Stage (#9459)

* chore: increase GitHub actions timeout to 300

* fix(theme): resolve tabler icons module configuration

* fix(theme): resolve tabler icons module configuration

* fix: swagger

* fix: Tabler Icon Module import

* Merge pull request #9456 from ever-co/fix/sharper-tray-icon

Fix/sharper tray icon

* fix: add secondary lib entry point for icons

* Apply suggestion from @greptile-apps[bot]

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Apply suggestion from @greptile-apps[bot]

* [Feat] Windows data sync (#9454)

* Expose internal storage engines and logger utilities
│ Files: packages/desktop-core/src/index.ts
│ Rationale: Reorganizes and expands the public API of the core package to provide necessary Akita storage engines and helper types to dependent packages.

* Enhance ElectronService with Observable-based IPC and export storage services
│ Files: packages/desktop-ui-lib/src/lib/electron/services/electron/electron.service.ts, packages/desktop-ui-lib/src/lib/services/index.ts
│ Rationale: Adds robust IPC invocation and event listening capabilities using Observables and NgZone, providing the necessary frontend infrastructure for synchronized storage.

* feat: Implement Akita storage IPC handler and perform code cleanup
│ Files: packages/desktop-lib/src/lib/desktop-ipc.ts
│ Rationale: Adds the AkitaStorageHandler to manage IPC communication for state persistence. Includes formatting improvements and improved cleanup logic for power management handlers.

* feat: Initialize Akita storage handler in the desktop main process
│ Files: apps/desktop-timer/src/index.ts
│ Rationale: Wires up the main process storage handler during the app is ready state and performs minor cleanup of imports and formatting.

* feat: Configure Akita state persistence using GauzyStorageService in the renderer
│ Files: apps/desktop-timer/src/main.ts
│ Rationale: Migrates the application bootstrap process to use the custom GauzyStorageService within a provideAppInitializer, ensuring state is persisted via the new IPC-based mechanism.

* feat(desktop): implement akita storage engine and ipc handlers

Introduce a persistent storage solution for Akita in the desktop
application. This implementation includes:
- A core AkitaStorageEngine leveraging electron-store for data
persistence.
- IPC handlers in the main process to bridge storage operations between
processes.
- An Angular GauzyStorageService to provide a clean interface for the UI
to interact with the storage engine via Electron IPC.

* refactor: migrate akita state persistence to gauzystorageservice

Move Akita's `persistState` and `akitaConfig` from top-level execution
to `provideAppInitializer` during the application bootstrap process.
This allows the use of `GauzyStorageService` through Angular's
dependency injection and enables `enableInNonBrowser: true` to ensure
state persistence works correctly across different environments.

* feat(desktop): initialize akita storage handler

Initialize the setupAkitaStorageHandler in the agent, desktop, server,
and server-api applications. This ensures that Akita state management
is correctly synchronized and handled via IPC communication across all
electron-based components.

* refactor(desktop-ui-lib): add missing await and types to storage service

Update GauzyStorageService methods to properly await electron service
invocations and include explicit Promise return types for improved
type safety.

* refactor(desktop-ui-lib): make electronService private in GauzyStorageService

Change the visibility of the injected ElectronService from public to
private to improve encapsulation within the GauzyStorageService.

* fix(akita-storage): update default store name to 'window-state'

* fix(electron-service): enhance API availability checks for Electron and ContextBridge

* refactor(store.service): update state interfaces to use nullable types and improve initial state creation

* refactor(language):  ensure preferredLanguage is typed correctly

* refactor(auth): enhance token validation and expand auth endpoints

Implement robust JWT validation within the authentication strategy to
ensure tokens received from refresh operations are well-formed and
contain valid claims. This includes checks for expiration, issued-at,
and not-before times using a 60-second clock skew buffer.
Expand the list of authentication endpoints to include various sign-in
and logout paths, ensuring they are excluded from automatic refresh
logic to prevent potential infinite loops. Refine token expiry logic in
the store to better handle missing or invalid expiry data by providing
sane defaults and improved logging.

* feat(auth): implement circuit breaker and improve token refresh synchronization

Introduce a circuit breaker in the proactive refresh service to prevent
infinite retry loops after multiple consecutive failures. The breaker
automatically attempts recovery after a cooldown period.
Improve synchronization across the authentication stack:
- Replace ReplaySubject with a tracked Subject in RefreshStateManager
using unique refresh IDs to ensure requests only resolve with the
result of the specific refresh cycle they joined.
- Add an atomic execution lock in SessionExpiredHandler to prevent race
conditions when multiple concurrent requests return 401 status codes.
- Ensure RefreshStateManager state is explicitly reset during logout
flows to clear pending operations.
- Standardize error handling and state notification in the refresh
executor to prevent stalled request queues.

* refactor(auth): simplify guards and improve offline mode support

Simplify AuthGuard and NoAuthGuard by removing the AuthService dependency
and relying on stored state (token and userId). This makes guards more
lightweight and delegates token validation and refresh responsibilities
to HTTP interceptors.
Improve offline support by allowing authenticated users to access routes
when the server is unreachable. Clean up redirection logic and remove
redundant logout calls from within the guard components.

* refactor(routing): reorganize application routes and update guard logic

Reorganize routes into logical sections (Public, Auth, Protected, and
Utility) to improve maintainability and clarity. Update route guards to
consistently enforce authentication across internal pages and utility
components.
Key changes include:
- Replace deprecated AppModuleGuard with specific Auth/NoAuth guards
- Add AuthGuard to utility routes (updater, viewer, etc.)
- Clarify guard execution order via documentation
- Group public routes like splash-screen and server-down together

* refactor(auth): centralize authentication data storage and enhance security

- Extract authentication data storage logic into reusable `storeAuthenticationData()` method
- Make `setTokenExpiry()` public to allow reuse across login components
- Add `validateEmployeeUser()` public method to ensure user has employee record
- Implement employee validation in offline login flow with proper error handling
- Schedule electron authentication callback with 3-second delay using asyncScheduler
- Pass full auth response to electron authentication instead of individual parameters
- Update magic login component to use router state instead of query params for sensitive code
- Improve code formatting and documentation in login components
- Enhance security by preventing authentication codes from appearing in browser history

* refactor(desktop-timer): remove unused AppModuleGuard import

- Remove unused AppModuleGuard import from app-routing.module.ts
- Simplify routing module dependencies and reduce unnecessary imports
- Clean up module structure for better maintainability

* refactor(server-down): enhance navigation and capture redirect URL

- Add ActivatedRoute import to access query parameters
- Capture original URL from query parameters on component initialization
- Update navigation logic to redirect to original URL when server connection restored
- Replace router.navigate with router.navigateByUrl for proper URL handling
- Fix component decorator indentation to use tabs consistently
- Add redirectUrl property to store the original navigation target
- Improve logging to track server connection restoration and navigation flow

* refactor(auth): enhance token management and improve offline access handling

* refactor(auth.guard): update stored auth check logic to allow access with userId

* refactor(auth): convert class-based guards to functional guards

Migrate AuthGuard, NoAuthGuard, and AuthConnectionGuard from class-based implementations to functional guards using the Angular inject function. This aligns with modern Angular best practices and simplifies the routing configuration.
Additional changes:
- Update app routing to use the new functional guards.
- Refactor tray icon initialization to use TrayIconFactory.
- Clean up redundant guard providers and initializers in main.ts.
- Update recap routing to utilize lazy-loaded child routes.

* refactor(screen-capture): clean up imports and streamline code formatting

* fix(auth): improve electron authentication flow and user validation

Refactor the authentication process to use RxJS observables instead of
manual delays when communicating with the Electron main process. This
ensures more reliable state synchronization between the UI and the
backend.
Additional changes:
- Add stricter validation for user records, including remote ID and
employee status checks.
- Update the IPC event listener from 'auth_success_tray_init' to
'timer_tracker_show'.
- Implement defensive null checks in the user service retrieval logic.

* refactor(desktop-lib): modularize tray icon using design patterns

The monolithic TrayIcon class in desktop-tray.ts has been refactored into a more maintainable structure using several design patterns:
- Strategy Pattern: for switching between authenticated and unauthenticated menu states.
- Command Pattern: to encapsulate tray menu actions.
- Observer Pattern: to handle language changes without recreating the tray.
- Adapter Pattern: to decouple the tray logic from core services.
- Builder Pattern: for fluent menu item construction.
This restructuring improves testability and separates IPC handling, menu management, and authentication logic into dedicated classes.

* feat(auth): enhance connection guard and refactor login flow

Update `authConnectionGuard` to verify server connectivity via
`ServerConnectionService` before allowing access. Refactor
`AuthStrategy` and workspace login to utilize RxJS `switchMap` for
better handling of asynchronous authentication processes, removing
manual delays and improving code consistency.

* refactor(auth): improve reactive state management and auth flow

Convert authentication guards, interceptors, and services to use RxJS
observable streams instead of synchronous property checks. This ensures
that auth state is correctly evaluated after Akita state persistence
has initialized.
Changes include:
- Update auth and no-auth guards to return Observables.
- Integrate Akita persistence initialization checks in guards.
- Refactor server ping logic using RxJS operators for better reliability.
- Clean up logout and IPC handling logic in the desktop library.
- Introduce a shared `isAuthenticated$` stream in the store service.
- Update token refresh logic to be fully reactive.

* refactor(desktop): migrate to functional guards and TrayIconFactory

Update routing configuration to use the functional authConnectionGuard and ensure the time-tracker route is protected. Refactor the desktop tray icon creation to use TrayIconFactory for better abstraction and remove unused guard providers from the application bootstrap.

* refactor(routing): replace AppModuleGuard with noAuthGuard and update route guards

* refactor(tray): update tray icon creation to use variable assignment

* refactor(magic-login): remove unused Store import and clean up constructor

* refactor(auth-connection.guard): update access condition to use logical OR for connection state

* refactor(auth-ipc-handler): improve type annotations and clean up logging

* refactor(app.component): ensure proper cleanup of subscriptions with untilDestroyed

* refactor: improve setting window initialization and event handling

* refactor(start-timer-command): enhance execute method for better window handling

* refactor(auth): streamline authentication success logging and improve error handling in command execution

* fix(auth.guard): correct typo in isAuthenticated variable name

* refactor(login): enhance change detection strategy and streamline imports across components

* refactor(desktop-ui-lib): update screen capture component to use observables

Switch the component to OnPush change detection and replace manual IPC
listeners with observable streams. Implement proper subscription
cleanup using untilDestroyed and remove the unused NgZone dependency.

* refactor(tray): improve handling of time tracker window in logout and tray interactions

* fix(tray): improve menu command execution and auth flow

- Properly await command execution in the tray menu item builder.
- Ensure the timer window is visible when attempting to start the timer
via the tray while unauthenticated.
- Delay auth IPC handler setup until tray icon initialization.
- Add safety checks to the login response and remove the strict refresh
token requirement during token refresh.
- Remove an unused auth variable in the desktop-timer entry point.

* refactor: update TablerIconsModule import path across multiple files

* Update unauthenticated-menu-strategy.ts

* Update packages/desktop-lib/src/lib/tray/strategies/authenticated-menu-strategy.ts

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update packages/desktop-lib/src/lib/tray/observer/language-subject.ts

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: Ruslan Konviser <evereq@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: Rahul R. <rahulrathore576@gmail.com>
Co-authored-by: Rahul R. <41804588+rahul-rocket@users.noreply.github.com>
Co-authored-by: syns2191 <sutralian@gmail.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: Kifungo A <45813955+adkif@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: 6 people

.github/workflows/agent-prod.yml

@@ -14,7 +14,7 @@ concurrency:
 jobs:
   release-linux:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -105,7 +105,7 @@ jobs:
 
   release-linux-arm64:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -204,7 +204,7 @@ jobs:
 
   release-mac:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -298,7 +298,7 @@ jobs:
 
   release-windows:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -427,7 +427,7 @@ jobs:
 
   release-windows-arm64:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:

.github/workflows/agent-stage.yml

@@ -14,7 +14,7 @@ concurrency:
 jobs:
   release-linux:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -105,7 +105,7 @@ jobs:
 
   release-linux-arm64:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -204,7 +204,7 @@ jobs:
 
   release-mac:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -298,7 +298,7 @@ jobs:
 
   release-windows:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:
@@ -427,7 +427,7 @@ jobs:
 
   release-windows-arm64:
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     strategy:
       matrix:

.github/workflows/deploy-civo-demo.yml

@@ -2,15 +2,15 @@ name: Deploy to Civo Demo
 
 on:
   workflow_run:
-    workflows: ["Build and Publish Docker Images Demo"]
+    workflows: ['Build and Publish Docker Images Demo']
     branches: [civo]
     types:
       - completed
 
 jobs:
   deploy-demo:
     runs-on: ubicloud-standard-4
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     environment: demo
 
@@ -38,19 +38,19 @@ jobs:
           envsubst < $GITHUB_WORKSPACE/.deploy/k8s/k8s-manifest.civo.demo.yaml | kubectl --context ever apply -f -
         env:
           # below we are using GitHub secrets for both frontend and backend
-          DB_NAME: "${{ secrets.DB_NAME }}"
-          CLOUD_PROVIDER: "CIVO"
-          SENTRY_DSN: "${{ secrets.SENTRY_DSN }}"
-          SENTRY_TRACES_SAMPLE_RATE: "${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}"
-          SENTRY_PROFILE_SAMPLE_RATE: "${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}"
-          SENTRY_HTTP_TRACING_ENABLED: "${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}"
-          SENTRY_POSTGRES_TRACKING_ENABLED: "${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}"
-          SENTRY_PROFILING_ENABLED: "${{ secrets.SENTRY_PROFILING_ENABLED }}"
-          OTEL_ENABLED: "${{ secrets.OTEL_ENABLED }}"
-          OTEL_PROVIDER: "${{ secrets.OTEL_PROVIDER }}"
-          OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: "${{ secrets.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT }}"
-          OTEL_EXPORTER_OTLP_HEADERS: "${{ secrets.OTEL_EXPORTER_OTLP_HEADERS }}"
-          FEATURE_OPEN_STATS: "${{ vars.FEATURE_OPEN_STATS }}"
+          DB_NAME: '${{ secrets.DB_NAME }}'
+          CLOUD_PROVIDER: 'CIVO'
+          SENTRY_DSN: '${{ secrets.SENTRY_DSN }}'
+          SENTRY_TRACES_SAMPLE_RATE: '${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}'
+          SENTRY_PROFILE_SAMPLE_RATE: '${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}'
+          SENTRY_HTTP_TRACING_ENABLED: '${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}'
+          SENTRY_POSTGRES_TRACKING_ENABLED: '${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}'
+          SENTRY_PROFILING_ENABLED: '${{ secrets.SENTRY_PROFILING_ENABLED }}'
+          OTEL_ENABLED: '${{ secrets.OTEL_ENABLED }}'
+          OTEL_PROVIDER: '${{ secrets.OTEL_PROVIDER }}'
+          OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: '${{ secrets.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT }}'
+          OTEL_EXPORTER_OTLP_HEADERS: '${{ secrets.OTEL_EXPORTER_OTLP_HEADERS }}'
+          FEATURE_OPEN_STATS: '${{ vars.FEATURE_OPEN_STATS }}'
 
       # we need this step because for now we just use :latest tag
       # note: for production we will use different strategy later

.github/workflows/deploy-civo-prod.yml

@@ -2,15 +2,15 @@ name: Deploy to Civo Prod
 
 on:
   workflow_run:
-    workflows: ["Build and Publish Docker Images Prod"]
+    workflows: ['Build and Publish Docker Images Prod']
     branches: [civo]
     types:
       - completed
 
 jobs:
   deploy-prod:
     runs-on: ubicloud-standard-4
-    timeout-minutes: 150
+    timeout-minutes: 300
 
     environment: prod
 
@@ -37,117 +37,117 @@ jobs:
         run: |
           echo "$DB_CA_CERT" | base64 --decode > ${HOME}/ca-certificate.crt
         env:
-          DB_CA_CERT: "${{ secrets.DB_CA_CERT }}"
+          DB_CA_CERT: '${{ secrets.DB_CA_CERT }}'
 
       - name: Apply k8s manifests changes in DigitalOcean k8s cluster (if any)
         run: |
           envsubst < $GITHUB_WORKSPACE/.deploy/k8s/k8s-manifest.civo.prod.yaml | kubectl --context ever apply -f -
         env:
           # below we are using GitHub secrets for both frontend and backend
-          DB_TYPE: "${{ secrets.DB_TYPE }}"
-          DB_URI: "${{ secrets.DB_URI }}"
+          DB_TYPE: '${{ secrets.DB_TYPE }}'
+          DB_URI: '${{ secrets.DB_URI }}'
           # Note: for now we are using DB in different provider, so we have to use public hostname
-          DB_HOST: "${{ secrets.DB_HOST_CIVO }}"
-          DB_USER: "${{ secrets.DB_USER }}"
-          DB_PASS: "${{ secrets.DB_PASS }}"
-          DB_NAME: "${{ secrets.DB_NAME }}"
-          DB_PORT: "${{ secrets.DB_PORT }}"
-          DB_CA_CERT: "${{ secrets.DB_CA_CERT }}"
-          DB_SSL_MODE: "${{ secrets.DB_SSL_MODE }}"
-          DB_POOL_SIZE: "${{ secrets.DB_POOL_SIZE }}"
-          DB_POOL_SIZE_KNEX: "${{ secrets.DB_POOL_SIZE_KNEX }}"
-          REDIS_ENABLED: "${{ secrets.REDIS_ENABLED }}"
-          REDIS_URL: "${{ secrets.REDIS_URL }}"
-          REDIS_HOST: "${{ secrets.REDIS_HOST }}"
-          REDIS_PASSWORD: "${{ secrets.REDIS_PASSWORD }}"
-          REDIS_PORT: "${{ secrets.REDIS_PORT }}"
-          REDIS_USER: "${{ secrets.REDIS_USER }}"
-          REDIS_TLS: "${{ secrets.REDIS_TLS }}"
-          CLOUD_PROVIDER: "CIVO"
-          SENTRY_DSN: "${{ secrets.SENTRY_DSN }}"
-          SENTRY_TRACES_SAMPLE_RATE: "${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}"
-          SENTRY_PROFILE_SAMPLE_RATE: "${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}"
-          SENTRY_HTTP_TRACING_ENABLED: "${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}"
-          SENTRY_POSTGRES_TRACKING_ENABLED: "${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}"
-          SENTRY_PROFILING_ENABLED: "${{ secrets.SENTRY_PROFILING_ENABLED }}"
-          AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
-          AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
-          AWS_REGION: "${{ secrets.AWS_REGION }}"
-          AWS_S3_BUCKET: "${{ secrets.AWS_S3_BUCKET }}"
-          WASABI_ACCESS_KEY_ID: "${{ secrets.WASABI_ACCESS_KEY_ID }}"
-          WASABI_SECRET_ACCESS_KEY: "${{ secrets.WASABI_SECRET_ACCESS_KEY }}"
-          WASABI_REGION: "${{ secrets.WASABI_REGION }}"
-          WASABI_SERVICE_URL: "${{ secrets.WASABI_SERVICE_URL }}"
-          WASABI_S3_BUCKET: "${{ secrets.WASABI_S3_BUCKET }}"
-          WASABI_S3_FORCE_PATH_STYLE: "${{ secrets.WASABI_S3_FORCE_PATH_STYLE }}"
-          DIGITALOCEAN_ACCESS_KEY_ID: "${{ secrets.DIGITALOCEAN_ACCESS_KEY_ID }}"
-          DIGITALOCEAN_SECRET_ACCESS_KEY: "${{ secrets.DIGITALOCEAN_SECRET_ACCESS_KEY }}"
-          DIGITALOCEAN_REGION: "${{ secrets.DIGITALOCEAN_REGION }}"
-          DIGITALOCEAN_SERVICE_URL: "${{ secrets.DIGITALOCEAN_SERVICE_URL }}"
-          DIGITALOCEAN_CDN_URL: "${{ secrets.DIGITALOCEAN_CDN_URL }}"
-          DIGITALOCEAN_S3_BUCKET: "${{ secrets.DIGITALOCEAN_S3_BUCKET }}"
-          DIGITALOCEAN_S3_FORCE_PATH_STYLE: "${{ secrets.DIGITALOCEAN_S3_FORCE_PATH_STYLE }}"
-          EXPRESS_SESSION_SECRET: "${{ secrets.EXPRESS_SESSION_SECRET }}"
-          JWT_SECRET: "${{ secrets.JWT_SECRET }}"
-          JWT_REFRESH_TOKEN_SECRET: "${{ secrets.JWT_REFRESH_TOKEN_SECRET }}"
-          JWT_REFRESH_TOKEN_EXPIRATION_TIME: "${{ secrets.JWT_REFRESH_TOKEN_EXPIRATION_TIME }}"
-          CLOUDINARY_API_KEY: "${{ secrets.CLOUDINARY_API_KEY }}"
-          CLOUDINARY_API_SECRET: "${{ secrets.CLOUDINARY_API_SECRET }}"
-          CLOUDINARY_CLOUD_NAME: "${{ secrets.CLOUDINARY_CLOUD_NAME }}"
-          MAIL_FROM_ADDRESS: "${{ secrets.MAIL_FROM_ADDRESS }}"
-          MAIL_HOST: "${{ secrets.MAIL_HOST }}"
-          MAIL_PORT: "${{ secrets.MAIL_PORT }}"
-          MAIL_USERNAME: "${{ secrets.MAIL_USERNAME }}"
-          MAIL_PASSWORD: "${{ secrets.MAIL_PASSWORD }}"
-          ALLOW_SUPER_ADMIN_ROLE: "${{ secrets.ALLOW_SUPER_ADMIN_ROLE }}"
-          GOOGLE_CLIENT_ID: "${{ secrets.GOOGLE_CLIENT_ID }}"
-          GOOGLE_CLIENT_SECRET: "${{ secrets.GOOGLE_CLIENT_SECRET }}"
-          GOOGLE_CALLBACK_URL: "${{ secrets.GOOGLE_CALLBACK_URL }}"
-          FACEBOOK_CLIENT_ID: "${{ secrets.FACEBOOK_CLIENT_ID }}"
-          FACEBOOK_CLIENT_SECRET: "${{ secrets.FACEBOOK_CLIENT_SECRET }}"
-          FACEBOOK_GRAPH_VERSION: "${{ secrets.FACEBOOK_GRAPH_VERSION }}"
-          FACEBOOK_CALLBACK_URL: "${{ secrets.FACEBOOK_CALLBACK_URL }}"
-          INTEGRATED_USER_DEFAULT_PASS: "${{ secrets.INTEGRATED_USER_DEFAULT_PASS }}"
-          UPWORK_REDIRECT_URL: "${{ secrets.UPWORK_REDIRECT_URL }}"
-          FILE_PROVIDER: "${{ secrets.FILE_PROVIDER }}"
-          GAUZY_AI_GRAPHQL_ENDPOINT: "${{ secrets.GAUZY_AI_GRAPHQL_ENDPOINT }}"
-          GAUZY_AI_REST_ENDPOINT: "${{ secrets.GAUZY_AI_REST_ENDPOINT }}"
-          UNLEASH_APP_NAME: "${{ secrets.UNLEASH_APP_NAME }}"
-          UNLEASH_API_URL: "${{ secrets.UNLEASH_API_URL }}"
-          UNLEASH_INSTANCE_ID: "${{ secrets.UNLEASH_INSTANCE_ID }}"
-          UNLEASH_REFRESH_INTERVAL: "${{ secrets.UNLEASH_REFRESH_INTERVAL }}"
-          UNLEASH_METRICS_INTERVAL: "${{ secrets.UNLEASH_METRICS_INTERVAL }}"
-          UNLEASH_API_KEY: "${{ secrets.UNLEASH_API_KEY }}"
-          JITSU_SERVER_URL: "${{ secrets.JITSU_SERVER_URL }}"
-          JITSU_SERVER_WRITE_KEY: "${{ secrets.JITSU_SERVER_WRITE_KEY }}"
-          OTEL_ENABLED: "${{ secrets.OTEL_ENABLED }}"
-          OTEL_PROVIDER: "${{ secrets.OTEL_PROVIDER }}"
-          OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: "${{ secrets.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT }}"
-          OTEL_EXPORTER_OTLP_HEADERS: "${{ secrets.OTEL_EXPORTER_OTLP_HEADERS }}"
-          GAUZY_GITHUB_CLIENT_ID: "${{ secrets.GAUZY_GITHUB_CLIENT_ID }}"
-          GAUZY_GITHUB_CLIENT_SECRET: "${{ secrets.GAUZY_GITHUB_CLIENT_SECRET }}"
-          GAUZY_GITHUB_APP_PRIVATE_KEY: "${{ secrets.GAUZY_GITHUB_APP_PRIVATE_KEY }}"
-          GAUZY_GITHUB_WEBHOOK_URL: "${{ secrets.GAUZY_GITHUB_WEBHOOK_URL }}"
-          GAUZY_GITHUB_WEBHOOK_SECRET: "${{ secrets.GAUZY_GITHUB_WEBHOOK_SECRET }}"
-          GAUZY_GITHUB_APP_NAME: "${{ secrets.GAUZY_GITHUB_APP_NAME }}"
-          GAUZY_GITHUB_REDIRECT_URL: "${{ secrets.GAUZY_GITHUB_REDIRECT_URL }}"
-          GAUZY_GITHUB_POST_INSTALL_URL: "${{ secrets.GAUZY_GITHUB_POST_INSTALL_URL }}"
-          GAUZY_GITHUB_APP_ID: "${{ secrets.GAUZY_GITHUB_APP_ID }}"
-          GAUZY_GITHUB_OAUTH_CLIENT_ID: "${{ secrets.GAUZY_GITHUB_OAUTH_CLIENT_ID }}"
-          GAUZY_GITHUB_OAUTH_CLIENT_SECRET: "${{ secrets.GAUZY_GITHUB_OAUTH_CLIENT_SECRET }}"
-          GAUZY_GITHUB_OAUTH_CALLBACK_URL: "${{ secrets.GAUZY_GITHUB_OAUTH_CALLBACK_URL }}"
-          JITSU_BROWSER_URL: "${{ secrets.JITSU_BROWSER_URL }}"
-          JITSU_BROWSER_WRITE_KEY: "${{ secrets.JITSU_BROWSER_WRITE_KEY }}"
-          MAGIC_CODE_EXPIRATION_TIME: "${{ secrets.MAGIC_CODE_EXPIRATION_TIME }}"
-          APP_NAME: "${{ secrets.APP_NAME }}"
-          APP_LOGO: "${{ secrets.APP_LOGO }}"
-          APP_SIGNATURE: "${{ secrets.APP_SIGNATURE }}"
-          APP_LINK: "${{ secrets.APP_LINK }}"
-          APP_EMAIL_CONFIRMATION_URL: "${{ secrets.APP_EMAIL_CONFIRMATION_URL }}"
-          APP_MAGIC_SIGN_URL: "${{ secrets.APP_MAGIC_SIGN_URL }}"
-          COMPANY_LINK: "${{ secrets.COMPANY_LINK }}"
-          COMPANY_NAME: "${{ secrets.COMPANY_NAME }}"
-          FEATURE_OPEN_STATS: "${{ vars.FEATURE_OPEN_STATS }}"
+          DB_HOST: '${{ secrets.DB_HOST_CIVO }}'
+          DB_USER: '${{ secrets.DB_USER }}'
+          DB_PASS: '${{ secrets.DB_PASS }}'
+          DB_NAME: '${{ secrets.DB_NAME }}'
+          DB_PORT: '${{ secrets.DB_PORT }}'
+          DB_CA_CERT: '${{ secrets.DB_CA_CERT }}'
+          DB_SSL_MODE: '${{ secrets.DB_SSL_MODE }}'
+          DB_POOL_SIZE: '${{ secrets.DB_POOL_SIZE }}'
+          DB_POOL_SIZE_KNEX: '${{ secrets.DB_POOL_SIZE_KNEX }}'
+          REDIS_ENABLED: '${{ secrets.REDIS_ENABLED }}'
+          REDIS_URL: '${{ secrets.REDIS_URL }}'
+          REDIS_HOST: '${{ secrets.REDIS_HOST }}'
+          REDIS_PASSWORD: '${{ secrets.REDIS_PASSWORD }}'
+          REDIS_PORT: '${{ secrets.REDIS_PORT }}'
+          REDIS_USER: '${{ secrets.REDIS_USER }}'
+          REDIS_TLS: '${{ secrets.REDIS_TLS }}'
+          CLOUD_PROVIDER: 'CIVO'
+          SENTRY_DSN: '${{ secrets.SENTRY_DSN }}'
+          SENTRY_TRACES_SAMPLE_RATE: '${{ secrets.SENTRY_TRACES_SAMPLE_RATE }}'
+          SENTRY_PROFILE_SAMPLE_RATE: '${{ secrets.SENTRY_PROFILE_SAMPLE_RATE }}'
+          SENTRY_HTTP_TRACING_ENABLED: '${{ secrets.SENTRY_HTTP_TRACING_ENABLED }}'
+          SENTRY_POSTGRES_TRACKING_ENABLED: '${{ secrets.SENTRY_POSTGRES_TRACKING_ENABLED }}'
+          SENTRY_PROFILING_ENABLED: '${{ secrets.SENTRY_PROFILING_ENABLED }}'
+          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
+          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
+          AWS_REGION: '${{ secrets.AWS_REGION }}'
+          AWS_S3_BUCKET: '${{ secrets.AWS_S3_BUCKET }}'
+          WASABI_ACCESS_KEY_ID: '${{ secrets.WASABI_ACCESS_KEY_ID }}'
+          WASABI_SECRET_ACCESS_KEY: '${{ secrets.WASABI_SECRET_ACCESS_KEY }}'
+          WASABI_REGION: '${{ secrets.WASABI_REGION }}'
+          WASABI_SERVICE_URL: '${{ secrets.WASABI_SERVICE_URL }}'
+          WASABI_S3_BUCKET: '${{ secrets.WASABI_S3_BUCKET }}'
+          WASABI_S3_FORCE_PATH_STYLE: '${{ secrets.WASABI_S3_FORCE_PATH_STYLE }}'
+          DIGITALOCEAN_ACCESS_KEY_ID: '${{ secrets.DIGITALOCEAN_ACCESS_KEY_ID }}'
+          DIGITALOCEAN_SECRET_ACCESS_KEY: '${{ secrets.DIGITALOCEAN_SECRET_ACCESS_KEY }}'
+          DIGITALOCEAN_REGION: '${{ secrets.DIGITALOCEAN_REGION }}'
+          DIGITALOCEAN_SERVICE_URL: '${{ secrets.DIGITALOCEAN_SERVICE_URL }}'
+          DIGITALOCEAN_CDN_URL: '${{ secrets.DIGITALOCEAN_CDN_URL }}'
+          DIGITALOCEAN_S3_BUCKET: '${{ secrets.DIGITALOCEAN_S3_BUCKET }}'
+          DIGITALOCEAN_S3_FORCE_PATH_STYLE: '${{ secrets.DIGITALOCEAN_S3_FORCE_PATH_STYLE }}'
+          EXPRESS_SESSION_SECRET: '${{ secrets.EXPRESS_SESSION_SECRET }}'
+          JWT_SECRET: '${{ secrets.JWT_SECRET }}'
+          JWT_REFRESH_TOKEN_SECRET: '${{ secrets.JWT_REFRESH_TOKEN_SECRET }}'
+          JWT_REFRESH_TOKEN_EXPIRATION_TIME: '${{ secrets.JWT_REFRESH_TOKEN_EXPIRATION_TIME }}'
+          CLOUDINARY_API_KEY: '${{ secrets.CLOUDINARY_API_KEY }}'
+          CLOUDINARY_API_SECRET: '${{ secrets.CLOUDINARY_API_SECRET }}'
+          CLOUDINARY_CLOUD_NAME: '${{ secrets.CLOUDINARY_CLOUD_NAME }}'
+          MAIL_FROM_ADDRESS: '${{ secrets.MAIL_FROM_ADDRESS }}'
+          MAIL_HOST: '${{ secrets.MAIL_HOST }}'
+          MAIL_PORT: '${{ secrets.MAIL_PORT }}'
+          MAIL_USERNAME: '${{ secrets.MAIL_USERNAME }}'
+          MAIL_PASSWORD: '${{ secrets.MAIL_PASSWORD }}'
+          ALLOW_SUPER_ADMIN_ROLE: '${{ secrets.ALLOW_SUPER_ADMIN_ROLE }}'
+          GOOGLE_CLIENT_ID: '${{ secrets.GOOGLE_CLIENT_ID }}'
+          GOOGLE_CLIENT_SECRET: '${{ secrets.GOOGLE_CLIENT_SECRET }}'
+          GOOGLE_CALLBACK_URL: '${{ secrets.GOOGLE_CALLBACK_URL }}'
+          FACEBOOK_CLIENT_ID: '${{ secrets.FACEBOOK_CLIENT_ID }}'
+          FACEBOOK_CLIENT_SECRET: '${{ secrets.FACEBOOK_CLIENT_SECRET }}'
+          FACEBOOK_GRAPH_VERSION: '${{ secrets.FACEBOOK_GRAPH_VERSION }}'
+          FACEBOOK_CALLBACK_URL: '${{ secrets.FACEBOOK_CALLBACK_URL }}'
+          INTEGRATED_USER_DEFAULT_PASS: '${{ secrets.INTEGRATED_USER_DEFAULT_PASS }}'
+          UPWORK_REDIRECT_URL: '${{ secrets.UPWORK_REDIRECT_URL }}'
+          FILE_PROVIDER: '${{ secrets.FILE_PROVIDER }}'
+          GAUZY_AI_GRAPHQL_ENDPOINT: '${{ secrets.GAUZY_AI_GRAPHQL_ENDPOINT }}'
+          GAUZY_AI_REST_ENDPOINT: '${{ secrets.GAUZY_AI_REST_ENDPOINT }}'
+          UNLEASH_APP_NAME: '${{ secrets.UNLEASH_APP_NAME }}'
+          UNLEASH_API_URL: '${{ secrets.UNLEASH_API_URL }}'
+          UNLEASH_INSTANCE_ID: '${{ secrets.UNLEASH_INSTANCE_ID }}'
+          UNLEASH_REFRESH_INTERVAL: '${{ secrets.UNLEASH_REFRESH_INTERVAL }}'
+          UNLEASH_METRICS_INTERVAL: '${{ secrets.UNLEASH_METRICS_INTERVAL }}'
+          UNLEASH_API_KEY: '${{ secrets.UNLEASH_API_KEY }}'
+          JITSU_SERVER_URL: '${{ secrets.JITSU_SERVER_URL }}'
+          JITSU_SERVER_WRITE_KEY: '${{ secrets.JITSU_SERVER_WRITE_KEY }}'
+          OTEL_ENABLED: '${{ secrets.OTEL_ENABLED }}'
+          OTEL_PROVIDER: '${{ secrets.OTEL_PROVIDER }}'
+          OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: '${{ secrets.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT }}'
+          OTEL_EXPORTER_OTLP_HEADERS: '${{ secrets.OTEL_EXPORTER_OTLP_HEADERS }}'
+          GAUZY_GITHUB_CLIENT_ID: '${{ secrets.GAUZY_GITHUB_CLIENT_ID }}'
+          GAUZY_GITHUB_CLIENT_SECRET: '${{ secrets.GAUZY_GITHUB_CLIENT_SECRET }}'
+          GAUZY_GITHUB_APP_PRIVATE_KEY: '${{ secrets.GAUZY_GITHUB_APP_PRIVATE_KEY }}'
+          GAUZY_GITHUB_WEBHOOK_URL: '${{ secrets.GAUZY_GITHUB_WEBHOOK_URL }}'
+          GAUZY_GITHUB_WEBHOOK_SECRET: '${{ secrets.GAUZY_GITHUB_WEBHOOK_SECRET }}'
+          GAUZY_GITHUB_APP_NAME: '${{ secrets.GAUZY_GITHUB_APP_NAME }}'
+          GAUZY_GITHUB_REDIRECT_URL: '${{ secrets.GAUZY_GITHUB_REDIRECT_URL }}'
+          GAUZY_GITHUB_POST_INSTALL_URL: '${{ secrets.GAUZY_GITHUB_POST_INSTALL_URL }}'
+          GAUZY_GITHUB_APP_ID: '${{ secrets.GAUZY_GITHUB_APP_ID }}'
+          GAUZY_GITHUB_OAUTH_CLIENT_ID: '${{ secrets.GAUZY_GITHUB_OAUTH_CLIENT_ID }}'
+          GAUZY_GITHUB_OAUTH_CLIENT_SECRET: '${{ secrets.GAUZY_GITHUB_OAUTH_CLIENT_SECRET }}'
+          GAUZY_GITHUB_OAUTH_CALLBACK_URL: '${{ secrets.GAUZY_GITHUB_OAUTH_CALLBACK_URL }}'
+          JITSU_BROWSER_URL: '${{ secrets.JITSU_BROWSER_URL }}'
+          JITSU_BROWSER_WRITE_KEY: '${{ secrets.JITSU_BROWSER_WRITE_KEY }}'
+          MAGIC_CODE_EXPIRATION_TIME: '${{ secrets.MAGIC_CODE_EXPIRATION_TIME }}'
+          APP_NAME: '${{ secrets.APP_NAME }}'
+          APP_LOGO: '${{ secrets.APP_LOGO }}'
+          APP_SIGNATURE: '${{ secrets.APP_SIGNATURE }}'
+          APP_LINK: '${{ secrets.APP_LINK }}'
+          APP_EMAIL_CONFIRMATION_URL: '${{ secrets.APP_EMAIL_CONFIRMATION_URL }}'
+          APP_MAGIC_SIGN_URL: '${{ secrets.APP_MAGIC_SIGN_URL }}'
+          COMPANY_LINK: '${{ secrets.COMPANY_LINK }}'
+          COMPANY_NAME: '${{ secrets.COMPANY_NAME }}'
+          FEATURE_OPEN_STATS: '${{ vars.FEATURE_OPEN_STATS }}'
 
       # we need this step because for now we just use :latest tag
       # note: for production we will use different strategy later