=["post"], detail=True, url_path="email")
+    # TODO: deprecated as of 2.19, remove in future release
+    def email_document(self, request, pk=None):
+        request_data = request.data.copy()
+        request_data.setlist("documents", [pk])
+        return self.email_documents(request, data=request_data)
+
+    @action(
+        methods=["post"],
+        detail=False,
+        url_path="email",
+        serializer_class=EmailSerializer,
+    )
+    def email_documents(self, request, data=None):
+        serializer = EmailSerializer(data=data or request.data)
+        serializer.is_valid(raise_exception=True)
+
+        validated_data = serializer.validated_data
+        document_ids = validated_data.get("documents")
+        addresses = validated_data.get("addresses").split(",")
+        addresses = [addr.strip() for addr in addresses]
+        subject = validated_data.get("subject")
+        message = validated_data.get("message")
+        use_archive_version = validated_data.get("use_archive_version", True)
+
+        documents = Document.objects.select_related("owner").filter(pk__in=document_ids)
+        for document in documents:
             if request.user is not None and not has_perms_owner_aware(
                 request.user,
                 "view_document",
-                doc,
+                document,
             ):
                 return HttpResponseForbidden("Insufficient permissions")
-        except Document.DoesNotExist:
-            raise Http404
+
+        attachments = []
+        for doc in documents:
+            attachment_path = (
+                doc.archive_path
+                if use_archive_version and doc.has_archive_version
+                else doc.source_path
+            )
+            attachments.append((attachment_path, doc.mime_type))
 
         try:
-            if (
-                "addresses" not in request.data
-                or "subject" not in request.data
-                or "message" not in request.data
-            ):
-                return HttpResponseBadRequest("Missing required fields")
-
-            use_archive_version = request.data.get("use_archive_version", True)
-
-            addresses = request.data.get("addresses").split(",")
-            if not all(
-                re.match(r"[^@]+@[^@]+\.[^@]+", address.strip())
-                for address in addresses
-            ):
-                return HttpResponseBadRequest("Invalid email address found")
-
             send_email(
-                subject=request.data.get("subject"),
-                body=request.data.get("message"),
+                subject=subject,
+                body=message,
                 to=addresses,
-                attachment=(
-                    doc.archive_path
-                    if use_archive_version and doc.has_archive_version
-                    else doc.source_path
-                ),
-                attachment_mime_type=doc.mime_type,
+                attachments=attachments,
             )
+
             logger.debug(
-                f"Sent document {doc.id} via email to {addresses}",
+                f"Sent documents {[doc.id for doc in documents]} via email to {addresses}",
             )
             return Response({"message": "Email sent"})
         except Exception as e:
-            logger.warning(f"An error occurred emailing document: {e!s}")
+            logger.warning(f"An error occurred emailing documents: {e!s}")
             return HttpResponseServerError(
-                "Error emailing document, check logs for more detail.",
+                "Error emailing documents, check logs for more detail.",
             )
 
 
@@ -2385,7 +2516,11 @@ class TasksViewSet(ReadOnlyModelViewSet):
             queryset = PaperlessTask.objects.filter(task_id=task_id)
         return queryset
 
-    @action(methods=["post"], detail=False)
+    @action(
+        methods=["post"],
+        detail=False,
+        permission_classes=[IsAuthenticated, AcknowledgeTasksPermissions],
+    )
     def acknowledge(self, request):
         serializer = AcknowledgeTasksViewSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)

src/locale/en_US/LC_MESSAGES/django.po

@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: paperless-ngx\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-09-22 18:20+0000\n"
+"POT-Creation-Date: 2025-09-30 16:50+0000\n"
 "PO-Revision-Date: 2022-02-17 04:17\n"
 "Last-Translator: \n"
 "Language-Team: English\n"
@@ -1191,44 +1191,44 @@ msgstr ""
 msgid "workflow runs"
 msgstr ""
 
-#: documents/serialisers.py:140
+#: documents/serialisers.py:141
 #, python-format
 msgid "Invalid regular expression: %(error)s"
 msgstr ""
 
-#: documents/serialisers.py:594
+#: documents/serialisers.py:607
 msgid "Invalid color."
 msgstr ""
 
-#: documents/serialisers.py:623
+#: documents/serialisers.py:636
 msgid "Invalid parent tag."
 msgstr ""
 
-#: documents/serialisers.py:1780
+#: documents/serialisers.py:1793
 #, python-format
 msgid "File type %(type)s not supported"
 msgstr ""
 
-#: documents/serialisers.py:1824
+#: documents/serialisers.py:1837
 #, python-format
 msgid "Custom field id must be an integer: %(id)s"
 msgstr ""
 
-#: documents/serialisers.py:1831
+#: documents/serialisers.py:1844
 #, python-format
 msgid "Custom field with id %(id)s does not exist"
 msgstr ""
 
-#: documents/serialisers.py:1848 documents/serialisers.py:1858
+#: documents/serialisers.py:1861 documents/serialisers.py:1871
 msgid ""
 "Custom fields must be a list of integers or an object mapping ids to values."
 msgstr ""
 
-#: documents/serialisers.py:1853
+#: documents/serialisers.py:1866
 msgid "Some custom fields don't exist or were specified twice."
 msgstr ""
 
-#: documents/serialisers.py:1923
+#: documents/serialisers.py:1936
 msgid "Invalid variable detected."
 msgstr ""
 

src/paperless/settings.py

@@ -1003,6 +1003,18 @@ THREADS_PER_WORKER = os.getenv(
 # Paperless Specific Settings                                                 #
 ###############################################################################
 
+IGNORABLE_FILES: Final[list[str]] = [
+    ".DS_Store",
+    ".DS_STORE",
+    "._*",
+    ".stfolder/*",
+    ".stversions/*",
+    ".localized/*",
+    "desktop.ini",
+    "@eaDir/*",
+    "Thumbs.db",
+]
+
 CONSUMER_POLLING = int(os.getenv("PAPERLESS_CONSUMER_POLLING", 0))
 
 CONSUMER_POLLING_DELAY = int(os.getenv("PAPERLESS_CONSUMER_POLLING_DELAY", 5))
@@ -1025,7 +1037,7 @@ CONSUMER_IGNORE_PATTERNS = list(
     json.loads(
         os.getenv(
             "PAPERLESS_CONSUMER_IGNORE_PATTERNS",
-            '[".DS_Store", ".DS_STORE", "._*", ".stfolder/*", ".stversions/*", ".localized/*", "desktop.ini", "@eaDir/*", "Thumbs.db"]',
+            json.dumps(IGNORABLE_FILES),
         ),
     ),
 )