Sync for first alpha release

.github/workflows/build-docker.yml

@@ -1,12 +1,17 @@
 name: Build Docker Image
 
 on:
+  workflow_call:
+    inputs:
+      version:
+        description: Docker image tag to publish alongside latest.
+        required: true
+        type: string
   release:
-    # Run this workflow when a release or pre-release is published
-    types: [published, released, prereleased]
+    # Use the release tag as the single source of truth for published image tags.
+    types: [published, prereleased]
 
 env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
@@ -19,25 +24,47 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
+
+      - name: Prepare image name
+        id: image
+        run: |
+          IMAGE_NAME_LOWER="$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')"
+          echo "name=${IMAGE_NAME_LOWER}" >> "$GITHUB_OUTPUT"
+          echo "uri=${{ env.REGISTRY }}/${IMAGE_NAME_LOWER}" >> "$GITHUB_OUTPUT"
+
+      - name: Resolve image version tag
+        id: version
+        run: |
+          IMAGE_TAG="${{ inputs.version || github.event.release.tag_name }}"
+          if [ -z "${IMAGE_TAG}" ]; then
+            echo "Image tag is required but was not provided."
+            exit 1
+          fi
+          echo "tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ steps.image.outputs.uri }}
+          tags: |
+            type=raw,value=latest
+            type=raw,value=${{ steps.version.outputs.tag }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          push: true
+          tags: |
+            ${{ steps.image.outputs.uri }}:latest
+            ${{ steps.image.outputs.uri }}:${{ steps.version.outputs.tag }}
           labels: ${{ steps.meta.outputs.labels }}

.github/workflows/code-quality.yml

@@ -10,9 +10,9 @@ jobs:
   backend-checks:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: '3.12'
     - name: Install dependencies
@@ -36,9 +36,9 @@ jobs:
   frontend-checks:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '24'
         cache: 'npm'

.github/workflows/codeql-analysis.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3

.github/workflows/create-release.yml

@@ -21,15 +21,14 @@ permissions:
   contents: write
 
 env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
   RELEASE_VERSION: ${{ github.event.inputs.version }}
 
 jobs:
   pre-check:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Ensure workflow is running on allowed branches
         run: |
@@ -47,13 +46,13 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.12"
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '24'
       - name: Install dependencies
@@ -73,7 +72,7 @@ jobs:
           tar -czf dist/release/backend-onedir-${{ runner.os }}.tar.gz -C dist run_app
 
       - name: Upload Backend Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: backend-onedir-${{ runner.os }}
           path: dist/release/backend-onedir-${{ runner.os }}.tar.gz
@@ -85,13 +84,13 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '24'
       - name: Download Backend Artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: backend-onedir-${{ runner.os }}
           path: dist/run_app
@@ -110,7 +109,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Electron Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: electron-assets-${{ runner.os }}
           path: |
@@ -128,13 +127,13 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.12"
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '24'
       - name: Install dependencies
@@ -148,7 +147,7 @@ jobs:
       - name: Build Backend (onefile)
         run: python build_backend.py onefile
       - name: Upload Onefile Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: backend-onefile-${{ runner.os }}
           path: dist/AugmentedQuill*
@@ -158,14 +157,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           path: all-assets
           merge-multiple: true
 
+      - name: Collect release assets
+        run: |
+          mkdir -p release-assets
+          # Keep only final application installer artifacts, not intermediate backend-only packages
+          find all-assets -type f \( -name '*Setup*.exe' -o -name '*.AppImage' -o -name '*.dmg' -o -name '*.zip' \) -exec cp {} release-assets/ \;
+          echo "Release asset candidates:"
+          ls -la release-assets
+
       - name: Create GitHub Release
         uses: ncipollo/release-action@v1
         with:
@@ -176,6 +183,16 @@ jobs:
           prerelease: ${{ github.event.inputs.prerelease }}
           commit: ${{ github.ref_name }}
           token: ${{ secrets.GITHUB_TOKEN }}
-          artifacts: "all-assets/**/*.{tar.gz,exe,dmg,AppImage,zip}"
+          artifacts: "release-assets/*"
           allowUpdates: true
           replacesArtifacts: true
+
+  publish-docker:
+    needs: create-release
+    permissions:
+      contents: read
+      packages: write
+    uses: ./.github/workflows/build-docker.yml
+    with:
+      version: ${{ github.event.inputs.version }}
+    secrets: inherit

.github/workflows/dependency-review.yml

@@ -15,7 +15,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Dependency review
         uses: actions/dependency-review-action@v4