Add release notes for PR #7384

This reverts commit 2ccdf0f6e8.

.coderabbit.yaml

@@ -1,6 +1,6 @@
 issue_enrichment:
   auto_enrich:
-    enabled: true
+    enabled: false
 reviews:
   request_changes_workflow: true
   review_status: false

.devcontainer/devcontainer.json

@@ -1,7 +1,7 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/docker-existing-docker-compose
 {
-  "name": "Actual Devcontainer",
+  "name": "Actual development",
   "dockerComposeFile": ["../docker-compose.yml", "docker-compose.yml"],
   // Alternatively:
   // "image": "mcr.microsoft.com/devcontainers/typescript-node:0-16",

.github/ISSUE_TEMPLATE/config.yml

@@ -3,6 +3,9 @@ contact_links:
   - name: Bank-sync issues
     url: https://discord.gg/pRYNYr4W5A
     about: Is bank-sync not working? Returning too much or too few information? Reach out to the community on Discord.
+  - name: Support
+    url: https://discord.gg/pRYNYr4W5A
+    about: Need help with something? Having troubles setting up? Or perhaps issues using the API? Reach out to the community on Discord.
   - name: Translations
     url: https://hosted.weblate.org/projects/actualbudget/actual/
     about: Found a string that needs a better translation? Add your suggestion or upvote an existing one in Weblate.

.github/ISSUE_TEMPLATE/tech-support.yml

@@ -1,17 +0,0 @@
-name: Tech Support
-description: Need help with something? Having troubles setting up? Or perhaps issues using the API?
-title: '[Support]: '
-labels: ['tech-support']
-body:
-  - type: markdown
-    attributes:
-      value: |
-        > ⚠️ **Tech support tickets opened here are automatically closed.** GitHub Issues are reserved for bug reports and feature requests. The fastest way to get help is to ask the community on [Discord](https://discord.gg/pRYNYr4W5A) — that's where most of the community lives and can help you in real time.
-  - type: textarea
-    id: problem
-    attributes:
-      label: Describe your problem
-      description: Please describe, in as much detail as you can, what you need help with.
-      placeholder: I'm trying to [...] but [...]
-    validations:
-      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,4 +1,4 @@
-<!-- Thank you for submitting a pull request! Make sure to follow the instructions to write release notes for your PR — it should only take a minute or two: https://actualbudget.org/docs/contributing/#writing-good-release-notes. Try running yarn generate:release-notes *before* pushing your PR for an interactive experience. -->
+<!-- Thank you for submitting a pull request! Make sure to follow the instructions to write release notes for your PR — it should only take a minute or two: https://github.com/actualbudget/docs#writing-good-release-notes. Try running yarn generate:release-notes *before* pushing your PR for an interactive experience. -->
 
 ## Description
 

.github/actions/ai-generated-release-notes/create-release-notes-file.js

@@ -16,19 +16,14 @@ if (!token || !repo || !issueNumber || !summaryDataJson || !category) {
 const [owner, repoName] = repo.split('/');
 const octokit = new Octokit({ auth: token });
 
-const VALID_CATEGORIES = [
-  'Features',
-  'Bugfixes',
-  'Enhancements',
-  'Maintenance',
-];
-const GITHUB_USERNAME_RE =
-  /^[a-zA-Z0-9](?:[a-zA-Z0-9]|-(?=[a-zA-Z0-9])){0,38}$/;
-
 async function createReleaseNotesFile() {
   try {
     const summaryData = JSON.parse(summaryDataJson);
 
+    console.log('Debug - Category value:', category);
+    console.log('Debug - Category type:', typeof category);
+    console.log('Debug - Category JSON stringified:', JSON.stringify(category));
+
     if (!summaryData) {
       console.log('No summary data available, cannot create file');
       return;
@@ -39,62 +34,26 @@ async function createReleaseNotesFile() {
       return;
     }
 
-    // Normalize category - strip surrounding quotes and validate against allow-list
+    // Create file content - ensure category is not quoted
     const cleanCategory =
       typeof category === 'string'
         ? category.replace(/^["']|["']$/g, '')
         : category;
-
-    if (!VALID_CATEGORIES.includes(cleanCategory)) {
-      console.log(
-        `Invalid category "${cleanCategory}". Must be one of: ${VALID_CATEGORIES.join(', ')}`,
-      );
-      return;
-    }
-
-    // Validate author is a plausible GitHub username
-    const author = String(summaryData.author || '');
-    if (!GITHUB_USERNAME_RE.test(author)) {
-      console.log(
-        `Invalid author "${author}", aborting release notes creation`,
-      );
-      return;
-    }
-
-    // Normalize summary: collapse whitespace to a single line so it cannot
-    // introduce extra YAML frontmatter or break the markdown structure.
-    const cleanSummary = String(summaryData.summary || '')
-      .replace(/\s+/g, ' ')
-      .trim();
-    if (!cleanSummary) {
-      console.log('Empty summary, aborting release notes creation');
-      return;
-    }
-
-    // Validate PR number - must be a positive integer. The value comes from
-    // the GitHub API, but we harden it because it's used to build a file path
-    // and a commit message.
-    const validatedPrNumber = Number(summaryData.prNumber);
-    if (!Number.isInteger(validatedPrNumber) || validatedPrNumber <= 0) {
-      console.log(
-        `Invalid PR number "${summaryData.prNumber}", aborting release notes creation`,
-      );
-      return;
-    }
+    console.log('Debug - Clean category:', cleanCategory);
 
     const fileContent = `---
 category: ${cleanCategory}
-authors: [${author}]
+authors: [${summaryData.author}]
 ---
 
-${cleanSummary}
+${summaryData.summary}
 `;
 
-    const fileName = `upcoming-release-notes/${validatedPrNumber}.md`;
+    const fileName = `upcoming-release-notes/${summaryData.prNumber}.md`;
 
-    console.log(
-      `Creating release notes file: ${fileName} (category: ${cleanCategory}, author: ${author})`,
-    );
+    console.log(`Creating release notes file: ${fileName}`);
+    console.log('File content:');
+    console.log(fileContent);
 
     // Get PR info
     const { data: pr } = await octokit.rest.pulls.get({
@@ -116,7 +75,7 @@ ${cleanSummary}
       owner: headOwner,
       repo: headRepo,
       path: fileName,
-      message: `Add release notes for PR #${validatedPrNumber}`,
+      message: `Add release notes for PR #${summaryData.prNumber}`,
       content: Buffer.from(fileContent).toString('base64'),
       branch: prBranch,
       committer: {

.github/actions/ai-generated-release-notes/generate-summary.js

@@ -25,6 +25,8 @@ try {
     process.exit(0);
   }
 
+  console.log('CodeRabbit comment body:', commentBody);
+
   const data = JSON.stringify({
     model: 'gpt-4o-mini',
     messages: [

.github/actions/ai-generated-release-notes/pr-details.js

@@ -39,22 +39,6 @@ async function getPRDetails() {
     console.log('- Base Branch:', pr.base.ref);
     console.log('- Head Branch:', pr.head.ref);
 
-    // Fetch all changed files to detect docs-only PRs
-    const files = await octokit.paginate(octokit.rest.pulls.listFiles, {
-      owner,
-      repo: repoName,
-      pull_number: issueNumber,
-      per_page: 100,
-    });
-
-    const changedFiles = files.map(f => f.filename);
-    const isDocsOnly =
-      changedFiles.length > 0 &&
-      changedFiles.every(file => file.startsWith('packages/docs/'));
-
-    console.log('- Changed Files:', changedFiles.length);
-    console.log('- Is Docs Only:', isDocsOnly);
-
     const result = {
       number: pr.number,
       author: pr.user.login,
@@ -63,31 +47,11 @@ async function getPRDetails() {
       headBranch: pr.head.ref,
     };
 
-    let eligible = true;
-    if (pr.base.ref !== 'master') {
-      console.log(
-        'PR does not target master branch, skipping release notes generation',
-      );
-      eligible = false;
-    } else if (pr.head.ref.startsWith('release/')) {
-      console.log(
-        'PR head branch is a release branch, skipping release notes generation',
-      );
-      eligible = false;
-    } else if (isDocsOnly) {
-      console.log(
-        'PR only changes documentation, skipping release notes generation',
-      );
-      eligible = false;
-    }
-
     setOutput('result', JSON.stringify(result));
-    setOutput('eligible', JSON.stringify(eligible));
   } catch (error) {
     console.log('Error getting PR details:', error.message);
     console.log('Stack:', error.stack);
     setOutput('result', 'null');
-    setOutput('eligible', 'false');
     process.exit(1);
   }
 }
@@ -96,6 +60,5 @@ getPRDetails().catch(error => {
   console.log('Unhandled error:', error.message);
   console.log('Stack:', error.stack);
   setOutput('result', 'null');
-  setOutput('eligible', 'false');
   process.exit(1);
 });

.github/actions/docs-spelling/excludes.txt

@@ -1,16 +1,13 @@
 # See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes
-(?:^|/)(?i).nojekyll
 (?:^|/)(?i)COPYRIGHT
-(?:^|/)(?i)docusaurus.config.js
 (?:^|/)(?i)LICEN[CS]E
-(?:^|/)(?i)README.md
 (?:^|/)3rdparty/
 (?:^|/)go\.sum$
 (?:^|/)package(?:-lock|)\.json$
 (?:^|/)pyproject.toml
 (?:^|/)requirements(?:-dev|-doc|-test|)\.txt$
 (?:^|/)vendor/
-(?:^|/)yarn\.lock$
+ignore$
 \.a$
 \.ai$
 \.avi$
@@ -56,7 +53,6 @@
 \.svgz?$
 \.tar$
 \.tiff?$
-\.tsx$
 \.ttf$
 \.wav$
 \.webm$
@@ -66,12 +62,16 @@
 \.zip$
 ^\.github/actions/spelling/
 ^\.github/ISSUE_TEMPLATE/
-^\.yarn/
-^\Q.github/\E$
 ^\Q.github/workflows/spelling.yml\E$
+^\.yarn/
 ^\Qnode_modules/\E$
 ^\Qsrc/\E$
 ^\Qstatic/\E$
+^\Q.github/\E$
+(?:^|/)package(?:-lock|)\.json$
+(?:^|/)yarn\.lock$
+(?:^|/)(?i)docusaurus.config.js
+(?:^|/)(?i)README.md
+(?:^|/)(?i).nojekyll
 ^\static/
-^packages/docs/docs/releases\.md$
-ignore$
+\.tsx$

.github/actions/docs-spelling/expect.txt

@@ -4,7 +4,6 @@ ABNANL
 Activo
 actualrc
 AESUDEF
-ajv
 ALZEY
 Anglais
 ANZ
@@ -38,13 +37,10 @@ Cetelem
 cimode
 Citi
 Citibank
-claude
 Cloudflare
-CLP
 CMCIFRPAXXX
 COBADEFF
 CODEOWNERS
-Codespaces
 COEP
 commerzbank
 Copiar
@@ -56,7 +52,6 @@ crt
 CZK
 Danske
 datadir
-datamodel
 DATEDIF
 Depositos
 deselection
@@ -86,7 +81,6 @@ Globecard
 GLS
 gocardless
 Grafana
-Gruvbox
 HABAL
 Hampel
 HELADEF
@@ -94,7 +88,6 @@ HLOOKUP
 HUF
 IFERROR
 IFNA
-Ilavenil
 INDUSTRIEL
 INGBPLPW
 Ingo
@@ -132,8 +125,6 @@ Moldovan
 murmurhash
 NETWORKDAYS
 nginx
-nodenext
-nord
 OIDC
 Okabe
 overbudgeted
@@ -141,19 +132,18 @@ overbudgeting
 oxc
 Paribas
 passwordless
-PAYPAL
-picomatch
 pluggyai
 Poste
 PPABPLPK
 prefs
+Primoco
+Priotecs
 proactively
 Qatari
 QNTOFRP
 QONTO
 Raiffeisen
 REGEXREPLACE
-relinking
 revolut
 RIED
 RSchedule
@@ -178,15 +168,13 @@ SWEDBANK
 SWEDNOKK
 Synology
 systemctl
+tada
 taskbar
 templating
 THB
 TIMEFRAME
 touchscreen
 triaging
-tsgo
-tsgolint
-TWD
 UAH
 ubuntu
 undici
@@ -201,6 +189,4 @@ websecure
 WEEKNUM
 Widiba
 WOR
-worktree
 youngcw
-zizmor

.github/actions/release-notes/check/action.yml

@@ -1,17 +0,0 @@
-name: Check release notes
-description: Validate that a PR includes a properly formatted release note file
-
-runs:
-  using: composite
-  steps:
-    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
-      with:
-        node-version: 22
-    - name: Install dependencies
-      shell: bash
-      run: yarn workspaces focus @actual-app/ci-actions
-    - name: Check release notes
-      env:
-        PR_NUMBER: ${{ github.event.pull_request.number }}
-      shell: bash
-      run: node packages/ci-actions/bin/release-notes-check.mjs

.github/actions/release-notes/generate/action.yml

@@ -1,17 +0,0 @@
-name: Generate release notes
-description: Generate release documentation from release note files
-
-runs:
-  using: composite
-  steps:
-    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
-      with:
-        node-version: 22
-    - name: Install dependencies
-      shell: bash
-      run: yarn workspaces focus actual @actual-app/ci-actions
-    - name: Generate release notes
-      shell: bash
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-      run: node packages/ci-actions/bin/release-notes-generate.mjs

.github/actions/setup/action.yml

@@ -10,10 +10,6 @@ inputs:
     description: 'Whether to download translations as part of setup, default true'
     required: false
     default: 'true'
-  cache:
-    description: 'Whether to restore and save dependency and Lage caches, default true'
-    required: false
-    default: 'true'
 
 runs:
   using: composite
@@ -22,7 +18,6 @@ runs:
       uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
       with:
         node-version: 22
-        package-manager-cache: ${{ inputs.cache }}
     - name: Install yarn
       run: npm install -g yarn
       shell: bash
@@ -33,7 +28,6 @@ runs:
       shell: bash
     - name: Cache
       uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-      if: ${{ inputs.cache == 'true' }}
       id: cache
       with:
         path: ${{ format('{0}/**/node_modules', inputs.working-directory) }}
@@ -43,7 +37,6 @@ runs:
       shell: bash
     - name: Cache Lage
       uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-      if: ${{ inputs.cache == 'true' }}
       with:
         path: ${{ format('{0}/.lage', inputs.working-directory) }}
         key: lage-${{ runner.os }}-${{ github.sha }}
@@ -59,9 +52,8 @@ runs:
       with:
         repository: actualbudget/translations
         path: ${{ inputs.working-directory }}/packages/desktop-client/locale
-        persist-credentials: false
-      if: ${{ inputs.download-translations == 'true' && !env.ACT }}
+      if: ${{ inputs.download-translations == 'true' }}
     - name: Remove untranslated languages
       run: packages/desktop-client/bin/remove-untranslated-languages
       shell: bash
-      if: ${{ inputs.download-translations == 'true' && !env.ACT }}
+      if: ${{ inputs.download-translations == 'true' }}

.github/workflows/ai-generated-label.yml

@@ -1,27 +0,0 @@
-name: Add 'AI generated' label to '[AI]' PRs
-
-##########################################################################################
-# This workflow uses the 'pull_request_target' event so it has a token that can add a    #
-# label to PRs from forks. It does NOT check out or execute any code from the PR, so it   #
-# is not vulnerable to the usual 'pull_request_target' code-injection concerns. Keep it   #
-# that way - do not add a checkout step or run any PR-provided scripts here.              #
-##########################################################################################
-
-on:
-  # This workflow never checks out or runs PR code; it only reads the PR title and adds a label.
-  pull_request_target: # zizmor: ignore[dangerous-triggers]
-    types: [opened, reopened, edited]
-
-permissions:
-  pull-requests: write
-
-jobs:
-  add-ai-generated-label:
-    name: Add 'AI generated' label
-    runs-on: ubuntu-latest
-    if: startsWith(github.event.pull_request.title, '[AI]')
-    steps:
-      - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0
-        with:
-          labels: AI generated
-          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ai-generated-release-notes.yml

@@ -18,8 +18,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
@@ -44,7 +42,11 @@ jobs:
           GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
 
       - name: Check if release notes file already exists
-        if: steps.pr-details.outputs.eligible == 'true'
+        if: >-
+          steps.check-first-comment.outputs.result == 'true' &&
+          steps.pr-details.outputs.result != 'null' &&
+          fromJSON(steps.pr-details.outputs.result).baseBranch == 'master' &&
+          !startsWith(fromJSON(steps.pr-details.outputs.result).headBranch, 'release/')
         id: check-release-notes-exists
         run: node .github/actions/ai-generated-release-notes/check-release-notes-exists.js
         env:
@@ -54,7 +56,7 @@ jobs:
           PR_DETAILS: ${{ steps.pr-details.outputs.result }}
 
       - name: Generate summary with OpenAI
-        if: steps.check-release-notes-exists.outputs.result == 'false'
+        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false'
         id: generate-summary
         run: node .github/actions/ai-generated-release-notes/generate-summary.js
         env:
@@ -63,7 +65,7 @@ jobs:
           PR_DETAILS: ${{ steps.pr-details.outputs.result }}
 
       - name: Determine category with OpenAI
-        if: steps.generate-summary.outputs.result != 'null' && steps.generate-summary.outputs.result != ''
+        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false' && steps.generate-summary.outputs.result != 'null'
         id: determine-category
         run: node .github/actions/ai-generated-release-notes/determine-category.js
         env:
@@ -73,7 +75,7 @@ jobs:
           SUMMARY_DATA: ${{ steps.generate-summary.outputs.result }}
 
       - name: Create and commit release notes file via GitHub API
-        if: steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
+        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false' && steps.generate-summary.outputs.result != 'null' && steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
         run: node .github/actions/ai-generated-release-notes/create-release-notes-file.js
         env:
           GITHUB_TOKEN: ${{ secrets.ACTIONS_UPDATE_TOKEN }}
@@ -83,7 +85,7 @@ jobs:
           CATEGORY: ${{ steps.determine-category.outputs.result }}
 
       - name: Comment on PR
-        if: steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
+        if: steps.check-first-comment.outputs.result == 'true' && steps.check-release-notes-exists.outputs.result == 'false' && steps.generate-summary.outputs.result != 'null' && steps.determine-category.outputs.result != 'null' && steps.determine-category.outputs.result != ''
         run: node .github/actions/ai-generated-release-notes/comment-on-pr.js
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/autofix.yml

@@ -16,8 +16,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:

.github/workflows/build.yml

@@ -14,62 +14,40 @@ on:
   pull_request:
   merge_group:
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  setup:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          download-translations: 'false'
-
   api:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
       - name: Build API
-        run: yarn build:api
+        run: cd packages/api && yarn build
       - name: Create package tgz
         run: cd packages/api && yarn pack && mv package.tgz actual-api.tgz
       - name: Prepare bundle stats artifact
         run: cp packages/api/app/stats.json api-stats.json
       - name: Upload Build
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-api
           path: packages/api/actual-api.tgz
       - name: Upload API bundle stats
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: api-build-stats
           path: api-stats.json
 
   crdt:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
@@ -78,48 +56,35 @@ jobs:
         run: cd packages/crdt && yarn build
       - name: Create package tgz
         run: cd packages/crdt && yarn pack && mv package.tgz actual-crdt.tgz
-      - name: Prepare bundle stats artifact
-        run: cp packages/crdt/dist/stats.json crdt-stats.json
       - name: Upload Build
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-crdt
           path: packages/crdt/actual-crdt.tgz
-      - name: Upload CRDT bundle stats
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: crdt-build-stats
-          path: crdt-stats.json
 
   web:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
       - name: Build Web
         run: yarn build:browser
       - name: Upload Build
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-web
           path: packages/desktop-client/build
       - name: Upload Build Stats
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: build-stats
           path: packages/desktop-client/build-stats
 
   cli:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
@@ -131,23 +96,20 @@ jobs:
       - name: Prepare bundle stats artifact
         run: cp packages/cli/dist/stats.json cli-stats.json
       - name: Upload Build
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-cli
           path: packages/cli/actual-cli.tgz
       - name: Upload CLI bundle stats
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: cli-build-stats
           path: cli-stats.json
 
   server:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
@@ -155,7 +117,7 @@ jobs:
       - name: Build Server
         run: yarn workspace @actual-app/sync-server build
       - name: Upload Build
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: sync-server
           path: packages/sync-server/build

.github/workflows/check.yml

@@ -7,48 +7,25 @@ on:
   pull_request:
   merge_group:
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  setup:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          download-translations: 'false'
   constraints:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
       - name: Check dependency version consistency
         run: yarn constraints
-      - name: Check tsconfig project references are in sync
-        run: yarn check:tsconfig-references
   lint:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
@@ -56,12 +33,9 @@ jobs:
       - name: Lint
         run: yarn lint
   typecheck:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
@@ -69,12 +43,9 @@ jobs:
       - name: Typecheck
         run: yarn typecheck
   validate-cli:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
@@ -84,36 +55,21 @@ jobs:
       - name: Check that the built CLI works
         run: node packages/sync-server/build/bin/actual-server.js --version
   test:
-    needs: setup
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
       - name: Test
         run: yarn test
-  check-gh-actions:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
 
   migrations:
-    needs: setup
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:

.github/workflows/codeql.yml

@@ -23,15 +23,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           languages: javascript
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           category: '/language:javascript'

.github/workflows/count-points.yml

@@ -11,19 +11,12 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
-  issues: read
-  pull-requests: read
-
 jobs:
   count-points:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:

.github/workflows/crdt-version-check.yml

@@ -1,48 +0,0 @@
-name: CRDT version bump check
-
-on:
-  pull_request:
-    paths:
-      - 'packages/crdt/**'
-
-permissions:
-  contents: read
-
-jobs:
-  check-version-bump:
-    runs-on: ubuntu-latest
-    name: Ensure @actual-app/crdt version is bumped
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Verify version bump
-        env:
-          BASE_REF: ${{ github.base_ref }}
-        run: |
-          set -euo pipefail
-
-          if ! git cat-file -e "origin/${BASE_REF}:packages/crdt/package.json" 2>/dev/null; then
-            echo "packages/crdt/package.json does not exist on the base branch; skipping."
-            exit 0
-          fi
-
-          BASE_VERSION=$(git show "origin/${BASE_REF}:packages/crdt/package.json" | jq -r .version)
-          HEAD_VERSION=$(jq -r .version packages/crdt/package.json)
-          echo "Base version: $BASE_VERSION"
-          echo "Head version: $HEAD_VERSION"
-
-          if [ "$BASE_VERSION" = "$HEAD_VERSION" ]; then
-            echo "::error file=packages/crdt/package.json::Files in packages/crdt/ were modified but the @actual-app/crdt version was not bumped. Please update the \"version\" field in packages/crdt/package.json."
-            exit 1
-          fi
-
-          HIGHEST=$(printf '%s\n%s\n' "$BASE_VERSION" "$HEAD_VERSION" | sort -V | tail -n1)
-          if [ "$HIGHEST" != "$HEAD_VERSION" ]; then
-            echo "::error file=packages/crdt/package.json::The @actual-app/crdt version ($HEAD_VERSION) must be greater than the base version ($BASE_VERSION)."
-            exit 1
-          fi
-
-          echo "Version bumped from $BASE_VERSION to $HEAD_VERSION."

.github/workflows/cut-release-branch.yml

@@ -1,104 +0,0 @@
-name: Cut release branch
-
-on:
-  schedule:
-    # 17:00 UTC on the 25th of each month
-    - cron: '0 17 25 * *'
-  workflow_dispatch:
-    inputs:
-      ref:
-        description: 'Commit or branch to release'
-        required: true
-        default: 'master'
-      version:
-        description: 'Version number for the release (optional)'
-        required: false
-        default: ''
-      release-date:
-        description: 'Expected release date, YYYY-MM-DD (optional)'
-        required: false
-        default: ''
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  cut-release-branch:
-    runs-on: ubuntu-latest
-    environment: release
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event.inputs.ref || 'master' }}
-          persist-credentials: false
-
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
-          download-translations: 'false'
-
-      - name: Bump package versions
-        id: bump_package_versions
-        shell: bash
-        env:
-          INPUT_VERSION: ${{ github.event.inputs.version }}
-        run: |
-          declare -A packages=(
-            [web]="desktop-client"
-            [electron]="desktop-electron"
-            [sync]="sync-server"
-            [api]="api"
-            [cli]="cli"
-            [core]="loot-core"
-          )
-          declare -A new_versions
-
-          for key in "${!packages[@]}"; do
-            pkg="${packages[$key]}"
-
-            if [[ -n "$INPUT_VERSION" ]]; then
-              version=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts \
-                --package-json "./packages/$pkg/package.json" \
-                --version "$INPUT_VERSION" \
-                --update)
-            else
-              version=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts \
-                --package-json "./packages/$pkg/package.json" \
-                --type auto \
-                --update)
-            fi
-
-            new_versions[$key]="$version"
-          done
-
-          echo "version=${new_versions[web]}" >> "$GITHUB_OUTPUT"
-
-      - name: Compute release date
-        id: release_date
-        shell: bash
-        env:
-          INPUT_DATE: ${{ github.event.inputs['release-date'] }}
-        run: |
-          if [[ -n "$INPUT_DATE" ]]; then
-            echo "date=$INPUT_DATE" >> "$GITHUB_OUTPUT"
-          else
-            # default to the 1st of next month
-            echo "date=$(date -d '+1 month' '+%Y-%m-01')" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Create release branch and PR
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
-        with:
-          token: ${{ secrets.ACTIONS_UPDATE_TOKEN }}
-          commit-message: '🔖 (${{ steps.bump_package_versions.outputs.version }})'
-          title: '🔖 (${{ steps.bump_package_versions.outputs.version }})'
-          body: |
-            Generated by [cut-release-branch.yml](../tree/master/.github/workflows/cut-release-branch.yml)
-
-            <!-- release-date:${{ steps.release_date.outputs.date }} -->
-          branch: 'release/${{ steps.bump_package_versions.outputs.version }}'
-          base: master

.github/workflows/docker-edge.yml

@@ -32,14 +32,11 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || !github.event.repository.fork
     name: Build Docker image
     runs-on: ubuntu-latest
-    environment: release
     strategy:
       matrix:
         os: [ubuntu, alpine]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
@@ -57,14 +54,14 @@ jobs:
           tags: ${{ env.TAGS }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         if: github.event_name != 'pull_request' && !github.event.repository.fork
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         if: github.event_name != 'pull_request'
         with:
           registry: ghcr.io
@@ -75,14 +72,11 @@ jobs:
       # This is faster and avoids yarn memory issues
       - name: Set up environment
         uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
       - name: Build Web
         run: yarn build:server
 
       - name: Build image for testing
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           push: false
@@ -91,20 +85,15 @@ jobs:
           tags: actualbudget/actual-server-testing
 
       - name: Test that the docker image boots
-        timeout-minutes: 1
         run: |
-          docker run --detach --network=host --name actual-server actualbudget/actual-server-testing
-          HEALTHCMD=$(yq -r '.services.actual_server.healthcheck.test[1]' packages/sync-server/docker-compose.yml)
-          until docker exec actual-server sh -c "$HEALTHCMD"; do sleep 1; done
-
-      - name: Dump container logs on failure
-        if: failure()
-        run: docker logs actual-server || true
+          docker run --detach --network=host actualbudget/actual-server-testing
+          sleep 10
+          curl --fail -sS -LI -w '%{http_code}\n' --retry 20 --retry-delay 1 --retry-connrefused localhost:5006
 
       # This will use the cache from the earlier build step and not rebuild the image
       # https://docs.docker.com/build/ci/github-actions/test-before-push/
       - name: Build and push images
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

.github/workflows/docker-release.yml

@@ -23,19 +23,12 @@ env:
   TAGS: |
     type=semver,pattern={{version}}
 
-permissions:
-  contents: read
-  packages: write
-
 jobs:
   build:
     name: Build Docker image
     runs-on: ubuntu-latest
-    environment: release
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
@@ -65,13 +58,13 @@ jobs:
           tags: ${{ env.TAGS }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -81,31 +74,11 @@ jobs:
       # This is faster and avoids yarn memory issues
       - name: Set up environment
         uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
       - name: Build Web
         run: yarn build:server
 
-      - name: Build ubuntu image for testing
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          push: false
-          load: true
-          file: packages/sync-server/docker/ubuntu.Dockerfile
-          tags: actualbudget/actual-server-testing
-
-      - name: Test that the ubuntu image boots
-        timeout-minutes: 1
-        run: |
-          docker rm -f actual-server 2>/dev/null || true
-          docker run --detach --network=host --name actual-server actualbudget/actual-server-testing
-          HEALTHCMD=$(yq -r '.services.actual_server.healthcheck.test[1]' packages/sync-server/docker-compose.yml)
-          until docker exec actual-server sh -c "$HEALTHCMD"; do sleep 1; done
-
       - name: Build and push ubuntu image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           push: true
@@ -113,32 +86,11 @@ jobs:
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           tags: ${{ steps.meta.outputs.tags }}
 
-      - name: Build alpine image for testing
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          push: false
-          load: true
-          file: packages/sync-server/docker/alpine.Dockerfile
-          tags: actualbudget/actual-server-testing
-
-      - name: Test that the alpine image boots
-        timeout-minutes: 1
-        run: |
-          docker rm -f actual-server 2>/dev/null || true
-          docker run --detach --network=host --name actual-server actualbudget/actual-server-testing
-          HEALTHCMD=$(yq -r '.services.actual_server.healthcheck.test[1]' packages/sync-server/docker-compose.yml)
-          until docker exec actual-server sh -c "$HEALTHCMD"; do sleep 1; done
-
       - name: Build and push alpine image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           push: true
           file: packages/sync-server/docker/alpine.Dockerfile
           platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
           tags: ${{ steps.alpine-meta.outputs.tags }}
-
-      - name: Dump container logs on failure
-        if: failure()
-        run: docker logs actual-server || true

.github/workflows/docs-spelling.yml

@@ -79,12 +79,12 @@ jobs:
     steps:
       - name: check-spelling
         id: spelling
-        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
+        uses: check-spelling/check-spelling@main
         with:
           suppress_push_for_open_pull_request: 1
           checkout: true
           check_file_names: 1
-          spell_check_this: check-spelling/spell-check-this@92453f59cac8985482dfc301a8ece4c6d7de8a0c # prerelease
+          spell_check_this: check-spelling/spell-check-this@prerelease
           post_comment: 0
           use_magic_file: 1
           experimental_apply_changes_via_bot: 1
@@ -114,10 +114,10 @@ jobs:
     if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
     steps:
       - name: comment
-        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
+        uses: check-spelling/check-spelling@main
         with:
           checkout: true
-          spell_check_this: check-spelling/spell-check-this@92453f59cac8985482dfc301a8ece4c6d7de8a0c # prerelease
+          spell_check_this: check-spelling/spell-check-this@prerelease
           task: ${{ needs.spelling.outputs.followup }}
           config: .github/actions/docs-spelling
 
@@ -131,10 +131,10 @@ jobs:
     if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
     steps:
       - name: comment
-        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
+        uses: check-spelling/check-spelling@main
         with:
           checkout: true
-          spell_check_this: check-spelling/spell-check-this@92453f59cac8985482dfc301a8ece4c6d7de8a0c # prerelease
+          spell_check_this: check-spelling/spell-check-this@prerelease
           task: ${{ needs.spelling.outputs.followup }}
           experimental_apply_changes_via_bot: 1
           config: .github/actions/docs-spelling
@@ -156,7 +156,7 @@ jobs:
       cancel-in-progress: false
     steps:
       - name: apply spelling updates
-        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # main
+        uses: check-spelling/check-spelling@main
         with:
           experimental_apply_changes_via_bot: 1
           checkout: true

.github/workflows/e2e-test.yml

@@ -17,80 +17,32 @@ on:
 env:
   GITHUB_PR_NUMBER: ${{github.event.pull_request.number}}
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  build-web:
-    name: Build web bundle
-    runs-on: ubuntu-latest
-    container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          download-translations: 'false'
-      - name: Trust the repository directory
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - name: Build browser bundle
-        # REACT_APP_NETLIFY=true flips isNonProductionEnvironment() on in the
-        # bundle so the "Create test file" button (used by every e2e beforeEach
-        # via ConfigurationPage.createTestFile()) is still rendered in a
-        # production build. Without it, e2e tests would time out waiting for
-        # a button that was tree-shaken out.
-        # --skip-translations keeps VRT screenshots deterministic by rendering
-        # source-code English instead of upstream Weblate en.json (which can
-        # drift between snapshot capture and test runs).
-        env:
-          REACT_APP_NETLIFY: 'true'
-        run: yarn build:browser --skip-translations
-      - name: Upload build artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: desktop-client-build
-          path: packages/desktop-client/build/
-          retention-days: 1
-          overwrite: true
-
   functional:
-    name: Functional (shard ${{ matrix.shard }}/3)
+    name: Functional (shard ${{ matrix.shard }}/5)
     runs-on: ubuntu-latest
-    needs: build-web
     strategy:
       fail-fast: false
       matrix:
-        shard: [1, 2, 3]
+        shard: [1, 2, 3, 4, 5]
     container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
-    env:
-      E2E_USE_BUILD: '1'
+      image: mcr.microsoft.com/playwright:v1.58.2-jammy
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
       - name: Trust the repository directory
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - name: Download web build
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: desktop-client-build
-          path: packages/desktop-client/build/
       - name: Run E2E Tests
-        run: yarn e2e --shard=${{ matrix.shard }}/3
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        if: failure()
+        run: yarn e2e --shard=${{ matrix.shard }}/5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        if: always()
         with:
           name: desktop-client-test-results-shard-${{ matrix.shard }}
           path: packages/desktop-client/test-results/
@@ -101,27 +53,19 @@ jobs:
     name: Functional Desktop App
     runs-on: ubuntu-latest
     container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
+      image: mcr.microsoft.com/playwright:v1.58.2-jammy
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
       - name: Trust the repository directory
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-      # Build tools are needed to rebuild native modules like better-sqlite3 used by the Desktop app, which is required to run E2E tests on the Desktop app.
-      - name: Install build tools
-        run: apt-get update && apt-get install -y build-essential python3
-
       - name: Run Desktop app E2E Tests
         run: |
-          yarn rebuild-electron
           xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: always()
         with:
           name: desktop-app-test-results
@@ -130,35 +74,23 @@ jobs:
           overwrite: true
 
   vrt:
-    name: Visual regression (shard ${{ matrix.shard }}/3)
+    name: Visual regression (shard ${{ matrix.shard }}/5)
     runs-on: ubuntu-latest
-    needs: build-web
     strategy:
       fail-fast: false
       matrix:
-        shard: [1, 2, 3]
+        shard: [1, 2, 3, 4, 5]
     container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
-    env:
-      E2E_USE_BUILD: '1'
+      image: mcr.microsoft.com/playwright:v1.58.2-jammy
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
-      - name: Trust the repository directory
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - name: Download web build
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: desktop-client-build
-          path: packages/desktop-client/build/
       - name: Run VRT Tests
-        run: yarn vrt --shard=${{ matrix.shard }}/3
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        run: yarn vrt --shard=${{ matrix.shard }}/5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: always()
         with:
           name: vrt-blob-report-${{ matrix.shard }}
@@ -172,11 +104,9 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ !cancelled() }}
     container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
+      image: mcr.microsoft.com/playwright:v1.58.2-jammy
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
       - name: Download all blob reports
@@ -188,7 +118,7 @@ jobs:
       - name: Merge reports
         id: merge-reports
         run: yarn workspace @actual-app/web run playwright merge-reports --reporter html ./all-blob-reports
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         id: playwright-report-vrt
         with:
           name: html-report--attempt-${{ github.run_attempt }}
@@ -199,16 +129,12 @@ jobs:
         if: github.event_name == 'pull_request'
         run: |
           mkdir -p vrt-metadata
-          echo "${PR_NUMBER}" > vrt-metadata/pr-number.txt
-          echo "${VRT_RESULT}" > vrt-metadata/vrt-result.txt
-          echo "${STEPS_PLAYWRIGHT_REPORT_VRT_OUTPUTS_ARTIFACT_URL}" > vrt-metadata/artifact-url.txt
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          STEPS_PLAYWRIGHT_REPORT_VRT_OUTPUTS_ARTIFACT_URL: ${{ steps.playwright-report-vrt.outputs.artifact-url }}
-          VRT_RESULT: ${{ needs.vrt.result }}
+          echo "${{ github.event.pull_request.number }}" > vrt-metadata/pr-number.txt
+          echo "${{ needs.vrt.result }}" > vrt-metadata/vrt-result.txt
+          echo "${{ steps.playwright-report-vrt.outputs.artifact-url }}" > vrt-metadata/artifact-url.txt
       - name: Upload VRT metadata
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: vrt-comment-metadata
           path: vrt-metadata/

.github/workflows/e2e-vrt-comment.yml

@@ -53,7 +53,7 @@ jobs:
 
       - name: Comment on PR with VRT report link
         if: steps.metadata.outputs.should_comment == 'true'
-        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3.0.2
         with:
           number: ${{ steps.metadata.outputs.pr_number }}
           header: vrt-comment

.github/workflows/electron-master.yml

@@ -21,9 +21,7 @@ jobs:
     # this is so the assets can be added to the release
     permissions:
       contents: write
-    environment: release
     strategy:
-      fail-fast: false
       matrix:
         os:
           - ubuntu-22.04
@@ -32,8 +30,6 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - if: ${{ startsWith(matrix.os, 'windows') }}
         run: pip.exe install setuptools
       - if: ${{ ! startsWith(matrix.os, 'windows') }}
@@ -60,16 +56,11 @@ jobs:
 
           METAINFO_FILE="packages/desktop-electron/extra-resources/linux/com.actualbudget.actual.metainfo.xml"
           TODAY=$(date +%Y-%m-%d)
-          VERSION=${STEPS_PROCESS_VERSION_OUTPUTS_VERSION}
+          VERSION=${{ steps.process_version.outputs.version }}
           sed -i "s/%RELEASE_VERSION%/$VERSION/g; s/%RELEASE_DATE%/$TODAY/g" "$METAINFO_FILE"
           flatpak run --command=flatpak-builder-lint org.flatpak.Builder appstream "$METAINFO_FILE"
-        env:
-          STEPS_PROCESS_VERSION_OUTPUTS_VERSION: ${{ steps.process_version.outputs.version }}
       - name: Set up environment
         uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
       - name: Build Electron for Mac
         if: ${{ startsWith(matrix.os, 'macos') }}
         run: ./bin/package-electron
@@ -83,7 +74,7 @@ jobs:
         if: ${{ ! startsWith(matrix.os, 'macos') }}
         run: ./bin/package-electron
       - name: Upload Build
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-electron-${{ matrix.os }}
           path: |
@@ -94,7 +85,7 @@ jobs:
             packages/desktop-electron/dist/*.flatpak
       - name: Upload Windows Store Build
         if: ${{ startsWith(matrix.os, 'windows') }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-electron-${{ matrix.os }}-appx
           path: |
@@ -120,7 +111,48 @@ jobs:
             !packages/desktop-electron/dist/Actual-windows.exe
             packages/desktop-electron/dist/*.AppImage
             packages/desktop-electron/dist/*.flatpak
-            packages/desktop-electron/dist/*.appx
 
     outputs:
       version: ${{ steps.process_version.outputs.version }}
+
+  publish-microsoft-store:
+    needs: build
+    runs-on: windows-latest
+    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
+    steps:
+      - name: Install StoreBroker
+        shell: powershell
+        run: |
+          Install-Module -Name StoreBroker -AcceptLicense -Force -Scope CurrentUser -Verbose
+
+      - name: Download Microsoft Store artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: actual-electron-windows-latest-appx
+
+      - name: Submit to Microsoft Store
+        shell: powershell
+        run: |
+          # Disable telemetry
+          $global:SBDisableTelemetry = $true
+
+          # Authenticate against the store
+          $pass = ConvertTo-SecureString -String '${{ secrets.MICROSOFT_STORE_CLIENT_SECRET }}' -AsPlainText -Force
+          $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ${{ secrets.MICROSOFT_STORE_CLIENT_ID }},$pass
+          Set-StoreBrokerAuthentication -TenantId '${{ secrets.MICROSOFT_STORE_TENANT_ID }}' -Credential $cred
+
+          # Zip and create metadata files
+          $artifacts = Get-ChildItem -Path . -Filter *.appx | Select-Object -ExpandProperty FullName
+          New-StoreBrokerConfigFile -Path "$PWD/config.json" -AppId ${{ secrets.MICROSOFT_STORE_PRODUCT_ID }}
+          New-SubmissionPackage -ConfigPath "$PWD/config.json" -DisableAutoPackageNameFormatting -AppxPath $artifacts -OutPath "$PWD" -OutName submission
+
+          # Submit the app
+          # See https://github.com/microsoft/StoreBroker/blob/master/Documentation/USAGE.md#the-easy-way
+          Update-ApplicationSubmission `
+            -AppId ${{ secrets.MICROSOFT_STORE_PRODUCT_ID }} `
+            -SubmissionDataPath "submission.json" `
+            -PackagePath "submission.zip" `
+            -ReplacePackages `
+            -NoStatus `
+            -AutoCommit `
+            -Force

.github/workflows/electron-pr.yml

@@ -19,9 +19,6 @@ on:
       - '!packages/docs/**' # Docs changes don't affect Electron
       - '!packages/eslint-plugin-actual/**' # Eslint plugin changes don't affect Electron
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
@@ -29,7 +26,6 @@ concurrency:
 jobs:
   build:
     strategy:
-      fail-fast: false
       matrix:
         os:
           - ubuntu-22.04
@@ -38,8 +34,6 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - if: ${{ startsWith(matrix.os, 'windows') }}
         run: pip.exe install setuptools
       - if: ${{ ! startsWith(matrix.os, 'windows') }}
@@ -71,56 +65,56 @@ jobs:
         run: ./bin/package-electron
 
       - name: Upload Linux x64 AppImage
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-linux-x86_64.AppImage
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-linux-x86_64.AppImage
 
       - name: Upload Linux arm64 AppImage
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-linux-arm64.AppImage
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-linux-arm64.AppImage
 
       - name: Upload Linux x64 flatpak
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-linux-x86_64.flatpak
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-linux-x86_64.flatpak
 
       - name: Upload Windows x32 exe
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-windows-ia32.exe
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-windows-ia32.exe
 
       - name: Upload Windows x64 exe
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-windows-x64.exe
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-windows-x64.exe
 
       - name: Upload Windows arm64 exe
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-windows-arm64.exe
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-windows-arm64.exe
 
       - name: Upload Mac x64 dmg
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-mac-x64.dmg
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-mac-x64.dmg
 
       - name: Upload Mac arm64 dmg
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-mac-arm64.dmg
           if-no-files-found: ignore
@@ -128,7 +122,7 @@ jobs:
 
       - name: Upload Windows Store Build
         if: ${{ startsWith(matrix.os, 'windows') }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-electron-${{ matrix.os }}-appx
           path: |

.github/workflows/fork-pr-welcome.yml

@@ -25,7 +25,7 @@ jobs:
     if: github.event.pull_request.head.repo.full_name != github.repository
     steps:
       - name: Post welcome comment
-        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3.0.2
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           number: ${{ github.event.pull_request.number }}

.github/workflows/generate-release-pr.yml

@@ -0,0 +1,64 @@
+name: Generate release PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Commit or branch to release'
+        required: true
+        default: 'master'
+      version:
+        description: 'Version number for the release (optional)'
+        required: false
+        default: ''
+
+jobs:
+  generate-release-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.inputs.ref }}
+      - name: Set up environment
+        uses: ./.github/actions/setup
+        with:
+          download-translations: 'false'
+      - name: Bump package versions
+        id: bump_package_versions
+        shell: bash
+        run: |
+          declare -A packages=(
+            [web]="desktop-client"
+            [electron]="desktop-electron"
+            [sync]="sync-server"
+            [api]="api"
+          )
+
+          for key in "${!packages[@]}"; do
+            pkg="${packages[$key]}"
+
+            if [[ -n "${{ github.event.inputs.version }}" ]]; then
+              version=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts \
+                --package-json "./packages/$pkg/package.json" \
+                --version "${{ github.event.inputs.version }}" \
+                --update)
+            else
+              version=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts \
+                --package-json "./packages/$pkg/package.json" \
+                --type auto \
+                --update)
+            fi
+
+            eval "NEW_${key^^}_VERSION=\"$version\""
+          done
+
+          echo "version=$NEW_WEB_VERSION" >> "$GITHUB_OUTPUT"
+      - name: Create PR
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          token: ${{ secrets.ACTIONS_UPDATE_TOKEN }}
+          commit-message: '🔖 (${{ steps.bump_package_versions.outputs.version }})'
+          title: '🔖 (${{ steps.bump_package_versions.outputs.version }})'
+          body: 'Generated by [generate-release-pr.yml](../tree/master/.github/workflows/generate-release-pr.yml)'
+          branch: 'release/v${{ steps.bump_package_versions.outputs.version }}'

.github/workflows/i18n-string-extract-master.yml

@@ -6,9 +6,6 @@ on:
     - cron: '0 4 * * *'
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   extract-and-upload-i18n-strings:
     runs-on: ubuntu-latest
@@ -18,7 +15,6 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: actual
-          persist-credentials: false
       - name: Set up environment
         uses: ./actual/.github/actions/setup
         with:
@@ -31,23 +27,12 @@ jobs:
       - name: Configure i18n client
         run: |
           pip install wlc
-      - name: Configure Weblate API credentials
-        env:
-          WEBLATE_API_KEY: ${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}
-        run: |
-          # Write the API key to wlc's config file instead of passing it on
-          # the command line, so the secret doesn't appear in process listings.
-          mkdir -p "$HOME/.config"
-          umask 077
-          cat > "$HOME/.config/weblate" <<EOF
-          [keys]
-          https://hosted.weblate.org/api/ = ${WEBLATE_API_KEY}
-          EOF
 
       - name: Lock translations
         run: |
           wlc \
             --url https://hosted.weblate.org/api/ \
+            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
             lock \
             actualbudget/actual
 
@@ -55,6 +40,7 @@ jobs:
         run: |
           wlc \
             --url https://hosted.weblate.org/api/ \
+            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
             push \
             actualbudget/actual
       - name: Check out updated translations
@@ -63,8 +49,6 @@ jobs:
           ssh-key: ${{ secrets.STRING_IMPORT_DEPLOY_KEY }}
           repository: actualbudget/translations
           path: translations
-          # Need to be able to push back extracted strings
-          persist-credentials: true
       - name: Generate i18n strings
         working-directory: actual
         run: |
@@ -89,6 +73,7 @@ jobs:
         run: |
           wlc \
             --url https://hosted.weblate.org/api/ \
+            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
             pull \
             actualbudget/actual
 
@@ -97,5 +82,6 @@ jobs:
         run: |
           wlc \
             --url https://hosted.weblate.org/api/ \
+            --key "${{ secrets.WEBLATE_API_KEY_CI_STRINGS }}" \
             unlock \
             actualbudget/actual

.github/workflows/issues-close-feature-requests.yml

@@ -4,9 +4,6 @@ on:
   issues:
     types: [labeled]
 
-permissions:
-  issues: write
-
 jobs:
   needs-votes:
     if: ${{ github.event.label.name == 'feature' }}

.github/workflows/issues-close-tech-support.yml

@@ -1,26 +0,0 @@
-name: Close tech support issues with automated message
-
-on:
-  issues:
-    types: [labeled]
-
-permissions:
-  issues: write
-
-jobs:
-  tech-support:
-    if: ${{ github.event.label.name == 'tech-support' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create comment and close issue
-        run: |
-          gh issue comment "$ISSUE_URL" --body ":wave: Thanks for reaching out!
-
-          GitHub Issues are reserved for bug reports and feature requests, so tech support tickets are automatically closed. The fastest way to get help is to ask the community on [Discord](https://discord.gg/pRYNYr4W5A) — that's where most of the community lives and can help you in real time.
-
-          <!-- tech-support-auto-close-comment -->"
-
-          gh issue close "$ISSUE_URL"
-        env:
-          ISSUE_URL: https://github.com/actualbudget/actual/issues/${{ github.event.issue.number }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/issues-feature-implemented.yml

@@ -25,8 +25,6 @@ jobs:
     steps:
       # This is not a security concern because we have approved & merged the PR
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 22

.github/workflows/issues-remove-help-wanted.yml

@@ -4,9 +4,6 @@ on:
   issues:
     types: [closed]
 
-permissions:
-  issues: write
-
 jobs:
   remove-help-wanted:
     if: ${{ !contains(github.event.issue.labels.*.name, 'feature') && contains(github.event.issue.labels.*.name, 'help wanted') }}

.github/workflows/merge-freeze-unfreeze.yml

@@ -0,0 +1,37 @@
+# When the "unfreeze" label is added to a PR, add that PR to Merge Freeze's unblocked list
+# so it can be merged during a freeze. Uses pull_request_target so the workflow runs in
+# the base repo and has access to MERGEFREEZE_ACCESS_TOKEN for fork PRs; it does not
+# checkout or run any PR code. Requires MERGEFREEZE_ACCESS_TOKEN repo secret
+# (project-specific token from Merge Freeze Web API panel for actualbudget/actual / master).
+# See: https://docs.mergefreeze.com/web-api#post-freeze-status
+
+name: Merge Freeze – add PR to unblocked list
+
+on:
+  pull_request_target:
+    types: [labeled]
+
+jobs:
+  unfreeze:
+    if: ${{ github.event.label.name == 'unfreeze' }}
+    runs-on: ubuntu-latest
+    permissions: {}
+    concurrency:
+      group: merge-freeze-unfreeze-${{ github.ref }}-labels
+      cancel-in-progress: false
+    steps:
+      - name: POST to Merge Freeze – add PR to unblocked list
+        env:
+          MERGEFREEZE_ACCESS_TOKEN: ${{ secrets.MERGEFREEZE_ACCESS_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          USER_NAME: ${{ github.actor }}
+        run: |
+          set -e
+          if [ -z "$MERGEFREEZE_ACCESS_TOKEN" ]; then
+            echo "::error::MERGEFREEZE_ACCESS_TOKEN secret is not set"
+            exit 1
+          fi
+          url="https://www.mergefreeze.com/api/branches/actualbudget/actual/master/?access_token=${MERGEFREEZE_ACCESS_TOKEN}"
+          payload=$(jq -n --arg user_name "$USER_NAME" --argjson pr "$PR_NUMBER" '{frozen: true, user_name: $user_name, unblocked_prs: [$pr]}')
+          curl -sf -X POST "$url" -H "Content-Type: application/json" -d "$payload"
+          echo "Merge Freeze updated: PR #$PR_NUMBER added to unblocked list."

.github/workflows/netlify-release.yml

@@ -12,9 +12,6 @@ on:
     tags:
       - v**
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -22,18 +19,12 @@ concurrency:
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
-    environment: release
     steps:
       - name: Repository Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
 
       - name: Set up environment
         uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
 
       - name: Install Netlify
         run: npm install netlify-cli@17.10.1 -g
@@ -43,11 +34,10 @@ jobs:
 
       - name: Deploy to Netlify
         id: netlify_deploy
-        env:
-          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_API_TOKEN }}
         run: |
           netlify deploy \
             --dir packages/desktop-client/build \
+            --site ${{ secrets.NETLIFY_SITE_ID }} \
+            --auth ${{ secrets.NETLIFY_API_TOKEN }} \
             --filter @actual-app/web \
             --prod

.github/workflows/nightly-theme-catalog-scan.yml

@@ -1,47 +0,0 @@
-name: Nightly theme catalog scan
-
-on:
-  schedule:
-    # 05:15 UTC daily — runs after the i18n extract job (04:00) and well
-    # before the nightly Electron/npm publishes (00:00 UTC the next day).
-    - cron: '15 5 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  validate-theme-catalog:
-    name: Validate custom theme catalog
-    runs-on: ubuntu-latest
-    if: github.repository == 'actualbudget/actual'
-    timeout-minutes: 10
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          download-translations: 'false'
-      - name: Validate themes
-        run: yarn workspace @actual-app/web validate:theme-catalog
-
-  notify-failure:
-    name: Notify Discord on failure
-    needs: validate-theme-catalog
-    if: failure() && github.repository == 'actualbudget/actual'
-    runs-on: ubuntu-latest
-    environment: nightly-alerts
-    timeout-minutes: 5
-    steps:
-      - name: Notify Discord
-        uses: sarisia/actions-status-discord@eb045afee445dc055c18d3d90bd0f244fd062708 # v1.16.0
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_URL }}
-          status: Failure
-          title: Nightly theme catalog scan failed
-          description: The nightly scan failed. One or more themes may be broken, or the scan itself did not complete.
-          username: Actual Nightly
-          nofail: true

.github/workflows/publish-crdt.yml

@@ -1,86 +0,0 @@
-name: Publish @actual-app/crdt
-
-# Automatically publishes @actual-app/crdt when its package.json version
-# changes on master (typically via a merged PR that bumped the version).
-on:
-  push:
-    branches:
-      - master
-    paths:
-      - 'packages/crdt/package.json'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: publish-crdt
-  cancel-in-progress: false
-
-jobs:
-  check-version:
-    runs-on: ubuntu-latest
-    name: Check if publish is needed
-    outputs:
-      should-publish: ${{ steps.check.outputs.should-publish }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Compare local version against npm registry
-        id: check
-        run: |
-          set -euo pipefail
-
-          LOCAL_VERSION=$(jq -r .version packages/crdt/package.json)
-          echo "Local version: $LOCAL_VERSION"
-
-          PUBLISHED_VERSION=$(npm view @actual-app/crdt version 2>/dev/null || echo "")
-          echo "Published version: ${PUBLISHED_VERSION:-<none>}"
-
-          if [ "$LOCAL_VERSION" = "$PUBLISHED_VERSION" ]; then
-            echo "Versions match - nothing to publish."
-            echo "should-publish=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "Version changed - publish required."
-            echo "should-publish=true" >> "$GITHUB_OUTPUT"
-          fi
-
-  publish:
-    needs: check-version
-    if: needs.check-version.outputs.should-publish == 'true'
-    runs-on: ubuntu-latest
-    name: Publish @actual-app/crdt to npm
-    permissions:
-      contents: read
-      id-token: write # Required for npm OIDC provenance
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
-          download-translations: 'false'
-
-      - name: Build @actual-app/crdt
-        run: yarn workspace @actual-app/crdt build
-
-      - name: Pack @actual-app/crdt
-        run: yarn workspace @actual-app/crdt pack --filename @actual-app/crdt.tgz
-
-      - name: Setup node and npm registry
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
-        with:
-          node-version: 24
-          check-latest: true
-          # Avoid restoring potentially poisoned caches in release jobs.
-          package-manager-cache: false
-          registry-url: 'https://registry.npmjs.org'
-
-      - name: Publish to npm
-        run: npm publish packages/crdt/@actual-app/crdt.tgz --access public --provenance

.github/workflows/publish-flathub.yml

@@ -18,13 +18,9 @@ concurrency:
   group: publish-flathub
   cancel-in-progress: false
 
-permissions:
-  contents: read
-
 jobs:
   publish-flathub:
     runs-on: ubuntu-22.04
-    environment: release
     steps:
       - name: Resolve version
         id: resolve_version
@@ -58,9 +54,8 @@ jobs:
       - name: Verify release assets exist
         env:
           GH_TOKEN: ${{ github.token }}
-          STEPS_RESOLVE_VERSION_OUTPUTS_TAG: ${{ steps.resolve_version.outputs.tag }}
         run: |
-          TAG="${STEPS_RESOLVE_VERSION_OUTPUTS_TAG}"
+          TAG="${{ steps.resolve_version.outputs.tag }}"
 
           echo "Checking release assets for tag $TAG..."
           ASSETS=$(gh api "repos/${{ github.repository }}/releases/tags/$TAG" --jq '.assets[].name')
@@ -82,7 +77,7 @@ jobs:
 
       - name: Calculate AppImage SHA256 (streamed)
         run: |
-          VERSION="${STEPS_RESOLVE_VERSION_OUTPUTS_VERSION}"
+          VERSION="${{ steps.resolve_version.outputs.version }}"
           BASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}"
 
           echo "Streaming x86_64 AppImage to compute SHA256..."
@@ -95,35 +90,30 @@ jobs:
 
           echo "APPIMAGE_X64_SHA256=$APPIMAGE_X64_SHA256" >> "$GITHUB_ENV"
           echo "APPIMAGE_ARM64_SHA256=$APPIMAGE_ARM64_SHA256" >> "$GITHUB_ENV"
-        env:
-          STEPS_RESOLVE_VERSION_OUTPUTS_VERSION: ${{ steps.resolve_version.outputs.version }}
 
       - name: Checkout Flathub repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: flathub/com.actualbudget.actual
           token: ${{ secrets.FLATHUB_GITHUB_TOKEN }}
-          persist-credentials: false
 
       - name: Update manifest with new version
         run: |
-          VERSION="${STEPS_RESOLVE_VERSION_OUTPUTS_VERSION}"
+          VERSION="${{ steps.resolve_version.outputs.version }}"
 
           # Replace x86_64 entry
-          sed -i "/x86_64.AppImage/{n;s|sha256:.*|sha256: ${APPIMAGE_X64_SHA256}|}" com.actualbudget.actual.yml
+          sed -i "/x86_64.AppImage/{n;s|sha256:.*|sha256: ${{ env.APPIMAGE_X64_SHA256 }}|}" com.actualbudget.actual.yml
           sed -i "/x86_64.AppImage/s|url:.*|url: https://github.com/actualbudget/actual/releases/download/v${VERSION}/Actual-linux-x86_64.AppImage|" com.actualbudget.actual.yml
 
           # Replace arm64 entry
-          sed -i "/arm64.AppImage/{n;s|sha256:.*|sha256: ${APPIMAGE_ARM64_SHA256}|}" com.actualbudget.actual.yml
+          sed -i "/arm64.AppImage/{n;s|sha256:.*|sha256: ${{ env.APPIMAGE_ARM64_SHA256 }}|}" com.actualbudget.actual.yml
           sed -i "/arm64.AppImage/s|url:.*|url: https://github.com/actualbudget/actual/releases/download/v${VERSION}/Actual-linux-arm64.AppImage|" com.actualbudget.actual.yml
 
           echo "Updated manifest:"
           cat com.actualbudget.actual.yml
-        env:
-          STEPS_RESOLVE_VERSION_OUTPUTS_VERSION: ${{ steps.resolve_version.outputs.version }}
 
       - name: Create PR in Flathub repo
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           token: ${{ secrets.FLATHUB_GITHUB_TOKEN }}
           commit-message: 'Update Actual flatpak to version ${{ steps.resolve_version.outputs.version }}'

.github/workflows/publish-microsoft-store.yml

@@ -1,116 +0,0 @@
-name: Publish Microsoft Store
-
-defaults:
-  run:
-    shell: bash
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Release tag (e.g. v25.3.0)'
-        required: true
-        type: string
-
-concurrency:
-  group: publish-microsoft-store
-  cancel-in-progress: false
-
-permissions:
-  contents: read
-
-jobs:
-  publish-microsoft-store:
-    runs-on: windows-latest
-    environment: release
-    steps:
-      - name: Resolve version
-        id: resolve_version
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          RELEASE_TAG: ${{ github.event.release.tag_name }}
-          INPUT_TAG: ${{ inputs.tag }}
-        run: |
-          if [[ "$EVENT_NAME" == "release" ]]; then
-            TAG="$RELEASE_TAG"
-          else
-            TAG="$INPUT_TAG"
-          fi
-
-          if [[ -z "$TAG" ]]; then
-            echo "::error::No tag provided"
-            exit 1
-          fi
-
-          # Validate tag format (v-prefixed semver, e.g. v25.3.0 or v1.2.3-beta.1)
-          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
-            echo "::error::Invalid tag format: $TAG (expected v-prefixed semver, e.g. v25.3.0)"
-            exit 1
-          fi
-
-          VERSION="${TAG#v}"
-          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "Resolved tag=$TAG version=$VERSION"
-
-      - name: Verify release assets exist
-        env:
-          GH_TOKEN: ${{ github.token }}
-          STEPS_RESOLVE_VERSION_OUTPUTS_TAG: ${{ steps.resolve_version.outputs.tag }}
-        run: |
-          TAG="${STEPS_RESOLVE_VERSION_OUTPUTS_TAG}"
-
-          echo "Checking release assets for tag $TAG..."
-          ASSETS=$(gh api "repos/${{ github.repository }}/releases/tags/$TAG" --jq '.assets[].name')
-
-          echo "Found assets:"
-          echo "$ASSETS"
-
-          if ! echo "$ASSETS" | grep -q "\.appx$"; then
-            echo "::error::No .appx assets found in release $TAG"
-            exit 1
-          fi
-
-          echo "Required .appx assets found."
-
-      - name: Download Microsoft Store artifacts
-        env:
-          GH_TOKEN: ${{ github.token }}
-          STEPS_RESOLVE_VERSION_OUTPUTS_TAG: ${{ steps.resolve_version.outputs.tag }}
-        run: |
-          TAG="${STEPS_RESOLVE_VERSION_OUTPUTS_TAG}"
-          gh release download "$TAG" --repo "${{ github.repository }}" --pattern "*.appx"
-
-      - name: Install StoreBroker
-        shell: powershell
-        run: |
-          Install-Module -Name StoreBroker -AcceptLicense -Force -Scope CurrentUser -Verbose
-
-      - name: Submit to Microsoft Store
-        shell: powershell
-        run: |
-          # Disable telemetry
-          $global:SBDisableTelemetry = $true
-
-          # Authenticate against the store
-          $pass = ConvertTo-SecureString -String '${{ secrets.MICROSOFT_STORE_CLIENT_SECRET }}' -AsPlainText -Force
-          $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ${{ secrets.MICROSOFT_STORE_CLIENT_ID }},$pass
-          Set-StoreBrokerAuthentication -TenantId '${{ secrets.MICROSOFT_STORE_TENANT_ID }}' -Credential $cred
-
-          # Zip and create metadata files
-          $artifacts = Get-ChildItem -Path . -Filter *.appx | Select-Object -ExpandProperty FullName
-          New-StoreBrokerConfigFile -Path "$PWD/config.json" -AppId ${{ secrets.MICROSOFT_STORE_PRODUCT_ID }}
-          New-SubmissionPackage -ConfigPath "$PWD/config.json" -DisableAutoPackageNameFormatting -AppxPath $artifacts -OutPath "$PWD" -OutName submission
-
-          # Submit the app
-          # See https://github.com/microsoft/StoreBroker/blob/master/Documentation/USAGE.md#the-easy-way
-          Update-ApplicationSubmission `
-            -AppId ${{ secrets.MICROSOFT_STORE_PRODUCT_ID }} `
-            -SubmissionDataPath "submission.json" `
-            -PackagePath "submission.zip" `
-            -ReplacePackages `
-            -NoStatus `
-            -AutoCommit `
-            -Force

.github/workflows/publish-nightly-electron.yml

@@ -13,9 +13,6 @@ defaults:
 env:
   CI: true
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
@@ -23,19 +20,15 @@ concurrency:
 jobs:
   build:
     strategy:
-      fail-fast: false
       matrix:
         os:
           - ubuntu-22.04
           - windows-latest
           - macos-latest
     runs-on: ${{ matrix.os }}
-    environment: release
     if: github.event.repository.fork == false
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
       - if: ${{ startsWith(matrix.os, 'windows') }}
         run: pip.exe install setuptools
 
@@ -48,9 +41,6 @@ jobs:
 
       - name: Set up environment
         uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
 
       - if: ${{ startsWith(matrix.os, 'ubuntu') }}
         name: Setup Flatpak dependencies
@@ -93,49 +83,49 @@ jobs:
         run: ./bin/package-electron
 
       - name: Upload Linux x64 AppImage
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-linux-x86_64.AppImage
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-linux-x86_64.AppImage
 
       - name: Upload Linux arm64 AppImage
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-linux-arm64.AppImage
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-linux-arm64.AppImage
 
       - name: Upload Windows x32 exe
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-windows-ia32.exe
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-windows-ia32.exe
 
       - name: Upload Windows x64 exe
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-windows-x64.exe
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-windows-x64.exe
 
       - name: Upload Windows arm64 exe
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-windows-arm64.exe
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-windows-arm64.exe
 
       - name: Upload Mac x64 dmg
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-mac-x64.dmg
           if-no-files-found: ignore
           path: packages/desktop-electron/dist/Actual-mac-x64.dmg
 
       - name: Upload Mac arm64 dmg
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: Actual-mac-arm64.dmg
           if-no-files-found: ignore
@@ -143,7 +133,7 @@ jobs:
 
       - name: Upload Windows Store Build
         if: ${{ startsWith(matrix.os, 'windows') }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: actual-electron-${{ matrix.os }}-appx
           path: |

.github/workflows/publish-nightly-npm-packages.yml

@@ -0,0 +1,124 @@
+name: Publish nightly npm packages
+
+# Nightly npm packages are built daily at midnight UTC
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  build-and-pack:
+    runs-on: ubuntu-latest
+    name: Build and pack npm packages
+    if: github.event.repository.fork == false
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up environment
+        uses: ./.github/actions/setup
+
+      - name: Update package versions
+        run: |
+          # Get new nightly versions
+          NEW_CORE_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/loot-core/package.json --type nightly)
+          NEW_WEB_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/desktop-client/package.json --type nightly)
+          NEW_SYNC_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/sync-server/package.json --type nightly)
+          NEW_API_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/api/package.json --type nightly)
+          NEW_CLI_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/cli/package.json --type nightly)
+
+          # Set package versions
+          npm version $NEW_CORE_VERSION --no-git-tag-version --workspace=@actual-app/core --no-workspaces-update
+          npm version $NEW_WEB_VERSION --no-git-tag-version --workspace=@actual-app/web --no-workspaces-update
+          npm version $NEW_SYNC_VERSION --no-git-tag-version --workspace=@actual-app/sync-server --no-workspaces-update
+          npm version $NEW_API_VERSION --no-git-tag-version --workspace=@actual-app/api --no-workspaces-update
+          npm version $NEW_CLI_VERSION --no-git-tag-version --workspace=@actual-app/cli --no-workspaces-update
+
+      - name: Yarn install
+        run: |
+          yarn install
+
+      - name: Pack the core package
+        run: |
+          yarn workspace @actual-app/core pack --filename @actual-app/core.tgz
+
+      - name: Build Server & Web
+        run: yarn build:server
+
+      - name: Pack the web and server packages
+        run: |
+          yarn workspace @actual-app/web pack --filename @actual-app/web.tgz
+          yarn workspace @actual-app/sync-server pack --filename @actual-app/sync-server.tgz
+
+      - name: Build API
+        run: yarn build:api
+
+      - name: Pack the api package
+        run: |
+          yarn workspace @actual-app/api pack --filename @actual-app/api.tgz
+
+      - name: Build CLI
+        run: yarn workspace @actual-app/cli build
+
+      - name: Pack the cli package
+        run: |
+          yarn workspace @actual-app/cli pack --filename @actual-app/cli.tgz
+
+      - name: Upload package artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: npm-packages
+          path: |
+            packages/loot-core/@actual-app/core.tgz
+            packages/desktop-client/@actual-app/web.tgz
+            packages/sync-server/@actual-app/sync-server.tgz
+            packages/api/@actual-app/api.tgz
+            packages/cli/@actual-app/cli.tgz
+
+  publish:
+    runs-on: ubuntu-latest
+    name: Publish Nightly npm packages
+    needs: build-and-pack
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Download the artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: npm-packages
+
+      - name: Setup node and npm registry
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: 22
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Publish Core
+        run: |
+          npm publish loot-core/@actual-app/core.tgz --access public --tag nightly
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish Web
+        run: |
+          npm publish desktop-client/@actual-app/web.tgz --access public --tag nightly
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish Sync-Server
+        run: |
+          npm publish sync-server/@actual-app/sync-server.tgz --access public --tag nightly
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish API
+        run: |
+          npm publish api/@actual-app/api.tgz --access public --tag nightly
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish CLI
+        run: |
+          npm publish cli/@actual-app/cli.tgz --access public --tag nightly
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/publish-npm-packages.yml

@@ -1,61 +1,26 @@
 name: Publish npm packages
 
-# Npm packages are published for every new tag and nightly schedule
+# # Npm packages are published for every new tag
 on:
   push:
     tags:
       - 'v*.*.*'
-  schedule:
-    - cron: '0 0 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
 
 jobs:
   build-and-pack:
     runs-on: ubuntu-latest
     name: Build and pack npm packages
-    if: github.event_name == 'push' || (github.event.repository.fork == false)
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
 
       - name: Set up environment
         uses: ./.github/actions/setup
-        with:
-          # Avoid restoring potentially poisoned caches in release jobs.
-          cache: 'false'
-
-      - name: Update package versions
-        if: github.event_name != 'push'
-        run: |
-          # Get new nightly versions
-          NEW_CORE_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/loot-core/package.json --type nightly)
-          NEW_WEB_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/desktop-client/package.json --type nightly)
-          NEW_SYNC_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/sync-server/package.json --type nightly)
-          NEW_API_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/api/package.json --type nightly)
-          NEW_CLI_VERSION=$(yarn workspace @actual-app/ci-actions tsx bin/get-next-package-version.ts --package-json ./packages/cli/package.json --type nightly)
-
-          # Set package versions
-          npm version $NEW_CORE_VERSION --no-git-tag-version --workspace=@actual-app/core --no-workspaces-update
-          npm version $NEW_WEB_VERSION --no-git-tag-version --workspace=@actual-app/web --no-workspaces-update
-          npm version $NEW_SYNC_VERSION --no-git-tag-version --workspace=@actual-app/sync-server --no-workspaces-update
-          npm version $NEW_API_VERSION --no-git-tag-version --workspace=@actual-app/api --no-workspaces-update
-          npm version $NEW_CLI_VERSION --no-git-tag-version --workspace=@actual-app/cli --no-workspaces-update
-
-      - name: Yarn install
-        if: github.event_name != 'push'
-        run: |
-          # Required after nightly `npm version` updates workspace manifests.
-          yarn install
 
       - name: Pack the core package
         run: |
           yarn workspace @actual-app/core pack --filename @actual-app/core.tgz
 
-      - name: Build Server & Web
+      - name: Build Web
         run: yarn build:server
 
       - name: Pack the web and server packages
@@ -78,8 +43,7 @@ jobs:
           yarn workspace @actual-app/cli pack --filename @actual-app/cli.tgz
 
       - name: Upload package artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        if: ${{ !env.ACT }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: npm-packages
           path: |
@@ -93,13 +57,9 @@ jobs:
     runs-on: ubuntu-latest
     name: Publish npm packages
     needs: build-and-pack
-    environment: release
     permissions:
       contents: read
       packages: write
-      id-token: write # Required for OIDC
-    env:
-      NPM_DIST_TAG: ${{ github.event_name != 'push' && 'nightly' || '' }}
     steps:
       - name: Download the artifacts
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -109,28 +69,35 @@ jobs:
       - name: Setup node and npm registry
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 24
-          check-latest: true
-          # Avoid restoring potentially poisoned caches in release jobs.
-          package-manager-cache: false
+          node-version: 22
           registry-url: 'https://registry.npmjs.org'
 
       - name: Publish Core
         run: |
-          npm publish loot-core/@actual-app/core.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}
+          npm publish loot-core/@actual-app/core.tgz --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish Web
         run: |
-          npm publish desktop-client/@actual-app/web.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}
+          npm publish desktop-client/@actual-app/web.tgz --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish Sync-Server
         run: |
-          npm publish sync-server/@actual-app/sync-server.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}
+          npm publish sync-server/@actual-app/sync-server.tgz --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish API
         run: |
-          npm publish api/@actual-app/api.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}
+          npm publish api/@actual-app/api.tgz --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish CLI
         run: |
-          npm publish cli/@actual-app/cli.tgz --access public ${NPM_DIST_TAG:+--tag "$NPM_DIST_TAG"}
+          npm publish cli/@actual-app/cli.tgz --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/release-notes.yml

@@ -3,10 +3,6 @@ name: Release notes
 on:
   pull_request:
 
-permissions:
-  contents: write
-  pull-requests: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -15,37 +11,15 @@ jobs:
   release-notes:
     runs-on: ubuntu-latest
     steps:
-      - name: Check if triggered by bot
-        id: bot-check
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const { data: commit } = await github.rest.git.getCommit({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              commit_sha: context.payload.pull_request.head.sha,
-            });
-            const skip = commit.author.name === 'github-actions[bot]'
-              && commit.message.startsWith('Generate release notes');
-            console.log(`Head commit by "${commit.author.name}": ${commit.message.split('\n')[0]}`);
-            console.log(`Skip: ${skip}`);
-            core.setOutput('skip', String(skip));
-
       - name: Checkout
-        if: steps.bot-check.outputs.skip != 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-          token: ${{ secrets.ACTIONS_UPDATE_TOKEN || github.token }}
-          # Need to be able to commit release notes after generation
-          persist-credentials: true
-
       - name: Get changed files
-        if: steps.bot-check.outputs.skip != 'true'
         id: changed-files
         run: |
-          git fetch origin ${GITHUB_BASE_REF}
-          CHANGED_FILES=$(git diff --name-only origin/${GITHUB_BASE_REF}...HEAD)
+          git fetch origin ${{ github.base_ref }}
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
           NON_DOCS_FILES=$(echo "$CHANGED_FILES" | grep -v -e "^packages/docs/" -e "^\.github/actions/docs-spelling/" || true)
 
           if [ -z "$NON_DOCS_FILES" ] && [ -n "$CHANGED_FILES" ]; then
@@ -54,17 +28,9 @@ jobs:
           else
             echo "only_docs=false" >> $GITHUB_OUTPUT
           fi
-
       - name: Check release notes
-        if: >-
-          steps.bot-check.outputs.skip != 'true'
-          && startsWith(github.head_ref, 'release/') == false
-          && steps.changed-files.outputs.only_docs != 'true'
-        uses: ./.github/actions/release-notes/check
-
+        if: startsWith(github.head_ref, 'release/') == false && steps.changed-files.outputs.only_docs != 'true'
+        uses: actualbudget/actions/release-notes/check@main
       - name: Generate release notes
-        if: >-
-          steps.bot-check.outputs.skip != 'true'
-          && startsWith(github.head_ref, 'release/') == true
-          && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
-        uses: ./.github/actions/release-notes/generate
+        if: startsWith(github.head_ref, 'release/') == true
+        uses: actualbudget/actions/release-notes/generate@main

.github/workflows/size-compare.yml

@@ -33,132 +33,119 @@ jobs:
     permissions:
       pull-requests: write
       contents: read
-      actions: read
     steps:
       - name: Checkout base branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.base_ref }}
-          persist-credentials: false
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
 
-      # Resolve one successful `build.yml` run for each side (master and PR
-      # head) up front, then pin every download below to its `run_id`. This
-      # ensures artifact downloads are consistent and prevents race conditions.
-      - name: Resolve build runs
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        id: build-runs
-        env:
-          BASE_REF: ${{ github.base_ref }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+      - name: Wait for ${{github.base_ref}} web build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: master-web-build
         with:
-          script: |
-            const TIMEOUT_MS = 30 * 60 * 1000;
-            const SLEEP_MS = 15000;
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: web
+          ref: ${{github.base_ref}}
+      - name: Wait for ${{github.base_ref}} API build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: master-api-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: api
+          ref: ${{github.base_ref}}
+      - name: Wait for ${{github.base_ref}} CLI build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: master-cli-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: cli
+          ref: ${{github.base_ref}}
 
-            async function resolveRun({ label, filter, notFoundHint }) {
-              const deadline = Date.now() + TIMEOUT_MS;
-              while (true) {
-                const { data } = await github.rest.actions.listWorkflowRuns({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  workflow_id: 'build.yml',
-                  ...filter,
-                  status: 'success',
-                  per_page: 1,
-                });
-                if (data.workflow_runs.length > 0) {
-                  const run = data.workflow_runs[0];
-                  core.info(`Found ${label} build run ${run.id} (${run.html_url})`);
-                  return run.id;
-                }
-                if (Date.now() > deadline) {
-                  throw new Error(
-                    `No successful build.yml run found for ${label} within 30 min — ${notFoundHint}.`,
-                  );
-                }
-                core.info(`No successful ${label} build run yet — sleeping 15s.`);
-                await new Promise(r => setTimeout(r, SLEEP_MS));
-              }
-            }
+      - name: Wait for PR build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: wait-for-web-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: web
+          ref: ${{github.event.pull_request.head.sha}}
+      - name: Wait for API PR build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: wait-for-api-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: api
+          ref: ${{github.event.pull_request.head.sha}}
+      - name: Wait for CLI PR build to succeed
+        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
+        id: wait-for-cli-build
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: cli
+          ref: ${{github.event.pull_request.head.sha}}
 
-            const baseRef = process.env.BASE_REF;
-            const headSha = process.env.HEAD_SHA;
-            const [masterRunId, headRunId] = await Promise.all([
-              resolveRun({
-                label: baseRef,
-                filter: { branch: baseRef },
-                notFoundHint: `${baseRef} may be broken`,
-              }),
-              resolveRun({
-                label: `PR head ${headSha}`,
-                filter: { head_sha: headSha },
-                notFoundHint:
-                  'build may still be running, have failed, or the branch may have been force-pushed',
-              }),
-            ]);
-            core.setOutput('master_run_id', masterRunId);
-            core.setOutput('head_run_id', headRunId);
+      - name: Report build failure
+        if: steps.wait-for-web-build.outputs.conclusion == 'failure' || steps.wait-for-api-build.outputs.conclusion == 'failure' || steps.wait-for-cli-build.outputs.conclusion == 'failure'
+        run: |
+          echo "Build failed on PR branch or ${{github.base_ref}}"
+          exit 1
 
       - name: Download web build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
+        id: pr-web-build
         with:
-          run_id: ${{ steps.build-runs.outputs.master_run_id }}
+          branch: ${{github.base_ref}}
           workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
           name: build-stats
           path: base
       - name: Download API build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
+        id: pr-api-build
         with:
-          run_id: ${{ steps.build-runs.outputs.master_run_id }}
+          branch: ${{github.base_ref}}
           workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
           name: api-build-stats
           path: base
       - name: Download build stats from PR
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
         with:
-          run_id: ${{ steps.build-runs.outputs.head_run_id }}
+          pr: ${{github.event.pull_request.number}}
           workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
           name: build-stats
           path: head
+          allow_forks: true
       - name: Download API stats from PR
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
         with:
-          run_id: ${{ steps.build-runs.outputs.head_run_id }}
+          pr: ${{github.event.pull_request.number}}
           workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
           name: api-build-stats
           path: head
+          allow_forks: true
       - name: Download CLI build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
         with:
-          run_id: ${{ steps.build-runs.outputs.master_run_id }}
+          branch: ${{github.base_ref}}
           workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
           name: cli-build-stats
           path: base
       - name: Download CLI stats from PR
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
+        uses: dawidd6/action-download-artifact@1f8785ff7a5130826f848e7f72725c85d241860f # v18
         with:
-          run_id: ${{ steps.build-runs.outputs.head_run_id }}
+          pr: ${{github.event.pull_request.number}}
           workflow: build.yml
+          workflow_conclusion: '' # ignore the conclusion of the workflow, since we already checked it
           name: cli-build-stats
           path: head
-      - name: Download CRDT build artifact from ${{github.base_ref}}
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
-        with:
-          run_id: ${{ steps.build-runs.outputs.master_run_id }}
-          workflow: build.yml
-          name: crdt-build-stats
-          path: base
-      - name: Download CRDT stats from PR
-        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
-        with:
-          run_id: ${{ steps.build-runs.outputs.head_run_id }}
-          workflow: build.yml
-          name: crdt-build-stats
-          path: head
+          allow_forks: true
       - name: Strip content hashes from stats files
         run: |
           if [ -f ./head/web-stats.json ]; then
@@ -181,12 +168,10 @@ jobs:
             --base loot-core=./base/loot-core-stats.json \
             --base api=./base/api-stats.json \
             --base cli=./base/cli-stats.json \
-            --base crdt=./base/crdt-stats.json \
             --head desktop-client=./head/web-stats.json \
             --head loot-core=./head/loot-core-stats.json \
             --head api=./head/api-stats.json \
             --head cli=./head/cli-stats.json \
-            --head crdt=./head/crdt-stats.json \
             --identifier combined \
             --format pr-body > bundle-stats-comment.md
       - name: Post combined bundle stats comment

.github/workflows/stale.yml

@@ -3,12 +3,9 @@ on:
   schedule:
     - cron: '30 1 * * *'
   workflow_dispatch: # Allow manual triggering
-permissions: {}
 
 jobs:
   stale:
-    permissions:
-      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
@@ -19,8 +16,6 @@ jobs:
           days-before-close: 5
           days-before-issue-stale: -1
   stale-wip:
-    permissions:
-      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
@@ -32,8 +27,6 @@ jobs:
           days-before-issue-stale: -1
 
   stale-needs-info:
-    permissions:
-      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0

.github/workflows/vrt-update-apply.yml

@@ -75,12 +75,9 @@ jobs:
 
           echo "Found patch file: $PATCH_FILE"
 
-          # Validate patch only contains PNG files. `git format-patch` emits a
-          # `GIT binary patch` block for PNGs (no +++/--- lines), so check
-          # `diff --git` headers — those are present for both text and binary.
+          # Validate patch only contains PNG files
           echo "Validating patch contains only PNG files..."
-          if grep -E '^diff --git ' "$PATCH_FILE" \
-               | grep -vE '^diff --git a/[^[:space:]]+\.png b/[^[:space:]]+\.png$'; then
+          if grep -E '^(\+\+\+|---) [ab]/' "$PATCH_FILE" | grep -v '\.png$'; then
             echo "ERROR: Patch contains non-PNG files! Rejecting for security."
             echo "applied=false" >> "$GITHUB_OUTPUT"
             echo "error=Patch validation failed: contains non-PNG files" >> "$GITHUB_OUTPUT"
@@ -88,7 +85,7 @@ jobs:
           fi
 
           # Extract file list for verification
-          FILES_CHANGED=$(grep -cE '^diff --git ' "$PATCH_FILE")
+          FILES_CHANGED=$(grep -E '^\+\+\+ b/' "$PATCH_FILE" | sed 's/^+++ b\///' | wc -l)
           echo "Patch modifies $FILES_CHANGED PNG file(s)"
 
           # Configure git
@@ -110,7 +107,7 @@ jobs:
             fi
 
             # Commit
-            git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${STEPS_METADATA_OUTPUTS_PR_NUMBER}"
+            git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${{ steps.metadata.outputs.pr_number }}"
 
             echo "applied=true" >> "$GITHUB_OUTPUT"
           else
@@ -119,8 +116,6 @@ jobs:
             echo "error=Patch conflicts with current branch state" >> "$GITHUB_OUTPUT"
             exit 1
           fi
-        env:
-          STEPS_METADATA_OUTPUTS_PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
 
       - name: Push changes
         if: steps.apply.outputs.applied == 'true'
@@ -138,15 +133,12 @@ jobs:
 
       - name: Comment on PR - Failure
         if: failure() && steps.metadata.outputs.pr_number != ''
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          APPLY_ERROR: ${{ steps.apply.outputs.error }}
-          PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
-            const error = process.env.APPLY_ERROR || 'Unknown error occurred';
+            const error = `${{ steps.apply.outputs.error }}` || 'Unknown error occurred';
             await github.rest.issues.createComment({
-              issue_number: parseInt(process.env.PR_NUMBER, 10),
+              issue_number: ${{ steps.metadata.outputs.pr_number }},
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: `❌ Failed to apply VRT updates: ${error}\n\nPlease check the workflow logs for details.`

.github/workflows/vrt-update-generate.yml

@@ -26,7 +26,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Add 👀 reaction to comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             await github.rest.reactions.createForIssueComment({
@@ -36,20 +36,19 @@ jobs:
               content: 'eyes'
             });
 
-  get-pr:
-    name: Resolve PR details
+  generate-vrt-updates:
+    name: Generate VRT Updates
     runs-on: ubuntu-latest
+    # Only run on PR comments containing /update-vrt
     if: >
       github.event.issue.pull_request &&
       startsWith(github.event.comment.body, '/update-vrt')
-    outputs:
-      head_sha: ${{ steps.pr.outputs.head_sha }}
-      head_ref: ${{ steps.pr.outputs.head_ref }}
-      head_repo: ${{ steps.pr.outputs.head_repo }}
+    container:
+      image: mcr.microsoft.com/playwright:v1.58.2-jammy
     steps:
       - name: Get PR details
         id: pr
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const { data: pr } = await github.rest.pulls.get({
@@ -61,263 +60,60 @@ jobs:
             core.setOutput('head_ref', pr.head.ref);
             core.setOutput('head_repo', pr.head.repo.full_name);
 
-  build-web:
-    name: Build web bundle
-    runs-on: ubuntu-latest
-    needs: get-pr
-    container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
-    steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ needs.get-pr.outputs.head_sha }}
-          persist-credentials: false
-
-      - name: Trust workspace directory
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-        shell: bash
-
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          download-translations: 'false'
-      - name: Build browser bundle
-        # REACT_APP_NETLIFY=true flips isNonProductionEnvironment() on in the
-        # bundle so the "Create test file" button (used by every e2e beforeEach
-        # via ConfigurationPage.createTestFile()) is still rendered in a
-        # production build. Without it, e2e tests would time out waiting for
-        # a button that was tree-shaken out.
-        # --skip-translations keeps VRT screenshots deterministic by rendering
-        # source-code English instead of upstream Weblate en.json (which can
-        # drift between snapshot capture and test runs).
-        env:
-          REACT_APP_NETLIFY: 'true'
-        run: yarn build:browser --skip-translations
-      - name: Upload build artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: desktop-client-build
-          path: packages/desktop-client/build/
-          retention-days: 1
-          overwrite: true
-
-  browser-vrt:
-    name: Browser VRT (shard ${{ matrix.shard }}/3)
-    runs-on: ubuntu-latest
-    needs: [get-pr, build-web]
-    strategy:
-      fail-fast: false
-      matrix:
-        shard: [1, 2, 3]
-    container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
-    env:
-      E2E_USE_BUILD: '1'
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ needs.get-pr.outputs.head_sha }}
-          persist-credentials: false
-
-      - name: Trust workspace directory
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-        shell: bash
-
-      - name: Set up environment
-        uses: ./.github/actions/setup
-        with:
-          download-translations: 'false'
-      - name: Download web build
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: desktop-client-build
-          path: packages/desktop-client/build/
-      - name: Run VRT Tests
-        continue-on-error: true
-        run: yarn vrt --update-snapshots --shard=${{ matrix.shard }}/3
-      - name: Create shard patch with PNG changes only
-        id: create-patch
-        run: |
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-
-          git add "**/*.png"
-
-          if git diff --staged --quiet; then
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
-            echo "No VRT changes in this shard"
-            exit 0
-          fi
-
-          echo "has_changes=true" >> "$GITHUB_OUTPUT"
-
-          git commit -m "Update VRT screenshots (browser shard ${{ matrix.shard }})"
-          git format-patch -1 HEAD --stdout > vrt-shard.patch
-
-          # Validate patch only contains PNG files. `git format-patch` emits a
-          # `GIT binary patch` block for PNGs (no +++/--- lines), so check
-          # `diff --git` headers — those are present for both text and binary.
-          if grep -E '^diff --git ' vrt-shard.patch \
-               | grep -vE '^diff --git a/[^[:space:]]+\.png b/[^[:space:]]+\.png$'; then
-            echo "ERROR: Shard patch contains non-PNG files!"
-            exit 1
-          fi
-      - name: Upload shard patch
-        if: steps.create-patch.outputs.has_changes == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: vrt-shard-browser-${{ matrix.shard }}
-          path: vrt-shard.patch
-          retention-days: 1
-          overwrite: true
-
-  desktop-vrt:
-    name: Desktop VRT
-    runs-on: ubuntu-latest
-    needs: get-pr
-    container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ needs.get-pr.outputs.head_sha }}
-          persist-credentials: false
-
-      - name: Trust workspace directory
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-        shell: bash
+          ref: ${{ steps.pr.outputs.head_sha }}
 
       - name: Set up environment
         uses: ./.github/actions/setup
         with:
           download-translations: 'false'
 
-      # Build tools are needed to rebuild native modules like better-sqlite3 used by the Desktop app, which is required to run VRT tests on the Desktop app and generate updated snapshots.
-      - name: Install build tools
-        run: apt-get update && apt-get install -y build-essential python3
-
-      - name: Run Desktop VRT Tests
+      - name: Run VRT Tests on Desktop app
         continue-on-error: true
         run: |
-          yarn rebuild-electron
           xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop --update-snapshots
 
-      - name: Create shard patch with PNG changes only
+      - name: Run VRT Tests
+        continue-on-error: true
+        run: yarn vrt --update-snapshots
+
+      - name: Create patch with PNG changes only
         id: create-patch
         run: |
+          # Trust the repository directory (required for container environments)
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
 
+          # Stage only PNG files
           git add "**/*.png"
 
+          # Check if there are any changes
           if git diff --staged --quiet; then
             echo "has_changes=false" >> "$GITHUB_OUTPUT"
-            echo "No VRT changes in desktop shard"
-            exit 0
-          fi
-
-          echo "has_changes=true" >> "$GITHUB_OUTPUT"
-
-          git commit -m "Update VRT screenshots (desktop)"
-          git format-patch -1 HEAD --stdout > vrt-shard.patch
-
-          # See validation note in browser-vrt above.
-          if grep -E '^diff --git ' vrt-shard.patch \
-               | grep -vE '^diff --git a/[^[:space:]]+\.png b/[^[:space:]]+\.png$'; then
-            echo "ERROR: Desktop shard patch contains non-PNG files!"
-            exit 1
-          fi
-
-      - name: Upload shard patch
-        if: steps.create-patch.outputs.has_changes == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: vrt-shard-desktop
-          path: vrt-shard.patch
-          retention-days: 1
-          overwrite: true
-
-  merge-patch:
-    name: Merge VRT Patches
-    runs-on: ubuntu-latest
-    needs: [get-pr, browser-vrt, desktop-vrt]
-    if: ${{ !cancelled() && needs.get-pr.result == 'success' }}
-    container:
-      image: mcr.microsoft.com/playwright:v1.59.1-jammy
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ needs.get-pr.outputs.head_sha }}
-          persist-credentials: false
-
-      - name: Download all shard patches
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          path: /tmp/shard-patches
-          pattern: vrt-shard-*
-
-      - name: Merge shard patches
-        id: create-patch
-        shell: bash
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-
-          # actions/download-artifact puts a lone matched artifact directly in
-          # `path` but gives each of several its own `path/<name>/` subdir, so
-          # recurse instead of globbing `*/vrt-shard.patch` (which would miss
-          # the common single-shard case).
-          mapfile -t patches < <(find /tmp/shard-patches -type f -name 'vrt-shard.patch' | sort)
-
-          if [ ${#patches[@]} -eq 0 ]; then
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
-            echo "No shard patches to merge"
-            exit 0
-          fi
-
-          # Defense in depth: re-validate every shard patch before applying.
-          # See validation note in browser-vrt above for why we match
-          # `diff --git` headers instead of +++/--- lines.
-          for patch in "${patches[@]}"; do
-            echo "Validating $patch"
-            if grep -E '^diff --git ' "$patch" \
-                 | grep -vE '^diff --git a/[^[:space:]]+\.png b/[^[:space:]]+\.png$'; then
-              echo "ERROR: $patch contains non-PNG files!"
-              exit 1
-            fi
-          done
-
-          # Apply each shard patch. Shards touch disjoint PNG files so
-          # order does not matter. --index stages the applied changes.
-          for patch in "${patches[@]}"; do
-            echo "Applying $patch"
-            git apply --index "$patch"
-          done
-
-          if git diff --staged --quiet; then
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
-            echo "No VRT changes after merge"
+            echo "No VRT changes to commit"
             exit 0
           fi
 
           echo "has_changes=true" >> "$GITHUB_OUTPUT"
 
+          # Create commit and patch
           git commit -m "Update VRT screenshots"
           git format-patch -1 HEAD --stdout > vrt-update.patch
 
-          # Final guard on the combined patch.
-          if grep -E '^diff --git ' vrt-update.patch \
-               | grep -vE '^diff --git a/[^[:space:]]+\.png b/[^[:space:]]+\.png$'; then
-            echo "ERROR: Merged patch contains non-PNG files!"
+          # Validate patch only contains PNG files
+          if grep -E '^(\+\+\+|---) [ab]/' vrt-update.patch | grep -v '\.png$'; then
+            echo "ERROR: Patch contains non-PNG files!"
             exit 1
           fi
 
-          echo "Merged patch created successfully with PNG changes only"
+          echo "Patch created successfully with PNG changes only"
 
       - name: Upload patch artifact
         if: steps.create-patch.outputs.has_changes == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: vrt-patch-${{ github.event.issue.number }}
           path: vrt-update.patch
@@ -328,15 +124,12 @@ jobs:
         run: |
           mkdir -p pr-metadata
           echo "${{ github.event.issue.number }}" > pr-metadata/pr-number.txt
-          echo "${NEEDS_GET_PR_OUTPUTS_HEAD_REF}" > pr-metadata/head-ref.txt
-          echo "${NEEDS_GET_PR_OUTPUTS_HEAD_REPO}" > pr-metadata/head-repo.txt
-        env:
-          NEEDS_GET_PR_OUTPUTS_HEAD_REF: ${{ needs.get-pr.outputs.head_ref }}
-          NEEDS_GET_PR_OUTPUTS_HEAD_REPO: ${{ needs.get-pr.outputs.head_repo }}
+          echo "${{ steps.pr.outputs.head_ref }}" > pr-metadata/head-ref.txt
+          echo "${{ steps.pr.outputs.head_repo }}" > pr-metadata/head-repo.txt
 
       - name: Upload PR metadata
         if: steps.create-patch.outputs.has_changes == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: vrt-metadata-${{ github.event.issue.number }}
           path: pr-metadata/

.gitignore

@@ -42,9 +42,6 @@ bundle.desktop.js.map
 bundle.mobile.js
 bundle.mobile.js.map
 
-# Python virtualenv (Electron CI provisions one at the repo root for setuptools)
-.venv/
-
 # Yarn
 .pnp.*
 .yarn/*
@@ -61,10 +58,6 @@ bundle.mobile.js.map
 # IntelliJ IDEA
 .idea
 
-# Claude Code
-.claude/worktrees/*
-.claude/settings.local.json
-
 # Misc
 .#*
 

.husky/post-checkout

@@ -1,19 +1,11 @@
 #!/bin/sh
 # Run yarn install when switching branches (if yarn.lock changed)
-# or when creating a new worktree (node_modules won't exist yet)
 
 # $3 is 1 for branch checkout, 0 for file checkout
 if [ "$3" != "1" ]; then
   exit 0
 fi
 
-# Worktree creation: node_modules doesn't exist yet, always install
-if [ ! -d "node_modules" ]; then
-  echo "New worktree detected — running yarn install..."
-  yarn install || exit 1
-  exit 0
-fi
-
 # Check if yarn.lock changed between the old and new HEAD
 if git diff --name-only "$1" "$2" | grep -q "^yarn.lock$"; then
   echo "yarn.lock changed — running yarn install..."

.oxfmtrc.json

@@ -9,14 +9,24 @@
       "react",
       "builtin",
       "external",
+      "loot-core",
       ["parent", "subpath"],
       "sibling",
-      "index"
+      "index",
+      "desktop-client"
     ],
     "customGroups": [
       {
         "groupName": "react",
         "elementNamePattern": ["react", "react-dom/*", "react-*"]
+      },
+      {
+        "groupName": "loot-core",
+        "elementNamePattern": ["loot-core/**", "@actual-app/core/**"]
+      },
+      {
+        "groupName": "desktop-client",
+        "elementNamePattern": ["@desktop-client/**"]
       }
     ],
     "newlinesBetween": true

.oxlintrc.json

@@ -15,8 +15,7 @@
     "vi": "readonly",
     "backend": "readonly",
     "importScripts": "readonly",
-    "FS": "readonly",
-    "__APP_VERSION__": "readonly"
+    "FS": "readonly"
   },
   "rules": {
     // Import sorting
@@ -37,9 +36,6 @@
     "actual/prefer-const": "error",
     "actual/no-anchor-tag": "error",
     "actual/no-react-default-import": "error",
-    "actual/prefer-subpath-imports": "error",
-    "actual/enforce-boundaries": "error",
-    "actual/no-extraneous-dependencies": "error",
 
     // JSX A11y rules
     "jsx-a11y/no-autofocus": [
@@ -124,6 +120,9 @@
     "import/no-amd": "error",
     "import/no-default-export": "error",
     "import/no-webpack-loader-syntax": "error",
+    "import/no-useless-path-segments": "error",
+    "import/no-unresolved": "error",
+    "import/no-unused-modules": "error",
     "import/no-duplicates": [
       "error",
       {
@@ -161,6 +160,7 @@
     "react/no-danger-with-children": "error",
     "react/no-direct-mutation-state": "error",
     "react/no-is-mounted": "error",
+    "react/no-unstable-nested-components": "error",
     "react/require-render-return": "error",
     "react/rules-of-hooks": "error",
     "react/self-closing-comp": "error",
@@ -234,7 +234,7 @@
     "eslint/require-yield": "error",
     "eslint/getter-return": "error",
     "eslint/unicode-bom": ["error", "never"],
-    "eslint/use-isnan": "error",
+    "eslint/no-use-isnan": "error",
     "eslint/valid-typeof": "error",
     "eslint/no-useless-rename": [
       "error",
@@ -335,7 +335,7 @@
         ],
         "patterns": [
           {
-            "group": ["**/*.api", "**/*.electron"],
+            "group": ["**/*.api", "**/*.web", "**/*.electron"],
             "message": "Don't directly reference imports from other platforms"
           },
           {
@@ -361,9 +361,7 @@
     ],
     "eslint/no-useless-constructor": "error",
     "eslint/no-undef": "error",
-    "eslint/no-unused-expressions": "error",
-    "eslint/no-return-assign": "error",
-    "eslint/no-unused-vars": "error"
+    "eslint/no-unused-expressions": "error"
   },
   "overrides": [
     {
@@ -376,14 +374,7 @@
       "files": ["**/*.test.{js,ts,jsx,tsx}", "packages/docs/**/*"],
       "rules": {
         "actual/no-untranslated-strings": "off",
-        "actual/prefer-logger-over-console": "off",
-        "typescript/unbound-method": "off"
-      }
-    },
-    {
-      "files": ["packages/eslint-plugin-actual/lib/rules/__tests__/**/*"],
-      "rules": {
-        "actual/enforce-boundaries": "off"
+        "actual/prefer-logger-over-console": "off"
       }
     },
     {
@@ -430,16 +421,6 @@
       "rules": {
         "eslint/no-empty-function": "off"
       }
-    },
-    // crdt enforces the repo's "TODO: enable this" typescript rules as errors
-    {
-      "files": ["packages/crdt/**/*"],
-      "rules": {
-        "typescript/no-misused-spread": "error",
-        "typescript/no-base-to-string": "error",
-        "typescript/no-unsafe-unary-minus": "error",
-        "typescript/no-unsafe-type-assertion": "error"
-      }
     }
   ]
 }

.yarnrc.yml

@@ -6,8 +6,4 @@ enableTransparentWorkspaces: false
 
 nodeLinker: node-modules
 
-yarnPath: .yarn/releases/yarn-4.13.0.cjs
-
-# Secure default: don't run postinstall scripts.
-# If a new package requires them, add it to dependenciesMeta in package.json.
-enableScripts: false
+yarnPath: .yarn/releases/yarn-4.10.3.cjs

AGENTS.md

@@ -281,6 +281,7 @@ Always run `yarn typecheck` before committing.
 - Avoid `any` or `unknown` unless absolutely necessary
 - Look for existing type definitions in the codebase
 - Avoid type assertions (`as`, `!`) - prefer `satisfies`
+- Use inline type imports: `import { type MyType } from '...'`
 
 **Naming:**
 
@@ -330,7 +331,7 @@ Always maintain newlines between import groups.
 
 ### Platform-Specific Code
 
-- Don't directly reference platform-specific imports (`.api`, `.electron`)
+- Don't directly reference platform-specific imports (`.api`, `.web`, `.electron`)
 - Use conditional exports in `loot-core` for platform-specific code
 - Platform resolution happens at build time via package.json exports
 
@@ -500,7 +501,7 @@ Icons in `packages/component-library/src/icons/` are auto-generated. Don't manua
 
 1. Check `tsconfig.json` for path mappings
 2. Check package.json `exports` field (especially for loot-core)
-3. Verify platform-specific imports (`.electron`, `.api`)
+3. Verify platform-specific imports (`.web`, `.electron`, `.api`)
 4. Use absolute imports in `desktop-client` (enforced by ESLint)
 
 ### Build Failures

CONTRIBUTING.md

@@ -1,3 +1 @@
 Please review the contributing documentation on our website: https://actualbudget.org/docs/contributing/
-
-If you plan to use AI tools when contributing, please also read our [AI Usage Policy](https://actualbudget.org/docs/contributing/ai-usage-policy).

bin/__tests__/validate-publish-imports.test.ts

@@ -1,218 +0,0 @@
-import fs from 'node:fs';
-import os from 'node:os';
-import path from 'node:path';
-
-import { afterEach, beforeEach, describe, expect, it } from 'vitest';
-
-import {
-  derivePublishImports,
-  validatePackage,
-} from '../validate-publish-imports.js';
-
-describe('derivePublishImports', () => {
-  it('prepends ./build/ to .js paths', () => {
-    const imports = {
-      '#account-db': './src/account-db.js',
-    };
-    expect(derivePublishImports(imports)).toEqual({
-      '#account-db': './build/src/account-db.js',
-    });
-  });
-
-  it('converts .ts extension to .js and prepends ./build/', () => {
-    const imports = {
-      '#migrations': './src/migrations.ts',
-    };
-    expect(derivePublishImports(imports)).toEqual({
-      '#migrations': './build/src/migrations.js',
-    });
-  });
-
-  it('converts .tsx extension to .js and prepends ./build/', () => {
-    const imports = {
-      '#component': './src/component.tsx',
-    };
-    expect(derivePublishImports(imports)).toEqual({
-      '#component': './build/src/component.js',
-    });
-  });
-
-  it('preserves wildcard patterns', () => {
-    const imports = {
-      '#accounts/*': './src/accounts/*.js',
-      '#services/*': './src/app-gocardless/services/*.ts',
-    };
-    expect(derivePublishImports(imports)).toEqual({
-      '#accounts/*': './build/src/accounts/*.js',
-      '#services/*': './build/src/app-gocardless/services/*.js',
-    });
-  });
-
-  it('handles multiple entries with mixed extensions', () => {
-    const imports = {
-      '#account-db': './src/account-db.js',
-      '#migrations': './src/migrations.ts',
-      '#app-gocardless/errors': './src/app-gocardless/errors.ts',
-      '#util/*': './src/util/*.ts',
-      '#scripts/*': './src/scripts/*.js',
-    };
-    expect(derivePublishImports(imports)).toEqual({
-      '#account-db': './build/src/account-db.js',
-      '#migrations': './build/src/migrations.js',
-      '#app-gocardless/errors': './build/src/app-gocardless/errors.js',
-      '#util/*': './build/src/util/*.js',
-      '#scripts/*': './build/src/scripts/*.js',
-    });
-  });
-
-  it('returns empty object for empty imports', () => {
-    expect(derivePublishImports({})).toEqual({});
-  });
-
-  it('throws error for non-string imports values', () => {
-    const imports = {
-      '#foo': './src/foo.js',
-      '#conditional': {
-        browser: './src/browser.js',
-        node: './src/node.js',
-      },
-    };
-    expect(() => derivePublishImports(imports)).toThrow(
-      'Unsupported imports target for "#conditional". Expected a string path.',
-    );
-  });
-
-  it('handles paths with /index.js suffix', () => {
-    const imports = {
-      '#util/title': './src/util/title/index.js',
-    };
-    expect(derivePublishImports(imports)).toEqual({
-      '#util/title': './build/src/util/title/index.js',
-    });
-  });
-});
-
-describe('validatePackage', () => {
-  let tmpDir: string;
-
-  beforeEach(() => {
-    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'validate-imports-'));
-  });
-
-  afterEach(() => {
-    fs.rmSync(tmpDir, { recursive: true, force: true });
-  });
-
-  function writePackageJson(content: Record<string, unknown>) {
-    const filePath = path.join(tmpDir, 'package.json');
-    fs.writeFileSync(filePath, JSON.stringify(content, null, 2) + '\n');
-    return filePath;
-  }
-
-  it('skips packages with no publishConfig', () => {
-    const filePath = writePackageJson({
-      name: 'test-pkg',
-      imports: { '#foo': './src/foo.js' },
-    });
-    const { result, warnings } = validatePackage(filePath);
-    expect(result).toBeNull();
-    expect(warnings).toEqual([]);
-  });
-
-  it('skips packages with publishConfig but no publishConfig.imports', () => {
-    const filePath = writePackageJson({
-      name: 'test-pkg',
-      imports: { '#foo': './src/foo.js' },
-      publishConfig: { access: 'public' },
-    });
-    const { result, warnings } = validatePackage(filePath);
-    expect(result).toBeNull();
-    expect(warnings).toEqual([]);
-  });
-
-  it('warns when publishConfig.imports exists but imports does not', () => {
-    const filePath = writePackageJson({
-      name: 'test-pkg',
-      publishConfig: {
-        imports: { '#foo': './build/src/foo.js' },
-      },
-    });
-    const { result, warnings } = validatePackage(filePath);
-    expect(result).toBeNull();
-    expect(warnings).toHaveLength(1);
-    expect(warnings[0]).toContain('orphaned');
-  });
-
-  it('returns no errors when publishConfig.imports matches', () => {
-    const filePath = writePackageJson({
-      name: 'test-pkg',
-      imports: {
-        '#foo': './src/foo.js',
-        '#bar': './src/bar.ts',
-      },
-      publishConfig: {
-        imports: {
-          '#foo': './build/src/foo.js',
-          '#bar': './build/src/bar.js',
-        },
-      },
-    });
-    const { result } = validatePackage(filePath);
-    expect(result).not.toBeNull();
-    expect(result!.missingKeys).toEqual([]);
-    expect(result!.extraKeys).toEqual([]);
-    expect(result!.wrongValues).toEqual([]);
-  });
-
-  it('detects missing keys in publishConfig.imports', () => {
-    const filePath = writePackageJson({
-      name: 'test-pkg',
-      imports: {
-        '#foo': './src/foo.js',
-        '#bar': './src/bar.ts',
-      },
-      publishConfig: {
-        imports: {
-          '#foo': './build/src/foo.js',
-        },
-      },
-    });
-    const { result } = validatePackage(filePath);
-    expect(result!.missingKeys).toEqual(['#bar']);
-  });
-
-  it('detects extra keys in publishConfig.imports', () => {
-    const filePath = writePackageJson({
-      name: 'test-pkg',
-      imports: {
-        '#foo': './src/foo.js',
-      },
-      publishConfig: {
-        imports: {
-          '#foo': './build/src/foo.js',
-          '#orphan': './build/src/orphan.js',
-        },
-      },
-    });
-    const { result } = validatePackage(filePath);
-    expect(result!.extraKeys).toEqual(['#orphan']);
-  });
-
-  it('detects wrong values in publishConfig.imports', () => {
-    const filePath = writePackageJson({
-      name: 'test-pkg',
-      imports: {
-        '#foo': './src/foo.ts',
-      },
-      publishConfig: {
-        imports: {
-          '#foo': './src/foo.ts',
-        },
-      },
-    });
-    const { result } = validatePackage(filePath);
-    expect(result!.wrongValues).toEqual([
-      { key: '#foo', expected: './build/src/foo.js', actual: './src/foo.ts' },
-    ]);
-  });
-});

bin/package-browser

@@ -4,30 +4,20 @@ ROOT=`dirname $0`
 
 cd "$ROOT/.."
 
-SKIP_TRANSLATIONS=false
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --skip-translations)
-      SKIP_TRANSLATIONS=true
-      shift
-      ;;
-    *)
-      echo "Unknown argument: $1" >&2
-      exit 1
-      ;;
-  esac
-done
-
-if [ "$SKIP_TRANSLATIONS" = false ]; then
-  echo "Updating translations..."
-  if ! [ -d packages/desktop-client/locale ]; then
-      git clone https://github.com/actualbudget/translations packages/desktop-client/locale
-  fi
-  pushd packages/desktop-client/locale > /dev/null
-  git checkout .
-  git pull
-  popd > /dev/null
-  packages/desktop-client/bin/remove-untranslated-languages
+echo "Updating translations..."
+if ! [ -d packages/desktop-client/locale ]; then
+    git clone https://github.com/actualbudget/translations packages/desktop-client/locale
 fi
+pushd packages/desktop-client/locale > /dev/null
+git checkout .
+git pull
+popd > /dev/null
+packages/desktop-client/bin/remove-untranslated-languages
 
-lage build:browser --to=@actual-app/web
+export NODE_OPTIONS="--max-old-space-size=4096"
+
+yarn workspace plugins-service build
+yarn workspace @actual-app/core build:browser
+yarn workspace @actual-app/web build:browser
+
+echo "packages/desktop-client/build"

bin/package-electron

@@ -43,7 +43,6 @@ if [ $SKIP_TRANSLATIONS == false ]; then
 
   pushd packages/desktop-client/locale > /dev/null
 
-  git checkout .
   git pull
   popd > /dev/null
   packages/desktop-client/bin/remove-untranslated-languages
@@ -51,13 +50,13 @@ fi
 
 export NODE_OPTIONS="--max-old-space-size=4096"
 
-yarn workspace @actual-app/crdt build
 yarn workspace plugins-service build
 yarn workspace @actual-app/core build:node
 yarn workspace @actual-app/web build --mode=desktop # electron specific build
 
 # required for running the sync-server server
-yarn build:browser
+yarn workspace @actual-app/core build:browser
+yarn workspace @actual-app/web build:browser
 yarn workspace @actual-app/sync-server build
 
 # Emit @actual-app/core declarations so desktop-electron (which includes typings/window.ts) can build

bin/run-vrt

@@ -28,5 +28,5 @@ echo "Running VRT tests with the following parameters:"
 echo "E2E_START_URL: $E2E_START_URL"
 echo "VRT_ARGS: $VRT_ARGS"
 
-MSYS_NO_PATHCONV=1 docker run --rm --network host -v "$(pwd)":/work/ -w /work/ -it mcr.microsoft.com/playwright:v1.59.1-jammy /bin/bash \
+MSYS_NO_PATHCONV=1 docker run --rm --network host -v "$(pwd)":/work/ -w /work/ -it mcr.microsoft.com/playwright:v1.58.2-jammy /bin/bash \
   -c "E2E_START_URL=$E2E_START_URL yarn vrt $VRT_ARGS"

bin/validate-publish-imports.ts

@@ -1,216 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-
-/**
- * Derives publishConfig.imports from imports by:
- * 1. Prepending ./build/ to each value path
- * 2. Replacing .ts/.tsx extensions with .js
- */
-export function derivePublishImports(
-  imports: Record<string, string | object>,
-): Record<string, string> {
-  const result: Record<string, string> = {};
-  for (const [key, value] of Object.entries(imports)) {
-    if (typeof value !== 'string') {
-      throw new Error(
-        `Unsupported imports target for "${key}". Expected a string path.`,
-      );
-    }
-    const withBuildPrefix = value.replace(/^\.\//, './build/');
-    const withJsExtension = withBuildPrefix.replace(/\.tsx?$/, '.js');
-    result[key] = withJsExtension;
-  }
-  return result;
-}
-
-export type ValidationResult = {
-  packagePath: string;
-  packageName: string;
-  missingKeys: string[];
-  extraKeys: string[];
-  wrongValues: Array<{ key: string; expected: string; actual: string }>;
-};
-
-/**
- * Validates publishConfig.imports against imports for a single package.json.
- * Returns null if the package should be skipped (no publishConfig.imports).
- * Returns a ValidationResult if the package has both fields.
- */
-export function validatePackage(packageJsonPath: string): {
-  result: ValidationResult | null;
-  warnings: string[];
-} {
-  const warnings: string[] = [];
-  const content = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
-  const packageName: string = content.name ?? packageJsonPath;
-
-  const imports: Record<string, string | object> | undefined = content.imports;
-  const publishImports: Record<string, string> | undefined =
-    content.publishConfig?.imports;
-
-  // No publishConfig.imports → skip
-  if (!publishImports) {
-    return { result: null, warnings };
-  }
-
-  // Has publishConfig.imports but no imports → warn
-  if (!imports) {
-    warnings.push(
-      `${packageName}: orphaned publishConfig.imports (no imports field)`,
-    );
-    return { result: null, warnings };
-  }
-
-  const expected = derivePublishImports(imports);
-  const expectedKeys = new Set(Object.keys(expected));
-  const actualKeys = new Set(Object.keys(publishImports));
-
-  const missingKeys = [...expectedKeys].filter(k => !actualKeys.has(k));
-  const extraKeys = [...actualKeys].filter(k => !expectedKeys.has(k));
-  const wrongValues: ValidationResult['wrongValues'] = [];
-
-  for (const key of expectedKeys) {
-    if (actualKeys.has(key) && publishImports[key] !== expected[key]) {
-      wrongValues.push({
-        key,
-        expected: expected[key],
-        actual: publishImports[key],
-      });
-    }
-  }
-
-  return {
-    result: {
-      packagePath: packageJsonPath,
-      packageName,
-      missingKeys,
-      extraKeys,
-      wrongValues,
-    },
-    warnings,
-  };
-}
-
-export function fixPackage(packageJsonPath: string): boolean {
-  const raw = fs.readFileSync(packageJsonPath, 'utf-8');
-  const content = JSON.parse(raw);
-
-  if (!content.imports || !content.publishConfig?.imports) {
-    return false;
-  }
-
-  const expected = derivePublishImports(content.imports);
-
-  // Check if already correct
-  if (
-    JSON.stringify(content.publishConfig.imports) === JSON.stringify(expected)
-  ) {
-    return false;
-  }
-
-  content.publishConfig.imports = expected;
-  fs.writeFileSync(packageJsonPath, JSON.stringify(content, null, 2) + '\n');
-  return true;
-}
-
-function findPackageJsonFiles(): string[] {
-  const packagesDir = path.resolve(__dirname, '..', 'packages');
-  const entries = fs.readdirSync(packagesDir, { withFileTypes: true });
-  const results: string[] = [];
-  for (const entry of entries) {
-    if (entry.isDirectory()) {
-      const pkgPath = path.join(packagesDir, entry.name, 'package.json');
-      if (fs.existsSync(pkgPath)) {
-        results.push(pkgPath);
-      }
-    }
-  }
-  return results;
-}
-
-function resolvePackageJsonPaths(filePaths: string[]): string[] {
-  const packagesRoot = path.resolve(__dirname, '..', 'packages');
-  const seen = new Set<string>();
-  for (const filePath of filePaths) {
-    const resolvedPath = path.resolve(filePath);
-    let dir = path.dirname(resolvedPath);
-    while (dir.startsWith(packagesRoot + path.sep)) {
-      const candidate = path.join(dir, 'package.json');
-      if (
-        fs.existsSync(candidate) &&
-        candidate.startsWith(packagesRoot + path.sep)
-      ) {
-        seen.add(candidate);
-        break;
-      }
-      dir = path.dirname(dir);
-    }
-  }
-  return [...seen];
-}
-
-function main() {
-  const args = process.argv.slice(2);
-  const fixMode = args.includes('--fix');
-  const filePaths = args.filter(arg => !arg.startsWith('--'));
-
-  const packageJsonFiles =
-    filePaths.length > 0
-      ? resolvePackageJsonPaths(filePaths)
-      : findPackageJsonFiles();
-
-  let hasErrors = false;
-  const allWarnings: string[] = [];
-
-  for (const pkgPath of packageJsonFiles) {
-    if (fixMode) {
-      const fixed = fixPackage(pkgPath);
-      if (fixed) {
-        const name = JSON.parse(fs.readFileSync(pkgPath, 'utf-8')).name;
-        console.log(`Fixed publishConfig.imports in ${name}`);
-      }
-    } else {
-      const { result, warnings } = validatePackage(pkgPath);
-      allWarnings.push(...warnings);
-
-      if (result) {
-        const hasIssues =
-          result.missingKeys.length > 0 ||
-          result.extraKeys.length > 0 ||
-          result.wrongValues.length > 0;
-
-        if (hasIssues) {
-          hasErrors = true;
-          console.error(`\n${result.packageName}:`);
-
-          for (const key of result.missingKeys) {
-            console.error(`  Missing key: ${key}`);
-          }
-          for (const key of result.extraKeys) {
-            console.error(`  Extra key: ${key}`);
-          }
-          for (const { key, expected, actual } of result.wrongValues) {
-            console.error(`  Wrong value for ${key}:`);
-            console.error(`    expected: ${expected}`);
-            console.error(`    actual:   ${actual}`);
-          }
-        }
-      }
-    }
-  }
-
-  for (const warning of allWarnings) {
-    console.warn(`Warning: ${warning}`);
-  }
-
-  if (hasErrors) {
-    console.error(
-      '\npublishConfig.imports is out of sync. Run with --fix to auto-fix.',
-    );
-    process.exit(1);
-  }
-}
-
-if (require.main === module) {
-  main();
-}

bin/vitest.config.mts

@@ -1,9 +0,0 @@
-import { defineConfig } from 'vitest/config';
-
-export default defineConfig({
-  test: {
-    globals: true,
-    include: ['__tests__/**/*.test.ts'],
-    environment: 'node',
-  },
-});

lage.config.js

@@ -1,5 +1,3 @@
-const BUILD_OUTPUT_GLOBS = ['lib-dist/**', 'dist/**', 'build/**', '@types/**'];
-
 /** @type {import('lage').ConfigOptions} */
 module.exports = {
   pipeline: {
@@ -22,22 +20,14 @@ module.exports = {
       dependsOn: ['^build'],
       cache: true,
       options: {
-        outputGlob: BUILD_OUTPUT_GLOBS,
+        outputGlob: ['lib-dist/**', 'dist/**', 'build/**'],
       },
     },
-    // Not cached: the script stages files into public/ and build-stats/ that
-    // fall outside BUILD_OUTPUT_GLOBS, so a cache hit would skip the side
-    // effects.
-    'build:browser': {
-      type: 'npmScript',
-      dependsOn: ['^build'],
-      cache: false,
-    },
   },
   cacheOptions: {
     cacheStorageConfig: {
       provider: 'local',
-      outputGlob: BUILD_OUTPUT_GLOBS,
+      outputGlob: ['lib-dist/**', 'dist/**', 'build/**'],
     },
   },
   npmClient: 'yarn',

package.json

@@ -24,21 +24,23 @@
     "start:server-dev": "NODE_ENV=development BROWSER_OPEN=localhost:5006 yarn npm-run-all --parallel 'start:server-monitor' 'start'",
     "start:desktop": "yarn desktop-dependencies && npm-run-all --parallel 'start:desktop-*'",
     "start:docs": "yarn workspace docs start",
-    "desktop-dependencies": "npm-run-all --parallel rebuild-electron build:plugins-service",
+    "desktop-dependencies": "npm-run-all --parallel rebuild-electron build:browser-backend build:plugins-service",
     "start:desktop-node": "yarn workspace @actual-app/core watch:node",
     "start:desktop-client": "yarn workspace @actual-app/web watch",
     "start:desktop-server-client": "yarn workspace @actual-app/web build:browser",
     "start:desktop-electron": "yarn workspace desktop-electron watch",
-    "start:browser": "npm-run-all --parallel 'start:browser-*' 'start:service-plugins'",
+    "start:browser": "yarn workspace plugins-service build-dev && npm-run-all --parallel 'start:browser-*'",
     "start:service-plugins": "yarn workspace plugins-service watch",
+    "start:browser-backend": "yarn workspace @actual-app/core watch:browser",
     "start:browser-frontend": "yarn workspace @actual-app/web start:browser",
     "start:storybook": "yarn workspace @actual-app/components start:storybook",
     "build": "lage build",
+    "build:browser-backend": "yarn workspace @actual-app/core build:browser",
     "build:server": "yarn build:browser && yarn workspace @actual-app/sync-server build",
     "build:browser": "./bin/package-browser",
     "build:desktop": "./bin/package-electron",
     "build:plugins-service": "yarn workspace plugins-service build",
-    "build:api": "yarn build --scope=@actual-app/api",
+    "build:api": "yarn workspace @actual-app/api build",
     "build:cli": "yarn build --scope=@actual-app/cli",
     "build:docs": "yarn workspace docs build",
     "build:storybook": "yarn workspace @actual-app/components build:storybook",
@@ -52,74 +54,46 @@
     "playwright": "yarn workspace @actual-app/web run playwright",
     "vrt": "yarn workspace @actual-app/web run vrt",
     "vrt:docker": "./bin/run-vrt",
-    "rebuild-electron": "./node_modules/.bin/electron-rebuild -m ./packages/desktop-electron -o better-sqlite3,bcrypt --build-from-source -f",
+    "rebuild-electron": "./node_modules/.bin/electron-rebuild -m ./packages/loot-core",
     "rebuild-node": "yarn workspace @actual-app/core rebuild",
     "lint": "oxfmt --check . && oxlint --type-aware --quiet",
     "lint:fix": "oxfmt . && oxlint --fix --type-aware --quiet",
     "install:server": "yarn workspaces focus @actual-app/sync-server --production",
     "constraints": "yarn constraints",
     "typecheck": "tsgo -p tsconfig.root.json --noEmit && lage typecheck",
-    "check:tsconfig-references": "workspaces-to-typescript-project-references --check",
-    "sync:tsconfig-references": "workspaces-to-typescript-project-references",
     "prepare": "husky"
   },
   "devDependencies": {
-    "@monorepo-utils/workspaces-to-typescript-project-references": "^2.10.3",
     "@octokit/rest": "^22.0.1",
-    "@types/node": "^22.19.17",
+    "@types/node": "^22.19.15",
     "@types/prompts": "^2.4.9",
-    "@typescript/native-preview": "beta",
+    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
     "@yarnpkg/types": "^4.0.1",
-    "eslint": "^10.2.0",
-    "eslint-plugin-perfectionist": "^5.8.0",
+    "cross-env": "^10.1.0",
+    "eslint": "^9.39.3",
+    "eslint-plugin-perfectionist": "^5.6.0",
     "eslint-plugin-typescript-paths": "^0.0.33",
+    "html-to-image": "^1.11.13",
     "husky": "^9.1.7",
-    "lage": "^2.15.5",
-    "lint-staged": "^16.4.0",
-    "minimatch": "^10.2.5",
+    "lage": "^2.14.19",
+    "lint-staged": "^16.3.2",
+    "minimatch": "^10.2.4",
     "npm-run-all": "^4.1.5",
-    "oxfmt": "^0.44.0",
-    "oxlint": "^1.59.0",
-    "oxlint-tsgolint": "^0.20.0",
+    "oxfmt": "^0.32.0",
+    "oxlint": "^1.51.0",
+    "oxlint-tsgolint": "^0.13.0",
     "p-limit": "^7.3.0",
     "prompts": "^2.4.2",
     "ts-node": "^10.9.2",
-    "typescript": "^6.0.2",
-    "vitest": "^4.1.2"
-  },
-  "dependenciesMeta": {
-    "bcrypt": {
-      "built": true
-    },
-    "better-sqlite3": {
-      "built": true
-    },
-    "electron": {
-      "built": true
-    },
-    "esbuild": {
-      "built": true
-    },
-    "sharp": {
-      "built": true
-    }
+    "typescript": "^5.9.3"
   },
   "resolutions": {
     "adm-zip": "patch:adm-zip@npm%3A0.5.16#~/.yarn/patches/adm-zip-npm-0.5.16-4556fea098.patch",
-    "minimatch@10.2.1": "10.2.5",
-    "minimatch@3.1.2": "3.1.5",
-    "minimatch@>=10.0.0 <11.0.0": "10.2.5",
-    "minimatch@>=3.0.0 <4.0.0": "3.1.5",
-    "minimatch@>=5.0.0 <6.0.0": "5.1.9",
-    "minimatch@>=9.0.0 <10.0.0": "9.0.9",
+    "axios": "1.14.0",
     "rollup": "4.40.1",
     "socks": ">=2.8.3"
   },
   "lint-staged": {
-    "packages/*/{package.json,tsconfig.json}": [
-      "ts-node ./bin/validate-publish-imports.ts --fix",
-      "yarn sync:tsconfig-references"
-    ],
     "*.{js,mjs,jsx,ts,tsx,md,json,yml,yaml}": [
       "oxfmt --no-error-on-unmatched-pattern"
     ],
@@ -135,5 +109,5 @@
     "node": ">=22",
     "yarn": "^4.9.1"
   },
-  "packageManager": "yarn@4.13.0"
+  "packageManager": "yarn@4.10.3"
 }

packages/api/README.md

@@ -3,7 +3,3 @@ npm install @actual-app/api
 ```
 
 View docs here: https://actualbudget.org/docs/api/
-
-## TypeScript
-
-`@actual-app/api` publishes TypeScript declarations. Consumers using TypeScript must set `moduleResolution` to `"bundler"`, `"nodenext"`, or `"node16"` in their `tsconfig.json`. Legacy `"node"` / `"node10"` / `"classic"` resolution is not supported in strict mode — the published declarations rely on package.json `exports` conditions that older resolvers don't honor.

packages/api/app/query.js

@@ -1,5 +1,5 @@
 class Query {
-  /** @type {import('@actual-app/core/shared/query').QueryState} */
+  /** @type {import('loot-core/shared/query').QueryState} */
   state;
 
   constructor(state) {

packages/api/methods.test.ts

@@ -1,15 +1,11 @@
 import * as fs from 'fs/promises';
 import * as path from 'path';
 
-import type { RuleEntity } from '@actual-app/core/types/models';
 import { vi } from 'vitest';
 
-import * as api from './index';
+import type { RuleEntity } from '@actual-app/core/types/models';
 
-declare global {
-  var IS_TESTING: boolean;
-  var currentMonth: string | null;
-}
+import * as api from './index';
 
 // In tests we run from source; loot-core's API fs uses __dirname (for the built dist/).
 // Mock the fs so path constants point at loot-core package root where migrations live.
@@ -516,29 +512,6 @@ describe('API CRUD operations', () => {
     );
   });
 
-  // apis: getNote, updateNote
-  test('Notes: successfully get and update note', async () => {
-    const categories = await api.getCategories();
-    const categoryId = categories[0].id;
-
-    // No note exists initially
-    const initial = await api.getNote(categoryId);
-    expect(initial).toBeNull();
-
-    // Set a note
-    await api.updateNote(categoryId, 'Test note content');
-    const afterSet = await api.getNote(categoryId);
-    expect(afterSet).toEqual({ id: categoryId, note: 'Test note content' });
-
-    // Update the note
-    await api.updateNote(categoryId, 'Updated note content');
-    const afterUpdate = await api.getNote(categoryId);
-    expect(afterUpdate).toEqual({
-      id: categoryId,
-      note: 'Updated note content',
-    });
-  });
-
   // apis: getRules, getPayeeRules, createRule, updateRule, deleteRule
   test('Rules: successfully update rules', async () => {
     await api.createPayee({ name: 'test-payee' });

packages/api/methods.ts

@@ -13,7 +13,6 @@ import type { ImportTransactionsOpts } from '@actual-app/core/types/api-handlers
 import type { Handlers } from '@actual-app/core/types/handlers';
 import type {
   ImportTransactionEntity,
-  NoteEntity,
   RuleEntity,
   TransactionEntity,
 } from '@actual-app/core/types/models';
@@ -204,8 +203,8 @@ export function getAccountBalance(id: APIAccountEntity['id'], cutoff?: Date) {
   return send('api/account-balance', { id, cutoff });
 }
 
-export function getCategoryGroups(options: { hidden?: boolean } = {}) {
-  return send('api/category-groups-get', options);
+export function getCategoryGroups() {
+  return send('api/category-groups-get');
 }
 
 export function createCategoryGroup(group: Omit<APICategoryGroupEntity, 'id'>) {
@@ -226,8 +225,8 @@ export function deleteCategoryGroup(
   return send('api/category-group-delete', { id, transferCategoryId });
 }
 
-export function getCategories(options: { hidden?: boolean } = {}) {
-  return send('api/categories-get', { grouped: false, ...options });
+export function getCategories() {
+  return send('api/categories-get', { grouped: false });
 }
 
 export function createCategory(category: Omit<APICategoryEntity, 'id'>) {
@@ -248,14 +247,6 @@ export function deleteCategory(
   return send('api/category-delete', { id, transferCategoryId });
 }
 
-export function getNote(id: NoteEntity['id']) {
-  return send('api/note-get', { id });
-}
-
-export function updateNote(id: NoteEntity['id'], note: NoteEntity['note']) {
-  return send('api/note-update', { id, note });
-}
-
 export function getCommonPayees() {
   return send('api/common-payees-get');
 }

packages/api/models.ts

@@ -1 +0,0 @@
-export type * from '@actual-app/core/server/api-models';

packages/api/package.json

@@ -1,31 +1,18 @@
 {
   "name": "@actual-app/api",
-  "version": "26.5.2",
+  "version": "26.3.0",
   "description": "An API for Actual",
   "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/actualbudget/actual.git",
-    "directory": "packages/api"
-  },
   "files": [
     "@types",
-    "dist",
-    "!@types/**/*.test.d.ts",
-    "!@types/**/*.test.d.ts.map"
+    "dist"
   ],
   "main": "dist/index.js",
   "types": "@types/index.d.ts",
   "exports": {
     ".": {
-      "types": "./@types/index.d.ts",
       "development": "./index.ts",
       "default": "./dist/index.js"
-    },
-    "./models": {
-      "types": "./@types/models.d.ts",
-      "development": "./models.ts",
-      "default": "./dist/models.js"
     }
   },
   "publishConfig": {
@@ -33,32 +20,29 @@
       ".": {
         "types": "./@types/index.d.ts",
         "default": "./dist/index.js"
-      },
-      "./models": {
-        "types": "./@types/models.d.ts",
-        "default": "./dist/models.js"
       }
     }
   },
   "scripts": {
-    "build": "vite build && tsgo --emitDeclarationOnly",
+    "build": "vite build",
     "test": "vitest --run",
     "typecheck": "tsgo -b && tsc-strict"
   },
   "dependencies": {
     "@actual-app/core": "workspace:*",
     "@actual-app/crdt": "workspace:*",
-    "better-sqlite3": "^12.8.0",
+    "better-sqlite3": "^12.6.2",
     "compare-versions": "^6.1.1",
-    "uuid": "^14.0.0"
+    "uuid": "^13.0.0"
   },
   "devDependencies": {
-    "@typescript/native-preview": "beta",
-    "rollup-plugin-visualizer": "^7.0.1",
+    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
+    "rollup-plugin-visualizer": "^6.0.11",
     "typescript-strict-plugin": "^2.4.4",
-    "vite": "^8.0.5",
+    "vite": "^8.0.0",
+    "vite-plugin-dts": "^4.5.4",
     "vite-plugin-peggy-loader": "^2.0.1",
-    "vitest": "^4.1.2"
+    "vitest": "^4.1.0"
   },
   "engines": {
     "node": ">=20"

packages/api/tsconfig.json

@@ -7,7 +7,6 @@
     "target": "ES2021",
     "module": "es2022",
     "moduleResolution": "bundler",
-    "customConditions": ["api"],
     "noEmit": false,
     "declaration": true,
     "declarationMap": true,
@@ -15,27 +14,9 @@
     "rootDir": ".",
     "declarationDir": "@types",
     "tsBuildInfoFile": "dist/.tsbuildinfo",
-    "plugins": [
-      {
-        "name": "typescript-strict-plugin",
-        "paths": ["."]
-      }
-    ]
+    "plugins": [{ "name": "typescript-strict-plugin", "paths": ["."] }]
   },
-  "references": [
-    {
-      "path": "../loot-core"
-    },
-    {
-      "path": "../crdt"
-    }
-  ],
+  "references": [{ "path": "../crdt" }, { "path": "../loot-core" }],
   "include": ["."],
-  "exclude": [
-    "**/node_modules/*",
-    "dist",
-    "@types",
-    "*.config.ts",
-    "*.config.mts"
-  ]
+  "exclude": ["**/node_modules/*", "dist", "@types", "*.test.ts", "*.config.ts"]
 }

packages/api/vite.config.ts

@@ -3,6 +3,7 @@ import path from 'path';
 
 import { visualizer } from 'rollup-plugin-visualizer';
 import { defineConfig } from 'vite';
+import dts from 'vite-plugin-dts';
 import peggyLoader from 'vite-plugin-peggy-loader';
 
 const lootCoreRoot = path.resolve(__dirname, '../loot-core');
@@ -54,11 +55,7 @@ function copyMigrationsAndDefaultDb() {
 }
 
 export default defineConfig({
-  ssr: {
-    noExternal: true,
-    external: ['better-sqlite3'],
-    resolve: { conditions: ['api'] },
-  },
+  ssr: { noExternal: true, external: ['better-sqlite3'] },
   build: {
     ssr: true,
     target: 'node20',
@@ -66,31 +63,27 @@ export default defineConfig({
     emptyOutDir: true,
     sourcemap: true,
     lib: {
-      entry: {
-        index: path.resolve(__dirname, 'index.ts'),
-        models: path.resolve(__dirname, 'models.ts'),
-      },
+      entry: path.resolve(__dirname, 'index.ts'),
       formats: ['cjs'],
-      fileName: (_format, entryName) => `${entryName}.js`,
+      fileName: () => 'index.js',
     },
   },
   plugins: [
     cleanOutputDirs(),
     peggyLoader(),
+    dts({
+      tsconfigPath: path.resolve(__dirname, 'tsconfig.json'),
+      outDir: path.resolve(__dirname, '@types'),
+      rollupTypes: true,
+    }),
     copyMigrationsAndDefaultDb(),
     visualizer({ template: 'raw-data', filename: 'app/stats.json' }),
   ],
   resolve: {
-    conditions: ['api'],
+    extensions: ['.api.ts', '.js', '.ts', '.tsx', '.json'],
   },
   test: {
     globals: true,
-    // Each test loads a budget file and runs all DB migrations, which can be
-    // slow on busy CI runners; the default 5s timeout is too tight and causes
-    // flaky timeouts (and a cascade of unhandled rejections from in-flight work
-    // continuing after teardown).
-    testTimeout: 20_000,
-    hookTimeout: 20_000,
     onConsoleLog(log: string, type: 'stdout' | 'stderr'): boolean | void {
       // print only console.error
       return type === 'stderr';

packages/ci-actions/bin/release-notes-check.mjs

@@ -1,68 +0,0 @@
-import * as fs from 'node:fs';
-
-import matter from 'gray-matter';
-
-import {
-  categoryAutocorrections,
-  categoryOrder,
-} from '../src/release-notes/util.mjs';
-
-console.log('Looking in ' + fs.realpathSync('upcoming-release-notes'));
-
-const expectedPath = `upcoming-release-notes/${process.env.PR_NUMBER}.md`;
-
-function reportError(message) {
-  console.log(`::error::${message}`);
-
-  process.stdout.write('::notice::');
-  fs.createReadStream('upcoming-release-notes/README.md').pipe(process.stdout);
-
-  fs.createReadStream('upcoming-release-notes/README.md')
-    .pipe(fs.createWriteStream(process.env.GITHUB_STEP_SUMMARY))
-    .on('close', () => {
-      process.exit(1);
-    });
-}
-
-(() => {
-  if (!fs.existsSync(expectedPath)) {
-    reportError(`Release note file ${expectedPath} not found`);
-    return;
-  }
-
-  const { data, content } = matter(fs.readFileSync(expectedPath, 'utf-8'));
-
-  if (!data.category) {
-    reportError(`Release note is missing a category.`);
-    return;
-  }
-  if (categoryAutocorrections[data.category]) {
-    data.category = categoryAutocorrections[data.category];
-  }
-  if (!categoryOrder.includes(data.category)) {
-    reportError(
-      `Release note category "${data.category}" is not one of ${categoryOrder
-        .map(JSON.stringify)
-        .join(', ')}`,
-    );
-    return;
-  }
-
-  if (!data.authors) {
-    reportError(`Release note is missing authors.`);
-    return;
-  }
-  if (!Array.isArray(data.authors)) {
-    reportError(`Release note authors should be a list.`);
-    return;
-  }
-
-  if (content.trim().split('\n').length !== 1) {
-    reportError(
-      `Release note file ${expectedPath} body should contain exactly one line`,
-    );
-    return;
-  }
-
-  console.log('Everything looks good! \u{1f389}');
-})();

packages/ci-actions/bin/release-notes-generate.mjs

@@ -1,312 +0,0 @@
-import * as childProcess from 'node:child_process';
-import * as fs from 'node:fs/promises';
-import { join } from 'node:path';
-import { inspect, promisify } from 'node:util';
-
-import matter from 'gray-matter';
-import listify from 'listify';
-
-import {
-  categoryAutocorrections,
-  categoryOrder,
-} from '../src/release-notes/util.mjs';
-
-const exec = promisify(childProcess.exec);
-
-const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
-
-const apiResult = await fetch('https://api.github.com/graphql', {
-  method: 'POST',
-  headers: {
-    Authorization: `bearer ${process.env.GITHUB_TOKEN}`,
-    'Content-Type': 'application/json',
-  },
-  body: JSON.stringify({
-    query: /* GraphQL */ `
-      query GetPRMetadata(
-        $name: String!
-        $owner: String!
-        $headRefName: String!
-      ) {
-        repository(name: $name, owner: $owner) {
-          pullRequests(headRefName: $headRefName, first: 1) {
-            edges {
-              node {
-                number
-                headRefName
-                body
-              }
-            }
-          }
-        }
-      }
-    `,
-    variables: {
-      name: repo,
-      owner,
-      headRefName: process.env.GITHUB_HEAD_REF || process.env.GITHUB_REF_NAME,
-    },
-  }),
-}).then(res => res.json());
-
-await collapsedLog('API Response', apiResult);
-
-const prData = apiResult.data.repository.pullRequests.edges[0].node;
-
-const version = prData.headRefName.split('/')[1].replace(/^v/, '');
-const slug = version.replace(/\./g, '-');
-const author = process.env.GITHUB_ACTOR || 'TODO';
-const commitMessage = `Generate release notes for v${version}`;
-
-const releaseDateMatch = (prData.body || '').match(
-  /<!-- release-date:(\d{4}-\d{2}-\d{2}) -->/,
-);
-const releaseDate = releaseDateMatch ? releaseDateMatch[1] : 'TODO';
-
-const botName = 'github-actions[bot]';
-const botEmail = '41898282+github-actions[bot]@users.noreply.github.com';
-
-await exec(`git config user.name '${botName}'`);
-await exec(`git config user.email '${botEmail}'`);
-
-const AUTOGEN_MARKER = '<!-- release-notes:auto-generated -->';
-
-await group('Prepare branch', async () => {
-  if (process.env.GITHUB_HEAD_REF) {
-    await exec(`git fetch origin ${process.env.GITHUB_HEAD_REF}`, {
-      stdio: 'inherit',
-    });
-    await exec(`git checkout ${process.env.GITHUB_HEAD_REF}`, {
-      stdio: 'inherit',
-    });
-  }
-
-  // recover deleted release note files from previous generation commits
-  const baseRef = process.env.GITHUB_BASE_REF || 'master';
-  await exec(`git fetch origin ${baseRef}`, { stdio: 'inherit' });
-  const { stdout: mergeBase } = await exec(
-    `git merge-base HEAD origin/${baseRef}`,
-  );
-  const base = mergeBase.trim();
-  const { stdout: genLog } = await exec(
-    `git log --grep='${commitMessage}' --format=%H ${base}..HEAD`,
-  );
-  const genCommits = genLog.split('\n').filter(Boolean);
-  console.log(
-    `Reversing upcoming-release-notes deletions from ${genCommits.length} prior generation commit(s)`,
-  );
-  const tmpDir = process.env.RUNNER_TEMP || '/tmp';
-  for (const sha of genCommits) {
-    const patchPath = join(tmpDir, `revert-${sha}.patch`);
-    try {
-      await exec(
-        `git diff --diff-filter=D ${sha}~1..${sha} -- upcoming-release-notes > ${patchPath}`,
-      );
-      const { size } = await fs.stat(patchPath);
-      if (size > 0) {
-        await exec(`git apply -R --3way ${patchPath}`, { stdio: 'inherit' });
-      }
-    } finally {
-      await fs.unlink(patchPath).catch(() => undefined);
-    }
-  }
-});
-
-const { notesByCategory, files } = await parseReleaseNotes(
-  'upcoming-release-notes',
-);
-const categorizedNotes = formatNotes(notesByCategory);
-
-await collapsedLog('Release Notes', categorizedNotes);
-
-if (files.length === 0) {
-  console.log('No release notes found, nothing to generate');
-  process.exit(0);
-}
-
-const highlights = '- TODO: Add release highlights';
-
-const blogPath = join(
-  'packages/docs/blog',
-  `${releaseDate}-release-${slug}.md`,
-);
-const releasesPath = 'packages/docs/docs/releases.md';
-
-await group('Generate blog post', async () => {
-  const template = `---
-title: Release ${version}
-description: New release of Actual.
-date: ${releaseDate}T10:00
-slug: release-${version}
-tags: [announcement, release]
-hide_table_of_contents: false
-authors: ${author}
----
-
-${highlights}
-
-<!--truncate-->
-
-**Docker Tag: ${version}**
-
-${AUTOGEN_MARKER}
-
-${categorizedNotes}
-`;
-
-  let blogContent;
-  try {
-    const existing = await fs.readFile(blogPath, 'utf-8');
-    const idx = existing.indexOf(AUTOGEN_MARKER);
-    if (idx === -1) {
-      console.log(
-        `WARNING: ${blogPath} missing ${AUTOGEN_MARKER}, rewriting from template`,
-      );
-      blogContent = template;
-    } else {
-      blogContent =
-        existing.slice(0, idx + AUTOGEN_MARKER.length) +
-        '\n' +
-        categorizedNotes +
-        '\n';
-    }
-  } catch (e) {
-    if (e.code !== 'ENOENT') throw e;
-    blogContent = template;
-  }
-
-  await fs.writeFile(blogPath, blogContent);
-  console.log(`Wrote ${blogPath}`);
-});
-
-await group('Update releases.md', async () => {
-  const existing = await fs.readFile(releasesPath, 'utf-8');
-
-  const sectionRe = new RegExp(
-    `(^|\\n)## ${escapeRegExp(version)}\\n[\\s\\S]*?(?=\\n## |$)`,
-  );
-  const match = existing.match(sectionRe);
-
-  let updated;
-  if (match) {
-    const section = match[0];
-    const idx = section.indexOf(AUTOGEN_MARKER);
-    if (idx === -1) {
-      console.log(
-        `WARNING: section for ${version} in ${releasesPath} missing ${AUTOGEN_MARKER}, leaving as-is`,
-      );
-      updated = existing;
-    } else {
-      const newSection =
-        section.slice(0, idx + AUTOGEN_MARKER.length) + '\n' + categorizedNotes;
-      updated = existing.replace(section, newSection);
-    }
-  } else {
-    const newSection = `## ${version}
-
-Release date: ${releaseDate}
-
-${highlights}
-
-**Docker Tag: ${version}**
-
-${AUTOGEN_MARKER}
-
-${categorizedNotes}`;
-    updated = existing.replace(
-      '# Release Notes\n',
-      `# Release Notes\n\n${newSection}\n`,
-    );
-  }
-
-  await fs.writeFile(releasesPath, updated);
-  console.log(`Updated ${releasesPath}`);
-});
-
-await group('Remove used release notes', async () => {
-  await Promise.all(
-    files.map(f => fs.unlink(join('upcoming-release-notes', f))),
-  );
-});
-
-await group('Format generated files', async () => {
-  await exec(`yarn exec oxfmt ${blogPath} ${releasesPath}`, {
-    stdio: 'inherit',
-  });
-});
-
-await group('Commit and push', async () => {
-  await exec(
-    'git add upcoming-release-notes packages/docs/blog packages/docs/docs/releases.md',
-    { stdio: 'inherit' },
-  );
-
-  try {
-    await exec('git diff --cached --quiet');
-    console.log('No changes to commit');
-    return;
-  } catch {
-    // there are staged changes
-  }
-
-  await exec(`git commit -m '${commitMessage}'`);
-  await exec('git push origin', { stdio: 'inherit' });
-});
-
-async function parseReleaseNotes(dir) {
-  const files = (await fs.readdir(dir)).filter(f => f.match(/^\d+\.md$/));
-  const notes = files.map(async name => {
-    const content = await fs.readFile(join(dir, name), 'utf-8');
-    const { data, content: body } = matter(content);
-    const number = name.replace('.md', '');
-    const authors = listify(
-      data.authors.map(a => `@${a}`),
-      { finalWord: '&' },
-    );
-    return {
-      category: categoryAutocorrections[data.category] ?? data.category,
-      value: `- [#${number}](https://github.com/actualbudget/${repo}/pull/${number}) ${body.trim()} — thanks ${authors}`,
-    };
-  });
-
-  const notesByCategory = (await Promise.all(notes)).reduce(
-    (acc, note) => {
-      if (!acc[note.category]) {
-        console.log(`WARNING: Unrecognized category "${note.category}"`);
-        acc[note.category] = [];
-      }
-      acc[note.category].push(note.value);
-      return acc;
-    },
-    Object.fromEntries(categoryOrder.map(c => [c, []])),
-  );
-
-  return { notesByCategory, files };
-}
-
-function escapeRegExp(str) {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-
-function formatNotes(notes) {
-  return Object.entries(notes)
-    .filter(([_, values]) => values.length > 0)
-    .map(([category, values]) => `#### ${category}\n\n${values.join('\n')}`)
-    .join('\n\n');
-}
-
-async function collapsedLog(name, value) {
-  await group(name, () => {
-    if (typeof value === 'string') {
-      console.log(value);
-    } else {
-      console.log(inspect(value, { depth: null }));
-    }
-  });
-}
-
-async function group(name, cb) {
-  console.log(`::group::${name}`);
-  await cb();
-  console.log('::endgroup::');
-}

packages/ci-actions/package.json

@@ -8,12 +8,9 @@
     "typecheck": "tsgo -b"
   },
   "devDependencies": {
-    "@octokit/rest": "^22.0.1",
-    "@typescript/native-preview": "beta",
+    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
     "extensionless": "^2.0.6",
-    "gray-matter": "^4.0.3",
-    "listify": "^1.0.3",
-    "vitest": "^4.1.2"
+    "vitest": "^4.1.0"
   },
   "extensionless": {
     "lookFor": [

packages/ci-actions/src/release-notes/util.mjs

@@ -1,12 +0,0 @@
-export const categoryAutocorrections = {
-  Feature: 'Features',
-  Enhancement: 'Enhancements',
-  Bugfix: 'Bugfixes',
-};
-
-export const categoryOrder = [
-  'Features',
-  'Enhancements',
-  'Bugfixes',
-  'Maintenance',
-];

packages/ci-actions/src/versions/get-next-package-version.ts

@@ -60,7 +60,7 @@ function resolveType(
     currentDate.getFullYear() === 2000 + versionYear &&
     currentDate.getMonth() + 1 === versionMonth;
 
-  if (inPatchMonth && currentDate.getDate() < 25) {
+  if (inPatchMonth && currentDate.getDate() <= 25) {
     return 'hotfix';
   }
 

packages/cli/README.md

@@ -43,16 +43,13 @@ Configuration is resolved in this order (highest priority first):
 
 ### Environment Variables
 
-| Variable               | Description                                           |
-| ---------------------- | ----------------------------------------------------- |
-| `ACTUAL_SERVER_URL`    | URL of the Actual sync server (required)              |
-| `ACTUAL_PASSWORD`      | Server password (required unless using token)         |
-| `ACTUAL_SESSION_TOKEN` | Session token (alternative to password)               |
-| `ACTUAL_SYNC_ID`       | Budget Sync ID (required for most commands)           |
-| `ACTUAL_DATA_DIR`      | Local directory for cached budget data                |
-| `ACTUAL_CACHE_TTL`     | Cache TTL in seconds (default: 60)                    |
-| `ACTUAL_LOCK_TIMEOUT`  | Budget-dir lock wait timeout in seconds (default: 10) |
-| `ACTUAL_NO_LOCK`       | Set to `1` to disable budget-dir locking              |
+| Variable               | Description                                   |
+| ---------------------- | --------------------------------------------- |
+| `ACTUAL_SERVER_URL`    | URL of the Actual sync server (required)      |
+| `ACTUAL_PASSWORD`      | Server password (required unless using token) |
+| `ACTUAL_SESSION_TOKEN` | Session token (alternative to password)       |
+| `ACTUAL_SYNC_ID`       | Budget Sync ID (required for most commands)   |
+| `ACTUAL_DATA_DIR`      | Local directory for cached budget data        |
 
 ### Config File
 
@@ -62,10 +59,7 @@ Create an `.actualrc.json` (or `.actualrc`, `.actualrc.yaml`, `actual.config.js`
 {
   "serverUrl": "http://localhost:5006",
   "password": "your-password",
-  "syncId": "1cfdbb80-6274-49bf-b0c2-737235a4c81f",
-  "cacheTtl": 60,
-  "lockTimeout": 10,
-  "noLock": false
+  "syncId": "1cfdbb80-6274-49bf-b0c2-737235a4c81f"
 }
 ```
 
@@ -80,11 +74,6 @@ Create an `.actualrc.json` (or `.actualrc`, `.actualrc.yaml`, `actual.config.js`
 | `--session-token <token>` | Session token                                   |
 | `--sync-id <id>`          | Budget Sync ID                                  |
 | `--data-dir <path>`       | Data directory                                  |
-| `--cache-ttl <seconds>`   | Cache TTL; `0` disables caching (default: 60)   |
-| `--refresh`               | Force a sync on this call, ignoring the cache   |
-| `--no-cache`              | Alias for `--refresh`                           |
-| `--lock-timeout <secs>`   | Lock wait timeout (default: 10)                 |
-| `--no-lock`               | Disable budget-dir locking (use with care)      |
 | `--format <format>`       | Output format: `json` (default), `table`, `csv` |
 | `--verbose`               | Show informational messages                     |
 
@@ -103,15 +92,14 @@ Create an `.actualrc.json` (or `.actualrc`, `.actualrc.yaml`, `actual.config.js`
 | `schedules`       | Manage scheduled transactions  |
 | `query`           | Run an ActualQL query          |
 | `server`          | Server utilities and lookups   |
-| `sync`            | Refresh or inspect local cache |
 
 Run `actual <command> --help` for subcommands and options.
 
 ### Examples
 
 ```bash
-# List all accounts (as a table; excludes closed by default)
-actual accounts list [--include-closed] --format table
+# List all accounts (as a table)
+actual accounts list --format table
 
 # Find an entity ID by name
 actual server get-id --type accounts --name "Checking"
@@ -134,45 +122,13 @@ actual query run --table transactions \
 
 ### Amount Convention
 
-All monetary amounts are **integer cents** when passed as input (flags, JSON):
+All monetary amounts are **integer cents**:
 
 | CLI Value | Dollar Amount |
 | --------- | ------------- |
 | `5000`    | $50.00        |
 | `-12350`  | -$123.50      |
 
-**Output formatting:** Table (`--format table`) and CSV (`--format csv`) output automatically converts cent values to decimal (e.g. `1665.00` instead of `166500`). JSON output always returns raw cents for programmatic use.
-
-### Tips & Common Pitfalls
-
-- **Split transactions:** When summing or counting transactions, filter `"is_parent": false` to avoid double-counting. A split parent holds the total amount, and its children hold the individual parts — including both would count the total twice.
-
-- **Rapid sequential requests:** The CLI caches the budget locally (see [Caching](#caching)), so read-heavy scripts no longer need a single-query workaround by default. For very chatty scripts, run `actual sync` once and then use a long `--cache-ttl` for reads:
-
-  ```bash
-  actual sync
-  actual --cache-ttl 3600 query run ...
-  actual --cache-ttl 3600 accounts list
-  ```
-
-- **Uncategorized transactions:** `category.name` is `null` for transactions without a category. Account for this when filtering or grouping by category.
-
-- **No date sub-fields in AQL:** `date.month`, `date.year`, etc. are not supported as query fields. To group by month, fetch raw transactions with a date range filter and aggregate locally in a script.
-
-## Caching
-
-The CLI keeps a local copy of your budget so repeated commands don't hit the sync server on every call. Within the TTL (default `60` seconds), read commands (`list`, `balance`, `query run`, …) reuse the cached budget without a network round-trip. Write commands (`add`, `update`, `set-amount`, …) always sync with the server before and after the write.
-
-- `actual sync` — refresh the cache now.
-- `actual sync --status` — show how stale the local cache is.
-- `actual sync --clear` — delete the local cache; the next command re-downloads.
-- `--refresh` (or `--no-cache`) — force a sync on a single call.
-- `--cache-ttl <seconds>` — override the TTL for a single call (use `0` to disable caching).
-
-### Concurrency
-
-The CLI takes a shared lock for reads and an exclusive lock for writes on the per-budget cache directory. Many parallel reads are safe; writes serialize. If another CLI process is holding the lock, subsequent invocations wait up to `--lock-timeout` seconds (default `10`) before failing with an error. Pass `--no-lock` to opt out in trusted single-process setups.
-
 ## Running Locally (Development)
 
 If you're working on the CLI within the monorepo:

packages/cli/package.json

@@ -1,13 +1,8 @@
 {
   "name": "@actual-app/cli",
-  "version": "26.5.2",
+  "version": "26.3.0",
   "description": "CLI for Actual Budget",
   "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/actualbudget/actual.git",
-    "directory": "packages/cli"
-  },
   "bin": {
     "actual": "./dist/cli.js",
     "actual-cli": "./dist/cli.js"
@@ -16,16 +11,6 @@
     "dist"
   ],
   "type": "module",
-  "imports": {
-    "#cache": "./src/cache.ts",
-    "#commands/*": "./src/commands/*.ts",
-    "#config": "./src/config.ts",
-    "#connection": "./src/connection.ts",
-    "#input": "./src/input.ts",
-    "#lock": "./src/lock.ts",
-    "#output": "./src/output.ts",
-    "#utils": "./src/utils.ts"
-  },
   "scripts": {
     "build": "vite build",
     "test": "vitest --run",
@@ -34,17 +19,15 @@
   "dependencies": {
     "@actual-app/api": "workspace:*",
     "cli-table3": "^0.6.5",
-    "commander": "^14.0.3",
-    "cosmiconfig": "^9.0.1",
-    "proper-lockfile": "^4.1.2"
+    "commander": "^13.0.0",
+    "cosmiconfig": "^9.0.0"
   },
   "devDependencies": {
-    "@types/node": "^22.19.17",
-    "@types/proper-lockfile": "^4",
-    "@typescript/native-preview": "beta",
-    "rollup-plugin-visualizer": "^7.0.1",
-    "vite": "^8.0.5",
-    "vitest": "^4.1.2"
+    "@types/node": "^22.19.15",
+    "@typescript/native-preview": "^7.0.0-dev.20260309.1",
+    "rollup-plugin-visualizer": "^6.0.11",
+    "vite": "^8.0.0",
+    "vitest": "^4.1.0"
   },
   "engines": {
     "node": ">=22"

packages/cli/src/cache.test.ts

@@ -1,206 +0,0 @@
-import {
-  existsSync,
-  mkdtempSync,
-  readFileSync,
-  rmSync,
-  writeFileSync,
-} from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-
-import {
-  CACHE_FILE_NAME,
-  decideSyncAction,
-  readCacheState,
-  writeCacheState,
-} from './cache';
-
-describe('readCacheState', () => {
-  let dir: string;
-
-  beforeEach(() => {
-    dir = mkdtempSync(join(tmpdir(), 'actual-cli-cache-'));
-  });
-
-  afterEach(() => {
-    rmSync(dir, { recursive: true, force: true });
-  });
-
-  it('returns null when the file does not exist', () => {
-    expect(readCacheState(dir)).toBeNull();
-  });
-
-  it('returns null when the file is corrupt', () => {
-    writeFileSync(join(dir, CACHE_FILE_NAME), 'not json');
-    expect(readCacheState(dir)).toBeNull();
-  });
-
-  it('returns null when the file has the wrong version', () => {
-    writeFileSync(
-      join(dir, CACHE_FILE_NAME),
-      JSON.stringify({
-        version: 999,
-        syncId: 'a',
-        budgetId: 'b',
-        serverUrl: 'c',
-        lastSyncedAt: 1,
-        lastDownloadedAt: 1,
-      }),
-    );
-    expect(readCacheState(dir)).toBeNull();
-  });
-
-  it('returns the parsed state when the file is valid', () => {
-    writeFileSync(
-      join(dir, CACHE_FILE_NAME),
-      JSON.stringify({
-        version: 1,
-        syncId: 'a',
-        budgetId: 'b',
-        serverUrl: 'c',
-        lastSyncedAt: 1234,
-        lastDownloadedAt: 5678,
-      }),
-    );
-    expect(readCacheState(dir)).toEqual({
-      version: 1,
-      syncId: 'a',
-      budgetId: 'b',
-      serverUrl: 'c',
-      lastSyncedAt: 1234,
-      lastDownloadedAt: 5678,
-    });
-  });
-});
-
-describe('writeCacheState', () => {
-  let dir: string;
-
-  beforeEach(() => {
-    dir = mkdtempSync(join(tmpdir(), 'actual-cli-cache-'));
-  });
-
-  afterEach(() => {
-    rmSync(dir, { recursive: true, force: true });
-  });
-
-  it('writes the state to the cache file', () => {
-    writeCacheState(dir, {
-      version: 1,
-      syncId: 'a',
-      budgetId: 'b',
-      serverUrl: 'c',
-      lastSyncedAt: 1,
-      lastDownloadedAt: 1,
-    });
-    const raw = readFileSync(join(dir, CACHE_FILE_NAME), 'utf-8');
-    expect(JSON.parse(raw).syncId).toBe('a');
-  });
-
-  it('is atomic: removes the tmp file after rename', () => {
-    writeCacheState(dir, {
-      version: 1,
-      syncId: 'a',
-      budgetId: 'b',
-      serverUrl: 'c',
-      lastSyncedAt: 1,
-      lastDownloadedAt: 1,
-    });
-    expect(existsSync(join(dir, `${CACHE_FILE_NAME}.tmp`))).toBe(false);
-  });
-
-  it('does not throw when the filesystem refuses the write', () => {
-    // Force ENOTDIR by pointing writeCacheState at a path whose parent is a
-    // regular file — no OS-specific pseudo-filesystem semantics needed.
-    const file = join(dir, 'not-a-dir');
-    writeFileSync(file, '');
-    expect(() =>
-      writeCacheState(join(file, 'nested'), {
-        version: 1,
-        syncId: 'a',
-        budgetId: 'b',
-        serverUrl: 'c',
-        lastSyncedAt: 1,
-        lastDownloadedAt: 1,
-      }),
-    ).not.toThrow();
-  });
-});
-
-describe('decideSyncAction', () => {
-  const base = {
-    state: {
-      version: 1 as const,
-      syncId: 'sync-1',
-      budgetId: 'bud-1',
-      serverUrl: 'http://s',
-      lastSyncedAt: 1_000_000,
-      lastDownloadedAt: 1_000_000,
-    },
-    config: { syncId: 'sync-1', serverUrl: 'http://s' },
-    now: 1_000_000,
-    ttlMs: 60_000,
-    mutates: false,
-    refresh: false,
-    encrypted: false,
-  };
-
-  it('returns "download" when state is null', () => {
-    expect(decideSyncAction({ ...base, state: null }).action).toBe('download');
-  });
-
-  it('returns "download" when syncId changed', () => {
-    expect(
-      decideSyncAction({
-        ...base,
-        config: { ...base.config, syncId: 'other' },
-      }).action,
-    ).toBe('download');
-  });
-
-  it('returns "download" when serverUrl changed', () => {
-    expect(
-      decideSyncAction({
-        ...base,
-        config: { ...base.config, serverUrl: 'http://other' },
-      }).action,
-    ).toBe('download');
-  });
-
-  it('returns "skip" for a read within the TTL', () => {
-    expect(decideSyncAction({ ...base, now: 1_000_000 + 30_000 }).action).toBe(
-      'skip',
-    );
-  });
-
-  it('returns "sync" for a read past the TTL', () => {
-    expect(decideSyncAction({ ...base, now: 1_000_000 + 61_000 }).action).toBe(
-      'sync',
-    );
-  });
-
-  it('returns "sync" for a write even when fresh', () => {
-    expect(decideSyncAction({ ...base, mutates: true }).action).toBe('sync');
-  });
-
-  it('returns "sync" when refresh is true', () => {
-    expect(decideSyncAction({ ...base, refresh: true }).action).toBe('sync');
-  });
-
-  it('returns "sync" when ttlMs is 0', () => {
-    expect(decideSyncAction({ ...base, ttlMs: 0 }).action).toBe('sync');
-  });
-
-  it('returns "sync" for encrypted budgets within the TTL', () => {
-    expect(decideSyncAction({ ...base, encrypted: true }).action).toBe('sync');
-  });
-
-  it('treats clock skew (negative age) as stale', () => {
-    expect(decideSyncAction({ ...base, now: 999_999 }).action).toBe('sync');
-  });
-
-  it('carries cached state on non-download actions', () => {
-    const decision = decideSyncAction({ ...base, mutates: true });
-    expect(decision).toEqual({ action: 'sync', state: base.state });
-  });
-});

packages/cli/src/cache.ts

@@ -1,107 +0,0 @@
-import { randomBytes } from 'node:crypto';
-import { mkdirSync, readFileSync, renameSync, writeFileSync } from 'node:fs';
-import { join } from 'node:path';
-
-import { isRecord } from './utils';
-
-export const CACHE_FILE_NAME = 'state.json';
-export const CACHE_VERSION = 1;
-export const META_ROOT_DIR = '.actual-cli';
-
-export type CacheState = {
-  version: typeof CACHE_VERSION;
-  syncId: string;
-  budgetId: string;
-  serverUrl: string;
-  lastSyncedAt: number;
-  lastDownloadedAt: number;
-};
-
-export function getMetaDir(dataDir: string, syncId: string): string {
-  return join(dataDir, META_ROOT_DIR, syncId);
-}
-
-function cachePath(metaDir: string): string {
-  return join(metaDir, CACHE_FILE_NAME);
-}
-
-function isCacheState(value: unknown): value is CacheState {
-  if (!isRecord(value)) return false;
-  return (
-    value.version === CACHE_VERSION &&
-    typeof value.syncId === 'string' &&
-    typeof value.budgetId === 'string' &&
-    typeof value.serverUrl === 'string' &&
-    typeof value.lastSyncedAt === 'number' &&
-    typeof value.lastDownloadedAt === 'number'
-  );
-}
-
-export function readCacheState(metaDir: string): CacheState | null {
-  let raw: string;
-  try {
-    raw = readFileSync(cachePath(metaDir), 'utf-8');
-  } catch {
-    return null;
-  }
-  let parsed: unknown;
-  try {
-    parsed = JSON.parse(raw);
-  } catch {
-    return null;
-  }
-  return isCacheState(parsed) ? parsed : null;
-}
-
-export function writeCacheState(metaDir: string, state: CacheState): void {
-  try {
-    mkdirSync(metaDir, { recursive: true });
-    const target = cachePath(metaDir);
-    // Unique tmp name per writer: concurrent shared-lock commands (encrypted
-    // budgets, --refresh, stale TTL) can both publish, and a shared tmp path
-    // lets the second writer's truncate destroy the first writer's bytes
-    // before either renames into place.
-    const tmp = `${target}.${process.pid}-${randomBytes(4).toString('hex')}.tmp`;
-    writeFileSync(tmp, JSON.stringify(state));
-    renameSync(tmp, target);
-  } catch {
-    // Cache persistence is best-effort. A read-only or unreachable dir must
-    // not crash the CLI; the next invocation simply won't find a cache.
-  }
-}
-
-export type SyncDecision =
-  | { action: 'download' }
-  | { action: 'skip'; state: CacheState }
-  | { action: 'sync'; state: CacheState };
-
-export type DecideSyncArgs = {
-  state: CacheState | null;
-  config: { syncId: string; serverUrl: string };
-  now: number;
-  ttlMs: number;
-  mutates: boolean;
-  refresh: boolean;
-  encrypted: boolean;
-};
-
-export function decideSyncAction({
-  state,
-  config,
-  now,
-  ttlMs,
-  mutates,
-  refresh,
-  encrypted,
-}: DecideSyncArgs): SyncDecision {
-  if (state === null) return { action: 'download' };
-  if (state.syncId !== config.syncId) return { action: 'download' };
-  if (state.serverUrl !== config.serverUrl) return { action: 'download' };
-  if (mutates || refresh || ttlMs === 0 || encrypted) {
-    return { action: 'sync', state };
-  }
-  const age = now - state.lastSyncedAt;
-  if (age < 0) return { action: 'sync', state };
-  if (age < ttlMs) return { action: 'skip', state };
-  return { action: 'sync', state };
-}

packages/cli/src/commands/accounts.test.ts

@@ -1,7 +1,7 @@
 import * as api from '@actual-app/api';
 import { Command } from 'commander';
 
-import { printOutput } from '#output';
+import { printOutput } from '../output';
 
 import { registerAccountsCommand } from './accounts';
 
@@ -15,11 +15,11 @@ vi.mock('@actual-app/api', () => ({
   getAccountBalance: vi.fn().mockResolvedValue(10000),
 }));
 
-vi.mock('#connection', () => ({
+vi.mock('../connection', () => ({
   withConnection: vi.fn((_opts, fn) => fn()),
 }));
 
-vi.mock('#output', () => ({
+vi.mock('../output', () => ({
   printOutput: vi.fn(),
 }));
 
@@ -62,28 +62,14 @@ describe('accounts commands', () => {
   });
 
   describe('list', () => {
-    it('calls api.getAccounts and prints result with computed balance', async () => {
-      const accounts = [
-        { id: '1', name: 'Checking', offbudget: false, closed: false },
-      ];
+    it('calls api.getAccounts and prints result', async () => {
+      const accounts = [{ id: '1', name: 'Checking' }];
       vi.mocked(api.getAccounts).mockResolvedValue(accounts);
 
       await run(['accounts', 'list']);
 
       expect(api.getAccounts).toHaveBeenCalled();
-      expect(api.getAccountBalance).toHaveBeenCalledWith('1');
-      expect(printOutput).toHaveBeenCalledWith(
-        [
-          {
-            id: '1',
-            name: 'Checking',
-            offbudget: false,
-            closed: false,
-            balance: 10000,
-          },
-        ],
-        undefined,
-      );
+      expect(printOutput).toHaveBeenCalledWith(accounts, undefined);
     });
 
     it('passes format option to printOutput', async () => {
@@ -93,59 +79,6 @@ describe('accounts commands', () => {
 
       expect(printOutput).toHaveBeenCalledWith([], 'csv');
     });
-
-    it('filters out closed accounts by default', async () => {
-      vi.mocked(api.getAccounts).mockResolvedValue([
-        { id: '1', name: 'Open', offbudget: false, closed: false },
-        { id: '2', name: 'Closed', offbudget: false, closed: true },
-      ]);
-
-      await run(['accounts', 'list']);
-
-      expect(printOutput).toHaveBeenCalledWith(
-        [
-          {
-            id: '1',
-            name: 'Open',
-            offbudget: false,
-            closed: false,
-            balance: 10000,
-          },
-        ],
-        undefined,
-      );
-    });
-
-    it('includes closed accounts when --include-closed is passed', async () => {
-      vi.mocked(api.getAccounts).mockResolvedValue([
-        { id: '1', name: 'Open', offbudget: false, closed: false },
-        { id: '2', name: 'Closed', offbudget: false, closed: true },
-      ]);
-
-      await run(['accounts', 'list', '--include-closed']);
-
-      expect(printOutput).toHaveBeenCalledWith(
-        expect.arrayContaining([
-          expect.objectContaining({ id: '2', closed: true }),
-        ]),
-        undefined,
-      );
-    });
-
-    it('sorts on-budget accounts before off-budget', async () => {
-      vi.mocked(api.getAccounts).mockResolvedValue([
-        { id: '1', name: 'OffBudget', offbudget: true, closed: false },
-        { id: '2', name: 'OnBudget', offbudget: false, closed: false },
-      ]);
-
-      await run(['accounts', 'list']);
-
-      const output = vi.mocked(printOutput).mock.calls[0][0] as Array<{
-        id: string;
-      }>;
-      expect(output[0].id).toBe('2'); // on-budget first
-      expect(output[1].id).toBe('1'); // off-budget second
-    });
   });
 
   describe('create', () => {

packages/cli/src/commands/accounts.ts

@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { printOutput } from '#output';
-import { parseBoolFlag, parseIntFlag } from '#utils';
+import { withConnection } from '../connection';
+import { printOutput } from '../output';
+import { parseBoolFlag, parseIntFlag } from '../utils';
 
 export function registerAccountsCommand(program: Command) {
   const accounts = program.command('accounts').description('Manage accounts');
@@ -11,33 +11,12 @@ export function registerAccountsCommand(program: Command) {
   accounts
     .command('list')
     .description('List all accounts')
-    .option('--include-closed', 'Include closed accounts', false)
-    .action(async cmdOpts => {
+    .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const allAccounts = await api.getAccounts();
-          const accounts = allAccounts.filter(
-            a => cmdOpts.includeClosed || !a.closed,
-          );
-          // Stable sort: on-budget first, off-budget second
-          // (preserves API sort_order within each group)
-          accounts.sort((a, b) => Number(a.offbudget) - Number(b.offbudget));
-          const balances = await Promise.all(
-            accounts.map(a => api.getAccountBalance(a.id)),
-          );
-          const output = accounts.map((a, i) => ({
-            id: a.id,
-            name: a.name,
-            offbudget: a.offbudget,
-            closed: a.closed,
-            balance: balances[i],
-          }));
-          printOutput(output, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getAccounts();
+        printOutput(result, opts.format);
+      });
     });
 
   accounts
@@ -45,25 +24,17 @@ export function registerAccountsCommand(program: Command) {
     .description('Create a new account')
     .requiredOption('--name <name>', 'Account name')
     .option('--offbudget', 'Create as off-budget account', false)
-    .option(
-      '--balance <amount>',
-      'Initial balance in cents (e.g. 50000 = 500.00)',
-      '0',
-    )
+    .option('--balance <amount>', 'Initial balance in cents', '0')
     .action(async cmdOpts => {
       const balance = parseIntFlag(cmdOpts.balance, '--balance');
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const id = await api.createAccount(
-            { name: cmdOpts.name, offbudget: cmdOpts.offbudget },
-            balance,
-          );
-          printOutput({ id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const id = await api.createAccount(
+          { name: cmdOpts.name, offbudget: cmdOpts.offbudget },
+          balance,
+        );
+        printOutput({ id }, opts.format);
+      });
     });
 
   accounts
@@ -89,14 +60,10 @@ export function registerAccountsCommand(program: Command) {
           'No update fields provided. Use --name or --offbudget.',
         );
       }
-      await withConnection(
-        opts,
-        async () => {
-          await api.updateAccount(id, fields);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.updateAccount(id, fields);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   accounts
@@ -112,18 +79,14 @@ export function registerAccountsCommand(program: Command) {
     )
     .action(async (id: string, cmdOpts) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.closeAccount(
-            id,
-            cmdOpts.transferAccount,
-            cmdOpts.transferCategory,
-          );
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.closeAccount(
+          id,
+          cmdOpts.transferAccount,
+          cmdOpts.transferCategory,
+        );
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   accounts
@@ -131,14 +94,10 @@ export function registerAccountsCommand(program: Command) {
     .description('Reopen a closed account')
     .action(async (id: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.reopenAccount(id);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.reopenAccount(id);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   accounts
@@ -146,14 +105,10 @@ export function registerAccountsCommand(program: Command) {
     .description('Delete an account')
     .action(async (id: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.deleteAccount(id);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.deleteAccount(id);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   accounts
@@ -172,13 +127,9 @@ export function registerAccountsCommand(program: Command) {
         cutoff = cutoffDate;
       }
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const balance = await api.getAccountBalance(id, cutoff);
-          printOutput({ id, balance }, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const balance = await api.getAccountBalance(id, cutoff);
+        printOutput({ id, balance }, opts.format);
+      });
     });
 }

packages/cli/src/commands/budgets.ts

@@ -1,9 +1,10 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { printOutput } from '#output';
-import { parseBoolFlag, parseIntFlag } from '#utils';
+import { resolveConfig } from '../config';
+import { withConnection } from '../connection';
+import { printOutput } from '../output';
+import { parseBoolFlag, parseIntFlag } from '../utils';
 
 export function registerBudgetsCommand(program: Command) {
   const budgets = program.command('budgets').description('Manage budgets');
@@ -19,7 +20,7 @@ export function registerBudgetsCommand(program: Command) {
           const result = await api.getBudgets();
           printOutput(result, opts.format);
         },
-        { mutates: false, skipBudget: true },
+        { loadBudget: false },
       );
     });
 
@@ -29,33 +30,40 @@ export function registerBudgetsCommand(program: Command) {
     .option('--encryption-password <password>', 'Encryption password')
     .action(async (syncId: string, cmdOpts) => {
       const opts = program.opts();
+      const config = await resolveConfig(opts);
+      const password = config.encryptionPassword ?? cmdOpts.encryptionPassword;
       await withConnection(
         opts,
-        async config => {
-          const password =
-            cmdOpts.encryptionPassword ?? config.encryptionPassword;
+        async () => {
           await api.downloadBudget(syncId, {
             password,
           });
           printOutput({ success: true, syncId }, opts.format);
         },
-        { mutates: false, skipBudget: true },
+        { loadBudget: false },
       );
     });
 
+  budgets
+    .command('sync')
+    .description('Sync the current budget')
+    .action(async () => {
+      const opts = program.opts();
+      await withConnection(opts, async () => {
+        await api.sync();
+        printOutput({ success: true }, opts.format);
+      });
+    });
+
   budgets
     .command('months')
     .description('List available budget months')
     .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getBudgetMonths();
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getBudgetMonths();
+        printOutput(result, opts.format);
+      });
     });
 
   budgets
@@ -63,14 +71,10 @@ export function registerBudgetsCommand(program: Command) {
     .description('Get budget data for a specific month (YYYY-MM)')
     .action(async (month: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getBudgetMonth(month);
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getBudgetMonth(month);
+        printOutput(result, opts.format);
+      });
     });
 
   budgets
@@ -78,21 +82,14 @@ export function registerBudgetsCommand(program: Command) {
     .description('Set budget amount for a category in a month')
     .requiredOption('--month <month>', 'Budget month (YYYY-MM)')
     .requiredOption('--category <id>', 'Category ID')
-    .requiredOption(
-      '--amount <amount>',
-      'Amount in cents (e.g. 50000 = 500.00)',
-    )
+    .requiredOption('--amount <amount>', 'Amount in cents')
     .action(async cmdOpts => {
       const amount = parseIntFlag(cmdOpts.amount, '--amount');
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.setBudgetAmount(cmdOpts.month, cmdOpts.category, amount);
-          printOutput({ success: true }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.setBudgetAmount(cmdOpts.month, cmdOpts.category, amount);
+        printOutput({ success: true }, opts.format);
+      });
     });
 
   budgets
@@ -104,35 +101,24 @@ export function registerBudgetsCommand(program: Command) {
     .action(async cmdOpts => {
       const flag = parseBoolFlag(cmdOpts.flag, '--flag');
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.setBudgetCarryover(cmdOpts.month, cmdOpts.category, flag);
-          printOutput({ success: true }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.setBudgetCarryover(cmdOpts.month, cmdOpts.category, flag);
+        printOutput({ success: true }, opts.format);
+      });
     });
 
   budgets
     .command('hold-next-month')
     .description('Hold budget amount for next month')
     .requiredOption('--month <month>', 'Budget month (YYYY-MM)')
-    .requiredOption(
-      '--amount <amount>',
-      'Amount in cents (e.g. 50000 = 500.00)',
-    )
+    .requiredOption('--amount <amount>', 'Amount in cents')
     .action(async cmdOpts => {
       const parsedAmount = parseIntFlag(cmdOpts.amount, '--amount');
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.holdBudgetForNextMonth(cmdOpts.month, parsedAmount);
-          printOutput({ success: true }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.holdBudgetForNextMonth(cmdOpts.month, parsedAmount);
+        printOutput({ success: true }, opts.format);
+      });
     });
 
   budgets
@@ -141,13 +127,9 @@ export function registerBudgetsCommand(program: Command) {
     .requiredOption('--month <month>', 'Budget month (YYYY-MM)')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.resetBudgetHold(cmdOpts.month);
-          printOutput({ success: true }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.resetBudgetHold(cmdOpts.month);
+        printOutput({ success: true }, opts.format);
+      });
     });
 }

packages/cli/src/commands/categories.test.ts

@@ -1,131 +0,0 @@
-import * as api from '@actual-app/api';
-import { Command } from 'commander';
-
-import { printOutput } from '#output';
-
-import { registerCategoriesCommand } from './categories';
-import { registerCategoryGroupsCommand } from './category-groups';
-
-vi.mock('@actual-app/api', () => ({
-  getCategories: vi.fn().mockResolvedValue([]),
-  createCategory: vi.fn().mockResolvedValue('new-id'),
-  updateCategory: vi.fn().mockResolvedValue(undefined),
-  deleteCategory: vi.fn().mockResolvedValue(undefined),
-  getCategoryGroups: vi.fn().mockResolvedValue([]),
-  createCategoryGroup: vi.fn().mockResolvedValue('new-group-id'),
-  updateCategoryGroup: vi.fn().mockResolvedValue(undefined),
-  deleteCategoryGroup: vi.fn().mockResolvedValue(undefined),
-}));
-
-vi.mock('#connection', () => ({
-  withConnection: vi.fn((_opts, fn) => fn()),
-}));
-
-vi.mock('#output', () => ({
-  printOutput: vi.fn(),
-}));
-
-function createProgram(): Command {
-  const program = new Command();
-  program.option('--format <format>');
-  program.option('--server-url <url>');
-  program.option('--password <pw>');
-  program.option('--session-token <token>');
-  program.option('--sync-id <id>');
-  program.option('--data-dir <dir>');
-  program.option('--verbose');
-  program.exitOverride();
-  registerCategoriesCommand(program);
-  registerCategoryGroupsCommand(program);
-  return program;
-}
-
-async function run(args: string[]) {
-  const program = createProgram();
-  await program.parseAsync(['node', 'test', ...args]);
-}
-
-describe('categories commands', () => {
-  let stderrSpy: ReturnType<typeof vi.spyOn>;
-  let stdoutSpy: ReturnType<typeof vi.spyOn>;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    stderrSpy = vi
-      .spyOn(process.stderr, 'write')
-      .mockImplementation(() => true);
-    stdoutSpy = vi
-      .spyOn(process.stdout, 'write')
-      .mockImplementation(() => true);
-  });
-
-  afterEach(() => {
-    stderrSpy.mockRestore();
-    stdoutSpy.mockRestore();
-  });
-
-  describe('categories list', () => {
-    it('asks the API to exclude hidden categories by default', async () => {
-      await run(['categories', 'list']);
-
-      expect(api.getCategories).toHaveBeenCalledWith({ hidden: false });
-    });
-
-    it('asks the API for all categories when --include-hidden is passed', async () => {
-      await run(['categories', 'list', '--include-hidden']);
-
-      expect(api.getCategories).toHaveBeenCalledWith({});
-    });
-
-    it('prints whatever the API returns', async () => {
-      const visible = {
-        id: '1',
-        name: 'Visible',
-        group_id: 'g1',
-        hidden: false,
-      };
-      vi.mocked(api.getCategories).mockResolvedValue([visible]);
-
-      await run(['categories', 'list']);
-
-      expect(printOutput).toHaveBeenCalledWith([visible], undefined);
-    });
-
-    it('passes format option to printOutput', async () => {
-      vi.mocked(api.getCategories).mockResolvedValue([]);
-
-      await run(['--format', 'csv', 'categories', 'list']);
-
-      expect(printOutput).toHaveBeenCalledWith([], 'csv');
-    });
-  });
-
-  describe('category-groups list', () => {
-    it('asks the API to exclude hidden groups by default', async () => {
-      await run(['category-groups', 'list']);
-
-      expect(api.getCategoryGroups).toHaveBeenCalledWith({ hidden: false });
-    });
-
-    it('asks the API for all groups when --include-hidden is passed', async () => {
-      await run(['category-groups', 'list', '--include-hidden']);
-
-      expect(api.getCategoryGroups).toHaveBeenCalledWith({});
-    });
-
-    it('prints whatever the API returns', async () => {
-      const group = {
-        id: 'g1',
-        name: 'Group',
-        is_income: false,
-        hidden: false,
-        categories: [{ id: 'c1', name: 'Cat', group_id: 'g1', hidden: false }],
-      };
-      vi.mocked(api.getCategoryGroups).mockResolvedValue([group]);
-
-      await run(['category-groups', 'list']);
-
-      expect(printOutput).toHaveBeenCalledWith([group], undefined);
-    });
-  });
-});

packages/cli/src/commands/categories.ts

@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { printOutput } from '#output';
-import { parseBoolFlag } from '#utils';
+import { withConnection } from '../connection';
+import { printOutput } from '../output';
+import { parseBoolFlag } from '../utils';
 
 export function registerCategoriesCommand(program: Command) {
   const categories = program
@@ -12,20 +12,13 @@ export function registerCategoriesCommand(program: Command) {
 
   categories
     .command('list')
-    .description('List categories (excludes hidden by default)')
-    .option('--include-hidden', 'Include hidden categories', false)
-    .action(async cmdOpts => {
+    .description('List all categories')
+    .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getCategories(
-            cmdOpts.includeHidden ? {} : { hidden: false },
-          );
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getCategories();
+        printOutput(result, opts.format);
+      });
     });
 
   categories
@@ -36,19 +29,15 @@ export function registerCategoriesCommand(program: Command) {
     .option('--is-income', 'Mark as income category', false)
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const id = await api.createCategory({
-            name: cmdOpts.name,
-            group_id: cmdOpts.groupId,
-            is_income: cmdOpts.isIncome,
-            hidden: false,
-          });
-          printOutput({ id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const id = await api.createCategory({
+          name: cmdOpts.name,
+          group_id: cmdOpts.groupId,
+          is_income: cmdOpts.isIncome,
+          hidden: false,
+        });
+        printOutput({ id }, opts.format);
+      });
     });
 
   categories
@@ -66,14 +55,10 @@ export function registerCategoriesCommand(program: Command) {
         throw new Error('No update fields provided. Use --name or --hidden.');
       }
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.updateCategory(id, fields);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.updateCategory(id, fields);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   categories
@@ -82,13 +67,9 @@ export function registerCategoriesCommand(program: Command) {
     .option('--transfer-to <id>', 'Transfer transactions to this category')
     .action(async (id: string, cmdOpts) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.deleteCategory(id, cmdOpts.transferTo);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.deleteCategory(id, cmdOpts.transferTo);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 }

packages/cli/src/commands/category-groups.ts

@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { printOutput } from '#output';
-import { parseBoolFlag } from '#utils';
+import { withConnection } from '../connection';
+import { printOutput } from '../output';
+import { parseBoolFlag } from '../utils';
 
 export function registerCategoryGroupsCommand(program: Command) {
   const groups = program
@@ -12,20 +12,13 @@ export function registerCategoryGroupsCommand(program: Command) {
 
   groups
     .command('list')
-    .description('List category groups (excludes hidden by default)')
-    .option('--include-hidden', 'Include hidden groups and categories', false)
-    .action(async cmdOpts => {
+    .description('List all category groups')
+    .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getCategoryGroups(
-            cmdOpts.includeHidden ? {} : { hidden: false },
-          );
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getCategoryGroups();
+        printOutput(result, opts.format);
+      });
     });
 
   groups
@@ -35,18 +28,14 @@ export function registerCategoryGroupsCommand(program: Command) {
     .option('--is-income', 'Mark as income group', false)
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const id = await api.createCategoryGroup({
-            name: cmdOpts.name,
-            is_income: cmdOpts.isIncome,
-            hidden: false,
-          });
-          printOutput({ id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const id = await api.createCategoryGroup({
+          name: cmdOpts.name,
+          is_income: cmdOpts.isIncome,
+          hidden: false,
+        });
+        printOutput({ id }, opts.format);
+      });
     });
 
   groups
@@ -64,14 +53,10 @@ export function registerCategoryGroupsCommand(program: Command) {
         throw new Error('No update fields provided. Use --name or --hidden.');
       }
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.updateCategoryGroup(id, fields);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.updateCategoryGroup(id, fields);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   groups
@@ -80,13 +65,9 @@ export function registerCategoryGroupsCommand(program: Command) {
     .option('--transfer-to <id>', 'Transfer transactions to this category ID')
     .action(async (id: string, cmdOpts) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.deleteCategoryGroup(id, cmdOpts.transferTo);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.deleteCategoryGroup(id, cmdOpts.transferTo);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 }

packages/cli/src/commands/payees.ts

@@ -1,8 +1,8 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { printOutput } from '#output';
+import { withConnection } from '../connection';
+import { printOutput } from '../output';
 
 export function registerPayeesCommand(program: Command) {
   const payees = program.command('payees').description('Manage payees');
@@ -12,14 +12,10 @@ export function registerPayeesCommand(program: Command) {
     .description('List all payees')
     .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getPayees();
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getPayees();
+        printOutput(result, opts.format);
+      });
     });
 
   payees
@@ -27,14 +23,10 @@ export function registerPayeesCommand(program: Command) {
     .description('List frequently used payees')
     .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getCommonPayees();
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getCommonPayees();
+        printOutput(result, opts.format);
+      });
     });
 
   payees
@@ -43,14 +35,10 @@ export function registerPayeesCommand(program: Command) {
     .requiredOption('--name <name>', 'Payee name')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const id = await api.createPayee({ name: cmdOpts.name });
-          printOutput({ id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const id = await api.createPayee({ name: cmdOpts.name });
+        printOutput({ id }, opts.format);
+      });
     });
 
   payees
@@ -66,14 +54,10 @@ export function registerPayeesCommand(program: Command) {
         );
       }
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.updatePayee(id, fields);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.updatePayee(id, fields);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   payees
@@ -81,14 +65,10 @@ export function registerPayeesCommand(program: Command) {
     .description('Delete a payee')
     .action(async (id: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.deletePayee(id);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.deletePayee(id);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   payees
@@ -107,13 +87,9 @@ export function registerPayeesCommand(program: Command) {
         );
       }
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.mergePayees(cmdOpts.target, mergeIds);
-          printOutput({ success: true }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.mergePayees(cmdOpts.target, mergeIds);
+        printOutput({ success: true }, opts.format);
+      });
     });
 }

packages/cli/src/commands/query.test.ts

@@ -1,7 +1,7 @@
 import * as api from '@actual-app/api';
 import { Command } from 'commander';
 
-import { printOutput } from '#output';
+import { printOutput } from '../output';
 
 import { parseOrderBy, registerQueryCommand } from './query';
 
@@ -21,11 +21,11 @@ vi.mock('@actual-app/api', () => {
   };
 });
 
-vi.mock('#connection', () => ({
+vi.mock('../connection', () => ({
   withConnection: vi.fn((_opts, fn) => fn()),
 }));
 
-vi.mock('#output', () => ({
+vi.mock('../output', () => ({
   printOutput: vi.fn(),
 }));
 
@@ -145,25 +145,6 @@ describe('query commands', () => {
       ]);
     });
 
-    it('outputs unwrapped data array (not the full result envelope)', async () => {
-      const mockData = [{ id: '1', amount: -500 }];
-      vi.mocked(api.aqlQuery).mockResolvedValueOnce({
-        data: mockData,
-        dependencies: [],
-      });
-
-      await run([
-        'query',
-        'run',
-        '--table',
-        'transactions',
-        '--select',
-        'id,amount',
-      ]);
-
-      expect(printOutput).toHaveBeenCalledWith(mockData, undefined);
-    });
-
     it('passes --filter as JSON', async () => {
       await run([
         'query',

packages/cli/src/commands/query.ts

@@ -1,10 +1,14 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { readJsonInput } from '#input';
-import { printOutput } from '#output';
-import { isRecord, parseIntFlag } from '#utils';
+import { withConnection } from '../connection';
+import { readJsonInput } from '../input';
+import { printOutput } from '../output';
+import { parseIntFlag } from '../utils';
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
 
 /**
  * Parse order-by strings like "date:desc,amount:asc,id" into
@@ -249,17 +253,7 @@ Available tables: ${AVAILABLE_TABLES}
 Use "actual query tables" and "actual query fields <table>" for schema info.
 
 Common filter operators: $eq, $ne, $lt, $lte, $gt, $gte, $like, $and, $or
-See ActualQL docs for full reference: https://actualbudget.org/docs/api/actual-ql/
-
-Tips:
-  - Amounts are stored as integer cents (e.g. 166500 = 1665.00).
-    Table and CSV output auto-formats these as decimals; JSON keeps raw cents.
-  - Filter "is_parent": false to avoid double-counting split transactions.
-  - Fetch all data in a single query with a date range instead of running
-    one query per month — rapid sequential requests may cause auth failures.
-  - date.month, date.year etc. are not supported as fields in AQL.
-    To group by month, fetch raw transactions with a date range filter
-    and aggregate locally (e.g. in a script).`;
+See ActualQL docs for full reference: https://actualbudget.org/docs/api/actual-ql/`;
 
 export function registerQueryCommand(program: Command) {
   const query = program
@@ -301,31 +295,23 @@ export function registerQueryCommand(program: Command) {
     .addHelpText('after', RUN_EXAMPLES)
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const parsed = cmdOpts.file ? readJsonInput(cmdOpts) : undefined;
-          if (parsed !== undefined && !isRecord(parsed)) {
-            throw new Error('Query file must contain a JSON object');
-          }
-          const queryObj = parsed
-            ? buildQueryFromFile(parsed, cmdOpts.table)
-            : buildQueryFromFlags(cmdOpts);
+      await withConnection(opts, async () => {
+        const parsed = cmdOpts.file ? readJsonInput(cmdOpts) : undefined;
+        if (parsed !== undefined && !isRecord(parsed)) {
+          throw new Error('Query file must contain a JSON object');
+        }
+        const queryObj = parsed
+          ? buildQueryFromFile(parsed, cmdOpts.table)
+          : buildQueryFromFlags(cmdOpts);
 
-          const result = await api.aqlQuery(queryObj);
+        const result = await api.aqlQuery(queryObj);
 
-          if (!isRecord(result) || !('data' in result)) {
-            throw new Error('Query result missing data');
-          }
-
-          if (cmdOpts.count) {
-            printOutput({ count: result.data }, opts.format);
-          } else {
-            printOutput(result.data, opts.format);
-          }
-        },
-        { mutates: false },
-      );
+        if (cmdOpts.count) {
+          printOutput({ count: result.data }, opts.format);
+        } else {
+          printOutput(result, opts.format);
+        }
+      });
     });
 
   query

packages/cli/src/commands/rules.ts

@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { readJsonInput } from '#input';
-import { printOutput } from '#output';
+import { withConnection } from '../connection';
+import { readJsonInput } from '../input';
+import { printOutput } from '../output';
 
 export function registerRulesCommand(program: Command) {
   const rules = program
@@ -15,14 +15,10 @@ export function registerRulesCommand(program: Command) {
     .description('List all rules')
     .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getRules();
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getRules();
+        printOutput(result, opts.format);
+      });
     });
 
   rules
@@ -30,14 +26,10 @@ export function registerRulesCommand(program: Command) {
     .description('List rules for a specific payee')
     .action(async (payeeId: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getPayeeRules(payeeId);
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getPayeeRules(payeeId);
+        printOutput(result, opts.format);
+      });
     });
 
   rules
@@ -47,17 +39,13 @@ export function registerRulesCommand(program: Command) {
     .option('--file <path>', 'Read rule from JSON file (use - for stdin)')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const rule = readJsonInput(cmdOpts) as Parameters<
-            typeof api.createRule
-          >[0];
-          const id = await api.createRule(rule);
-          printOutput({ id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const rule = readJsonInput(cmdOpts) as Parameters<
+          typeof api.createRule
+        >[0];
+        const id = await api.createRule(rule);
+        printOutput({ id }, opts.format);
+      });
     });
 
   rules
@@ -67,17 +55,13 @@ export function registerRulesCommand(program: Command) {
     .option('--file <path>', 'Read rule from JSON file (use - for stdin)')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const rule = readJsonInput(cmdOpts) as Parameters<
-            typeof api.updateRule
-          >[0];
-          await api.updateRule(rule);
-          printOutput({ success: true }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const rule = readJsonInput(cmdOpts) as Parameters<
+          typeof api.updateRule
+        >[0];
+        await api.updateRule(rule);
+        printOutput({ success: true }, opts.format);
+      });
     });
 
   rules
@@ -85,13 +69,9 @@ export function registerRulesCommand(program: Command) {
     .description('Delete a rule')
     .action(async (id: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.deleteRule(id);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.deleteRule(id);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 }

packages/cli/src/commands/schedules.ts

@@ -1,9 +1,9 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { readJsonInput } from '#input';
-import { printOutput } from '#output';
+import { withConnection } from '../connection';
+import { readJsonInput } from '../input';
+import { printOutput } from '../output';
 
 export function registerSchedulesCommand(program: Command) {
   const schedules = program
@@ -15,14 +15,10 @@ export function registerSchedulesCommand(program: Command) {
     .description('List all schedules')
     .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getSchedules();
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getSchedules();
+        printOutput(result, opts.format);
+      });
     });
 
   schedules
@@ -32,17 +28,13 @@ export function registerSchedulesCommand(program: Command) {
     .option('--file <path>', 'Read schedule from JSON file (use - for stdin)')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const schedule = readJsonInput(cmdOpts) as Parameters<
-            typeof api.createSchedule
-          >[0];
-          const id = await api.createSchedule(schedule);
-          printOutput({ id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const schedule = readJsonInput(cmdOpts) as Parameters<
+          typeof api.createSchedule
+        >[0];
+        const id = await api.createSchedule(schedule);
+        printOutput({ id }, opts.format);
+      });
     });
 
   schedules
@@ -53,17 +45,13 @@ export function registerSchedulesCommand(program: Command) {
     .option('--reset-next-date', 'Reset next occurrence date', false)
     .action(async (id: string, cmdOpts) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const fields = readJsonInput(cmdOpts) as Parameters<
-            typeof api.updateSchedule
-          >[1];
-          await api.updateSchedule(id, fields, cmdOpts.resetNextDate);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const fields = readJsonInput(cmdOpts) as Parameters<
+          typeof api.updateSchedule
+        >[1];
+        await api.updateSchedule(id, fields, cmdOpts.resetNextDate);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   schedules
@@ -71,13 +59,9 @@ export function registerSchedulesCommand(program: Command) {
     .description('Delete a schedule')
     .action(async (id: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.deleteSchedule(id);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.deleteSchedule(id);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 }

packages/cli/src/commands/server.ts

@@ -2,8 +2,8 @@ import * as api from '@actual-app/api';
 import { Option } from 'commander';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { printOutput } from '#output';
+import { withConnection } from '../connection';
+import { printOutput } from '../output';
 
 export function registerServerCommand(program: Command) {
   const server = program.command('server').description('Server utilities');
@@ -19,7 +19,7 @@ export function registerServerCommand(program: Command) {
           const version = await api.getServerVersion();
           printOutput({ version }, opts.format);
         },
-        { mutates: false, skipBudget: true },
+        { loadBudget: false },
       );
     });
 
@@ -34,17 +34,13 @@ export function registerServerCommand(program: Command) {
     .requiredOption('--name <name>', 'Entity name')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const id = await api.getIDByName(cmdOpts.type, cmdOpts.name);
-          printOutput(
-            { id, type: cmdOpts.type, name: cmdOpts.name },
-            opts.format,
-          );
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const id = await api.getIDByName(cmdOpts.type, cmdOpts.name);
+        printOutput(
+          { id, type: cmdOpts.type, name: cmdOpts.name },
+          opts.format,
+        );
+      });
     });
 
   server
@@ -53,16 +49,12 @@ export function registerServerCommand(program: Command) {
     .option('--account <id>', 'Specific account ID to sync')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const args = cmdOpts.account
-            ? { accountId: cmdOpts.account }
-            : undefined;
-          await api.runBankSync(args);
-          printOutput({ success: true }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const args = cmdOpts.account
+          ? { accountId: cmdOpts.account }
+          : undefined;
+        await api.runBankSync(args);
+        printOutput({ success: true }, opts.format);
+      });
     });
 }

packages/cli/src/commands/sync.test.ts

@@ -1,124 +0,0 @@
-import { existsSync, mkdtempSync, rmSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-
-import { Command } from 'commander';
-
-import { CACHE_FILE_NAME, getMetaDir, writeCacheState } from '#cache';
-import { resolveConfig } from '#config';
-
-import { registerSyncCommand } from './sync';
-
-vi.mock('@actual-app/api', () => ({
-  init: vi.fn().mockResolvedValue(undefined),
-  downloadBudget: vi.fn().mockResolvedValue(undefined),
-  loadBudget: vi.fn().mockResolvedValue(undefined),
-  sync: vi.fn().mockResolvedValue(undefined),
-  shutdown: vi.fn().mockResolvedValue(undefined),
-  getBudgets: vi
-    .fn()
-    .mockResolvedValue([{ id: 'bud-disk-1', groupId: 'sync-1' }]),
-}));
-
-vi.mock('#config', () => ({
-  resolveConfig: vi.fn(),
-}));
-
-let dataDir: string;
-
-function metaDirFor(syncId: string) {
-  return getMetaDir(dataDir, syncId);
-}
-
-function program() {
-  const p = new Command();
-  p.exitOverride();
-  p.option('--sync-id <id>');
-  p.option('--data-dir <path>');
-  p.option('--format <fmt>');
-  p.option('--verbose');
-  registerSyncCommand(p);
-  return p;
-}
-
-describe('actual sync', () => {
-  let stdoutSpy: ReturnType<typeof vi.spyOn>;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    dataDir = mkdtempSync(join(tmpdir(), 'actual-cli-sync-'));
-    vi.mocked(resolveConfig).mockResolvedValue({
-      serverUrl: 'http://test',
-      password: 'pw',
-      dataDir,
-      syncId: 'sync-1',
-      cacheTtl: 60,
-      lockTimeout: 10,
-      refresh: false,
-      noLock: true,
-    });
-    stdoutSpy = vi
-      .spyOn(process.stdout, 'write')
-      .mockImplementation(() => true);
-  });
-
-  afterEach(() => {
-    stdoutSpy.mockRestore();
-    rmSync(dataDir, { recursive: true, force: true });
-  });
-
-  it('runs a sync and prints the syncId', async () => {
-    writeCacheState(metaDirFor('sync-1'), {
-      version: 1,
-      syncId: 'sync-1',
-      budgetId: 'bud-disk-1',
-      serverUrl: 'http://test',
-      lastSyncedAt: 0,
-      lastDownloadedAt: 0,
-    });
-    await program().parseAsync(['node', 'actual', 'sync']);
-    const out = stdoutSpy.mock.calls
-      .map((c: unknown[]) => String(c[0]))
-      .join('');
-    expect(out).toMatch(/"syncId":\s*"sync-1"/);
-  });
-
-  it('--status prints cache info without syncing', async () => {
-    writeCacheState(metaDirFor('sync-1'), {
-      version: 1,
-      syncId: 'sync-1',
-      budgetId: 'bud-disk-1',
-      serverUrl: 'http://test',
-      lastSyncedAt: Date.now() - 5000,
-      lastDownloadedAt: Date.now() - 5000,
-    });
-    await program().parseAsync(['node', 'actual', 'sync', '--status']);
-    const out = stdoutSpy.mock.calls
-      .map((c: unknown[]) => String(c[0]))
-      .join('');
-    expect(out).toMatch(/"stale":\s*(true|false)/);
-    expect(out).toMatch(/"ageSeconds":\s*\d+/);
-  });
-
-  it('--status on no prior sync reports "never synced" and exits 0', async () => {
-    await program().parseAsync(['node', 'actual', 'sync', '--status']);
-    const out = stdoutSpy.mock.calls
-      .map((c: unknown[]) => String(c[0]))
-      .join('');
-    expect(out).toMatch(/"neverSynced":\s*true/);
-  });
-
-  it('--clear removes the cache file', async () => {
-    writeCacheState(metaDirFor('sync-1'), {
-      version: 1,
-      syncId: 'sync-1',
-      budgetId: 'bud-disk-1',
-      serverUrl: 'http://test',
-      lastSyncedAt: Date.now(),
-      lastDownloadedAt: Date.now(),
-    });
-    expect(existsSync(join(metaDirFor('sync-1'), CACHE_FILE_NAME))).toBe(true);
-    await program().parseAsync(['node', 'actual', 'sync', '--clear']);
-    expect(existsSync(join(metaDirFor('sync-1'), CACHE_FILE_NAME))).toBe(false);
-  });
-});

packages/cli/src/commands/sync.ts

@@ -1,118 +0,0 @@
-import { rmSync } from 'node:fs';
-import { join } from 'node:path';
-
-import type { Command } from 'commander';
-
-import { CACHE_FILE_NAME, getMetaDir, readCacheState } from '#cache';
-import type { CliConfig } from '#config';
-import { resolveConfig } from '#config';
-import { withConnection } from '#connection';
-import { acquireExclusive } from '#lock';
-import { printOutput } from '#output';
-
-type SyncCmdOpts = {
-  status?: boolean;
-  clear?: boolean;
-};
-
-async function requireSyncIdAndMeta(
-  opts: Record<string, unknown>,
-  flag: string,
-): Promise<{ config: CliConfig; meta: string }> {
-  const config = await resolveConfig(opts);
-  if (!config.syncId) {
-    throw new Error(
-      `Sync ID is required for sync ${flag}. Set --sync-id or ACTUAL_SYNC_ID.`,
-    );
-  }
-  return { config, meta: getMetaDir(config.dataDir, config.syncId) };
-}
-
-export function registerSyncCommand(program: Command) {
-  program
-    .command('sync')
-    .description(
-      'Sync the local cached budget with the server, print cache status, or clear the cache',
-    )
-    .option('--status', 'Print cache status without syncing', false)
-    .option(
-      '--clear',
-      'Delete the local cache; next command re-downloads',
-      false,
-    )
-    .action(async (cmdOpts: SyncCmdOpts) => {
-      const opts = program.opts();
-
-      if (cmdOpts.status) {
-        const { config, meta } = await requireSyncIdAndMeta(opts, '--status');
-        const state = readCacheState(meta);
-        if (state === null) {
-          printOutput(
-            {
-              neverSynced: true,
-              syncId: config.syncId,
-              ttlSeconds: config.cacheTtl,
-            },
-            opts.format,
-          );
-          return;
-        }
-        const rawAgeSeconds = Math.round(
-          (Date.now() - state.lastSyncedAt) / 1000,
-        );
-        const ageSeconds = Math.max(0, rawAgeSeconds);
-        printOutput(
-          {
-            neverSynced: false,
-            syncId: state.syncId,
-            budgetId: state.budgetId,
-            syncedAt: new Date(state.lastSyncedAt).toISOString(),
-            lastDownloadedAt: new Date(state.lastDownloadedAt).toISOString(),
-            ageSeconds,
-            ttlSeconds: config.cacheTtl,
-            stale: rawAgeSeconds < 0 || rawAgeSeconds > config.cacheTtl,
-          },
-          opts.format,
-        );
-        return;
-      }
-
-      if (cmdOpts.clear) {
-        const { config, meta } = await requireSyncIdAndMeta(opts, '--clear');
-        // Serialize with concurrent writers so we don't rm a half-written
-        // state.json that's about to be renamed into place.
-        const release = config.noLock
-          ? null
-          : await acquireExclusive(meta, {
-              timeoutMs: config.lockTimeout * 1000,
-            });
-        try {
-          rmSync(join(meta, CACHE_FILE_NAME), { force: true });
-        } finally {
-          await release?.();
-        }
-        printOutput({ cleared: true, syncId: config.syncId }, opts.format);
-        return;
-      }
-
-      await withConnection(
-        opts,
-        async config => {
-          const state = config.syncId
-            ? readCacheState(getMetaDir(config.dataDir, config.syncId))
-            : null;
-          printOutput(
-            {
-              syncedAt: new Date(
-                state?.lastSyncedAt ?? Date.now(),
-              ).toISOString(),
-              syncId: config.syncId,
-              budgetId: state?.budgetId ?? config.syncId,
-            },
-            opts.format,
-          );
-        },
-        { mutates: true },
-      );
-    });
-}

packages/cli/src/commands/tags.ts

@@ -1,8 +1,8 @@
 import * as api from '@actual-app/api';
 import type { Command } from 'commander';
 
-import { withConnection } from '#connection';
-import { printOutput } from '#output';
+import { withConnection } from '../connection';
+import { printOutput } from '../output';
 
 export function registerTagsCommand(program: Command) {
   const tags = program.command('tags').description('Manage tags');
@@ -12,14 +12,10 @@ export function registerTagsCommand(program: Command) {
     .description('List all tags')
     .action(async () => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const result = await api.getTags();
-          printOutput(result, opts.format);
-        },
-        { mutates: false },
-      );
+      await withConnection(opts, async () => {
+        const result = await api.getTags();
+        printOutput(result, opts.format);
+      });
     });
 
   tags
@@ -30,18 +26,14 @@ export function registerTagsCommand(program: Command) {
     .option('--description <description>', 'Tag description')
     .action(async cmdOpts => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          const id = await api.createTag({
-            tag: cmdOpts.tag,
-            color: cmdOpts.color,
-            description: cmdOpts.description,
-          });
-          printOutput({ id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        const id = await api.createTag({
+          tag: cmdOpts.tag,
+          color: cmdOpts.color,
+          description: cmdOpts.description,
+        });
+        printOutput({ id }, opts.format);
+      });
     });
 
   tags
@@ -63,14 +55,10 @@ export function registerTagsCommand(program: Command) {
         );
       }
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.updateTag(id, fields);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.updateTag(id, fields);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 
   tags
@@ -78,13 +66,9 @@ export function registerTagsCommand(program: Command) {
     .description('Delete a tag')
     .action(async (id: string) => {
       const opts = program.opts();
-      await withConnection(
-        opts,
-        async () => {
-          await api.deleteTag(id);
-          printOutput({ success: true, id }, opts.format);
-        },
-        { mutates: true },
-      );
+      await withConnection(opts, async () => {
+        await api.deleteTag(id);
+        printOutput({ success: true, id }, opts.format);
+      });
     });
 }