release: 2025.4.0-rc1

2025-04-25 01:53:53 -03:00
46 changed files with 92 additions and 142 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.4
+current_version = 2025.4.0-rc1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -1,5 +1,6 @@
 ---
 name: "Prepare docker environment variables"
+description: "Prepare docker environment variables"

 inputs:
  image-name:
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -1,4 +1,4 @@
-name: Setup authentik testing environment
+name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"

 inputs:
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -42,7 +42,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3.6.0
      - uses: docker/setup-buildx-action@v3
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
@ -64,12 +64,12 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Make empty clients
+      - name: make empty clients
        if: ${{ inputs.release }}
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
-      - name: Generate TypeScript API Client
+      - name: generate ts client
        if: ${{ !inputs.release }}
        run: make gen-client-ts
      - name: Build Docker Image
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@ -49,7 +49,7 @@ jobs:
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
      - uses: actions/checkout@v4
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
@ -69,7 +69,7 @@ jobs:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
      - uses: actions/checkout@v4
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -7,7 +7,6 @@ on:
  workflow_dispatch:
 jobs:
  build:
-    name: Build and Publish
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    permissions:
@ -15,7 +14,6 @@ jobs:
    steps:
      - id: generate_token
        uses: tibdex/github-app-token@v2
-        name: Generate token
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@ -32,7 +30,7 @@ jobs:
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
-      - name: Generate Python API Client
+      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
        working-directory: gen-py-api/
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -7,7 +7,6 @@ on:
  workflow_dispatch:
 jobs:
  build:
-    name: Build and Publish
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
@ -23,7 +22,7 @@ jobs:
        with:
          node-version-file: web/package.json
          registry-url: "https://registry.npmjs.org"
-      - name: Generate TypeScript API Client
+      - name: Generate API Client
        run: make gen-client-ts
      - name: Publish package
        working-directory: gen-ts-api/
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -18,7 +18,6 @@ env:

 jobs:
  check-changes-applied:
-    name: Check changes applied
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -37,7 +36,6 @@ jobs:
          uv run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
-    name: CI AWS CloudFormation Mark
    if: always()
    needs:
      - check-changes-applied
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -9,7 +9,6 @@ on:

 jobs:
  test-container:
-    name: Test Container ${{ matrix.version }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@ -20,7 +19,6 @@ jobs:
          - version-2024-12
    steps:
      - uses: actions/checkout@v4
-        name: ${{ matrix.version }} Setup
      - run: |
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -19,7 +19,6 @@ env:

 jobs:
  lint:
-    name: Lint
    strategy:
      fail-fast: false
      matrix:
@ -34,10 +33,9 @@ jobs:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Run job ${{ matrix.job }}
+      - name: run job
        run: uv run make ci-${{ matrix.job }}
  test-migrations:
-    name: Test Migrations
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -46,7 +44,6 @@ jobs:
      - name: run migrations
        run: uv run python -m lifecycle.migrate
  test-make-seed:
-    name: Test Make Seed
    runs-on: ubuntu-latest
    steps:
      - id: seed
@ -55,7 +52,7 @@ jobs:
    outputs:
      seed: ${{ steps.seed.outputs.seed }}
  test-migrations-from-stable:
-    name: Test Migrations From Stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: test-make-seed
@ -70,7 +67,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
-      - name: Checkout Stable
+      - name: checkout stable
        run: |
          # Copy current, latest config to local
          # Temporarly comment the .github backup while migrating to uv
@ -87,9 +84,9 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
        continue-on-error: true
-      - name: Run migrations to stable
+      - name: run migrations to stable
        run: poetry run python -m lifecycle.migrate
-      - name: Checkout current code
+      - name: checkout current code
        run: |
          set -x
          git fetch
@ -100,10 +97,10 @@ jobs:
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
-      - name: Migrate to latest
+      - name: migrate to latest
        run: |
          uv run python -m lifecycle.migrate
-      - name: Run tests
+      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
@ -113,7 +110,7 @@ jobs:
        run: |
          uv run make ci-test
  test-unittest:
-    name: Unit tests - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: test-make-seed
@ -126,7 +123,7 @@ jobs:
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
-      - name: Setup authentik env (${{ matrix.psql }})
+      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
@ -149,7 +146,6 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  test-integration:
-    name: Integration tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
@ -158,7 +154,7 @@ jobs:
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.12.0
-      - name: Run integration
+      - name: run integration
        run: |
          uv run coverage run manage.py test tests/integration
          uv run coverage xml
@ -174,34 +170,34 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  test-e2e:
-    name: Test E2E (${{ matrix.job.name }})
+    name: test-e2e (${{ matrix.job.name }})
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        job:
-          - name: Proxy Provider
+          - name: proxy
            glob: tests/e2e/test_provider_proxy*
-          - name: OAuth2 Provider
+          - name: oauth
            glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
-          - name: OIDC Provider
+          - name: oauth-oidc
            glob: tests/e2e/test_provider_oidc*
-          - name: SAML Provider
+          - name: saml
            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
-          - name: LDAP Provider
+          - name: ldap
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: RADIUS Provider
+          - name: radius
            glob: tests/e2e/test_provider_radius*
-          - name: SCIM Source
+          - name: scim
            glob: tests/e2e/test_source_scim*
-          - name: Flows
+          - name: flows
            glob: tests/e2e/test_flows*
    steps:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Setup E2E env (chrome, etc)
+      - name: Setup e2e env (chrome, etc)
        run: |
          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
      - id: cache-web
@ -209,14 +205,14 @@ jobs:
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
-      - name: Prepare Web UI
+      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
        run: |
          npm ci
          make -C .. gen-client-ts
          npm run build
-      - name: Run E2E tests
+      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
          uv run coverage xml
@ -232,7 +228,6 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
-    name: CI Core Mark
    if: always()
    needs:
      - lint
@ -247,7 +242,6 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build:
-    name: Build
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
@ -261,7 +255,6 @@ jobs:
      image_name: ghcr.io/goauthentik/dev-server
      release: false
  pr-comment:
-    name: PR Comment
    needs:
      - build
    runs-on: ubuntu-latest
@ -274,7 +267,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -14,7 +14,6 @@ on:

 jobs:
  lint-golint:
-    name: Lint Go
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -27,7 +26,7 @@ jobs:
          mkdir -p web/dist
          mkdir -p website/help
          touch web/dist/test website/help/test
-      - name: Generate Go API Client
+      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v7
@ -36,7 +35,6 @@ jobs:
          args: --timeout 5000s --verbose
          skip-cache: true
  test-unittest:
-    name: Unit Test Go
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -45,13 +43,12 @@ jobs:
          go-version-file: "go.mod"
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate Go API Client
+      - name: Generate API
        run: make gen-client-go
      - name: Go unittests
        run: |
          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
  ci-outpost-mark:
-    name: CI Outpost Mark
    if: always()
    needs:
      - lint-golint
@ -62,7 +59,6 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
-    name: Build Container
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@ -89,7 +85,7 @@ jobs:
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
@ -103,7 +99,7 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate Go API Client
+      - name: Generate API
        run: make gen-client-go
      - name: Build Docker Image
        id: push
@ -126,7 +122,6 @@ jobs:
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-binary:
-    name: Build Binary
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@ -145,6 +140,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@v4
@ -152,7 +148,7 @@ jobs:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
-      - name: Generate Go API Client
+      - name: Generate API
        run: make gen-client-go
      - name: Build web
        working-directory: web/
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -13,7 +13,6 @@ on:

 jobs:
  lint:
-    name: Lint
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@ -40,13 +39,12 @@ jobs:
      - working-directory: ${{ matrix.project }}/
        run: |
          npm ci
-      - name: Generate TypeScript API
+      - name: Generate API
        run: make gen-client-ts
      - name: Lint
        working-directory: ${{ matrix.project }}/
        run: npm run ${{ matrix.command }}
  build:
-    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -63,7 +61,6 @@ jobs:
        working-directory: web/
        run: npm run build
  ci-web-mark:
-    name: CI Web Mark
    if: always()
    needs:
      - build
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -13,7 +13,6 @@ on:

 jobs:
  lint:
-    name: Lint
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@ -25,11 +24,10 @@ jobs:
      - uses: actions/checkout@v4
      - working-directory: website/
        run: npm ci
-      - name: Lint ${{ matrix.command }}
+      - name: Lint
        working-directory: website/
        run: npm run ${{ matrix.command }}
  test:
-    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -39,14 +37,18 @@ jobs:
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
-        name: Install dependencies
        run: npm ci
-      - name: Documentation test
+      - name: test
        working-directory: website/
        run: npm test
  build:
-    name: Build Docs
    runs-on: ubuntu-latest
+    name: ${{ matrix.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -56,11 +58,10 @@ jobs:
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
-      - name: Build Docusaurus
+      - name: build
        working-directory: website/
-        run: npm run build
+        run: npm run ${{ matrix.job }}
  ci-website-mark:
-    name: Mark CI Website
    if: always()
    needs:
      - lint
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -1,4 +1,4 @@
-name: CodeQL
+name: "CodeQL"

 on:
  push:
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -11,7 +11,6 @@ env:

 jobs:
  build:
-    name: Update WebAuthn MDS
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/gha-cache-cleanup.yml
+++ b/.github/workflows/gha-cache-cleanup.yml
@ -12,7 +12,6 @@ permissions:

 jobs:
  cleanup:
-    name: Cleanup Cache
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@ -20,7 +20,7 @@ on:

 jobs:
  compress:
-    name: Compress Docker images
+    name: compress
    runs-on: ubuntu-latest
    # Don't run on forks. Token will not be available. Will run on main and open a PR anyway
    if: |
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -25,17 +25,16 @@ jobs:
        with:
          fetch-depth: 2
      - uses: actions/setup-node@v4
-        name: Setup Node.js
        with:
          node-version-file: packages/${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
-      - name: Changed files (${{ matrix.package }})
+      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            packages/${{ matrix.package }}/package.json
-      - name: Publish package (${{ matrix.package }})
+      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: packages/${{ matrix.package}}
        run: |
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -12,7 +12,6 @@ env:

 jobs:
  publish-source-docs:
-    name: Publish
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
@ -20,11 +19,11 @@ jobs:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate docs
+      - name: generate docs
        run: |
          uv run make migrate
          uv run ak build_source_docs
-      - name: Deploy to Netlify
+      - name: Publish
        uses: netlify/actions/cli@master
        with:
          args: deploy --dir=source_docs --prod
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@ -11,7 +11,6 @@ permissions:

 jobs:
  update-next:
-    name: Update Next Branch
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    environment: internal-production
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,7 +7,6 @@ on:

 jobs:
  build-server:
-    name: Build server
    uses: ./.github/workflows/_reusable-docker-build.yaml
    secrets: inherit
    permissions:
@ -22,7 +21,6 @@ jobs:
      registry_dockerhub: true
      registry_ghcr: true
  build-outpost:
-    name: Build outpost
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload container images to ghcr.io
@ -47,14 +45,14 @@ jobs:
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
-      - name: Make empty clients
+      - name: make empty clients
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
@ -87,7 +85,6 @@ jobs:
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost-binary:
-    name: Build outpost binary
    timeout-minutes: 120
    runs-on: ubuntu-latest
    permissions:
@ -132,7 +129,6 @@ jobs:
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}
  upload-aws-cfn-template:
-    name: Upload AWS CloudFormation template
    permissions:
      # Needed for AWS login
      id-token: write
@ -154,7 +150,6 @@ jobs:
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
-    name: Test release
    needs:
      - build-server
      - build-outpost
@ -171,7 +166,6 @@ jobs:
          docker compose start postgresql redis
          docker compose run -u root server test-all
  sentry-release:
-    name: Sentry release
    needs:
      - build-server
      - build-outpost
@ -179,7 +173,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -20,7 +20,7 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Prepare variables
+      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@ -4,7 +4,6 @@ on: [push, delete]

 jobs:
  to_internal:
-    name: Mirror to internal repository
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -11,7 +11,6 @@ permissions:

 jobs:
  stale:
-    name: Stale Issues
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@ -16,7 +16,6 @@ permissions:

 jobs:
  post-comment:
-    name: Post Comment
    runs-on: ubuntu-latest
    steps:
      - name: Find Comment
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -16,7 +16,6 @@ env:

 jobs:
  compile:
-    name: Compile Translations
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
@ -33,12 +32,12 @@ jobs:
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate TypeScript API
+      - name: Generate API
        run: make gen-client-ts
-      - name: Extract Translations
+      - name: run extract
        run: |
          uv run make i18n-extract
-      - name: Compile Messages
+      - name: run compile
        run: |
          uv run ak compilemessages
          make web-check-compile
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@ -12,7 +12,6 @@ permissions:

 jobs:
  rename_pr:
-    name: Rename PR
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
--- a/2
+++ b/2
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.17 AS uv
+FROM ghcr.io/astral-sh/uv:0.6.16 AS uv
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.2.4"
+__version__ = "2025.4.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -99,7 +99,6 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    filterset_class = PermissionFilter
    permission_classes = [IsAuthenticated]
    search_fields = [
-        "name",
        "codename",
        "content_type__model",
        "content_type__app_label",
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.2.4 Blueprint schema",
+    "title": "authentik 2025.4.0 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
    restart: unless-stopped
    command: worker
    environment:
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.2.4"
+const VERSION = "2025.4.0"
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -62,8 +62,7 @@ function prepare_debug {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
-    source "${VENV_PATH}/bin/activate"
-    uv sync --active --frozen
+    VIRTUAL_ENV=/ak-root/.venv uv sync --frozen
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.2.4
+    Default: 2025.4.0
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.2.4",
+    "version": "2025.4.0",
    "private": true
 }
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.2.4"
+version = "2025.4.0"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.12.*"
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.2.4
+  version: 2025.4.0
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/uv.lock
+++ b/uv.lock
@ -165,7 +165,7 @@ wheels = [

 [[package]]
 name = "authentik"
-version = "2025.2.4"
+version = "2025.4.0"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2025.2.4";
+export const VERSION = "2025.4.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/web/src/elements/charts/Chart.ts
+++ b/web/src/elements/charts/Chart.ts
@ -85,6 +85,7 @@ export abstract class AKChart<T> extends AKElement {
                .container {
                    height: 100%;
                    width: 100%;
+                    aspect-ratio: 1 / 1;

                    display: flex;
                    justify-content: center;
--- a/web/src/elements/sidebar/SidebarBrand.ts
+++ b/web/src/elements/sidebar/SidebarBrand.ts
@ -1,11 +1,10 @@
 import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
-import { globalAK } from "@goauthentik/common/global";
 import { AKElement } from "@goauthentik/elements/Base";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import { themeImage } from "@goauthentik/elements/utils/images";

 import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, css, html, nothing } from "lit";
+import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement } from "lit/decorators.js";

 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@ -71,10 +70,7 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
    }

    render(): TemplateResult {
-        const logoUrl =
-            globalAK().brand.brandingLogo || this.brand?.brandingLogo || DefaultBrand.brandingLogo;
-
-        return html`${window.innerWidth <= MIN_WIDTH
+        return html` ${window.innerWidth <= MIN_WIDTH
                ? html`
                      <button
                          class="sidebar-trigger pf-c-button"
@ -90,10 +86,14 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
                          <i class="fas fa-bars"></i>
                      </button>
                  `
-                : nothing}
+                : html``}
            <a href="#/" class="pf-c-page__header-brand-link">
                <div class="pf-c-brand ak-brand">
-                    <img src=${themeImage(logoUrl)} alt="${msg("authentik Logo")}" loading="lazy" />
+                    <img
+                        src=${themeImage(this.brand?.brandingLogo ?? DefaultBrand.brandingLogo)}
+                        alt="${msg("authentik Logo")}"
+                        loading="lazy"
+                    />
                </div>
            </a>`;
    }
--- a/website/docs/add-secure-apps/providers/oauth2/device_code.md
+++ b/website/docs/add-secure-apps/providers/oauth2/device_code.md
@ -49,17 +49,3 @@ device_code=device_code_from_above
 If the user has not opened the link above yet, or has not finished the authentication and authorization yet, the response will contain an `error` element set to `authorization_pending`. The device should re-send the request in the interval set above.

 If the user _has_ finished the authentication and authorization, the response will be similar to any other generic OAuth2 Token request, containing `access_token` and `id_token`.
-
-### Creating and applying a device code flow
-
-1. Log in to authentik as an admin, and open the authentik Admin interface.
-2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
-3. Set the following required configurations:
-    - **Name**: provide a name (e.g. `default-device-code-flow`)
-    - **Title**: provide a title (e.g. `Device code flow`)
-    - **Slug**: provide a slug (e.g `default-device-code-flow`)
-    - **Designation**: `Stage Configuration`
-    - **Authentication**: `Require authentication`
-4. Click **Create**.
-5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand.
-6. Set **Default code flow** to the newly created device code flow and click **Update**.
--- a/website/docs/releases/2025/v2025.4.md
+++ b/website/docs/releases/2025/v2025.4.md
@ -6,20 +6,20 @@ slug: "/releases/2025.4"
 :::::note
 2025.4 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.

-To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.4.0-rc2. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
+To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.4.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
 :::::

 ## Highlights

- **Improve membership resolution for the LDAP Source** Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory.
+- **Improve membership resolution for the LDAP Source**: Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory.

- **Support for PostgreSQL Connection Pools** PostgreSQL Connection Pools provides a set of open connections in order to reduce latency.
+- **Support for PostgreSQL Connection Pools**: PostgreSQL Connection Pools provides a set of open connections in order to reduce latency.

- **RBAC: Initial Permissions** :ak-preview Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege.
+- **RBAC: Initial Permissions** (Preview): Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege.

- **Password History Policy** :ak-enterprise A new policy can prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for fedRAMP compliance.
+- **Password History Policy** (Enterprise): A new policy can prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for fedRAMP compliance.

- **Source Sync Dry Run** :ak-preview Add the option for dry-run syncs for SCIM, Google Workspace, and Entra to preview the results of a sync without affecting live accounts.
+- **Source Sync Dry Run** (:ak-preview): Add the option for dry-run syncs for SCIM, Google Workspace, and Entra to preview the results of a sync without affecting live accounts.

 ## Breaking changes

--- a/website/integrations/services/homarr/index.md
+++ b/website/integrations/services/homarr/index.md
@ -48,7 +48,7 @@ Add the following environment variables to your Homarr configuration. Make sure
 AUTH_PROVIDERS="oidc,credentials"
 AUTH_OIDC_CLIENT_ID=<Client ID from authentik>
 AUTH_OIDC_CLIENT_SECRET=<Client secret from authentik>
-AUTH_OIDC_ISSUER=https://authentik.company/application/o/<slug from authentik>/
+AUTH_OIDC_ISSUER=https://authentik.company/application/o/<slug from authentik>
 AUTH_OIDC_URI=https://authentik.company/application/o/authorize
 AUTH_OIDC_CLIENT_NAME=authentik
 OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true