openapi

bulk dedupe server endpoints
fix: supporter badge (#18357 )
2025-12-06 21:01:24 -08:00 · 2025-05-19 15:20:18 -04:00 · 2025-05-19 15:19:55 -04:00 · 2025-05-18 18:26:24 +00:00 · 2025-05-18 13:51:33 +00:00 · 2025-05-18 13:05:16 +02:00
1297 changed files with 79476 additions and 65803 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASEIMAGE=mcr.microsoft.com/devcontainers/typescript-node:22@sha256:2ef23730ec68d8511ec8e6e0b82550ca728b256805d81f60ed890f3bfb21cfb9
+ARG BASEIMAGE=mcr.microsoft.com/devcontainers/typescript-node:22@sha256:a20b8a3538313487ac9266875bbf733e544c1aa2091df2bb99ab592a6d4f7399
 FROM ${BASEIMAGE}

 # Flutter SDK
--- a/.github/.nvmrc
+++ b/.github/.nvmrc
@@ -1 +1 @@
-22.14.0
+22.15.0
--- a/.github/actions/image-build/action.yml
+++ b/.github/actions/image-build/action.yml
@@ -0,0 +1,118 @@
+name: 'Single arch image build'
+description: 'Build single-arch image on platform appropriate runner'
+inputs:
+  image:
+    description: 'Name of the image to build'
+    required: true
+  ghcr-token:
+    description: 'GitHub Container Registry token'
+    required: true
+  platform:
+    description: 'Platform to build for'
+    required: true
+  artifact-key-base:
+    description: 'Base key for artifact name'
+    required: true
+  context:
+    description: 'Path to build context'
+    required: true
+  dockerfile:
+    description: 'Path to Dockerfile'
+    required: true
+  build-args:
+    description: 'Docker build arguments'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    - name: Prepare
+      id: prepare
+      shell: bash
+      env:
+        PLATFORM: ${{ inputs.platform }}
+      run: |
+        echo "platform-pair=${PLATFORM//\//-}" >> $GITHUB_OUTPUT
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+      if: ${{ !github.event.pull_request.head.repo.fork }}
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ inputs.ghcr-token }}
+
+    - name: Generate cache key suffix
+      id: cache-key-suffix
+      shell: bash
+      env:
+        REF: ${{ github.ref_name }}
+      run: |
+        if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+          echo "cache-key-suffix=pr-${{ github.event.number }}" >> $GITHUB_OUTPUT
+        else
+          SUFFIX=$(echo "${REF}" | sed 's/[^a-zA-Z0-9]/-/g')
+          echo "suffix=${SUFFIX}" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Generate cache target
+      id: cache-target
+      shell: bash
+      env:
+        BUILD_ARGS: ${{ inputs.build-args }}
+        IMAGE: ${{ inputs.image }}
+        SUFFIX: ${{ steps.cache-key-suffix.outputs.suffix }}
+        PLATFORM_PAIR: ${{ steps.prepare.outputs.platform-pair }}
+      run: |
+        HASH=$(sha256sum <<< "${BUILD_ARGS}" | cut -d' ' -f1)
+        CACHE_KEY="${PLATFORM_PAIR}-${HASH}"
+        echo "cache-key-base=${CACHE_KEY}" >> $GITHUB_OUTPUT
+        if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+          # Essentially just ignore the cache output (forks can't write to registry cache)
+          echo "cache-to=type=local,dest=/tmp/discard,ignore-error=true" >> $GITHUB_OUTPUT
+        else
+          echo "cache-to=type=registry,ref=${IMAGE}-build-cache:${CACHE_KEY}-${SUFFIX},mode=max,compression=zstd" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Generate docker image tags
+      id: meta
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+      env:
+        DOCKER_METADATA_PR_HEAD_SHA: 'true'
+
+    - name: Build and push image
+      id: build
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      with:
+        context: ${{ inputs.context }}
+        file: ${{ inputs.dockerfile }}
+        platforms: ${{ inputs.platform }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-to: ${{ steps.cache-target.outputs.cache-to }}
+        cache-from: |
+          type=registry,ref=${{ inputs.image }}-build-cache:${{ steps.cache-target.outputs.cache-key-base }}-${{ steps.cache-key-suffix.outputs.suffix }}
+          type=registry,ref=${{ inputs.image }}-build-cache:${{ steps.cache-target.outputs.cache-key-base }}-main
+        outputs: type=image,"name=${{ inputs.image }}",push-by-digest=true,name-canonical=true,push=${{ !github.event.pull_request.head.repo.fork }}
+        build-args: |
+          BUILD_ID=${{ github.run_id }}
+          BUILD_IMAGE=${{ github.event_name == 'release' && github.ref_name || steps.meta.outputs.tags }}
+          BUILD_SOURCE_REF=${{ github.ref_name }}
+          BUILD_SOURCE_COMMIT=${{ github.sha }}
+          ${{ inputs.build-args }}
+
+    - name: Export digest
+      shell: bash
+      run: | # zizmor: ignore[template-injection]
+        mkdir -p ${{ runner.temp }}/digests
+        digest="${{ steps.build.outputs.digest }}"
+        touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+    - name: Upload digest
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      with:
+        name: ${{ inputs.artifact-key-base }}-${{ steps.cache-target.outputs.cache-key-base }}
+        path: ${{ runner.temp }}/digests/*
+        if-no-files-found: error
+        retention-days: 1
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -7,6 +7,15 @@ on:
      ref:
        required: false
        type: string
+    secrets:
+      KEY_JKS:
+        required: true
+      ALIAS:
+        required: true
+      ANDROID_KEY_PASSWORD:
+        required: true
+      ANDROID_STORE_PASSWORD:
+        required: true
  pull_request:
  push:
    branches: [main]
@@ -15,16 +24,23 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  pre-job:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.mobile == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            mobile:
@@ -38,31 +54,26 @@ jobs:
  build-sign-android:
    name: Build and sign Android
    needs: pre-job
+    permissions:
+      contents: read
    # Skip when PR from a fork
    if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.pre-job.outputs.should_run == 'true' }}
    runs-on: macos-14

    steps:
-      - name: Determine ref
-        id: get-ref
-        run: |
-          input_ref="${{ inputs.ref }}"
-          github_ref="${{ github.sha }}"
-          ref="${input_ref:-$github_ref}"
-          echo "ref=$ref" >> $GITHUB_OUTPUT
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ steps.get-ref.outputs.ref }}
+          ref: ${{ inputs.ref || github.sha }}
+          persist-credentials: false

-      - uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4
+      - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
        with:
          distribution: 'zulu'
          java-version: '17'
          cache: 'gradle'

      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2
+        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2.19.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -78,6 +89,10 @@ jobs:
        working-directory: ./mobile
        run: flutter pub get

+      - name: Generate translation file
+        run: make translation
+        working-directory: ./mobile
+
      - name: Build Android App Bundle
        working-directory: ./mobile
        env:
@@ -89,7 +104,7 @@ jobs:
          flutter build apk --release --split-per-abi --target-platform android-arm,android-arm64,android-x64

      - name: Publish Android Artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -8,31 +8,38 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  cleanup:
    name: Cleanup
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Cleanup
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REF: ${{ github.ref }}
        run: |
          gh extension install actions/gh-actions-cache

          REPO=${{ github.repository }}
-          BRANCH=${{ github.ref }}

          echo "Fetching list of cache keys"
-          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
+          cacheKeysForPR=$(gh actions-cache list -R $REPO -B ${REF} -L 100 | cut -f 1 )

          ## Setting this to not fail the workflow while deleting cache keys.
          set +e
          echo "Deleting caches..."
          for cacheKey in $cacheKeysForPR
          do
-              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+              gh actions-cache delete $cacheKey -R "$REPO" -B "${REF}" --confirm
          done
          echo "Done"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -16,21 +16,25 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  packages: write
+permissions: {}

 jobs:
  publish:
    name: CLI Publish
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./cli

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './cli/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
@@ -48,11 +52,16 @@ jobs:
  docker:
    name: Docker
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
    needs: publish

    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
@@ -61,7 +70,7 @@ jobs:
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          registry: ghcr.io
@@ -76,7 +85,7 @@ jobs:

      - name: Generate docker image tags
        id: metadata
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          flavor: |
            latest=false
@@ -87,7 +96,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      - name: Build and push image
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
        with:
          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,6 +24,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  analyze:
    name: Analyze
@@ -42,11 +44,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
+        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -59,7 +63,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
+        uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -72,6 +76,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
+        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
        with:
          category: '/language:${{matrix.language}}'
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,20 +12,23 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  packages: write
+permissions: {}

 jobs:
  pre-job:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      should_run_server: ${{ steps.found_paths.outputs.server == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_ml: ${{ steps.found_paths.outputs.machine-learning == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            server:
@@ -37,6 +40,8 @@ jobs:
              - 'machine-learning/**'
            workflow:
              - '.github/workflows/docker.yml'
+              - '.github/workflows/multi-runner-build.yml'
+              - '.github/actions/image-build'

      - name: Check if we should force jobs to run
        id: should_force
@@ -45,6 +50,9 @@ jobs:
  retag_ml:
    name: Re-Tag ML
    needs: pre-job
+    permissions:
+      contents: read
+      packages: write
    if: ${{ needs.pre-job.outputs.should_run_ml == 'false' && !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    strategy:
@@ -52,24 +60,28 @@ jobs:
        suffix: ['', '-cuda', '-rocm', '-openvino', '-armnn', '-rknn']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Re-tag image
+        env:
+          REGISTRY_NAME: 'ghcr.io'
+          REPOSITORY: ${{ github.repository_owner }}/immich-machine-learning
+          TAG_OLD: main${{ matrix.suffix }}
+          TAG_PR: ${{ github.event.number == 0 && github.ref_name || format('pr-{0}', github.event.number) }}${{ matrix.suffix }}
+          TAG_COMMIT: commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
        run: |
-          REGISTRY_NAME="ghcr.io"
-          REPOSITORY=${{ github.repository_owner }}/immich-machine-learning
-          TAG_OLD=main${{ matrix.suffix }}
-          TAG_PR=${{ github.event.number == 0 && github.ref_name ||  format('pr-{0}', github.event.number)  }}${{ matrix.suffix }}
-          TAG_COMMIT=commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
-          docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_PR $REGISTRY_NAME/$REPOSITORY:$TAG_OLD
-          docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_COMMIT $REGISTRY_NAME/$REPOSITORY:$TAG_OLD
+          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_PR}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"
+          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_COMMIT}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"

  retag_server:
    name: Re-Tag Server
    needs: pre-job
+    permissions:
+      contents: read
+      packages: write
    if: ${{ needs.pre-job.outputs.should_run_server == 'false' && !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    strategy:
@@ -77,376 +89,91 @@ jobs:
        suffix: ['']
    steps:
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Re-tag image
+        env:
+          REGISTRY_NAME: 'ghcr.io'
+          REPOSITORY: ${{ github.repository_owner }}/immich-server
+          TAG_OLD: main${{ matrix.suffix }}
+          TAG_PR: ${{ github.event.number == 0 && github.ref_name || format('pr-{0}', github.event.number) }}${{ matrix.suffix }}
+          TAG_COMMIT: commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
        run: |
-          REGISTRY_NAME="ghcr.io"
-          REPOSITORY=${{ github.repository_owner }}/immich-server
-          TAG_OLD=main${{ matrix.suffix }}
-          TAG_PR=${{ github.event.number == 0 && github.ref_name ||  format('pr-{0}', github.event.number)  }}${{ matrix.suffix }}
-          TAG_COMMIT=commit-${{ github.event_name != 'pull_request' && github.sha || github.event.pull_request.head.sha }}${{ matrix.suffix }}
-          docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_PR $REGISTRY_NAME/$REPOSITORY:$TAG_OLD
-          docker buildx imagetools create -t $REGISTRY_NAME/$REPOSITORY:$TAG_COMMIT $REGISTRY_NAME/$REPOSITORY:$TAG_OLD
+          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_PR}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"
+          docker buildx imagetools create -t "${REGISTRY_NAME}/${REPOSITORY}:${TAG_COMMIT}" "${REGISTRY_NAME}/${REPOSITORY}:${TAG_OLD}"

-  build_and_push_ml:
+  machine-learning:
    name: Build and Push ML
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_ml == 'true' }}
-    runs-on: ${{ matrix.runner }}
-    env:
-      image: immich-machine-learning
-      context: machine-learning
-      file: machine-learning/Dockerfile
-      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-machine-learning
    strategy:
-      # Prevent a failure in one image from stopping the other builds
      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            device: cpu
-
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            device: cpu
-
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            device: cuda
-            suffix: -cuda
-
-          - platform: linux/amd64
-            runner: mich
-            device: rocm
-            suffix: -rocm
-
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            device: openvino
-            suffix: -openvino
-
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            device: armnn
-            suffix: -armnn
-
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            device: rknn
-            suffix: -rknn
-
-    steps:
-      - name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        if: ${{ !github.event.pull_request.head.repo.fork }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Generate cache key suffix
-        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "CACHE_KEY_SUFFIX=pr-${{ github.event.number }}" >> $GITHUB_ENV
-          else
-            echo "CACHE_KEY_SUFFIX=$(echo ${{ github.ref_name }} | sed 's/[^a-zA-Z0-9]/-/g')" >> $GITHUB_ENV
-          fi
-
-      - name: Generate cache target
-        id: cache-target
-        run: |
-          if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
-            # Essentially just ignore the cache output (forks can't write to registry cache)
-            echo "cache-to=type=local,dest=/tmp/discard,ignore-error=true" >> $GITHUB_OUTPUT
-          else
-            echo "cache-to=type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-${{ env.CACHE_KEY_SUFFIX }},mode=max,compression=zstd" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build and push image
-        id: build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-        with:
-          context: ${{ env.context }}
-          file: ${{ env.file }}
-          platforms: ${{ matrix.platforms }}
-          labels: ${{ steps.metadata.outputs.labels }}
-          cache-to: ${{ steps.cache-target.outputs.cache-to }}
-          cache-from: |
-            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-${{ env.CACHE_KEY_SUFFIX }}
-            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-main
-          outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=${{ !github.event.pull_request.head.repo.fork }}
-          build-args: |
-            DEVICE=${{ matrix.device }}
-            BUILD_ID=${{ github.run_id }}
-            BUILD_IMAGE=${{ github.event_name == 'release' && github.ref_name || steps.metadata.outputs.tags }}
-            BUILD_SOURCE_REF=${{ github.ref_name }}
-            BUILD_SOURCE_COMMIT=${{ github.sha }}
-
-      - name: Export digest
-        run: |
-          mkdir -p ${{ runner.temp }}/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-        with:
-          name: ml-digests-${{ matrix.device }}-${{ env.PLATFORM_PAIR }}
-          path: ${{ runner.temp }}/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  merge_ml:
-    name: Merge & Push ML
-    runs-on: ubuntu-latest
-    if: ${{ needs.pre-job.outputs.should_run_ml == 'true' && !github.event.pull_request.head.repo.fork }}
-    env:
-      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-machine-learning
-      DOCKER_REPO: altran1502/immich-machine-learning
-    strategy:
      matrix:
        include:
          - device: cpu
+            tag-suffix: ''
          - device: cuda
-            suffix: -cuda
-          - device: rocm
-            suffix: -rocm
+            tag-suffix: '-cuda'
+            platforms: linux/amd64
          - device: openvino
-            suffix: -openvino
+            tag-suffix: '-openvino'
+            platforms: linux/amd64
          - device: armnn
-            suffix: -armnn
+            tag-suffix: '-armnn'
+            platforms: linux/arm64
          - device: rknn
-            suffix: -rknn
-    needs:
-      - build_and_push_ml
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
-        with:
-          path: ${{ runner.temp }}/digests
-          pattern: ml-digests-${{ matrix.device }}-*
-          merge-multiple: true
+            tag-suffix: '-rknn'
+            platforms: linux/arm64
+          - device: rocm
+            tag-suffix: '-rocm'
+            platforms: linux/amd64
+            runner-mapping: '{"linux/amd64": "mich"}'
+    uses: ./.github/workflows/multi-runner-build.yml
+    permissions:
+      contents: read
+      actions: read
+      packages: write
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+    with:
+      image: immich-machine-learning
+      context: machine-learning
+      dockerfile: machine-learning/Dockerfile
+      platforms: ${{ matrix.platforms }}
+      runner-mapping: ${{ matrix.runner-mapping }}
+      tag-suffix: ${{ matrix.tag-suffix }}
+      dockerhub-push: ${{ github.event_name == 'release' }}
+      build-args: |
+        DEVICE=${{ matrix.device }}

-      - name: Login to Docker Hub
-        if: ${{ github.event_name == 'release' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GHCR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
-
-      - name: Generate docker image tags
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
-        env:
-          DOCKER_METADATA_PR_HEAD_SHA: 'true'
-        with:
-          flavor: |
-            # Disable latest tag
-            latest=false
-            suffix=${{ matrix.suffix }}
-          images: |
-            name=${{ env.GHCR_REPO }}
-            name=${{ env.DOCKER_REPO }},enable=${{ github.event_name == 'release' }}
-          tags: |
-            # Tag with branch name
-            type=ref,event=branch
-            # Tag with pr-number
-            type=ref,event=pr
-            # Tag with long commit sha hash
-            type=sha,format=long,prefix=commit-
-            # Tag with git tag on release
-            type=ref,event=tag
-            type=raw,value=release,enable=${{ github.event_name == 'release' }}
-
-      - name: Create manifest list and push
-        working-directory: ${{ runner.temp }}/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
-
-  build_and_push_server:
+  server:
    name: Build and Push Server
-    runs-on: ${{ matrix.runner }}
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_server == 'true' }}
-    env:
+    uses: ./.github/workflows/multi-runner-build.yml
+    permissions:
+      contents: read
+      actions: read
+      packages: write
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+    with:
      image: immich-server
      context: .
-      file: server/Dockerfile
-      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-server
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-    steps:
-      - name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        if: ${{ !github.event.pull_request.head.repo.fork }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Generate cache key suffix
-        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "CACHE_KEY_SUFFIX=pr-${{ github.event.number }}" >> $GITHUB_ENV
-          else
-            echo "CACHE_KEY_SUFFIX=$(echo ${{ github.ref_name }} | sed 's/[^a-zA-Z0-9]/-/g')" >> $GITHUB_ENV
-          fi
-
-      - name: Generate cache target
-        id: cache-target
-        run: |
-          if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
-            # Essentially just ignore the cache output (forks can't write to registry cache)
-            echo "cache-to=type=local,dest=/tmp/discard,ignore-error=true" >> $GITHUB_OUTPUT
-          else
-            echo "cache-to=type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ matrix.device }}-${{ env.CACHE_KEY_SUFFIX }},mode=max,compression=zstd" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build and push image
-        id: build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-        with:
-          context: ${{ env.context }}
-          file: ${{ env.file }}
-          platforms: ${{ matrix.platform }}
-          labels: ${{ steps.metadata.outputs.labels }}
-          cache-to: ${{ steps.cache-target.outputs.cache-to }}
-          cache-from: |
-            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-${{ env.CACHE_KEY_SUFFIX }}
-            type=registry,ref=${{ env.GHCR_REPO }}-build-cache:${{ env.PLATFORM_PAIR }}-main
-          outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=${{ !github.event.pull_request.head.repo.fork }}
-          build-args: |
-            DEVICE=cpu
-            BUILD_ID=${{ github.run_id }}
-            BUILD_IMAGE=${{ github.event_name == 'release' && github.ref_name || steps.metadata.outputs.tags }}
-            BUILD_SOURCE_REF=${{ github.ref_name }}
-            BUILD_SOURCE_COMMIT=${{ github.sha }}
-
-      - name: Export digest
-        run: |
-          mkdir -p ${{ runner.temp }}/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-        with:
-          name: server-digests-${{ env.PLATFORM_PAIR }}
-          path: ${{ runner.temp }}/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  merge_server:
-    name: Merge & Push Server
-    runs-on: ubuntu-latest
-    if: ${{ needs.pre-job.outputs.should_run_server == 'true' && !github.event.pull_request.head.repo.fork }}
-    env:
-      GHCR_REPO: ghcr.io/${{ github.repository_owner }}/immich-server
-      DOCKER_REPO: altran1502/immich-server
-    needs:
-      - build_and_push_server
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
-        with:
-          path: ${{ runner.temp }}/digests
-          pattern: server-digests-*
-          merge-multiple: true
-
-      - name: Login to Docker Hub
-        if: ${{ github.event_name == 'release' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GHCR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
-
-      - name: Generate docker image tags
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
-        env:
-          DOCKER_METADATA_PR_HEAD_SHA: 'true'
-        with:
-          flavor: |
-            # Disable latest tag
-            latest=false
-            suffix=${{ matrix.suffix }}
-          images: |
-            name=${{ env.GHCR_REPO }}
-            name=${{ env.DOCKER_REPO }},enable=${{ github.event_name == 'release' }}
-          tags: |
-            # Tag with branch name
-            type=ref,event=branch
-            # Tag with pr-number
-            type=ref,event=pr
-            # Tag with long commit sha hash
-            type=sha,format=long,prefix=commit-
-            # Tag with git tag on release
-            type=ref,event=tag
-            type=raw,value=release,enable=${{ github.event_name == 'release' }}
-
-      - name: Create manifest list and push
-        working-directory: ${{ runner.temp }}/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
+      dockerfile: server/Dockerfile
+      dockerhub-push: ${{ github.event_name == 'release' }}
+      build-args: |
+        DEVICE=cpu

  success-check-server:
    name: Docker Build & Push Server Success
-    needs: [merge_server, retag_server]
+    needs: [server, retag_server]
+    permissions: {}
    runs-on: ubuntu-latest
    if: always()
    steps:
@@ -455,11 +182,13 @@ jobs:
        run: exit 1
      - name: All jobs passed or skipped
        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        # zizmor: ignore[template-injection]
        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"

  success-check-ml:
    name: Docker Build & Push ML Success
-    needs: [merge_ml, retag_ml]
+    needs: [machine-learning, retag_ml]
+    permissions: {}
    runs-on: ubuntu-latest
    if: always()
    steps:
@@ -468,4 +197,5 @@ jobs:
        run: exit 1
      - name: All jobs passed or skipped
        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        # zizmor: ignore[template-injection]
        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
--- a/.github/workflows/docs-build.yml
+++ b/.github/workflows/docs-build.yml
@@ -10,16 +10,22 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  pre-job:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.docs == 'true' ||  steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            docs:
@@ -33,6 +39,8 @@ jobs:
  build:
    name: Docs Build
    needs: pre-job
+    permissions:
+      contents: read
    if: ${{ needs.pre-job.outputs.should_run == 'true' }}
    runs-on: ubuntu-latest
    defaults:
@@ -41,10 +49,12 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './docs/.nvmrc'

@@ -58,8 +68,9 @@ jobs:
        run: npm run build

      - name: Upload build output
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: docs-build-output
          path: docs/build/
+          include-hidden-files: true
          retention-days: 1
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -1,6 +1,6 @@
 name: Docs deploy
 on:
-  workflow_run:
+  workflow_run: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
    workflows: ['Docs build']
    types:
      - completed
@@ -9,6 +9,9 @@ jobs:
  checks:
    name: Docs Deploy Checks
    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      pull-requests: read
    outputs:
      parameters: ${{ steps.parameters.outputs.result }}
      artifact: ${{ steps.get-artifact.outputs.result }}
@@ -17,7 +20,7 @@ jobs:
        run: echo 'The triggering workflow did not succeed' && exit 1
      - name: Get artifact
        id: get-artifact
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -35,7 +38,9 @@ jobs:
            return { found: true, id: matchArtifact.id };
      - name: Determine deploy parameters
        id: parameters
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        with:
          script: |
            const eventType = context.payload.workflow_run.event;
@@ -57,7 +62,8 @@ jobs:
            } else if (eventType == "pull_request") {
              let pull_number = context.payload.workflow_run.pull_requests[0]?.number;
              if(!pull_number) {
-                const response = await github.rest.search.issuesAndPullRequests({q: 'repo:${{ github.repository }} is:pr sha:${{ github.event.workflow_run.head_sha }}',per_page: 1,})
+                const {HEAD_SHA} = process.env;
+                const response = await github.rest.search.issuesAndPullRequests({q: `repo:${{ github.repository }} is:pr sha:${HEAD_SHA}`,per_page: 1,})
                const items = response.data.items
                if (items.length < 1) {
                  throw new Error("No pull request found for the commit")
@@ -95,30 +101,36 @@ jobs:
    name: Docs Deploy
    runs-on: ubuntu-latest
    needs: checks
+    permissions:
+      contents: read
+      actions: read
+      pull-requests: write
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Load parameters
        id: parameters
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          PARAM_JSON: ${{ needs.checks.outputs.parameters }}
        with:
          script: |
-            const json = `${{ needs.checks.outputs.parameters }}`;
-            const parameters = JSON.parse(json);
+            const parameters = JSON.parse(process.env.PARAM_JSON);
            core.setOutput("event", parameters.event);
            core.setOutput("name", parameters.name);
            core.setOutput("shouldDeploy", parameters.shouldDeploy);

-      - run: |
-          echo "Starting docs deployment for ${{ steps.parameters.outputs.event }} ${{ steps.parameters.outputs.name }}"
-
      - name: Download artifact
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
        with:
          script: |
-            let artifact = ${{ needs.checks.outputs.artifact }};
+            let artifact = JSON.parse(process.env.ARTIFACT_JSON);
            let download = await github.rest.actions.downloadArtifact({
               owner: context.repo.owner,
               repo: context.repo.repo,
@@ -138,7 +150,7 @@ jobs:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2.1.5
        with:
          tg_version: '0.58.12'
          tofu_version: '1.7.1'
@@ -153,7 +165,7 @@ jobs:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2.1.5
        with:
          tg_version: '0.58.12'
          tofu_version: '1.7.1'
@@ -162,12 +174,15 @@ jobs:

      - name: Output Cleaning
        id: clean
+        env:
+          TG_OUTPUT: ${{ steps.docs-output.outputs.tg_action_output }}
        run: |
-          TG_OUT=$(echo '${{ steps.docs-output.outputs.tg_action_output }}' | sed 's|%0A|\n|g ; s|%3C|<|g' | jq -c .)
-          echo "output=$TG_OUT" >> $GITHUB_OUTPUT
+          CLEANED=$(echo "$TG_OUTPUT" | sed 's|%0A|\n|g ; s|%3C|<|g' | jq -c .)
+          echo "output=$CLEANED" >> $GITHUB_OUTPUT

      - name: Publish to Cloudflare Pages
-        uses: cloudflare/pages-action@f0a1cd58cd66095dee69bfa18fa5efd1dde93bca # v1
+        # TODO: Action is deprecated
+        uses: cloudflare/pages-action@f0a1cd58cd66095dee69bfa18fa5efd1dde93bca # v1.5.0
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
@@ -184,7 +199,7 @@ jobs:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2.1.5
        with:
          tg_version: '0.58.12'
          tofu_version: '1.7.1'
@@ -192,7 +207,7 @@ jobs:
          tg_command: 'apply'

      - name: Comment
-        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
        if: ${{ steps.parameters.outputs.event == 'pr' }}
        with:
          number: ${{ fromJson(needs.checks.outputs.parameters).pr_number }}
--- a/.github/workflows/docs-destroy.yml
+++ b/.github/workflows/docs-destroy.yml
@@ -1,15 +1,22 @@
 name: Docs destroy
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
    types: [closed]

+permissions: {}
+
 jobs:
  deploy:
    name: Docs Destroy
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Destroy Docs Subdomain
        env:
@@ -18,7 +25,7 @@ jobs:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2
+        uses: gruntwork-io/terragrunt-action@9559e51d05873b0ea467c42bbabcb5c067642ccc # v2.1.5
        with:
          tg_version: '0.58.12'
          tofu_version: '1.7.1'
@@ -26,7 +33,7 @@ jobs:
          tg_command: 'destroy -refresh=false'

      - name: Comment
-        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
        with:
          number: ${{ github.event.number }}
          delete: true
--- a/.github/workflows/fix-format.yml
+++ b/.github/workflows/fix-format.yml
@@ -4,28 +4,32 @@ on:
  pull_request:
    types: [labeled]

+permissions: {}
+
 jobs:
  fix-formatting:
    runs-on: ubuntu-latest
    if: ${{ github.event.label.name == 'fix:formatting' }}
    permissions:
+      contents: write
      pull-requests: write
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: 'Checkout'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: true

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './server/.nvmrc'

@@ -33,13 +37,13 @@ jobs:
        run: make install-all && make format-all

      - name: Commit and push
-        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: fix formatting'

      - name: Remove label
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        if: always()
        with:
          script: |
--- a/.github/workflows/multi-runner-build.yml
+++ b/.github/workflows/multi-runner-build.yml
@@ -0,0 +1,185 @@
+name: 'Multi-runner container image build'
+on:
+  workflow_call:
+    inputs:
+      image:
+        description: 'Name of the image'
+        type: string
+        required: true
+      context:
+        description: 'Path to build context'
+        type: string
+        required: true
+      dockerfile:
+        description: 'Path to Dockerfile'
+        type: string
+        required: true
+      tag-suffix:
+        description: 'Suffix to append to the image tag'
+        type: string
+        default: ''
+      dockerhub-push:
+        description: 'Push to Docker Hub'
+        type: boolean
+        default: false
+      build-args:
+        description: 'Docker build arguments'
+        type: string
+        required: false
+      platforms:
+        description: 'Platforms to build for'
+        type: string
+      runner-mapping:
+        description: 'Mapping from platforms to runners'
+        type: string
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
+
+env:
+  GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ inputs.image }}
+  DOCKERHUB_IMAGE: altran1502/${{ inputs.image }}
+
+jobs:
+  matrix:
+    name: 'Generate matrix'
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.matrix.outputs.matrix }}
+      key: ${{ steps.artifact-key.outputs.base }}
+    steps:
+      - name: Generate build matrix
+        id: matrix
+        shell: bash
+        env:
+          PLATFORMS: ${{ inputs.platforms || 'linux/amd64,linux/arm64' }}
+          RUNNER_MAPPING: ${{ inputs.runner-mapping || '{"linux/amd64":"ubuntu-latest","linux/arm64":"ubuntu-24.04-arm"}' }}
+        run: |
+          matrix=$(jq -R -c \
+            --argjson runner_mapping "${RUNNER_MAPPING}" \
+            'split(",") | map({platform: ., runner: $runner_mapping[.]})' \
+            <<< "${PLATFORMS}")
+          echo "${matrix}"
+          echo "matrix=${matrix}" >> $GITHUB_OUTPUT
+
+      - name: Determine artifact key
+        id: artifact-key
+        shell: bash
+        env:
+          IMAGE: ${{ inputs.image }}
+          SUFFIX: ${{ inputs.tag-suffix }}
+        run: |
+          if [[ -n "${SUFFIX}" ]]; then
+              base="${IMAGE}${SUFFIX}-digests"
+          else
+              base="${IMAGE}-digests"
+          fi
+          echo "${base}"
+          echo "base=${base}" >> $GITHUB_OUTPUT
+
+  build:
+    needs: matrix
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - uses: ./.github/actions/image-build
+        with:
+          context: ${{ inputs.context }}
+          dockerfile: ${{ inputs.dockerfile }}
+          image: ${{ env.GHCR_IMAGE }}
+          ghcr-token: ${{ secrets.GITHUB_TOKEN }}
+          platform: ${{ matrix.platform }}
+          artifact-key-base: ${{ needs.matrix.outputs.key }}
+          build-args: ${{ inputs.build-args }}
+
+  merge:
+    needs: [matrix, build]
+    runs-on: ubuntu-latest
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    permissions:
+      contents: read
+      actions: read
+      packages: write
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: ${{ needs.matrix.outputs.key }}-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        if: ${{ inputs.dockerhub-push }}
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
+
+      - name: Generate docker image tags
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+        env:
+          DOCKER_METADATA_PR_HEAD_SHA: 'true'
+        with:
+          flavor: |
+            # Disable latest tag
+            latest=false
+            suffix=${{ inputs.tag-suffix }}
+          images: |
+            name=${{ env.GHCR_IMAGE }}
+            name=${{ env.DOCKERHUB_IMAGE }},enable=${{ inputs.dockerhub-push }}
+          tags: |
+            # Tag with branch name
+            type=ref,event=branch
+            # Tag with pr-number
+            type=ref,event=pr
+            # Tag with long commit sha hash
+            type=sha,format=long,prefix=commit-
+            # Tag with git tag on release
+            type=ref,event=tag
+            type=raw,value=release,enable=${{ github.event_name == 'release' }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          # Process annotations
+          declare -a ANNOTATIONS=()
+          if [[ -n "$DOCKER_METADATA_OUTPUT_JSON" ]]; then
+            while IFS= read -r annotation; do
+              # Extract key and value by removing the manifest: prefix
+              if [[ "$annotation" =~ ^manifest:(.+)=(.+)$ ]]; then
+                key="${BASH_REMATCH[1]}"
+                value="${BASH_REMATCH[2]}"
+                # Use array to properly handle arguments with spaces
+                ANNOTATIONS+=(--annotation "index:$key=$value")
+              fi
+            done < <(jq -r '.annotations[]' <<< "$DOCKER_METADATA_OUTPUT_JSON")
+          fi
+
+          TAGS=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          SOURCE_ARGS=$(printf "${GHCR_IMAGE}@sha256:%s " *)
+
+          docker buildx imagetools create $TAGS "${ANNOTATIONS[@]}" $SOURCE_ARGS
--- a/.github/workflows/pr-label-validation.yml
+++ b/.github/workflows/pr-label-validation.yml
@@ -1,9 +1,11 @@
 name: PR Label Validation

 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
    types: [opened, labeled, unlabeled, synchronize]

+permissions: {}
+
 jobs:
  validate-release-label:
    runs-on: ubuntu-latest
@@ -12,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Require PR to have a changelog label
-        uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5
+        uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5.0
        with:
          mode: exactly
          count: 1
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -1,6 +1,8 @@
 name: 'Pull Request Labeler'
 on:
-  - pull_request_target
+  - pull_request_target # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
+
+permissions: {}

 jobs:
  labeler:
@@ -9,4 +11,4 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
--- a/.github/workflows/pr-require-conventional-commit.yml
+++ b/.github/workflows/pr-require-conventional-commit.yml
@@ -4,9 +4,13 @@ on:
  pull_request:
    types: [opened, synchronize, reopened, edited]

+permissions: {}
+
 jobs:
  validate-pr-title:
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
    steps:
      - name: PR Conventional Commit Validation
        uses: ytanikin/PRConventionalCommits@b628c5a234cc32513014b7bfdd1e47b532124d98 # 1.3.0
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -21,35 +21,40 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-root
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  bump_version:
    runs-on: ubuntu-latest
-
    outputs:
      ref: ${{ steps.push-tag.outputs.commit_long_sha }}
-
+    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: true

      - name: Install uv
-        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2

      - name: Bump version
-        run: misc/release/pump-version.sh -s "${{ inputs.serverBump }}" -m "${{ inputs.mobileBump }}"
+        env:
+          SERVER_BUMP: ${{ inputs.serverBump }}
+          MOBILE_BUMP: ${{ inputs.mobileBump }}
+        run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}"

      - name: Commit and tag
        id: push-tag
-        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
        with:
          default_author: github_actions
          message: 'chore: version ${{ env.IMMICH_VERSION }}'
@@ -59,37 +64,47 @@ jobs:
  build_mobile:
    uses: ./.github/workflows/build-mobile.yml
    needs: bump_version
-    secrets: inherit
+    permissions:
+      contents: read
+    secrets:
+      KEY_JKS: ${{ secrets.KEY_JKS }}
+      ALIAS: ${{ secrets.ALIAS }}
+      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
+      ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
    with:
      ref: ${{ needs.bump_version.outputs.ref }}

  prepare_release:
    runs-on: ubuntu-latest
    needs: build_mobile
-
+    permissions:
+      actions: read # To download the app artifact
+      # No content permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        with:
          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: false

      - name: Download APK
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: release-apk-signed

      - name: Create draft release
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
        with:
          draft: true
          tag_name: ${{ env.IMMICH_VERSION }}
+          token: ${{ steps.generate-token.outputs.token }}
          generate_release_notes: true
          body_path: misc/release/notes.tmpl
          files: |
--- a/.github/workflows/preview-label.yaml
+++ b/.github/workflows/preview-label.yaml
@@ -4,6 +4,8 @@ on:
  pull_request:
    types: [labeled, closed]

+permissions: {}
+
 jobs:
  comment-status:
    runs-on: ubuntu-latest
@@ -11,7 +13,7 @@ jobs:
    permissions:
      pull-requests: write
    steps:
-      - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
+      - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
        with:
          message-id: 'preview-status'
          message: 'Deploying preview environment to https://pr-${{ github.event.pull_request.number }}.preview.internal.immich.cloud/'
@@ -22,7 +24,7 @@ jobs:
    permissions:
      pull-requests: write
    steps:
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            github.rest.issues.removeLabel({
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -4,20 +4,24 @@ on:
  release:
    types: [published]

-permissions:
-  packages: write
+permissions: {}

 jobs:
  publish:
    name: Publish `@immich/sdk`
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./open-api/typescript-sdk
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './open-api/typescript-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -9,16 +9,22 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  pre-job:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.mobile == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            mobile:
@@ -33,15 +39,17 @@ jobs:
    name: Run Dart Code Analysis
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run == 'true' }}
-
    runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2
+        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2.19.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -50,12 +58,16 @@ jobs:
        run: dart pub get
        working-directory: ./mobile

+      - name: Generate translation file
+        run: make translation; dart format lib/generated/codegen_loader.g.dart
+        working-directory: ./mobile
+
      - name: Run Build Runner
        run: make build
        working-directory: ./mobile

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
@@ -65,9 +77,11 @@ jobs:

      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        env:
+          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated files not up to date! Run make_build inside the mobile directory"
-          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+          echo "Changed files: ${CHANGED_FILES}"
          exit 1

      - name: Run dart analyze
@@ -81,3 +95,30 @@ jobs:
      - name: Run dart custom_lint
        run: dart run custom_lint
        working-directory: ./mobile
+
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format=sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+        with:
+          sarif_file: results.sarif
+          category: zizmor
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,10 +9,15 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  pre-job:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
+      should_run_i18n: ${{ steps.found_paths.outputs.i18n == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_web: ${{ steps.found_paths.outputs.web == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_server: ${{ steps.found_paths.outputs.server == 'true' || steps.should_force.outputs.should_force == 'true' }}
      should_run_cli: ${{ steps.found_paths.outputs.cli == 'true' || steps.should_force.outputs.should_force == 'true' }}
@@ -24,11 +29,16 @@ jobs:
      should_run_.github: ${{ steps.found_paths.outputs['.github'] == 'true' || steps.should_force.outputs.should_force == 'true' }} # redundant to have should_force but if someone changes the trigger then this won't have to be changed
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
+            i18n:
+              - 'i18n/**'
            web:
              - 'web/**'
              - 'i18n/**'
@@ -58,16 +68,20 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_server == 'true' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./server

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './server/.nvmrc'

@@ -95,16 +109,20 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_cli == 'true' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./cli

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './cli/.nvmrc'

@@ -136,16 +154,20 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_cli == 'true' }}
    runs-on: windows-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./cli

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './cli/.nvmrc'

@@ -165,21 +187,25 @@ jobs:
        run: npm run test:cov
        if: ${{ !cancelled() }}

-  web-unit-tests:
-    name: Test & Lint Web
+  web-lint:
+    name: Lint Web
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_web == 'true' }}
-    runs-on: ubuntu-latest
+    runs-on: mich
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./web

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './web/.nvmrc'

@@ -191,7 +217,7 @@ jobs:
        run: npm ci

      - name: Run linter
-        run: npm run lint
+        run: npm run lint:p
        if: ${{ !cancelled() }}

      - name: Run formatter
@@ -202,6 +228,35 @@ jobs:
        run: npm run check:svelte
        if: ${{ !cancelled() }}

+  web-unit-tests:
+    name: Test Web
+    needs: pre-job
+    if: ${{ needs.pre-job.outputs.should_run_web == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: ./web
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: './web/.nvmrc'
+
+      - name: Run setup typescript-sdk
+        run: npm ci && npm run build
+        working-directory: ./open-api/typescript-sdk
+
+      - name: Run npm install
+        run: npm ci
+
      - name: Run tsc
        run: npm run check:typescript
        if: ${{ !cancelled() }}
@@ -210,21 +265,65 @@ jobs:
        run: npm run test:cov
        if: ${{ !cancelled() }}

+  i18n-tests:
+    name: Test i18n
+    needs: pre-job
+    if: ${{ needs.pre-job.outputs.should_run_i18n == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: './web/.nvmrc'
+
+      - name: Install dependencies
+        run: npm --prefix=web ci
+
+      - name: Format
+        run: npm --prefix=web run format:i18n
+
+      - name: Find file changes
+        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
+        id: verify-changed-files
+        with:
+          files: |
+            i18n/**
+
+      - name: Verify files have not changed
+        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        env:
+          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
+        run: |
+          echo "ERROR: i18n files not up to date!"
+          echo "Changed files: ${CHANGED_FILES}"
+          exit 1
+
  e2e-tests-lint:
    name: End-to-End Lint
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_e2e == 'true' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./e2e

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './e2e/.nvmrc'

@@ -254,16 +353,20 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_server == 'true' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./server

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './server/.nvmrc'

@@ -278,19 +381,25 @@ jobs:
    name: End-to-End Tests (Server & CLI)
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_e2e_server_cli == 'true' }}
-    runs-on: mich
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./e2e
+    strategy:
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: 'recursive'

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './e2e/.nvmrc'

@@ -320,19 +429,25 @@ jobs:
    name: End-to-End Tests (Web)
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_e2e_web == 'true' }}
-    runs-on: mich
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./e2e
+    strategy:
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: 'recursive'

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './e2e/.nvmrc'

@@ -357,15 +472,35 @@ jobs:
        run: npx playwright test
        if: ${{ !cancelled() }}

+  success-check-e2e:
+    name: End-to-End Tests Success
+    needs: [e2e-tests-server-cli, e2e-tests-web]
+    permissions: {}
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - name: Any jobs failed?
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1
+      - name: All jobs passed or skipped
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        # zizmor: ignore[template-injection]
+        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
+
  mobile-unit-tests:
    name: Unit Test Mobile
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_mobile == 'true' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
      - name: Setup Flutter SDK
-        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2
+        uses: subosito/flutter-action@e938fdf56512cc96ef2f93601a5a40bde3801046 # v2.19.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml
@@ -378,14 +513,19 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run_ml == 'true' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./machine-learning
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
      - name: Install uv
-        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5
-      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        # TODO: add caching when supported (https://github.com/actions/setup-python/pull/818)
        # with:
        #   python-version: 3.11
@@ -411,16 +551,20 @@ jobs:
    needs: pre-job
    if: ${{ needs.pre-job.outputs['should_run_.github'] == 'true' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./.github

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './.github/.nvmrc'

@@ -434,25 +578,34 @@ jobs:
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@master
        with:
          ignore_paths: >-
            **/open-api/**
-            **/openapi/**
+            **/openapi**
            **/node_modules/**

  generated-api-up-to-date:
    name: OpenAPI Clients
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './server/.nvmrc'

@@ -466,7 +619,7 @@ jobs:
        run: make open-api

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
@@ -476,14 +629,18 @@ jobs:

      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        env:
+          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated files not up to date!"
-          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+          echo "Changed files: ${CHANGED_FILES}"
          exit 1

-  generated-typeorm-migrations-up-to-date:
-    name: TypeORM Checks
+  sql-schema-up-to-date:
+    name: SQL Schema Checks
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    services:
      postgres:
        image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
@@ -504,10 +661,12 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: './server/.nvmrc'

@@ -518,26 +677,28 @@ jobs:
        run: npm run build

      - name: Run existing migrations
-        run: npm run typeorm:migrations:run
+        run: npm run migrations:run

      - name: Test npm run schema:reset command works
-        run: npm run typeorm:schema:reset
+        run: npm run schema:reset

      - name: Generate new migrations
        continue-on-error: true
-        run: npm run migrations:generate TestMigration
+        run: npm run migrations:generate src/TestMigration

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
-            server/src/migrations/
+            server/src
      - name: Verify migration files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        env:
+          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated migration files not up to date!"
-          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+          echo "Changed files: ${CHANGED_FILES}"
          cat ./src/*-TestMigration.ts
          exit 1

@@ -547,7 +708,7 @@ jobs:
          DB_URL: postgres://postgres:postgres@localhost:5432/immich

      - name: Find file changes
-        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20
+        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-sql-files
        with:
          files: |
@@ -555,9 +716,11 @@ jobs:

      - name: Verify SQL files have not changed
        if: steps.verify-changed-sql-files.outputs.files_changed == 'true'
+        env:
+          CHANGED_FILES: ${{ steps.verify-changed-sql-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated SQL files not up to date!"
-          echo "Changed files: ${{ steps.verify-changed-sql-files.outputs.changed_files }}"
+          echo "Changed files: ${CHANGED_FILES}"
          exit 1

  # mobile-integration-tests:
--- a/.github/workflows/weblate-lock.yml
+++ b/.github/workflows/weblate-lock.yml
@@ -4,30 +4,32 @@ on:
  pull_request:
    branches: [main]

+permissions: {}
+
 jobs:
  pre-job:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.i18n == 'true' && github.head_ref != 'chore/translations'}}
    steps:
      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
      - id: found_paths
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            i18n:
              - 'i18n/!(en)**\.json'
-      - name: Debug
-        run: |
-          echo "Should run: ${{ steps.found_paths.outputs.i18n == 'true' && github.head_ref != 'chore/translations'}}"
-          echo "Found i18n paths: ${{ steps.found_paths.outputs.i18n }}"
-          echo "Head ref: ${{ github.head_ref }}"

  enforce-lock:
    name: Check Weblate Lock
    needs: [pre-job]
    runs-on: ubuntu-latest
+    permissions: {}
    if: ${{ needs.pre-job.outputs.should_run == 'true' }}
    steps:
      - name: Check weblate lock
@@ -36,7 +38,7 @@ jobs:
            exit 1
          fi
      - name: Find Pull Request
-        uses: juliangruber/find-pull-request-action@48b6133aa6c826f267ebd33aa2d29470f9d9e7d0 # v1
+        uses: juliangruber/find-pull-request-action@48b6133aa6c826f267ebd33aa2d29470f9d9e7d0 # v1.9.0
        id: find-pr
        with:
          branch: chore/translations
@@ -47,6 +49,7 @@ jobs:
    name: Weblate Lock Check Success
    needs: [enforce-lock]
    runs-on: ubuntu-latest
+    permissions: {}
    if: always()
    steps:
      - name: Any jobs failed?
@@ -54,4 +57,5 @@ jobs:
        run: exit 1
      - name: All jobs passed or skipped
        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        # zizmor: ignore[template-injection]
        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,45 +1,63 @@
 {
-  "editor.formatOnSave": true,
-  "[javascript]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.tabSize": 2,
-    "editor.formatOnSave": true
-  },
-  "[typescript]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.tabSize": 2,
-    "editor.formatOnSave": true
-  },
  "[css]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode",
-    "editor.tabSize": 2,
-    "editor.formatOnSave": true
-  },
-  "[svelte]": {
-    "editor.defaultFormatter": "svelte.svelte-vscode",
+    "editor.formatOnSave": true,
    "editor.tabSize": 2
  },
-  "svelte.enable-ts-plugin": true,
-  "eslint.validate": [
-    "javascript",
-    "svelte"
-  ],
-  "typescript.preferences.importModuleSpecifier": "non-relative",
  "[dart]": {
+    "editor.defaultFormatter": "Dart-Code.dart-code",
    "editor.formatOnSave": true,
    "editor.selectionHighlight": false,
    "editor.suggest.snippetsPreventQuickSuggestions": false,
    "editor.suggestSelection": "first",
    "editor.tabCompletion": "onlySnippets",
-    "editor.wordBasedSuggestions": "off",
-    "editor.defaultFormatter": "Dart-Code.dart-code"
+    "editor.wordBasedSuggestions": "off"
  },
-  "cSpell.words": [
-    "immich"
-  ],
+  "[javascript]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.formatOnSave": true,
+    "editor.tabSize": 2
+  },
+  "[json]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.formatOnSave": true,
+    "editor.tabSize": 2
+  },
+  "[jsonc]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.formatOnSave": true,
+    "editor.tabSize": 2
+  },
+  "[svelte]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
+    "editor.defaultFormatter": "svelte.svelte-vscode",
+    "editor.formatOnSave": true,
+    "editor.tabSize": 2
+  },
+  "[typescript]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.formatOnSave": true,
+    "editor.tabSize": 2
+  },
+  "cSpell.words": ["immich"],
+  "editor.formatOnSave": true,
+  "eslint.validate": ["javascript", "svelte"],
  "explorer.fileNesting.enabled": true,
  "explorer.fileNesting.patterns": {
-    "*.ts": "${capture}.spec.ts,${capture}.mock.ts",
-    "*.dart": "${capture}.g.dart,${capture}.gr.dart,${capture}.drift.dart"
-  }
-}
+    "*.dart": "${capture}.g.dart,${capture}.gr.dart,${capture}.drift.dart",
+    "*.ts": "${capture}.spec.ts,${capture}.mock.ts"
+  },
+  "svelte.enable-ts-plugin": true,
+  "typescript.preferences.importModuleSpecifier": "non-relative"
+}
--- a/3
+++ b/3
@@ -17,6 +17,9 @@ e2e:
 prod:
 	docker compose -f ./docker/docker-compose.prod.yml up --build -V --remove-orphans

+prod-down:
+	docker compose -f ./docker/docker-compose.prod.yml down --remove-orphans
+
 prod-scale:
 	docker compose -f ./docker/docker-compose.prod.yml up --build -V --scale immich-server=3 --scale immich-microservices=3 --remove-orphans

--- a/README.md
+++ b/README.md
@@ -61,9 +61,7 @@

 ## Demo

-Access the demo [here](https://demo.immich.app). The demo is running on a Free-tier Oracle VM in Amsterdam with a 2.4Ghz quad-core ARM64 CPU and 24GB RAM.
-
-For the mobile app, you can use `https://demo.immich.app` for the `Server Endpoint URL`
+Access the demo [here](https://demo.immich.app). For the mobile app, you can use `https://demo.immich.app` for the `Server Endpoint URL`.

 ### Login credentials

--- a/cli/.nvmrc
+++ b/cli/.nvmrc
@@ -1 +1 @@
-22.14.0
+22.15.0
--- a/cli/Dockerfile
+++ b/cli/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:22.14.0-alpine3.20@sha256:40be979442621049f40b1d51a26b55e281246b5de4e5f51a18da7beb6e17e3f9 AS core
+FROM node:22.15.0-alpine3.20@sha256:686b8892b69879ef5bfd6047589666933508f9a5451c67320df3070ba0e9807b AS core

 WORKDIR /usr/src/open-api/typescript-sdk
 COPY open-api/typescript-sdk/package*.json open-api/typescript-sdk/tsconfig*.json ./
--- a/cli/package-lock.json
+++ b/cli/package-lock.json
--- a/cli/package.json
+++ b/cli/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@immich/cli",
-  "version": "2.2.61",
+  "version": "2.2.65",
  "description": "Command Line Interface (CLI) for Immich",
  "type": "module",
  "exports": "./dist/index.js",
@@ -21,7 +21,7 @@
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^22.13.14",
+    "@types/node": "^22.15.16",
    "@vitest/coverage-v8": "^3.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -69,6 +69,6 @@
    "micromatch": "^4.0.8"
  },
  "volta": {
-    "node": "22.14.0"
+    "node": "22.15.0"
  }
 }
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -116,7 +116,7 @@ services:

  redis:
    container_name: immich_redis
-    image: redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
+    image: docker.io/valkey/valkey:8-bookworm@sha256:ff21bc0f8194dc9c105b769aeabf9585fea6a8ed649c0781caeac5cb3c247884
    healthcheck:
      test: redis-cli ping || exit 1

--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -56,7 +56,7 @@ services:

  redis:
    container_name: immich_redis
-    image: redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
+    image: docker.io/valkey/valkey:8-bookworm@sha256:ff21bc0f8194dc9c105b769aeabf9585fea6a8ed649c0781caeac5cb3c247884
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -90,7 +90,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:502ad90314c7485892ce696cb14a99fceab9fc27af29f4b427f41bd39701a199
+    image: prom/prometheus@sha256:e2b8aa62b64855956e3ec1e18b4f9387fb6203174a4471936f4662f437f04405
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
@@ -102,7 +102,7 @@ services:
    command: [ './run.sh', '-disable-reporting' ]
    ports:
      - 3000:3000
-    image: grafana/grafana:11.5.2-ubuntu@sha256:8b5858c447e06fd7a89006b562ba7bba7c4d5813600c7982374c41852adefaeb
+    image: grafana/grafana:11.6.1-ubuntu@sha256:6fc273288470ef499dd3c6b36aeade093170d4f608f864c5dd3a7fabeae77b50
    volumes:
      - grafana-data:/var/lib/grafana

--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -49,7 +49,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
+    image: docker.io/valkey/valkey:8-bookworm@sha256:ff21bc0f8194dc9c105b769aeabf9585fea6a8ed649c0781caeac5cb3c247884
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
--- a/docker/example.env
+++ b/docker/example.env
@@ -2,7 +2,8 @@

 # The location where your uploaded files are stored
 UPLOAD_LOCATION=./library
-# The location where your database files are stored
+
+# The location where your database files are stored. Network shares are not supported for the database
 DB_DATA_LOCATION=./postgres

 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
--- a/docs/.nvmrc
+++ b/docs/.nvmrc
@@ -1 +1 @@
-22.14.0
+22.15.0
--- a/docs/docs/administration/backup-and-restore.md
+++ b/docs/docs/administration/backup-and-restore.md
@@ -23,23 +23,32 @@ Refer to the official [postgres documentation](https://www.postgresql.org/docs/c
 It is not recommended to directly backup the `DB_DATA_LOCATION` folder. Doing so while the database is running can lead to a corrupted backup that cannot be restored.
 :::

-### Automatic Database Backups
+### Automatic Database Dumps

-For convenience, Immich will automatically create database backups by default. The backups are stored in `UPLOAD_LOCATION/backups`.  
-As mentioned above, you should make your own backup of these together with the asset folders as noted below.  
-You can adjust the schedule and amount of kept backups in the [admin settings](http://my.immich.app/admin/system-settings?isOpen=backup).  
-By default, Immich will keep the last 14 backups and create a new backup every day at 2:00 AM.
+:::warning
+The automatic database dumps can be used to restore the database in the event of damage to the Postgres database files.
+There is no monitoring for these dumps and you will not be notified if they are unsuccessful.
+:::

-#### Trigger Backup
+:::caution
+The database dumps do **NOT** contain any pictures or videos, only metadata. They are only usable with a copy of the other files in `UPLOAD_LOCATION` as outlined below.
+:::

-You are able to trigger a backup in the [admin job status page](http://my.immich.app/admin/jobs-status).
-Visit the page, open the "Create job" modal from the top right, select "Backup Database" and click "Confirm".
-A job will run and trigger a backup, you can verify this worked correctly by checking the logs or the backup folder.
-This backup will count towards the last X backups that will be kept based on your settings.
+For disaster-recovery purposes, Immich will automatically create database dumps. The dumps are stored in `UPLOAD_LOCATION/backups`.
+Please be sure to make your own, independent backup of the database together with the asset folders as noted below.
+You can adjust the schedule and amount of kept database dumps in the [admin settings](http://my.immich.app/admin/system-settings?isOpen=backup).
+By default, Immich will keep the last 14 database dumps and create a new dump every day at 2:00 AM.
+
+#### Trigger Dump
+
+You are able to trigger a database dump in the [admin job status page](http://my.immich.app/admin/jobs-status).
+Visit the page, open the "Create job" modal from the top right, select "Create Database Dump" and click "Confirm".
+A job will run and trigger a dump, you can verify this worked correctly by checking the logs or the `backups/` folder.
+This dumps will count towards the last `X` dumps that will be kept based on your settings.

 #### Restoring

-We hope to make restoring simpler in future versions, for now you can find the backups in the `UPLOAD_LOCATION/backups` folder on your host.  
+We hope to make restoring simpler in future versions, for now you can find the database dumps in the `UPLOAD_LOCATION/backups` folder on your host.
 Then please follow the steps in the following section for restoring the database.

 ### Manual Backup and Restore
--- a/docs/docs/administration/img/user-quota-size.webp
+++ b/docs/docs/administration/img/user-quota-size.webp
--- a/docs/docs/administration/reverse-proxy.md
+++ b/docs/docs/administration/reverse-proxy.md
@@ -22,7 +22,7 @@ server {
    client_max_body_size 50000M;

    # Set headers
-    proxy_set_header Host              $http_host;
+    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
--- a/docs/docs/administration/user-management.mdx
+++ b/docs/docs/administration/user-management.mdx
@@ -31,7 +31,7 @@ Admin can send a welcome email if the Email option is set, you can learn here ho

 Admin can specify the storage quota for the user as the instance's admin; once the limit is reached, the user won't be able to upload to the instance anymore.

-In order to select a storage quota, click on the pencil icon and enter the storage quota in GiB. You can choose an unlimited quota using the value 0 (default).
+In order to select a storage quota, click on the pencil icon and enter the storage quota in GiB. You can choose an unlimited quota by leaving it empty (default).

 :::tip
 The system administrator can see the usage quota percentage of all users in Server Stats page.
--- a/docs/docs/developer/database-migrations.md
+++ b/docs/docs/developer/database-migrations.md
@@ -1,14 +1,14 @@
 # Database Migrations

-After making any changes in the `server/src/entities`, a database migration need to run in order to register the changes in the database. Follow the steps below to create a new migration.
+After making any changes in the `server/src/schema`, a database migration need to run in order to register the changes in the database. Follow the steps below to create a new migration.

 1. Run the command

 ```bash
-npm run typeorm:migrations:generate <migration-name>
+npm run migrations:generate <migration-name>
 ```

 2. Check if the migration file makes sense.
-3. Move the migration file to folder `./server/src/migrations` in your code editor.
+3. Move the migration file to folder `./server/src/schema/migrations` in your code editor.

 The server will automatically detect `*.ts` file changes and restart. Part of the server start-up process includes running any new migrations, so it will be applied immediately.
--- a/docs/docs/developer/setup.md
+++ b/docs/docs/developer/setup.md
@@ -63,6 +63,13 @@ If you only want to do web development connected to an existing, remote backend,
 IMMICH_SERVER_URL=https://demo.immich.app/ npm run dev
 ```

+If you're using PowerShell on Windows you may need to set the env var separately like so:
+
+```powershell
+$env:IMMICH_SERVER_URL = "https://demo.immich.app/"
+npm run dev
+```
+
 #### `@immich/ui`

 To see local changes to `@immich/ui` in Immich, do the following:
@@ -76,9 +83,20 @@ To see local changes to `@immich/ui` in Immich, do the following:

 ### Mobile app

-The mobile app `(/mobile)` will required Flutter toolchain 3.13.x and FVM to be installed on your system.
+#### Setup

-Please refer to the [Flutter's official documentation](https://flutter.dev/docs/get-started/install) for more information on setting up the toolchain on your machine.
+1. Setup Flutter toolchain using FVM.
+2. Run `flutter pub get` to install the dependencies.
+3. Run `make translation` to generate the translation file.
+4. Run `fvm flutter run` to start the app.
+
+#### Translation
+
+To add a new translation text, enter the key-value pair in the `i18n/en.json` in the root of the immich project. Then, from the `mobile/` directory, run
+
+```bash
+make translation
+```

 The mobile app asks you what backend to connect to. You can utilize the demo backend (https://demo.immich.app/) if you don't need to change server code or upload photos. Alternatively, you can run the server yourself per the instructions above.

--- a/docs/docs/features/command-line-interface.md
+++ b/docs/docs/features/command-line-interface.md
@@ -42,6 +42,12 @@ docker run -it -v "$(pwd)":/import:ro -e IMMICH_INSTANCE_URL=https://your-immich

 Please modify the `IMMICH_INSTANCE_URL` and `IMMICH_API_KEY` environment variables as suitable. You can also use a Docker env file to store your sensitive API key.

+This `docker run` command will directly run the command `immich` inside the container. You can directly append the desired parameters (see under "usage") to the commandline like this:
+
+```bash
+docker run -it -v "$(pwd)":/import:ro -e IMMICH_INSTANCE_URL=https://your-immich-instance/api -e IMMICH_API_KEY=your-api-key ghcr.io/immich-app/immich-cli:latest upload -a -c 5 --recursive directory/
+```
+
 ## Usage

 <details>
@@ -112,7 +118,7 @@ You begin by authenticating to your Immich server. For instance:
 immich login http://192.168.1.216:2283/api HFEJ38DNSDUEG
 ```

-This will store your credentials in a `auth.yml` file in the configuration directory which defaults to `~/.config/`. The directory can be set with the `-d` option or the environment variable `IMMICH_CONFIG_DIR`. Please keep the file secure, either by performing the logout command after you are done, or deleting it manually.
+This will store your credentials in a `auth.yml` file in the configuration directory which defaults to `~/.config/immich/`. The directory can be set with the `-d` option or the environment variable `IMMICH_CONFIG_DIR`. Please keep the file secure, either by performing the logout command after you are done, or deleting it manually.

 Once you are authenticated, you can upload assets to your Immich server.

--- a/docs/docs/features/hardware-transcoding.md
+++ b/docs/docs/features/hardware-transcoding.md
@@ -121,6 +121,6 @@ Once this is done, you can continue to step 3 of "Basic Setup".

 [hw-file]: https://github.com/immich-app/immich/releases/latest/download/hwaccel.transcoding.yml
 [nvct]: https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html
-[jellyfin-lp]: https://jellyfin.org/docs/general/administration/hardware-acceleration/intel/#configure-and-verify-lp-mode-on-linux
-[jellyfin-kernel-bug]: https://jellyfin.org/docs/general/administration/hardware-acceleration/intel/#known-issues-and-limitations
+[jellyfin-lp]: https://jellyfin.org/docs/general/post-install/transcoding/hardware-acceleration/intel#low-power-encoding
+[jellyfin-kernel-bug]: https://jellyfin.org/docs/general/post-install/transcoding/hardware-acceleration/intel#known-issues-and-limitations-on-linux
 [libmali-rockchip]: https://github.com/tsukumijima/libmali-rockchip/releases
--- a/docs/docs/features/libraries.md
+++ b/docs/docs/features/libraries.md
@@ -72,7 +72,7 @@ In rare cases, the library watcher can hang, preventing Immich from starting up.

 ### Nightly job

-There is an automatic scan job that is scheduled to run once a day. This job also cleans up any libraries stuck in deletion. It is possible to trigger the cleanup by clicking "Scan all libraries" in the library managment page.
+There is an automatic scan job that is scheduled to run once a day. This job also cleans up any libraries stuck in deletion. It is possible to trigger the cleanup by clicking "Scan all libraries" in the library management page.

 ## Usage

--- a/docs/docs/features/ml-hardware-acceleration.md
+++ b/docs/docs/features/ml-hardware-acceleration.md
@@ -42,7 +42,7 @@ You do not need to redo any machine learning jobs after enabling hardware accele

 - The GPU must have compute capability 5.2 or greater.
 - The server must have the official NVIDIA driver installed.
- The installed driver must be >= 535 (it must support CUDA 12.2).
+- The installed driver must be >= 545 (it must support CUDA 12.3).
 - On Linux (except for WSL2), you also need to have [NVIDIA Container Toolkit][nvct] installed.

 #### ROCm
--- a/docs/docs/features/searching.md
+++ b/docs/docs/features/searching.md
@@ -92,7 +92,7 @@ Memory and execution time estimates were obtained without acceleration on a 7800

 **Execution Time (ms)**: After warming up the model with one pass, the mean execution time of 100 passes with the same input.

-**Memory (MiB)**: The peak RSS usage of the process afer performing the above timing benchmark. Does not include image decoding, concurrent processing, the web server, etc., which are relatively constant factors.
+**Memory (MiB)**: The peak RSS usage of the process after performing the above timing benchmark. Does not include image decoding, concurrent processing, the web server, etc., which are relatively constant factors.

 **Recall (%)**: Evaluated on Crossmodal-3600, the average of the recall@1, recall@5 and recall@10 results for zeroshot image retrieval. Chinese (Simplified), English, French, German, Italian, Japanese, Korean, Polish, Russian, Spanish and Turkish are additionally tested on XTD-10. Chinese (Simplified) and English are additionally tested on Flickr30k. The recall metrics are the average across all tested datasets.

--- a/docs/docs/guides/custom-map-styles.md
+++ b/docs/docs/guides/custom-map-styles.md
@@ -14,14 +14,14 @@ online generators you can use.
 2. Paste the link to your JSON style in either the **Light Style** or **Dark Style**. (You can add different styles which will help make the map style more appropriate depending on whether you set **Immich** to Light or Dark mode.)
 3. Save your selections. Reload the map, and enjoy your custom map style!

-## Use Maptiler to build a custom style
+## Use MapTiler to build a custom style

-Customizing the map style can be done easily using Maptiler, if you do not want to write an entire JSON document by hand.
+Customizing the map style can be done easily using MapTiler, if you do not want to write an entire JSON document by hand.

 1. Create a free account at https://cloud.maptiler.com
 2. Once logged in, you can either create a brand new map by clicking on **New Map**, selecting a starter map, and then clicking **Customize**, OR by selecting a **Standard Map** and customizing it from there.
 3. The **editor** interface is self-explanatory. You can change colors, remove visible layers, or add optional layers (e.g., administrative, topo, hydro, etc.) in the composer.
 4. Once you have your map composed, click on **Save** at the top right. Give it a unique name to save it to your account.
-5. Next, **Publish** your style using the **Publish** button at the top right. This will deploy it to production, which means it is able to be exposed over the Internet. Maptiler will present an interactive side-by-side map with the original and your changes prior to publication.<br/>![Maptiler Publication Settings](img/immich_map_styles_publish.webp)
-6. Maptiler will warn you that changing the map will change it across all apps using the map. Since no apps are using the map yet, this is okay.
-7. Clicking on the name of your new map at the top left will bring you to the item's **details** page. From here, copy the link to the JSON style under **Use vector style**. This link will automatically contain your personal API key to Maptiler.
+5. Next, **Publish** your style using the **Publish** button at the top right. This will deploy it to production, which means it is able to be exposed over the Internet. MapTiler will present an interactive side-by-side map with the original and your changes prior to publication.<br/>![MapTiler Publication Settings](img/immich_map_styles_publish.webp)
+6. MapTiler will warn you that changing the map will change it across all apps using the map. Since no apps are using the map yet, this is okay.
+7. Clicking on the name of your new map at the top left will bring you to the item's **details** page. From here, copy the link to the JSON style under **Use vector style**. This link will automatically contain your personal API key to MapTiler.
--- a/docs/docs/guides/database-queries.md
+++ b/docs/docs/guides/database-queries.md
@@ -1,7 +1,7 @@
 # Database Queries

 :::danger
-Keep in mind that mucking around in the database might set the moon on fire. Avoid modifying the database directly when possible, and always have current backups.
+Keep in mind that mucking around in the database might set the Moon on fire. Avoid modifying the database directly when possible, and always have current backups.
 :::

 :::tip
--- a/docs/docs/install/docker-compose.mdx
+++ b/docs/docs/install/docker-compose.mdx
@@ -2,53 +2,13 @@
 sidebar_position: 30
 ---

-import CodeBlock from '@theme/CodeBlock';
-import ExampleEnv from '!!raw-loader!../../../docker/example.env';
-
 # Docker Compose [Recommended]

 Docker Compose is the recommended method to run Immich in production. Below are the steps to deploy Immich with Docker Compose.

-## Step 1 - Download the required files
+import DockerComposeSteps from '/docs/partials/_docker-compose-install-steps.mdx';

-Create a directory of your choice (e.g. `./immich-app`) to hold the `docker-compose.yml` and `.env` files.
-
-```bash title="Move to the directory you created"
-mkdir ./immich-app
-cd ./immich-app
-```
-
-Download [`docker-compose.yml`][compose-file] and [`example.env`][env-file] by running the following commands:
-
-```bash title="Get docker-compose.yml file"
-wget -O docker-compose.yml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
-```
-
-```bash title="Get .env file"
-wget -O .env https://github.com/immich-app/immich/releases/latest/download/example.env
-```
-
-You can alternatively download these two files from your browser and move them to the directory that you created, in which case ensure that you rename `example.env` to `.env`.
-
-## Step 2 - Populate the .env file with custom values
-
-<CodeBlock language="bash" title="Default environmental variable content">
-  {ExampleEnv}
-</CodeBlock>
-
- Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets. It should be a new directory on the server with enough free space.
- Consider changing `DB_PASSWORD` to a custom value. Postgres is not publicly exposed, so this password is only used for local authentication.
-  To avoid issues with Docker parsing this value, it is best to use only the characters `A-Za-z0-9`. `pwgen` is a handy utility for this.
- Set your timezone by uncommenting the `TZ=` line.
- Populate custom database information if necessary.
-
-## Step 3 - Start the containers
-
-From the directory you created in Step 1 (which should now contain your customized `docker-compose.yml` and `.env` files), run the following command to start Immich as a background service:
-
-```bash title="Start the containers"
-docker compose up -d
-```
+<DockerComposeSteps />

 :::info Docker version
 If you get an error such as `unknown shorthand flag: 'd' in -d` or `open <location of your .env file>: permission denied`, you are probably running the wrong Docker version. (This happens, for example, with the docker.io package in Ubuntu 22.04.3 LTS.) You can correct the problem by following the complete [Docker Engine install](https://docs.docker.com/engine/install/) procedure for your distribution, crucially the "Uninstall old versions" and "Install using the apt/rpm repository" sections. These replace the distro's Docker packages with Docker's official ones.
--- a/docs/docs/install/environment-variables.md
+++ b/docs/docs/install/environment-variables.md
@@ -80,6 +80,7 @@ Information on the current workers can be found [here](/docs/administration/jobs
 | `DB_USERNAME`                       | Database user                                                            |  `postgres`  | server, database<sup>\*1</sup> |
 | `DB_PASSWORD`                       | Database password                                                        |  `postgres`  | server, database<sup>\*1</sup> |
 | `DB_DATABASE_NAME`                  | Database name                                                            |   `immich`   | server, database<sup>\*1</sup> |
+| `DB_SSL_MODE`                       | Database SSL mode                                                        |              | server                         |
 | `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`pgvector`, `pgvecto.rs`])            | `pgvecto.rs` | server                         |
 | `DB_SKIP_MIGRATIONS`                | Whether to skip running migrations on startup (one of [`true`, `false`]) |   `false`    | server                         |

--- a/docs/docs/install/synology.md
+++ b/docs/docs/install/synology.md
@@ -29,7 +29,7 @@ Download [`docker-compose.yml`](https://github.com/immich-app/immich/releases/la

 ## Step 2 - Populate the .env file with custom values

-Follow [Step 2 in Docker Compose](./docker-compose#step-2---populate-the-env-file-with-custom-values) for instructions on customizing the `.env` file, and then return back to this guide to continue.
+Follow [Step 2 in Docker Compose](/docs/install/docker-compose#step-2---populate-the-env-file-with-custom-values) for instructions on customizing the `.env` file, and then return back to this guide to continue.

 ## Step 3 - Create a new project in Container Manager

--- a/docs/docs/install/truenas.md
+++ b/docs/docs/install/truenas.md
@@ -2,7 +2,7 @@
 sidebar_position: 80
 ---

-# TrueNAS SCALE [Community]
+# TrueNAS [Community]

 :::note
 This is a community contribution and not officially supported by the Immich team, but included here for convenience.
@@ -12,17 +12,17 @@ Community support can be found in the dedicated channel on the [Discord Server](
 **Please report app issues to the corresponding [Github Repository](https://github.com/truenas/charts/tree/master/community/immich).**
 :::

-Immich can easily be installed on TrueNAS SCALE via the **Community** train application.
-Consider reviewing the TrueNAS [Apps tutorial](https://www.truenas.com/docs/scale/scaletutorials/apps/) if you have not previously configured applications on your system.
+Immich can easily be installed on TrueNAS Community Edition via the **Community** train application.
+Consider reviewing the TrueNAS [Apps resources](https://apps.truenas.com/getting-started/) if you have not previously configured applications on your system.

-TrueNAS SCALE makes installing and updating Immich easy, but you must use the Immich web portal and mobile app to configure accounts and access libraries.
+TrueNAS Community Edition makes installing and updating Immich easy, but you must use the Immich web portal and mobile app to configure accounts and access libraries.

 ## First Steps

-The Immich app in TrueNAS SCALE installs, completes the initial configuration, then starts the Immich web portal.
-When updates become available, SCALE alerts and provides easy updates.
+The Immich app in TrueNAS Community Edition installs, completes the initial configuration, then starts the Immich web portal.
+When updates become available, TrueNAS alerts and provides easy updates.

-Before installing the Immich app in SCALE, review the [Environment Variables](#environment-variables) documentation to see if you want to configure any during installation.
+Before installing the Immich app in TrueNAS, review the [Environment Variables](#environment-variables) documentation to see if you want to configure any during installation.
 You may also configure environment variables at any time after deploying the application.

 ### Setting up Storage Datasets
@@ -126,9 +126,9 @@ className="border rounded-xl"

 Accept the default port `30041` in **WebUI Port** or enter a custom port number.
 :::info Allowed Port Numbers
-Only numbers within the range 9000-65535 may be used on SCALE versions below TrueNAS Scale 24.10 Electric Eel.
+Only numbers within the range 9000-65535 may be used on TrueNAS versions below TrueNAS Community Edition 24.10 Electric Eel.

-Regardless of version, to avoid port conflicts, don't use [ports on this list](https://www.truenas.com/docs/references/defaultports/).
+Regardless of version, to avoid port conflicts, don't use [ports on this list](https://www.truenas.com/docs/solutions/optimizations/security/#truenas-default-ports).
 :::

 ### Storage Configuration
@@ -173,7 +173,7 @@ className="border rounded-xl"

 You may configure [External Libraries](/docs/features/libraries) by mounting them using **Additional Storage**.
 The **Mount Path** is the location you will need to copy and paste into the External Library settings within Immich.
-The **Host Path** is the location on the TrueNAS SCALE server where your external library is located.
+The **Host Path** is the location on the TrueNAS Community Edition server where your external library is located.

 <!-- A section for Labels would go here but I don't know what they do. -->

@@ -188,17 +188,17 @@ className="border rounded-xl"

 Accept the default **CPU** limit of `2` threads or specify the number of threads (CPUs with Multi-/Hyper-threading have 2 threads per core).

-Accept the default **Memory** limit of `4096` MB or specify the number of MB of RAM. If you're using Machine Learning you should probably set this above 8000 MB.
+Specify the **Memory** limit in MB of RAM. Immich recommends at least 6000 MB (6GB). If you selected **Enable Machine Learning** in **Immich Configuration**, you should probably set this above 8000 MB.

-:::info Older SCALE Versions
-Before TrueNAS SCALE version 24.10 Electric Eel:
+:::info Older TrueNAS Versions
+Before TrueNAS Community Edition version 24.10 Electric Eel:

 The **CPU** value was specified in a different format with a default of `4000m` which is 4 threads.

 The **Memory** value was specified in a different format with a default of `8Gi` which is 8 GiB of RAM. The value was specified in bytes or a number with a measurement suffix. Examples: `129M`, `123Mi`, `1000000000`
 :::

-Enable **GPU Configuration** options if you have a GPU that you will use for [Hardware Transcoding](/docs/features/hardware-transcoding) and/or [Hardware-Accelerated Machine Learning](/docs/features/ml-hardware-acceleration.md). More info: [GPU Passthrough Docs for TrueNAS Apps](https://www.truenas.com/docs/truenasapps/#gpu-passthrough)
+Enable **GPU Configuration** options if you have a GPU that you will use for [Hardware Transcoding](/docs/features/hardware-transcoding) and/or [Hardware-Accelerated Machine Learning](/docs/features/ml-hardware-acceleration.md). More info: [GPU Passthrough Docs for TrueNAS Apps](https://apps.truenas.com/managing-apps/installing-apps/#gpu-passthrough)

 ### Install

@@ -240,7 +240,7 @@ className="border rounded-xl"
 />

 :::info
-Some Environment Variables are not available for the TrueNAS SCALE app. This is mainly because they can be configured through GUI options in the [Edit Immich screen](#edit-app-settings).
+Some Environment Variables are not available for the TrueNAS Community Edition app. This is mainly because they can be configured through GUI options in the [Edit Immich screen](#edit-app-settings).

 Some examples are: `IMMICH_VERSION`, `UPLOAD_LOCATION`, `DB_DATA_LOCATION`, `TZ`, `IMMICH_LOG_LEVEL`, `DB_PASSWORD`, `REDIS_PASSWORD`.
 :::
@@ -251,7 +251,7 @@ Some examples are: `IMMICH_VERSION`, `UPLOAD_LOCATION`, `DB_DATA_LOCATION`, `TZ`
 Make sure to read the general [upgrade instructions](/docs/install/upgrading.md).
 :::

-When updates become available, SCALE alerts and provides easy updates.
+When updates become available, TrueNAS alerts and provides easy updates.
 To update the app to the latest version:

 - Go to the **Installed Applications** screen and select Immich from the list of installed applications.
--- a/docs/docs/install/upgrading.md
+++ b/docs/docs/install/upgrading.md
@@ -24,9 +24,6 @@ To clean up disk space, the old version's obsolete container images can be delet
 docker image prune
 ```

-[compose-file]: https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
-[env-file]: https://github.com/immich-app/immich/releases/latest/download/example.env
 [watchtower]: https://containrrr.dev/watchtower/
 [breaking]: https://github.com/immich-app/immich/discussions?discussions_q=label%3Achangelog%3Abreaking-change+sort%3Adate_created
-[container-auth]: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry
 [releases]: https://github.com/immich-app/immich/releases
--- a/docs/docs/overview/comparison.md
+++ b/docs/docs/overview/comparison.md
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 2
+sidebar_position: 3
 ---

 # Comparison
--- a/docs/docs/overview/img/social-preview-light.webp
+++ b/docs/docs/overview/img/social-preview-light.webp
--- a/docs/docs/overview/quick-start.mdx
+++ b/docs/docs/overview/quick-start.mdx
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 3
+sidebar_position: 2
 ---

 # Quick start
@@ -10,11 +10,20 @@ to install and use it.

 ## Requirements

-Check the [requirements page](/docs/install/requirements) to get started.
+- A system with at least 4GB of RAM and 2 CPU cores.
+- [Docker](https://docs.docker.com/engine/install/)
+
+> For a more detailed list of requirements, see the [requirements page](/docs/install/requirements).
+
+---

 ## Set up the server

-Follow the [Docker Compose (Recommended)](/docs/install/docker-compose) instructions to install the server.
+import DockerComposeSteps from '/docs/partials/_docker-compose-install-steps.mdx';
+
+<DockerComposeSteps />
+
+---

 ## Try the web app

@@ -26,6 +35,8 @@ Try uploading a picture from your browser.

 <img src={require('./img/upload-button.webp').default} title="Upload button" />

+---
+
 ## Try the mobile app

 ### Download the Mobile App
@@ -56,6 +67,8 @@ You can select the **Jobs** tab to see Immich processing your photos.

 <img src={require('/docs/guides/img/jobs-tab.webp').default} title="Jobs tab" width={300} />

+---
+
 ## Review the database backup and restore process

 Immich has built-in database backups. You can refer to the
@@ -65,6 +78,8 @@ Immich has built-in database backups. You can refer to the
 The database only contains metadata and user information. You must setup manual backups of the images and videos stored in `UPLOAD_LOCATION`.
 :::

+---
+
 ## Where to go from here?

 You may decide you'd like to install the server a different way; the Install category on the left menu provides many options.
--- a/docs/docs/overview/introduction.mdx
+++ b/docs/docs/overview/introduction.mdx
@@ -2,9 +2,13 @@
 sidebar_position: 1
 ---

-# Introduction
+# Welcome to Immich

-<img src={require('./img/feature-panel.webp').default} alt="Immich - Self-hosted photos and videos backup tool" />
+<img
+  src={require('./img/social-preview-light.webp').default}
+  alt="Immich - Self-hosted photos and videos backup tool"
+  data-theme="light"
+/>

 ## Welcome!

--- a/docs/docs/partials/_docker-compose-install-steps.mdx
+++ b/docs/docs/partials/_docker-compose-install-steps.mdx
@@ -0,0 +1,43 @@
+import CodeBlock from '@theme/CodeBlock';
+import ExampleEnv from '!!raw-loader!../../../docker/example.env';
+
+### Step 1 - Download the required files
+
+Create a directory of your choice (e.g. `./immich-app`) to hold the `docker-compose.yml` and `.env` files.
+
+```bash title="Move to the directory you created"
+mkdir ./immich-app
+cd ./immich-app
+```
+
+Download [`docker-compose.yml`](https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml) and [`example.env`](https://github.com/immich-app/immich/releases/latest/download/example.env) by running the following commands:
+
+```bash title="Get docker-compose.yml file"
+wget -O docker-compose.yml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+```
+
+```bash title="Get .env file"
+wget -O .env https://github.com/immich-app/immich/releases/latest/download/example.env
+```
+
+You can alternatively download these two files from your browser and move them to the directory that you created, in which case ensure that you rename `example.env` to `.env`.
+
+### Step 2 - Populate the .env file with custom values
+
+<CodeBlock language="bash" title="Default environmental variable content">
+  {ExampleEnv}
+</CodeBlock>
+
+- Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets. It should be a new directory on the server with enough free space.
+- Consider changing `DB_PASSWORD` to a custom value. Postgres is not publicly exposed, so this password is only used for local authentication.
+  To avoid issues with Docker parsing this value, it is best to use only the characters `A-Za-z0-9`. `pwgen` is a handy utility for this.
+- Set your timezone by uncommenting the `TZ=` line.
+- Populate custom database information if necessary.
+
+### Step 3 - Start the containers
+
+From the directory you created in Step 1 (which should now contain your customized `docker-compose.yml` and `.env` files), run the following command to start Immich as a background service:
+
+```bash title="Start the containers"
+docker compose up -d
+```
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -95,7 +95,7 @@ const config = {
            position: 'right',
          },
          {
-            to: '/docs/overview/introduction',
+            to: '/docs/overview/welcome',
            position: 'right',
            label: 'Docs',
          },
@@ -124,6 +124,12 @@ const config = {
            label: 'Discord',
            position: 'right',
          },
+          {
+            type: 'html',
+            position: 'right',
+            value:
+              '<a href="https://buy.immich.app" target="_blank" class="no-underline hover:no-underline"><button class="buy-button bg-immich-primary dark:bg-immich-dark-primary text-white dark:text-black rounded-xl">Buy Immich</button></a>',
+          },
        ],
      },
      footer: {
@@ -134,7 +140,7 @@ const config = {
            items: [
              {
                label: 'Welcome',
-                to: '/docs/overview/introduction',
+                to: '/docs/overview/welcome',
              },
              {
                label: 'Installation',
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
--- a/docs/package.json
+++ b/docs/package.json
@@ -57,6 +57,6 @@
    "node": ">=20"
  },
  "volta": {
-    "node": "22.14.0"
+    "node": "22.15.0"
  }
 }
--- a/docs/src/components/community-projects.tsx
+++ b/docs/src/components/community-projects.tsx
@@ -40,8 +40,9 @@ const projects: CommunityProjectProps[] = [
  },
  {
    title: 'Lightroom Immich Plugin: lrc-immich-plugin',
-    description: 'Another Lightroom plugin to publish or export photos from Lightroom to Immich.',
-    url: 'https://github.com/bmachek/lrc-immich-plugin',
+    description:
+      'Lightroom plugin to publish, export photos from Lightroom to Immich. Import from Immich to Lightroom is also supported.',
+    url: 'https://blog.fokuspunk.de/lrc-immich-plugin/',
  },
  {
    title: 'Immich Duplicate Finder',
--- a/docs/src/css/custom.css
+++ b/docs/src/css/custom.css
@@ -7,14 +7,22 @@
@tailwind components;
@tailwind utilities;

-@import url('https://fonts.googleapis.com/css2?family=Be+Vietnam+Pro:ital,wght@0,100;0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,100;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap');
-
-body {
-  font-family: 'Be Vietnam Pro', serif;
-  font-optical-sizing: auto;
-  /* font-size: 1.125rem;
+@font-face {
+  font-family: 'Overpass';
+  src: url('/fonts/overpass/Overpass.ttf') format('truetype-variations');
+  font-weight: 1 999;
+  font-style: normal;
  ascent-override: 106.25%;
-  size-adjust: 106.25%; */
+  size-adjust: 106.25%;
+}
+
+@font-face {
+  font-family: 'Overpass Mono';
+  src: url('/fonts/overpass/OverpassMono.ttf') format('truetype-variations');
+  font-weight: 1 999;
+  font-style: normal;
+  ascent-override: 106.25%;
+  size-adjust: 106.25%;
 }

 .breadcrumbs__link {
@@ -29,6 +37,7 @@ img {

 /* You can override the default Infima variables here. */
 :root {
+  font-family: 'Overpass', sans-serif;
  --ifm-color-primary: #4250af;
  --ifm-color-primary-dark: #4250af;
  --ifm-color-primary-darker: #4250af;
@@ -59,14 +68,12 @@ div[class^='announcementBar_'] {
 }

 .menu__link {
-  padding: 10px;
-  padding-left: 16px;
+  padding: 10px 10px 10px 16px;
  border-radius: 24px;
  margin-right: 16px;
 }

 .menu__list-item-collapsible {
-  border-radius: 10px;
  margin-right: 16px;
  border-radius: 24px;
 }
@@ -83,3 +90,12 @@ div[class*='navbar__items'] > li:has(a[class*='version-switcher-34ab39']) {
 code {
  font-weight: 600;
 }
+
+.buy-button {
+  padding: 8px 14px;
+  border: 1px solid transparent;
+  font-family: 'Overpass', sans-serif;
+  font-weight: 500;
+  cursor: pointer;
+  box-shadow: 0 0 5px 2px rgba(181, 206, 254, 0.4);
+}
--- a/docs/src/pages/cursed-knowledge.tsx
+++ b/docs/src/pages/cursed-knowledge.tsx
@@ -2,6 +2,7 @@ import {
  mdiBug,
  mdiCalendarToday,
  mdiCrosshairsOff,
+  mdiCrop,
  mdiDatabase,
  mdiLeadPencil,
  mdiLockOff,
@@ -22,6 +23,18 @@ const withLanguage = (date: Date) => (language: string) => date.toLocaleDateStri
 type Item = Omit<TimelineItem, 'done' | 'getDateLabel'> & { date: Date };

 const items: Item[] = [
+  {
+    icon: mdiCrop,
+    iconColor: 'tomato',
+    title: 'Image dimensions in EXIF metadata are cursed',
+    description:
+      'The dimensions in EXIF metadata can be different from the actual dimensions of the image, causing issues with cropping and resizing.',
+    link: {
+      url: 'https://github.com/immich-app/immich/pull/17974',
+      text: '#17974',
+    },
+    date: new Date(2025, 5, 5),
+  },
  {
    icon: mdiMicrosoftWindows,
    iconColor: '#357EC7',
--- a/docs/src/pages/errors.md
+++ b/docs/src/pages/errors.md
@@ -0,0 +1,5 @@
+# Errors
+
+## TypeORM Upgrade
+
+The upgrade to Immich `v2.x.x` has a required upgrade path to `v1.132.0+`. This means it is required to start up the application at least once on version `1.132.0` (or later). Doing so will complete database schema upgrades that are required for `v2.0.0`. After Immich has successfully booted on this version, shut the system down and try the `v2.x.x` upgrade again.
--- a/docs/src/pages/index.tsx
+++ b/docs/src/pages/index.tsx
@@ -4,6 +4,7 @@ import Layout from '@theme/Layout';
 import { discordPath, discordViewBox } from '@site/src/components/svg-paths';
 import ThemedImage from '@theme/ThemedImage';
 import Icon from '@mdi/react';
+
 function HomepageHeader() {
  return (
    <header>
@@ -12,11 +13,14 @@ function HomepageHeader() {
        <div className="w-full h-[120vh] absolute left-0 top-0 backdrop-blur-3xl bg-immich-bg/40 dark:bg-transparent"></div>
      </div>
      <section className="text-center pt-12 sm:pt-24 bg-immich-bg/50 dark:bg-immich-dark-bg/80">
-        <ThemedImage
-          sources={{ dark: 'img/logomark-dark.svg', light: 'img/logomark-light.svg' }}
-          className="h-[115px] w-[115px] mb-2 antialiased rounded-none"
-          alt="Immich logo"
-        />
+        <a href="https://futo.org" target="_blank" rel="noopener noreferrer">
+          <ThemedImage
+            sources={{ dark: 'img/logomark-dark-with-futo.svg', light: 'img/logomark-light-with-futo.svg' }}
+            className="h-[125px] w-[125px] mb-2 antialiased rounded-none"
+            alt="Immich logo"
+          />
+        </a>
+
        <div className="mt-8">
          <p className="text-3xl md:text-5xl sm:leading-tight mb-1 font-extrabold text-black/90 dark:text-white px-4">
            Self-hosted{' '}
@@ -27,7 +31,7 @@ function HomepageHeader() {
            solution<span className="block"></span>
          </p>

-          <p className="max-w-1/4 m-auto mt-4 px-4">
+          <p className="max-w-1/4 m-auto mt-4 px-4 text-lg text-gray-700 dark:text-gray-100">
            Easily back up, organize, and manage your photos on your own server. Immich helps you
            <span className="sm:block"></span> browse, search and organize your photos and videos with ease, without
            sacrificing your privacy.
@@ -35,27 +39,21 @@ function HomepageHeader() {
        </div>
        <div className="flex flex-col sm:flex-row place-items-center place-content-center mt-9 gap-4 ">
          <Link
-            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary dark:bg-immich-dark-primary rounded-xl no-underline hover:no-underline text-white hover:text-gray-50 dark:text-immich-dark-bg font-bold uppercase"
-            to="docs/overview/introduction"
+            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary dark:bg-immich-dark-primary rounded-xl no-underline hover:no-underline text-white hover:text-gray-50 dark:text-immich-dark-bg font-bold"
+            to="docs/overview/quick-start"
          >
-            Get started
+            Get Started
          </Link>

          <Link
-            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary/10 dark:bg-gray-300  rounded-xl hover:no-underline text-immich-primary dark:text-immich-dark-bg font-bold uppercase"
+            className="flex place-items-center place-content-center py-3 px-8 border bg-white/90 dark:bg-gray-300  rounded-xl hover:no-underline text-immich-primary dark:text-immich-dark-bg font-bold"
            to="https://demo.immich.app/"
          >
-            Demo
-          </Link>
-
-          <Link
-            className="flex place-items-center place-content-center py-3 px-8 border bg-immich-primary/10 dark:bg-gray-300  rounded-xl hover:no-underline text-immich-primary dark:text-immich-dark-bg font-bold uppercase"
-            to="https://immich.store"
-          >
-            Buy Merch
+            Open Demo
          </Link>
        </div>
-        <div className="my-12 flex gap-1 font-medium place-items-center place-content-center text-immich-primary dark:text-immich-dark-primary">
+
+        <div className="my-8 flex gap-1 font-medium place-items-center place-content-center text-immich-primary dark:text-immich-dark-primary">
          <Icon
            path={discordPath}
            viewBox={discordViewBox} /* viewBox may show an error in your IDE but it is normal. */
@@ -88,11 +86,18 @@ function HomepageHeader() {
              <img className="h-24" alt="Get it on Google Play" src="/img/google-play-badge.png" />
            </a>
          </div>
+
          <div className="h-24">
            <a href="https://apps.apple.com/sg/app/immich/id1613945652">
              <img className="h-24 sm:p-3.5 p-3" alt="Download on the App Store" src="/img/ios-app-store-badge.svg" />
            </a>
          </div>
+
+          <div className="h-24">
+            <a href="https://github.com/immich-app/immich/releases/latest">
+              <img className="h-24 sm:p-3.5 p-3" alt="Download APK" src="/img/download-apk-github.svg" />
+            </a>
+          </div>
        </div>
        <ThemedImage
          sources={{ dark: '/img/app-qr-code-dark.svg', light: '/img/app-qr-code-light.svg' }}
@@ -111,7 +116,7 @@ export default function Home(): JSX.Element {
      <HomepageHeader />
      <div className="flex flex-col place-items-center text-center place-content-center dark:bg-immich-dark-bg py-8">
        <p>This project is available under GNU AGPL v3 license.</p>
-        <p className="text-xs">Privacy should not be a luxury</p>
+        <p className="text-sm">Privacy should not be a luxury</p>
      </div>
    </Layout>
  );
--- a/docs/src/pages/privacy-policy.tsx
+++ b/docs/src/pages/privacy-policy.tsx
@@ -1,5 +1,4 @@
 import React from 'react';
-import Link from '@docusaurus/Link';
 import Layout from '@theme/Layout';
 function HomepageHeader() {
  return (
--- a/docs/src/pages/roadmap.tsx
+++ b/docs/src/pages/roadmap.tsx
@@ -76,6 +76,7 @@ import {
  mdiWeb,
  mdiDatabaseOutline,
  mdiLinkEdit,
+  mdiTagFaces,
  mdiMovieOpenPlayOutline,
 } from '@mdi/js';
 import Layout from '@theme/Layout';
@@ -83,6 +84,8 @@ import React from 'react';
 import { Item, Timeline } from '../components/timeline';

 const releases = {
+  'v1.130.0': new Date(2025, 2, 25),
+  'v1.127.0': new Date(2025, 1, 26),
  'v1.122.0': new Date(2024, 11, 5),
  'v1.120.0': new Date(2024, 10, 6),
  'v1.114.0': new Date(2024, 8, 6),
@@ -242,6 +245,13 @@ const roadmap: Item[] = [
 ];

 const milestones: Item[] = [
+  withRelease({
+    icon: mdiFolderMultiple,
+    iconColor: 'brown',
+    title: 'Folders view in the mobile app',
+    description: 'Browse your photos and videos in their folder structure inside the mobile app',
+    release: 'v1.130.0',
+  }),
  {
    icon: mdiStar,
    iconColor: 'gold',
@@ -249,6 +259,14 @@ const milestones: Item[] = [
    description: 'Reached 60K Stars on GitHub!',
    getDateLabel: withLanguage(new Date(2025, 2, 4)),
  },
+  withRelease({
+    icon: mdiTagFaces,
+    iconColor: 'teal',
+    title: 'Manual face tagging',
+    description:
+      'Manually tag or remove faces in photos and videos, even when automatic detection misses or misidentifies them.',
+    release: 'v1.127.0',
+  }),
  withRelease({
    icon: mdiLinkEdit,
    iconColor: 'crimson',
@@ -266,8 +284,8 @@ const milestones: Item[] = [
  withRelease({
    icon: mdiDatabaseOutline,
    iconColor: 'brown',
-    title: 'Automatic database backups',
-    description: 'Database backups are now integrated into the Immich server',
+    title: 'Automatic database dumps',
+    description: 'Database dumps are now integrated into the Immich server',
    release: 'v1.120.0',
  }),
  {
@@ -300,7 +318,7 @@ const milestones: Item[] = [
  withRelease({
    icon: mdiFolderMultiple,
    iconColor: 'brown',
-    title: 'Folders',
+    title: 'Folders view',
    description: 'Browse your photos and videos in their folder structure',
    release: 'v1.113.0',
  }),
--- a/docs/static/.well-known/security.txt
+++ b/docs/static/.well-known/security.txt
@@ -0,0 +1,5 @@
+Policy: https://github.com/immich-app/immich/blob/main/SECURITY.md
+Contact: mailto:security@immich.app
+Preferred-Languages: en
+Expires: 2026-05-01T23:59:00.000Z
+Canonical: https://immich.app/.well-known/security.txt
--- a/docs/static/_redirects
+++ b/docs/static/_redirects
@@ -30,3 +30,4 @@
 /docs/guides/api-album-sync /docs/community-projects 307
 /docs/guides/remove-offline-files /docs/community-projects 307
 /milestones /roadmap 307
+/docs/overview/introduction /docs/overview/welcome 307
--- a/docs/static/archived-versions.json
+++ b/docs/static/archived-versions.json
@@ -1,36 +1,16 @@
 [
+  {
+    "label": "v1.132.3",
+    "url": "https://v1.132.3.archive.immich.app"
+  },
  {
    "label": "v1.131.3",
    "url": "https://v1.131.3.archive.immich.app"
  },
-  {
-    "label": "v1.131.2",
-    "url": "https://v1.131.2.archive.immich.app"
-  },
-  {
-    "label": "v1.131.1",
-    "url": "https://v1.131.1.archive.immich.app"
-  },
-  {
-    "label": "v1.131.0",
-    "url": "https://v1.131.0.archive.immich.app"
-  },
  {
    "label": "v1.130.3",
    "url": "https://v1.130.3.archive.immich.app"
  },
-  {
-    "label": "v1.130.2",
-    "url": "https://v1.130.2.archive.immich.app"
-  },
-  {
-    "label": "v1.130.1",
-    "url": "https://v1.130.1.archive.immich.app"
-  },
-  {
-    "label": "v1.130.0",
-    "url": "https://v1.130.0.archive.immich.app"
-  },
  {
    "label": "v1.129.0",
    "url": "https://v1.129.0.archive.immich.app"
@@ -47,46 +27,14 @@
    "label": "v1.126.1",
    "url": "https://v1.126.1.archive.immich.app"
  },
-  {
-    "label": "v1.126.0",
-    "url": "https://v1.126.0.archive.immich.app"
-  },
  {
    "label": "v1.125.7",
    "url": "https://v1.125.7.archive.immich.app"
  },
-  {
-    "label": "v1.125.6",
-    "url": "https://v1.125.6.archive.immich.app"
-  },
-  {
-    "label": "v1.125.5",
-    "url": "https://v1.125.5.archive.immich.app"
-  },
-  {
-    "label": "v1.125.3",
-    "url": "https://v1.125.3.archive.immich.app"
-  },
-  {
-    "label": "v1.125.2",
-    "url": "https://v1.125.2.archive.immich.app"
-  },
-  {
-    "label": "v1.125.1",
-    "url": "https://v1.125.1.archive.immich.app"
-  },
  {
    "label": "v1.124.2",
    "url": "https://v1.124.2.archive.immich.app"
  },
-  {
-    "label": "v1.124.1",
-    "url": "https://v1.124.1.archive.immich.app"
-  },
-  {
-    "label": "v1.124.0",
-    "url": "https://v1.124.0.archive.immich.app"
-  },
  {
    "label": "v1.123.0",
    "url": "https://v1.123.0.archive.immich.app"
@@ -95,18 +43,6 @@
    "label": "v1.122.3",
    "url": "https://v1.122.3.archive.immich.app"
  },
-  {
-    "label": "v1.122.2",
-    "url": "https://v1.122.2.archive.immich.app"
-  },
-  {
-    "label": "v1.122.1",
-    "url": "https://v1.122.1.archive.immich.app"
-  },
-  {
-    "label": "v1.122.0",
-    "url": "https://v1.122.0.archive.immich.app"
-  },
  {
    "label": "v1.121.0",
    "url": "https://v1.121.0.archive.immich.app"
@@ -115,34 +51,14 @@
    "label": "v1.120.2",
    "url": "https://v1.120.2.archive.immich.app"
  },
-  {
-    "label": "v1.120.1",
-    "url": "https://v1.120.1.archive.immich.app"
-  },
-  {
-    "label": "v1.120.0",
-    "url": "https://v1.120.0.archive.immich.app"
-  },
  {
    "label": "v1.119.1",
    "url": "https://v1.119.1.archive.immich.app"
  },
-  {
-    "label": "v1.119.0",
-    "url": "https://v1.119.0.archive.immich.app"
-  },
  {
    "label": "v1.118.2",
    "url": "https://v1.118.2.archive.immich.app"
  },
-  {
-    "label": "v1.118.1",
-    "url": "https://v1.118.1.archive.immich.app"
-  },
-  {
-    "label": "v1.118.0",
-    "url": "https://v1.118.0.archive.immich.app"
-  },
  {
    "label": "v1.117.0",
    "url": "https://v1.117.0.archive.immich.app"
@@ -151,14 +67,6 @@
    "label": "v1.116.2",
    "url": "https://v1.116.2.archive.immich.app"
  },
-  {
-    "label": "v1.116.1",
-    "url": "https://v1.116.1.archive.immich.app"
-  },
-  {
-    "label": "v1.116.0",
-    "url": "https://v1.116.0.archive.immich.app"
-  },
  {
    "label": "v1.115.0",
    "url": "https://v1.115.0.archive.immich.app"
@@ -171,18 +79,10 @@
    "label": "v1.113.1",
    "url": "https://v1.113.1.archive.immich.app"
  },
-  {
-    "label": "v1.113.0",
-    "url": "https://v1.113.0.archive.immich.app"
-  },
  {
    "label": "v1.112.1",
    "url": "https://v1.112.1.archive.immich.app"
  },
-  {
-    "label": "v1.112.0",
-    "url": "https://v1.112.0.archive.immich.app"
-  },
  {
    "label": "v1.111.0",
    "url": "https://v1.111.0.archive.immich.app"
@@ -195,14 +95,6 @@
    "label": "v1.109.2",
    "url": "https://v1.109.2.archive.immich.app"
  },
-  {
-    "label": "v1.109.1",
-    "url": "https://v1.109.1.archive.immich.app"
-  },
-  {
-    "label": "v1.109.0",
-    "url": "https://v1.109.0.archive.immich.app"
-  },
  {
    "label": "v1.108.0",
    "url": "https://v1.108.0.archive.immich.app"
@@ -211,38 +103,14 @@
    "label": "v1.107.2",
    "url": "https://v1.107.2.archive.immich.app"
  },
-  {
-    "label": "v1.107.1",
-    "url": "https://v1.107.1.archive.immich.app"
-  },
-  {
-    "label": "v1.107.0",
-    "url": "https://v1.107.0.archive.immich.app"
-  },
  {
    "label": "v1.106.4",
    "url": "https://v1.106.4.archive.immich.app"
  },
-  {
-    "label": "v1.106.3",
-    "url": "https://v1.106.3.archive.immich.app"
-  },
-  {
-    "label": "v1.106.2",
-    "url": "https://v1.106.2.archive.immich.app"
-  },
-  {
-    "label": "v1.106.1",
-    "url": "https://v1.106.1.archive.immich.app"
-  },
  {
    "label": "v1.105.1",
    "url": "https://v1.105.1.archive.immich.app"
  },
-  {
-    "label": "v1.105.0",
-    "url": "https://v1.105.0.archive.immich.app"
-  },
  {
    "label": "v1.104.0",
    "url": "https://v1.104.0.archive.immich.app"
@@ -251,26 +119,10 @@
    "label": "v1.103.1",
    "url": "https://v1.103.1.archive.immich.app"
  },
-  {
-    "label": "v1.103.0",
-    "url": "https://v1.103.0.archive.immich.app"
-  },
  {
    "label": "v1.102.3",
    "url": "https://v1.102.3.archive.immich.app"
  },
-  {
-    "label": "v1.102.2",
-    "url": "https://v1.102.2.archive.immich.app"
-  },
-  {
-    "label": "v1.102.1",
-    "url": "https://v1.102.1.archive.immich.app"
-  },
-  {
-    "label": "v1.102.0",
-    "url": "https://v1.102.0.archive.immich.app"
-  },
  {
    "label": "v1.101.0",
    "url": "https://v1.101.0.archive.immich.app"
--- a/docs/static/fonts/overpass/Overpass-Italic.ttf
+++ b/docs/static/fonts/overpass/Overpass-Italic.ttf
--- a/docs/static/fonts/overpass/Overpass.ttf
+++ b/docs/static/fonts/overpass/Overpass.ttf
--- a/docs/static/fonts/overpass/OverpassMono.ttf
+++ b/docs/static/fonts/overpass/OverpassMono.ttf
--- a/docs/static/img/download-apk-github.svg
+++ b/docs/static/img/download-apk-github.svg
--- a/docs/static/img/logomark-dark-with-futo.svg
+++ b/docs/static/img/logomark-dark-with-futo.svg
--- a/docs/static/img/logomark-light-with-futo.svg
+++ b/docs/static/img/logomark-light-with-futo.svg
--- a/e2e/.nvmrc
+++ b/e2e/.nvmrc
@@ -1 +1 @@
-22.14.0
+22.15.0
--- a/e2e/docker-compose.yml
+++ b/e2e/docker-compose.yml
@@ -34,7 +34,7 @@ services:
      - 2285:2285

  redis:
-    image: redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
+    image: redis:6.2-alpine@sha256:3211c33a618c457e5d241922c975dbc4f446d0bdb2dc75694f5573ef8e2d01fa

  database:
    image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -1,6 +1,6 @@
 {
  "name": "immich-e2e",
-  "version": "1.131.3",
+  "version": "1.132.3",
  "description": "",
  "main": "index.js",
  "type": "module",
@@ -25,9 +25,9 @@
    "@immich/sdk": "file:../open-api/typescript-sdk",
    "@playwright/test": "^1.44.1",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^22.13.14",
+    "@types/node": "^22.15.16",
    "@types/oidc-provider": "^8.5.1",
-    "@types/pg": "^8.11.0",
+    "@types/pg": "^8.15.1",
    "@types/pngjs": "^6.0.4",
    "@types/supertest": "^6.0.2",
    "@vitest/coverage-v8": "^3.0.0",
@@ -52,6 +52,6 @@
    "vitest": "^3.0.0"
  },
  "volta": {
-    "node": "22.14.0"
+    "node": "22.15.0"
  }
 }
--- a/e2e/src/api/specs/activity.e2e-spec.ts
+++ b/e2e/src/api/specs/activity.e2e-spec.ts
@@ -46,38 +46,6 @@ describe('/activities', () => {
  });

  describe('GET /activities', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/activities');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should require an albumId', async () => {
-      const { status, body } = await request(app)
-        .get('/activities')
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toEqual(400);
-      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['albumId must be a UUID'])));
-    });
-
-    it('should reject an invalid albumId', async () => {
-      const { status, body } = await request(app)
-        .get('/activities')
-        .query({ albumId: uuidDto.invalid })
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toEqual(400);
-      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['albumId must be a UUID'])));
-    });
-
-    it('should reject an invalid assetId', async () => {
-      const { status, body } = await request(app)
-        .get('/activities')
-        .query({ albumId: uuidDto.notFound, assetId: uuidDto.invalid })
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toEqual(400);
-      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['assetId must be a UUID'])));
-    });
-
    it('should start off empty', async () => {
      const { status, body } = await request(app)
        .get('/activities')
@@ -192,30 +160,6 @@ describe('/activities', () => {
  });

  describe('POST /activities', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post('/activities');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should require an albumId', async () => {
-      const { status, body } = await request(app)
-        .post('/activities')
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({ albumId: uuidDto.invalid });
-      expect(status).toEqual(400);
-      expect(body).toEqual(errorDto.badRequest(expect.arrayContaining(['albumId must be a UUID'])));
-    });
-
-    it('should require a comment when type is comment', async () => {
-      const { status, body } = await request(app)
-        .post('/activities')
-        .set('Authorization', `Bearer ${admin.accessToken}`)
-        .send({ albumId: uuidDto.notFound, type: 'comment', comment: null });
-      expect(status).toEqual(400);
-      expect(body).toEqual(errorDto.badRequest(['comment must be a string', 'comment should not be empty']));
-    });
-
    it('should add a comment to an album', async () => {
      const { status, body } = await request(app)
        .post('/activities')
@@ -330,20 +274,6 @@ describe('/activities', () => {
  });

  describe('DELETE /activities/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).delete(`/activities/${uuidDto.notFound}`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should require a valid uuid', async () => {
-      const { status, body } = await request(app)
-        .delete(`/activities/${uuidDto.invalid}`)
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
-    });
-
    it('should remove a comment from an album', async () => {
      const reaction = await createActivity({
        albumId: album.id,
--- a/e2e/src/api/specs/album.e2e-spec.ts
+++ b/e2e/src/api/specs/album.e2e-spec.ts
@@ -9,7 +9,7 @@ import {
  LoginResponseDto,
  SharedLinkType,
 } from '@immich/sdk';
-import { createUserDto, uuidDto } from 'src/fixtures';
+import { createUserDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
 import { app, asBearerAuth, utils } from 'src/utils';
 import request from 'supertest';
@@ -128,28 +128,6 @@ describe('/albums', () => {
  });

  describe('GET /albums', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/albums');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should reject an invalid shared param', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?shared=invalid')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toEqual(400);
-      expect(body).toEqual(errorDto.badRequest(['shared must be a boolean value']));
-    });
-
-    it('should reject an invalid assetId param', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?assetId=invalid')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toEqual(400);
-      expect(body).toEqual(errorDto.badRequest(['assetId must be a UUID']));
-    });
-
    it("should not show other users' favorites", async () => {
      const { status, body } = await request(app)
        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
@@ -323,12 +301,6 @@ describe('/albums', () => {
  });

  describe('GET /albums/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/albums/${user1Albums[0].id}`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should return album info for own album', async () => {
      const { status, body } = await request(app)
        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
@@ -421,12 +393,6 @@ describe('/albums', () => {
  });

  describe('GET /albums/statistics', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/albums/statistics');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should return total count of albums the user has access to', async () => {
      const { status, body } = await request(app)
        .get('/albums/statistics')
@@ -438,12 +404,6 @@ describe('/albums', () => {
  });

  describe('POST /albums', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post('/albums').send({ albumName: 'New album' });
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should create an album', async () => {
      const { status, body } = await request(app)
        .post('/albums')
@@ -471,12 +431,6 @@ describe('/albums', () => {
  });

  describe('PUT /albums/:id/assets', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).put(`/albums/${user1Albums[0].id}/assets`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should be able to add own asset to own album', async () => {
      const asset = await utils.createAsset(user1.accessToken);
      const { status, body } = await request(app)
@@ -526,14 +480,6 @@ describe('/albums', () => {
  });

  describe('PATCH /albums/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app)
-        .patch(`/albums/${uuidDto.notFound}`)
-        .send({ albumName: 'New album name' });
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should update an album', async () => {
      const album = await utils.createAlbum(user1.accessToken, {
        albumName: 'New album',
@@ -576,15 +522,6 @@ describe('/albums', () => {
  });

  describe('DELETE /albums/:id/assets', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app)
-        .delete(`/albums/${user1Albums[0].id}/assets`)
-        .send({ ids: [user1Asset1.id] });
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should require authorization', async () => {
      const { status, body } = await request(app)
        .delete(`/albums/${user1Albums[1].id}/assets`)
@@ -679,13 +616,6 @@ describe('/albums', () => {
      });
    });

-    it('should require authentication', async () => {
-      const { status, body } = await request(app).put(`/albums/${user1Albums[0].id}/users`).send({ sharedUserIds: [] });
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should be able to add user to own album', async () => {
      const { status, body } = await request(app)
        .put(`/albums/${album.id}/users`)
--- a/e2e/src/api/specs/api-key.e2e-spec.ts
+++ b/e2e/src/api/specs/api-key.e2e-spec.ts
@@ -1,5 +1,5 @@
 import { LoginResponseDto, Permission, createApiKey } from '@immich/sdk';
-import { createUserDto, uuidDto } from 'src/fixtures';
+import { createUserDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
 import { app, asBearerAuth, utils } from 'src/utils';
 import request from 'supertest';
@@ -24,12 +24,6 @@ describe('/api-keys', () => {
  });

  describe('POST /api-keys', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post('/api-keys').send({ name: 'API Key' });
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should not work without permission', async () => {
      const { secret } = await create(user.accessToken, [Permission.ApiKeyRead]);
      const { status, body } = await request(app).post('/api-keys').set('x-api-key', secret).send({ name: 'API Key' });
@@ -99,12 +93,6 @@ describe('/api-keys', () => {
  });

  describe('GET /api-keys', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/api-keys');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should start off empty', async () => {
      const { status, body } = await request(app).get('/api-keys').set('Authorization', `Bearer ${admin.accessToken}`);
      expect(body).toEqual([]);
@@ -125,12 +113,6 @@ describe('/api-keys', () => {
  });

  describe('GET /api-keys/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/api-keys/${uuidDto.notFound}`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should require authorization', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -140,14 +122,6 @@ describe('/api-keys', () => {
      expect(body).toEqual(errorDto.badRequest('API Key not found'));
    });

-    it('should require a valid uuid', async () => {
-      const { status, body } = await request(app)
-        .get(`/api-keys/${uuidDto.invalid}`)
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
-    });
-
    it('should get api key details', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -165,12 +139,6 @@ describe('/api-keys', () => {
  });

  describe('PUT /api-keys/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).put(`/api-keys/${uuidDto.notFound}`).send({ name: 'new name' });
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should require authorization', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -181,15 +149,6 @@ describe('/api-keys', () => {
      expect(body).toEqual(errorDto.badRequest('API Key not found'));
    });

-    it('should require a valid uuid', async () => {
-      const { status, body } = await request(app)
-        .put(`/api-keys/${uuidDto.invalid}`)
-        .send({ name: 'new name' })
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
-    });
-
    it('should update api key details', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -208,12 +167,6 @@ describe('/api-keys', () => {
  });

  describe('DELETE /api-keys/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).delete(`/api-keys/${uuidDto.notFound}`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should require authorization', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status, body } = await request(app)
@@ -223,14 +176,6 @@ describe('/api-keys', () => {
      expect(body).toEqual(errorDto.badRequest('API Key not found'));
    });

-    it('should require a valid uuid', async () => {
-      const { status, body } = await request(app)
-        .delete(`/api-keys/${uuidDto.invalid}`)
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
-    });
-
    it('should delete an api key', async () => {
      const { apiKey } = await create(user.accessToken, [Permission.All]);
      const { status } = await request(app)
--- a/e2e/src/api/specs/asset.e2e-spec.ts
+++ b/e2e/src/api/specs/asset.e2e-spec.ts
@@ -3,6 +3,7 @@ import {
  AssetMediaStatus,
  AssetResponseDto,
  AssetTypeEnum,
+  AssetVisibility,
  getAssetInfo,
  getMyUser,
  LoginResponseDto,
@@ -22,27 +23,9 @@ import { app, asBearerAuth, tempDir, TEN_TIMES, testAssetDir, utils } from 'src/
 import request from 'supertest';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';

-const makeUploadDto = (options?: { omit: string }): Record<string, any> => {
-  const dto: Record<string, any> = {
-    deviceAssetId: 'example-image',
-    deviceId: 'TEST',
-    fileCreatedAt: new Date().toISOString(),
-    fileModifiedAt: new Date().toISOString(),
-    isFavorite: 'testing',
-    duration: '0:00:00.000000',
-  };
-
-  const omit = options?.omit;
-  if (omit) {
-    delete dto[omit];
-  }
-
-  return dto;
-};
-
 const locationAssetFilepath = `${testAssetDir}/metadata/gps-position/thompson-springs.jpg`;
 const ratingAssetFilepath = `${testAssetDir}/metadata/rating/mongolels.jpg`;
-const facesAssetFilepath = `${testAssetDir}/metadata/faces/portrait.jpg`;
+const facesAssetDir = `${testAssetDir}/metadata/faces`;

 const readTags = async (bytes: Buffer, filename: string) => {
  const filepath = join(tempDir, filename);
@@ -137,9 +120,9 @@ describe('/asset', () => {
      // stats
      utils.createAsset(statsUser.accessToken),
      utils.createAsset(statsUser.accessToken, { isFavorite: true }),
-      utils.createAsset(statsUser.accessToken, { isArchived: true }),
+      utils.createAsset(statsUser.accessToken, { visibility: AssetVisibility.Archive }),
      utils.createAsset(statsUser.accessToken, {
-        isArchived: true,
+        visibility: AssetVisibility.Archive,
        isFavorite: true,
        assetData: { filename: 'example.mp4' },
      }),
@@ -160,13 +143,6 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id/original', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/assets/${uuidDto.notFound}/original`);
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should download the file', async () => {
      const response = await request(app)
        .get(`/assets/${user1Assets[0].id}/original`)
@@ -178,20 +154,6 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/assets/${uuidDto.notFound}`);
-      expect(body).toEqual(errorDto.unauthorized);
-      expect(status).toBe(401);
-    });
-
-    it('should require a valid id', async () => {
-      const { status, body } = await request(app)
-        .get(`/assets/${uuidDto.invalid}`)
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
-    });
-
    it('should require access', async () => {
      const { status, body } = await request(app)
        .get(`/assets/${user2Assets[0].id}`)
@@ -224,31 +186,22 @@ describe('/asset', () => {
      });
    });

-    it('should get the asset faces', async () => {
-      const config = await utils.getSystemConfig(admin.accessToken);
-      config.metadata.faces.import = true;
-      await updateConfig({ systemConfigDto: config }, { headers: asBearerAuth(admin.accessToken) });
-
-      // asset faces
-      const facesAsset = await utils.createAsset(admin.accessToken, {
-        assetData: {
+    describe('faces', () => {
+      const metadataFaceTests = [
+        {
+          description: 'without orientation',
          filename: 'portrait.jpg',
-          bytes: await readFile(facesAssetFilepath),
        },
-      });
-
-      await utils.waitForWebsocketEvent({ event: 'assetUpload', id: facesAsset.id });
-
-      const { status, body } = await request(app)
-        .get(`/assets/${facesAsset.id}`)
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toBe(200);
-      expect(body.id).toEqual(facesAsset.id);
-      expect(body.people).toMatchObject([
+        {
+          description: 'adjusting face regions to orientation',
+          filename: 'portrait-orientation-6.jpg',
+        },
+      ];
+      // should produce same resulting face region coordinates for any orientation
+      const expectedFaces = [
        {
          name: 'Marie Curie',
          birthDate: null,
-          thumbnailPath: '',
          isHidden: false,
          faces: [
            {
@@ -265,7 +218,6 @@ describe('/asset', () => {
        {
          name: 'Pierre Curie',
          birthDate: null,
-          thumbnailPath: '',
          isHidden: false,
          faces: [
            {
@@ -279,7 +231,30 @@ describe('/asset', () => {
            },
          ],
        },
-      ]);
+      ];
+
+      it.each(metadataFaceTests)('should get the asset faces from $filename $description', async ({ filename }) => {
+        const config = await utils.getSystemConfig(admin.accessToken);
+        config.metadata.faces.import = true;
+        await updateConfig({ systemConfigDto: config }, { headers: asBearerAuth(admin.accessToken) });
+
+        const facesAsset = await utils.createAsset(admin.accessToken, {
+          assetData: {
+            filename,
+            bytes: await readFile(`${facesAssetDir}/${filename}`),
+          },
+        });
+
+        await utils.waitForWebsocketEvent({ event: 'assetUpload', id: facesAsset.id });
+
+        const { status, body } = await request(app)
+          .get(`/assets/${facesAsset.id}`)
+          .set('Authorization', `Bearer ${admin.accessToken}`);
+
+        expect(status).toBe(200);
+        expect(body.id).toEqual(facesAsset.id);
+        expect(body.people).toMatchObject(expectedFaces);
+      });
    });

    it('should work with a shared link', async () => {
@@ -333,7 +308,7 @@ describe('/asset', () => {
      });

      it('disallows viewing archived assets', async () => {
-        const asset = await utils.createAsset(user1.accessToken, { isArchived: true });
+        const asset = await utils.createAsset(user1.accessToken, { visibility: AssetVisibility.Archive });

        const { status } = await request(app)
          .get(`/assets/${asset.id}`)
@@ -354,13 +329,6 @@ describe('/asset', () => {
  });

  describe('GET /assets/statistics', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/assets/statistics');
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should return stats of all assets', async () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
@@ -384,7 +352,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
        .set('Authorization', `Bearer ${statsUser.accessToken}`)
-        .query({ isArchived: true });
+        .query({ visibility: AssetVisibility.Archive });

      expect(status).toBe(200);
      expect(body).toEqual({ images: 1, videos: 1, total: 2 });
@@ -394,7 +362,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
        .set('Authorization', `Bearer ${statsUser.accessToken}`)
-        .query({ isFavorite: true, isArchived: true });
+        .query({ isFavorite: true, visibility: AssetVisibility.Archive });

      expect(status).toBe(200);
      expect(body).toEqual({ images: 0, videos: 1, total: 1 });
@@ -404,7 +372,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .get('/assets/statistics')
        .set('Authorization', `Bearer ${statsUser.accessToken}`)
-        .query({ isFavorite: false, isArchived: false });
+        .query({ isFavorite: false, visibility: AssetVisibility.Timeline });

      expect(status).toBe(200);
      expect(body).toEqual({ images: 1, videos: 0, total: 1 });
@@ -425,13 +393,6 @@ describe('/asset', () => {
      await utils.waitForQueueFinish(admin.accessToken, 'thumbnailGeneration');
    });

-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/assets/random');
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it.each(TEN_TIMES)('should return 1 random assets', async () => {
      const { status, body } = await request(app)
        .get('/assets/random')
@@ -467,31 +428,9 @@ describe('/asset', () => {
      expect(status).toBe(200);
      expect(body).toEqual([expect.objectContaining({ id: user2Assets[0].id })]);
    });
-
-    it('should return error', async () => {
-      const { status } = await request(app)
-        .get('/assets/random?count=ABC')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-
-      expect(status).toBe(400);
-    });
  });

  describe('PUT /assets/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).put(`/assets/:${uuidDto.notFound}`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should require a valid id', async () => {
-      const { status, body } = await request(app)
-        .put(`/assets/${uuidDto.invalid}`)
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['id must be a UUID']));
-    });
-
    it('should require access', async () => {
      const { status, body } = await request(app)
        .put(`/assets/${user2Assets[0].id}`)
@@ -519,7 +458,7 @@ describe('/asset', () => {
      const { status, body } = await request(app)
        .put(`/assets/${user1Assets[0].id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ isArchived: true });
+        .send({ visibility: AssetVisibility.Archive });
      expect(body).toMatchObject({ id: user1Assets[0].id, isArchived: true });
      expect(status).toEqual(200);
    });
@@ -619,28 +558,6 @@ describe('/asset', () => {
      expect(status).toEqual(200);
    });

-    it('should reject invalid gps coordinates', async () => {
-      for (const test of [
-        { latitude: 12 },
-        { longitude: 12 },
-        { latitude: 12, longitude: 'abc' },
-        { latitude: 'abc', longitude: 12 },
-        { latitude: null, longitude: 12 },
-        { latitude: 12, longitude: null },
-        { latitude: 91, longitude: 12 },
-        { latitude: -91, longitude: 12 },
-        { latitude: 12, longitude: -181 },
-        { latitude: 12, longitude: 181 },
-      ]) {
-        const { status, body } = await request(app)
-          .put(`/assets/${user1Assets[0].id}`)
-          .send(test)
-          .set('Authorization', `Bearer ${user1.accessToken}`);
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest());
-      }
-    });
-
    it('should update gps data', async () => {
      const { status, body } = await request(app)
        .put(`/assets/${user1Assets[0].id}`)
@@ -712,17 +629,6 @@ describe('/asset', () => {
      expect(status).toEqual(200);
    });

-    it('should reject invalid rating', async () => {
-      for (const test of [{ rating: 7 }, { rating: 3.5 }, { rating: null }]) {
-        const { status, body } = await request(app)
-          .put(`/assets/${user1Assets[0].id}`)
-          .send(test)
-          .set('Authorization', `Bearer ${user1.accessToken}`);
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest());
-      }
-    });
-
    it('should return tagged people', async () => {
      const { status, body } = await request(app)
        .put(`/assets/${user1Assets[0].id}`)
@@ -746,25 +652,6 @@ describe('/asset', () => {
  });

  describe('DELETE /assets', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app)
-        .delete(`/assets`)
-        .send({ ids: [uuidDto.notFound] });
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should require a valid uuid', async () => {
-      const { status, body } = await request(app)
-        .delete(`/assets`)
-        .send({ ids: [uuidDto.invalid] })
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['each value in ids must be a UUID']));
-    });
-
    it('should throw an error when the id is not found', async () => {
      const { status, body } = await request(app)
        .delete(`/assets`)
@@ -877,13 +764,6 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id/thumbnail', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/assets/${locationAsset.id}/thumbnail`);
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should not include gps data for webp thumbnails', async () => {
      await utils.waitForWebsocketEvent({
        event: 'assetUpload',
@@ -919,13 +799,6 @@ describe('/asset', () => {
  });

  describe('GET /assets/:id/original', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/assets/${locationAsset.id}/original`);
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should download the original', async () => {
      const { status, body, type } = await request(app)
        .get(`/assets/${locationAsset.id}/original`)
@@ -946,43 +819,9 @@ describe('/asset', () => {
    });
  });

-  describe('PUT /assets', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).put('/assets');
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-  });
-
  describe('POST /assets', () => {
    beforeAll(setupTests, 30_000);

-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post(`/assets`);
-      expect(body).toEqual(errorDto.unauthorized);
-      expect(status).toBe(401);
-    });
-
-    it.each([
-      { should: 'require `deviceAssetId`', dto: { ...makeUploadDto({ omit: 'deviceAssetId' }) } },
-      { should: 'require `deviceId`', dto: { ...makeUploadDto({ omit: 'deviceId' }) } },
-      { should: 'require `fileCreatedAt`', dto: { ...makeUploadDto({ omit: 'fileCreatedAt' }) } },
-      { should: 'require `fileModifiedAt`', dto: { ...makeUploadDto({ omit: 'fileModifiedAt' }) } },
-      { should: 'require `duration`', dto: { ...makeUploadDto({ omit: 'duration' }) } },
-      { should: 'throw if `isFavorite` is not a boolean', dto: { ...makeUploadDto(), isFavorite: 'not-a-boolean' } },
-      { should: 'throw if `isVisible` is not a boolean', dto: { ...makeUploadDto(), isVisible: 'not-a-boolean' } },
-      { should: 'throw if `isArchived` is not a boolean', dto: { ...makeUploadDto(), isArchived: 'not-a-boolean' } },
-    ])('should $should', async ({ dto }) => {
-      const { status, body } = await request(app)
-        .post('/assets')
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .attach('assetData', makeRandomImage(), 'example.png')
-        .field(dto);
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest());
-    });
-
    const tests = [
      {
        input: 'formats/avif/8bit-sRGB.avif',
@@ -1141,7 +980,7 @@ describe('/asset', () => {
            fNumber: 8,
            focalLength: 97,
            iso: 100,
-            lensModel: 'E PZ 18-105mm F4 G OSS',
+            lensModel: 'Sony E PZ 18-105mm F4 G OSS',
            fileSizeInByte: 25_001_984,
            dateTimeOriginal: '2016-09-27T10:51:44+00:00',
            orientation: '1',
@@ -1163,7 +1002,7 @@ describe('/asset', () => {
            fNumber: 22,
            focalLength: 25,
            iso: 100,
-            lensModel: 'E 25mm F2',
+            lensModel: 'Zeiss Batis 25mm F2',
            fileSizeInByte: 49_512_448,
            dateTimeOriginal: '2016-01-08T14:08:01+00:00',
            orientation: '1',
@@ -1234,7 +1073,7 @@ describe('/asset', () => {
            focalLength: 18.3,
            iso: 100,
            latitude: 36.613_24,
-            lensModel: 'GR LENS 18.3mm F2.8',
+            lensModel: '18.3mm F2.8',
            longitude: -121.897_85,
            make: 'RICOH IMAGING COMPANY, LTD.',
            model: 'RICOH GR III',
@@ -1244,31 +1083,21 @@ describe('/asset', () => {
      },
    ];

-    it(`should upload and generate a thumbnail for different file types`, async () => {
-      // upload in parallel
-      const assets = await Promise.all(
-        tests.map(async ({ input }) => {
-          const filepath = join(testAssetDir, input);
-          return utils.createAsset(admin.accessToken, {
-            assetData: { bytes: await readFile(filepath), filename: basename(filepath) },
-          });
-        }),
-      );
+    it.each(tests)(`should upload and generate a thumbnail for different file types`, async ({ input, expected }) => {
+      const filepath = join(testAssetDir, input);
+      const response = await utils.createAsset(admin.accessToken, {
+        assetData: { bytes: await readFile(filepath), filename: basename(filepath) },
+      });

-      for (const { id, status } of assets) {
-        expect(status).toBe(AssetMediaStatus.Created);
-        // longer timeout as the thumbnail generation from full-size raw files can take a while
-        await utils.waitForWebsocketEvent({ event: 'assetUpload', id });
-      }
+      expect(response.status).toBe(AssetMediaStatus.Created);
+      const id = response.id;
+      // longer timeout as the thumbnail generation from full-size raw files can take a while
+      await utils.waitForWebsocketEvent({ event: 'assetUpload', id });

-      for (const [i, { id }] of assets.entries()) {
-        const { expected } = tests[i];
-        const asset = await utils.getAssetInfo(admin.accessToken, id);
-
-        expect(asset.exifInfo).toBeDefined();
-        expect(asset.exifInfo).toMatchObject(expected.exifInfo);
-        expect(asset).toMatchObject(expected);
-      }
+      const asset = await utils.getAssetInfo(admin.accessToken, id);
+      expect(asset.exifInfo).toBeDefined();
+      expect(asset.exifInfo).toMatchObject(expected.exifInfo);
+      expect(asset).toMatchObject(expected);
    });

    it('should handle a duplicate', async () => {
--- a/e2e/src/api/specs/audit.e2e-spec.ts
+++ b/e2e/src/api/specs/audit.e2e-spec.ts
@@ -1,43 +0,0 @@
-import { deleteAssets, getAuditFiles, updateAsset, type LoginResponseDto } from '@immich/sdk';
-import { asBearerAuth, utils } from 'src/utils';
-import { beforeAll, describe, expect, it } from 'vitest';
-
-describe('/audits', () => {
-  let admin: LoginResponseDto;
-
-  beforeAll(async () => {
-    await utils.resetDatabase();
-    await utils.resetFilesystem();
-
-    admin = await utils.adminSetup();
-  });
-
-  // TODO: Enable these tests again once #7436 is resolved as these were flaky
-  describe.skip('GET :/file-report', () => {
-    it('excludes assets without issues from report', async () => {
-      const [trashedAsset, archivedAsset] = await Promise.all([
-        utils.createAsset(admin.accessToken),
-        utils.createAsset(admin.accessToken),
-        utils.createAsset(admin.accessToken),
-      ]);
-
-      await Promise.all([
-        deleteAssets({ assetBulkDeleteDto: { ids: [trashedAsset.id] } }, { headers: asBearerAuth(admin.accessToken) }),
-        updateAsset(
-          {
-            id: archivedAsset.id,
-            updateAssetDto: { isArchived: true },
-          },
-          { headers: asBearerAuth(admin.accessToken) },
-        ),
-      ]);
-
-      const body = await getAuditFiles({
-        headers: asBearerAuth(admin.accessToken),
-      });
-
-      expect(body.orphans).toHaveLength(0);
-      expect(body.extras).toHaveLength(0);
-    });
-  });
-});
--- a/e2e/src/api/specs/auth.e2e-spec.ts
+++ b/e2e/src/api/specs/auth.e2e-spec.ts
@@ -5,7 +5,7 @@ import { app, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeEach, describe, expect, it } from 'vitest';

-const { name, email, password } = signupDto.admin;
+const { email, password } = signupDto.admin;

 describe(`/auth/admin-sign-up`, () => {
  beforeEach(async () => {
@@ -13,58 +13,12 @@ describe(`/auth/admin-sign-up`, () => {
  });

  describe('POST /auth/admin-sign-up', () => {
-    const invalid = [
-      {
-        should: 'require an email address',
-        data: { name, password },
-      },
-      {
-        should: 'require a password',
-        data: { name, email },
-      },
-      {
-        should: 'require a name',
-        data: { email, password },
-      },
-      {
-        should: 'require a valid email',
-        data: { name, email: 'immich', password },
-      },
-    ];
-
-    for (const { should, data } of invalid) {
-      it(`should ${should}`, async () => {
-        const { status, body } = await request(app).post('/auth/admin-sign-up').send(data);
-        expect(status).toEqual(400);
-        expect(body).toEqual(errorDto.badRequest());
-      });
-    }
-
    it(`should sign up the admin`, async () => {
      const { status, body } = await request(app).post('/auth/admin-sign-up').send(signupDto.admin);
      expect(status).toBe(201);
      expect(body).toEqual(signupResponseDto.admin);
    });

-    it('should sign up the admin with a local domain', async () => {
-      const { status, body } = await request(app)
-        .post('/auth/admin-sign-up')
-        .send({ ...signupDto.admin, email: 'admin@local' });
-      expect(status).toEqual(201);
-      expect(body).toEqual({
-        ...signupResponseDto.admin,
-        email: 'admin@local',
-      });
-    });
-
-    it('should transform email to lower case', async () => {
-      const { status, body } = await request(app)
-        .post('/auth/admin-sign-up')
-        .send({ ...signupDto.admin, email: 'aDmIn@IMMICH.cloud' });
-      expect(status).toEqual(201);
-      expect(body).toEqual(signupResponseDto.admin);
-    });
-
    it('should not allow a second admin to sign up', async () => {
      await signUpAdmin({ signUpDto: signupDto.admin });

@@ -92,22 +46,6 @@ describe('/auth/*', () => {
      expect(body).toEqual(errorDto.incorrectLogin);
    });

-    for (const key of Object.keys(loginDto.admin)) {
-      it(`should not allow null ${key}`, async () => {
-        const { status, body } = await request(app)
-          .post('/auth/login')
-          .send({ ...loginDto.admin, [key]: null });
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest());
-      });
-
-      it('should reject an invalid email', async () => {
-        const { status, body } = await request(app).post('/auth/login').send({ email: [], password });
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.invalidEmail);
-      });
-    }
-
    it('should accept a correct password', async () => {
      const { status, body, headers } = await request(app).post('/auth/login').send({ email, password });
      expect(status).toBe(201);
@@ -162,14 +100,6 @@ describe('/auth/*', () => {
  });

  describe('POST /auth/change-password', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app)
-        .post(`/auth/change-password`)
-        .send({ password, newPassword: 'Password1234' });
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should require the current password', async () => {
      const { status, body } = await request(app)
        .post(`/auth/change-password`)
--- a/e2e/src/api/specs/download.e2e-spec.ts
+++ b/e2e/src/api/specs/download.e2e-spec.ts
@@ -1,6 +1,5 @@
 import { AssetMediaResponseDto, LoginResponseDto } from '@immich/sdk';
 import { readFile, writeFile } from 'node:fs/promises';
-import { errorDto } from 'src/responses';
 import { app, tempDir, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeAll, describe, expect, it } from 'vitest';
@@ -17,15 +16,6 @@ describe('/download', () => {
  });

  describe('POST /download/info', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app)
-        .post(`/download/info`)
-        .send({ assetIds: [asset1.id] });
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should download info', async () => {
      const { status, body } = await request(app)
        .post('/download/info')
@@ -42,15 +32,6 @@ describe('/download', () => {
  });

  describe('POST /download/archive', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app)
-        .post(`/download/archive`)
-        .send({ assetIds: [asset1.id, asset2.id] });
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should download an archive', async () => {
      const { status, body } = await request(app)
        .post('/download/archive')
--- a/e2e/src/api/specs/map.e2e-spec.ts
+++ b/e2e/src/api/specs/map.e2e-spec.ts
@@ -1,4 +1,4 @@
-import { LoginResponseDto } from '@immich/sdk';
+import { AssetVisibility, LoginResponseDto } from '@immich/sdk';
 import { readFile } from 'node:fs/promises';
 import { basename, join } from 'node:path';
 import { Socket } from 'socket.io-client';
@@ -44,7 +44,7 @@ describe('/map', () => {
    it('should get map markers for all non-archived assets', async () => {
      const { status, body } = await request(app)
        .get('/map/markers')
-        .query({ isArchived: false })
+        .query({ visibility: AssetVisibility.Timeline })
        .set('Authorization', `Bearer ${admin.accessToken}`);

      expect(status).toBe(200);
--- a/e2e/src/api/specs/oauth.e2e-spec.ts
+++ b/e2e/src/api/specs/oauth.e2e-spec.ts
@@ -6,6 +6,7 @@ import {
  startOAuth,
  updateConfig,
 } from '@immich/sdk';
+import { createHash, randomBytes } from 'node:crypto';
 import { errorDto } from 'src/responses';
 import { OAuthClient, OAuthUser } from 'src/setup/auth-server';
 import { app, asBearerAuth, baseUrl, utils } from 'src/utils';
@@ -21,18 +22,30 @@ const mobileOverrideRedirectUri = 'https://photos.immich.app/oauth/mobile-redire

 const redirect = async (url: string, cookies?: string[]) => {
  const { headers } = await request(url)
-    .get('/')
+    .get('')
    .set('Cookie', cookies || []);
  return { cookies: (headers['set-cookie'] as unknown as string[]) || [], location: headers.location };
 };

+// Function to generate a code challenge from the verifier
+const generateCodeChallenge = async (codeVerifier: string): Promise<string> => {
+  const hashed = createHash('sha256').update(codeVerifier).digest();
+  return hashed.toString('base64url');
+};
+
 const loginWithOAuth = async (sub: OAuthUser | string, redirectUri?: string) => {
-  const { url } = await startOAuth({ oAuthConfigDto: { redirectUri: redirectUri ?? `${baseUrl}/auth/login` } });
+  const state = randomBytes(16).toString('base64url');
+  const codeVerifier = randomBytes(64).toString('base64url');
+  const codeChallenge = await generateCodeChallenge(codeVerifier);
+
+  const { url } = await startOAuth({
+    oAuthConfigDto: { redirectUri: redirectUri ?? `${baseUrl}/auth/login`, state, codeChallenge },
+  });

  // login
  const response1 = await redirect(url.replace(authServer.internal, authServer.external));
  const response2 = await request(authServer.external + response1.location)
-    .post('/')
+    .post('')
    .set('Cookie', response1.cookies)
    .type('form')
    .send({ prompt: 'login', login: sub, password: 'password' });
@@ -40,7 +53,7 @@ const loginWithOAuth = async (sub: OAuthUser | string, redirectUri?: string) =>
  // approve
  const response3 = await redirect(response2.header.location, response1.cookies);
  const response4 = await request(authServer.external + response3.location)
-    .post('/')
+    .post('')
    .type('form')
    .set('Cookie', response3.cookies)
    .send({ prompt: 'consent' });
@@ -51,9 +64,9 @@ const loginWithOAuth = async (sub: OAuthUser | string, redirectUri?: string) =>
  expect(redirectUrl).toBeDefined();
  const params = new URL(redirectUrl).searchParams;
  expect(params.get('code')).toBeDefined();
-  expect(params.get('state')).toBeDefined();
+  expect(params.get('state')).toBe(state);

-  return redirectUrl;
+  return { url: redirectUrl, state, codeVerifier };
 };

 const setupOAuth = async (token: string, dto: Partial<SystemConfigOAuthDto>) => {
@@ -119,9 +132,42 @@ describe(`/oauth`, () => {
      expect(body).toEqual(errorDto.badRequest(['url should not be empty']));
    });

-    it('should auto register the user by default', async () => {
-      const url = await loginWithOAuth('oauth-auto-register');
+    it(`should throw an error if the state is not provided`, async () => {
+      const { url } = await loginWithOAuth('oauth-auto-register');
      const { status, body } = await request(app).post('/oauth/callback').send({ url });
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('OAuth state is missing'));
+    });
+
+    it(`should throw an error if the state mismatches`, async () => {
+      const callbackParams = await loginWithOAuth('oauth-auto-register');
+      const { state } = await loginWithOAuth('oauth-auto-register');
+      const { status } = await request(app)
+        .post('/oauth/callback')
+        .send({ ...callbackParams, state });
+      expect(status).toBeGreaterThanOrEqual(400);
+    });
+
+    it(`should throw an error if the codeVerifier is not provided`, async () => {
+      const { url, state } = await loginWithOAuth('oauth-auto-register');
+      const { status, body } = await request(app).post('/oauth/callback').send({ url, state });
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('OAuth code verifier is missing'));
+    });
+
+    it(`should throw an error if the codeVerifier doesn't match the challenge`, async () => {
+      const callbackParams = await loginWithOAuth('oauth-auto-register');
+      const { codeVerifier } = await loginWithOAuth('oauth-auto-register');
+      const { status, body } = await request(app)
+        .post('/oauth/callback')
+        .send({ ...callbackParams, codeVerifier });
+      console.log(body);
+      expect(status).toBeGreaterThanOrEqual(400);
+    });
+
+    it('should auto register the user by default', async () => {
+      const callbackParams = await loginWithOAuth('oauth-auto-register');
+      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(201);
      expect(body).toMatchObject({
        accessToken: expect.any(String),
@@ -132,16 +178,30 @@ describe(`/oauth`, () => {
      });
    });

+    it('should allow passing state and codeVerifier via cookies', async () => {
+      const { url, state, codeVerifier } = await loginWithOAuth('oauth-auto-register');
+      const { status, body } = await request(app)
+        .post('/oauth/callback')
+        .set('Cookie', [`immich_oauth_state=${state}`, `immich_oauth_code_verifier=${codeVerifier}`])
+        .send({ url });
+      expect(status).toBe(201);
+      expect(body).toMatchObject({
+        accessToken: expect.any(String),
+        userId: expect.any(String),
+        userEmail: 'oauth-auto-register@immich.app',
+      });
+    });
+
    it('should handle a user without an email', async () => {
-      const url = await loginWithOAuth(OAuthUser.NO_EMAIL);
-      const { status, body } = await request(app).post('/oauth/callback').send({ url });
+      const callbackParams = await loginWithOAuth(OAuthUser.NO_EMAIL);
+      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(400);
      expect(body).toEqual(errorDto.badRequest('OAuth profile does not have an email address'));
    });

    it('should set the quota from a claim', async () => {
-      const url = await loginWithOAuth(OAuthUser.WITH_QUOTA);
-      const { status, body } = await request(app).post('/oauth/callback').send({ url });
+      const callbackParams = await loginWithOAuth(OAuthUser.WITH_QUOTA);
+      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(201);
      expect(body).toMatchObject({
        accessToken: expect.any(String),
@@ -154,8 +214,8 @@ describe(`/oauth`, () => {
    });

    it('should set the storage label from a claim', async () => {
-      const url = await loginWithOAuth(OAuthUser.WITH_USERNAME);
-      const { status, body } = await request(app).post('/oauth/callback').send({ url });
+      const callbackParams = await loginWithOAuth(OAuthUser.WITH_USERNAME);
+      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(201);
      expect(body).toMatchObject({
        accessToken: expect.any(String),
@@ -176,8 +236,8 @@ describe(`/oauth`, () => {
        buttonText: 'Login with Immich',
        signingAlgorithm: 'RS256',
      });
-      const url = await loginWithOAuth('oauth-RS256-token');
-      const { status, body } = await request(app).post('/oauth/callback').send({ url });
+      const callbackParams = await loginWithOAuth('oauth-RS256-token');
+      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(201);
      expect(body).toMatchObject({
        accessToken: expect.any(String),
@@ -196,8 +256,8 @@ describe(`/oauth`, () => {
        buttonText: 'Login with Immich',
        profileSigningAlgorithm: 'RS256',
      });
-      const url = await loginWithOAuth('oauth-signed-profile');
-      const { status, body } = await request(app).post('/oauth/callback').send({ url });
+      const callbackParams = await loginWithOAuth('oauth-signed-profile');
+      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(201);
      expect(body).toMatchObject({
        userId: expect.any(String),
@@ -213,8 +273,8 @@ describe(`/oauth`, () => {
        buttonText: 'Login with Immich',
        signingAlgorithm: 'something-that-does-not-work',
      });
-      const url = await loginWithOAuth('oauth-signed-bad');
-      const { status, body } = await request(app).post('/oauth/callback').send({ url });
+      const callbackParams = await loginWithOAuth('oauth-signed-bad');
+      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(500);
      expect(body).toMatchObject({
        error: 'Internal Server Error',
@@ -235,8 +295,8 @@ describe(`/oauth`, () => {
      });

      it('should not auto register the user', async () => {
-        const url = await loginWithOAuth('oauth-no-auto-register');
-        const { status, body } = await request(app).post('/oauth/callback').send({ url });
+        const callbackParams = await loginWithOAuth('oauth-no-auto-register');
+        const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
        expect(status).toBe(400);
        expect(body).toEqual(errorDto.badRequest('User does not exist and auto registering is disabled.'));
      });
@@ -247,8 +307,8 @@ describe(`/oauth`, () => {
          email: 'oauth-user3@immich.app',
          password: 'password',
        });
-        const url = await loginWithOAuth('oauth-user3');
-        const { status, body } = await request(app).post('/oauth/callback').send({ url });
+        const callbackParams = await loginWithOAuth('oauth-user3');
+        const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
        expect(status).toBe(201);
        expect(body).toMatchObject({
          userId,
@@ -286,13 +346,15 @@ describe(`/oauth`, () => {
    });

    it('should auto register the user by default', async () => {
-      const url = await loginWithOAuth('oauth-mobile-override', 'app.immich:///oauth-callback');
-      expect(url).toEqual(expect.stringContaining(mobileOverrideRedirectUri));
+      const callbackParams = await loginWithOAuth('oauth-mobile-override', 'app.immich:///oauth-callback');
+      expect(callbackParams.url).toEqual(expect.stringContaining(mobileOverrideRedirectUri));

      // simulate redirecting back to mobile app
-      const redirectUri = url.replace(mobileOverrideRedirectUri, 'app.immich:///oauth-callback');
+      const url = callbackParams.url.replace(mobileOverrideRedirectUri, 'app.immich:///oauth-callback');

-      const { status, body } = await request(app).post('/oauth/callback').send({ url: redirectUri });
+      const { status, body } = await request(app)
+        .post('/oauth/callback')
+        .send({ ...callbackParams, url });
      expect(status).toBe(201);
      expect(body).toMatchObject({
        accessToken: expect.any(String),
--- a/e2e/src/api/specs/person.e2e-spec.ts
+++ b/e2e/src/api/specs/person.e2e-spec.ts
@@ -5,22 +5,6 @@ import { app, asBearerAuth, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeAll, beforeEach, describe, expect, it } from 'vitest';

-const invalidBirthday = [
-  {
-    birthDate: 'false',
-    response: ['birthDate must be a string in the format yyyy-MM-dd', 'Birth date cannot be in the future'],
-  },
-  {
-    birthDate: '123567',
-    response: ['birthDate must be a string in the format yyyy-MM-dd', 'Birth date cannot be in the future'],
-  },
-  {
-    birthDate: 123_567,
-    response: ['birthDate must be a string in the format yyyy-MM-dd', 'Birth date cannot be in the future'],
-  },
-  { birthDate: '9999-01-01', response: ['Birth date cannot be in the future'] },
-];
-
 describe('/people', () => {
  let admin: LoginResponseDto;
  let visiblePerson: PersonResponseDto;
@@ -58,14 +42,6 @@ describe('/people', () => {

  describe('GET /people', () => {
    beforeEach(async () => {});
-
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/people');
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should return all people (including hidden)', async () => {
      const { status, body } = await request(app)
        .get('/people')
@@ -117,13 +93,6 @@ describe('/people', () => {
  });

  describe('GET /people/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/people/${uuidDto.notFound}`);
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should throw error if person with id does not exist', async () => {
      const { status, body } = await request(app)
        .get(`/people/${uuidDto.notFound}`)
@@ -144,13 +113,6 @@ describe('/people', () => {
  });

  describe('GET /people/:id/statistics', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/people/${multipleAssetsPerson.id}/statistics`);
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should throw error if person with id does not exist', async () => {
      const { status, body } = await request(app)
        .get(`/people/${uuidDto.notFound}/statistics`)
@@ -171,23 +133,6 @@ describe('/people', () => {
  });

  describe('POST /people', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post(`/people`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    for (const { birthDate, response } of invalidBirthday) {
-      it(`should not accept an invalid birth date [${birthDate}]`, async () => {
-        const { status, body } = await request(app)
-          .post(`/people`)
-          .set('Authorization', `Bearer ${admin.accessToken}`)
-          .send({ birthDate });
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest(response));
-      });
-    }
-
    it('should create a person', async () => {
      const { status, body } = await request(app)
        .post(`/people`)
@@ -223,39 +168,6 @@ describe('/people', () => {
  });

  describe('PUT /people/:id', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).put(`/people/${uuidDto.notFound}`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    for (const { key, type } of [
-      { key: 'name', type: 'string' },
-      { key: 'featureFaceAssetId', type: 'string' },
-      { key: 'isHidden', type: 'boolean value' },
-      { key: 'isFavorite', type: 'boolean value' },
-    ]) {
-      it(`should not allow null ${key}`, async () => {
-        const { status, body } = await request(app)
-          .put(`/people/${visiblePerson.id}`)
-          .set('Authorization', `Bearer ${admin.accessToken}`)
-          .send({ [key]: null });
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest([`${key} must be a ${type}`]));
-      });
-    }
-
-    for (const { birthDate, response } of invalidBirthday) {
-      it(`should not accept an invalid birth date [${birthDate}]`, async () => {
-        const { status, body } = await request(app)
-          .put(`/people/${visiblePerson.id}`)
-          .set('Authorization', `Bearer ${admin.accessToken}`)
-          .send({ birthDate });
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest(response));
-      });
-    }
-
    it('should update a date of birth', async () => {
      const { status, body } = await request(app)
        .put(`/people/${visiblePerson.id}`)
@@ -312,12 +224,6 @@ describe('/people', () => {
  });

  describe('POST /people/:id/merge', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post(`/people/${uuidDto.notFound}/merge`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should not supporting merging a person into themselves', async () => {
      const { status, body } = await request(app)
        .post(`/people/${visiblePerson.id}/merge`)
--- a/e2e/src/api/specs/search.e2e-spec.ts
+++ b/e2e/src/api/specs/search.e2e-spec.ts
@@ -1,9 +1,15 @@
-import { AssetMediaResponseDto, AssetResponseDto, deleteAssets, LoginResponseDto, updateAsset } from '@immich/sdk';
+import {
+  AssetMediaResponseDto,
+  AssetResponseDto,
+  AssetVisibility,
+  deleteAssets,
+  LoginResponseDto,
+  updateAsset,
+} from '@immich/sdk';
 import { DateTime } from 'luxon';
 import { readFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { Socket } from 'socket.io-client';
-import { errorDto } from 'src/responses';
 import { app, asBearerAuth, TEN_TIMES, testAssetDir, utils } from 'src/utils';
 import request from 'supertest';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';
@@ -50,7 +56,7 @@ describe('/search', () => {
      { filename: '/formats/motionphoto/samsung-one-ui-6.heic' },
      { filename: '/formats/motionphoto/samsung-one-ui-5.jpg' },

-      { filename: '/metadata/gps-position/thompson-springs.jpg', dto: { isArchived: true } },
+      { filename: '/metadata/gps-position/thompson-springs.jpg', dto: { visibility: AssetVisibility.Archive } },

      // used for search suggestions
      { filename: '/formats/png/density_plot.png' },
@@ -141,65 +147,6 @@ describe('/search', () => {
  });

  describe('POST /search/metadata', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post('/search/metadata');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    const badTests = [
-      {
-        should: 'should reject page as a string',
-        dto: { page: 'abc' },
-        expected: ['page must not be less than 1', 'page must be an integer number'],
-      },
-      {
-        should: 'should reject page as a decimal',
-        dto: { page: 1.5 },
-        expected: ['page must be an integer number'],
-      },
-      {
-        should: 'should reject page as a negative number',
-        dto: { page: -10 },
-        expected: ['page must not be less than 1'],
-      },
-      {
-        should: 'should reject page as 0',
-        dto: { page: 0 },
-        expected: ['page must not be less than 1'],
-      },
-      {
-        should: 'should reject size as a string',
-        dto: { size: 'abc' },
-        expected: [
-          'size must not be greater than 1000',
-          'size must not be less than 1',
-          'size must be an integer number',
-        ],
-      },
-      {
-        should: 'should reject an invalid size',
-        dto: { size: -1.5 },
-        expected: ['size must not be less than 1', 'size must be an integer number'],
-      },
-      ...['isArchived', 'isFavorite', 'isEncoded', 'isOffline', 'isMotion', 'isVisible'].map((value) => ({
-        should: `should reject ${value} not a boolean`,
-        dto: { [value]: 'immich' },
-        expected: [`${value} must be a boolean value`],
-      })),
-    ];
-
-    for (const { should, dto, expected } of badTests) {
-      it(should, async () => {
-        const { status, body } = await request(app)
-          .post('/search/metadata')
-          .set('Authorization', `Bearer ${admin.accessToken}`)
-          .send(dto);
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest(expected));
-      });
-    }
-
    const searchTests = [
      {
        should: 'should get my assets',
@@ -231,12 +178,12 @@ describe('/search', () => {
        deferred: () => ({ dto: { size: 1, isFavorite: false }, assets: [assetLast] }),
      },
      {
-        should: 'should search by isArchived (true)',
-        deferred: () => ({ dto: { isArchived: true }, assets: [assetSprings] }),
+        should: 'should search by visibility (AssetVisibility.Archive)',
+        deferred: () => ({ dto: { visibility: AssetVisibility.Archive }, assets: [assetSprings] }),
      },
      {
-        should: 'should search by isArchived (false)',
-        deferred: () => ({ dto: { size: 1, isArchived: false }, assets: [assetLast] }),
+        should: 'should search by visibility (AssetVisibility.Timeline)',
+        deferred: () => ({ dto: { size: 1, visibility: AssetVisibility.Timeline }, assets: [assetLast] }),
      },
      {
        should: 'should search by type (image)',
@@ -245,7 +192,7 @@ describe('/search', () => {
      {
        should: 'should search by type (video)',
        deferred: () => ({
-          dto: { type: 'VIDEO' },
+          dto: { type: 'VIDEO', visibility: AssetVisibility.Hidden },
          assets: [
            // the three live motion photos
            { id: expect.any(String) },
@@ -289,13 +236,6 @@ describe('/search', () => {
        should: 'should search by takenAfter (no results)',
        deferred: () => ({ dto: { takenAfter: today.plus({ hour: 1 }).toJSDate() }, assets: [] }),
      },
-      //   {
-      //     should: 'should search by originalPath',
-      //     deferred: () => ({
-      //       dto: { originalPath: asset1.originalPath },
-      //       assets: [asset1],
-      //     }),
-      //   },
      {
        should: 'should search by originalFilename',
        deferred: () => ({
@@ -325,7 +265,7 @@ describe('/search', () => {
        deferred: () => ({
          dto: {
            city: '',
-            isVisible: true,
+            visibility: AssetVisibility.Timeline,
            includeNull: true,
          },
          assets: [assetLast],
@@ -336,7 +276,7 @@ describe('/search', () => {
        deferred: () => ({
          dto: {
            city: null,
-            isVisible: true,
+            visibility: AssetVisibility.Timeline,
            includeNull: true,
          },
          assets: [assetLast],
@@ -357,7 +297,7 @@ describe('/search', () => {
        deferred: () => ({
          dto: {
            state: '',
-            isVisible: true,
+            visibility: AssetVisibility.Timeline,
            withExif: true,
            includeNull: true,
          },
@@ -369,7 +309,7 @@ describe('/search', () => {
        deferred: () => ({
          dto: {
            state: null,
-            isVisible: true,
+            visibility: AssetVisibility.Timeline,
            includeNull: true,
          },
          assets: [assetLast, assetNotocactus],
@@ -390,7 +330,7 @@ describe('/search', () => {
        deferred: () => ({
          dto: {
            country: '',
-            isVisible: true,
+            visibility: AssetVisibility.Timeline,
            includeNull: true,
          },
          assets: [assetLast],
@@ -401,7 +341,7 @@ describe('/search', () => {
        deferred: () => ({
          dto: {
            country: null,
-            isVisible: true,
+            visibility: AssetVisibility.Timeline,
            includeNull: true,
          },
          assets: [assetLast],
@@ -454,14 +394,6 @@ describe('/search', () => {
    }
  });

-  describe('POST /search/smart', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post('/search/smart');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-  });
-
  describe('POST /search/random', () => {
    beforeAll(async () => {
      await Promise.all([
@@ -476,13 +408,6 @@ describe('/search', () => {
      await utils.waitForQueueFinish(admin.accessToken, 'thumbnailGeneration');
    });

-    it('should require authentication', async () => {
-      const { status, body } = await request(app).post('/search/random').send({ size: 1 });
-
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it.each(TEN_TIMES)('should return 1 random assets', async () => {
      const { status, body } = await request(app)
        .post('/search/random')
@@ -512,12 +437,6 @@ describe('/search', () => {
  });

  describe('GET /search/explore', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/search/explore');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should get explore data', async () => {
      const { status, body } = await request(app)
        .get('/search/explore')
@@ -528,12 +447,6 @@ describe('/search', () => {
  });

  describe('GET /search/places', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/search/places');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should get relevant places', async () => {
      const name = 'Paris';

@@ -552,12 +465,6 @@ describe('/search', () => {
  });

  describe('GET /search/cities', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/search/cities');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should get all cities', async () => {
      const { status, body } = await request(app)
        .get('/search/cities')
@@ -576,12 +483,6 @@ describe('/search', () => {
  });

  describe('GET /search/suggestions', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/search/suggestions');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should get suggestions for country (including null)', async () => {
      const { status, body } = await request(app)
        .get('/search/suggestions?type=country&includeNull=true')
--- a/e2e/src/api/specs/shared-link.e2e-spec.ts
+++ b/e2e/src/api/specs/shared-link.e2e-spec.ts
@@ -246,15 +246,7 @@ describe('/shared-links', () => {
      const { status, body } = await request(app).get('/shared-links/me').query({ key: linkWithMetadata.key });

      expect(status).toBe(200);
-      expect(body.assets).toHaveLength(1);
-      expect(body.assets[0]).toEqual(
-        expect.objectContaining({
-          originalFileName: 'example.png',
-          localDateTime: expect.any(String),
-          fileCreatedAt: expect.any(String),
-          exifInfo: expect.any(Object),
-        }),
-      );
+      expect(body.assets).toHaveLength(0);
      expect(body.album).toBeDefined();
    });

--- a/e2e/src/api/specs/timeline.e2e-spec.ts
+++ b/e2e/src/api/specs/timeline.e2e-spec.ts
@@ -1,4 +1,4 @@
-import { AssetMediaResponseDto, LoginResponseDto, SharedLinkType, TimeBucketSize } from '@immich/sdk';
+import { AssetMediaResponseDto, AssetVisibility, LoginResponseDto, SharedLinkType, TimeBucketSize } from '@immich/sdk';
 import { DateTime } from 'luxon';
 import { createUserDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
@@ -104,7 +104,7 @@ describe('/timeline', () => {
      const req1 = await request(app)
        .get('/timeline/buckets')
        .set('Authorization', `Bearer ${timeBucketUser.accessToken}`)
-        .query({ size: TimeBucketSize.Month, withPartners: true, isArchived: true });
+        .query({ size: TimeBucketSize.Month, withPartners: true, visibility: AssetVisibility.Archive });

      expect(req1.status).toBe(400);
      expect(req1.body).toEqual(errorDto.badRequest());
@@ -112,7 +112,7 @@ describe('/timeline', () => {
      const req2 = await request(app)
        .get('/timeline/buckets')
        .set('Authorization', `Bearer ${user.accessToken}`)
-        .query({ size: TimeBucketSize.Month, withPartners: true, isArchived: undefined });
+        .query({ size: TimeBucketSize.Month, withPartners: true, visibility: undefined });

      expect(req2.status).toBe(400);
      expect(req2.body).toEqual(errorDto.badRequest());
--- a/e2e/src/api/specs/user-admin.e2e-spec.ts
+++ b/e2e/src/api/specs/user-admin.e2e-spec.ts
@@ -215,6 +215,19 @@ describe('/admin/users', () => {
      const user = await getMyUser({ headers: asBearerAuth(token.accessToken) });
      expect(user).toMatchObject({ email: nonAdmin.userEmail });
    });
+
+    it('should update the avatar color', async () => {
+      const { status, body } = await request(app)
+        .put(`/admin/users/${admin.userId}`)
+        .send({ avatarColor: 'orange' })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toMatchObject({ avatarColor: 'orange' });
+
+      const after = await getUserAdmin({ id: admin.userId }, { headers: asBearerAuth(admin.accessToken) });
+      expect(after).toMatchObject({ avatarColor: 'orange' });
+    });
  });

  describe('PUT /admin/users/:id/preferences', () => {
@@ -240,19 +253,6 @@ describe('/admin/users', () => {
      expect(after).toMatchObject({ memories: { enabled: false } });
    });

-    it('should update the avatar color', async () => {
-      const { status, body } = await request(app)
-        .put(`/admin/users/${admin.userId}/preferences`)
-        .send({ avatar: { color: 'orange' } })
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-
-      expect(status).toBe(200);
-      expect(body).toMatchObject({ avatar: { color: 'orange' } });
-
-      const after = await getUserPreferencesAdmin({ id: admin.userId }, { headers: asBearerAuth(admin.accessToken) });
-      expect(after).toMatchObject({ avatar: { color: 'orange' } });
-    });
-
    it('should update download archive size', async () => {
      const { status, body } = await request(app)
        .put(`/admin/users/${admin.userId}/preferences`)
--- a/e2e/src/api/specs/user.e2e-spec.ts
+++ b/e2e/src/api/specs/user.e2e-spec.ts
@@ -31,33 +31,7 @@ describe('/users', () => {
    );
  });

-  describe('GET /users', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/users');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    it('should get users', async () => {
-      const { status, body } = await request(app).get('/users').set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toEqual(200);
-      expect(body).toHaveLength(2);
-      expect(body).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ email: 'admin@immich.cloud' }),
-          expect.objectContaining({ email: 'user2@immich.cloud' }),
-        ]),
-      );
-    });
-  });
-
  describe('GET /users/me', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get(`/users/me`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should not work for shared links', async () => {
      const album = await utils.createAlbum(admin.accessToken, { albumName: 'Album' });
      const sharedLink = await utils.createSharedLink(admin.accessToken, {
@@ -99,24 +73,6 @@ describe('/users', () => {
  });

  describe('PUT /users/me', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).put(`/users/me`);
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
-    for (const key of ['email', 'name']) {
-      it(`should not allow null ${key}`, async () => {
-        const dto = { [key]: null };
-        const { status, body } = await request(app)
-          .put(`/users/me`)
-          .set('Authorization', `Bearer ${admin.accessToken}`)
-          .send(dto);
-        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest());
-      });
-    }
-
    it('should update first and last name', async () => {
      const before = await getMyUser({ headers: asBearerAuth(admin.accessToken) });

@@ -183,6 +139,19 @@ describe('/users', () => {
        profileChangedAt: expect.anything(),
      });
    });
+
+    it('should update avatar color', async () => {
+      const { status, body } = await request(app)
+        .put(`/users/me`)
+        .send({ avatarColor: 'blue' })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toMatchObject({ avatarColor: 'blue' });
+
+      const after = await getMyUser({ headers: asBearerAuth(admin.accessToken) });
+      expect(after).toMatchObject({ avatarColor: 'blue' });
+    });
  });

  describe('PUT /users/me/preferences', () => {
@@ -202,19 +171,6 @@ describe('/users', () => {
      expect(after).toMatchObject({ memories: { enabled: false } });
    });

-    it('should update avatar color', async () => {
-      const { status, body } = await request(app)
-        .put(`/users/me/preferences`)
-        .send({ avatar: { color: 'blue' } })
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-
-      expect(status).toBe(200);
-      expect(body).toMatchObject({ avatar: { color: 'blue' } });
-
-      const after = await getMyPreferences({ headers: asBearerAuth(admin.accessToken) });
-      expect(after).toMatchObject({ avatar: { color: 'blue' } });
-    });
-
    it('should require an integer for download archive size', async () => {
      const { status, body } = await request(app)
        .put(`/users/me/preferences`)
@@ -269,11 +225,6 @@ describe('/users', () => {
  });

  describe('GET /users/:id', () => {
-    it('should require authentication', async () => {
-      const { status } = await request(app).get(`/users/${admin.userId}`);
-      expect(status).toEqual(401);
-    });
-
    it('should get the user', async () => {
      const { status, body } = await request(app)
        .get(`/users/${admin.userId}`)
@@ -292,12 +243,6 @@ describe('/users', () => {
  });

  describe('GET /server/license', () => {
-    it('should require authentication', async () => {
-      const { status, body } = await request(app).get('/users/me/license');
-      expect(status).toBe(401);
-      expect(body).toEqual(errorDto.unauthorized);
-    });
-
    it('should return the user license', async () => {
      await request(app)
        .put('/users/me/license')
@@ -315,11 +260,6 @@ describe('/users', () => {
  });

  describe('PUT /users/me/license', () => {
-    it('should require authentication', async () => {
-      const { status } = await request(app).put(`/users/me/license`);
-      expect(status).toEqual(401);
-    });
-
    it('should set the user license', async () => {
      const { status, body } = await request(app)
        .put(`/users/me/license`)
--- a/e2e/src/utils.ts
+++ b/e2e/src/utils.ts
@@ -3,6 +3,7 @@ import {
  AssetMediaCreateDto,
  AssetMediaResponseDto,
  AssetResponseDto,
+  AssetVisibility,
  CheckExistingAssetsDto,
  CreateAlbumDto,
  CreateLibraryDto,
@@ -429,7 +430,10 @@ export const utils = {
  },

  archiveAssets: (accessToken: string, ids: string[]) =>
-    updateAssets({ assetBulkUpdateDto: { ids, isArchived: true } }, { headers: asBearerAuth(accessToken) }),
+    updateAssets(
+      { assetBulkUpdateDto: { ids, visibility: AssetVisibility.Archive } },
+      { headers: asBearerAuth(accessToken) },
+    ),

  deleteAssets: (accessToken: string, ids: string[]) =>
    deleteAssets({ assetBulkDeleteDto: { ids } }, { headers: asBearerAuth(accessToken) }),
--- a/e2e/src/web/specs/auth.e2e-spec.ts
+++ b/e2e/src/web/specs/auth.e2e-spec.ts
@@ -25,7 +25,7 @@ test.describe('Registration', () => {

    // login
    await expect(page).toHaveTitle(/Login/);
-    await page.goto('/auth/login');
+    await page.goto('/auth/login?autoLaunch=0');
    await page.getByLabel('Email').fill('admin@immich.app');
    await page.getByLabel('Password').fill('password');
    await page.getByRole('button', { name: 'Login' }).click();
@@ -59,7 +59,7 @@ test.describe('Registration', () => {
    await context.clearCookies();

    // login
-    await page.goto('/auth/login');
+    await page.goto('/auth/login?autoLaunch=0');
    await page.getByLabel('Email').fill('user@immich.cloud');
    await page.getByLabel('Password').fill('password');
    await page.getByRole('button', { name: 'Login' }).click();
@@ -72,7 +72,7 @@ test.describe('Registration', () => {
    await page.getByRole('button', { name: 'Change password' }).click();

    // login with new password
-    await expect(page).toHaveURL('/auth/login');
+    await expect(page).toHaveURL('/auth/login?autoLaunch=0');
    await page.getByLabel('Email').fill('user@immich.cloud');
    await page.getByLabel('Password').fill('new-password');
    await page.getByRole('button', { name: 'Login' }).click();
--- a/e2e/src/web/specs/photo-viewer.e2e-spec.ts
+++ b/e2e/src/web/specs/photo-viewer.e2e-spec.ts
@@ -8,36 +8,35 @@ function imageLocator(page: Page) {
 test.describe('Photo Viewer', () => {
  let admin: LoginResponseDto;
  let asset: AssetMediaResponseDto;
+  let rawAsset: AssetMediaResponseDto;

  test.beforeAll(async () => {
    utils.initSdk();
    await utils.resetDatabase();
    admin = await utils.adminSetup();
    asset = await utils.createAsset(admin.accessToken);
+    rawAsset = await utils.createAsset(admin.accessToken, { assetData: { filename: 'test.arw' } });
  });

  test.beforeEach(async ({ context, page }) => {
    // before each test, login as user
    await utils.setAuthCookies(context, admin.accessToken);
-    await page.goto('/photos');
    await page.waitForLoadState('networkidle');
  });

-  test('initially shows a loading spinner', async ({ page }) => {
-    await page.route(`/api/assets/${asset.id}/thumbnail**`, async (route) => {
-      // slow down the request for thumbnail, so spinner has chance to show up
-      await new Promise((f) => setTimeout(f, 2000));
-      await route.continue();
-    });
+  test('loads original photo when zoomed', async ({ page }) => {
    await page.goto(`/photos/${asset.id}`);
-    await page.waitForLoadState('load');
-    // this is the spinner
-    await page.waitForSelector('svg[role=status]');
-    await expect(page.getByTestId('loading-spinner')).toBeVisible();
+    await expect.poll(async () => await imageLocator(page).getAttribute('src')).toContain('thumbnail');
+    const box = await imageLocator(page).boundingBox();
+    expect(box).toBeTruthy();
+    const { x, y, width, height } = box!;
+    await page.mouse.move(x + width / 2, y + height / 2);
+    await page.mouse.wheel(0, -1);
+    await expect.poll(async () => await imageLocator(page).getAttribute('src')).toContain('original');
  });

-  test('loads high resolution photo when zoomed', async ({ page }) => {
-    await page.goto(`/photos/${asset.id}`);
+  test('loads fullsize image when zoomed and original is web-incompatible', async ({ page }) => {
+    await page.goto(`/photos/${rawAsset.id}`);
    await expect.poll(async () => await imageLocator(page).getAttribute('src')).toContain('thumbnail');
    const box = await imageLocator(page).boundingBox();
    expect(box).toBeTruthy();
--- a/e2e/src/web/specs/shared-link.e2e-spec.ts
+++ b/e2e/src/web/specs/shared-link.e2e-spec.ts
@@ -47,15 +47,13 @@ test.describe('Shared Links', () => {
    await page.locator(`[data-asset-id="${asset.id}"]`).hover();
    await page.waitForSelector('[data-group] svg');
    await page.getByRole('checkbox').click();
-    await page.getByRole('button', { name: 'Download' }).click();
-    await page.getByText('DOWNLOADING', { exact: true }).waitFor();
+    await Promise.all([page.waitForEvent('download'), page.getByRole('button', { name: 'Download' }).click()]);
  });

  test('download all from shared link', async ({ page }) => {
    await page.goto(`/share/${sharedLink.key}`);
    await page.getByRole('heading', { name: 'Test Album' }).waitFor();
-    await page.getByRole('button', { name: 'Download' }).click();
-    await page.getByText('DOWNLOADING', { exact: true }).waitFor();
+    await Promise.all([page.waitForEvent('download'), page.getByRole('button', { name: 'Download' }).click()]);
  });

  test('enter password for a shared link', async ({ page }) => {
--- a/e2e/test-assets
+++ b/e2e/test-assets
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .14.0
 .15.0