Add human friendly labels to tasks.

Fix styling

.github/actions/docker-push-variables/action.yml

@@ -1,6 +1,5 @@
 ---
 name: "Prepare docker environment variables"
-description: "Prepare docker environment variables"
 
 inputs:
   image-name:

.github/actions/setup/action.yml

@@ -1,4 +1,4 @@
-name: "Setup authentik testing environment"
+name: Setup authentik testing environment
 description: "Setup authentik testing environment"
 
 inputs:

.github/workflows/_reusable-docker-build-single.yaml

@@ -42,7 +42,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: docker/setup-qemu-action@v3.6.0
       - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
@@ -64,12 +64,12 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
+      - name: Make empty clients
         if: ${{ inputs.release }}
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
-      - name: generate ts client
+      - name: Generate TypeScript API Client
         if: ${{ !inputs.release }}
         run: make gen-client-ts
       - name: Build Docker Image

.github/workflows/_reusable-docker-build.yaml

@@ -49,7 +49,7 @@ jobs:
       shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
       - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
@@ -69,7 +69,7 @@ jobs:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
       - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/api-py-publish.yml

@@ -7,6 +7,7 @@ on:
   workflow_dispatch:
 jobs:
   build:
+    name: Build and Publish
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
@@ -14,6 +15,7 @@ jobs:
     steps:
       - id: generate_token
         uses: tibdex/github-app-token@v2
+        name: Generate token
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -30,7 +32,7 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version-file: "pyproject.toml"
-      - name: Generate API Client
+      - name: Generate Python API Client
         run: make gen-client-py
       - name: Publish package
         working-directory: gen-py-api/

.github/workflows/api-ts-publish.yml

@@ -7,6 +7,7 @@ on:
   workflow_dispatch:
 jobs:
   build:
+    name: Build and Publish
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
@@ -22,7 +23,7 @@ jobs:
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
-      - name: Generate API Client
+      - name: Generate TypeScript API Client
         run: make gen-client-ts
       - name: Publish package
         working-directory: gen-ts-api/

.github/workflows/ci-aws-cfn.yml

@@ -18,6 +18,7 @@ env:
 
 jobs:
   check-changes-applied:
+    name: Check changes applied
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -36,6 +37,7 @@ jobs:
           uv run make aws-cfn
           git diff --exit-code
   ci-aws-cfn-mark:
+    name: CI AWS CloudFormation Mark
     if: always()
     needs:
       - check-changes-applied

.github/workflows/ci-main-daily.yml

@@ -9,6 +9,7 @@ on:
 
 jobs:
   test-container:
+    name: Test Container ${{ matrix.version }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -19,6 +20,7 @@ jobs:
           - version-2024-12
     steps:
       - uses: actions/checkout@v4
+        name: ${{ matrix.version }} Setup
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"

.github/workflows/ci-main.yml

@@ -19,6 +19,7 @@ env:
 
 jobs:
   lint:
+    name: Lint
     strategy:
       fail-fast: false
       matrix:
@@ -33,9 +34,10 @@ jobs:
       - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: run job
+      - name: Run job ${{ matrix.job }}
         run: uv run make ci-${{ matrix.job }}
   test-migrations:
+    name: Test Migrations
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -44,6 +46,7 @@ jobs:
       - name: run migrations
         run: uv run python -m lifecycle.migrate
   test-make-seed:
+    name: Test Make Seed
     runs-on: ubuntu-latest
     steps:
       - id: seed
@@ -52,7 +55,7 @@ jobs:
     outputs:
       seed: ${{ steps.seed.outputs.seed }}
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: Test Migrations From Stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
     timeout-minutes: 20
     needs: test-make-seed
@@ -67,7 +70,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: checkout stable
+      - name: Checkout Stable
         run: |
           # Copy current, latest config to local
           # Temporarly comment the .github backup while migrating to uv
@@ -84,9 +87,9 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
         continue-on-error: true
-      - name: run migrations to stable
+      - name: Run migrations to stable
         run: poetry run python -m lifecycle.migrate
-      - name: checkout current code
+      - name: Checkout current code
         run: |
           set -x
           git fetch
@@ -97,10 +100,10 @@ jobs:
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
-      - name: migrate to latest
+      - name: Migrate to latest
         run: |
           uv run python -m lifecycle.migrate
-      - name: run tests
+      - name: Run tests
         env:
           # Test in the main database that we just migrated from the previous stable version
           AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
@@ -110,7 +113,7 @@ jobs:
         run: |
           uv run make ci-test
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: Unit tests - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
     timeout-minutes: 20
     needs: test-make-seed
@@ -123,7 +126,7 @@ jobs:
         run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
-      - name: Setup authentik env
+      - name: Setup authentik env (${{ matrix.psql }})
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
@@ -146,6 +149,7 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
+    name: Integration tests
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
@@ -154,7 +158,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
         uses: helm/kind-action@v1.12.0
-      - name: run integration
+      - name: Run integration
         run: |
           uv run coverage run manage.py test tests/integration
           uv run coverage xml
@@ -170,34 +174,34 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
-    name: test-e2e (${{ matrix.job.name }})
+    name: Test E2E (${{ matrix.job.name }})
     runs-on: ubuntu-latest
     timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
         job:
-          - name: proxy
+          - name: Proxy Provider
             glob: tests/e2e/test_provider_proxy*
-          - name: oauth
+          - name: OAuth2 Provider
             glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
-          - name: oauth-oidc
+          - name: OIDC Provider
             glob: tests/e2e/test_provider_oidc*
-          - name: saml
+          - name: SAML Provider
             glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
-          - name: ldap
+          - name: LDAP Provider
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: radius
+          - name: RADIUS Provider
             glob: tests/e2e/test_provider_radius*
-          - name: scim
+          - name: SCIM Source
             glob: tests/e2e/test_source_scim*
-          - name: flows
+          - name: Flows
             glob: tests/e2e/test_flows*
     steps:
       - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Setup e2e env (chrome, etc)
+      - name: Setup E2E env (chrome, etc)
         run: |
           docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
@@ -205,14 +209,14 @@ jobs:
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
-      - name: prepare web ui
+      - name: Prepare Web UI
         if: steps.cache-web.outputs.cache-hit != 'true'
         working-directory: web
         run: |
           npm ci
           make -C .. gen-client-ts
           npm run build
-      - name: run e2e
+      - name: Run E2E tests
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
           uv run coverage xml
@@ -228,6 +232,7 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
+    name: CI Core Mark
     if: always()
     needs:
       - lint
@@ -242,6 +247,7 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build:
+    name: Build
     permissions:
       # Needed to upload container images to ghcr.io
       packages: write
@@ -255,6 +261,7 @@ jobs:
       image_name: ghcr.io/goauthentik/dev-server
       release: false
   pr-comment:
+    name: PR Comment
     needs:
       - build
     runs-on: ubuntu-latest
@@ -267,7 +274,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/ci-outpost.yml

@@ -14,6 +14,7 @@ on:
 
 jobs:
   lint-golint:
+    name: Lint Go
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -26,7 +27,7 @@ jobs:
           mkdir -p web/dist
           mkdir -p website/help
           touch web/dist/test website/help/test
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v7
@@ -35,6 +36,7 @@ jobs:
           args: --timeout 5000s --verbose
           skip-cache: true
   test-unittest:
+    name: Unit Test Go
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -43,12 +45,13 @@ jobs:
           go-version-file: "go.mod"
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: Go unittests
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
+    name: CI Outpost Mark
     if: always()
     needs:
       - lint-golint
@@ -59,6 +62,7 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
+    name: Build Container
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -85,7 +89,7 @@ jobs:
         uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
@@ -99,7 +103,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: Build Docker Image
         id: push
@@ -122,6 +126,7 @@ jobs:
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-binary:
+    name: Build Binary
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -140,7 +145,6 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
@@ -148,7 +152,7 @@ jobs:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: Build web
         working-directory: web/

.github/workflows/ci-web.yml

@@ -13,6 +13,7 @@ on:
 
 jobs:
   lint:
+    name: Lint
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -39,12 +40,13 @@ jobs:
       - working-directory: ${{ matrix.project }}/
         run: |
           npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
         run: make gen-client-ts
       - name: Lint
         working-directory: ${{ matrix.project }}/
         run: npm run ${{ matrix.command }}
   build:
+    name: Build
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -61,6 +63,7 @@ jobs:
         working-directory: web/
         run: npm run build
   ci-web-mark:
+    name: CI Web Mark
     if: always()
     needs:
       - build

.github/workflows/ci-website.yml

@@ -13,6 +13,7 @@ on:
 
 jobs:
   lint:
+    name: Lint
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -24,10 +25,11 @@ jobs:
       - uses: actions/checkout@v4
       - working-directory: website/
         run: npm ci
-      - name: Lint
+      - name: Lint ${{ matrix.command }}
         working-directory: website/
         run: npm run ${{ matrix.command }}
   test:
+    name: Test
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -37,18 +39,14 @@ jobs:
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
+        name: Install dependencies
         run: npm ci
-      - name: test
+      - name: Documentation test
         working-directory: website/
         run: npm test
   build:
+    name: Build Docs
     runs-on: ubuntu-latest
-    name: ${{ matrix.job }}
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - build
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -58,10 +56,11 @@ jobs:
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
         run: npm ci
-      - name: build
+      - name: Build Docusaurus
         working-directory: website/
-        run: npm run ${{ matrix.job }}
+        run: npm run build
   ci-website-mark:
+    name: Mark CI Website
     if: always()
     needs:
       - lint

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:

.github/workflows/gen-update-webauthn-mds.yml

@@ -11,6 +11,7 @@ env:
 
 jobs:
   build:
+    name: Update WebAuthn MDS
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:

.github/workflows/gha-cache-cleanup.yml

@@ -12,6 +12,7 @@ permissions:
 
 jobs:
   cleanup:
+    name: Cleanup Cache
     runs-on: ubuntu-latest
     steps:
       - name: Check out code

.github/workflows/image-compress.yml

@@ -20,7 +20,7 @@ on:
 
 jobs:
   compress:
-    name: compress
+    name: Compress Docker images
     runs-on: ubuntu-latest
     # Don't run on forks. Token will not be available. Will run on main and open a PR anyway
     if: |

.github/workflows/packages-npm-publish.yml

@@ -25,16 +25,17 @@ jobs:
         with:
           fetch-depth: 2
       - uses: actions/setup-node@v4
+        name: Setup Node.js
         with:
           node-version-file: packages/${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
-      - name: Get changed files
+      - name: Changed files (${{ matrix.package }})
         id: changed-files
         uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         with:
           files: |
             packages/${{ matrix.package }}/package.json
-      - name: Publish package
+      - name: Publish package (${{ matrix.package }})
         if: steps.changed-files.outputs.any_changed == 'true'
         working-directory: packages/${{ matrix.package}}
         run: |

.github/workflows/publish-source-docs.yml

@@ -12,6 +12,7 @@ env:
 
 jobs:
   publish-source-docs:
+    name: Publish
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
@@ -19,11 +20,11 @@ jobs:
       - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: generate docs
+      - name: Generate docs
         run: |
           uv run make migrate
           uv run ak build_source_docs
-      - name: Publish
+      - name: Deploy to Netlify
         uses: netlify/actions/cli@master
         with:
           args: deploy --dir=source_docs --prod

.github/workflows/release-next-branch.yml

@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   update-next:
+    name: Update Next Branch
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production

.github/workflows/release-publish.yml

@@ -7,6 +7,7 @@ on:
 
 jobs:
   build-server:
+    name: Build server
     uses: ./.github/workflows/_reusable-docker-build.yaml
     secrets: inherit
     permissions:
@@ -21,6 +22,7 @@ jobs:
       registry_dockerhub: true
       registry_ghcr: true
   build-outpost:
+    name: Build outpost
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload container images to ghcr.io
@@ -45,14 +47,14 @@ jobs:
         uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
-      - name: make empty clients
+      - name: Make empty clients
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
@@ -85,6 +87,7 @@ jobs:
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-outpost-binary:
+    name: Build outpost binary
     timeout-minutes: 120
     runs-on: ubuntu-latest
     permissions:
@@ -129,6 +132,7 @@ jobs:
           asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
   upload-aws-cfn-template:
+    name: Upload AWS CloudFormation template
     permissions:
       # Needed for AWS login
       id-token: write
@@ -150,6 +154,7 @@ jobs:
           aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
           aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
+    name: Test release
     needs:
       - build-server
       - build-outpost
@@ -166,6 +171,7 @@ jobs:
           docker compose start postgresql redis
           docker compose run -u root server test-all
   sentry-release:
+    name: Sentry release
     needs:
       - build-server
       - build-outpost
@@ -173,7 +179,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/release-tag.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/repo-mirror.yml

@@ -4,6 +4,7 @@ on: [push, delete]
 
 jobs:
   to_internal:
+    name: Mirror to internal repository
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:

.github/workflows/repo-stale.yml

@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   stale:
+    name: Stale Issues
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:

.github/workflows/translation-advice.yml

@@ -16,6 +16,7 @@ permissions:
 
 jobs:
   post-comment:
+    name: Post Comment
     runs-on: ubuntu-latest
     steps:
       - name: Find Comment

.github/workflows/translation-extract-compile.yml

@@ -16,6 +16,7 @@ env:
 
 jobs:
   compile:
+    name: Compile Translations
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -32,12 +33,12 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
+      - name: Generate TypeScript API
         run: make gen-client-ts
-      - name: run extract
+      - name: Extract Translations
         run: |
           uv run make i18n-extract
-      - name: run compile
+      - name: Compile Messages
         run: |
           uv run ak compilemessages
           make web-check-compile

.github/workflows/translation-rename.yml

@@ -12,6 +12,7 @@ permissions:
 
 jobs:
   rename_pr:
+    name: Rename PR
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.16 AS uv
+FROM ghcr.io/astral-sh/uv:0.6.17 AS uv
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
 

authentik/rbac/api/rbac.py

@@ -99,6 +99,7 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
     filterset_class = PermissionFilter
     permission_classes = [IsAuthenticated]
     search_fields = [
+        "name",
         "codename",
         "content_type__model",
         "content_type__app_label",

lifecycle/ak

@@ -62,7 +62,8 @@ function prepare_debug {
     export DEBIAN_FRONTEND=noninteractive
     apt-get update
     apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
-    VIRTUAL_ENV=/ak-root/.venv uv sync --frozen
+    source "${VENV_PATH}/bin/activate"
+    uv sync --active --frozen
     touch /unittest.xml
     chown authentik:authentik /unittest.xml
 }

web/src/elements/charts/Chart.ts

@@ -85,7 +85,6 @@ export abstract class AKChart<T> extends AKElement {
                 .container {
                     height: 100%;
                     width: 100%;
-                    aspect-ratio: 1 / 1;
 
                     display: flex;
                     justify-content: center;

web/src/elements/sidebar/SidebarBrand.ts

@@ -1,10 +1,11 @@
 import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { AKElement } from "@goauthentik/elements/Base";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import { themeImage } from "@goauthentik/elements/utils/images";
 
 import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, css, html } from "lit";
+import { CSSResult, TemplateResult, css, html, nothing } from "lit";
 import { customElement } from "lit/decorators.js";
 
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@@ -70,7 +71,10 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
     }
 
     render(): TemplateResult {
-        return html` ${window.innerWidth <= MIN_WIDTH
+        const logoUrl =
+            globalAK().brand.brandingLogo || this.brand?.brandingLogo || DefaultBrand.brandingLogo;
+
+        return html`${window.innerWidth <= MIN_WIDTH
                 ? html`
                       <button
                           class="sidebar-trigger pf-c-button"
@@ -86,14 +90,10 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
                           <i class="fas fa-bars"></i>
                       </button>
                   `
-                : html``}
+                : nothing}
             <a href="#/" class="pf-c-page__header-brand-link">
                 <div class="pf-c-brand ak-brand">
-                    <img
+                    <img src=${themeImage(logoUrl)} alt="${msg("authentik Logo")}" loading="lazy" />
-                        src=${themeImage(this.brand?.brandingLogo ?? DefaultBrand.brandingLogo)}
-                        alt="${msg("authentik Logo")}"
-                        loading="lazy"
-                    />
                 </div>
             </a>`;
     }

website/docs/add-secure-apps/providers/oauth2/device_code.md

@@ -49,3 +49,17 @@ device_code=device_code_from_above
 If the user has not opened the link above yet, or has not finished the authentication and authorization yet, the response will contain an `error` element set to `authorization_pending`. The device should re-send the request in the interval set above.
 
 If the user _has_ finished the authentication and authorization, the response will be similar to any other generic OAuth2 Token request, containing `access_token` and `id_token`.
+
+### Creating and applying a device code flow
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
+3. Set the following required configurations:
+    - **Name**: provide a name (e.g. `default-device-code-flow`)
+    - **Title**: provide a title (e.g. `Device code flow`)
+    - **Slug**: provide a slug (e.g `default-device-code-flow`)
+    - **Designation**: `Stage Configuration`
+    - **Authentication**: `Require authentication`
+4. Click **Create**.
+5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand.
+6. Set **Default code flow** to the newly created device code flow and click **Update**.

website/docs/releases/2025/v2025.4.md

@@ -6,20 +6,20 @@ slug: "/releases/2025.4"
 :::::note
 2025.4 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
 
-To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.4.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
+To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.4.0-rc2. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
 :::::
 
 ## Highlights
 
-- **Improve membership resolution for the LDAP Source**: Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory.
+- **Improve membership resolution for the LDAP Source** Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory.
 
-- **Support for PostgreSQL Connection Pools**: PostgreSQL Connection Pools provides a set of open connections in order to reduce latency.
+- **Support for PostgreSQL Connection Pools** PostgreSQL Connection Pools provides a set of open connections in order to reduce latency.
 
-- **RBAC: Initial Permissions** (Preview): Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege.
+- **RBAC: Initial Permissions** :ak-preview Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege.
 
-- **Password History Policy** (Enterprise): A new policy can prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for fedRAMP compliance.
+- **Password History Policy** :ak-enterprise A new policy can prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for fedRAMP compliance.
 
-- **Source Sync Dry Run** (:ak-preview): Add the option for dry-run syncs for SCIM, Google Workspace, and Entra to preview the results of a sync without affecting live accounts.
+- **Source Sync Dry Run** :ak-preview Add the option for dry-run syncs for SCIM, Google Workspace, and Entra to preview the results of a sync without affecting live accounts.
 
 ## Breaking changes
 

website/integrations/services/homarr/index.md

@@ -48,7 +48,7 @@ Add the following environment variables to your Homarr configuration. Make sure
 AUTH_PROVIDERS="oidc,credentials"
 AUTH_OIDC_CLIENT_ID=<Client ID from authentik>
 AUTH_OIDC_CLIENT_SECRET=<Client secret from authentik>
-AUTH_OIDC_ISSUER=https://authentik.company/application/o/<slug from authentik>
+AUTH_OIDC_ISSUER=https://authentik.company/application/o/<slug from authentik>/
 AUTH_OIDC_URI=https://authentik.company/application/o/authorize
 AUTH_OIDC_CLIENT_NAME=authentik
 OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true