update next-breaking (#11999)

2026-05-28 03:49:20 +00:00 · 2026-05-24 02:36:24 +02:00
parent f631eeb245
commit 8db9e29f61
661 changed files with 232019 additions and 191250 deletions
@@ -13,5 +13,5 @@ runs:
          invoke export-records -f data.json
          python3 ./src/backend/InvenTree/manage.py flush --noinput
          invoke migrate
-          invoke import-records -c -f data.json
-          invoke import-records -c -f data.json
+          invoke import-records -c -f data.json --strict
+          invoke import-records -c -f data.json --strict
@@ -15,6 +15,10 @@ inputs:
        required: false
        description: 'Install the InvenTree requirements?'
        default: 'false'
+    static:
+        required: false
+        description: 'Should the static files be built?'
+        default: 'false'
    dev-install:
        required: false
        description: 'Install the InvenTree development requirements?'
@@ -103,3 +107,7 @@ runs:
        if: ${{ inputs.update == 'true' }}
        shell: bash
        run: invoke update --skip-backup --skip-static
+      - name: Collect static files
+        if: ${{ inputs.static == 'true' }}
+        shell: bash
+        run: invoke static --skip-plugins
@@ -0,0 +1,101 @@
+"""Script to check a data file exported using the 'export-records' command.
+
+This script is intended to be used as part of the CI workflow,
+in conjunction with the "workflows/import_export.yaml" workflow.
+
+In reads the exported data file, to ensure that:
+
+- The file can be read and parsed as JSON
+- The file contains the expected metadata
+- The file contains the expected plugin configuration
+- The file contains the expected plugin database records
+
+"""
+
+PLUGIN_KEY = 'dummy_app_plugin'
+PLUGIN_SLUG = 'dummy-app-plugin'
+
+import argparse
+import json
+import os
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Check exported data file')
+    parser.add_argument('datafile', help='Path to the exported data file (JSON)')
+
+    args = parser.parse_args()
+
+    if not os.path.isfile(args.datafile):
+        print(f'Error: File not found: {args.datafile}')
+        exit(1)
+
+    with open(args.datafile, encoding='utf-8') as f:
+        try:
+            data = json.load(f)
+            print(f'Successfully loaded data from {args.datafile}')
+            print(f'Number of records: {len(data)}')
+        except json.JSONDecodeError as e:
+            print(f'Error: Failed to parse JSON file: {e}')
+            exit(1)
+
+    found_metadata = False
+    found_installed_apps = False
+    found_plugin_config = False
+    plugin_data_records = {}
+
+    # Inspect the data and check that it has the expected structure and content.
+    for entry in data:
+        # Check metadata entry for expected values
+        if entry.get('metadata', False):
+            print('Found metadata entry')
+            found_metadata = True
+
+            expected_apps = ['InvenTree', 'allauth', 'dbbackup', PLUGIN_KEY]
+
+            apps = entry.get('installed_apps', [])
+
+            for app in expected_apps:
+                if app not in apps:
+                    print(f'- Expected app "{app}" not found in installed apps list')
+                    exit(1)
+
+            found_installed_apps = True
+
+        elif entry.get('model', None) == 'plugin.pluginconfig':
+            key = entry['fields']['key']
+
+            if key == PLUGIN_SLUG:
+                print(f'Found plugin configuration for plugin "{PLUGIN_KEY}"')
+                found_plugin_config = True
+
+        elif entry.get('model', None) == f'{PLUGIN_KEY}.examplemodel':
+            key = entry['fields']['key']
+            value = entry['fields']['value']
+
+            plugin_data_records[key] = value
+
+    if not found_metadata:
+        print('Error: No metadata entry found in exported data')
+        exit(1)
+
+    if not found_installed_apps:
+        print(
+            f'Error: Plugin "{PLUGIN_KEY}" not found in installed apps list in metadata'
+        )
+        exit(1)
+
+    if not found_plugin_config:
+        print(f'Error: No plugin configuration found for plugin "{PLUGIN_KEY}"')
+        exit(1)
+
+    # Check the extracted plugin records
+    expected_keys = ['alpha', 'beta', 'gamma', 'delta']
+
+    for key in expected_keys:
+        if key not in plugin_data_records:
+            print(
+                f'Error: Expected plugin record with key "{key}" not found in exported data'
+            )
+            exit(1)
+
+    print('All checks passed successfully!')
@@ -42,7 +42,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
        with:
          persist-credentials: false
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # pin@v3.0.2
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # pin@v4.0.1
        id: filter
        with:
          filters: |
@@ -168,13 +168,13 @@ jobs:
          echo "git_commit_date=$(git show -s --format=%ci)" >> $GITHUB_ENV
      - name: Set up QEMU
        if: github.event_name != 'pull_request'
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # pin@v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # pin@v4.0.0
      - name: Set up Docker Buildx
        if: github.event_name != 'pull_request'
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # pin@v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # pin@v4.0.0
      - name: Set up cosign
        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # pin@v4.0.0
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # pin@v4.1.2
      - name: Check if Dockerhub login is required
        id: docker_login
        run: |
@@ -185,14 +185,14 @@ jobs:
          fi
      - name: Login to Dockerhub
        if: github.event_name != 'pull_request' && steps.docker_login.outputs.skip_dockerhub_login != 'true'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # pin@v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # pin@v4.1.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Log into registry ghcr.io
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # pin@v3.7.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # pin@v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -201,7 +201,7 @@ jobs:
      - name: Extract Docker metadata
        if: github.event_name != 'pull_request'
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # pin@v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # pin@v6.0.0
        with:
          images: |
            inventree/inventree
@@ -0,0 +1,120 @@
+# Ensure that data import / export functionality works as expected.
+# - Create a dataset in a Postgres database (including plugin data)
+# - Export the dataset to an agnostic format (JSON)
+# - Import the dataset into a Sqlite database
+
+name: Import / Export
+
+on:
+  push:
+    branches-ignore: ["l10*"]
+  pull_request:
+    branches-ignore: ["l10*"]
+
+permissions:
+  contents: read
+
+env:
+  python_version: 3.11
+
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  INVENTREE_DEBUG: false
+  INVENTREE_LOG_LEVEL: WARNING
+  INVENTREE_MEDIA_ROOT: /home/runner/work/InvenTree/test_inventree_media
+  INVENTREE_STATIC_ROOT: /home/runner/work/InvenTree/test_inventree_static
+  INVENTREE_BACKUP_DIR: /home/runner/work/InvenTree/test_inventree_backup
+  INVENTREE_SITE_URL: http://localhost:8000
+
+  INVENTREE_PLUGINS_ENABLED: true
+  INVENTREE_AUTO_UPDATE: true
+  INVENTREE_PLUGINS_MANDATORY: "dummy-app-plugin"
+  INVENTREE_GLOBAL_SETTINGS: '{"ENABLE_PLUGINS_APP": true}'
+
+  DATA_FILE: /home/runner/work/InvenTree/test_inventree_data.json
+
+  INVENTREE_DB_ENGINE: postgresql
+  INVENTREE_DB_NAME: inventree
+  INVENTREE_DB_USER: inventree
+  INVENTREE_DB_PASSWORD: password
+  INVENTREE_DB_HOST: "127.0.0.1"
+  INVENTREE_DB_PORT: 5432
+
+jobs:
+
+  paths-filter:
+    name: filter
+    runs-on: ubuntu-latest
+    outputs:
+      server: ${{ steps.filter.outputs.server }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
+        with:
+          persist-credentials: false
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # pin@v4.0.1
+        id: filter
+        with:
+          filters: |
+            server:
+              - .github/workflows/import_export.yaml
+              - .github/scripts/check_exported_data.py
+              - 'src/backend/**'
+              - 'tasks.py'
+  test:
+    runs-on: ubuntu-latest
+    needs: paths-filter
+    if: needs.paths-filter.outputs.server == 'true' || contains(github.event.pull_request.labels.*.name, 'full-run')
+
+    services:
+      postgres:
+        image: postgres:17
+        env:
+          POSTGRES_USER: inventree
+          POSTGRES_PASSWORD: password
+        ports:
+          - 5432:5432
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Environment Setup
+        uses: ./.github/actions/setup
+        with:
+          apt-dependency: gettext poppler-utils libpq-dev
+          pip-dependency: psycopg
+          update: true
+          static: false
+      - name: Setup Postgres Database
+        run: |
+          invoke migrate
+          invoke dev.setup-test -i
+      - name: Create Plugin Data
+        run: |
+          pip install -U inventree-dummy-app-plugin==0.1.0
+          invoke migrate
+          cd src/backend/InvenTree && python manage.py create_dummy_data
+      - name: Export Postgres Dataset
+        run: |
+          invoke export-records -o -f ${{ env.DATA_FILE }}
+          python .github/scripts/check_exported_data.py ${{ env.DATA_FILE }}
+          invoke dev.delete-data --force
+      - name: Update Environment Variables for Sqlite
+        run: |
+          echo "Updating environment variables for Sqlite"
+          echo "INVENTREE_DB_ENGINE=sqlite" >> $GITHUB_ENV
+          echo "INVENTREE_DB_NAME=/home/runner/work/InvenTree/test_inventree_db.sqlite3" >> $GITHUB_ENV
+      - name: Setup Sqlite Database
+        run: |
+          invoke migrate
+          test -f /home/runner/work/InvenTree/test_inventree_db.sqlite3 || (echo "Sqlite database not created" && exit 1)
+      - name: Import Sqlite Dataset
+        run: |
+          invoke import-records -c -f ${{ env.DATA_FILE }} --strict
+          cd src/backend/InvenTree && python manage.py check_dummy_data
+      - name: Export Sqlite Dataset
+        run: |
+          invoke export-records -o -f ${{ env.DATA_FILE }}
+          python .github/scripts/check_exported_data.py ${{ env.DATA_FILE }}
@@ -10,7 +10,7 @@ on:

 env:
  python_version: 3.11
-  node_version: 20
+  node_version: 24
  # The OS version must be set per job
  server_start_sleep: 60

@@ -23,8 +23,6 @@ env:
  INVENTREE_SITE_URL: http://localhost:8000
  INVENTREE_DEBUG: true

-  use_performance: false
-
 permissions:
  contents: read

@@ -42,12 +40,14 @@ jobs:
      cicd: ${{ steps.filter.outputs.cicd }}
      requirements: ${{ steps.filter.outputs.requirements }}
      runner-perf: ${{ steps.runner-perf.outputs.runner }}
+      performance: ${{ steps.performance.outputs.force-performance }}
+      submit-performance: ${{ steps.runner-perf.outputs.submit-performance }}

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
        with:
          persist-credentials: false
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # pin@v3.0.2
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # pin@v4.0.1
        id: filter
        with:
          filters: |
@@ -77,13 +77,32 @@ jobs:
        if: |
          contains(github.event.pull_request.labels.*.name, 'dependency') ||
          contains(github.event.pull_request.labels.*.name, 'full-run')
+      - name: Is performance testing being forced?
+        run: echo "force-performance=true" >> $GITHUB_OUTPUT
+        id: performance
+        if: |
+          contains(github.event.pull_request.labels.*.name, 'performance-run')
      - name: Which runner to use?
+        env:
+          GITHUB_REF: ${{ github.ref }}
+          PERFORMANCE: ${{ steps.performance.outputs.force-performance }}
        id: runner-perf
        # decide if we are running in inventree/inventree -> use codspeed-macro runner else ubuntu-24.04
-        run: echo "runner=$([[ '${{ github.repository }}' == 'inventree/InvenTree' && '${{ env.use_performance }}' == 'true' ]] && echo 'codspeed-macro' || echo 'ubuntu-24.04')" >> $GITHUB_OUTPUT
+        run: |
+          is_main_push=false
+          if [[ '${{ github.event_name }}' == 'push' && "$GITHUB_REF" == 'refs/heads/master' ]]; then
+            is_main_push=true
+          fi
+          if [[ '${{ github.repository }}' == 'inventree/InvenTree' && ( "$is_main_push" == 'true' || "$PERFORMANCE" == 'true' ) ]]; then
+            echo "runner=codspeed-macro" >> "$GITHUB_OUTPUT"
+            echo "submit-performance=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "runner=ubuntu-24.04" >> "$GITHUB_OUTPUT"
+            echo "submit-performance=false" >> "$GITHUB_OUTPUT"
+          fi

-  pre-commit:
-    name: Style [pre-commit]
+  code-style:
+    name: Style [prek]
    runs-on: ubuntu-24.04
    needs: paths-filter
    if: needs.paths-filter.outputs.cicd == 'true' || needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true'
@@ -97,8 +116,8 @@ jobs:
        with:
          python-version: ${{ env.python_version }}
          cache: "pip"
-      - name: Run pre-commit Checks
-        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # pin@v3.0.1
+      - name: Run pre commit hook Checks
+        uses: j178/prek-action@6ad80277337ad479fe43bd70701c3f7f8aa74db3 # pin@v2
      - name: Check Version
        run: |
          pip install --require-hashes -r contrib/dev_reqs/requirements.txt
@@ -107,7 +126,7 @@ jobs:
  typecheck:
    name: Style [Typecheck]
    runs-on: ubuntu-24.04
-    needs: [paths-filter, pre-commit]
+    needs: [code-style, paths-filter]
    if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true'

    steps:
@@ -183,7 +202,7 @@ jobs:
      - name: Export API Documentation
        run: invoke dev.schema --ignore-warnings --filename src/backend/InvenTree/schema.yml
      - name: Upload schema
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        with:
          name: schema.yml
          path: src/backend/InvenTree/schema.yml
@@ -203,7 +222,7 @@ jobs:
          echo "Downloaded api.yaml"
      - name: Running OpenAPI Spec diff action
        id: breaking_changes
-        uses: oasdiff/oasdiff-action/diff@1c611ffb1253a72924624aa4fb662e302b3565d3 # pin@main
+        uses: oasdiff/oasdiff-action/diff@6147a58e5d1249a12f42fc864ab791d571a30015 # pin@main
        with:
          base: "api.yaml"
          revision: "src/backend/InvenTree/schema.yml"
@@ -232,17 +251,17 @@ jobs:
      - name: Extract settings / tags
        run: invoke int.export-definitions --basedir docs
      - name: Upload settings
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        with:
          name: inventree_settings.json
          path: docs/generated/inventree_settings.json
      - name: Upload tags
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        with:
          name: inventree_tags.yml
          path: docs/generated/inventree_tags.yml
      - name: Upload filters
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        with:
          name: inventree_filters.yml
          path: docs/generated/inventree_filters.yml
@@ -265,7 +284,7 @@ jobs:
      - name: Create artifact directory
        run: mkdir -p artifact
      - name: Download schema artifact
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # pin@v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # pin@v8.0.1
        with:
          path: artifact
          merge-multiple: true
@@ -291,8 +310,8 @@ jobs:
    name: Tests - inventree-python
    runs-on: ${{ needs.paths-filter.outputs.runner-perf }}

-    needs: ["pre-commit", "paths-filter"]
-    if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true'
+    needs: ["code-style", "paths-filter"]
+    if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true' || needs.paths-filter.outputs.performance == 'true'
    permissions:
      contents: read
      id-token: write
@@ -310,7 +329,7 @@ jobs:
      INVENTREE_SITE_URL: http://127.0.0.1:12345
      INVENTREE_DEBUG: true
      INVENTREE_LOG_LEVEL: WARNING
-      node_version: '>=20.19.6'
+      node_version: '>=24'

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
@@ -322,6 +341,7 @@ jobs:
          apt-dependency: gettext poppler-utils
          dev-install: true
          update: true
+          static: true
          npm: true
      - name: Download Python Code For `${WRAPPER_NAME}`
        run: git clone --depth 1 https://github.com/inventree/${WRAPPER_NAME} ./${WRAPPER_NAME}
@@ -341,10 +361,11 @@ jobs:
          pip uninstall pytest-django -y
          cd ${WRAPPER_NAME}
          pip install .
+        if: needs.paths-filter.outputs.submit-performance == 'true'
      - name: Performance Reporting
-        uses: CodSpeedHQ/action@dbda7111f8ac363564b0c51b992d4ce76bb89f2f # pin@v4
+        uses: CodSpeedHQ/action@3194d9a39c4d46684cb44bf7207fc56626aad8fd # pin@v4.15.1
        # check if we are in inventree/inventree - reporting only works in that OIDC context
-        if: github.repository == 'inventree/InvenTree'
+        if: github.repository == 'inventree/InvenTree' && needs.paths-filter.outputs.submit-performance == 'true'
        with:
          mode: walltime
          run: pytest ./src/performance --codspeed
@@ -353,7 +374,7 @@ jobs:
    name: Tests - DB [SQLite] + Coverage ${{ matrix.python_version }}
    runs-on: ubuntu-24.04

-    needs: ["pre-commit", "paths-filter"]
+    needs: ["code-style", "paths-filter"]
    if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true'
    continue-on-error: true # continue if a step fails so that coverage gets pushed
    strategy:
@@ -378,6 +399,7 @@ jobs:
          apt-dependency: gettext poppler-utils
          dev-install: true
          update: true
+          static: true
      - name: Data Export Test
        uses: ./.github/actions/migration
      - name: Test Translations
@@ -387,13 +409,13 @@ jobs:
      - name: Coverage Tests
        run: invoke dev.test --check --coverage --translations
      - name: Upload raw coverage to artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        with:
          name: coverage
          path: .coverage
          retention-days: 14
      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # pin@v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@v6.0.0
        if: always()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -404,9 +426,9 @@ jobs:
    name: Tests - Performance
    runs-on: ${{ needs.paths-filter.outputs.runner-perf }}

-    needs: ["pre-commit", "paths-filter"]
+    needs: ["code-style", "paths-filter"]
    # check if we are in inventree/inventree - reporting only works in that OIDC context
-    if: (needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true') && github.repository == 'inventree/InvenTree'
+    if: (needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true') && github.repository == 'inventree/InvenTree' && needs.paths-filter.outputs.submit-performance == 'true'
    permissions:
      contents: read
      id-token: write
@@ -430,9 +452,9 @@ jobs:
          update: true
          npm: true
        env:
-          node_version: '>=20.19.0'
+          node_version: '>=24'
      - name: Performance Reporting
-        uses: CodSpeedHQ/action@dbda7111f8ac363564b0c51b992d4ce76bb89f2f # pin@v4
+        uses: CodSpeedHQ/action@3194d9a39c4d46684cb44bf7207fc56626aad8fd # pin@v4.15.1
        with:
          mode: walltime
          run: inv dev.test --pytest
@@ -440,7 +462,7 @@ jobs:
  postgres:
    name: Tests - DB [PostgreSQL]
    runs-on: ubuntu-24.04
-    needs: ["pre-commit", "paths-filter"]
+    needs: ["code-style", "paths-filter"]
    if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true'

    env:
@@ -480,6 +502,7 @@ jobs:
          pip-dependency: psycopg django-redis>=5.0.0
          dev-install: true
          update: true
+          static: true
      - name: Run Tests
        run: invoke dev.test --check --translations
      - name: Data Export Test
@@ -489,7 +512,7 @@ jobs:
    name: Tests - DB [MySQL]
    runs-on: ubuntu-24.04

-    needs: ["pre-commit", "paths-filter"]
+    needs: ["code-style", "paths-filter"]
    if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.force == 'true'

    env:
@@ -528,6 +551,7 @@ jobs:
          pip-dependency: mysqlclient
          dev-install: true
          update: true
+          static: true
      - name: Run Tests
        run: invoke dev.test --check --translations
      - name: Data Export Test
@@ -573,7 +597,7 @@ jobs:
      - name: Run Tests
        run: invoke dev.test --check --migrations --report --coverage --translations
      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # pin@v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@v6.0.0
        if: always()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -644,7 +668,7 @@ jobs:
    name: Tests - Web UI
    runs-on: ubuntu-24.04
    timeout-minutes: 60
-    needs: ["pre-commit", "paths-filter"]
+    needs: ["code-style", "paths-filter"]
    if: needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.force == 'true'
    services:
      postgres:
@@ -682,7 +706,7 @@ jobs:
          npm: true
          install: true
          update: true
-          apt-dependency: postgresql-client libpq-dev
+          apt-dependency: gettext postgresql-client libpq-dev
          pip-dependency: psycopg2
      - name: Set up test data
        run: |
@@ -701,7 +725,7 @@ jobs:
          invoke static
          env INVENTREE_CUSTOM_SPLASH="img/playwright_custom_splash.png" INVENTREE_CUSTOM_LOGO="img/playwright_custom_logo.png" npx nyc playwright test --project=customization
          npx nyc playwright test --project=chromium --project=firefox
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        if: ${{ !cancelled() && steps.tests.outcome == 'failure' }}
        with:
          name: playwright-report
@@ -710,7 +734,7 @@ jobs:
      - name: Report coverage
        run: cd src/frontend && npx nyc report --report-dir ./coverage --temp-dir .nyc_output --reporter=lcov --exclude-after-remap false
      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # pin@v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@v6.0.0
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: inventree/InvenTree
@@ -739,14 +763,14 @@ jobs:
      - name: Install dependencies
        run: cd src/frontend && yarn install
      - name: Build frontend
-        run: cd src/frontend && yarn run compile && yarn run build
+        run: cd src/frontend && yarn run compile && yarn run lib && yarn run build
      - name: Write version file - SHA
        run: cd src/backend/InvenTree/web/static/web/.vite && echo "$GITHUB_SHA" > sha.txt
      - name: Zip frontend
        run: |
          cd src/backend/InvenTree/web/static
          zip -r frontend-build.zip web/ web/.vite
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        with:
          name: frontend-build
          path: src/backend/InvenTree/web/static/web
@@ -755,7 +779,7 @@ jobs:
  zizmor:
    name: Security [Zizmor]
    runs-on: ubuntu-24.04
-    needs: ["pre-commit", "paths-filter"]
+    needs: ["code-style", "paths-filter"]
    if: needs.paths-filter.outputs.cicd == 'true' || needs.paths-filter.outputs.force == 'true'

    permissions:
@@ -765,13 +789,5 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
        with:
          persist-credentials: false
-      - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # pin@v2
-      - name: Run zizmor
-        run: uvx zizmor --format sarif . > results.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # pin@v3
-        with:
-          sarif_file: results.sarif
-          category: zizmor
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
@@ -28,7 +28,7 @@ jobs:
          pip install --require-hashes -r contrib/dev_reqs/requirements.txt
          python3 .github/scripts/version_check.py
      - name: Push to Stable Branch
-        uses: ad-m/github-push-action@77c5b412c50b723d2a4fbc6d71fb5723bcd439aa # pin@v1.0.0
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # pin@v1.1.0
        if: env.stable_release == 'true'
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -55,7 +55,7 @@ jobs:
      - name: Build frontend
        run: cd src/frontend && npm run compile && npm run build
      - name: Create SBOM for frontend
-        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # pin@v0
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # pin@v0
        with:
          artifact-name: frontend-build.spdx
          path: src/frontend
@@ -73,31 +73,26 @@ jobs:
          zip -r ../frontend-build.zip * .vite
      - name: Attest Build Provenance
        id: attest
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # pin@v1
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # pin@v1
        with:
          subject-path: "${{ github.workspace }}/src/backend/InvenTree/web/static/frontend-build.zip"

      - name: Upload frontend
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # pin@2.11.3
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: src/backend/InvenTree/web/static/frontend-build.zip
-          asset_name: frontend-build.zip
-          tag: ${{ github.ref }}
-          overwrite: true
+        run: gh release upload ${REF} src/backend/InvenTree/web/static/frontend-build.zip#frontend-build.zip
+        env:
+          REF: ${{ github.ref_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload frontend to artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # pin@v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
        with:
          name: frontend-build
          path: src/backend/InvenTree/web/static/frontend-build.zip
      - name: Upload Attestation
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # pin@2.11.3
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          asset_name: frontend-build.intoto.jsonl
-          file: ${{ steps.attest.outputs.bundle-path}}
-          tag: ${{ github.ref }}
-          overwrite: true
+        run: gh release upload ${REF} ${BUNDLE_PATH}#frontend-build.intoto.jsonl
+        env:
+          REF: ${{ github.ref_name }}
+          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path}}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  docs:
    runs-on: ubuntu-24.04
@@ -134,13 +129,10 @@ jobs:
          cd docs/site
          zip -r docs-html.zip *
      - name: Publish documentation
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # pin@2.11.3
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: docs/site/docs-html.zip
-          asset_name: docs-html.zip
-          tag: ${{ github.ref }}
-          overwrite: true
+        run: gh release upload ${REF} docs/site/docs-html.zip#docs-html.zip
+        env:
+          REF: ${{ github.ref_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build-pkgr:
    if: github.repository == 'inventree/InvenTree'
@@ -163,7 +155,7 @@ jobs:
          persist-credentials: false

      - name: Get frontend artifact
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # pin@v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # pin@v8.0.1
        with:
          name: frontend-build
      - name: Setup
@@ -244,10 +236,9 @@ jobs:
          channel: ${{ env.pkg_channel }}
          file: ${{ steps.package.outputs.package_path }}
      - name: Publish to artifact
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # pin@2.11.3
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: ${{ steps.package.outputs.package_path }}
-          asset_name: ${{ matrix.target }}-{{ steps.setup.outputs.version }}.tar.gz
-          tag: ${{ github.ref }}
-          overwrite: true
+        run: gh release upload ${REF} ${PACKAGE_PATH}#${PACKAGE_NAME}
+        env:
+          REF: ${{ github.ref_name }}
+          PACKAGE_PATH: ${{ steps.package.outputs.package_path }}
+          PACKAGE_NAME: ${{ matrix.target }}-{{ steps.setup.outputs.version }}.tar.gz
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -59,7 +59,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: SARIF file
          path: results.sarif
@@ -67,6 +67,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          sarif_file: results.sarif
@@ -7,7 +7,7 @@ on:

 env:
  python_version: 3.11
-  node_version: 20
+  node_version: 24

 permissions:
  contents: read
@@ -56,7 +56,7 @@ jobs:
          echo "Resetting to HEAD~"
          git reset HEAD~ || true
      - name: crowdin action
-        uses: crowdin/github-action@b4b468cffefb50bdd99dd83e5d2eaeb63c880380 # pin@v2
+        uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # pin@v2
        with:
          upload_sources: true
          upload_translations: false