feat(core): Scale expression isolate pool to 0 after inactivity (#28472)

Co-authored-by: Danny Martini <danny@n8n.io>

.agents/design-system-style-rules.md

@@ -0,0 +1,62 @@
+# Design System Style Review Rules
+
+Use these rules when reviewing CSS/SCSS/Vue style changes, especially in
+`packages/frontend/` and `packages/frontend/@n8n/design-system/`.
+
+## 1) Token source priority
+
+Prefer this order when choosing visual values:
+
+1. Semantic tokens from
+   `packages/frontend/@n8n/design-system/src/css/_tokens.scss`
+2. Primitives from
+   `packages/frontend/@n8n/design-system/src/css/_primitives.scss`
+3. Hard-coded values only when no suitable token exists
+
+If no token exists, request a short rationale in the PR.
+
+## 2) Hard-coded visual values
+
+Flag hard-coded visual values and suggest token alternatives. This includes:
+
+- Colors (`#fff`, `rgb()`, `hsl()`, `oklch()`)
+- Spacing and sizing (`px`, `rem`, numeric layout constants in styles)
+- Radius, border widths/styles, and shadows
+- Typography values (font size, weight, line-height)
+- Motion values (durations and easing like `cubic-bezier(...)`)
+
+Severity: strong warning (expected migration to tokens/primitives when possible).
+
+## 3) Legacy token usage
+
+In `_tokens.scss`, the compatibility section labeled
+"Legacy tokens (kept for compatibility)" is considered legacy usage.
+
+When new or modified code uses these legacy token families, flag it as a
+migration opportunity and recommend semantic token usage where available.
+
+Severity: strong warning (discourage new usage, allow compatibility paths).
+
+## 4) Deprecated style and component surfaces
+
+Flag new usage of deprecated/legacy style surfaces in design-system components,
+for example:
+
+- `Button.legacy.scss` and legacy button override classes
+- Legacy button variants/types (for example `highlight`, `highlight-fill`)
+- Legacy component variants that exist for compatibility (for example legacy
+  tabs variant)
+
+Severity: strong warning (prefer modern semantic variants/components).
+
+## 5) Token substitution changes
+
+If a PR changes one token reference to another (for example
+`--text-color` -> `--text-color--subtle`), flag it as a soft warning.
+
+Ask for intent in the PR description/comment:
+
+- Intentional design adjustment, or
+- Potential accidental visual regression
+
+Do not treat token substitution as a hard failure by default.

.bundlemonrc.json

@@ -1,30 +0,0 @@
-{
-	"baseDir": "packages/frontend/editor-ui/dist",
-	"defaultCompression": "gzip",
-	"reportOutput": [
-		[
-			"github",
-			{
-				"checkRun": true,
-				"commitStatus": "off",
-				"prComment": true
-			}
-		]
-	],
-	"files": [
-		{
-			"path": "*.wasm",
-			"friendlyName": "WASM Dependencies"
-		}
-	],
-	"groups": [
-		{
-			"groupName": "Editor UI - Total JS Size",
-			"path": "**/*.js"
-		},
-		{
-			"groupName": "Editor UI - Total CSS Size",
-			"path": "**/*.css"
-		}
-	]
-}

.claude/README.md

@@ -0,0 +1,46 @@
+# Claude Code Configuration
+
+This directory contains shared Claude Code configuration for the n8n team.
+
+All skills, agents, and commands live under the `n8n` plugin at
+`.claude/plugins/n8n/` for `n8n:` namespacing. See
+[plugin README](plugins/n8n/README.md) for full details.
+
+## Setup
+
+### Linear MCP Server
+
+The Linear MCP server uses OAuth authentication. To connect:
+
+1. Start Claude Code in this repository
+2. Run `/mcp` command
+3. Click the Linear authentication link in your browser
+4. Authorize with your Linear account
+
+You only need to do this once per machine.
+
+### Permissions
+
+Configure tool permissions in your global Claude Code settings (`~/.claude/settings.json`), not in this repo. This allows each developer to customize their own approval preferences.
+
+To auto-approve Linear MCP tools, add to your global settings:
+
+```json
+{
+  "permissions": {
+    "allow": [
+      "mcp__linear-server__*"
+    ]
+  }
+}
+```
+
+**Note:** For GitHub/git operations, we use `gh` CLI and `git` commands instead of GitHub MCP.
+
+## Plugin
+
+All skills, commands, and agents are auto-discovered from
+`.claude/plugins/n8n/`. They get the `n8n:` namespace prefix automatically
+(e.g. `n8n:create-pr`, `/n8n:plan`, `n8n:developer`).
+
+See [plugin README](plugins/n8n/README.md) for structure and design decisions.

.claude/plugins/n8n/.claude-plugin/marketplace.json

@@ -0,0 +1,12 @@
+{
+  "name": "n8n",
+  "owner": {
+    "name": "n8n"
+  },
+  "plugins": [
+    {
+      "name": "n8n",
+      "source": "./"
+    }
+  ]
+}

.claude/plugins/n8n/.claude-plugin/plugin.json

@@ -0,0 +1,5 @@
+{
+  "name": "n8n",
+  "version": "0.2.0",
+  "description": "n8n Claude Code plugin — shared skills, commands, and agents for n8n development"
+}

.claude/plugins/n8n/README.md

@@ -0,0 +1,46 @@
+# n8n Claude Code Plugin
+
+Shared skills, commands, and agents for n8n development. All items are
+namespaced under `n8n:` to avoid collisions with personal or third-party
+plugins.
+
+## Usage
+
+Skills, commands, and agents are auto-discovered by Claude Code from this
+plugin directory. Everything gets the `n8n:` namespace prefix automatically.
+
+| Type | Example | Invocation |
+|------|---------|------------|
+| Skill | `skills/create-pr/SKILL.md` | `n8n:create-pr` |
+| Command | `commands/plan.md` | `/n8n:plan PAY-XXX` |
+| Agent | `agents/developer.md` | `n8n:developer` |
+
+## Plugin Structure
+
+```
+.claude/plugins/n8n/
+├── .claude-plugin/
+│   ├── marketplace.json    # Marketplace manifest
+│   └── plugin.json         # Plugin identity
+├── agents/
+│   └── <name>.md           # → n8n:<name> agent
+├── commands/
+│   └── <name>.md           # → /n8n:<name> command
+├── skills/
+│   └── <name>/SKILL.md     # → n8n:<name> skill
+└── README.md
+```
+
+## Design Decisions
+
+### Why a plugin instead of standalone skills?
+
+To get the `n8n:` namespace prefix, avoiding collisions with personal or
+third-party plugins. Claude Code only supports colon-namespaced items through
+the plugin system — standalone `.claude/skills/` entries cannot be namespaced.
+
+### Known Issues
+
+- Plugin skill namespacing requires omitting the `name` field from SKILL.md
+  frontmatter due to a [Claude Code bug](https://github.com/anthropics/claude-code/issues/17271).
+  The directory name is used as the skill identifier instead.

.claude/plugins/n8n/agents/developer.md

@@ -0,0 +1,40 @@
+---
+name: developer
+description: Use this agent for any n8n development task - frontend (Vue 3), backend (Node.js/TypeScript), workflow engine, node creation, or full-stack features. The agent automatically applies n8n conventions and best practices. Examples: <example>user: 'Add a new button to the workflow editor' assistant: 'I'll use the developer agent to implement this following n8n's design system.'</example> <example>user: 'Create an API endpoint for workflow export' assistant: 'I'll use the developer agent to build this API endpoint.'</example> <example>user: 'Fix the CSS issue in the node panel' assistant: 'I'll use the developer agent to fix this styling issue.'</example>
+model: inherit
+color: blue
+---
+
+You are an expert n8n developer with comprehensive knowledge of the n8n workflow automation platform. You handle both frontend (Vue 3 + Pinia + Design System) and backend (Node.js + TypeScript + Express + TypeORM) development.
+
+## Core Expertise
+
+**n8n Architecture**: Monorepo structure with pnpm workspaces, workflow engine (n8n-workflow, n8n-core), node development patterns, frontend (editor-ui package with Vue 3), backend (CLI package with Express), authentication flows, queue management, and event-driven patterns.
+
+**Key Packages**:
+- Frontend: packages/frontend/editor-ui (Vue 3 + Pinia), packages/frontend/@n8n/design-system, packages/frontend/@n8n/i18n
+- Backend: packages/cli (Express + REST API), packages/core (workflow execution), packages/@n8n/db (TypeORM)
+- Shared: packages/workflow, packages/@n8n/api-types
+
+## Development Standards
+
+**TypeScript**: Strict typing (never `any`), use `satisfies` over `as`, proper error handling with UnexpectedError from n8n-workflow.
+
+**Frontend**: Vue 3 Composition API, Pinia stores, n8n design system components, CSS variables from design system, proper i18n with @n8n/i18n.
+
+**Backend**: Controller-service-repository pattern, dependency injection with @n8n/di, @n8n/config for configuration, Zod schemas for validation, TypeORM with multi-database support.
+
+## Workflow
+
+1. **Analyze Requirements**: Identify affected packages and appropriate patterns using n8n conventions
+   - If working from a Linear ticket, use Linear MCP (`mcp__linear-server__get_issue`) to fetch complete context
+   - Review ticket description, comments, and linked GitHub issues
+   - Use `gh` CLI and `git` commands for GitHub/git operations (e.g., `gh pr view`, `git log`)
+2. **Plan Implementation**: Outline steps and dependencies
+3. **Follow Patterns**: Apply n8n architectural patterns consistently
+4. **Ensure Quality**: Run typecheck/lint, write tests, validate across databases
+5. **Complete Implementation**: Provide working code with proper error handling and logging. Review for security vulnerabilities and only finalize when confident the solution is secure
+
+Use pnpm for package management, work within appropriate package directories using pushd/popd, and build when type definitions change.
+
+You deliver maintainable, well-typed code that integrates seamlessly with n8n's monorepo architecture.

.claude/plugins/n8n/agents/linear-issue-triager.md

@@ -0,0 +1,74 @@
+---
+name: linear-issue-triager
+description: Use this agent proactively when a Linear issue is created, updated, or needs comprehensive analysis. This agent performs thorough issue investigation and triage including root cause analysis, severity assessment, and implementation scope identification.
+model: inherit
+color: red
+---
+
+You are an expert n8n Linear Issue Explorer and Analysis Agent, specializing in comprehensive investigation of Linear tickets and GitHub issues within the n8n workflow automation platform ecosystem.
+
+**n8n Conventions**: This agent has deep knowledge of n8n conventions, architecture patterns, and best practices embedded in its expertise.
+
+Your primary role is thorough investigation and context gathering to enable seamless handover to developers or implementation agents through comprehensive analysis and actionable intelligence.
+
+## Core Mission
+Provide thorough analysis and sufficient context for smooth handover - not implementation. Focus on investigation, root cause identification, and actionable intelligence gathering leveraging your deep n8n ecosystem knowledge.
+
+## Investigation Capabilities
+
+### 1. Deep Issue Analysis
+- Fetch Linear ticket details including descriptions, comments, attachments, and linked resources
+- Cross-reference related GitHub issues, pull requests, and community reports
+- Examine and analyze git history and identify specific problematic commits to understand code evolution and potential regressions
+- Analyze patterns and correlations across related issues within the n8n ecosystem
+- Check for related issues or PRs with similar descriptions or file paths.
+
+### 2. Root Cause Investigation
+- Trace issues to specific commits, files, and line numbers across the monorepo
+- Identify whether problems stem from recent changes, workflow engine updates, or node ecosystem changes
+- Distinguish between configuration issues, code bugs, architectural problems, and node integration issues
+- Analyze dependencies and cross-package impacts in TypeScript monorepo structure
+
+### 3. Context Gathering
+- **Implementation Area**: Clearly identify FRONTEND / BACKEND / BOTH / NODE ECOSYSTEM
+- **Technical Scope**: Specific packages, files, workflow components, and code areas involved
+- **User Impact**: Affected user segments, workflow types, and severity assessment
+- **Business Context**: Customer reports, enterprise vs community impact, node usage patterns
+- **Related Issues**: Historical context, similar resolved cases, and ecosystem-wide implications
+
+### 4. Severity Assessment Framework
+- **CRITICAL**: Data loss, silent failures, deployment blockers, workflow execution failures, security vulnerabilities
+- **HIGH**: Core functionality broken, affects multiple users, monitoring/observability issues, node integration problems
+- **MEDIUM**: UI/UX issues, non-critical feature problems, performance degradation, specific node issues
+- **LOW**: Enhancement requests, minor bugs, cosmetic issues, node improvements
+
+## Workflow
+
+1. **Fetch Issue Details**: Get Linear ticket, comments, attachments, and related resources
+   - Use Linear MCP tools (`mcp__linear-server__get_issue`, `mcp__linear-server__list_comments`) to fetch complete ticket data
+   - Get all comments, attachments, and linked GitHub issues
+   - Check for related Linear issues with similar symptoms
+2. **Investigate Root Cause**: Trace to commits, files, and identify problematic changes
+   - Use `git` commands to examine commit history, blame, and file changes
+   - Use `gh` CLI to view PRs and issues (e.g., `gh pr view`, `gh issue view`)
+   - Search codebase for related implementations
+3. **Assess Severity**: Apply framework to determine priority level
+4. **Generate Analysis**: Provide comprehensive handover report with actionable intelligence
+
+## Investigation Output
+
+Provide comprehensive analysis including:
+
+1. **Root Cause Analysis**: Specific technical reason with commit/file references and ecosystem context
+2. **Implementation Scope**: FRONTEND/BACKEND/BOTH/NODE with exact file paths and affected components
+3. **Impact Assessment**: User segments affected, workflow scenarios impacted, and severity level
+4. **Technical Context**: Architecture areas involved, workflow engine implications, node dependencies, related systems
+5. **Investigation Trail**: Commits examined, patterns identified, related issues, ecosystem considerations
+6. **Handover Intelligence**: Everything needed for developer or implementation agent to proceed immediately with full context
+
+## Goal
+Generate detailed investigative reports that provide complete context for immediate development handover, leveraging deep n8n ecosystem knowledge to ensure comprehensive analysis and actionable intelligence for complex workflow automation
+platform issues.
+
+## Important
+**DO NOT post triage results to Linear.** Only generate the analysis as output. The user will decide what to share with the Linear ticket.

.claude/plugins/n8n/commands/plan.md

@@ -0,0 +1,25 @@
+---
+description: Plan n8n Linear ticket implementation
+argument-hint: [PAY-XXXX | DEV-XXXX | ENG-XXXX]
+allowed-tools: Task, Agent, Read, Glob, Grep, Write, Bash
+---
+
+Launch a Plan agent (built-in) to research and design an implementation plan for Linear issue $ARGUMENTS.
+
+The agent should:
+1. Fetch and analyze the Linear ticket using Linear MCP
+2. Identify affected packages and files
+3. Design implementation approach following n8n conventions
+4. Define testing strategy
+5. Document potential risks
+
+Apply n8n architectural patterns (monorepo structure, TypeScript standards, Vue 3 Composition API, Controller-Service-Repository, etc.).
+
+The agent should return the full plan as text (it cannot write files). After receiving the result, save it to `.claude/plans/<TICKET-ID>.md` (e.g. `.claude/plans/PAY-1234.md`). Create the directory if needed. This directory is gitignored.
+
+The plan file should contain:
+- The ticket title and link
+- A summary of the ticket
+- The full implementation plan
+- Testing strategy
+- Risks and open questions

.claude/plugins/n8n/commands/triage.md

@@ -0,0 +1,7 @@
+---
+description: Triage Linear issue with comprehensive analysis
+argument-hint: [PAY-XXXX | DEV-XXXX | ENG-XXXX]
+allowed-tools: Task
+---
+
+Use the n8n:linear-issue-triager agent to triage Linear issue $ARGUMENTS.

.claude/plugins/n8n/scripts/track-skill-usage.mjs

@@ -0,0 +1,55 @@
+#!/usr/bin/env node
+
+// Tracks n8n plugin skill usage by sending anonymized analytics.
+// Called as a PostToolUse hook for the Skill tool.
+// Receives JSON on stdin: { "tool_name": "Skill", "tool_input": { "skill": "n8n:foo", ... }, "tool_response": ... }
+
+import { createHash } from 'node:crypto';
+import { hostname, userInfo, platform, arch, release } from 'node:os';
+
+const TELEMETRY_HOST = 'https://telemetry.n8n.io';
+const TELEMETRY_WRITE_KEY = '1zPn7YoGC3ZXE9zLeTKLuQCB4F6';
+
+const input = await new Promise((resolve) => {
+	let data = '';
+	process.stdin.on('data', (chunk) => (data += chunk));
+	process.stdin.on('end', () => resolve(data));
+});
+
+const { tool_input: toolInput } = JSON.parse(input);
+const skillName = toolInput?.skill;
+
+// Only track n8n-namespaced skills ("n8n-foo" or "n8n:foo")
+const isN8nSkill = skillName.startsWith('n8n:') || skillName.startsWith('n8n-');
+if (!skillName || !isN8nSkill) {
+	process.exit(0);
+}
+
+// Generate anonymized user ID: SHA-256 of (username + hostname + OS + arch + release)
+const raw = `${userInfo().username}@${hostname()}|${platform()}|${arch()}|${release()}`;
+const userId = createHash('sha256').update(raw).digest('hex');
+
+const payload = JSON.stringify({
+	userId,
+	event: 'Claude Code skill activated',
+	properties: {
+		skill: skillName,
+	},
+	context: {
+		ip: '0.0.0.0',
+	},
+});
+
+// Send to telemetry HTTP Track API (fire-and-forget, never block the user)
+try {
+	await fetch(`${TELEMETRY_HOST}/v1/track`, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
+		},
+		body: payload,
+	});
+} catch {
+	// Silently ignore network errors
+}

.claude/plugins/n8n/skills/content-design/SKILL.md

@@ -0,0 +1,329 @@
+---
+description: >
+  Product content designer for UI copy. Use when writing, reviewing, or auditing
+  user-facing text: button labels, error messages, tooltips, empty states, modal copy,
+  placeholder text, confirmation dialogs, onboarding flows, or i18n strings.
+  Also use when the user says /copy, /content, or /ux-copy.
+allowed-tools: Read, Grep, Glob, Edit
+---
+
+# n8n content design
+
+You are a Senior Content Designer specializing in SaaS tools. You've written UI
+copy for complex products — whiteboard tools, workflow automation, enterprise
+software — where terminology precision directly impacts user success. You treat
+content as interface: every label, error message, and tooltip is a design decision.
+
+You think about what the user needs to know first. In any UI surface — modal,
+tooltip, banner, empty state — you lead with the action or outcome, then add
+context only if it earns its space.
+
+You default to concise and neutral, but you know when a moment of warmth or
+encouragement earns its place — onboarding, empty states, success confirmations.
+You never force personality where clarity is the job.
+
+You check your work against the terminology glossary, voice and tone guidelines,
+and existing UI patterns below. When no guideline covers a case, you flag the
+inconsistency rather than guessing.
+
+You push back on feature names that sound good in marketing but confuse
+in-product. You know the difference between onboarding copy that holds hands
+and copy that respects user intelligence.
+
+You write in short sentences. You cut filler words. You prefer "Save" over
+"Save changes" and "Delete project?" over "Are you sure you want to delete this
+project?" unless disambiguation is genuinely needed. You understand that empty
+states, loading states, and error states are content design problems, not
+afterthoughts.
+
+---
+
+## How to work
+
+### Modes
+
+When invoked, determine what the user needs:
+
+1. **Write** — Draft new UI copy. Ask what surface (button, modal, tooltip,
+   error, empty state, and so on) and what the user action or system state is.
+   Deliver 1-3 options ranked by recommendation. For each option, include:
+   - The copy itself
+   - Which surface it targets (if ambiguous from context)
+   - Suggested i18n key (following the naming convention below)
+   - One-line rationale (which guideline it leans on)
+
+2. **Review** — The user shares existing copy or points to a file. Check it
+   against every rule below. Return a table:
+
+   | Location | Current copy | Issue | Suggested fix |
+   |----------|-------------|-------|---------------|
+
+   Group issues by severity: terminology violations first, then tone, then
+   grammar and formatting. If the copy follows all guidelines, confirm with a
+   brief summary of what was checked (e.g., "Checked against terminology
+   glossary, tone guidelines, grammar rules, and UI patterns — no issues
+   found.").
+
+3. **Audit** — Scan a file or set of files (Vue components, i18n JSON) for
+   violations. Use Grep and Glob to find patterns, then report.
+
+### Where copy lives in n8n
+
+| Location | What's there |
+|----------|-------------|
+| `packages/frontend/@n8n/i18n/src/locales/en.json` | All UI strings (i18n keys) |
+| `packages/frontend/editor-ui/src/**/*.vue` | Inline copy in Vue templates |
+| `packages/frontend/@n8n/design-system/src/**/*.vue` | Design system component defaults |
+| `packages/nodes-base/nodes/**/*.ts` | Node descriptions, parameter labels, placeholders |
+| `packages/@n8n/nodes-langchain/nodes/**/*.ts` | AI node descriptions and labels |
+| `packages/nodes-base/nodes/**/*Description.ts` | Node parameter `displayName`, `description`, `action`, `placeholder` fields (hardcoded, not i18n'd) |
+| `packages/@n8n/nodes-langchain/nodes/**/*Description.ts` | AI node parameter descriptions (hardcoded, not i18n'd) |
+| `packages/cli/src/**/*.ts` | Backend error messages in services/controllers that surface to users (hardcoded) |
+
+When editing copy, prefer changing the i18n JSON (`en.json`) over hardcoded
+strings in Vue files. If you find hardcoded user-facing strings in Vue
+templates, flag them — they should use i18n.
+
+**i18n patterns** (in order of preference):
+
+1. `i18n.baseText('key')` — preferred, most common
+2. `$t('key')` / `t('key')` — Vue i18n plugin shorthand
+3. `locale.baseText('key')` — legacy pattern, still present in older code
+
+### i18n key naming convention
+
+Keys use hierarchical dot-notation matching the feature area:
+
+| Pattern | Example | When to use |
+|---------|---------|-------------|
+| `generic.*` | `generic.cancel`, `generic.save` | Universal labels used across many surfaces |
+| `featureArea.subArea.element` | `settings.communityNodes.empty.title` | Feature-scoped copy |
+| `_reusableBaseText.*` | `_reusableBaseText.credential` | Shared constants referenced by other keys |
+| `_reusableDynamicText.*` | `_reusableDynamicText.simpleInput` | Shared text with dynamic fallbacks |
+
+When suggesting new keys, follow the existing hierarchy. Browse nearby keys in
+`en.json` to match the nesting depth and naming style of the feature area.
+
+---
+
+## Content guidelines
+
+### Language and grammar
+
+**US English.** Always. No exceptions.
+- Do: "categorizing", "color", "analyze"
+- Don't: "categorising", "colour", "analyse"
+
+**Active voice** whenever possible.
+- Do: "Administrators control user access to n8n Cloud."
+- Don't: "User access to n8n Cloud is controlled by administrators."
+
+**Sentence case** for all titles, headings, menu items, labels, and buttons.
+Only capitalize the first word and proper nouns.
+- Do: "What triggers this workflow?", "Zoom in"
+- Don't: "What Triggers This Workflow?", "Zoom In"
+
+**Periods.** A single sentence or fragment doesn't need one. If there are
+multiple sentences (including in tooltips), all of them need one.
+- "Settings" — single label, no period
+- "New workflow executions will show here." — multiple sentences need periods
+- Not: "Settings."
+
+**Contractions.** Use them. They keep the tone conversational.
+- Do: can't, don't, it's, you'll, we're
+- Don't: cannot, can not, it is, you will, we are
+
+**Oxford comma.** Always.
+- Do: "Connect apps, databases, and APIs."
+- Don't: "Connect apps, databases and APIs."
+
+**Abbreviations.** Don't use internal abbreviations or jargon in
+customer-facing copy. Spell out unfamiliar terms on first use.
+- Do: "Role-based access control (RBAC)"
+- Don't: "RBAC" alone without introduction
+
+Plural abbreviations: "APIs" not "API's".
+
+**No Latin abbreviations.** Use plain alternatives.
+
+| Don't use | Use instead |
+|-----------|-------------|
+| e.g. | for example, such as |
+| i.e. | that is, in other words |
+| etc. | and so on |
+| vs / versus | compared to, or |
+| via | through, with, using |
+| n.b. | note |
+| ad hoc | unscheduled, temporary, bespoke |
+| per se | necessarily, intrinsically |
+
+**Dates.** US format. Spell out months when space allows.
+- Do: "Apr 2", "February 14, 2025"
+- Don't: "2. Apr", "02/14/2025"
+
+**Times.** 24-hour format with leading zero (technical audience).
+- Do: 13:34, 07:52
+- Don't: 1:34 PM, 7:52
+
+**Numbers.** Commas for thousands, period for decimals.
+- Do: 23,456 and 346.65
+- Don't: 23456 and 346,65
+
+### Tone and voice
+
+Write like a knowledgeable colleague, not a manual or a marketing page. Be
+technical when precision matters, but default to plain language.
+
+**Do:**
+- Be direct. Lead with the most important information.
+- Use simple words: "use" not "utilize", "so" not "therefore", "but" not
+  "however", "give" not "provide".
+- Write short sentences. Break complex ideas into smaller pieces.
+- Use humor sparingly and only in low-stakes contexts (tooltips,
+  parentheticals, empty states). Never in errors or warnings.
+- Address the user as "you". Refer to n8n as "n8n" or "we" depending on
+  context.
+
+**Don't:**
+- Use formal business language or marketing-speak.
+- Be overly enthusiastic or use filler words.
+- Use "please" excessively. One "please" is fine. Three in a paragraph is too
+  many.
+- Anthropomorphize the product ("n8n thinks...", "n8n wants to...").
+
+**Quick reference:**
+
+| Avoid | Prefer |
+|-------|--------|
+| "Utilize the dropdown to select your preferred option" | "Select an option from the dropdown" |
+| "We are sorry, but we are unable to process your request" | "Something went wrong. Try again in a few minutes." |
+| "You have successfully created a new workflow!" | "Workflow created" |
+| "Please be advised that this action cannot be undone" | "This can't be undone" |
+
+### UI copy patterns
+
+**Action labels (buttons and CTAs).** Start with a verb. Be specific.
+- Do: "Add connection", "Save workflow", "Delete credential"
+- Don't: "New", "Submit", "OK"
+
+For destructive actions, name what's being destroyed: "Delete workflow" not just
+"Delete". Use "Cancel" for aborting a process, "Close" for dismissing
+informational dialogs.
+
+**Error messages.** Structure: what happened + why (if known) + what to do next.
+Always include at least what happened and what to do.
+- Do: "Connection failed. Check that the API key is correct and try again."
+- Do: "Workflow can't be saved. The name field is required."
+- Don't: "Error 403"
+- Don't: "Something went wrong"
+- Don't: "Invalid input. Please try again."
+
+Never blame the user: "The API key isn't valid" not "You entered an invalid API
+key".
+
+**Empty states.** Guide, don't just inform. Explain what the area is for and
+give a clear next step.
+- Do: "No executions yet. Run this workflow to see results here."
+- Don't: "No data"
+
+**Placeholder text.** Use realistic examples. Don't repeat the label.
+- Do: Label: "Webhook URL" / Placeholder: "https://example.com/webhook"
+- Don't: Label: "Webhook URL" / Placeholder: "Enter webhook URL"
+
+**Confirmation dialogs.** State the consequence. Use the specific action as the
+confirm button label.
+- Title: "Delete workflow?"
+- Body: "This will permanently delete 'My Workflow' and its execution history.
+  This can't be undone."
+- Buttons: "Delete workflow" / "Cancel"
+
+**Tooltips.** One or two sentences. Add information the label alone can't
+convey — don't repeat the label.
+- Do: "Pins the output data so the node uses it in future test runs instead of
+  fetching new data."
+- Don't: "Click to pin data"
+
+**Truncation.** Use ellipsis (…). Show full text on hover/tooltip. Node and
+workflow names: truncate from end. File paths: truncate from middle.
+
+### Terminology
+
+Use these terms consistently. Don't capitalize unless starting a sentence.
+
+| Term | Usage | Avoid |
+|------|-------|-------|
+| workflow | The automation a user builds | flow, automation, scenario |
+| node | A step in a workflow | block, step, action |
+| trigger | The node that starts a workflow | starter, initiator |
+| execution | A single run of a workflow | run, instance |
+| credential | Stored authentication for a service | secret, key, token (unless technically specific) |
+| canvas | The area where users build workflows | editor, board |
+| connection | The line between two nodes | edge, link, wire |
+| input/output | Data going into or out of a node | payload (unless technically specific) |
+| pin | Saving node output for reuse in testing | freeze, lock, save |
+
+### n8n-specific conventions
+
+- **"n8n" is always lowercase**, even at the start of a sentence. Never write
+  "N8n" or "N8N".
+- **Node names are proper nouns** — capitalize both words: "Slack Node",
+  "GitHub Node", "HTTP Request Node".
+- **Feature names are lowercase** unless starting a sentence: canvas, workflow,
+  credential, execution.
+- **"n8n Cloud"** is the hosted product name — always capitalize "Cloud".
+
+### Surfaces not covered by guidelines
+
+The guidelines above cover most UI surfaces. For these additional surfaces,
+apply the same voice and tone principles:
+
+**Loading states** — keep short, no period, use ellipsis:
+- Do: "Loading workflows…"
+- Don't: "Please wait while we load your workflows."
+
+**Success notifications** — state what happened, past tense, no exclamation:
+- Do: "Workflow saved"
+- Don't: "Workflow was saved successfully!"
+
+**Status labels** — sentence case, present tense or past participle:
+- Do: "Active", "Running", "Error", "Disabled"
+- Don't: "ACTIVE", "Currently Running", "Has Errors"
+
+### Common audit patterns
+
+When running Audit mode, use these grep patterns against `en.json` and Vue
+files to find the most common violations:
+
+| Violation | Grep pattern | Notes |
+|-----------|-------------|-------|
+| Latin abbreviations | `e\.g\.\|i\.e\.\|etc\.\| via \| vs ` | 50+ instances typical |
+| Missing contractions | `cannot\|do not\|will not\|does not\|is not\|are not` | 20+ instances typical |
+| "please" overuse | `[Pp]lease` | Review each in context — one per surface is fine |
+| User-blaming language | `You need\|You must\|You entered\|You have to` | Rewrite to focus on the system state |
+| Passive voice | `was created\|is controlled\|will be shown\|was deleted` | Not exhaustive — scan manually too |
+
+Run each pattern with Grep against the relevant files, then triage results by
+severity: terminology violations first, then tone, then grammar/formatting.
+
+---
+
+## Checklist
+
+Before finalizing any copy, verify:
+
+- [ ] US English spelling
+- [ ] Active voice
+- [ ] Sentence case (not Title Case)
+- [ ] Contractions used
+- [ ] Oxford comma present in lists
+- [ ] No Latin abbreviations (e.g., i.e., etc., via, vs)
+- [ ] No "please" overuse
+- [ ] No user-blaming language in errors
+- [ ] Terminology matches glossary exactly
+- [ ] Single fragments have no trailing period
+- [ ] Multi-sentence groups all have periods
+- [ ] Button labels start with a verb
+- [ ] Destructive actions name the thing being destroyed
+- [ ] Error messages include what happened + what to do
+- [ ] Empty states include a next step
+- [ ] Placeholders use realistic examples, not label echoes

.claude/plugins/n8n/skills/conventions/SKILL.md

@@ -0,0 +1,97 @@
+---
+description: Quick reference for n8n patterns. Full docs /AGENTS.md
+---
+
+# n8n Quick Reference
+
+**📚 Full Documentation:**
+- **General:** `/AGENTS.md` - Architecture, commands, workflows
+- **Frontend:** `/packages/frontend/AGENTS.md` - CSS variables, timing
+
+Use this skill when you need quick reminders on critical patterns.
+
+## Critical Rules (Must Follow)
+
+**TypeScript:**
+- Never `any` → use `unknown`
+- Prefer `satisfies` over `as` (except tests)
+- Shared types in `@n8n/api-types`
+
+**Error Handling:**
+```typescript
+import { UnexpectedError } from 'n8n-workflow';
+throw new UnexpectedError('message', { extra: { context } });
+// DON'T use deprecated ApplicationError
+```
+
+**Frontend:**
+- Vue 3 Composition API (`<script setup lang="ts">`)
+- CSS variables (never hardcode px) - see `/packages/frontend/AGENTS.md`
+- All text via i18n (`$t('key')`)
+- `data-testid` for E2E (single value, no spaces)
+
+**Backend:**
+- Controller → Service → Repository
+- Dependency injection via `@n8n/di`
+- Config via `@n8n/config`
+- Zod schemas for validation
+
+**Testing:**
+- Vitest (unit), Playwright (E2E)
+- Mock external dependencies
+- Work from package directory: `pushd packages/cli && pnpm test`
+
+**Database:**
+- SQLite/PostgreSQL only (app DB)
+- Exception: DB nodes (MySQL Node, etc.) can use DB-specific features
+
+**Commands:**
+```bash
+pnpm build > build.log 2>&1  # Always redirect
+pnpm typecheck               # Before commit
+pnpm lint                    # Before commit
+```
+
+## Key Packages
+
+| Package | Purpose |
+|---------|---------|
+| `packages/cli` | Backend API |
+| `packages/frontend/editor-ui` | Vue 3 frontend |
+| `packages/@n8n/api-types` | Shared types |
+| `packages/@n8n/db` | TypeORM entities |
+| `packages/workflow` | Core interfaces |
+
+## Common Patterns
+
+**Pinia Store:**
+```typescript
+import { STORES } from '@n8n/stores';
+export const useMyStore = defineStore(STORES.MY_STORE, () => {
+  const state = shallowRef([]);
+  return { state };
+});
+```
+
+**Vue Component:**
+```vue
+<script setup lang="ts">
+type Props = { title: string };
+const props = defineProps<Props>();
+</script>
+```
+
+**Service:**
+```typescript
+import { Service } from '@n8n/di';
+import { Config } from '@n8n/config';
+
+@Service()
+export class MyService {
+  constructor(private readonly config: Config) {}
+}
+```
+
+---
+
+📖 **Need more details?** Read `/AGENTS.md` and `/packages/frontend/AGENTS.md`

.claude/plugins/n8n/skills/create-community-node-lint-rule/SKILL.md

@@ -0,0 +1,217 @@
+---
+description: >-
+  Create new ESLint rules for the @n8n/eslint-plugin-community-nodes package.
+  Use when adding a lint rule, creating a community node lint, or working on
+  eslint-plugin-community-nodes. Guides rule implementation, tests, docs, and
+  plugin registration.
+---
+
+# Create Community Node Lint Rule
+
+Guide for adding new ESLint rules to `packages/@n8n/eslint-plugin-community-nodes/`.
+
+All paths below are relative to `packages/@n8n/eslint-plugin-community-nodes/`.
+
+## Step 1: Understand the Rule
+
+Before writing code, clarify:
+- **What** does the rule detect? (missing property, wrong pattern, bad value)
+- **Where** does it apply? (`.node.ts` files, credential classes, both)
+- **Severity**: `error` (must fix) or `warn` (should fix)?
+- **Fixable?** Can it be auto-fixed safely, or only suggest?
+- **Scope**: Both `recommended` configs, or exclude from `recommendedWithoutN8nCloudSupport`?
+
+## Step 2: Implement the Rule
+
+Create `src/rules/<rule-name>.ts`:
+
+```typescript
+import { AST_NODE_TYPES } from '@typescript-eslint/utils';
+
+import {
+  isNodeTypeClass,       // or isCredentialTypeClass
+  findClassProperty,
+  findObjectProperty,
+  createRule,
+} from '../utils/index.js';
+
+export const YourRuleNameRule = createRule({
+  name: 'rule-name',
+  meta: {
+    type: 'problem',  // or 'suggestion'
+    docs: {
+      description: 'One-line description of what the rule enforces',
+    },
+    messages: {
+      messageId: 'Human-readable message. Use {{placeholder}} for dynamic data.',
+    },
+    fixable: 'code',     // omit if not auto-fixable
+    hasSuggestions: true, // omit if no suggestions
+    schema: [],           // add options schema if configurable
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      ClassDeclaration(node) {
+        if (!isNodeTypeClass(node)) return;
+
+        const descriptionProperty = findClassProperty(node, 'description');
+        if (!descriptionProperty) return;
+
+        const descriptionValue = descriptionProperty.value;
+        if (descriptionValue?.type !== AST_NODE_TYPES.ObjectExpression) return;
+
+        // Rule logic here — use findObjectProperty(), getLiteralValue(), etc.
+
+        context.report({
+          node: targetNode,
+          messageId: 'messageId',
+          data: { /* template vars */ },
+          fix(fixer) {
+            return fixer.replaceText(targetNode, 'replacement');
+          },
+        });
+      },
+    };
+  },
+});
+```
+
+**Naming**: Export as `PascalCaseRule` (e.g. `MissingPairedItemRule`). The `name` field is kebab-case.
+
+**Available AST helpers** — see [reference.md](reference.md) for the full catalog of `ast-utils` and `file-utils` exports.
+
+## Step 3: Write Tests
+
+Create `src/rules/<rule-name>.test.ts`:
+
+```typescript
+import { RuleTester } from '@typescript-eslint/rule-tester';
+
+import { YourRuleNameRule } from './rule-name.js';
+
+const ruleTester = new RuleTester();
+
+// Helper to generate test code — keeps test cases readable
+function createNodeCode(/* parameterize the varying parts */): string {
+  return `
+import type { INodeType, INodeTypeDescription } from 'n8n-workflow';
+
+export class TestNode implements INodeType {
+  description: INodeTypeDescription = {
+    displayName: 'Test Node',
+    name: 'testNode',
+    group: ['input'],
+    version: 1,
+    description: 'A test node',
+    defaults: { name: 'Test Node' },
+    inputs: [],
+    outputs: [],
+    properties: [],
+  };
+}`;
+}
+
+ruleTester.run('rule-name', YourRuleNameRule, {
+  valid: [
+    { name: 'class that does not implement INodeType', code: '...' },
+    { name: 'node with correct pattern', code: createNodeCode(/* correct */) },
+  ],
+  invalid: [
+    {
+      name: 'descriptive case name',
+      code: createNodeCode(/* incorrect */),
+      errors: [{ messageId: 'messageId', data: { /* expected template vars */ } }],
+      output: createNodeCode(/* expected after fix */),  // or `output: null` if no fix
+    },
+  ],
+});
+```
+
+**Test guidelines:**
+- Always test that non-INodeType classes are skipped (valid case)
+- Test both the error message and the fixed output for fixable rules
+- For rules with options, test each option combination
+- For rules using filesystem, mock with `vi.mock('../utils/file-utils.js')`
+- For suggestion-only rules, use `errors: [{ messageId, suggestions: [...] }]`
+
+## Step 4: Register the Rule
+
+### 4a. Add to `src/rules/index.ts`
+
+```typescript
+import { YourRuleNameRule } from './rule-name.js';
+
+// Add to the rules object:
+export const rules = {
+  // ... existing rules
+  'rule-name': YourRuleNameRule,
+} satisfies Record<string, AnyRuleModule>;
+```
+
+### 4b. Add to `src/plugin.ts` configs
+
+Add to **both** config objects (unless the rule depends on n8n cloud features):
+
+```typescript
+'@n8n/community-nodes/rule-name': 'error',  // or 'warn'
+```
+
+- Use `error` for rules that catch bugs or required patterns
+- Use `warn` for style/convention rules (like `options-sorted-alphabetically`)
+- If the rule uses `no-restricted-globals` or `no-restricted-imports` patterns,
+  only add to `recommended` (not `recommendedWithoutN8nCloudSupport`)
+
+## Step 5: Write Documentation
+
+Create `docs/rules/<rule-name>.md`:
+
+```markdown
+# Description of what the rule does (`@n8n/community-nodes/rule-name`)
+
+<!-- end auto-generated rule header -->
+
+## Rule Details
+
+Explain why this rule exists and what problem it prevents.
+
+## Examples
+
+### Incorrect
+
+\`\`\`typescript
+// code that triggers the rule
+\`\`\`
+
+### Correct
+
+\`\`\`typescript
+// code that passes the rule
+\`\`\`
+```
+
+The header above `<!-- end auto-generated rule header -->` will be regenerated by `pnpm build:docs`. Write a reasonable first version — it gets overwritten.
+
+## Step 6: Verify
+
+Run from `packages/@n8n/eslint-plugin-community-nodes/`:
+
+```bash
+pushd packages/@n8n/eslint-plugin-community-nodes
+pnpm test <rule-name>.test.ts   # tests pass
+pnpm typecheck                   # types are clean
+pnpm build                       # compiles
+pnpm build:docs                  # regenerates doc headers and README table
+pnpm lint:docs                   # docs match schema
+popd
+```
+
+## Checklist
+
+- [ ] Rule file: `src/rules/<rule-name>.ts`
+- [ ] Test file: `src/rules/<rule-name>.test.ts`
+- [ ] Registered in `src/rules/index.ts`
+- [ ] Added to configs in `src/plugin.ts`
+- [ ] Doc file: `docs/rules/<rule-name>.md`
+- [ ] README table updated via `pnpm build:docs`
+- [ ] All verification commands pass

.claude/plugins/n8n/skills/create-community-node-lint-rule/reference.md

@@ -0,0 +1,85 @@
+# AST & File Utilities Reference
+
+Helpers available from `../utils/index.js`. Use these instead of writing custom AST traversal.
+
+## ast-utils.ts
+
+### Class/Interface detection
+
+| Function | Returns | Use when |
+|----------|---------|----------|
+| `isNodeTypeClass(node)` | `boolean` | Check if class implements `INodeType` or extends `Node` |
+| `isCredentialTypeClass(node)` | `boolean` | Check if class implements `ICredentialType` |
+
+### Property finding
+
+| Function | Returns | Use when |
+|----------|---------|----------|
+| `findClassProperty(node, name)` | `PropertyDefinition \| null` | Find a property on a class (e.g. `description`, `icon`) |
+| `findObjectProperty(obj, name)` | `Property \| null` | Find a property in an object literal (Identifier key) |
+| `findJsonProperty(obj, name)` | `Property \| null` | Find a property with a Literal key (JSON-style `"key"`) |
+| `findArrayLiteralProperty(obj, name)` | `Property \| null` | Find a property whose value is an ArrayExpression |
+
+### Value extraction
+
+| Function | Returns | Use when |
+|----------|---------|----------|
+| `getLiteralValue(node)` | `string \| boolean \| number \| null` | Extract primitive from a Literal node |
+| `getStringLiteralValue(node)` | `string \| null` | Extract string specifically |
+| `getBooleanLiteralValue(node)` | `boolean \| null` | Extract boolean specifically |
+| `getModulePath(node)` | `string \| null` | Get import path from string literal or template literal |
+
+### Array operations
+
+| Function | Returns | Use when |
+|----------|---------|----------|
+| `hasArrayLiteralValue(arr, value)` | `boolean` | Check if array contains a specific string literal |
+| `extractCredentialInfoFromArray(element)` | `{ name, testedBy } \| null` | Parse credential object from array element |
+| `extractCredentialNameFromArray(element)` | `string \| null` | Get just the credential name from array element |
+
+### Method matching
+
+| Function | Returns | Use when |
+|----------|---------|----------|
+| `isThisHelpersAccess(node)` | `boolean` | Match `this.helpers` member expression |
+| `isThisMethodCall(node, method)` | `boolean` | Match `this.methodName(...)` calls |
+| `isThisHelpersMethodCall(node, method)` | `boolean` | Match `this.helpers.methodName(...)` calls |
+
+### Similarity
+
+| Function | Returns | Use when |
+|----------|---------|----------|
+| `findSimilarStrings(target, candidates, maxDistance?)` | `string[]` | Suggest similar names (Levenshtein distance) |
+
+## file-utils.ts
+
+### Path operations
+
+| Function | Use when |
+|----------|----------|
+| `isContainedWithin(child, parent)` | Check path is within a directory |
+| `safeJoinPath(base, ...parts)` | Join paths with traversal prevention |
+
+### Package.json
+
+| Function | Returns | Use when |
+|----------|---------|----------|
+| `findPackageJson(startDir)` | `string \| null` | Walk up to find nearest package.json |
+| `readPackageJsonN8n(startDir)` | `N8nPackageJson \| null` | Parse n8n config section |
+| `readPackageJsonCredentials(startDir)` | `Set<string>` | Get credential names from package.json |
+| `readPackageJsonNodes(startDir)` | `string[]` | Get resolved node file paths |
+
+### File system
+
+| Function | Use when |
+|----------|----------|
+| `validateIconPath(filePath, iconValue)` | Check icon file exists and is SVG |
+| `extractCredentialNameFromFile(filePath)` | Parse credential class name from file |
+| `fileExistsWithCaseSync(filePath)` | Case-sensitive existence check |
+| `findSimilarSvgFiles(dir, name)` | Suggest similar SVG filenames |
+
+### Credential verification
+
+| Function | Use when |
+|----------|----------|
+| `areAllCredentialUsagesTestedByNodes(startDir)` | Check all credentials have testedBy |

.claude/plugins/n8n/skills/create-issue/SKILL.md

@@ -0,0 +1,360 @@
+---
+description: Create Linear tickets or GitHub issues following n8n conventions. Use when the user asks to create a ticket, file a bug, open an issue, or says /create-issue.
+argument-hint: "[linear|github] <description of the issue>"
+compatibility:
+  requires:
+    - mcp: linear
+      description: Required for creating Linear tickets
+    - cli: gh
+      description: Required for creating GitHub issues. Must be authenticated (gh auth login)
+---
+
+# Create Issue
+
+Create a Linear ticket or GitHub issue for: **$ARGUMENTS**
+
+## Determine Target
+
+Decide where the issue should be created based on user input:
+
+- If the user says "Linear", "ticket", or provides a team key (e.g., AI, NODE, N8N) → **Linear**
+- If the user says "GitHub", "GH issue", or "open source" → **GitHub**
+- If ambiguous, **ask the user** which platform they want
+
+---
+
+## Linear Tickets
+
+### Prerequisites
+
+Verify the Linear MCP is connected before proceeding.
+
+### Style Guide
+
+#### Title
+
+- **Sentence case** — capitalize only the first word (e.g., "Add webhook verification to Trello trigger")
+- **Descriptive** — a reader should understand the scope without opening the ticket
+- **5–15 words** — long enough to be specific, short enough to scan
+- **Imperative mood for features/enhancements** — "Add ...", "Support ...", "Improve ..."
+- **Bug titles** — prefix with `Bug -` followed by a description of the symptom (e.g., "Bug - Pin data not updating after workflow edit")
+- **No ticket IDs in titles** — the identifier (AI-1234) is assigned automatically
+- **No trailing punctuation**
+
+#### Description
+
+Structure the description using markdown headers. Use the appropriate template:
+
+**For bugs:**
+
+```markdown
+## Description
+[Clear explanation of the problem]
+
+## Expected
+[What should happen]
+
+## Actual
+[What happens instead]
+
+## Attachments
+[Screenshots, videos, or screen recordings that illustrate the problem]
+
+## Steps to reproduce
+1. [Step-by-step reproduction]
+
+## Additional context
+- n8n version: [version]
+- Database: [SQLite/PostgreSQL]
+- Hosting: [cloud/self-hosted]
+```
+
+**For features / enhancements:**
+
+```markdown
+## Summary
+[One-paragraph overview of what this adds or changes]
+
+## Problem
+[What limitation or gap exists today]
+
+## Proposed solution
+[How it should work — technical approach if known]
+
+## Out of scope
+[Explicitly note what this does NOT cover, if helpful]
+```
+
+**For tech debt:**
+
+```markdown
+## Summary
+[What technical improvement is needed]
+
+## Current state
+[What the code/system looks like today and why it's problematic]
+
+## Proposed improvement
+[What the improved state should look like]
+
+## Motivation
+[Why this matters — maintainability, performance, developer experience, etc.]
+
+## Scope
+[What is included / excluded from this work]
+```
+
+**For spikes / investigations:**
+
+```markdown
+## Goal
+[What question are we trying to answer]
+
+## Context
+[Why this investigation is needed now]
+
+## Expected output
+[What deliverable is expected — RFC, PoC, decision document, etc.]
+```
+
+#### Attachments (Screenshots / Videos)
+
+If the user provides screenshots, videos, or screen recordings:
+
+- **URLs** — embed directly in the description using markdown image syntax (`![description](url)`)
+- **File paths** — if the user provides a local file path, ask them to upload it to a hosting service (e.g., GitHub, Imgur) or use `mcp__linear-server__create_attachment` to attach it to the Linear ticket after creation
+- **Pasted images in conversation** — describe what the image shows in the ticket description and note that a screenshot was provided. You cannot upload binary data directly.
+
+Always mention in the description when visual evidence was provided, even if it cannot be directly embedded.
+
+#### Priority
+
+| Value | Level    | When to use |
+|-------|----------|-------------|
+| 4     | Low      | Nice-to-have, no user impact |
+| 3     | Normal   | Default — standard planned work |
+| 2     | High     | Blocks other work or affects users significantly |
+| 1     | Urgent   | Production-breaking, security vulnerability, data loss |
+| 0     | None     | Not yet assessed |
+
+**Guardrails:**
+- **Default to Normal (3)** unless the user explicitly states otherwise
+- **Never set Urgent (1)** unless the user explicitly says "urgent", "P0", "production down", or "security vulnerability"
+- **Never set None (0)** — always make a priority assessment. If unsure, use Normal (3)
+
+#### Status
+
+**Guardrails:**
+- **Never create issues in Triage status** — Triage is for externally-reported issues that enter through automated pipelines (GitHub sync, support escalation). Agent-created tickets have known context and should skip triage
+- **Default to Backlog** — use this when the issue is acknowledged but not yet planned for a sprint
+- **Use Todo** only when the user indicates the work is planned for the current cycle or should be picked up soon
+- **Never set In Progress, Review, or Done** at creation time
+
+#### Team
+
+- **Try to fetch up-to-date team areas of responsibility from Notion** using `mcp__notion__notion-search` (search for "areas of responsibility" or similar). Use the fetched data to determine the best team for the issue.
+- **If Notion MCP is unavailable or the lookup fails**, fall back to these common teams: `Engineering` (N8N), `AI`, `NODES`, `Identity & Access` (IAM), `Catalysts` (CAT), `Lifecycle & Governance` (LIGO), `Cloud Platform`, `Docs` (DOC)
+- **Always ask the user which team** if not obvious from context or the Notion lookup
+- If the issue is node-specific, it likely belongs to `NODES`
+- If it involves AI/LangChain nodes, it likely belongs to `AI`
+
+#### Labels
+
+Apply labels from these groups as appropriate:
+
+**Type (pick one):**
+- `bug` — something is broken
+- `feature` — net-new capability
+- `enhancement` — improvement to existing functionality
+- `tech debt` — internal quality improvement
+- `spike` — time-boxed investigation
+- `doc` — documentation-only change
+
+**Area (pick if applicable):**
+- `frontend`, `backend`, `performance`, `testing`, `infra`, `DX`, `Security-Team`
+
+**Source (pick if applicable):**
+- `Internal` — created by team members
+- `GitHub` — originated from a GitHub issue
+- `Sentry` — originated from error monitoring
+- `Zammad` — originated from support
+
+**Bucket (pick if applicable):**
+- Use the relevant feature-area bucket (e.g., `Credentials`, `Canvas/Node`, `RBAC`, `LangChain nodes`, `Form Trigger`, etc.)
+
+**Guardrails:**
+- **Always apply a type label** — every ticket needs at least a type
+- **Do not apply triage-state labels** (`Triage: Pending`, `Triage: Complete`, etc.) — these are managed by triage automation
+- **Do not apply release labels** (`n8n@1.36.0`, etc.) — these are managed by release automation
+- **Do not apply `docs-automation` labels** — these are managed by docs automation
+
+#### Estimates
+
+Only set an estimate if the user provides one or explicitly asks for one. Use t-shirt sizes:
+
+| Size | Value | Approximate effort |
+|------|-------|--------------------|
+| XS   | 1     | ≤ 1 hour           |
+| S    | 2     | ≤ 1 day            |
+| M    | 3     | 2–3 days           |
+| L    | 4     | 3–5 days           |
+| XL   | 5     | ≥ 6 days           |
+
+### Creating the Ticket
+
+1. **Gather required fields** — if any are missing, ask the user:
+   - Title
+   - Team
+   - Description (draft one from the user's input using the templates above)
+
+2. **Present a preview** before creating — show the user:
+   - Title
+   - Team
+   - Status
+   - Priority
+   - Labels
+   - Description (abbreviated if long)
+
+3. **Wait for user confirmation** — do not create until the user approves
+
+4. **Create the ticket** using `mcp__linear-server__save_issue`:
+   ```
+   title: <title>
+   team: <team name>
+   description: <markdown description>
+   priority: <priority number>
+   state: <status name>
+   labels: [<label names>]
+   ```
+
+5. **Report back** with the issue identifier and URL
+
+### Things to Never Do (Linear)
+
+- Never create issues in **Triage** status
+- Never set **Urgent** priority without explicit user instruction
+- Never apply **triage-state**, **release**, or **docs-automation** labels
+- Never set **assignee** unless the user explicitly asks
+- Never set a **cycle** or **milestone** unless the user explicitly asks
+- Never create **duplicate issues** — if the user describes something that sounds like it may exist, search first with `mcp__linear-server__list_issues`
+
+---
+
+## GitHub Issues
+
+### Prerequisites
+
+Verify `gh` CLI is authenticated: `gh auth status`
+
+### Important Context
+
+The n8n GitHub issue tracker (`n8n-io/n8n`) is **bug-only**. Feature requests and questions are redirected to the [community forum](https://community.n8n.io). Blank issues are disabled — the bug template must be used.
+
+### Style Guide
+
+#### Title
+
+- **Sentence case** — same as Linear
+- **Descriptive of the symptom** — what is broken, not what you want
+- **No prefixes required** — do not add "Bug:" or "Bug Report:" (the template handles categorization)
+- **No trailing punctuation**
+
+#### Body
+
+GitHub issues **must** follow the bug report template structure:
+
+```markdown
+### Bug Description
+
+[Clear explanation of the bug]
+
+### Steps to Reproduce
+
+1. [Step 1]
+2. [Step 2]
+3. [Step 3]
+
+### Expected Behavior
+
+[What should happen]
+
+### Debug Info
+
+[If available — output from Help > About n8n > Copy debug information]
+
+### Operating System
+
+[e.g., macOS 14.2, Ubuntu 22.04]
+
+### n8n Version
+
+[e.g., 1.72.1]
+
+### Node.js Version
+
+[e.g., 20.11.0]
+
+### Database
+
+SQLite / PostgreSQL
+
+### Execution Mode
+
+main / queue
+
+### Hosting
+
+n8n cloud / self hosted
+```
+
+**Guardrails:**
+- **Always include reproduction steps** — issues without them get closed as `closed:incomplete-template`
+- **Include debug info if available** — this is critical for triage
+- **Never file feature requests as GitHub issues** — redirect the user to the community forum or suggest creating a Linear ticket instead
+
+#### Labels
+
+Do **not** manually apply labels when creating GitHub issues. The triage automation handles labeling:
+- `triage:pending` is auto-applied
+- `status:in-linear` is auto-applied when synced
+
+### Creating the Issue
+
+1. **Verify it's a bug** — if the user describes a feature request, inform them that GitHub issues are bug-only and suggest alternatives (Linear ticket or community forum)
+
+2. **Draft the issue** using the template above, filling in fields from the user's input
+
+3. **Present a preview** before creating — show the user:
+   - Title
+   - Body (abbreviated if long)
+   - Repository (default: `n8n-io/n8n`)
+
+4. **Wait for user confirmation**
+
+5. **Create the issue** using `gh`:
+   ```bash
+   gh issue create --repo n8n-io/n8n --title "<title>" --body "$(cat <<'EOF'
+   <body content>
+   EOF
+   )"
+   ```
+
+6. **Report back** with the issue number and URL
+
+### Things to Never Do (GitHub)
+
+- Never file **feature requests** as GitHub issues
+- Never create issues **without reproduction steps**
+- Never manually apply **labels** — let automation handle it
+- Never create issues in **repositories other than n8n-io/n8n** unless the user explicitly specifies
+
+---
+
+## Cross-Linking
+
+When both a Linear ticket and GitHub issue exist for the same problem:
+
+- **Linear → GitHub**: Add the GitHub issue URL as a link attachment on the Linear ticket
+- **GitHub → Linear**: Add `https://linear.app/n8n/issue/<TICKET-ID>` in the GitHub issue body
+
+If the user creates one and mentions the other exists, offer to add the cross-link.

.claude/plugins/n8n/skills/create-pr/SKILL.md

@@ -0,0 +1,192 @@
+---
+description: Creates GitHub pull requests with properly formatted titles that pass the check-pr-title CI validation. Use when creating PRs, submitting changes for review, or when the user says /pr or asks to create a pull request.
+allowed-tools: Bash(git:*), Bash(gh:*), Read, Grep, Glob
+---
+
+# Create Pull Request
+
+Creates GitHub PRs with titles that pass n8n's `check-pr-title` CI validation.
+
+## PR Title Format
+
+```
+<type>(<scope>): <summary>
+```
+
+### Types (required)
+
+| Type       | Description                                      | Changelog |
+|------------|--------------------------------------------------|-----------|
+| `feat`     | New feature                                      | Yes       |
+| `fix`      | Bug fix                                          | Yes       |
+| `perf`     | Performance improvement                          | Yes       |
+| `test`     | Adding/correcting tests                          | No        |
+| `docs`     | Documentation only                               | No        |
+| `refactor` | Code change (no bug fix or feature)              | No        |
+| `build`    | Build system or dependencies                     | No        |
+| `ci`       | CI configuration                                 | No        |
+| `chore`    | Routine tasks, maintenance                       | No        |
+
+### Scopes (optional but recommended)
+
+- `API` - Public API changes
+- `benchmark` - Benchmark CLI changes
+- `core` - Core/backend/private API
+- `editor` - Editor UI changes
+- `* Node` - Specific node (e.g., `Slack Node`, `GitHub Node`)
+
+### Summary Rules
+
+- Use imperative present tense: "Add" not "Added"
+- Capitalize first letter
+- No period at the end
+- No ticket IDs (e.g., N8N-1234)
+- Add `(no-changelog)` suffix to exclude from changelog
+
+## Steps
+
+1. **Check current state**:
+   ```bash
+   git status
+   git diff --stat
+   git log origin/master..HEAD --oneline
+   ```
+
+2. **Check for implementation plan**: Look for a plan file in `.claude/plans/`
+   that matches the current branch's ticket ID (e.g. if branch is
+   `scdekov/PAY-1234-some-feature`, check for `.claude/plans/PAY-1234.md`).
+   If a plan file exists, ask the user whether they want to include it in the
+   PR description as a collapsible `<details>` section (see Plan Section below).
+   Only include the plan if the user explicitly approves.
+
+3. **If this is a security fix**, audit every public-facing artifact before
+   proceeding (see Security Fixes below).
+
+4. **Analyze changes** to determine:
+   - Type: What kind of change is this?
+   - Scope: Which package/area is affected?
+   - Summary: What does the change do?
+
+5. **Push branch if needed**:
+   ```bash
+   git push -u origin HEAD
+   ```
+
+6. **Create PR** using gh CLI. Read `.github/pull_request_template.md` as the
+   body structure, then populate each section with actual content before
+   creating the PR:
+   - **Summary**: describe what the PR does and how to test it
+   - **Related tickets**: add the Linear ticket URL (`https://linear.app/n8n/issue/[TICKET-ID]`) and any GitHub issue links
+   - **Checklist**: keep as-is from the template
+	 - Add a "🤖 PR Summary generated by AI" at the end of the body
+
+   ```bash
+   gh pr create --draft --title "<type>(<scope>): <summary>" --body "$(cat <<'EOF'
+   <populated body based on pull_request_template.md>
+   EOF
+   )"
+   ```
+
+## PR Body Guidelines
+
+Based on `.github/pull_request_template.md`:
+
+### Summary Section
+- Describe what the PR does
+- Explain how to test the changes
+- Include screenshots/videos for UI changes
+
+### Related Links Section
+- Link to Linear ticket: `https://linear.app/n8n/issue/[TICKET-ID]`
+- Link to GitHub issues using keywords to auto-close:
+  - `closes #123` / `fixes #123` / `resolves #123`
+- Link to Community forum posts if applicable
+
+### Checklist
+All items should be addressed before merging:
+- The human author of the PR has checked the "I have seen this code, I have run this code, and I take responsibility for this code." checkbox
+- PR title follows conventions
+- Docs updated or follow-up ticket created
+- Tests included (bugs need regression tests, features need coverage)
+- `release/backport` label added if urgent fix needs backporting
+
+## Examples
+
+### Feature in editor
+```
+feat(editor): Add workflow performance metrics display
+```
+
+### Bug fix in core
+```
+fix(core): Resolve memory leak in execution engine
+```
+
+### Node-specific change
+```
+fix(Slack Node): Handle rate limiting in message send
+```
+
+### Breaking change (add exclamation mark before colon)
+```
+feat(API)!: Remove deprecated v1 endpoints
+```
+
+### No changelog entry
+```
+refactor(core): Simplify error handling (no-changelog)
+```
+
+### No scope (affects multiple areas)
+```
+chore: Update dependencies to latest versions
+```
+
+## Validation
+
+The PR title must match this pattern:
+```
+^(feat|fix|perf|test|docs|refactor|build|ci|chore|revert)(\([a-zA-Z0-9 ]+( Node)?\))?!?: [A-Z].+[^.]$
+```
+
+Key validation rules:
+- Type must be one of the allowed types
+- Scope is optional but must be in parentheses if present
+- Exclamation mark for breaking changes goes before the colon
+- Summary must start with capital letter
+- Summary must not end with a period
+
+## Plan Section
+
+If a matching plan file was found in `.claude/plans/` and the user has approved
+including it, add a collapsible section at the end of the PR body (after the
+checklist, before `EOF`):
+
+```markdown
+<details>
+<summary>Implementation plan</summary>
+
+<!-- paste plan file contents here -->
+
+</details>
+```
+
+## Security Fixes
+
+**This repo is public.** Never expose the attack vector in any public artifact.
+Describe **what the code does**, not what threat it prevents.
+
+| Artifact | BAD | GOOD |
+|---|---|---|
+| Branch | `fix-sql-injection-in-webhook` | `fix-webhook-input-validation` |
+| PR title | `fix(core): Prevent SSRF` | `fix(core): Validate outgoing URLs` |
+| Commit msg | `fix: prevent denial of service` | `fix: add payload size validation` |
+| PR body | *"attacker could trigger SSRF…"* | *"validates URL protocol and host"* |
+| Linear ref | URL with slug (leaks title) | URL without slug or ticket ID only |
+| Test name | `'should prevent SQL injection'` | `'should sanitize query parameters'` |
+
+
+**Before pushing a security fix, verify:** no branch name, commit, PR title,
+PR body, Linear URL, test name, or code comment hints at the vulnerability.
+
+**When in doubt, check the Linear issue for possible extra precautions**

.claude/plugins/n8n/skills/create-skill/SKILL.md

@@ -0,0 +1,126 @@
+---
+description: >-
+  Guides users through creating effective Agent Skills. Use when you want to
+  create, write, or author a new skill, or asks about skill structure, best
+  practices, or SKILL.md format.
+---
+# Creating skills
+
+Skills are markdown (plus optional scripts) that teach the agent a focused workflow. **Keep SKILL.md short**—the context window is shared with chat, code, and other skills.
+
+## Where skills live
+
+| Location | When to use |
+|----------|-------------|
+| **`.claude/plugins/n8n/skills/<name>/`** | Default for n8n: team-shared, versioned, namespaced under `n8n:`. |
+| `~/.claude/skills/<name>/` | Personal skill for Claude Code across all projects. |
+| `~/.cursor/skills/<name>/` | Optional personal skill for Cursor only, global to your machine. |
+
+**Do not** put custom skills in `~/.cursor/skills-cursor/`—that is reserved for Cursor’s built-in skills.
+
+Prefer **plugin `.claude/plugins/n8n/skills/`** for anything that should match how the rest of the team works.
+
+## Before you write: gather requirements
+
+Ask (or infer) briefly:
+
+1. **Purpose** — one concrete task or workflow.
+2. **Triggers** — when should the agent apply this skill?
+3. **Gaps** — what does the agent *not* already know (project rules, URLs, formats)?
+4. **Outputs** — templates, checklists, or strict formats?
+5. **Examples** — follow an existing skill in `.claude/plugins/n8n/skills/` if one fits.
+
+Ask the user in plain language when you need more detail.
+
+## File layout
+
+```
+skill-name/
+├── SKILL.md       # required
+├── reference.md   # optional — detail the agent reads only if needed
+├── examples.md    # optional
+└── scripts/       # optional
+```
+
+### Frontmatter (required)
+
+```yaml
+---
+name: skill-name          # lowercase, hyphens, max 64 chars
+description: >-         # max 1024 chars, non-empty — see below
+  ...
+---
+```
+
+**Description** (discovery is everything — third person, WHAT + WHEN, trigger words):
+
+- Good: `Extracts tables from PDFs and fills forms. Use when the user works with PDFs, forms, or document extraction.`
+- Bad: `Helps with documents` or `I can help you with PDFs`
+
+## Authoring rules
+
+1. **Concise** — assume the model is capable; only add non-obvious domain or project facts.
+2. **Progressive disclosure** — essentials in `SKILL.md`; long reference in `reference.md`. Link **one level deep** from `SKILL.md`.
+3. **Prefer one default** — e.g. one library or one workflow; add an escape hatch only if needed.
+4. **Stable wording** — one term per concept; avoid dated “until month X” notes unless you tuck legacy bits behind a short “Deprecated” note.
+5. **Paths** — forward slashes only (`scripts/foo.py`).
+
+**Rough size:** aim for **well under ~200 lines** in `SKILL.md`; if it grows, split detail out.
+
+### Scope: one job per skill (and parent skills)
+
+- **Single responsibility** — one primary workflow or decision tree per skill. If triggers and steps diverge a lot (e.g. “create issue” vs “create PR” vs “full ticket → PR flow”), split into **smaller dedicated skills**.
+- **Prefer small + compose** — two or three focused skills keep irrelevant detail out of context until needed. A **parent** (orchestrator) skill can say *when* to follow each child workflow and link to their `SKILL.md`; avoid pasting full child content into the parent.
+- **When one large skill is OK** — a single end-to-end flow that always runs together and shares one tight checklist;
+
+### MCPs, CLI tools, and other skills
+
+- **Prefer CLI and repo commands** when they solve the same problem — agents handle them well and they usually add less scaffolding noise to context than MCP tool discovery and schemas. Examples: `gh` for PRs/issues, `pnpm` scripts from `AGENTS.md`.
+- **MCPs are optional per user** — not everyone has the same servers enabled. If a skill **requires** a specific MCP to work as written, say so explicitly:
+  - Put a hint in the **frontmatter description** (e.g. “Requires Linear MCP for …”) so mismatches are obvious early.
+  - Add a short **Prerequisites** (or **Requirements**) block near the top: which integration, what it is used for, and a **fallback** (e.g. web UI, `gh`, or “ask the user to paste …”) when it is missing.
+- **Referencing other skills** — use the namespaced invocation name (e.g. `n8n:create-issue`) so the agent resolves the plugin skill. For human-readable links, give the path from the repo root (e.g. `.claude/plugins/n8n/skills/create-issue/SKILL.md`). From a sibling folder, a relative link works too: `[create-issue](../create-issue/SKILL.md)`. Parent skills should delegate steps instead of duplicating long procedures.
+
+## Patterns (pick what fits)
+
+- **Template** — give the exact output shape (markdown/code blocks).
+- **Checklist** — numbered or `- [ ]` steps for multi-step work.
+- **Branching** — “If A → …; if B → …” at the top of a workflow.
+- **Scripts** — document run commands; say whether to **execute** or **read** the script.
+
+## Workflow: create → verify
+
+1. **Name + description** — hyphenated name; description with triggers.
+2. **Outline** — minimal sections; link optional files.
+3. **Implement** — `SKILL.md` first; add `reference.md` / `scripts/` only if they save tokens or reduce errors.
+4. **Check** — third-person description; terminology consistent; no duplicate encyclopedic content the model already knows.
+
+## Anti-patterns
+
+- Verbose tutorials (“what is a PDF”) inside the skill.
+- Many equivalent options with no default.
+- Vague names (`helper`, `utils`).
+- Deep chains of linked files.
+- Assuming an MCP or tool is present without stating it or offering a fallback.
+- One oversized skill that mixes unrelated workflows instead of smaller skills + a thin parent.
+
+## Quick example stub
+
+```markdown
+---
+name: my-workflow
+description: Does X using project convention Y. Use when the user asks for X or mentions Z.
+---
+
+# My workflow
+
+1. …
+2. …
+
+## Output format
+
+Use a fenced code block for the exact shape reviewers should see.
+
+## More detail
+See [reference.md](reference.md) if edge cases matter.
+```

.claude/plugins/n8n/skills/linear-issue/SKILL.md

@@ -0,0 +1,198 @@
+---
+description: Fetch and analyze Linear issue with all related context. Use when starting work on a Linear ticket, analyzing issues, or gathering context about a Linear issue.
+disable-model-invocation: true
+argument-hint: "[issue-id]"
+compatibility:
+  requires:
+    - mcp: linear
+      description: Core dependency — used to fetch issue details, relations, and comments
+    - cli: gh
+      description: GitHub CLI — used to fetch linked PRs and issues. Must be authenticated (gh auth login)
+  optional:
+    - mcp: notion
+      description: Used to fetch linked Notion documents. Skip Notion steps if unavailable.
+    - skill: loom-transcript
+      description: Used to fetch Loom video transcripts. Skip Loom steps if unavailable.
+    - cli: curl
+      description: Used to download images/attachments. Typically pre-installed.
+---
+
+# Linear Issue Analysis
+
+Start work on Linear issue **$ARGUMENTS**
+
+## Prerequisites
+
+This skill depends on external tools. Before proceeding, verify availability:
+
+**Required:**
+- **Linear MCP** (`mcp__linear`): Must be connected. Without it the skill cannot function at all.
+- **GitHub CLI** (`gh`): Must be installed and authenticated. Run `gh auth status` to verify. Used to fetch linked PRs and issues.
+
+**Optional (graceful degradation):**
+- **Notion MCP** (`mcp__notion`): Needed only if the issue links to Notion docs. If unavailable, note the Notion links in the summary and tell the user to check them manually.
+- **Loom transcript skill** (`/loom-transcript`): Needed only if the issue contains Loom videos. If unavailable, note the Loom links in the summary for the user to watch.
+- **curl**: Used to download images. Almost always available; if missing, skip image downloads and note it.
+
+If a required tool is missing, stop and tell the user what needs to be set up before continuing.
+
+## Instructions
+
+Follow these steps to gather comprehensive context about the issue:
+
+### 1. Fetch the Issue and Comments from Linear
+
+Use the Linear MCP tools to fetch the issue details and comments together:
+
+- Use `mcp__linear__get_issue` with the issue ID to get full details including attachments
+- Include relations to see blocking/related/duplicate issues
+- **Immediately after**, use `mcp__linear__list_comments` with the issue ID to fetch all comments
+
+Both calls should be made together in the same step to gather the complete context upfront.
+
+### 2. Check for Private/Security Issues (MANDATORY — do this before anything else)
+
+After fetching the issue, immediately check its labels:
+
+1. Look at the labels returned with the issue.
+2. If any label is **`n8n-private`**:
+   a. Run `git remote -v` (via Bash) to list all configured remotes.
+   b. If **any** remote URL contains `n8n-io/n8n` without the `-private` suffix (i.e. matches the public repo), **stop immediately** and tell the user:
+
+   > **This issue is marked `n8n-private` and must be developed in a clean clone of the private repository.**
+   >
+   > One or more of your remotes point to the **public** `n8n-io/n8n` repo. Mixed remotes are not allowed — you must work in a **separate local clone** of `n8n-io/n8n-private` with no references to the public repo.
+   > For the full process, see: https://www.notion.so/n8n/Processing-critical-high-security-bugs-vulnerabilities-in-private-2f45b6e0c94f803da806f472111fb1a5
+
+   Do **not** continue with any further steps — return after showing this message.
+
+3. If the label is not present, or all remotes point exclusively to `n8n-io/n8n-private`, continue normally.
+
+### 3. Analyze Attachments and Media (MANDATORY)
+
+**IMPORTANT:** This step is NOT optional. You MUST scan and fetch all visual content from BOTH the issue description AND all comments.
+
+**Screenshots/Images (ALWAYS fetch):**
+
+1. Scan the issue description AND all comments for ALL image URLs:
+	- `<img>` tags
+	- Markdown images `![](url)`
+	- Raw URLs (github.com/user-attachments, imgur.com, etc.)
+2. For EACH image found (in description or comments):
+	- Download using `curl -sL "url" -o /path/to/image.png` (GitHub URLs require following redirects) OR the linear mcp
+	- Use the `Read` tool on the downloaded file to view it
+	- Describe what you see in detail
+3. Do NOT skip images - they often contain critical context like error messages, UI states, or configuration
+
+**Loom Videos (ALWAYS fetch transcript):**
+
+1. Scan the issue description AND all comments for Loom URLs (loom.com/share/...)
+2. For EACH Loom video found (in description or comments):
+	- Use the `/loom-transcript` skill to fetch the FULL transcript
+	- Summarize key points, timestamps, and any demonstrated issues
+3. Loom videos often contain crucial reproduction steps and context that text alone cannot convey
+
+### 4. Fetch Related Context
+
+**Related Linear Issues:**
+- Use `mcp__linear__get_issue` for any issues mentioned in relations (blocking, blocked by, related, duplicates)
+- Summarize how they relate to the main issue
+
+**GitHub PRs and Issues:**
+- If GitHub links are mentioned, use `gh` CLI to fetch PR/issue details:
+	- `gh pr view <number>` for pull requests
+	- `gh issue view <number>` for issues
+- Download images attached to issues: `curl -H "Authorization: token $(gh auth token)" -L <image-url> -o image.png`
+
+**Notion Documents:**
+- If Notion links are present, use `mcp__notion__notion-fetch` with the Notion URL or page ID to retrieve document content
+- Summarize relevant documentation
+
+### 5. Review Comments
+
+Comments were already fetched in Step 1. Review them for:
+- Additional context and discussion history
+- Any attachments or media linked in comments (process in Step 3)
+- Clarifications or updates to the original issue description
+
+### 6. Identify Affected Node (if applicable)
+
+Determine whether this issue is specific to a particular n8n node (e.g. a trigger, action, or tool node). Look for clues in:
+- The issue title (e.g. "Linear trigger", "Slack node", "HTTP Request")
+- The issue description and comments mentioning node names
+- Labels or tags on the issue (e.g. `node:linear`, `node:slack`)
+- Screenshots showing a specific node's configuration or error
+
+If the issue is node-specific:
+
+1. **Find the node type ID.** Use `Grep` to search for the node's display name (or keywords from it) in `packages/frontend/editor-ui/data/node-popularity.json` to find the exact node type ID. For reference, common ID patterns are:
+   - Core nodes: `n8n-nodes-base.<camelCaseName>` (e.g. "HTTP Request" → `n8n-nodes-base.httpRequest`)
+   - Trigger variants: `n8n-nodes-base.<name>Trigger` (e.g. "Gmail Trigger" → `n8n-nodes-base.gmailTrigger`)
+   - Tool variants: `n8n-nodes-base.<name>Tool` (e.g. "Google Sheets Tool" → `n8n-nodes-base.googleSheetsTool`)
+   - LangChain/AI nodes: `@n8n/n8n-nodes-langchain.<camelCaseName>` (e.g. "OpenAI Chat Model" → `@n8n/n8n-nodes-langchain.lmChatOpenAi`)
+
+2. **Look up the node's popularity score** — first check for a Flaky assessment (see below), otherwise use the popularity file:
+
+   **Primary: Check for Flaky's assessment in Linear comments.** Flaky is an auto-triage agent that posts issue analysis as a comment. Search the comments already fetched in Step 1 for a comment from a user named "Flaky" (or containing "Flaky" in the author name) — do not re-fetch comments. If found, extract the popularity score and level directly from Flaky's analysis and use those values.
+
+   **Fallback (if no Flaky comment exists):** Look up the node's popularity score from `packages/frontend/editor-ui/data/node-popularity.json`. Use `Grep` to search for the node ID in that file. The popularity score is a log-scale value between 0 and 1. Use these thresholds to classify:
+
+   | Score | Level | Description | Examples |
+   |-------|-------|-------------|----------|
+   | ≥ 0.8 | **High** | Core/widely-used nodes, top ~5% | HTTP Request (0.98), Google Sheets (0.95), Postgres (0.83), Gmail Trigger (0.80) |
+   | 0.4–0.8 | **Medium** | Regularly used integrations | Slack (0.78), GitHub (0.64), Jira (0.65), MongoDB (0.63) |
+   | < 0.4 | **Low** | Niche or rarely used nodes | Amqp (0.34), Wise (0.36), CraftMyPdf (0.33) |
+
+   Include the raw score and the level (high/medium/low) in the summary, and note whether it came from Flaky or the popularity file.
+
+3. If the node is **not found** in the popularity file (and no Flaky comment exists), note that it may be a community node or a very new/niche node.
+
+### 7. Assess Effort/Complexity
+
+**Primary: Check for Flaky's effort estimate in Linear comments.** Search the comments already fetched in Step 1 for a Flaky comment — do not re-fetch. If found, extract the effort/complexity estimate directly from it and use that as your assessment.
+
+**Fallback (if no Flaky comment exists):** After gathering all context, assess the effort required to fix/implement the issue. Use the following T-shirt sizes:
+
+| Size | Approximate effort |
+|------|--------------------|
+| XS   | ≤ 1 hour           |
+| S    | ≤ 1 day            |
+| M    | 2-3 days           |
+| L    | 3-5 days           |
+| XL   | ≥ 6 days           |
+
+To make this assessment, consider:
+- **Scope of changes**: How many files/packages need to be modified? Is it a single node fix or a cross-cutting change?
+- **Complexity**: Is it a straightforward parameter change, a new API integration, a new credential type, or an architectural change?
+- **Testing**: How much test coverage is needed? Are E2E tests required?
+- **Risk**: Could this break existing functionality? Does it need backward compatibility?
+- **Dependencies**: Are there external API changes, new packages, or cross-team coordination needed?
+- **Documentation**: Does this require docs updates, migration guides, or changelog entries?
+
+Provide the T-shirt size along with a brief justification explaining the key factors that drove the estimate. Note whether it came from Flaky or your own assessment.
+
+### 8. Present Summary
+
+**Before presenting, verify you have completed:**
+- [ ] Downloaded and viewed ALL images in the description AND comments
+- [ ] Fetched transcripts for ALL Loom videos in the description AND comments
+- [ ] Fetched ALL linked GitHub issues/PRs via `gh` CLI
+- [ ] Listed all comments on the issue
+- [ ] Checked whether the issue is node-specific and looked up popularity if so
+- [ ] Assessed effort/complexity with T-shirt size
+
+After gathering all context, present a comprehensive summary including:
+
+1. **Issue Overview**: Title, status, priority, assignee, labels
+2. **Description**: Full issue description with any clarifications from comments
+3. **Visual Context**: Summary of screenshots/videos (what you observed in each)
+4. **Affected Node** (if applicable): Node name, node type ID (`n8n-nodes-base.xxx`), popularity score with level (e.g. `0.64 — medium popularity`)
+5. **Related Issues**: How this connects to other work
+6. **Technical Context**: Any PRs, code references, or documentation
+7. **Effort Estimate**: T-shirt size (XS/S/M/L/XL) with justification
+8. **Next Steps**: Suggested approach based on all gathered context
+
+## Notes
+
+- The issue ID can be provided in formats like: `AI-1975`, `node-1975`, or just `1975` (will search)
+- If no issue ID is provided, ask the user for one

.claude/plugins/n8n/skills/loom-transcript/SKILL.md

@@ -0,0 +1,104 @@
+---
+description: Fetch and display the full transcript from a Loom video URL. Use when the user wants to get or read a Loom transcript.
+argument-hint: [loom-url]
+---
+
+# Loom Transcript Fetcher
+
+Fetch the transcript from a Loom video using Loom's GraphQL API.
+
+## Instructions
+
+Given the Loom URL: $ARGUMENTS
+
+### 1. Extract the Video ID
+
+Parse the Loom URL to extract the 32-character hex video ID. Supported URL formats:
+- `https://www.loom.com/share/<video-id>`
+- `https://www.loom.com/embed/<video-id>`
+- `https://www.loom.com/share/<video-id>?sid=<session-id>`
+
+The video ID is the 32-character hex string after `/share/` or `/embed/`.
+
+### 2. Fetch Video Metadata
+
+Use the `WebFetch` tool to POST to `https://www.loom.com/graphql` to get the video title and details.
+
+Use this curl command via Bash:
+
+```bash
+curl -s 'https://www.loom.com/graphql' \
+  -H 'Content-Type: application/json' \
+  -H 'Accept: application/json' \
+  -H 'x-loom-request-source: loom_web_45a5bd4' \
+  -H 'apollographql-client-name: web' \
+  -H 'apollographql-client-version: 45a5bd4' \
+  -d '{
+    "operationName": "GetVideoSSR",
+    "variables": {"id": "<VIDEO_ID>", "password": null},
+    "query": "query GetVideoSSR($id: ID!, $password: String) { getVideo(id: $id, password: $password) { ... on RegularUserVideo { id name description createdAt owner { display_name } } } }"
+  }'
+```
+
+### 3. Fetch the Transcript URLs
+
+Use curl via Bash to call the GraphQL API:
+
+```bash
+curl -s 'https://www.loom.com/graphql' \
+  -H 'Content-Type: application/json' \
+  -H 'Accept: application/json' \
+  -H 'x-loom-request-source: loom_web_45a5bd4' \
+  -H 'apollographql-client-name: web' \
+  -H 'apollographql-client-version: 45a5bd4' \
+  -d '{
+    "operationName": "FetchVideoTranscript",
+    "variables": {"videoId": "<VIDEO_ID>", "password": null},
+    "query": "query FetchVideoTranscript($videoId: ID!, $password: String) { fetchVideoTranscript(videoId: $videoId, password: $password) { ... on VideoTranscriptDetails { id video_id source_url captions_source_url } ... on GenericError { message } } }"
+  }'
+```
+
+Replace `<VIDEO_ID>` with the actual video ID extracted in step 1.
+
+The response contains:
+- `source_url` — JSON transcript URL
+- `captions_source_url` — VTT (WebVTT) captions URL
+
+### 4. Download and Parse the Transcript
+
+Fetch **both** URLs returned from step 3 (if available):
+
+1. **VTT captions** (`captions_source_url`): Download with `curl -sL "<url>"`. This is a WebVTT file with timestamps and text.
+2. **JSON transcript** (`source_url`): Download with `curl -sL "<url>"`. This is a JSON file with transcript segments.
+
+Prefer the VTT captions as the primary source since they include proper timestamps. Fall back to the JSON transcript if VTT is unavailable.
+
+### 5. Present the Transcript
+
+Format and present the full transcript to the user:
+
+**Video:** [Title from metadata]
+**Author:** [Owner name]
+**Date:** [Created date]
+
+---
+
+**0:00** - First transcript segment text...
+
+**0:14** - Second transcript segment text...
+
+(continue for all segments)
+
+---
+
+## Error Handling
+
+- If the GraphQL response contains a `GenericError`, report the error message to the user.
+- If both `source_url` and `captions_source_url` are null/missing, tell the user that no transcript is available for this video.
+- If the video URL is invalid or the ID cannot be extracted, ask the user for a valid Loom URL.
+
+## Notes
+
+- No authentication or cookies are required — Loom's transcript API is publicly accessible.
+- Only English transcripts are available through this API.
+- Transcripts are auto-generated and may contain minor errors.

.claude/plugins/n8n/skills/node-add-oauth/SKILL.md

@@ -0,0 +1,321 @@
+---
+description: Add OAuth2 credential support to an existing n8n node — creates the credential file, updates the node, adds tests, and keeps the CLI constant in sync. Use when the user says /node-add-oauth.
+argument-hint: "[node-name] [optional: custom-scopes flag or scope list]"
+---
+
+## Overview
+
+Add OAuth2 (Authorization Code / 3LO) support to an existing n8n node. Works for any
+third-party service that supports standard OAuth2.
+
+Before starting, read comparable existing OAuth2 credential files and tests under
+`packages/nodes-base/credentials/` to understand the conventions used in this codebase
+(e.g. `DiscordOAuth2Api.credentials.ts`, `MicrosoftTeamsOAuth2Api.credentials.ts`).
+
+---
+
+## Step 0 — Parse arguments
+
+Extract:
+- `NODE_NAME`: the service name (e.g. `GitHub`, `Notion`). Try to infer from the argument;
+  if ambiguous, ask the user.
+- `CUSTOM_SCOPES`: whether the credential should support user-defined scopes. If the
+  argument does not make this clear, **ask the user** before proceeding:
+  > "Should users be able to customise the OAuth2 scopes for this credential, or should
+  > scopes be fixed?"
+
+---
+
+## Step 1 — Explore the node
+
+Read the following (adjust path conventions for the specific service):
+
+1. Node directory: `packages/nodes-base/nodes/{NODE_NAME}/`
+   - Find `*.node.ts` (main node) and any `*Trigger.node.ts`
+   - Find `GenericFunctions.ts` (may be named differently)
+   - Check if an `auth` / `version` subdirectory exists
+2. Existing credentials: `packages/nodes-base/credentials/` — look for existing
+   `{NODE_NAME}*Api.credentials.ts` files to understand the naming convention and any
+   auth method already in use.
+3. `package.json` at `packages/nodes-base/package.json` — find where existing credentials
+   for this node are registered (grep for the node name).
+
+---
+
+## Step 2 — Research OAuth2 endpoints
+
+Look up the service's OAuth2 documentation:
+- Authorization URL
+- Access Token URL
+- Required auth query parameters (e.g. `prompt=consent`, `access_type=offline`)
+- Default scopes needed for the node's existing operations
+- Whether the API requires a cloudId / workspace ID lookup after the token exchange
+  (Atlassian-style gateway APIs do; most services don't)
+
+If you can't determine the endpoints confidently, ask the user to provide them.
+
+---
+
+## Step 3 — Create the credential file
+
+File: `packages/nodes-base/credentials/{NODE_NAME}OAuth2Api.credentials.ts`
+
+```typescript
+import type { ICredentialType, INodeProperties } from 'n8n-workflow';
+
+const defaultScopes = [/* minimum scopes for existing node operations */];
+
+export class {NODE_NAME}OAuth2Api implements ICredentialType {
+	name = '{camelCase}OAuth2Api';
+	extends = ['oAuth2Api'];
+	displayName = '{Display Name} OAuth2 API';
+	documentationUrl = '{doc-slug}'; // matches docs.n8n.io/integrations/...
+
+	properties: INodeProperties[] = [
+		// Include service-specific fields the node needs to construct API calls
+		// (e.g. domain, workspace URL) — add BEFORE the hidden fields below.
+
+		{ displayName: 'Grant Type',        name: 'grantType',      type: 'hidden', default: 'authorizationCode' },
+		{ displayName: 'Authorization URL', name: 'authUrl',        type: 'hidden', default: '{AUTH_URL}', required: true },
+		{ displayName: 'Access Token URL',  name: 'accessTokenUrl', type: 'hidden', default: '{TOKEN_URL}', required: true },
+		// Only include authQueryParameters if the service requires extra query params:
+		{ displayName: 'Auth URI Query Parameters', name: 'authQueryParameters', type: 'hidden', default: '{QUERY_PARAMS}' },
+		{ displayName: 'Authentication',    name: 'authentication', type: 'hidden', default: 'header' },
+
+		// ── Custom scopes block (ONLY when CUSTOM_SCOPES = yes) ──────────────
+		{
+			displayName: 'Custom Scopes',
+			name: 'customScopes',
+			type: 'boolean',
+			default: false,
+			description: 'Define custom scopes',
+		},
+		{
+			displayName:
+				'The default scopes needed for the node to work are already set. If you change these the node may not function correctly.',
+			name: 'customScopesNotice',
+			type: 'notice',
+			default: '',
+			displayOptions: { show: { customScopes: [true] } },
+		},
+		{
+			displayName: 'Enabled Scopes',
+			name: 'enabledScopes',
+			type: 'string',
+			displayOptions: { show: { customScopes: [true] } },
+			default: defaultScopes.join(' '),
+			description: 'Scopes that should be enabled',
+		},
+		// ── End custom scopes block ───────────────────────────────────────────
+
+		{
+			displayName: 'Scope',
+			name: 'scope',
+			type: 'hidden',
+			// Custom scopes: expression toggles between user value and defaults.
+			// Fixed scopes: use the literal defaultScopes string instead.
+			default:
+				'={{$self["customScopes"] ? $self["enabledScopes"] : "' + defaultScopes.join(' ') + '"}}',
+		},
+	];
+}
+```
+
+**Rules:**
+- No `authenticate` block — `oAuth2Api` machinery handles Bearer token injection automatically.
+- No `test` block — the OAuth dance validates the credential.
+- `defaultScopes` at module level is the single source of truth: it populates both the
+  `enabledScopes` default and the `scope` expression fallback. Update it in one place.
+- If the service needs a domain / workspace URL for API call construction, add it as a
+  visible `string` field **before** the hidden fields.
+
+---
+
+## Step 4 — Register the credential in `package.json`
+
+File: `packages/nodes-base/package.json`
+
+Find the `n8n.credentials` array and insert the new entry near other credentials for this
+service (alphabetical ordering within the service's block):
+
+```json
+"dist/credentials/{NODE_NAME}OAuth2Api.credentials.js",
+```
+
+---
+
+## Step 5 — Update `GENERIC_OAUTH2_CREDENTIALS_WITH_EDITABLE_SCOPE` (custom scopes only)
+
+**Only do this step when CUSTOM_SCOPES = yes.**
+
+File: `packages/cli/src/constants.ts`
+
+Add `'{camelCase}OAuth2Api'` to the `GENERIC_OAUTH2_CREDENTIALS_WITH_EDITABLE_SCOPE`
+array. Without this, n8n deletes the user's custom scope on OAuth2 reconnect.
+
+```typescript
+export const GENERIC_OAUTH2_CREDENTIALS_WITH_EDITABLE_SCOPE = [
+	'oAuth2Api',
+	'googleOAuth2Api',
+	'microsoftOAuth2Api',
+	'highLevelOAuth2Api',
+	'mcpOAuth2Api',
+	'{camelCase}OAuth2Api', // ← add this
+];
+```
+
+---
+
+## Step 6 — Update `GenericFunctions.ts`
+
+### 6a — Standard services (token works directly against the instance URL)
+
+Add an `else if` branch before the existing `else` fallback:
+
+```typescript
+} else if ({versionParam} === '{camelCase}OAuth2') {
+	domain = (await this.getCredentials('{camelCase}OAuth2Api')).{domainField} as string;
+	credentialType = '{camelCase}OAuth2Api';
+} else {
+```
+
+### 6b — Gateway services requiring a workspace/cloud ID lookup
+
+When the OAuth token is scoped for a gateway URL rather than the direct instance URL
+(Atlassian's `api.atlassian.com` is the canonical example), add a module-level cache and
+lookup helper **before** the main request function:
+
+```typescript
+// Module-level cache: normalised domain → site/cloud ID
+export const _cloudIdCache = new Map<string, string>();
+
+async function getSiteId(
+	this: IHookFunctions | IExecuteFunctions | ILoadOptionsFunctions,
+	credentialType: string,
+	domain: string,
+): Promise<string> {
+	const normalizedDomain = domain.replace(/\/$/, '');
+	if (_cloudIdCache.has(normalizedDomain)) return _cloudIdCache.get(normalizedDomain)!;
+
+	const resources = (await this.helpers.requestWithAuthentication.call(this, credentialType, {
+		uri: '{ACCESSIBLE_RESOURCES_ENDPOINT}',
+		json: true,
+	})) as Array<{ id: string; url: string }>;
+
+	const site = resources.find((r) => r.url === normalizedDomain);
+	if (!site) {
+		throw new NodeOperationError(
+			this.getNode(),
+			`No accessible site found for domain: ${domain}. Make sure the domain matches your site URL exactly.`,
+		);
+	}
+
+	_cloudIdCache.set(normalizedDomain, site.id);
+	return site.id;
+}
+```
+
+Then in the main request function:
+
+```typescript
+} else if ({versionParam} === '{camelCase}OAuth2') {
+	const rawDomain = (await this.getCredentials('{camelCase}OAuth2Api')).domain as string;
+	credentialType = '{camelCase}OAuth2Api';
+	const siteId = await getSiteId.call(this, credentialType, rawDomain);
+	domain = `{GATEWAY_BASE_URL}/${siteId}`;
+} else {
+```
+
+The existing `uri: \`${domain}/rest${endpoint}\`` construction then produces the correct
+gateway URL automatically.
+
+Add `NodeOperationError` to the `n8n-workflow` import if not already present.
+
+---
+
+## Step 7 — Update the node file(s)
+
+### Main node (`*.node.ts`)
+
+**Credentials array** — add an entry for the new credential type:
+
+```typescript
+{
+	name: '{camelCase}OAuth2Api',
+	required: true,
+	displayOptions: { show: { {versionParam}: ['{camelCase}OAuth2'] } },
+},
+```
+
+**Version/auth options** — add to the `{versionParam}` (or equivalent) options list:
+
+```typescript
+{ name: '{Display Name} (OAuth2)', value: '{camelCase}OAuth2' },
+```
+
+Keep `default` unchanged — existing workflows must not be affected.
+
+### Trigger node (`*Trigger.node.ts`, if present)
+
+Same two changes. Preserve any `displayName` label pattern already used by other credential
+entries in that trigger node's credentials array.
+
+---
+
+## Step 8 — Write credential tests
+
+File: `packages/nodes-base/credentials/test/{NODE_NAME}OAuth2Api.credentials.test.ts`
+
+Use `ClientOAuth2` from `@n8n/client-oauth2` and `nock` for HTTP mocking. Follow the
+structure in `MicrosoftTeamsOAuth2Api.credentials.test.ts`.
+
+Required test cases:
+1. **Metadata** — name, extends array, `enabledScopes` default, auth URL, token URL,
+   `authQueryParameters` default (if applicable).
+2. **Default scopes in authorization URI** — call `oauthClient.code.getUri()`, assert each
+   default scope is present.
+3. **Token retrieval with default scopes** — mock the token endpoint with `nock`, call
+   `oauthClient.code.getToken(...)`, assert `token.data.scope` contains each scope.
+4. **Custom scopes in authorization URI** _(skip when CUSTOM_SCOPES = no)_.
+5. **Token retrieval with custom scopes** _(skip when CUSTOM_SCOPES = no)_.
+6. **Minimal / different scope set** _(skip when CUSTOM_SCOPES = no)_ — assert scopes not
+   in the set are absent from both the URI and token response.
+
+Lifecycle hooks required:
+```typescript
+beforeAll(() => { nock.disableNetConnect(); });
+afterAll(() => { nock.restore(); });
+afterEach(() => { nock.cleanAll(); });
+```
+
+---
+
+## Step 9 — Update `GenericFunctions.test.ts`
+
+In the credential-routing `describe` block:
+
+1. If a site-ID cache (`_cloudIdCache`) was added, import it and call
+   `_cloudIdCache.clear()` (or equivalent) in `afterEach`.
+2. Add/update the OAuth2 routing test case:
+   - **Simple routing**: assert `getCredentials` was called with the correct credential
+     name and `requestWithAuthentication` was called with the correct name and URI.
+   - **Gateway lookup**: mock `requestWithAuthentication` to return the accessible-resources
+     payload on the first call and `{}` on the second. Assert the first call targets the
+     resources endpoint and the second call uses the gateway base URL with the site ID.
+
+---
+
+## Step 10 — Verify
+
+```bash
+# From packages/nodes-base/
+pnpm test credentials/test/{NODE_NAME}OAuth2Api.credentials.test.ts
+pnpm test nodes/{NODE_NAME}/__test__/GenericFunctions.test.ts
+pnpm typecheck
+pnpm lint
+
+# Only when constants.ts was changed:
+pushd ../cli && pnpm typecheck && popd
+```
+
+Fix any type errors before finishing. Never skip `pnpm typecheck`.

.claude/plugins/n8n/skills/reproduce-bug/SKILL.md

@@ -0,0 +1,134 @@
+---
+description: Reproduce a bug from a Linear ticket with a failing test. Expects the full ticket context (title, description, comments) to be provided as input.
+---
+
+# Bug Reproduction Framework
+
+Given a Linear ticket context ($ARGUMENTS), systematically reproduce the bug
+with a failing regression test.
+
+## Step 1: Parse Signals
+
+Extract the following from the provided ticket context:
+- **Error message / stack trace** (if provided)
+- **Reproduction steps** (if provided)
+- **Workflow JSON** (if attached)
+- **Affected area** (node, execution engine, editor, API, config, etc.)
+- **Version where it broke / last working version**
+
+
+## Step 2: Route to Test Strategy
+
+Based on the affected area, pick the test layer and pattern:
+
+| Area | Test Layer | Pattern | Key Location |
+|------|-----------|---------|--------------|
+| Node operation | Jest unit | NodeTestHarness + nock | `packages/nodes-base/nodes/*/test/` |
+| Node credential | Jest unit | jest-mock-extended | `packages/nodes-base/nodes/*/test/` |
+| Trigger webhook | Jest unit | mock IHookFunctions + jest.mock GenericFunctions | `packages/nodes-base/nodes/*/test/` |
+| Binary data | Jest unit | NodeTestHarness assertBinaryData | `packages/core/nodes-testing/` |
+| Execution engine | Jest integration | WorkflowRunner + DI container | `packages/cli/src/__tests__/` |
+| CLI / API | Jest integration | setupTestServer + supertest | `packages/cli/test/integration/` |
+| Config | Jest unit | GlobalConfig + Container | `packages/@n8n/config/src/__tests__/` |
+| Editor UI | Vitest | Vue Test Utils + Pinia | `packages/frontend/editor-ui/src/**/__tests__/` |
+| E2E / Canvas | Playwright | Test containers + composables | `packages/testing/playwright/` |
+
+## Step 3: Locate Source Files
+
+Find the source code for the affected area:
+1. Search for the node/service/component mentioned in the ticket
+2. Find the GenericFunctions file (common bug location for nodes)
+3. Check for existing test files in the same area
+4. Look at recent git history on affected files (`git log --oneline -10 -- <path>`)
+
+## Step 4: Trace the Code Path
+
+Read the source code and trace the execution path that triggers the bug:
+- Follow the call chain from entry point to the failure
+- Identify the specific line(s) where the bug manifests
+- Note any error handling (or lack thereof) around the bug
+
+## Step 5: Form Hypothesis
+
+State a clear, testable hypothesis:
+- "When [input/condition], the code does [wrong thing] because [root cause]"
+- Identify the exact line(s) that need to change
+- Predict what the test output will show
+
+## Step 6: Find Test Patterns
+
+Look for existing tests in the same area:
+1. Check `test/` directories near the affected code
+2. Identify which mock/setup patterns they use
+3. Use the same patterns for consistency
+4. If no tests exist, find the closest similar node/service tests as a template
+
+## Step 7: Write Failing Test
+
+Write a regression test that:
+- Uses the patterns found in Step 6
+- Targets the specific hypothesis from Step 5
+- Includes a comment referencing the ticket ID
+- Asserts the CORRECT behavior (test will fail on current code)
+- Also includes a "happy path" test to prove the setup works
+
+## Step 8: Run and Score
+
+Run the test from the package directory (e.g., `cd packages/nodes-base && pnpm test <file>`).
+
+Classify the result:
+
+| Confidence | Criteria | Output |
+|------------|----------|--------|
+| **CONFIRMED** | Test fails consistently, failure matches hypothesis | Reproduction Report |
+| **LIKELY** | Test fails but failure mode differs slightly | Report + caveat |
+| **UNCONFIRMED** | Cannot trigger the failure | Report: what was tried |
+| **SKIPPED** | Hit a hard bailout trigger | Report: why skipped |
+| **ALREADY_FIXED** | Bug no longer reproduces on current code | Report: when fixed |
+
+## Step 9: Iterate or Bail
+
+If UNCONFIRMED after first attempt:
+- Revisit hypothesis — re-read the code path
+- Try a different test approach or layer
+- Maximum 3 attempts before declaring UNCONFIRMED
+
+**Hard bailout triggers** (stop immediately):
+- Requires real third-party API credentials
+- Race condition / timing-dependent
+- Requires specific cloud/enterprise infrastructure
+- Requires manual UI interaction that can't be scripted
+
+## Output: Reproduction Report
+
+Present findings in this format:
+
+---
+
+**Ticket:** [ID] — [title]
+**Confidence:** [CONFIRMED | LIKELY | UNCONFIRMED | SKIPPED | ALREADY_FIXED]
+
+### Root Cause
+[1-2 sentences explaining the bug mechanism]
+
+### Location
+| File | Lines | Issue |
+|------|-------|-------|
+| `path/to/file.ts` | XX-YY | Description of the problem |
+
+### Failing Test
+`path/to/test/file.test.ts` — X/Y tests fail:
+1. `test name` — [failure description]
+
+### Fix Hint
+[Pseudocode or description of the fix approach]
+
+---
+
+## Important
+
+- **DO NOT fix the bug** — only reproduce it with a failing test
+- **Leave test files in place** as evidence (don't commit unless asked)
+- **Run tests from the package directory** (e.g., `pushd packages/nodes-base && pnpm test <file> && popd`)
+- **Always redirect build output**: `pnpm build > build.log 2>&1`
+- **DO NOT look at existing fix PRs** — the goal is to reproduce from signals alone

.claude/plugins/n8n/skills/setup-mcps/SKILL.md

@@ -0,0 +1,75 @@
+---
+description: >-
+  Configure MCP servers for n8n development. Use when the user says /setup-mcps
+  or asks to set up MCP servers for n8n.
+---
+
+# MCP Setup for n8n Development
+
+Configure commonly used MCP servers for n8n engineers.
+
+## Instructions
+
+1. First, check which MCPs are already configured by running:
+```bash
+claude mcp list
+```
+Parse the output and match by **URL/command**, not server name (users may have
+used different names). The URLs to check for:
+- Linear: `mcp.linear.app`
+- Notion: `mcp.notion.com`
+- Context7: `ctx7` or `context7-mcp`
+- Figma: `mcp.figma.com`
+
+Skip any MCP whose URL/command is already present (regardless of scope or name).
+
+2. Present the MCP selection menu using `AskUserQuestion` with `multiSelect: true`.
+Only show MCPs that are **not** already configured. If all are already configured,
+inform the user and skip the menu.
+
+| Option | Label | Description |
+|--------|-------|-------------|
+| Linear | `Linear` | Linear ticket management (HTTP, OAuth — opens browser to authenticate) |
+| Notion | `Notion` | Notion workspace integration (HTTP, OAuth — opens browser to authenticate) |
+| Context7 | `Context7` | Library documentation lookup (OAuth setup via CLI) |
+| Figma | `Figma` | Figma design integration (HTTP, OAuth — opens browser to authenticate) |
+
+3. Process each selected MCP **one at a time** in a loop. For each MCP:
+   a. Ask the user via `AskUserQuestion`: "Where should **{MCP name}** be installed?"
+      - **user** (default, recommended) — available in all projects
+      - **local** — only in this project
+   b. Run the install command for that MCP with the chosen scope
+   c. Then move to the next MCP and ask again
+
+Do NOT batch the scope question — ask separately for each MCP.
+Do NOT offer project scope — it modifies `.claude/settings.json` which is tracked in git.
+
+Commands per MCP:
+
+### Linear
+```bash
+claude mcp add -s {scope} linear-server --transport http https://mcp.linear.app/mcp
+```
+After adding, tell the user to run `/mcp` in their next session to authenticate.
+
+### Notion
+```bash
+claude mcp add -s {scope} notion --transport http https://mcp.notion.com/mcp
+```
+After adding, tell the user to run `/mcp` in their next session to authenticate.
+
+### Context7
+Tell the user to run this command themselves (it handles auth via OAuth automatically):
+
+```
+npx ctx7 setup --claude
+```
+
+### Figma
+```bash
+claude mcp add -s {scope} figma --transport http https://mcp.figma.com/mcp
+```
+After adding, tell the user to run `/mcp` in their next session to authenticate.
+
+5. After running the commands, confirm which MCPs were configured and note any
+   manual steps remaining (authentication via `/mcp`, Context7 setup).

.claude/plugins/n8n/skills/spec-driven-development/SKILL.md

@@ -0,0 +1,79 @@
+---
+description: Keeps implementation and specs in sync. Use when working on a feature that has a spec in .claude/specs/, when the user says /spec, or when starting implementation of a documented feature. Also use when the user asks to verify implementation against a spec or update a spec after changes.
+---
+
+# Spec-Driven Development
+
+Specs live in `.claude/specs/`. They are the source of truth for architectural
+decisions, API contracts, and implementation scope. Implementation and specs
+must stay in sync — neither leads exclusively.
+
+## Core Loop
+
+```
+Read spec → Implement → Verify alignment → Update spec or code → Repeat
+```
+
+## Before Starting Work
+
+1. **Find the spec.** Search `.claude/specs/` for files matching the feature:
+
+```bash
+ls .claude/specs/
+```
+
+2. **Read the full spec.** Understand scope, decisions, API contracts, and
+   open questions before writing code.
+
+3. **If no spec exists** and the task is non-trivial (new module, new API,
+   architectural change), ask the user whether to create one first.
+
+## During Implementation
+
+- **Reference spec decisions** — don't re-decide what the spec already settled.
+- **When you diverge from the spec** (better approach found, user requested
+  change, constraint discovered), update the spec immediately in the same
+  session. Don't leave spec and code out of sync.
+- **Tick off TODO checkboxes** (`- [ ]` → `- [x]`) as items are completed.
+- **Strike through or annotate** items that were deliberately skipped or
+  replaced, with a brief reason:
+  ```markdown
+  - [x] ~~OpenRouter proxy~~ → Direct execution: nodes call OpenRouter directly
+  ```
+
+## After Completing Work
+
+Run a spec verification pass:
+
+1. **Re-read the spec** alongside the implementation.
+2. **Check each section:**
+   - Do API endpoints in spec match the controller?
+   - Do config/env vars in spec match the config class?
+   - Does the module structure in spec match the actual file tree?
+   - Do type definitions in spec match `@n8n/api-types`?
+   - Are all TODO items correctly checked/unchecked?
+3. **Update the spec** for any drift found. Common drift:
+   - New files added that aren't listed in the structure section
+   - API response shapes changed during implementation
+   - Config defaults adjusted
+   - Architectural decisions refined
+4. **Flag unresolved gaps** to the user — things the spec promises but
+   implementation doesn't deliver yet (acceptable for MVP, but should be noted).
+
+## Spec File Conventions
+
+- One or more markdown files per feature in `.claude/specs/`.
+- Keep specs concise. Use tables for mappings, code blocks for shapes.
+- Use `## Implementation TODO` with checkboxes to track progress.
+- Split into multiple files when it helps (e.g. separate backend/frontend),
+  but don't enforce a rigid naming scheme.
+
+## When the User Asks to "Self-Review" or "Verify Against Spec"
+
+1. Read all relevant specs.
+2. Read all implementation files.
+3. Produce a structured comparison:
+   - **Aligned**: items where spec and code match
+   - **Drift**: items where they diverge (fix immediately)
+   - **Gaps**: spec items not yet implemented (note as future work)
+4. Fix drift, update specs, report gaps to the user.

.claude/settings.json

@@ -0,0 +1,44 @@
+{
+	"permissions": {
+		"allow": [
+			"Bash(git log:*)",
+			"Bash(git show:*)",
+			"Bash(grep:*)",
+			"Bash(ls:*)",
+			"Bash(pnpm build)",
+			"Bash(pnpm lint:*)",
+			"Bash(pnpm test:*)",
+			"Bash(pnpm typecheck:*)",
+			"Bash(popd)",
+			"Bash(pushd:*)",
+			"Bash(mkdir -p .claude/plans)",
+			"Write(.claude/plans/*)"
+		]
+	},
+	"hooks": {
+		"PostToolUse": [
+			{
+				"matcher": "Skill",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "node .claude/plugins/n8n/scripts/track-skill-usage.mjs",
+						"timeout": 10,
+						"async": true
+					}
+				]
+			}
+		]
+	},
+	"extraKnownMarketplaces": {
+		"n8n": {
+			"source": {
+				"source": "directory",
+				"path": "./.claude/plugins/n8n"
+			}
+		}
+	},
+	"enabledPlugins": {
+		"n8n@n8n": true
+	}
+}

.devcontainer/Dockerfile

@@ -1,9 +1,15 @@
-FROM n8nio/base:22
+ARG NODE_VERSION=24
 
-RUN apk add --no-cache --update openssh sudo shadow bash
+FROM node:${NODE_VERSION}-alpine
+
+ARG NODE_VERSION
+
+RUN apk add --no-cache \
+    openssh sudo shadow bash libc-utils \
+    git openssl graphicsmagick tini tzdata ca-certificates libc6-compat
 RUN echo node ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/node && chmod 0440 /etc/sudoers.d/node
 RUN mkdir /workspaces && chown node:node /workspaces
-RUN npm install -g pnpm
+RUN corepack enable
 
 USER node
 RUN mkdir -p ~/.pnpm-store && pnpm config set store-dir ~/.pnpm-store --global

.dockerignore

@@ -1,21 +1,40 @@
-# We want to include the THIRD_PARTY_LICENSES.md file in the Docker image,
-# but not other .md files
-**/*.md
-!**/THIRD_PARTY_LICENSES.md
-**/.env
-.cache
-assets
-node_modules
-packages/node-dev
-packages/**/node_modules
-packages/**/dist
-packages/**/.turbo
-packages/**/*.test.*
-.git
-.github
-!.github/scripts
-*.tsbuildinfo
-docker/compose
-docker/**/Dockerfile
-.vscode
-packages/testing
+# Whitelist approach: ignore everything, then allow only what Docker builds need
+# This reduces build context from ~900MB to just what's required
+
+# Ignore everything first
+*
+
+# === n8n main image (docker/images/n8n/Dockerfile) ===
+!compiled
+!compiled/**
+!THIRD_PARTY_LICENSES.md
+
+# === runners image (docker/images/runners/Dockerfile + Dockerfile.distroless) ===
+!dist
+!dist/task-runner-javascript
+!dist/task-runner-javascript/**
+!packages
+!packages/@n8n
+!packages/@n8n/task-runner-python
+!packages/@n8n/task-runner-python/**
+
+# === Docker build files (entrypoints, configs) ===
+!docker
+!docker/images
+!docker/images/n8n
+!docker/images/n8n/docker-entrypoint.sh
+!docker/images/runners
+!docker/images/runners/n8n-task-runners.json
+
+# === benchmark image (packages/@n8n/benchmark/Dockerfile) ===
+!package.json
+!pnpm-lock.yaml
+!pnpm-workspace.yaml
+!patches
+!patches/**
+!scripts
+!scripts/**
+!packages/@n8n/benchmark
+!packages/@n8n/benchmark/**
+!packages/@n8n/typescript-config
+!packages/@n8n/typescript-config/**

.env.local.example

@@ -0,0 +1,57 @@
+# =============================================================================
+# n8n local development — minimal environment variables
+# =============================================================================
+# This is a minimal example covering some local environment variables for development.
+# Many more variables exist — search for @Env() decorators in the codebase.
+# Most of them already have default values, so you only need to fill in the ones you need to change.
+#
+# Usage (run from the repo root):
+#   1. Copy this file: cp .env.local.example .env.local
+#   2. Fill in the values below
+#   3. Prefix any dev command with dotenvx, for example:
+#        pnpm exec dotenvx run -f .env.local -- pnpm dev:be
+#
+# Note: dotenvx supports variable expansion (e.g. $HOME) but not shell
+#       tilde expansion. Use $HOME instead of ~ for paths.
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Local data folder
+# Source: packages/@n8n/config/src/utils/utils.ts
+# -----------------------------------------------------------------------------
+N8N_USER_FOLDER=
+
+# -----------------------------------------------------------------------------
+# License
+# Source: packages/@n8n/config/src/configs/license.config.ts
+# -----------------------------------------------------------------------------
+# Tenant identifier for the license SDK (for example, self-hosted, sandbox, embed, cloud).
+N8N_LICENSE_TENANT_ID=
+# Activation key used to activate or upgrade the instance license.
+N8N_LICENSE_ACTIVATION_KEY=
+# Ephemeral license certificate.
+N8N_LICENSE_CERT=
+
+# -----------------------------------------------------------------------------
+# AI
+# Source: packages/@n8n/config/src/configs/ai.config.ts
+#         packages/@n8n/config/src/configs/ai-assistant.config.ts
+#         packages/@n8n/config/src/configs/ai-builder.config.ts
+# -----------------------------------------------------------------------------
+# Whether AI features (such as AI nodes and AI assistant) are enabled globally.
+N8N_AI_ENABLED=
+# Base URL of the AI assistant service.
+# When set, requests are sent to this URL instead of the default provider endpoint.
+N8N_AI_ASSISTANT_BASE_URL=
+# API key for the Anthropic (Claude) provider used by the AI workflow builder.
+# When set, enables AI-powered workflow and node building.
+N8N_AI_ANTHROPIC_KEY=
+
+# -----------------------------------------------------------------------------
+# LangSmith tracing (optional)
+# Not an n8n config var — read directly by the LangChain SDK.
+# See: https://docs.smith.langchain.com/
+# -----------------------------------------------------------------------------
+LANGSMITH_ENDPOINT=
+LANGSMITH_PROJECT=
+LANGSMITH_TRACING=

.github/CI-TELEMETRY.md

@@ -0,0 +1,114 @@
+# CI Telemetry
+
+Pipeline: **GitHub Actions → Webhook → n8n → BigQuery**
+
+## Unified Payload Shape
+
+All telemetry uses the same format:
+
+```json
+{
+  "timestamp": "2026-03-16T12:00:00.000Z",
+  "benchmark_name": "kafka-throughput-10n-10kb",
+  "git":    { "sha": "abc12345", "branch": "master", "pr": null },
+  "ci":     { "runId": "123", "runUrl": "...", "job": "test", "workflow": "CI", "attempt": 1 },
+  "runner": { "provider": "blacksmith", "cpuCores": 8, "memoryGb": 16.0 },
+  "metrics": [
+    { "metric_name": "exec-per-sec", "value": 12.4, "unit": "exec/s", "dimensions": { "trigger": "kafka", "nodes": 10 } }
+  ]
+}
+```
+
+## Standard Context Fields
+
+```typescript
+git.sha         // GITHUB_SHA (first 8 chars)
+git.branch      // GITHUB_HEAD_REF ?? GITHUB_REF_NAME
+git.pr          // PR number from GITHUB_REF
+
+ci.runId        // GITHUB_RUN_ID
+ci.runUrl       // https://github.com/<repo>/actions/runs/<runId>
+ci.job          // GITHUB_JOB
+ci.workflow     // GITHUB_WORKFLOW
+ci.attempt      // GITHUB_RUN_ATTEMPT
+
+runner.provider  // 'github' | 'blacksmith' | 'local'
+runner.cpuCores  // os.cpus().length
+runner.memoryGb  // os.totalmem()
+```
+
+**Runner provider logic:**
+```typescript
+if (!process.env.CI) return 'local';
+if (process.env.RUNNER_ENVIRONMENT === 'github-hosted') return 'github';
+return 'blacksmith';
+```
+
+## Implementations
+
+| Telemetry | Source | Metrics |
+|-----------|--------|---------|
+| Playwright perf/benchmark | `packages/testing/playwright/reporters/metrics-reporter.ts` | Any metric attached via `attachMetric()` |
+| Build stats | `.github/scripts/send-build-stats.mjs` | Per-package build duration, cache hit/miss, run total |
+| Docker stats | `.github/scripts/send-docker-stats.mjs` | Image size per platform, docker build duration |
+| Container stack | `packages/testing/containers/telemetry.ts` | E2E stack startup times per service |
+
+## Secrets
+
+```
+QA_METRICS_WEBHOOK_URL
+QA_METRICS_WEBHOOK_USER
+QA_METRICS_WEBHOOK_PASSWORD
+```
+
+## BigQuery Table
+
+`qa_performance_metrics` — schema:
+
+```sql
+timestamp        TIMESTAMP NOT NULL
+benchmark_name   STRING
+metric_name      STRING NOT NULL
+value            FLOAT64 NOT NULL
+unit             STRING
+dimensions       JSON                 -- {"nodes": 10, "trigger": "kafka", "package": "@n8n/cli"}
+git_sha          STRING
+git_branch       STRING
+git_pr           INT64
+ci_run_id        STRING
+ci_run_url       STRING
+ci_job           STRING
+ci_workflow      STRING
+ci_attempt       INT64
+runner_provider  STRING
+runner_cpu_cores INT64
+runner_memory_gb FLOAT64
+```
+
+Query example:
+```sql
+-- Build duration trend by package (cache misses only)
+SELECT DATE(timestamp), JSON_VALUE(dimensions, '$.package'), AVG(value)
+FROM qa_performance_metrics
+WHERE metric_name = 'build-duration'
+  AND JSON_VALUE(dimensions, '$.cache') = 'miss'
+GROUP BY 1, 2 ORDER BY 1;
+```
+
+## Adding New Telemetry
+
+**From a script:**
+```javascript
+import { sendMetrics, metric } from './send-metrics.mjs';
+
+await sendMetrics([
+  metric('my-metric', 42.0, 'ms', { context: 'value' }),
+]);
+```
+
+**From a Playwright test:**
+```typescript
+import { attachMetric } from '../utils/performance-helper';
+
+await attachMetric(testInfo, 'my-metric', 42.0, 'ms', { context: 'value' });
+```

.github/CLAUDE.md

@@ -0,0 +1,42 @@
+@../AGENTS.md
+
+## .github Quick Reference
+
+This folder contains n8n's GitHub Actions infrastructure.
+
+### Key Files
+
+| File/Folder | Purpose |
+|-------------|---------|
+| `WORKFLOWS.md` | Complete CI/CD documentation |
+| `workflows/` | GitHub Actions workflows |
+| `actions/` | Reusable composite actions |
+| `scripts/` | Release & Docker automation |
+| `CODEOWNERS` | Team review ownership |
+
+### Workflow Naming
+
+| Prefix | Purpose |
+|--------|---------|
+| `test-` | Testing (unit, E2E, visual) |
+| `ci-` | Continuous integration |
+| `util-` | Utilities (notifications) |
+| `build-` | Build processes |
+| `release-` | Release automation |
+| `sec-` | Security scanning |
+
+Reusable workflows: add `-reusable` or `-callable` suffix.
+
+### Common Tasks
+
+**Add workflow:** Create in `workflows/`, document in `WORKFLOWS.md`
+
+**Add script:** Create `.mjs` in `scripts/`, document in `WORKFLOWS.md`
+
+### Reference
+
+See `WORKFLOWS.md` for:
+- Architecture diagrams
+- Workflow call graph
+- Scheduled jobs & triggers
+- Runners & secrets

.github/CODEOWNERS

@@ -1,4 +1,6 @@
 packages/@n8n/db/src/migrations/ @n8n-io/migrations-review
+.github/workflows @n8n-io/ci-admins
+.github/scripts @n8n-io/ci-admins
+.github/actions @n8n-io/ci-admins
+.github/poutine-rules @n8n-io/ci-admins
 
-# Node popularity data updates
-packages/frontend/editor-ui/data/node-popularity.json @n8n-io/catalysts

.github/ISSUE_TEMPLATE/01-bug.yml

@@ -66,7 +66,7 @@ body:
     id: nodejs-version
     attributes:
       label: Node.js Version
-      placeholder: ex. 22.16.0
+      placeholder: ex. 24.0.0
     validations:
       required: true
   - type: dropdown
@@ -76,8 +76,6 @@ body:
       options:
         - SQLite (default)
         - PostgreSQL
-        - MySQL
-        - MariaDB
       default: 0
     validations:
       required: true

.github/WORKFLOWS.md

@@ -0,0 +1,676 @@
+# GitHub Actions & CI/CD Documentation
+
+Complete reference for n8n's `.github/` folder.
+
+---
+
+## Folder Structure
+
+```
+.github/
+├── WORKFLOWS.md                          # This document
+├── CI-TELEMETRY.md                       # Telemetry & metrics guide
+├── CODEOWNERS                            # Team ownership for PR reviews
+├── pull_request_template.md              # PR description template
+├── pull_request_title_conventions.md     # Title format rules (Angular)
+├── actionlint.yml                        # Workflow linter config
+├── docker-compose.yml                    # DB services for local testing
+├── test-metrics/
+│   └── playwright.json                   # E2E performance baselines
+├── ISSUE_TEMPLATE/
+│   ├── config.yml                        # Routes to community/security
+│   └── 01-bug.yml                        # Structured bug report form
+├── scripts/                              # Automation scripts
+│   ├── bump-versions.mjs                 # Calculate next version
+│   ├── update-changelog.mjs              # Generate CHANGELOG
+│   ├── trim-fe-packageJson.js            # Strip frontend devDeps
+│   ├── ensure-provenance-fields.mjs      # Add license/author fields
+│   ├── validate-docs-links.js            # Check documentation URLs
+│   ├── send-build-stats.mjs              # Turbo build telemetry → webhook
+│   └── docker/
+│       ├── docker-tags.mjs               # Generate image tags
+│       └── docker-config.mjs             # Build context config
+├── actions/                              # Custom composite actions
+│   ├── setup-nodejs/                     # pnpm + Node + Turbo cache
+│   └── docker-registry-login/            # GHCR + DockerHub auth
+└── workflows/                            # GitHub Actions workflows
+```
+
+---
+
+## Architecture Overview
+
+```
+┌────────────────────────────────────────────────────────────────────────────┐
+│                          n8n CI/CD ARCHITECTURE                            │
+├────────────────────────────────────────────────────────────────────────────┤
+│                                                                            │
+│  TRIGGERS                     PIPELINES                      OUTPUTS       │
+│  ────────                     ─────────                      ───────       │
+│                                                                            │
+│  ┌──────────┐    ┌──────────────────────────────────┐    ┌────────────┐   │
+│  │    PR    │───▶│  ci-pull-requests.yml            │───▶│   Checks   │   │
+│  └──────────┘    │  ├─ build + paths-filter         │    │    Gate    │   │
+│                  │  ├─ unit-test (reusable)         │    └────────────┘   │
+│  ┌──────────┐    │  ├─ typecheck                    │                     │
+│  │   Push   │───▶│  ├─ lint (reusable)              │    ┌────────────┐   │
+│  │  master  │    │  ├─ e2e-tests (reusable)         │───▶│  Coverage  │   │
+│  └──────────┘    │  └─ security (if .github/**)     │    └────────────┘   │
+│                  └──────────────────────────────────┘                     │
+│                                                                            │
+│  ┌──────────┐    ┌──────────────────────────────────┐    ┌────────────┐   │
+│  │  Merge   │───▶│  release-publish.yml             │───▶│    NPM     │   │
+│  │release/* │    │  ├─ publish-to-npm               │    ├────────────┤   │
+│  └──────────┘    │  ├─ publish-to-docker-hub        │───▶│   Docker   │   │
+│                  │  ├─ create-github-release        │    ├────────────┤   │
+│                  │  ├─ create-sentry-release        │───▶│   Sentry   │   │
+│                  │  └─ generate-sbom                │    ├────────────┤   │
+│                  └──────────────────────────────────┘───▶│    SBOM    │   │
+│                                                          └────────────┘   │
+│  ┌──────────┐    ┌──────────────────────────────────┐                     │
+│  │ Schedule │───▶│  Nightly/Weekly Jobs             │    ┌────────────┐   │
+│  │  (cron)  │    │  ├─ docker-build-push (nightly)  │───▶│   Images   │   │
+│  └──────────┘    │  ├─ test-benchmark-nightly       │───▶│  Metrics   │   │
+│                  │  ├─ test-workflows-nightly       │    └────────────┘   │
+│                  │  ├─ test-e2e-vm-expressions      │                     │
+│                  │  └─ test-e2e-coverage-weekly     │                     │
+│                  └──────────────────────────────────┘                     │
+│                                                                            │
+└────────────────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Quick Reference
+
+| Prefix     | Purpose                                 |
+|------------|-----------------------------------------|
+| `test-`    | Testing (E2E, unit, visual, benchmarks) |
+| `ci-`      | Continuous integration                  |
+| `util-`    | Utilities (notifications, sync, Claude) |
+| `build-`   | Build processes                         |
+| `release-` | Release automation                      |
+| `sec-`     | Security scanning                       |
+| Other      | Docker, SBOM, patch releases            |
+
+---
+
+## PR Title Conventions
+
+Commits drive changelog generation. Follow Angular convention:
+
+```
+Format: <type>(<scope>): <summary>
+
+Types:   feat | fix | perf | test | docs | refactor | build | ci | chore
+Scopes:  API | benchmark | core | editor | * Node (optional)
+
+Examples:
+  feat(editor): Add dark mode toggle
+  fix(Slack Node): Handle rate limiting correctly
+  perf(core): Optimize workflow execution by 20%
+  refactor: Migrate to TypeScript strict mode (no-changelog)
+
+Breaking Changes:  Add "BREAKING CHANGE:" footer with migration guide
+Deprecations:      Add "DEPRECATED:" footer with update path
+Skip Changelog:    Add "(no-changelog)" to PR title
+```
+
+See `pull_request_title_conventions.md` for full spec.
+
+---
+
+## What Runs When You Open a PR
+
+### Flow Diagram
+
+```
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                            PR OPENED / UPDATED                               │
+└─────────────────────────────────────┬────────────────────────────────────────┘
+                                      │
+          ┌───────────────────────────┴───────────────────────┐
+          ▼                                                   ▼
+┌───────────────────────────┐                     ┌───────────────────────────┐
+│  ci-pull-requests.yml     │                     │  ci-check-pr-title.yml    │
+│  (main orchestrator)      │                     │  (validates title format) │
+└─────────────┬─────────────┘                     └───────────────────────────┘
+              │
+              ▼
+┌───────────────────────────┐
+│  install-and-build        │
+│  └─ paths-filter          │──────────────────────────────────────────┐
+└─────────────┬─────────────┘                                          │
+              │                                                        │
+              │ [if non-Python files changed]                          │ [if .github/** changed]
+              │                                                        │
+    ┌─────────┼─────────┬─────────────┬─────────────┐                  │
+    │         │         │             │             │                  │
+    ▼         ▼         ▼             ▼             ▼                  ▼
+┌───────┐ ┌───────┐ ┌───────┐ ┌────────────┐ ┌────────────┐   ┌────────────┐
+│ unit  │ │ type  │ │ lint  │ │  e2e-tests │ │  security  │   │  security  │
+│ test  │ │ check │ │       │ │            │ │  checks    │   │  checks    │
+└───┬───┘ └───┬───┘ └───┬───┘ └─────┬──────┘ └─────┬──────┘   └─────┬──────┘
+    │         │         │           │              │                │
+    │         │         │     ┌─────┴─────┐        │                │
+    │         │         │     ▼           ▼        │                │
+    │         │         │  Internal    Fork PR     │                │
+    │         │         │  14 shards   6 shards    │                │
+    │         │         │  Docker      SQLite      │                │
+    │         │         │                          │                │
+    └─────────┴─────────┴──────────┬───────────────┴────────────────┘
+                                   │
+                                   ▼
+                    ┌──────────────────────────────┐
+                    │       required-checks        │
+                    │        (merge gate)          │
+                    └──────────────────────────────┘
+```
+
+### Path-Filtered Workflows
+
+These only run if specific files changed:
+
+| Files Changed                                                          | Workflow                    | Branch     |
+|------------------------------------------------------------------------|-----------------------------|------------|
+| `packages/@n8n/task-runner-python/**`                                  | `ci-python.yml`             | any        |
+| `packages/cli/src/databases/**`, `*.entity.ts`, `*.repository.ts`      | `test-db.yml`               | any        |
+| `packages/frontend/@n8n/storybook/**`, design-system, chat             | `test-visual-storybook.yml` | master     |
+| `docker/images/n8n-base/Dockerfile`                                    | `build-base-image.yml`      | any        |
+| `**/package.json`, `**/turbo.json`                                     | `build-windows.yml`         | master     |
+| `packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/**` | `test-evals-python.yml`  | any        |
+| `packages/@n8n/benchmark/**`                                           | `build-benchmark-image.yml` | master     |
+| `packages/cli/src/public-api/**/*.{css,yaml,yml}`                      | `util-sync-api-docs.yml`    | master     |
+
+### On PR Review
+
+| Event                      | Workflow                    | Condition                    |
+|----------------------------|-----------------------------|------------------------------|
+| Review approved            | `test-visual-chromatic.yml` | + design files changed       |
+| Comment with `@claude`     | `util-claude.yml`           | mention in any comment       |
+| Any review                 | `util-notify-pr-status.yml` | not community-labeled        |
+
+### On PR Close/Merge
+
+| Event                      | Workflow                    |
+|----------------------------|-----------------------------|
+| PR closed (any)            | `util-notify-pr-status.yml` |
+| PR merged to `release/*`   | `release-publish.yml`       |
+
+### Manual Triggers (PR Comments)
+
+| Command            | Workflow                     | Permissions         |
+|--------------------|------------------------------|---------------------|
+| `/test-workflows`  | `test-workflows-callable.yml`| admin/write/maintain|
+
+**Why:** Re-run tests without pushing commits. Useful for flaky test investigation.
+
+### Other Manual Workflows
+
+| Workflow                  | Purpose                                                 |
+|---------------------------|---------------------------------------------------------|
+| `util-claude-task.yml`    | Run Claude Code to complete a task and create a PR      |
+| `util-data-tooling.yml`   | SQLite/PostgreSQL export/import validation (manual)     |
+
+#### Claude Task Runner (`util-claude-task.yml`)
+
+Runs Claude Code to complete a task, then creates a PR with the changes. Use for well-specced tasks or simple fixes. Can be triggered via GitHub UI or API.
+
+Claude reads templates from `.github/claude-templates/` for task-specific guidance. Add new templates as needed for recurring task types.
+
+**Inputs:**
+- `task` - Description of what Claude should do
+- `user_token` - GitHub PAT (PR will be authored by the token owner)
+
+**Token requirements** (fine-grained PAT):
+- Repository: `n8n-io/n8n`
+- Contents: `Read and write`
+- Pull requests: `Read and write`
+
+**Governance:** If you provide your personal PAT, you cannot approve the resulting PR. For automated/bot use cases (e.g., dependabot-style updates via n8n workflows), an app token can be used instead.
+
+---
+
+## Workflow Call Graph
+
+Shows which workflows call which reusable workflows:
+
+```
+CALLER                             REUSABLE WORKFLOW
+───────────────────────────────────────────────────────────────────────────────
+
+ci-pull-requests.yml
+    ├──────────────────────────▶  test-unit-reusable.yml
+    ├──────────────────────────▶  test-linting-reusable.yml
+    ├──────────────────────────▶  test-e2e-ci-reusable.yml
+    │                                 └──────────▶  test-e2e-reusable.yml
+    └──────────────────────────▶  sec-ci-reusable.yml
+                                      └──────────▶  sec-poutine-reusable.yml
+
+ci-master.yml
+    ├──────────────────────────▶  test-unit-reusable.yml
+    └──────────────────────────▶  test-linting-reusable.yml
+
+release-publish.yml
+    ├──────────────────────────▶  docker-build-push.yml
+    │                                 └──────────▶  security-trivy-scan-callable.yml
+    └──────────────────────────▶  sbom-generation-callable.yml
+
+test-workflows-nightly.yml
+    └──────────────────────────▶  test-workflows-callable.yml
+
+test-e2e-vm-expressions-nightly.yml
+    └──────────────────────────▶  test-e2e-ci-reusable.yml
+                                      └──────────▶  test-e2e-reusable.yml
+
+PR Comment Dispatchers (triggered by /command in PR comments):
+test-workflows-pr-comment.yml
+    └──────────────────────────▶  test-workflows-callable.yml
+```
+
+---
+
+## Release Lifecycle
+
+```
+┌────────────────────────────────────────────────────────────────────────────┐
+│                           RELEASE LIFECYCLE                                │
+├────────────────────────────────────────────────────────────────────────────┤
+│                                                                            │
+│  STAGE 1: Create Release PR                                                │
+│  ───────────────────────────                                               │
+│  Trigger: Manual workflow_dispatch                                         │
+│                                                                            │
+│  release-create-pr.yml                                                     │
+│  ├─ bump-versions.mjs ────────▶ Calculate X.Y.Z                            │
+│  ├─ update-changelog.mjs ─────▶ Generate CHANGELOG                         │
+│  └─ Create PR: release-pr/X.Y.Z → release/X.Y.Z                            │
+│                                                                            │
+│  Inputs:                                                                   │
+│  ├─ release-type: patch │ minor │ major │ experimental │ premajor          │
+│  └─ base-branch: default master                                            │
+│                          │                                                 │
+│                          ▼                                                 │
+│  STAGE 2: CI Validation                                                    │
+│  ───────────────────────                                                   │
+│  ci-pull-requests.yml runs full suite                                      │
+│  ├─ NO ci-check-pr-title.yml (skipped for release branches)                │
+│  └─ NO test-visual-chromatic.yml (skipped)                                 │
+│                          │                                                 │
+│                          ▼ [Merge PR]                                      │
+│  STAGE 3: Publish                                                          │
+│  ───────────────                                                           │
+│  release-publish.yml (triggered on merge to release/*)                     │
+│  ├─ publish-to-npm                                                         │
+│  │   ├─ trim-fe-packageJson.js ───▶ Strip devDeps                          │
+│  │   ├─ ensure-provenance-fields.mjs ───▶ Add license fields               │
+│  │   └─ npm publish (tag: rc or latest)                                    │
+│  ├─ publish-to-docker-hub ────────▶ docker-build-push.yml                  │
+│  │   └─ Multi-arch: amd64 + arm64                                          │
+│  ├─ create-github-release                                                  │
+│  ├─ create-sentry-release (sourcemaps)                                     │
+│  ├─ generate-sbom ────────────────▶ sbom-generation-callable.yml           │
+│  │   └─ CycloneDX + Cosign signing                                         │
+│  └─ trigger-release-note (stable only)                                     │
+│                          │                                                 │
+│                          ▼                                                 │
+│  STAGE 4: Channel Promotion (optional)                                     │
+│  ──────────────────────────────────────                                    │
+│  Trigger: Manual release-push-to-channel.yml                               │
+│  ├─ beta ─────▶ npm tags: next, beta                                       │
+│  └─ stable ───▶ npm tags: latest, stable                                   │
+│                                                                            │
+└────────────────────────────────────────────────────────────────────────────┘
+```
+
+### Other Release Workflows
+
+| Workflow                         | Trigger            | Purpose                                        |
+|----------------------------------|--------------------|------------------------------------------------|
+| `release-standalone-package.yml` | Manual dispatch    | Release individual packages (@n8n/codemirror-lang, @n8n/create-node, etc.) |
+| `create-patch-release-branch.yml`| Manual dispatch    | Cherry-pick commits for patch releases         |
+
+---
+
+## Fork vs Internal PR
+
+| Aspect             | Internal PR                      | Fork PR                 |
+|--------------------|----------------------------------|-------------------------|
+| E2E Runner         | `blacksmith-2vcpu-ubuntu-2204`   | `ubuntu-latest`         |
+| E2E Mode           | `docker-build` (multi-main)      | `local` (SQLite)        |
+| E2E Shards         | 14 + 2                           | 6 + 2                   |
+| Test Command       | `test:container:multi-main:*`    | `test:local:*`          |
+| Secrets            | Full access                      | None                    |
+| Currents Recording | Yes                              | No                      |
+| Failure Artifacts  | No                               | Yes                     |
+
+**Why:** Fork PRs cannot access repository secrets. Local mode with SQLite provides feedback without paid services.
+
+---
+
+## ci-master.yml
+
+Runs on push to `master` or `1.x`:
+
+```
+Push to master/1.x
+├─ build-github (populate cache)
+├─ unit-test (matrix: Node 22.x, 24.14.1, 25.x)
+│   └─ Coverage only on 24.14.1
+├─ lint
+└─ notify-on-failure (Slack #alerts-build)
+```
+
+---
+
+## Scheduled Jobs
+
+| Schedule (UTC)            | Workflow                          | Purpose                  |
+|---------------------------|-----------------------------------|--------------------------|
+| Daily 00:00               | `docker-build-push.yml`           | Nightly Docker images    |
+| Daily 00:00               | `test-db.yml`                     | Database compatibility   |
+| Daily 00:00               | `test-e2e-performance-reusable.yml`| Performance E2E         |
+| Daily 00:00               | `test-visual-storybook.yml`       | Storybook deploy         |
+| Daily 00:00               | `test-visual-chromatic.yml`       | Visual regression        |
+| Daily 00:00               | `util-check-docs-urls.yml`        | Doc link validation      |
+| Daily 01:30, 02:30, 03:30 | `test-benchmark-nightly.yml`      | Performance benchmarks   |
+| Daily 02:00               | `test-workflows-nightly.yml`      | Workflow tests           |
+| Daily 04:00               | `test-e2e-vm-expressions-nightly.yml`| VM expression E2E     |
+| Daily 05:00               | `test-benchmark-destroy-nightly.yml`| Cleanup benchmark env  |
+| Monday 00:00              | `util-update-node-popularity.yml` | Node usage stats         |
+| Monday 02:00              | `test-e2e-coverage-weekly.yml`    | Weekly E2E coverage      |
+| Saturday 22:00            | `test-evals-ai.yml`               | AI workflow evals        |
+
+---
+
+## Custom Actions
+
+Composite actions in `.github/actions/`:
+
+| Action                   | Purpose                                      | Used By            |
+|--------------------------|----------------------------------------------|--------------------|
+| `setup-nodejs`           | pnpm + Node.js + Turbo cache + Docker (opt)  | Most CI workflows  |
+| `docker-registry-login`  | GHCR + DockerHub + DHI authentication        | Docker workflows   |
+
+### setup-nodejs
+
+```yaml
+inputs:
+  node-version:        # default: '24.14.1'
+  enable-docker-cache: # default: 'false' (Blacksmith Buildx)
+  build-command:       # default: 'pnpm build'
+```
+
+### docker-registry-login
+
+```yaml
+inputs:
+  login-ghcr:       # default: 'true'
+  login-dockerhub:  # default: 'false'
+  login-dhi:        # default: 'false'
+```
+
+---
+
+## Reusable Workflows
+
+Workflows with `workflow_call` trigger:
+
+| Workflow                           | Inputs                                        | Purpose               |
+|------------------------------------|-----------------------------------------------|-----------------------|
+| `test-unit-reusable.yml`           | `ref`, `nodeVersion`, `collectCoverage`       | Unit tests            |
+| `test-linting-reusable.yml`        | `ref`, `nodeVersion`                          | ESLint                |
+| `test-e2e-reusable.yml`            | `branch`, `test-mode`, `shards`, `runner`     | Core E2E executor     |
+| `test-e2e-ci-reusable.yml`         | `branch`                                      | E2E orchestrator      |
+| `test-e2e-docker-pull-reusable.yml`| `branch`, `n8n_version`                       | E2E with pulled image |
+| `test-workflows-callable.yml`      | `git_ref`, `compare_schemas`                  | Workflow tests        |
+| `docker-build-push.yml`            | `n8n_version`, `release_type`, `push_enabled` | Docker build          |
+| `sec-ci-reusable.yml`              | `ref`                                         | Security orchestrator |
+| `sec-poutine-reusable.yml`         | `ref`                                         | Poutine scanner       |
+| `security-trivy-scan-callable.yml` | `image_ref`                                   | Trivy scan            |
+| `sbom-generation-callable.yml`     | `n8n_version`, `release_tag_ref`              | SBOM generation       |
+
+---
+
+## Scripts
+
+Scripts in `.github/scripts/`:
+
+### Release Scripts
+
+| Script                        | Purpose                    | Called By               |
+|-------------------------------|----------------------------|-------------------------|
+| `bump-versions.mjs`           | Calculate next version     | `release-create-pr.yml` |
+| `update-changelog.mjs`        | Generate CHANGELOG         | `release-create-pr.yml` |
+| `trim-fe-packageJson.js`      | Strip frontend devDeps     | `release-publish.yml`   |
+| `ensure-provenance-fields.mjs`| Add license/author fields  | `release-publish.yml`   |
+
+### Docker Scripts
+
+| Script                  | Purpose           | Called By              |
+|-------------------------|-------------------|------------------------|
+| `docker/docker-config.mjs`| Build context   | `docker-build-push.yml`|
+| `docker/docker-tags.mjs`  | Image tags      | `docker-build-push.yml`|
+
+### Validation Scripts
+
+| Script                  | Purpose           | Called By                 |
+|-------------------------|-------------------|---------------------------|
+| `validate-docs-links.js`| Check doc URLs    | `util-check-docs-urls.yml`|
+| `send-build-stats.mjs`  | Build telemetry   | `setup-nodejs` action     |
+
+---
+
+## Telemetry
+
+CI metrics are collected via webhooks to n8n, then stored in BigQuery for analysis.
+
+See **[CI-TELEMETRY.md](CI-TELEMETRY.md)** for:
+- Common data points (git, CI context, runner info)
+- Existing implementations (build stats, container stack)
+- How to add new telemetry
+- BigQuery schema patterns and queries
+
+---
+
+## CODEOWNERS
+
+Team ownership mappings in `CODEOWNERS`:
+
+| Path Pattern                                                 | Team                       |
+|--------------------------------------------------------------|----------------------------|
+| `packages/@n8n/db/src/migrations/`                           | @n8n-io/migrations-review  |
+
+---
+
+## Runner Selection
+
+| Runner                              | vCPU | Use Case                    |
+|-------------------------------------|------|-----------------------------|
+| `ubuntu-slim`                       | 1    | Gate jobs (required-checks) |
+| `ubuntu-latest`                     | 2    | Simple jobs, fork PR E2E    |
+| `blacksmith-2vcpu-ubuntu-2204`      | 2    | Standard builds, E2E shards |
+| `blacksmith-4vcpu-ubuntu-2204`      | 4    | Unit tests, typecheck, lint |
+| `blacksmith-8vcpu-ubuntu-2204`      | 8    | E2E coverage (weekly)       |
+| `blacksmith-4vcpu-ubuntu-2204-arm`  | 4    | ARM64 Docker builds         |
+
+### Selection Guidelines
+
+**`ubuntu-slim`** - Status check aggregation, gate/required-check jobs, notifications
+
+**`ubuntu-latest`** - Simple build verification, scheduled maintenance, PR comment handlers, release tagging, Docker manifest creation, any job where speed is not critical
+
+**`blacksmith-2vcpu-ubuntu-2204`** - Initial build/install (benefits from Blacksmith caching), database integration tests (I/O bound), Chromatic/Storybook builds
+
+**`blacksmith-4vcpu-ubuntu-2204`** - Unit tests (parallelized), linting (parallel file processing), typechecking (CPU-intensive), E2E test shards
+
+**`blacksmith-8vcpu-ubuntu-2204`** - Heavy parallel workloads, full E2E coverage runs
+
+### Runner Provider Toggle
+
+The `RUNNER_PROVIDER` repository variable controls runner selection across workflows:
+
+| Value | Behavior |
+|-------|----------|
+| (unset) | Use Blacksmith runners (default) |
+| `github` | Use GitHub-hosted `ubuntu-latest` |
+
+**Note:** When set to `github`, all jobs use `ubuntu-latest` regardless of any runner inputs or defaults specified in reusable workflows. GitHub runners have fewer vCPUs (2 vs 4), so jobs may run slower.
+
+---
+
+## Security
+
+### Why We Do This
+
+Supply chain security ensures artifacts haven't been tampered with. We provide three types of signed attestations:
+
+```
+                    ATTESTATION (signed statement)
+                           │
+         ┌─────────────────┼─────────────────┐
+         │                 │                 │
+         ▼                 ▼                 ▼
+    PROVENANCE           SBOM              VEX
+
+    "Trust the           "Know the         "Understand
+     build"               contents"          the risk"
+```
+
+| Attestation | Question It Answers |
+|-------------|--------------------------------|
+| **Provenance** | "Can we trust this artifact came from n8n's CI and wasn't tampered with?" |
+| **SBOM** | "What dependencies are inside?" (license compliance, vulnerability scanning) |
+| **VEX** | "The scanner found CVE-X - does it actually affect us or is it a false positive?" |
+
+**How they relate:**
+- **SBOM** is the ingredients list - input for both license checks AND security scanning
+- **VEX** is the security triage output - "we investigated CVE-X, here's our assessment"
+- **Provenance** proves the SBOM and VEX came from our CI, not an attacker
+
+---
+
+### Poutine (Supply Chain)
+
+- **Runs on:** PR changes to `.github/**`
+- **Detects:** Exposed secrets, insecure workflow configs
+- **Output:** SARIF to GitHub Security tab
+
+### Trivy (Container)
+
+- **Runs on:** stable/nightly/rc Docker builds
+- **Scans:** n8n image, runners image
+- **Output:** Slack `#notify-security-scan-outputs` (all), `#mission-security` (critical)
+
+### SBOM
+
+- **Runs on:** release-publish
+- **Format:** CycloneDX JSON
+- **Signing:** GitHub Attestation API
+- **Attached to:** GitHub Release
+
+### SLSA L3 Provenance
+
+SLSA (Supply-chain Levels for Software Artifacts) Level 3 provides cryptographic proof of build integrity.
+
+| Artifact | Generator | Level |
+|----------|-----------|-------|
+| Docker images | `slsa-framework/slsa-github-generator` | L3 |
+| npm packages | `NPM_CONFIG_PROVENANCE=true` | L3 |
+
+**Docker provenance** uses the SLSA GitHub Generator as a reusable workflow (not an action). This is required for L3 because provenance must be generated in an isolated environment the build can't tamper with.
+
+```yaml
+# IMPORTANT: Must use semantic version tags (@vX.Y.Z), NOT commit SHAs.
+# The slsa-verifier requires tagged versions to verify authenticity.
+uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+```
+
+**Verify provenance:**
+```bash
+# Docker
+slsa-verifier verify-image ghcr.io/n8n-io/n8n:VERSION \
+  --source-uri github.com/n8n-io/n8n
+
+# npm
+npm audit signatures n8n@VERSION
+```
+
+### VEX (Vulnerability Exploitability eXchange)
+
+VEX documents which CVEs actually affect n8n vs false positives from scanners.
+
+- **File:** `security/vex.openvex.json`
+- **Format:** OpenVEX (broad scanner compatibility - Trivy, Docker Scout, etc.)
+- **Attached to:** GitHub Release, Docker image attestations
+- **Used by:** Trivy scans (via `security/trivy.yaml`)
+
+**VEX Status Types:**
+| Status | Meaning |
+|--------|---------|
+| `not_affected` | CVE doesn't impact n8n (code not reachable, etc.) |
+| `affected` | CVE impacts n8n, tracking fix |
+| `fixed` | CVE was present, now fixed |
+| `under_investigation` | Assessing impact |
+
+**Verify VEX attestation:**
+```bash
+cosign verify-attestation --type openvex \
+  --certificate-identity-regexp '.*github.com/n8n-io/n8n.*' \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  ghcr.io/n8n-io/n8n:VERSION
+```
+
+**Adding a CVE statement to security/vex.openvex.json:**
+```json
+{
+  "statements": [
+    {
+      "vulnerability": { "name": "CVE-2024-XXXXX" },
+      "products": [{ "@id": "pkg:github/n8n-io/n8n" }],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "statement": "n8n does not use the affected code path in this dependency"
+    }
+  ]
+}
+```
+
+---
+
+## Secrets
+
+### By Category
+
+| Category            | Secrets                                                     |
+|---------------------|-------------------------------------------------------------|
+| Package Publishing  | `NPM_TOKEN`, `DOCKER_USERNAME`, `DOCKER_PASSWORD`           |
+| Notifications       | `SLACK_WEBHOOK_URL`, `QBOT_SLACK_TOKEN`                     |
+| Code Quality        | `CODECOV_TOKEN`, `CHROMATIC_PROJECT_TOKEN`, `CURRENTS_RECORD_KEY` |
+| Error Tracking      | `SENTRY_AUTH_TOKEN`, `SENTRY_ORG`, `SENTRY_*_PROJECT`       |
+| Cloud/CDN           | `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`             |
+| GitHub Automation   | `N8N_ASSISTANT_APP_ID`, `N8N_ASSISTANT_PRIVATE_KEY`         |
+| Benchmarking        | `BENCHMARK_ARM_*`, `N8N_BENCHMARK_LICENSE_CERT`             |
+| AI/Evals            | `ANTHROPIC_API_KEY`, `EVALS_LANGSMITH_*`                    |
+
+### Scoping
+
+- **`secrets: inherit`** - passes all secrets to reusable workflows
+- **Explicit passing** - for minimal exposure
+- **Environment: `benchmarking`** - Azure OIDC credentials
+
+---
+
+## Future Vision
+
+### Redundancy Review
+
+Comment trigger (`/test-workflows`) is a workaround.
+
+Long-term: Main CI should be reliable enough to not need these.
+
+### Workflow Testability
+
+- Tools like `act` for local testing
+- Unit tests for `.github/scripts/*.mjs`
+- Validation with `actionlint`

.github/actionlint.yaml

@@ -1,7 +0,0 @@
-self-hosted-runner:
-  labels:
-    - blacksmith-2vcpu-ubuntu-2204
-    - blacksmith-4vcpu-ubuntu-2204
-    - blacksmith-2vcpu-ubuntu-2204-arm
-    - blacksmith-4vcpu-ubuntu-2204-arm
-    - blacksmith-8vcpu-ubuntu-2204

.github/actionlint.yml

@@ -0,0 +1,8 @@
+self-hosted-runner:
+  labels:
+    - blacksmith-2vcpu-ubuntu-2204
+    - blacksmith-4vcpu-ubuntu-2204
+    - blacksmith-2vcpu-ubuntu-2204-arm
+    - blacksmith-4vcpu-ubuntu-2204-arm
+    - blacksmith-8vcpu-ubuntu-2204
+    - ubuntu-slim

.github/actions/ci-filter/__tests__/ci-filter.test.ts

@@ -0,0 +1,235 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { matchGlob, parseFilters, evaluateFilter, runValidate } from '../ci-filter.mjs';
+
+// --- matchGlob ---
+
+describe('matchGlob', () => {
+	it('** matches dotfiles', () => {
+		assert.ok(matchGlob('.github/workflows/ci.yml', '**'));
+	});
+
+	it('** matches deeply nested paths', () => {
+		assert.ok(matchGlob('packages/cli/src/controllers/auth.ts', '**'));
+	});
+
+	it('** matches root-level files', () => {
+		assert.ok(matchGlob('README.md', '**'));
+	});
+
+	it('.github/** matches workflow files', () => {
+		assert.ok(matchGlob('.github/workflows/ci.yml', '.github/**'));
+	});
+
+	it('.github/** matches action files', () => {
+		assert.ok(matchGlob('.github/actions/ci-filter/action.yml', '.github/**'));
+	});
+
+	it('.github/** does not match non-.github paths', () => {
+		assert.ok(!matchGlob('packages/cli/src/index.ts', '.github/**'));
+	});
+
+	it('scoped package pattern matches files in that package', () => {
+		assert.ok(
+			matchGlob(
+				'packages/@n8n/task-runner-python/src/main.py',
+				'packages/@n8n/task-runner-python/**',
+			),
+		);
+	});
+
+	it('scoped package pattern does not match other packages', () => {
+		assert.ok(!matchGlob('packages/@n8n/config/src/index.ts', 'packages/@n8n/task-runner-python/**'));
+	});
+
+	it('* matches single-level only', () => {
+		assert.ok(matchGlob('README.md', '*.md'));
+		assert.ok(!matchGlob('docs/README.md', '*.md'));
+	});
+
+	it('exact path match', () => {
+		assert.ok(matchGlob('package.json', 'package.json'));
+		assert.ok(!matchGlob('packages/cli/package.json', 'package.json'));
+	});
+
+	it('? matches single character', () => {
+		assert.ok(matchGlob('file1.txt', 'file?.txt'));
+		assert.ok(!matchGlob('file12.txt', 'file?.txt'));
+	});
+
+	it('**/ at start matches zero or more path segments', () => {
+		assert.ok(matchGlob('src/index.ts', '**/index.ts'));
+		assert.ok(matchGlob('packages/cli/src/index.ts', '**/index.ts'));
+		assert.ok(matchGlob('index.ts', '**/index.ts'));
+	});
+
+	it('**/ in middle matches nested paths', () => {
+		assert.ok(matchGlob('packages/@n8n/db/src/deep/file.ts', 'packages/@n8n/db/**'));
+	});
+});
+
+// --- parseFilters ---
+
+describe('parseFilters', () => {
+	it('parses single-line filter', () => {
+		const filters = parseFilters('workflows: .github/**');
+		assert.deepEqual(filters.get('workflows'), ['.github/**']);
+	});
+
+	it('parses single-line with multiple patterns', () => {
+		const filters = parseFilters('db: packages/@n8n/db/** packages/cli/**');
+		assert.deepEqual(filters.get('db'), ['packages/@n8n/db/**', 'packages/cli/**']);
+	});
+
+	it('parses multi-line filter', () => {
+		const input = `non-python:
+  **
+  !packages/@n8n/task-runner-python/**`;
+		const filters = parseFilters(input);
+		assert.deepEqual(filters.get('non-python'), ['**', '!packages/@n8n/task-runner-python/**']);
+	});
+
+	it('parses mixed single and multi-line', () => {
+		const input = `non-python:
+  **
+  !packages/@n8n/task-runner-python/**
+workflows: .github/**`;
+		const filters = parseFilters(input);
+		assert.equal(filters.size, 2);
+		assert.deepEqual(filters.get('non-python'), ['**', '!packages/@n8n/task-runner-python/**']);
+		assert.deepEqual(filters.get('workflows'), ['.github/**']);
+	});
+
+	it('ignores comments and blank lines', () => {
+		const input = `# This is a comment
+
+workflows: .github/**
+
+# Another comment
+db: packages/@n8n/db/**`;
+		const filters = parseFilters(input);
+		assert.equal(filters.size, 2);
+	});
+
+	it('throws on malformed input', () => {
+		assert.throws(() => parseFilters('not a valid filter line'), /Malformed/);
+	});
+
+	it('throws on filter with no patterns', () => {
+		const input = `empty:
+other: .github/**`;
+		assert.throws(() => parseFilters(input), /no patterns/);
+	});
+});
+
+// --- evaluateFilter ---
+
+describe('evaluateFilter', () => {
+	it('python-only files with non-python filter returns false', () => {
+		const files = [
+			'packages/@n8n/task-runner-python/src/main.py',
+			'packages/@n8n/task-runner-python/pyproject.toml',
+		];
+		const patterns = ['**', '!packages/@n8n/task-runner-python/**'];
+		assert.equal(evaluateFilter(files, patterns), false);
+	});
+
+	it('mixed python and non-python returns true', () => {
+		const files = [
+			'packages/@n8n/task-runner-python/src/main.py',
+			'packages/cli/src/index.ts',
+		];
+		const patterns = ['**', '!packages/@n8n/task-runner-python/**'];
+		assert.equal(evaluateFilter(files, patterns), true);
+	});
+
+	it('non-python files with non-python filter returns true', () => {
+		const files = ['packages/cli/src/index.ts', 'packages/core/src/utils.ts'];
+		const patterns = ['**', '!packages/@n8n/task-runner-python/**'];
+		assert.equal(evaluateFilter(files, patterns), true);
+	});
+
+	it('.github files with workflows filter returns true', () => {
+		const files = ['.github/workflows/ci.yml', '.github/actions/setup/action.yml'];
+		const patterns = ['.github/**'];
+		assert.equal(evaluateFilter(files, patterns), true);
+	});
+
+	it('non-.github files with workflows filter returns false', () => {
+		const files = ['packages/cli/src/index.ts'];
+		const patterns = ['.github/**'];
+		assert.equal(evaluateFilter(files, patterns), false);
+	});
+
+	it('empty changed files returns false', () => {
+		assert.equal(evaluateFilter([], ['**']), false);
+	});
+
+	it('last matching pattern wins (gitignore semantics)', () => {
+		const files = ['packages/@n8n/task-runner-python/src/main.py'];
+		const patterns = ['**', '!packages/@n8n/task-runner-python/**', 'packages/@n8n/task-runner-python/**'];
+		assert.equal(evaluateFilter(files, patterns), true);
+	});
+});
+
+// --- runValidate ---
+
+describe('runValidate', () => {
+	function runWithResults(jobResults: Record<string, { result: string }>): number | null {
+		const originalEnv = process.env.INPUT_JOB_RESULTS;
+		const originalExit = process.exit;
+		let exitCode: number | null = null;
+
+		process.env.INPUT_JOB_RESULTS = JSON.stringify(jobResults);
+		process.exit = ((code: number) => { exitCode = code; }) as never;
+
+		try {
+			runValidate();
+		} finally {
+			process.env.INPUT_JOB_RESULTS = originalEnv;
+			process.exit = originalExit;
+		}
+
+		return exitCode;
+	}
+
+	it('passes when all jobs succeed', () => {
+		assert.equal(runWithResults({
+			'install-and-build': { result: 'success' },
+			'unit-test': { result: 'success' },
+			typecheck: { result: 'success' },
+			lint: { result: 'success' },
+		}), null);
+	});
+
+	it('passes when some jobs are skipped (filtered out)', () => {
+		assert.equal(runWithResults({
+			'install-and-build': { result: 'success' },
+			'unit-test': { result: 'success' },
+			'security-checks': { result: 'skipped' },
+		}), null);
+	});
+
+	it('fails when a job fails', () => {
+		assert.equal(runWithResults({
+			'install-and-build': { result: 'success' },
+			'unit-test': { result: 'failure' },
+			typecheck: { result: 'success' },
+		}), 1);
+	});
+
+	it('fails when a job is cancelled', () => {
+		assert.equal(runWithResults({
+			'install-and-build': { result: 'success' },
+			'unit-test': { result: 'cancelled' },
+		}), 1);
+	});
+
+	it('fails when multiple jobs have problems', () => {
+		assert.equal(runWithResults({
+			'unit-test': { result: 'failure' },
+			typecheck: { result: 'cancelled' },
+			lint: { result: 'success' },
+		}), 1);
+	});
+});

.github/actions/ci-filter/action.yml

@@ -0,0 +1,39 @@
+name: 'CI Filter'
+description: |
+  Filter CI jobs by changed files and validate results.
+
+  Modes:
+    - filter: Determines which jobs to run based on changed files and a provided filter definition.
+    - validate: Checks the results of required jobs and fails if any of them failed or were cancelled.
+
+inputs:
+  mode:
+    description: 'filter or validate'
+    required: true
+  filters:
+    description: 'Filter definitions (gitignore-style DSL)'
+    required: false
+  base-ref:
+    description: 'Base branch for diff. Auto-detected if not specified.'
+    required: false
+  job-results:
+    description: 'Job results from needs context as JSON (mode=validate)'
+    required: false
+
+outputs:
+  results:
+    description: 'JSON object: { "filter-name": true/false }'
+    value: ${{ steps.run.outputs.results }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Run CI Filter
+      id: run
+      shell: bash
+      env:
+        INPUT_MODE: ${{ inputs.mode }}
+        INPUT_FILTERS: ${{ inputs.filters }}
+        INPUT_BASE_REF: ${{ inputs.base-ref || github.event.pull_request.base.ref || github.event.merge_group.base_ref || 'master' }}
+        INPUT_JOB_RESULTS: ${{ inputs.job-results }}
+      run: node ${{ github.action_path }}/ci-filter.mjs

.github/actions/ci-filter/ci-filter.mjs

@@ -0,0 +1,216 @@
+import { execSync } from 'node:child_process';
+import { appendFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { resolve } from 'node:path';
+
+// --- Glob matching (dotfile-safe) ---
+
+/**
+ * Match a file path against a glob pattern.
+ * Unlike path.matchesGlob / standard POSIX globs, `**` matches dotfiles.
+ */
+export function matchGlob(filePath, pattern) {
+	let regex = '';
+	let i = 0;
+	while (i < pattern.length) {
+		const ch = pattern[i];
+		if (ch === '*' && pattern[i + 1] === '*') {
+			if (pattern[i + 2] === '/') {
+				regex += '(?:.+/)?';
+				i += 3;
+			} else {
+				regex += '.*';
+				i += 2;
+			}
+		} else if (ch === '*') {
+			regex += '[^/]*';
+			i++;
+		} else if (ch === '?') {
+			regex += '[^/]';
+			i++;
+		} else {
+			regex += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+			i++;
+		}
+	}
+	return new RegExp(`^${regex}$`).test(filePath);
+}
+
+// --- Filter DSL parser ---
+
+/**
+ * Parse filter definitions from the input DSL.
+ *
+ * Supports two formats:
+ *   Single-line:  `name: pattern1 pattern2`
+ *   Multi-line:   `name:` followed by indented patterns (one per line)
+ *
+ * Lines starting with # and blank lines are ignored.
+ */
+export function parseFilters(input) {
+	const filters = new Map();
+	const lines = input.split('\n');
+	let currentFilter = null;
+
+	for (const rawLine of lines) {
+		const line = rawLine.trim();
+
+		if (!line || line.startsWith('#')) continue;
+
+		const headerMatch = line.match(/^([a-zA-Z0-9_-]+):\s*(.*)?$/);
+		if (headerMatch) {
+			const name = headerMatch[1];
+			const rest = (headerMatch[2] || '').trim();
+			const patterns = [];
+			currentFilter = name;
+			filters.set(name, patterns);
+
+			if (rest) {
+				patterns.push(...rest.split(/\s+/));
+				currentFilter = null;
+			}
+			continue;
+		}
+
+		if (currentFilter && rawLine.match(/^\s/)) {
+			const patterns = filters.get(currentFilter);
+			if (patterns) patterns.push(line);
+			continue;
+		}
+
+		throw new Error(`Malformed filter input at: "${rawLine}"`);
+	}
+
+	for (const [name, patterns] of filters) {
+		if (patterns.length === 0) {
+			throw new Error(`Filter "${name}" has no patterns`);
+		}
+	}
+
+	return filters;
+}
+
+// --- Git operations ---
+
+const SAFE_REF = /^[a-zA-Z0-9_./-]+$/;
+
+export function getChangedFiles(baseRef) {
+	if (!SAFE_REF.test(baseRef)) {
+		throw new Error(`Unsafe base ref: "${baseRef}"`);
+	}
+	execSync(`git fetch --depth=1 origin ${baseRef}`, { stdio: 'pipe' });
+	const output = execSync('git diff --name-only FETCH_HEAD HEAD', { encoding: 'utf-8' });
+	return output
+		.split('\n')
+		.map((f) => f.trim())
+		.filter(Boolean);
+}
+
+// --- Filter evaluation ---
+
+/**
+ * Evaluate a single filter against changed files using gitignore semantics.
+ * Patterns evaluated in order, last match wins. ! prefix excludes.
+ * Filter triggers if ANY changed file passes.
+ */
+export function evaluateFilter(changedFiles, patterns) {
+	for (const file of changedFiles) {
+		let included = false;
+		for (const pattern of patterns) {
+			if (pattern.startsWith('!')) {
+				if (matchGlob(file, pattern.slice(1))) {
+					included = false;
+				}
+			} else {
+				if (matchGlob(file, pattern)) {
+					included = true;
+				}
+			}
+		}
+		if (included) return true;
+	}
+	return false;
+}
+
+// --- Mode: filter ---
+
+function setOutput(name, value) {
+	const outputFile = process.env.GITHUB_OUTPUT;
+	if (outputFile) {
+		const delimiter = `ghadelimiter_${Date.now()}`;
+		appendFileSync(outputFile, `${name}<<${delimiter}\n${value}\n${delimiter}\n`);
+	}
+}
+
+export function runFilter() {
+	const filtersInput = process.env.INPUT_FILTERS;
+	const baseRef = process.env.INPUT_BASE_REF;
+
+	if (!filtersInput) {
+		throw new Error('INPUT_FILTERS is required in filter mode');
+	}
+	if (!baseRef) {
+		throw new Error('INPUT_BASE_REF is required in filter mode');
+	}
+
+	const filters = parseFilters(filtersInput);
+	const changedFiles = getChangedFiles(baseRef);
+
+	console.log(`Changed files (${changedFiles.length}):`);
+	for (const f of changedFiles) {
+		console.log(`  ${f}`);
+	}
+
+	const results = {};
+
+	for (const [name, patterns] of filters) {
+		const matched = evaluateFilter(changedFiles, patterns);
+		results[name] = matched;
+		console.log(`Filter "${name}": ${matched}`);
+	}
+
+	setOutput('results', JSON.stringify(results));
+}
+
+// --- Mode: validate ---
+
+export function runValidate() {
+	const raw = process.env.INPUT_JOB_RESULTS;
+	if (!raw) {
+		throw new Error('INPUT_JOB_RESULTS is required in validate mode');
+	}
+
+	const jobResults = JSON.parse(raw);
+	const problems = [];
+
+	for (const [job, data] of Object.entries(jobResults)) {
+		if (data.result === 'failure') problems.push(`${job}: failed`);
+		if (data.result === 'cancelled') problems.push(`${job}: cancelled`);
+	}
+
+	if (problems.length > 0) {
+		console.error('Required checks failed:');
+		for (const p of problems) {
+			console.error(`  - ${p}`);
+		}
+		process.exit(1);
+	}
+
+	console.log('All required checks passed:');
+	for (const [job, data] of Object.entries(jobResults)) {
+		console.log(`  ${job}: ${data.result}`);
+	}
+}
+
+// --- Main (only when run directly, not when imported by tests) ---
+
+if (resolve(fileURLToPath(import.meta.url)) === resolve(process.argv[1])) {
+	const mode = process.env.INPUT_MODE;
+	if (mode === 'filter') {
+		runFilter();
+	} else if (mode === 'validate') {
+		runValidate();
+	} else {
+		throw new Error(`Unknown mode: "${mode}". Expected "filter" or "validate".`);
+	}
+}

.github/actions/docker-registry-login/action.yml

@@ -0,0 +1,56 @@
+# Composite action for logging into Docker registries (GHCR and/or DockerHub).
+# Centralizes the login pattern used across multiple Docker workflows.
+
+name: 'Docker Registry Login'
+description: 'Login to GitHub Container Registry and/or DockerHub'
+
+inputs:
+  login-ghcr:
+    description: 'Login to GitHub Container Registry'
+    required: false
+    default: 'true'
+  login-dockerhub:
+    description: 'Login to DockerHub'
+    required: false
+    default: 'false'
+  login-dhi:
+    description: 'Login to Docker Hardened Images registry (dhi.io)'
+    required: false
+    default: 'false'
+  dockerhub-username:
+    description: 'DockerHub username (required if login-dockerhub or login-dhi is true)'
+    required: false
+  dockerhub-password:
+    description: 'DockerHub password (required if login-dockerhub or login-dhi is true)'
+    required: false
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Login to GitHub Container Registry
+      if: inputs.login-ghcr == 'true'
+      shell: bash
+      env:
+        GHCR_TOKEN: ${{ github.token }}
+        GHCR_USER: ${{ github.actor }}
+      run: |
+        node .github/scripts/retry.mjs --attempts 3 --delay 10 \
+          'echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin'
+
+    - name: Login to DockerHub
+      if: inputs.login-dockerhub == 'true'
+      shell: bash
+      env:
+        DOCKER_USER: ${{ inputs.dockerhub-username }}
+        DOCKER_PASS: ${{ inputs.dockerhub-password }}
+      run: |
+        node .github/scripts/retry.mjs --attempts 3 --delay 10 \
+          'echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin'
+
+    - name: Login to DHI Registry
+      if: inputs.login-dhi == 'true'
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+      with:
+        registry: dhi.io
+        username: ${{ inputs.dockerhub-username }}
+        password: ${{ inputs.dockerhub-password }}

.github/actions/setup-nodejs-blacksmith/action.yml

@@ -1,42 +0,0 @@
-name: 'Blacksmith Node.js Build Setup'
-description: 'Configures Node.js with pnpm, installs dependencies, enables Turborepo caching, (optional) sets up Docker layer caching, and builds the project or an optional command.'
-
-inputs:
-  node-version:
-    description: 'Node.js version to use. Uses latest 22.x by default.'
-    required: false
-    default: '22.x'
-  enable-docker-cache:
-    description: 'Whether to set up Blacksmith Buildx for Docker layer caching.'
-    required: false
-    default: 'false'
-    type: boolean
-  build-command:
-    description: 'Command to execute for building the project or an optional command. Leave empty to skip build step.'
-    required: false
-    default: 'pnpm build'
-    type: string
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Setup Node.js
-      uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5.0.4
-      with:
-        node-version: ${{ inputs.node-version }}
-
-    - name: Setup pnpm and Install Dependencies
-      uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
-      with:
-        run_install: true
-
-    - name: Configure Turborepo Cache
-      uses: useblacksmith/caching-for-turbo@bafb57e7ebdbf1185762286ec94d24648cd3938a # v1
-
-    - name: Setup Docker Builder for Docker Cache
-      if: ${{ inputs.enable-docker-cache == 'true' }}
-      uses: useblacksmith/setup-docker-builder@0b434dfbb431f4e3a2bcee7a773a56bd363184c5 # v1
-
-    - name: Build Project
-      run: ${{ inputs.build-command }}
-      shell: bash

.github/actions/setup-nodejs-github/action.yml

@@ -1,33 +0,0 @@
-name: 'GitHub Node.js Build Setup for Github Hosted Runners'
-description: 'Configures Node.js with pnpm, installs dependencies, enables Turborepo caching, and builds the project or an optional command.'
-
-inputs:
-  node-version:
-    description: 'Node.js version to use. Uses latest 22.x by default.'
-    required: false
-    default: '22.x'
-  build-command:
-    description: 'Command to execute for building the project or an optional command. Leave empty to skip build step.'
-    required: false
-    default: 'pnpm build'
-    type: string
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Setup Node.js
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-      with:
-        node-version: ${{ inputs.node-version }}
-
-    - name: Setup pnpm and Install Dependencies
-      uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
-      with:
-        run_install: true
-
-    - name: Configure Turborepo Cache
-      uses: rharkor/caching-for-turbo@2b4b5b14a8d16b8556a58993a8ac331d56d8906d # v2.3.2
-
-    - name: Build Project
-      run: ${{ inputs.build-command }}
-      shell: bash

.github/actions/setup-nodejs/action.yml

@@ -0,0 +1,88 @@
+# This action works transparently on both Blacksmith and GitHub-hosted runners.
+# Blacksmith runners benefit from transparent caching and optional Docker layer caching.
+# GitHub-hosted runners use standard GitHub Actions caching.
+
+name: 'Node.js Build Setup'
+description: 'Configures Node.js with pnpm, installs Aikido SafeChain for supply chain protection, installs dependencies, enables Turborepo caching, (optional) sets up Docker layer caching, and builds the project or an optional command.'
+
+inputs:
+  node-version:
+    description: 'Node.js version to use. Pinned to 24.14.1 by default for reproducible builds.'
+    required: false
+    default: '24.14.1'
+  enable-docker-cache:
+    description: 'Whether to set up Blacksmith Buildx for Docker layer caching (Blacksmith runners only).'
+    required: false
+    default: 'false'
+  build-command:
+    description: 'Command to execute for building the project or an optional command. Leave empty to skip build step.'
+    required: false
+    default: 'pnpm build'
+  install-command:
+    description: 'Command to execute for installing project dependencies. Leave empty to skip install step.'
+    required: false
+    default: 'pnpm install --frozen-lockfile'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup pnpm
+      uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
+
+    - name: Setup Node.js
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: 'pnpm'
+
+    # To avoid setup-node cache failure.
+    # see: https://github.com/actions/setup-node/issues/1137
+    - name: Verify PNPM Cache Directory
+      shell: bash
+      run: |
+        PNPM_STORE_PATH="$( pnpm store path --silent )"
+        if [ ! -d "$PNPM_STORE_PATH" ]; then
+            mkdir -p "$PNPM_STORE_PATH"
+        fi
+
+    - name: Install Aikido SafeChain
+      if: runner.os != 'Windows'
+      run: |
+        VERSION="1.4.1"
+        EXPECTED_SHA256="628235987175072a4255aa3f5f0128f31795b63970f1970ae8a04d07bf8527b0"
+        node .github/scripts/retry.mjs --attempts 3 --delay 10 \
+          "curl -fsSL -o install-safe-chain.sh https://github.com/AikidoSec/safe-chain/releases/download/${VERSION}/install-safe-chain.sh"
+        echo "${EXPECTED_SHA256}  install-safe-chain.sh" | sha256sum -c -
+        sh install-safe-chain.sh --ci
+        rm install-safe-chain.sh
+      shell: bash
+
+    - name: Install Dependencies
+      if: ${{ inputs.install-command != '' }}
+      run: |
+        ${{ inputs.install-command }}
+      shell: bash
+
+    - name: Disable safe-chain
+      if: runner.os != 'Windows'
+      run: safe-chain teardown
+      shell: bash
+
+    - name: Configure Turborepo Cache
+      uses: rharkor/caching-for-turbo@0abc2381e688c4d2832f0665a68a01c6e82f0d6c # v2.3.11
+
+    - name: Setup Docker Builder for Docker Cache (Blacksmith)
+      if: ${{ inputs.enable-docker-cache == 'true' && contains(runner.name, 'blacksmith') }}
+      uses: useblacksmith/setup-docker-builder@ef12d5b165b596e3aa44ea8198d8fde563eab402 # v1.4.0
+
+    - name: Setup Docker Builder (GitHub fallback)
+      if: ${{ inputs.enable-docker-cache == 'true' && !contains(runner.name, 'blacksmith') }}
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+    - name: Build Project
+      if: ${{ inputs.build-command != '' }}
+      run: |
+        ${{ inputs.build-command }} --summarize
+        node .github/scripts/send-build-stats.mjs || true
+        node .github/scripts/send-docker-stats.mjs || true
+      shell: bash

.github/claude-templates/e2e-test.md

@@ -0,0 +1,119 @@
+# E2E Test Task Guide
+
+## Required Reading
+
+**Before writing any code**, read these files:
+```
+packages/testing/playwright/AGENTS.md      # Patterns, anti-patterns, entry points
+packages/testing/playwright/CONTRIBUTING.md # Detailed architecture (first 200 lines)
+```
+
+## Spec Validation
+
+Before starting, verify the spec includes:
+
+| Required | Example |
+|----------|---------|
+| **File(s) to modify** | `tests/e2e/credentials/crud.spec.ts` |
+| **Specific behavior** | "Verify credential renaming updates the list" |
+| **Pattern reference** | "Follow existing tests in same file" or "See AGENTS.md" |
+
+**If missing, ask for clarification.** Don't guess at requirements.
+
+## Commands
+
+```bash
+# Run single test
+pnpm --filter=n8n-playwright test:local tests/e2e/your-test.spec.ts --reporter=list 2>&1 | tail -50
+
+# Run with pattern match
+pnpm --filter=n8n-playwright test:local --grep "should do something" --reporter=list 2>&1 | tail -50
+
+# Container tests (requires pnpm build:docker first)
+pnpm --filter=n8n-playwright test:container:sqlite --grep @capability:email --reporter=list 2>&1 | tail -50
+```
+
+## Test Structure
+
+```typescript
+import { test, expect } from '../fixtures/base';
+import { nanoid } from 'nanoid';
+
+test('should do something @mode:sqlite', async ({ n8n, api }) => {
+  // Setup via API (faster, more reliable)
+  const workflow = await api.workflowApi.createWorkflow(workflowJson);
+
+  // UI interaction via entry points
+  await n8n.start.fromBlankCanvas();
+
+  // Assertions
+  await expect(n8n.workflows.getWorkflowByName(workflow.name)).toBeVisible();
+});
+```
+
+## Entry Points
+
+Use `n8n.start.*` methods - see `composables/TestEntryComposer.ts`:
+- `fromBlankCanvas()` - New workflow
+- `fromImportedWorkflow(file)` - Pre-built workflow
+- `fromNewProjectBlankCanvas()` - Project-scoped
+- `withUser(user)` - Isolated browser context
+
+## Multi-User Tests
+
+```typescript
+const member = await api.publicApi.createUser({ role: 'global:member' });
+const memberPage = await n8n.start.withUser(member);
+await memberPage.navigate.toWorkflows();
+```
+
+## Development Process
+
+1. **Validate spec** - Has file, behavior, pattern reference?
+2. **Read existing code** - Understand current patterns in the file
+3. **Identify helpers needed** - Check `pages/`, `services/`, `composables/`
+4. **Add helpers first** if missing
+5. **Write test** following 4-layer architecture
+6. **Verify iteratively** - Small changes, test frequently
+
+## Mandatory Verification
+
+**Always run before marking complete:**
+
+```bash
+# 1. Tests pass (check output for failures - piping loses exit code)
+pnpm --filter=n8n-playwright test:local <your-test> --reporter=list 2>&1 | tail -50
+
+# 2. Not flaky (required)
+pnpm --filter=n8n-playwright test:local <your-test> --repeat-each 3 --reporter=list 2>&1 | tail -50
+
+# 3. Lint passes
+pnpm --filter=n8n-playwright lint 2>&1 | tail -30
+
+# 4. Typecheck passes
+pnpm --filter=n8n-playwright typecheck 2>&1 | tail -30
+```
+
+**Important:** Piping through `tail` loses the exit code. Always check the output for "failed" or error messages rather than relying on exit codes.
+
+**If any fail, fix before completing.**
+
+## Refactoring Existing Tests
+
+**Always verify tests pass BEFORE making changes:**
+```bash
+pnpm --filter=n8n-playwright test:local tests/e2e/target-file.spec.ts --reporter=list 2>&1 | tail -50
+```
+
+Then make small incremental changes, re-running after each.
+
+## Done Checklist
+
+- [ ] Spec had clear file, behavior, and pattern reference
+- [ ] Read `AGENTS.md` and relevant existing code
+- [ ] Used `n8n.start.*` entry points
+- [ ] Used `nanoid()` for unique IDs (not `Date.now()`)
+- [ ] No serial mode, `@db:reset`, or `n8n.api.signin()`
+- [ ] Multi-user tests use `n8n.start.withUser()`
+- [ ] Tests pass with `--repeat-each 3`
+- [ ] Lint and typecheck pass

.github/claude-templates/security-fix.md

@@ -0,0 +1,179 @@
+# Security Vulnerability Fix Guidelines
+
+## Overview
+This guide covers how to fix security vulnerabilities in the n8n codebase. Follow a systematic approach to identify, fix, and verify vulnerabilities in dependencies or base images.
+
+## Decision Tree
+```
+Is it a direct dependency?
+  → Yes: Update in catalog or package.json
+  → No: Is it transitive?
+    → Yes: Add pnpm override
+    → No: Is it base image?
+      → Yes: Update Dockerfile, trigger base image workflow
+```
+
+## Process Flow
+```
+Scan → Investigate → Fix → Verify
+  ↓        ↓          ↓       ↓
+pnpm    pnpm why   Update  pnpm
+build:  (trace)    deps   build:
+docker:            or      docker:
+scan              override scan
+```
+
+## Step-by-Step Process
+
+### 1. Initial Setup
+Start with a clean install:
+```bash
+pnpm install --frozen-lockfile
+```
+
+### 2. Scan for Vulnerabilities
+Run the Docker scan to verify if the vulnerability exists:
+```bash
+pnpm build:docker:scan
+```
+
+### 3. Investigate the Source
+Use `pnpm why` to trace where the vulnerable package is coming from:
+```bash
+pnpm why <package-name> -r
+```
+
+### 4. Determine Fix Strategy
+
+#### Case A: Direct Dependency
+If the vulnerable package is a **direct dependency**:
+
+**Update via Catalog** (preferred for shared dependencies):
+```yaml
+# pnpm-workspace.yaml
+catalog:
+  '@azure/identity': 4.13.0  # Updated version
+```
+
+```json
+// packages/cli/package.json
+{
+  "dependencies": {
+    "@azure/identity": "catalog:"
+  }
+}
+```
+
+**Or update directly in package.json:**
+```json
+{
+  "dependencies": {
+    "vulnerable-package": "^1.2.3"
+  }
+}
+```
+
+Then: `pnpm install`
+
+#### Case B: Transitive Dependency
+If the vulnerable package is a **transitive dependency**:
+
+**Add an override** in the root `package.json`:
+```json
+{
+  "pnpm": {
+    "overrides": {
+      "vulnerable-package": "^1.2.3"
+    }
+  }
+}
+```
+
+**For multiple versions:**
+```json
+{
+  "pnpm": {
+    "overrides": {
+      "vulnerable-package@3": "^3.2.1",
+      "vulnerable-package@4": "^4.0.1"
+    }
+  }
+}
+```
+
+Then: `pnpm install`
+
+#### Case C: Base Image / NPM Issue
+If the vulnerability comes from the **base Docker image**:
+
+1. Check `docker/images/n8n-base/Dockerfile`
+2. Update Node version or Alpine packages if needed
+3. Note: Base image rebuild requires manual workflow trigger
+
+### 5. Verify the Fix
+```bash
+pnpm install
+pnpm why <package-name>  # Check version updated
+pnpm build:docker:scan    # Confirm vulnerability resolved
+```
+
+## Commit & PR Standards
+
+### Commit Format
+```
+{type}({scope}): {neutral description}
+
+{Brief neutral context}
+
+Addresses: CVE-XXXX-XXXXX
+Refs: {LINEAR-ID}
+```
+
+### Type Selection
+| Scenario | Type |
+|----------|------|
+| Dependency update | `fix(deps)` |
+| Code vulnerability fix | `fix` |
+| License/compliance | `chore` |
+| Docker/build hardening | `build` |
+
+### Title Language - USE NEUTRAL LANGUAGE
+Commit/PR titles appear in changelogs. Use neutral language:
+
+| ❌ Avoid | ✅ Use Instead |
+|----------|----------------|
+| CVE-XXXX-XXXXX | (footer only) |
+| vulnerability, exploit | issue, concern |
+| critical, security fix | improvement, update |
+| patch vulnerability | validate, harden, ensure |
+
+### Example Commit
+**Good:**
+```
+fix(deps): update jws to 4.0.1
+
+Updates jws package to latest stable version.
+
+Addresses: CVE-2025-65945
+Refs: SEC-412
+```
+
+**Bad:**
+```
+fix(security): patch critical CVE-2025-65945 in jws
+```
+
+## Done Checklist
+- [ ] `pnpm build:docker:scan` shows no vulnerability for the CVE
+- [ ] `pnpm why <package>` shows updated version
+- [ ] Commit follows neutral language format (no CVE in title)
+- [ ] PR references Linear ticket if provided
+
+## Common Commands
+```bash
+pnpm install --frozen-lockfile  # Initial setup
+pnpm build:docker:scan          # Scan for vulnerabilities
+pnpm why <package-name> -r      # Investigate dependency
+pnpm install                    # Update lockfile after changes
+pnpm list <package-name>        # Check specific package versions
+```

.github/docker-compose.yml

@@ -1,25 +1,4 @@
 services:
-  mariadb:
-    image: mariadb:10.5
-    environment:
-      - MARIADB_DATABASE=n8n
-      - MARIADB_ROOT_PASSWORD=password
-      - MARIADB_MYSQL_LOCALHOST_USER=true
-    ports:
-      - 3306:3306
-    tmpfs:
-      - /var/lib/mysql
-
-  mysql-8.4:
-    image: mysql:8.4
-    environment:
-      - MYSQL_DATABASE=n8n
-      - MYSQL_ROOT_PASSWORD=password
-    ports:
-      - 3306:3306
-    tmpfs:
-      - /var/lib/mysql
-
   postgres:
     image: postgres:16
     restart: always

.github/poutine-rules/unpinned_action.rego

@@ -0,0 +1,43 @@
+# METADATA
+# title: Unpinned GitHub Action
+# description: |-
+#   GitHub Action not pinned to full commit SHA.
+#   Pin actions to SHA for supply chain security.
+# custom:
+#   level: error
+package rules.unpinned_action
+
+import data.poutine
+import rego.v1
+
+rule := poutine.rule(rego.metadata.chain())
+
+# Match 40-character hex SHA (Git) or 64-character sha256 digest (Docker)
+is_sha_pinned(uses) if {
+	regex.match(`@(sha256:[a-f0-9]{64}|[a-f0-9]{40})`, uses)
+}
+
+# Check if it's a local action (starts with ./)
+is_local_action(uses) if {
+	startswith(uses, "./")
+}
+
+# Check if it's a reusable workflow call
+is_reusable_workflow(uses) if {
+	contains(uses, ".github/workflows/")
+}
+
+results contains poutine.finding(rule, pkg.purl, {
+	"path": workflow.path,
+	"job": job.id,
+	"step": i,
+	"details": sprintf("Action '%s' should be pinned to a full commit SHA", [step.uses]),
+}) if {
+	pkg := input.packages[_]
+	workflow := pkg.github_actions_workflows[_]
+	job := workflow.jobs[_]
+	step := job.steps[i]
+	step.uses
+	not is_sha_pinned(step.uses)
+	not is_local_action(step.uses)
+}

.github/pull_request_template.md

@@ -10,13 +10,14 @@ Photos and videos are recommended.
 <!--
 Include links to **Linear ticket** or Github issue or Community forum post.
 Important in order to close *automatically* and provide context to reviewers.
-https://linear.app/n8n/issue/
+https://linear.app/n8n/issue/[TICKET-ID]
 -->
 <!-- Use "closes #<issue-number>", "fixes #<issue-number>", or "resolves #<issue-number>" to automatically close issues when the PR is merged. -->
 
 
 ## Review / Merge checklist
 
+- [ ] I have seen this code, I have run this code, and I take responsibility for this code.
 - [ ] PR title and summary are descriptive. ([conventions](../blob/master/.github/pull_request_title_conventions.md)) <!--
    **Remember, the title automatically goes into the changelog.
    Use `(no-changelog)` otherwise.**
@@ -26,4 +27,4 @@ https://linear.app/n8n/issue/
    A bug is not considered fixed, unless a test is added to prevent it from happening again.
    A feature is not complete without tests.
 -->
-- [ ] PR Labeled with `release/backport` (if the PR is an urgent fix that needs to be backported)
+- [ ] PR Labeled with `Backport to Beta`, `Backport to Stable`, or `Backport to v1` (if the PR is an urgent fix that needs to be backported)

.github/scripts/bump-versions.mjs

@@ -1,4 +1,5 @@
 import semver from 'semver';
+import { parse } from 'yaml';
 import { writeFile, readFile } from 'fs/promises';
 import { resolve } from 'path';
 import child_process from 'child_process';
@@ -7,14 +8,19 @@ import assert from 'assert';
 
 const exec = promisify(child_process.exec);
 
+/**
+ * @param {string | semver.SemVer} currentVersion
+ */
 function generateExperimentalVersion(currentVersion) {
 	const parsed = semver.parse(currentVersion);
 	if (!parsed) throw new Error(`Invalid version: ${currentVersion}`);
 
 	// Check if it's already an experimental version
 	if (parsed.prerelease.length > 0 && parsed.prerelease[0] === 'exp') {
+		const minor = parsed.prerelease[1] || 0;
+		const minorInt = typeof minor === 'string' ? parseInt(minor) : minor;
 		// Increment the experimental minor version
-		const expMinor = (parsed.prerelease[1] || 0) + 1;
+		const expMinor = minorInt + 1;
 		return `${parsed.major}.${parsed.minor}.${parsed.patch}-exp.${expMinor}`;
 	}
 
@@ -22,34 +28,32 @@ function generateExperimentalVersion(currentVersion) {
 	return `${parsed.major}.${parsed.minor}.${parsed.patch}-exp.0`;
 }
 
-function generateRcVersion(currentVersion) {
-	const parsed = semver.parse(currentVersion);
-	if (!parsed) throw new Error(`Invalid version: ${currentVersion}`);
-
-	// Check if it's already an RC version
-	if (parsed.prerelease.length > 0 && parsed.prerelease[0] === 'rc') {
-		// Increment the RC number
-		const rcNum = (parsed.prerelease[1] || 0) + 1;
-		return `${parsed.major}.${parsed.minor}.${parsed.patch}-rc.${rcNum}`;
-	}
-
-	// Create new RC version: <major>.<minor>.<patch>-rc.0
-	return `${parsed.major}.${parsed.minor}.${parsed.patch}-rc.0`;
-}
-
 const rootDir = process.cwd();
-const releaseType = process.env.RELEASE_TYPE;
-assert.match(releaseType, /^(patch|minor|major|experimental|rc)$/, 'Invalid RELEASE_TYPE');
+
+const releaseType = /** @type { import('semver').ReleaseType | "experimental" } */ (
+	process.env.RELEASE_TYPE
+);
+assert.match(releaseType, /^(patch|minor|major|experimental|premajor)$/, 'Invalid RELEASE_TYPE');
 
 // TODO: if releaseType is `auto` determine release type based on the changelog
 
 const lastTag = (await exec('git describe --tags --match "n8n@*" --abbrev=0')).stdout.trim();
-const packages = JSON.parse((await exec('pnpm ls -r --only-projects --json')).stdout);
+const packages = JSON.parse(
+	(
+		await exec(
+			`pnpm ls -r --only-projects --json | jq -r '[.[] | { name: .name, version: .version, path: .path,  private: .private}]'`,
+		)
+	).stdout,
+);
 
 const packageMap = {};
-for (let { name, path, version, private: isPrivate, dependencies } of packages) {
-	if (isPrivate && path !== rootDir) continue;
-	if (path === rootDir) name = 'monorepo-root';
+for (let { name, path, version, private: isPrivate } of packages) {
+	if (isPrivate && path !== rootDir) {
+		continue;
+	}
+	if (path === rootDir) {
+		name = 'monorepo-root';
+	}
 
 	const isDirty = await exec(`git diff --quiet HEAD ${lastTag} -- ${path}`)
 		.then(() => false)
@@ -63,6 +67,111 @@ assert.ok(
 	'No changes found since the last release',
 );
 
+// Propagate isDirty transitively: if a package's dependency will be bumped,
+// that package also needs a bump (e.g. design-system → editor-ui → cli).
+
+// Detect root-level changes that affect resolved dep versions without touching individual
+// package.json files: pnpm.overrides (applies to all specifiers)
+// and pnpm-workspace.yaml catalog entries (applies only to deps using a "catalog:…" specifier).
+
+const rootPkgJson = JSON.parse(await readFile(resolve(rootDir, 'package.json'), 'utf-8'));
+const rootPkgJsonAtTag = await exec(`git show ${lastTag}:package.json`)
+	.then(({ stdout }) => JSON.parse(stdout))
+	.catch(() => ({}));
+
+const getOverrides = (pkg) => ({ ...pkg.pnpm?.overrides, ...pkg.overrides });
+
+const currentOverrides = getOverrides(rootPkgJson);
+const previousOverrides = getOverrides(rootPkgJsonAtTag);
+
+const changedOverrides = new Set(
+	Object.keys({ ...currentOverrides, ...previousOverrides }).filter(
+		(k) => currentOverrides[k] !== previousOverrides[k],
+	),
+);
+
+const parseWorkspaceYaml = (content) => {
+	try {
+		return /** @type {Record<string, unknown>} */ (parse(content) ?? {});
+	} catch {
+		return {};
+	}
+};
+const workspaceYaml = parseWorkspaceYaml(
+	await readFile(resolve(rootDir, 'pnpm-workspace.yaml'), 'utf-8').catch(() => ''),
+);
+const workspaceYamlAtTag = parseWorkspaceYaml(
+	await exec(`git show ${lastTag}:pnpm-workspace.yaml`)
+		.then(({ stdout }) => stdout)
+		.catch(() => ''),
+);
+const getCatalogs = (ws) => {
+	const result = new Map();
+	if (ws.catalog) {
+		result.set('default', /** @type {Record<string,string>} */ (ws.catalog));
+	}
+
+	for (const [name, entries] of Object.entries(ws.catalogs ?? {})) {
+		result.set(name, entries);
+	}
+
+	return result;
+};
+// changedCatalogEntries: Map<catalogName, Set<depName>>
+const currentCatalogs = getCatalogs(workspaceYaml);
+const previousCatalogs = getCatalogs(workspaceYamlAtTag);
+const changedCatalogEntries = new Map();
+for (const catalogName of new Set([...currentCatalogs.keys(), ...previousCatalogs.keys()])) {
+	const current = currentCatalogs.get(catalogName) ?? {};
+	const previous = previousCatalogs.get(catalogName) ?? {};
+	const changedDeps = new Set(
+		Object.keys({ ...current, ...previous }).filter((dep) => current[dep] !== previous[dep]),
+	);
+	if (changedDeps.size > 0) {
+		changedCatalogEntries.set(catalogName, changedDeps);
+	}
+}
+
+// Store full dep objects (with specifiers) so we can inspect "catalog:…" values below.
+const depsByPackage = {};
+for (const packageName in packageMap) {
+	const packageFile = resolve(packageMap[packageName].path, 'package.json');
+	const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));
+	depsByPackage[packageName] = /** @type {Record<string,string>} */ (
+		packageJson.dependencies ?? {}
+	);
+}
+
+// Mark packages dirty if any dep had a root-level override or catalog version change.
+for (const [packageName, deps] of Object.entries(depsByPackage)) {
+	if (packageMap[packageName].isDirty) continue;
+	for (const [dep, specifier] of Object.entries(deps)) {
+		if (changedOverrides.has(dep)) {
+			packageMap[packageName].isDirty = true;
+			break;
+		}
+		if (typeof specifier === 'string' && specifier.startsWith('catalog:')) {
+			const catalogName = specifier === 'catalog:' ? 'default' : specifier.slice(8);
+			if (changedCatalogEntries.get(catalogName)?.has(dep)) {
+				packageMap[packageName].isDirty = true;
+				break;
+			}
+		}
+	}
+}
+
+let changed = true;
+while (changed) {
+	changed = false;
+	for (const packageName in packageMap) {
+		if (packageMap[packageName].isDirty) continue;
+		if (Object.keys(depsByPackage[packageName]).some((dep) => packageMap[dep]?.isDirty)) {
+			packageMap[packageName].isDirty = true;
+			changed = true;
+		}
+	}
+}
+
 // Keep the monorepo version up to date with the released version
 packageMap['monorepo-root'].version = packageMap['n8n'].version;
 
@@ -71,17 +180,32 @@ for (const packageName in packageMap) {
 	const packageFile = resolve(path, 'package.json');
 	const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));
 
-	packageJson.version = packageMap[packageName].nextVersion =
-		isDirty ||
-		Object.keys(packageJson.dependencies || {}).some(
-			(dependencyName) => packageMap[dependencyName]?.isDirty,
-		)
-			? releaseType === 'experimental'
-				? generateExperimentalVersion(version)
-				: releaseType === 'rc'
-					? generateRcVersion(version)
-					: semver.inc(version, releaseType)
-			: version;
+	const dependencyIsDirty = Object.keys(packageJson.dependencies || {}).some(
+		(dependencyName) => packageMap[dependencyName]?.isDirty,
+	);
+
+	let newVersion = version;
+
+	if (isDirty || dependencyIsDirty) {
+		switch (releaseType) {
+			case 'experimental':
+				newVersion = generateExperimentalVersion(version);
+				break;
+			case 'premajor':
+				newVersion = semver.inc(
+					version,
+					version.includes('-rc.') ? 'prerelease' : 'premajor',
+					undefined,
+					'rc',
+				);
+				break;
+			default:
+				newVersion = semver.inc(version, releaseType);
+				break;
+		}
+	}
+
+	packageJson.version = packageMap[packageName].nextVersion = newVersion;
 
 	await writeFile(packageFile, JSON.stringify(packageJson, null, 2) + '\n');
 }

.github/scripts/claude-task/prepare-claude-prompt.mjs

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+/**
+ * Builds the Claude task prompt and writes it to GITHUB_ENV.
+ * Uses a random delimiter to prevent heredoc collision with user input.
+ *
+ * Usage: node prepare-claude-prompt.mjs
+ *
+ * Environment variables:
+ *   INPUT_TASK     - The task description (required)
+ *   USE_RAW_PROMPT - "true" to pass task directly without wrapping
+ *   GITHUB_ENV     - Path to GitHub env file (set by Actions)
+ */
+
+import { randomUUID } from 'node:crypto';
+import { appendFileSync, readdirSync } from 'node:fs';
+
+const task = process.env.INPUT_TASK;
+const useRaw = process.env.USE_RAW_PROMPT === 'true';
+const envFile = process.env.GITHUB_ENV;
+
+if (!task) {
+	console.error('INPUT_TASK environment variable is required');
+	process.exit(1);
+}
+
+if (!envFile) {
+	console.error('GITHUB_ENV environment variable is required');
+	process.exit(1);
+}
+
+let prompt;
+
+if (useRaw) {
+	prompt = task;
+} else {
+	// List available templates so Claude knows what exists (reads them if needed)
+	const templateDir = '.github/claude-templates';
+	let templateSection = '';
+	try {
+		const files = readdirSync(templateDir).filter((f) => f.endsWith('.md'));
+		if (files.length > 0) {
+			const listing = files.map((f) => `  - ${templateDir}/${f}`).join('\n');
+			templateSection = `\n# Templates\nThese guides are available if relevant to your task. Read any that match before starting:\n${listing}`;
+		}
+	} catch {
+		// No templates directory, skip
+	}
+
+	prompt = `# Task
+${task}
+${templateSection}
+# Instructions
+1. Read any relevant templates listed above before starting
+2. Complete the task described above
+3. Make commits as you work - the last commit message will be used as the PR title
+4. IMPORTANT: End every commit message with: Co-authored-by: Claude <noreply@anthropic.com>
+5. Ensure code passes linting and type checks before finishing
+
+# Token Optimization
+When running lint/typecheck, suppress verbose output:
+  pnpm lint 2>&1 | tail -30
+  pnpm typecheck 2>&1 | tail -30`;
+}
+
+// Random delimiter guarantees no collision with user content
+const delimiter = `CLAUDE_PROMPT_DELIM_${randomUUID().replace(/-/g, '')}`;
+appendFileSync(envFile, `CLAUDE_PROMPT<<${delimiter}\n${prompt}\n${delimiter}\n`);
+

.github/scripts/claude-task/resume-callback.mjs

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+/**
+ * Sends a callback to the resume URL with the Claude task result.
+ * Uses fetch() directly to avoid E2BIG errors from shell argument limits.
+ *
+ * Usage: node resume-callback.mjs
+ *
+ * Environment variables:
+ *   RESUME_URL      - Callback URL to POST to (required)
+ *   EXECUTION_FILE  - Path to Claude's execution output JSON (optional)
+ *   CLAUDE_OUTCOME  - "success" or "failure" (required)
+ *   CLAUDE_SESSION_ID - Session ID for resuming conversations (optional)
+ *   BRANCH_NAME     - Git branch name (optional)
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+
+const resumeUrl = process.env.RESUME_URL;
+const executionFile = process.env.EXECUTION_FILE;
+const claudeOutcome = process.env.CLAUDE_OUTCOME;
+const sessionId = process.env.CLAUDE_SESSION_ID ?? '';
+const branchName = process.env.BRANCH_NAME ?? '';
+
+if (!resumeUrl) {
+	console.error('RESUME_URL environment variable is required');
+	process.exit(1);
+}
+
+const success = claudeOutcome === 'success';
+let result = null;
+
+if (executionFile && existsSync(executionFile)) {
+	try {
+		const execution = JSON.parse(readFileSync(executionFile, 'utf-8'));
+		// Extract the last element (Claude's final result message)
+		result = Array.isArray(execution) ? execution.at(-1) : execution;
+	} catch (err) {
+		console.warn(`Failed to parse execution file: ${err.message}`);
+	}
+}
+
+const payload = JSON.stringify({ success, branch: branchName, sessionId, result });
+
+try {
+	const response = await fetch(resumeUrl, {
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		body: payload,
+	});
+
+	if (!response.ok) {
+		const body = await response.text();
+		console.error(`Callback failed: ${body}`);
+		process.exit(1);
+	}
+} catch (err) {
+	console.error(`Callback error: ${err.message}`);
+	process.exit(1);
+}

.github/scripts/cleanup-ghcr-images.mjs

@@ -0,0 +1,157 @@
+#!/usr/bin/env node
+/**
+ * Cleanup GHCR images for n8n CI
+ *
+ * Modes:
+ *   --tag <tag>     Delete exact tag (post-run cleanup)
+ *   --stale <days>  Delete ci-* images older than N days (daily scheduled cleanup)
+ *
+ * Context:
+ *   - Each CI run tags images as ci-{run_id}
+ *   - Post-run cleanup uses --tag to delete the current run's images
+ *   - Daily cron uses --stale to catch any orphaned images
+ */
+import { exec } from 'node:child_process';
+import { promisify } from 'node:util';
+
+const execAsync = promisify(exec);
+const ORG = process.env.GHCR_ORG || 'n8n-io';
+const REPO = process.env.GHCR_REPO || 'n8n';
+const PACKAGES = [REPO, 'runners'];
+const [mode, rawValue] = process.argv.slice(2);
+
+if (!['--tag', '--stale'].includes(mode) || !rawValue) {
+	console.error('Usage: cleanup-ghcr-images.mjs --tag <tag> | --stale <days>');
+	process.exit(1);
+}
+
+const value = mode === '--stale' ? parseInt(rawValue, 10) : rawValue;
+if (mode === '--stale' && (isNaN(value) || value <= 0)) {
+	console.error('Error: --stale requires a positive number of days');
+	process.exit(1);
+}
+
+async function ghApi(path) {
+	const { stdout } = await execAsync(
+		`gh api "/orgs/${ORG}/packages/container/${path}"`,
+	);
+	return JSON.parse(stdout);
+}
+
+async function ghDelete(path) {
+	await execAsync(`gh api --method DELETE "/orgs/${ORG}/packages/container/${path}"`);
+}
+
+async function fetchPage(pkg, page) {
+	try {
+		return await ghApi(`${pkg}/versions?per_page=100&page=${page}`);
+	} catch (err) {
+		if (err.code === 1 && err.stderr?.includes('404')) return [];
+		throw new Error(`Failed to fetch ${pkg} page ${page}: ${err.message}`);
+	}
+}
+
+const isCiImage = (v) => {
+	const tags = v.metadata?.container?.tags || [];
+	return tags.some((t) => t.startsWith('ci-') || t.startsWith('pr-'));
+};
+
+const isStale = (v, days) => {
+	const cutoff = Date.now() - days * 86400000;
+	return isCiImage(v) && new Date(v.created_at) < cutoff;
+};
+
+async function getVersionsForTag(pkg, tag) {
+	const batch = await fetchPage(pkg, 1);
+	const match = batch.find((v) => v.metadata?.container?.tags?.includes(tag));
+	return match ? [match] : [];
+}
+
+async function getVersionsForStale(pkg, days) {
+	const versions = [];
+	const cutoff = Date.now() - days * 86400000;
+	// Use 2x cutoff as safety window for early termination
+	const earlyExitCutoff = Date.now() - days * 2 * 86400000;
+	let pagesWithoutCiImages = 0;
+
+	const firstPage = await fetchPage(pkg, 1);
+	if (!firstPage.length) return [];
+
+	for (const v of firstPage) {
+		if (isStale(v, days)) versions.push(v);
+	}
+	if (firstPage.length < 100) return versions;
+
+	for (let page = 2; ; page += 10) {
+		const batches = await Promise.all(
+			Array.from({ length: 10 }, (_, i) => fetchPage(pkg, page + i)),
+		);
+		let done = false;
+		for (const batch of batches) {
+			if (!batch.length || batch.length < 100) done = true;
+
+			let hasCiImages = false;
+			for (const v of batch) {
+				if (isCiImage(v)) {
+					hasCiImages = true;
+					if (new Date(v.created_at) < cutoff) versions.push(v);
+				}
+			}
+
+			// Early termination: if we've gone through pages without finding
+			// any CI images and all items are older than 2x cutoff, we're past
+			// the CI image window
+			if (!hasCiImages) {
+				pagesWithoutCiImages++;
+				const oldestInBatch = batch[batch.length - 1];
+				if (
+					pagesWithoutCiImages >= 3 &&
+					oldestInBatch &&
+					new Date(oldestInBatch.created_at) < earlyExitCutoff
+				) {
+					console.log(`  Early termination at page ${page + batches.indexOf(batch)}`);
+					done = true;
+				}
+			} else {
+				pagesWithoutCiImages = 0;
+			}
+
+			if (!batch.length || done) break;
+		}
+		if (done) break;
+	}
+	return versions;
+}
+
+let hasErrors = false;
+
+for (const pkg of PACKAGES) {
+	console.log(`Processing ${pkg}...`);
+	let consecutiveErrors = 0;
+
+	const toDelete =
+		mode === '--tag'
+			? await getVersionsForTag(pkg, value)
+			: await getVersionsForStale(pkg, value);
+
+	if (!toDelete.length) {
+		console.log(`  No matching images found`);
+		continue;
+	}
+
+	for (const v of toDelete) {
+		try {
+			await ghDelete(`${pkg}/versions/${v.id}`);
+			console.log(`  Deleted ${v.metadata.container.tags.join(',')}`);
+			consecutiveErrors = 0;
+		} catch (err) {
+			console.error(`  Failed to delete ${v.id}: ${err.message}`);
+			hasErrors = true;
+			if (++consecutiveErrors >= 3) {
+				throw new Error('Too many consecutive delete failures, aborting');
+			}
+		}
+	}
+}
+
+if (hasErrors) process.exit(1);

.github/scripts/cleanup-release-branch.mjs

@@ -0,0 +1,123 @@
+import fs from 'node:fs/promises';
+import { getOctokit } from '@actions/github';
+import { ensureEnvVar, readPrLabels } from './github-helpers.mjs';
+
+/**
+ * @typedef {PullRequestCheckPass | PullRequestCheckFail} PullRequestCheckResult
+ **/
+
+/**
+ * @typedef PullRequestCheckPass
+ * @property {true} pass
+ * @property {string} baseRef
+ * */
+
+/**
+ * @typedef PullRequestCheckFail
+ * @property {false} pass
+ * @property {string} reason
+ * */
+
+/**
+ * @param {PullRequestCheckResult} pullRequestCheck
+ *
+ * @returns { pullRequestCheck is PullRequestCheckFail }
+ * */
+function pullRequestCheckFailed(pullRequestCheck) {
+	return !pullRequestCheck.pass;
+}
+
+/**
+ * @param {any} pullRequest
+ * @returns {PullRequestCheckResult}
+ */
+export function pullRequestIsDismissedRelease(pullRequest) {
+	if (!pullRequest) {
+		throw new Error('Missing pullRequest in event payload');
+	}
+
+	const baseRef = pullRequest?.base?.ref ?? '';
+	const headRef = pullRequest?.head?.ref ?? '';
+	const merged = Boolean(pullRequest?.merged);
+
+	if (merged) {
+		return { pass: false, reason: 'PR was merged' };
+	}
+
+	// Must match your release PR pattern:
+	//   base: release/<ver>
+	//   head: release-pr/<ver>
+	if (!baseRef.startsWith('release/')) {
+		return { pass: false, reason: `Base ref '${baseRef}' is not release/*` };
+	}
+	if (!headRef.startsWith('release-pr/')) {
+		return { pass: false, reason: `Head ref '${headRef}' is not release-pr/*` };
+	}
+
+	const baseVer = baseRef.slice('release/'.length);
+	const headVer = headRef.slice('release-pr/'.length);
+
+	if (!baseVer || baseVer !== headVer) {
+		return { pass: false, reason: `Version mismatch: base='${baseVer}' head='${headVer}'` };
+	}
+
+	const labelNames = readPrLabels(pullRequest);
+	if (!labelNames.includes('release')) {
+		return {
+			pass: false,
+			reason: `Missing required label 'release' (labels: ${labelNames.join(', ') || '[none]'})`,
+		};
+	}
+
+	return { pass: true, baseRef };
+}
+
+async function main() {
+	const token = ensureEnvVar('GITHUB_TOKEN');
+	const eventPath = ensureEnvVar('GITHUB_EVENT_PATH');
+	const repoFullName = ensureEnvVar('GITHUB_REPOSITORY');
+
+	const [owner, repo] = repoFullName.split('/');
+	if (!owner || !repo) {
+		throw new Error(`Invalid GITHUB_REPOSITORY: '${repoFullName}'`);
+	}
+
+	const rawEventData = await fs.readFile(eventPath, 'utf8');
+	const event = JSON.parse(rawEventData);
+
+	const result = pullRequestIsDismissedRelease(event.pull_request);
+	if (pullRequestCheckFailed(result)) {
+		console.log(`no-op: ${result.reason}`);
+		return;
+	}
+
+	const branch = result.baseRef; // e.g. "release/2.11.0"
+	console.log(`PR qualifies. Deleting branch '${branch}'...`);
+
+	const octokit = getOctokit(token);
+
+	try {
+		await octokit.rest.git.deleteRef({
+			owner,
+			repo,
+			// ref must be "heads/<branch>"
+			ref: `heads/${branch}`,
+		});
+		console.log(`Deleted '${branch}'.`);
+	} catch (err) {
+		// If it was already deleted, treat as success.
+		const status = err?.status;
+		if (status === 404) {
+			console.log(`Branch '${branch}' not found (already deleted).`);
+			return;
+		}
+
+		console.error(err);
+		throw new Error(`Failed to delete '${branch}'.`);
+	}
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	await main();
+}

.github/scripts/cleanup-release-branch.test.mjs

@@ -0,0 +1,147 @@
+import { describe, it, mock, before } from 'node:test';
+import assert from 'node:assert/strict';
+import { readPrLabels } from './github-helpers.mjs';
+
+/**
+ * Run these tests by running
+ *
+ * node --test --experimental-test-module-mocks ./.github/scripts/cleanup-release-branch.test.mjs
+ * */
+
+// mock.module must be called before the module under test is imported,
+// because static imports are hoisted and resolve before any code runs.
+mock.module('./github-helpers.mjs', {
+	namedExports: {
+		ensureEnvVar: () => {}, // no-op
+		readPrLabels: (pr) => {
+			return readPrLabels(pr);
+		},
+	},
+});
+
+let pullRequestIsDismissedRelease;
+before(async () => {
+	({ pullRequestIsDismissedRelease } = await import('./cleanup-release-branch.mjs'));
+});
+
+describe('pullRequestIsDismissedRelease', () => {
+	it('Recognizes classic dismissed pull request', () => {
+		const pullRequest = {
+			merged: false,
+			labels: ['release'],
+			base: {
+				ref: 'release/2.9.0',
+			},
+			head: {
+				ref: 'release-pr/2.9.0',
+			},
+		};
+
+		/** @type { import('./cleanup-release-branch.mjs').PullRequestCheckResult } */
+		const result = pullRequestIsDismissedRelease(pullRequest);
+
+		assert.equal(result.pass, true);
+		assert.equal(result.reason, undefined);
+	});
+
+	it("Doesn't pass PR with malformed head", () => {
+		const pullRequest = {
+			merged: false,
+			labels: ['release'],
+			base: {
+				ref: 'release/2.9.0',
+			},
+			head: {
+				ref: 'my-fork-release-pr/2.9.0',
+			},
+		};
+
+		/** @type { import('./cleanup-release-branch.mjs').PullRequestCheckResult } */
+		const result = pullRequestIsDismissedRelease(pullRequest);
+
+		assert.equal(result.pass, false);
+		assert.equal(result.reason, `Head ref '${pullRequest.head.ref}' is not release-pr/*`);
+	});
+
+	it("Doesn't pass PR with malformed base", () => {
+		const pullRequest = {
+			merged: false,
+			labels: ['release'],
+			base: {
+				ref: 'master',
+			},
+			head: {
+				ref: 'release-pr/2.9.0',
+			},
+		};
+
+		/** @type { import('./cleanup-release-branch.mjs').PullRequestCheckResult } */
+		const result = pullRequestIsDismissedRelease(pullRequest);
+
+		assert.equal(result.pass, false);
+		assert.equal(result.reason, `Base ref '${pullRequest.base.ref}' is not release/*`);
+	});
+
+	it("Doesn't pass merged PR's", () => {
+		const pullRequest = {
+			merged: true,
+			labels: ['release'],
+			base: {
+				ref: 'release/2.9.0',
+			},
+			head: {
+				ref: 'release-pr/2.9.0',
+			},
+		};
+
+		/** @type { import('./cleanup-release-branch.mjs').PullRequestCheckResult } */
+		const result = pullRequestIsDismissedRelease(pullRequest);
+
+		assert.equal(result.pass, false);
+		assert.equal(result.reason, `PR was merged`);
+	});
+
+	it("Doesn't pass on PR version mismatch", () => {
+		const pullRequest = {
+			merged: false,
+			labels: ['release'],
+			base: {
+				ref: 'release/2.9.0',
+			},
+			head: {
+				ref: 'release-pr/2.9.1',
+			},
+		};
+
+		/** @type { import('./cleanup-release-branch.mjs').PullRequestCheckResult } */
+		const result = pullRequestIsDismissedRelease(pullRequest);
+
+		assert.equal(result.pass, false);
+		assert.equal(
+			result.reason,
+			`Version mismatch: base='${pullRequest.base.ref.replace('release/', '')}' head='${pullRequest.head.ref.replace('release-pr/', '')}'`,
+		);
+	});
+
+	it("Doesn't pass a PR with missing 'release' label", () => {
+		const pullRequest = {
+			merged: false,
+			labels: ['release-pr', 'core-team'],
+			base: {
+				ref: 'release/2.9.0',
+			},
+			head: {
+				ref: 'release-pr/2.9.0',
+			},
+		};
+
+		/** @type { import('./cleanup-release-branch.mjs').PullRequestCheckResult } */
+		const result = pullRequestIsDismissedRelease(pullRequest);
+
+		assert.equal(result.pass, false);
+		assert.equal(
+			result.reason,
+			`Missing required label 'release' (labels: ${pullRequest.labels.join(', ')})`,
+		);
+	});
+});

.github/scripts/compute-backport-targets.mjs

@@ -0,0 +1,109 @@
+// Creates backport PR's according to labels on merged PR
+
+import {
+	getPullRequestById,
+	readPrLabels,
+	resolveRcBranchForTrack,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+
+/** @type { Record<string, import('./github-helpers.mjs').ReleaseTrack> } */
+const BACKPORT_BY_TAG_MAP = {
+	'Backport to Beta': 'beta',
+	'Backport to Stable': 'stable',
+};
+
+const BACKPORT_BY_BRANCH_MAP = {
+	'Backport to v1': '1.x',
+};
+
+/**
+ * @param {Set<string>} labels
+ *
+ * @returns { Set<string> }
+ */
+export function labelsToReleaseCandidateBranches(labels) {
+	const targets = new Set();
+
+	// Backport by tag map includes mapping of label to git tag to resolve
+	for (const [label, tag] of Object.entries(BACKPORT_BY_TAG_MAP)) {
+		// Check if backport label is present
+		if (!labels.has(label)) {
+			continue;
+		}
+
+		const branch = resolveRcBranchForTrack(tag);
+		// Make sure our backport branch exists
+		if (!branch) {
+			continue;
+		}
+
+		targets.add(branch);
+	}
+
+	// Backport by branch map includes mapping of label to git branch. This is used for
+	// older versions of n8n. v1, etc.
+	for (const [label, branch] of Object.entries(BACKPORT_BY_BRANCH_MAP)) {
+		// Check if backport label is present
+		if (!labels.has(label)) {
+			continue;
+		}
+
+		targets.add(branch);
+	}
+
+	return targets;
+}
+
+/**
+ * This script is called in 2 cases:
+ *
+ * 1. When a PR is merged, in which case functions like `readPrLabels` reads PR info from GITHUB_EVENT_PATH
+ * 2. Manually via Workflow Dispatch, where a Pull Request ID is passed as an env parameter
+ *
+ * @returns { Promise<undefined | any> } Pull request object, if ID was provided in env params
+ */
+async function fetchPossiblePullRequestFromEnv() {
+	const pullRequestEnv = process.env.PULL_REQUEST_ID;
+	if (!pullRequestEnv) {
+		// No ID provided, will proceed to read data from GITHUB_EVENT_PATH
+		return undefined;
+	}
+
+	const pullRequestNumber = parseInt(pullRequestEnv);
+	if (isNaN(pullRequestNumber)) {
+		throw new Error(
+			"PULL_REQUEST_ID must be a number. It shouldn't contain any other symbols (#, PR, etc.)",
+		);
+	}
+
+	return await getPullRequestById(pullRequestNumber);
+}
+
+export async function getLabels() {
+	const pullRequest = await fetchPossiblePullRequestFromEnv();
+	return new Set(readPrLabels(pullRequest));
+}
+
+async function main() {
+	const labels = await getLabels();
+	if (!labels || labels.size === 0) {
+		console.log('No labels on PR. Exiting...');
+		return;
+	}
+
+	const backportBranches = labelsToReleaseCandidateBranches(labels);
+
+	if (backportBranches.size === 0) {
+		console.log('No backports needed. Exiting...');
+		return;
+	}
+
+	const target_branches = [...backportBranches].join(' '); // korthout/backport-action@v4 uses space-delimited branch list
+	writeGithubOutput({ target_branches });
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	await main();
+}

.github/scripts/compute-backport-targets.test.mjs

@@ -0,0 +1,104 @@
+import { describe, it, mock, before } from 'node:test';
+import assert from 'node:assert/strict';
+import { readPrLabels } from './github-helpers.mjs';
+
+/**
+ * Run these tests by running
+ *
+ * node --test --experimental-test-module-mocks ./.github/scripts/compute-backport-targets.test.mjs
+ * */
+
+// mock.module must be called before the module under test is imported,
+// because static imports are hoisted and resolve before any code runs.
+mock.module('./github-helpers.mjs', {
+	namedExports: {
+		ensureEnvVar: () => {}, // no-op
+		readPrLabels: readPrLabels,
+		resolveRcBranchForTrack: mockResolveRcBranchForTrack,
+		writeGithubOutput: () => {}, //no-op
+		getPullRequestById: () => {
+			return {
+				labels: ['n8n team', 'Backport to Beta'],
+			};
+		},
+	},
+});
+
+function mockResolveRcBranchForTrack(track) {
+	switch (track) {
+		case 'beta':
+			return 'release-candidate/2.10.1';
+		case 'stable':
+			return 'release-candidate/2.9.4';
+	}
+	return undefined;
+}
+
+let labelsToReleaseCandidateBranches, getLabels;
+before(async () => {
+	({ labelsToReleaseCandidateBranches, getLabels } = await import(
+		'./compute-backport-targets.mjs'
+	));
+});
+
+describe('Compute backport targets', () => {
+	it('Finds backport branches for pointer tag labels', () => {
+		const labels = new Set(['Backport to Beta', 'Backport to Stable']);
+		/** @type { Set<string> } */
+		const result = labelsToReleaseCandidateBranches(labels);
+
+		assert.equal(result.size, 2);
+		assert.ok(result.has('release-candidate/2.10.1'));
+		assert.ok(result.has('release-candidate/2.9.4'));
+	});
+
+	it("Doesn't parse other labes to backport branches", () => {
+		const labels = new Set(['n8n team', 'release']);
+		/** @type { Set<string> } */
+		const result = labelsToReleaseCandidateBranches(labels);
+
+		assert.equal(result.size, 0);
+	});
+
+	it("Doesn't parse malformed backport labels", () => {
+		const labels = new Set(['Backport to Fork', 'Backport to my Home']);
+		/** @type { Set<string> } */
+		const result = labelsToReleaseCandidateBranches(labels);
+
+		assert.equal(result.size, 0);
+	});
+
+	it('Should parse labels properly in Pull request context', async () => {
+		process.env.GITHUB_EVENT_PATH = './fixtures/mock-github-event.json';
+		/** @type { Set<string> } */
+		const labels = await getLabels();
+
+		assert.equal(labels.size, 2);
+		assert.ok(labels.has('release'));
+		assert.ok(labels.has('Backport to Stable'));
+	});
+	it('Should parse labels properly in manual workflow context', async () => {
+		process.env.PULL_REQUEST_ID = '123';
+		/** @type { Set<string> } */
+		const labels = await getLabels();
+
+		assert.equal(labels.size, 2);
+		assert.ok(labels.has('n8n team'));
+		assert.ok(labels.has('Backport to Beta'));
+	});
+
+	it('Should throw when passed pull request id with #', async () => {
+		process.env.PULL_REQUEST_ID = '#123';
+		await assert.rejects(getLabels);
+	});
+
+	it('Should not throw when passed pull request id with just a number', async () => {
+		process.env.PULL_REQUEST_ID = '123';
+		await assert.doesNotReject(getLabels);
+	});
+
+	it('Should throw when passed pull request id with other than numbers included', async () => {
+		process.env.PULL_REQUEST_ID = 'abc-123';
+		await assert.rejects(getLabels);
+	});
+});

.github/scripts/create-github-release.mjs

@@ -0,0 +1,81 @@
+import {
+	deleteRelease,
+	ensureEnvVar,
+	getExistingRelease,
+	initGithub,
+	isReleaseTrack,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+
+/**
+ * Creates release in GitHub.
+ *
+ * Required env variables:
+ *	- RELEASE_TAG	 - Release tag on git e.g. n8n@2.13.0
+ *	- BODY - Body of the release. Contains release notes etc.
+ *	- IS_PRE_RELEASE - If releasing in pre-release. Currently only for beta track.
+ *	- MAKE_LATEST - If released version should be marked as latest on GitHub
+ *	- COMMIT	- Commitish for release to point to
+ *
+ * Optional env variables:
+ *	- ADDITIONAL_TAGS	-	Comma-separated list of additional tags to release under e.g. beta
+ *
+ * GitHub variables
+ *	- GITHUB_TOKEN	-	 Used to authenticate to octokit - Can be overwritten for privileged access
+ *	- GITHUB_REPOSITORY	-	 Used to determine target repository
+ * */
+async function createGitHubRelease() {
+	const RELEASE_TAG = ensureEnvVar('RELEASE_TAG');
+	const ADDITIONAL_TAGS = process.env.ADDITIONAL_TAGS ?? '';
+	const BODY = ensureEnvVar('BODY');
+	const IS_PRE_RELEASE = ensureEnvVar('IS_PRE_RELEASE');
+	const MAKE_LATEST = ensureEnvVar('MAKE_LATEST');
+	const COMMIT = ensureEnvVar('COMMIT');
+
+	const { octokit, owner, repo } = initGithub();
+
+	const allTags = [
+		RELEASE_TAG,
+		...ADDITIONAL_TAGS.split(',')
+			.map((t) => t.trim())
+			.filter(Boolean),
+	];
+	const releases = [];
+
+	for (const tag of allTags) {
+		const existingRelease = await getExistingRelease(tag);
+		const isReleaseTrackTag = isReleaseTrack(tag);
+
+		// If we have an existing track release, we want to
+		// delete the old release before pushing a new one.
+		if (isReleaseTrackTag && existingRelease) {
+			await deleteRelease(existingRelease.id);
+		}
+
+		const releaseResponse = await octokit.rest.repos.createRelease({
+			tag_name: tag,
+			name: tag,
+			body: BODY,
+			draft: false,
+			prerelease: IS_PRE_RELEASE === 'true',
+			make_latest: MAKE_LATEST === 'true' ? 'true' : 'false',
+			target_commitish: COMMIT,
+			owner,
+			repo,
+		});
+
+		const release = releaseResponse.data;
+		releases.push(release);
+
+		console.log(`Successfully created release ${release.html_url}`);
+	}
+
+	writeGithubOutput({
+		release_urls: releases.map((release) => release.html_url).join(', '),
+	});
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	createGitHubRelease();
+}

.github/scripts/detect-new-packages.mjs

@@ -0,0 +1,104 @@
+/**
+ * Detects packages in the monorepo that have not yet been published to npm.
+ *
+ * Packages that are new (never published) cannot be released via OIDC Trusted
+ * Publishing because Trusted Publishing requires the package to already exist
+ * on npm with the publisher configured first.
+ *
+ * New packages must be handled manually:
+ *   1. Published once using an NPM token
+ *   2. Configured with Trusted Publishing on npmjs.com
+ *
+ * Exit codes:
+ *   0 – All public packages exist on npm
+ *   1 – One or more public packages have never been published
+ */
+
+import child_process from 'child_process';
+import { promisify } from 'util';
+import { writeGithubOutput } from './github-helpers.mjs';
+
+const exec = promisify(child_process.exec);
+
+const packages = JSON.parse(
+	(
+		await exec(
+			`pnpm ls -r --only-projects --json | jq -r '[.[] | { name:.name, private: .private}]'`,
+		)
+	).stdout,
+);
+
+const newPackages = [];
+
+for (const { name, private: isPrivate } of packages) {
+	if (isPrivate) continue;
+
+	// Scoped packages must be encoded: @n8n/foo → @n8n%2Ffoo
+	const encodedName = name.startsWith('@') ? name.replace('/', '%2F') : name;
+	const url = `https://registry.npmjs.org/${encodedName}`;
+
+	try {
+		console.log(`Checking if ${name} exists...`);
+		const response = await fetch(url, { method: 'HEAD' });
+		if (response.status === 404) {
+			newPackages.push(name);
+		} else if (!response.ok && response.status !== 405) {
+			// 405 = Method Not Allowed for HEAD (some registries), not an error
+			console.log(
+				`::warning::Unexpected HTTP ${response.status} when checking npm registry for "${name}". Skipping check.`,
+			);
+		}
+	} catch (error) {
+		console.log(
+			`::warning::Could not reach npm registry for "${name}": ${error.message}. Skipping check.`,
+		);
+	}
+}
+
+if (newPackages.length === 0) {
+	const publicCount = packages.filter((p) => !p.private).length;
+	console.log(`✅ All ${publicCount} public packages exist on npm.`);
+	process.exit(0);
+}
+
+console.log(`
+
+❌ New unpublished packages detected!
+
+The following packages do not yet exist on npm and cannot be published via
+OIDC Trusted Publishing until they have been published at least once manually:
+
+`);
+
+for (const pkg of newPackages) {
+	console.log(
+		`::error::Package "${pkg}" has never been published to npm. A manual first-publish with an NPM token is required before it can use OIDC Trusted Publishing.`,
+	);
+}
+
+console.log(`
+Steps to unblock the release, for each new package listed above:
+
+  1. Publish the package once manually using an NPM token:
+			cd to/where/package/lives
+			pnpm login
+			pnpm publish --access public
+
+  2. Configure Trusted Publishing on npmjs.com for each new package:
+       https://docs.npmjs.com/trusted-publishers
+
+     Use the following settings:
+       Repository owner : n8n-io
+       Repository name  : n8n
+       Workflow filename: release-publish.yml
+
+  3. Re-run the Release: Publish workflow.
+
+`);
+
+const output = {
+	packages: newPackages.join(','),
+};
+console.log(` -- Writing to github output: ${JSON.stringify(output)}`);
+writeGithubOutput(output);
+process.exit(1);

.github/scripts/determine-release-candidate-branch-for-track.mjs

@@ -0,0 +1,52 @@
+import {
+	ensureEnvVar,
+	listCommitsBetweenRefs,
+	resolveRcBranchForTrack,
+	resolveReleaseTagForTrack,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+
+function main() {
+	const track = /** @type { import('./github-helpers.mjs').ReleaseTrack } */ (
+		ensureEnvVar('TRACK')
+	);
+
+	const currentTag = resolveReleaseTagForTrack(track);
+
+	const releaseCandidateBranch = resolveRcBranchForTrack(track);
+
+	if (!currentTag?.tag || !releaseCandidateBranch) {
+		throw new Error(
+			`Couldn't resolve needed parameters. currentTag.tag=${currentTag?.tag}, releaseCandidateBranch=${releaseCandidateBranch}`,
+		);
+	}
+
+	console.log(`Commits between ${releaseCandidateBranch} and ${currentTag.tag}:`);
+	console.log(listCommitsBetweenRefs(releaseCandidateBranch, currentTag.tag));
+
+	const commitList = listCommitsBetweenRefs(releaseCandidateBranch, currentTag.tag)
+		.split('\n')
+		.filter((commit) => commit.trim().length > 0);
+	const actionableCommitList = filterActionableCommits(commitList);
+
+	const output = {
+		release_candidate_branch: releaseCandidateBranch,
+		should_update: actionableCommitList.length > 0 ? 'true' : 'false',
+	};
+
+	console.log(output);
+
+	writeGithubOutput(output);
+}
+
+/**
+ * @param { string[] } commitList
+ * */
+export function filterActionableCommits(commitList) {
+	return commitList.filter((commit) => !commit.trimStart().startsWith('ci:'));
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	main();
+}

.github/scripts/determine-release-version-changes.mjs

@@ -0,0 +1,46 @@
+import { ensureEnvVar, sh, writeGithubOutput } from './github-helpers.mjs';
+
+function determineReleaseVersionChanges() {
+	const previousVersion = ensureEnvVar('PREVIOUS_VERSION_TAG');
+	const releaseVersion = ensureEnvVar('RELEASE_VERSION_TAG');
+
+	const log = sh('git', [
+		'--no-pager',
+		'log',
+		'--format="%s (%h)"',
+		`${previousVersion}..${releaseVersion}`,
+	]);
+
+	writeGithubOutput({
+		has_node_enhancements: hasNodeEnhancements(log),
+		has_core_changes: hasCoreChanges(log),
+	});
+}
+
+/**
+ * Matches commit messages with
+ *
+ * fix(nodes)
+ * fix(xyz Node)
+ * feat(nodes)
+ * feat(xyz Node)
+ *
+ * @param {string} log
+ */
+export function hasNodeEnhancements(log) {
+	return /(fix|feat)\((.*Node|nodes)\)/.test(log);
+}
+
+/**
+ * Matches commit messages with feat(core) or feat(editor)
+ *
+ * @param {string} log
+ */
+export function hasCoreChanges(log) {
+	return /feat\((core|editor)\)/.test(log);
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	determineReleaseVersionChanges();
+}

.github/scripts/determine-release-version-changes.test.mjs

@@ -0,0 +1,47 @@
+import { describe, it, mock, before } from 'node:test';
+import assert from 'node:assert/strict';
+
+/**
+ * Run these tests by running
+ *
+ * node --test --experimental-test-module-mocks ./.github/scripts/determine-release-version-changes.test.mjs
+ * */
+
+// mock.module must be called before the module under test is imported,
+// because static imports are hoisted and resolve before any code runs.
+mock.module('./github-helpers.mjs', {
+	namedExports: {
+		ensureEnvVar: () => {}, // no-op
+		sh: () => {}, // no-op
+		writeGithubOutput: () => {}, // no-op
+	},
+});
+
+let hasNodeEnhancements, hasCoreChanges;
+before(async () => {
+	({ hasNodeEnhancements, hasCoreChanges } = await import(
+		'./determine-release-version-changes.mjs'
+	));
+});
+
+describe('Determine release version changes', () => {
+	it('Matches nodes feature', () => {
+		assert.ok(hasNodeEnhancements('feat(nodes): Added a utility for node'));
+	});
+	it('Matches nodes fix', () => {
+		assert.ok(hasNodeEnhancements('fix(nodes): Fix said utility'));
+	});
+	it('Matches named node feature', () => {
+		assert.ok(hasNodeEnhancements('feat(Github Actions Node): Add ability to call webhooks'));
+	});
+	it('Matches named node fix', () => {
+		assert.ok(hasNodeEnhancements('fix(OpenAI Node): Allow credentials to pass through'));
+	});
+
+	it('Matches core changes', () => {
+		assert.ok(hasCoreChanges('feat(core): Add cli flag'));
+	});
+	it('Matches editor changes', () => {
+		assert.ok(hasCoreChanges('feat(editor): Add button'));
+	});
+});

.github/scripts/determine-version-info.mjs

@@ -0,0 +1,138 @@
+import { readFileSync } from 'node:fs';
+import {
+	RELEASE_TRACKS,
+	resolveReleaseTagForTrack,
+	tagVersionInfoToReleaseCandidateBranchName,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+import semver from 'semver';
+
+/**
+ * @param {any} packageVersion
+ */
+export function determineTrack(packageVersion) {
+	if (!semver.valid(packageVersion)) {
+		throw new Error(`Package semver not valid. Got ${packageVersion}`);
+	}
+
+	/** @type { Partial<Record<import('./github-helpers.mjs').ReleaseTrack, import('./github-helpers.mjs').TagVersionInfo>> } */
+	const trackToReleaseMap = {};
+	for (const t of RELEASE_TRACKS) {
+		trackToReleaseMap[t] = resolveReleaseTagForTrack(t);
+	}
+
+	console.log('Current Tracks: ', JSON.stringify(trackToReleaseMap, null, 4));
+
+	let track = null;
+	let newStable = null;
+	let bump = determineBump(packageVersion);
+	const releaseType = determineReleaseType(packageVersion);
+
+	// Check through our current release versions, if semver matches,
+	// we inherit the track pointer from them
+	for (const [releaseTrack, tagVersionInfo] of Object.entries(trackToReleaseMap)) {
+		if (tagVersionInfo && matchesTrack(tagVersionInfo, packageVersion)) {
+			track = releaseTrack;
+			break;
+		}
+	}
+
+	if (!track) {
+		if (!trackToReleaseMap.beta?.version) {
+			throw new Error(
+				'Likely updating to new beta release, but no existing beta tag was found in git.',
+			);
+		}
+		// If not track was found in current versions, we verify we're building a
+		// new beta version and the input is not invalid.
+		assertNewBetaRelease(trackToReleaseMap.beta.version, packageVersion);
+
+		track = 'beta';
+		newStable = trackToReleaseMap.beta.version;
+	}
+
+	if (!track) {
+		throw new Error('Could not determine track for release. Exiting...');
+	}
+
+	const rc_branch = tagVersionInfoToReleaseCandidateBranchName({
+		version: packageVersion,
+		tag: /** @type {import('./github-helpers.mjs').ReleaseVersion} */ (`n8n@${packageVersion}`),
+	});
+
+	const previousVersion = trackToReleaseMap[track]?.version;
+
+	const output = {
+		previous_version: previousVersion,
+		version: packageVersion,
+		track,
+		bump,
+		new_stable_version: newStable,
+		release_type: releaseType,
+		rc_branch,
+	};
+
+	writeGithubOutput(output);
+	console.log(
+		`Determined track info: ${Object.entries(output)
+			.map(([key, val]) => `${key}=${val}`)
+			.join(', ')}`,
+	);
+
+	return output;
+}
+
+/**
+ * The current version matches the track, if their Major and Minor semvers match.
+ *
+ * This means that we are working with a patch release
+ *
+ * @param {import("./github-helpers.mjs").TagVersionInfo} tagVersionInfo
+ * @param {any} currentVersion
+ */
+function matchesTrack(tagVersionInfo, currentVersion) {
+	if (semver.major(tagVersionInfo.version) !== semver.major(currentVersion)) {
+		return false;
+	}
+	if (semver.minor(tagVersionInfo.version) !== semver.minor(currentVersion)) {
+		return false;
+	}
+	return true;
+}
+
+/**
+ * @param {string} currentBetaVersion
+ * @param {any} currentVersion
+ */
+function assertNewBetaRelease(currentBetaVersion, currentVersion) {
+	if (semver.major(currentBetaVersion) !== semver.major(currentVersion)) {
+		throw new Error('Major version bumps are not allowed by this pipeline');
+	}
+
+	const bumpedCurrentBeta = semver.inc(currentBetaVersion, 'minor');
+	if (semver.minor(bumpedCurrentBeta) !== semver.minor(currentVersion)) {
+		throw new Error(
+			`Trying to upgrade minor version by more than one increment. Previous: ${bumpedCurrentBeta}, Requested: ${currentVersion}`,
+		);
+	}
+}
+
+function determineReleaseType(currentVersion) {
+	if (currentVersion.includes('-rc.')) {
+		return 'rc';
+	}
+	return 'stable';
+}
+
+function determineBump(currentVersion) {
+	if (semver.patch(currentVersion) === 0 && determineReleaseType(currentVersion) != 'rc') {
+		return 'minor';
+	}
+	return 'patch';
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	const packageJson = JSON.parse(readFileSync('./package.json', 'utf8'));
+	determineTrack(packageJson.version);
+}

.github/scripts/determine-version-info.test.mjs

@@ -0,0 +1,107 @@
+import { describe, it, mock, before } from 'node:test';
+import assert from 'node:assert/strict';
+import { tagVersionInfoToReleaseCandidateBranchName } from './github-helpers.mjs';
+
+/**
+ * Run these tests by running
+ *
+ * node --test --experimental-test-module-mocks ./.github/scripts/determine-version-info.test.mjs
+ * */
+
+// mock.module must be called before the module under test is imported,
+// because static imports are hoisted and resolve before any code runs.
+mock.module('./github-helpers.mjs', {
+	namedExports: {
+		RELEASE_TRACKS: ['stable', 'beta', 'v1'],
+		resolveReleaseTagForTrack: (track) => {
+			// Always return deterministic data
+			if (track === 'stable') return { version: '2.9.2', tag: 'n8n@2.9.2' };
+			if (track === 'beta') return { version: '2.10.1', tag: 'n8n@2.10.1' };
+			return { version: '1.123.33', tag: 'n8n@1.123.33' };
+		},
+		tagVersionInfoToReleaseCandidateBranchName,
+		writeGithubOutput: () => {}, // no-op in tests
+		getCommitForRef: () => {}, // no-op
+		localRefExists: () => {}, // no-op
+		remoteBranchExists: () => {}, // no-op
+		sh: () => {}, // no-op
+	},
+});
+
+let determineTrack;
+before(async () => {
+	({ determineTrack } = await import('./determine-version-info.mjs'));
+});
+
+describe('determine-tracks', () => {
+	it('Allow patch releases on stable', () => {
+		const output = determineTrack('2.9.3');
+
+		assert.equal(output.track, 'stable');
+		assert.equal(output.version, '2.9.3');
+		assert.equal(output.previous_version, '2.9.2');
+		assert.equal(output.bump, 'patch');
+		assert.equal(output.new_stable_version, null);
+		assert.equal(output.release_type, 'stable');
+		assert.equal(output.rc_branch, 'release-candidate/2.9.x');
+	});
+
+	it('Allow patch releases on beta', () => {
+		const output = determineTrack('2.10.2');
+
+		assert.equal(output.track, 'beta');
+		assert.equal(output.version, '2.10.2');
+		assert.equal(output.previous_version, '2.10.1');
+		assert.equal(output.bump, 'patch');
+		assert.equal(output.new_stable_version, null);
+		assert.equal(output.release_type, 'stable');
+		assert.equal(output.rc_branch, 'release-candidate/2.10.x');
+	});
+
+	// This use case might happen if a patch release fails and we proceed with rolling over to next release
+	it('Allow skipping versions in patches', () => {
+		const output = determineTrack('2.9.4');
+
+		assert.equal(output.track, 'stable');
+		assert.equal(output.version, '2.9.4');
+		assert.equal(output.previous_version, '2.9.2');
+		assert.equal(output.bump, 'patch');
+		assert.equal(output.new_stable_version, null);
+		assert.equal(output.release_type, 'stable');
+		assert.equal(output.rc_branch, 'release-candidate/2.9.x');
+	});
+
+	it('Disallow skipping versions in minors', () => {
+		assert.throws(() => determineTrack('2.12.0'));
+	});
+	it('Disallow changing major version', () => {
+		assert.throws(() => determineTrack('3.0.0'));
+	});
+	it('Throw when track is not determinable', () => {
+		assert.throws(() => determineTrack(''));
+	});
+
+	it('Set track as "beta" when doing a minor bump', () => {
+		const output = determineTrack('2.11.0');
+
+		assert.equal(output.track, 'beta');
+		assert.equal(output.version, '2.11.0');
+		assert.equal(output.previous_version, '2.10.1');
+		assert.equal(output.bump, 'minor');
+		assert.equal(output.new_stable_version, '2.10.1');
+		assert.equal(output.release_type, 'stable');
+		assert.equal(output.rc_branch, 'release-candidate/2.11.x');
+	});
+
+	it('Set release_type accordingly on rc releases', () => {
+		const output = determineTrack('2.10.2-rc.1');
+
+		assert.equal(output.track, 'beta');
+		assert.equal(output.version, '2.10.2-rc.1');
+		assert.equal(output.previous_version, '2.10.1');
+		assert.equal(output.bump, 'patch');
+		assert.equal(output.new_stable_version, null);
+		assert.equal(output.release_type, 'rc');
+		assert.equal(output.rc_branch, 'release-candidate/2.10.x');
+	});
+});

.github/scripts/docker/docker-config.mjs

@@ -31,7 +31,7 @@ class BuildContext {
 				case 'pull_request':
 					context.version = `pr-${pr}`;
 					context.release_type = 'dev';
-					context.push_to_ghcr = false;
+					context.platforms = ['linux/amd64'];
 					break;
 
 				case 'workflow_dispatch':

.github/scripts/docker/docker-tags.mjs

@@ -9,7 +9,7 @@ class TagGenerator {
 		this.githubOutput = process.env.GITHUB_OUTPUT || null;
 	}
 
-	generate({ image, version, platform, includeDockerHub = false }) {
+	generate({ image, version, platform, includeDockerHub = false, sha = '' }) {
 		let imageName = image;
 		let versionSuffix = '';
 
@@ -27,6 +27,21 @@ class TagGenerator {
 		};
 
 		tags.all = [...tags.ghcr, ...tags.docker];
+
+		// Generate additional SHA-based tags for immutable references
+		if (sha) {
+			const shaVersion = `${version}-${sha}`;
+			const shaPlatformTag = `${shaVersion}${versionSuffix}${platformSuffix}`;
+			const shaGhcr = [`ghcr.io/${this.githubOwner}/${imageName}:${shaPlatformTag}`];
+			const shaDocker = includeDockerHub
+				? [`${this.dockerUsername}/${imageName}:${shaPlatformTag}`]
+				: [];
+			tags.all = [...tags.all, ...shaGhcr, ...shaDocker];
+			tags.ghcr = [...tags.ghcr, ...shaGhcr];
+			tags.docker = [...tags.docker, ...shaDocker];
+			tags.shaPrimaryTag = shaGhcr[0].replace(/-amd64$|-arm64$/, '');
+		}
+
 		return tags;
 	}
 
@@ -40,18 +55,21 @@ class TagGenerator {
 				`${prefixStr}docker_tag=${tags.docker[0] || ''}`,
 				`${prefixStr}primary_tag=${primaryTag}`,
 			];
+			if (tags.shaPrimaryTag) {
+				outputs.push(`${prefixStr}sha_primary_tag=${tags.shaPrimaryTag}`);
+			}
 			appendFileSync(this.githubOutput, outputs.join('\n') + '\n');
 		} else {
 			console.log(JSON.stringify(tags, null, 2));
 		}
 	}
 
-	generateAll({ version, platform, includeDockerHub = false }) {
+	generateAll({ version, platform, includeDockerHub = false, sha = '' }) {
 		const images = ['n8n', 'runners', 'runners-distroless'];
 		const results = {};
 
 		for (const image of images) {
-			const tags = this.generate({ image, version, platform, includeDockerHub });
+			const tags = this.generate({ image, version, platform, includeDockerHub, sha });
 			const prefix = image.replace('-distroless', '_distroless');
 			results[prefix] = tags;
 
@@ -86,6 +104,7 @@ if (import.meta.url === `file://${process.argv[1]}`) {
 				version,
 				platform: getArg('platform'),
 				includeDockerHub: hasFlag('include-docker'),
+				sha: getArg('sha') || '',
 			});
 			if (!generator.githubOutput) {
 				console.log(JSON.stringify(results, null, 2));
@@ -101,6 +120,7 @@ if (import.meta.url === `file://${process.argv[1]}`) {
 				version,
 				platform: getArg('platform'),
 				includeDockerHub: hasFlag('include-docker'),
+				sha: getArg('sha') || '',
 			});
 			generator.output(tags);
 		}

.github/scripts/docker/get-manifest-digests.mjs

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+/**
+ * Extracts manifest digests and image names for SLSA provenance and VEX attestation.
+ *
+ * Usage:
+ *   N8N_TAG=ghcr.io/n8n-io/n8n:1.0.0 node get-manifest-digests.mjs
+ *
+ * Environment variables:
+ *   N8N_TAG              - Full image reference for n8n image
+ *   RUNNERS_TAG          - Full image reference for runners image
+ *   DISTROLESS_TAG       - Full image reference for runners-distroless image
+ *   GITHUB_OUTPUT        - Path to GitHub Actions output file (optional)
+ */
+
+import { execSync } from 'node:child_process';
+import { appendFileSync } from 'node:fs';
+
+const githubOutput = process.env.GITHUB_OUTPUT || null;
+
+function getDigest(imageRef) {
+	if (!imageRef) return '';
+	const raw = execSync(`docker buildx imagetools inspect "${imageRef}" --raw`, {
+		encoding: 'utf8',
+	});
+	const hash = execSync('sha256sum', { input: raw, encoding: 'utf8' }).split(' ')[0].trim();
+	return `sha256:${hash}`;
+}
+
+function getImageName(imageRef) {
+	if (!imageRef) return '';
+	return imageRef.replace(/:([^:]+)$/, '');
+}
+
+function setOutput(name, value) {
+	if (githubOutput && value) appendFileSync(githubOutput, `${name}=${value}\n`);
+}
+
+const n8nTag = process.env.N8N_TAG || '';
+const runnersTag = process.env.RUNNERS_TAG || '';
+const distrolessTag = process.env.DISTROLESS_TAG || '';
+
+const results = {
+	n8n: { digest: getDigest(n8nTag), image: getImageName(n8nTag) },
+	runners: { digest: getDigest(runnersTag), image: getImageName(runnersTag) },
+	runners_distroless: { digest: getDigest(distrolessTag), image: getImageName(distrolessTag) },
+};
+
+setOutput('n8n_digest', results.n8n.digest);
+setOutput('n8n_image', results.n8n.image);
+setOutput('runners_digest', results.runners.digest);
+setOutput('runners_image', results.runners.image);
+setOutput('runners_distroless_digest', results.runners_distroless.digest);
+setOutput('runners_distroless_image', results.runners_distroless.image);
+
+console.log('=== Manifest Digests ===');
+console.log(`n8n: ${results.n8n.digest || 'N/A'}`);
+console.log(`runners: ${results.runners.digest || 'N/A'}`);
+console.log(`runners-distroless: ${results.runners_distroless.digest || 'N/A'}`);
+console.log('');
+console.log('=== Image Names ===');
+console.log(`n8n: ${results.n8n.image || 'N/A'}`);
+console.log(`runners: ${results.runners.image || 'N/A'}`);
+console.log(`runners-distroless: ${results.runners_distroless.image || 'N/A'}`);

.github/scripts/ensure-provenance-fields.mjs

@@ -9,7 +9,13 @@ const exec = promisify(child_process.exec);
 const commonFiles = ['LICENSE.md', 'LICENSE_EE.md'];
 
 const baseDir = resolve(dirname(fileURLToPath(import.meta.url)), '../..');
-const packages = JSON.parse((await exec('pnpm ls -r --only-projects --json')).stdout);
+const packages = JSON.parse(
+	(
+		await exec(
+			`pnpm ls -r --only-projects --json | jq -r '[.[] | { name: .name, version: .version, path: .path,  private: .private}]'`,
+		)
+	).stdout,
+);
 
 for (let { name, path, version, private: isPrivate } of packages) {
 	if (isPrivate) continue;

.github/scripts/ensure-release-candidate-branches.mjs

@@ -0,0 +1,143 @@
+import semver from 'semver';
+import {
+	getCommitForRef,
+	localRefExists,
+	RELEASE_CANDIDATE_BRANCH_PREFIX,
+	remoteBranchExists,
+	resolveReleaseTagForTrack,
+	sh,
+	tagVersionInfoToReleaseCandidateBranchName,
+	trySh,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+
+/**
+ * @typedef BranchChanges
+ * @property { import('./github-helpers.mjs').TagVersionInfo[] } branchesToEnsure TagVersionInfo for branches the system needs to make sure exist
+ * @property { string[] } branchesToDeprecate Branches the system needs to remove as deprecated
+ * */
+
+/**
+ * Look into git tags and determine which release candidate branches need to
+ * exist and which need to be deprecated and removed.
+ *
+ * @returns { BranchChanges }
+ * */
+export function determineBranchChanges() {
+	const branchesToDeprecate = [];
+
+	const currentBetaVersion = resolveReleaseTagForTrack('beta');
+	const currentStableVersion = resolveReleaseTagForTrack('stable');
+
+	if (!currentBetaVersion || !currentStableVersion) {
+		throw new Error(
+			`Could not find current stable and/or beta tags. Beta: ${currentBetaVersion?.tag ?? 'not found'}, Stable: ${currentStableVersion?.tag ?? 'not found'}`,
+		);
+	}
+
+	const branchesToEnsure = [currentBetaVersion, currentStableVersion];
+
+	const stableVersion = currentStableVersion.version;
+	// Deprecated branch is the current stable minus 2 versions. e.g. stable: 2.9.x, deprecated is 2.7.x
+	const deprecatedMinorVersion = semver.minor(stableVersion) - 2;
+
+	if (deprecatedMinorVersion >= 0) {
+		const deprecatedBranch = `${RELEASE_CANDIDATE_BRANCH_PREFIX}${semver.major(stableVersion)}.${deprecatedMinorVersion}.x`;
+		branchesToDeprecate.push(deprecatedBranch);
+	}
+
+	return {
+		branchesToEnsure,
+		branchesToDeprecate,
+	};
+}
+
+/**
+ * @param {import("./github-helpers.mjs").TagVersionInfo} tagInfo
+ */
+function ensureBranch(tagInfo) {
+	const branch = tagVersionInfoToReleaseCandidateBranchName(tagInfo);
+
+	if (remoteBranchExists(branch)) {
+		console.log(`Branch ${branch} already exists on origin. Skipping.`);
+		return branch;
+	}
+
+	const commitRef = getCommitForRef(tagInfo.tag);
+
+	console.log(`Creating branch ${branch} from ${tagInfo.tag} (${commitRef})`);
+	// Create local branch (force safe: it shouldn't exist, but keep it robust)
+	if (localRefExists(`refs/heads/${branch}`)) {
+		sh('git', ['branch', '-f', branch, commitRef]);
+	} else {
+		sh('git', ['switch', '-c', branch, commitRef]);
+	}
+
+	sh('git', ['push', 'origin', branch]);
+
+	return branch;
+}
+
+/**
+ * @param {string} branch
+ */
+function removeBranch(branch) {
+	if (!remoteBranchExists(branch)) {
+		console.log(`Couldn't find branch ${branch}. Skipping removal.`);
+		return null;
+	}
+
+	console.log(`Removing remote branch ${branch} from origin...`);
+	// Delete remote branch
+	trySh('git', ['push', 'origin', '--delete', branch]);
+
+	// Optional local cleanup (keeps reruns tidy)
+	if (localRefExists(`refs/heads/${branch}`)) {
+		console.log(`Removing local branch ${branch}...`);
+		trySh('git', ['branch', '-D', branch]);
+	}
+
+	return branch;
+}
+
+function main() {
+	const branchChanges = determineBranchChanges();
+
+	console.log('💡 Determined branch changes');
+	console.log('');
+	console.log(
+		`		Branches to ensure: ${branchChanges.branchesToEnsure.map(tagVersionInfoToReleaseCandidateBranchName).join(', ')}`,
+	);
+	console.log(`		Branches to deprecate: ${branchChanges.branchesToDeprecate.join(', ')}`);
+	console.log('');
+	console.log('Preparing to apply changes...');
+
+	let ensuredBranches = [];
+	for (const tagInfo of branchChanges.branchesToEnsure) {
+		const branch = ensureBranch(tagInfo);
+		ensuredBranches.push(branch);
+	}
+
+	console.log('');
+	console.log('Starting deprecation of branches...');
+
+	let removedBranches = [];
+	for (const branch of branchChanges.branchesToDeprecate) {
+		const removedBranch = removeBranch(branch);
+		if (removedBranch) {
+			removedBranches.push(removedBranch);
+		}
+	}
+
+	console.log('Done!');
+
+	writeGithubOutput({
+		ensuredBranches: ensuredBranches.join(','),
+		removedBranches: removedBranches.join(','),
+	});
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	main();
+}

.github/scripts/ensure-release-candidate-branches.test.mjs

@@ -0,0 +1,69 @@
+import { describe, it, mock, before } from 'node:test';
+import assert from 'node:assert/strict';
+import { RELEASE_CANDIDATE_BRANCH_PREFIX } from './github-helpers.mjs';
+
+/**
+ * Run these tests by running
+ *
+ * node --test --experimental-test-module-mocks ./.github/scripts/ensure-release-candidate-branches.test.mjs
+ * */
+
+let tagVersionInfoToReleaseCandidateBranchName;
+before(async () => {
+	({ tagVersionInfoToReleaseCandidateBranchName } = await import('./github-helpers.mjs'));
+});
+
+// mock.module must be called before the module under test is imported,
+// because static imports are hoisted and resolve before any code runs.
+mock.module('./github-helpers.mjs', {
+	namedExports: {
+		RELEASE_TRACKS: ['stable', 'beta', 'v1'],
+		RELEASE_PREFIX: 'n8n@',
+		RELEASE_CANDIDATE_BRANCH_PREFIX: RELEASE_CANDIDATE_BRANCH_PREFIX,
+		tagVersionInfoToReleaseCandidateBranchName,
+		resolveReleaseTagForTrack: (track) => {
+			// Always return deterministic data
+			if (track === 'stable') return { version: '2.9.2', tag: 'n8n@2.9.2' };
+			if (track === 'beta') return { version: '2.10.1', tag: 'n8n@2.10.1' };
+			return { version: '1.123.33', tag: 'n8n@1.123.33' };
+		},
+		writeGithubOutput: () => {}, // no-op in tests
+		sh: () => {}, // no-op in tests
+		trySh: () => {}, // no-op in tests
+		getCommitForRef: () => {}, // no-op in tests
+		remoteBranchExists: () => {}, // no-op in tests
+		localRefExists: () => {}, // no-op in tests
+	},
+});
+
+let determineBranchChanges;
+before(async () => {
+	({ determineBranchChanges } = await import('./ensure-release-candidate-branches.mjs'));
+});
+
+describe('Determine branch changes', () => {
+	it('Correctly determines ensureable branches', () => {
+		const output = determineBranchChanges();
+		const ensureBranches = output.branchesToEnsure.map(tagVersionInfoToReleaseCandidateBranchName);
+
+		assert.ok(
+			ensureBranches.includes('release-candidate/2.10.x'),
+			"Beta release-candidate branch doesn't exist",
+		);
+
+		assert.ok(
+			ensureBranches.includes('release-candidate/2.9.x'),
+			"Stable release-candidate branch doesn't exist",
+		);
+	});
+
+	it('Correctly determines deprecated branches', () => {
+		/** @type { import('./ensure-release-candidate-branches.mjs').BranchChanges} */
+		const output = determineBranchChanges();
+
+		assert.ok(
+			output.branchesToDeprecate.includes('release-candidate/2.7.x'),
+			'Existing branch release-candidate/2.7.x should be marked for removal',
+		);
+	});
+});

.github/scripts/fixtures/mock-github-event.json

@@ -0,0 +1,5 @@
+{
+	"pull_request": {
+		"labels": ["release", "Backport to Stable"]
+	}
+}

.github/scripts/get-release-versions.mjs

@@ -0,0 +1,63 @@
+import semver from 'semver';
+import {
+	getCommitForRef,
+	listTagsPointingAt,
+	RELEASE_PREFIX,
+	RELEASE_TRACKS,
+	stripReleasePrefixes,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+
+/**
+ * Given a list of tag names, return the highest semver tag (keeping the original 'v' prefix),
+ * or "" if none match semver.
+ *
+ * @param {string[]} tags
+ **/
+function highestSemverTag(tags) {
+	const candidates = tags
+		.filter((t) => t.startsWith(RELEASE_PREFIX))
+		.map((t) => ({
+			tag: t,
+			version: stripReleasePrefixes(t),
+		}))
+		.filter(({ version }) => semver.valid(version));
+
+	if (candidates.length === 0) return '';
+
+	candidates.sort((a, b) => semver.rcompare(a.version, b.version));
+	return candidates[0]?.tag;
+}
+
+/**
+ * @param {string} track
+ **/
+function getSemverTagForTrack(track) {
+	const commit = getCommitForRef(track);
+	if (!commit) return '';
+
+	const tags = listTagsPointingAt(commit);
+	return highestSemverTag(tags);
+}
+
+function main() {
+	/** @type { Record<string, string> } */
+	const outputs = {};
+	for (const track of RELEASE_TRACKS) {
+		outputs[track] = getSemverTagForTrack(track);
+	}
+
+	writeGithubOutput(outputs);
+
+	console.log('Current release versions: ');
+	for (const [k, v] of Object.entries(outputs)) {
+		console.log(`${k}: ${v || '(not found)'}`);
+	}
+}
+
+try {
+	main();
+} catch (err) {
+	console.error(String(err?.message ?? err));
+	process.exit(1);
+}

.github/scripts/github-helpers.mjs

@@ -0,0 +1,386 @@
+import { getOctokit } from '@actions/github';
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+import semver from 'semver';
+
+export const CURRENT_MAJOR_VERSION = 2;
+export const RELEASE_CANDIDATE_BRANCH_PREFIX = 'release-candidate/';
+
+export const RELEASE_TRACKS = /** @type { const } */ ([
+	//
+	'stable',
+	'beta',
+	'v1',
+]);
+
+/**
+ * @typedef { InstanceType<typeof import("@actions/github/lib/utils").GitHub> } GitHubInstance
+ * */
+
+/**
+ * @typedef {typeof RELEASE_TRACKS[number]} ReleaseTrack
+ * */
+
+/**
+ * @typedef {`${number}.${number}.${number}`} SemVer
+ * */
+
+/**
+ * @typedef {`${RELEASE_PREFIX}${SemVer}`} ReleaseVersion
+ * */
+
+/**
+ * @typedef {{ tag: ReleaseVersion, version: SemVer }} TagVersionInfo
+ * */
+
+export const RELEASE_PREFIX = 'n8n@';
+
+/**
+ * Given a list of tags, return the highest semver for tags like "n8n@2.7.0".
+ * Returns the *tag string* (e.g. "n8n@2.7.0") or null.
+ *
+ * @param {string[]} tags
+ *
+ * @returns { ReleaseVersion | null }
+ * */
+export function pickHighestReleaseTag(tags) {
+	const versions = tags
+		.filter((t) => t.startsWith(RELEASE_PREFIX))
+		.map((t) => ({ tag: t, v: stripReleasePrefixes(t) }))
+		.filter(({ v }) => semver.valid(v))
+		.sort((a, b) => semver.rcompare(a.v, b.v));
+
+	return /** @type { ReleaseVersion } */ (versions[0]?.tag) ?? null;
+}
+
+/**
+ * @param {any} track
+ *
+ * @returns { track is ReleaseTrack }
+ * */
+export function isReleaseTrack(track) {
+	return RELEASE_TRACKS.includes(track);
+}
+
+/**
+ * @param {any} track
+ *
+ * @returns { ReleaseTrack }
+ * */
+export function ensureReleaseTrack(track) {
+	if (!RELEASE_TRACKS.includes(track)) {
+		throw new Error(`Invalid track ${track}. Available tracks are ${RELEASE_TRACKS.join(', ')}`);
+	}
+
+	return track;
+}
+
+/**
+ * Resolve a release track tag (stable/beta/etc.) to the corresponding
+ * n8n@x.y.z tag pointing at the same commit.
+ *
+ * Returns null if the track tag or release tag is missing.
+ *
+ * @param { typeof RELEASE_TRACKS[number] } track
+ *
+ * @returns { TagVersionInfo | null }
+ * */
+export function resolveReleaseTagForTrack(track) {
+	const commit = getCommitForRef(track);
+	if (!commit) return null;
+
+	const tagsAtCommit = listTagsPointingAt(commit);
+	const releaseTag = pickHighestReleaseTag(tagsAtCommit);
+	if (!releaseTag) return null;
+
+	return {
+		tag: releaseTag,
+		version: stripReleasePrefixes(releaseTag),
+	};
+}
+
+/**
+ * Resolve a release track tag (stable/beta/etc.) to the corresponding
+ * release-candidate/<major>.<minor>.x branch, based on the n8n@<x.y.z> tag
+ * pointing at the same commit.
+ *
+ * Returns null if the track tag or release tag is missing.
+ *
+ * @param { ReleaseTrack } track
+ * */
+export function resolveRcBranchForTrack(track) {
+	if (track === 'v1') {
+		return '1.x';
+	}
+
+	const commit = getCommitForRef(track);
+	if (!commit) return null;
+
+	const tagsAtCommit = listTagsPointingAt(commit);
+	const releaseTag = pickHighestReleaseTag(tagsAtCommit);
+	if (!releaseTag) return null;
+
+	const version = stripReleasePrefixes(releaseTag);
+	const parsed = semver.parse(version);
+	if (!parsed) return null;
+
+	return `release-candidate/${parsed.major}.${parsed.minor}.x`;
+}
+
+/**
+ * Takes a TagVersionInfo object and returns a rc-branch name.
+ *
+ * e.g. release-candidate/2.8.x or 1.x
+ *
+ * @param {import('./github-helpers.mjs').TagVersionInfo} tagVersionInfo
+ *
+ * @returns { `${RELEASE_CANDIDATE_BRANCH_PREFIX}${number}.${number}.x` | `${number}.x` }
+ * */
+export function tagVersionInfoToReleaseCandidateBranchName(tagVersionInfo) {
+	const version = tagVersionInfo.version;
+	const majorVersion = semver.major(version);
+	if (majorVersion < CURRENT_MAJOR_VERSION) {
+		return `${majorVersion}.x`;
+	}
+
+	return `${RELEASE_CANDIDATE_BRANCH_PREFIX}${majorVersion}.${semver.minor(version)}.x`;
+}
+
+/**
+ * @param {string} tag
+ *
+ * @returns { SemVer }
+ * */
+export function stripReleasePrefixes(tag) {
+	return /** @type { SemVer } */ (
+		tag.startsWith(RELEASE_PREFIX) ? tag.slice(RELEASE_PREFIX.length) : tag
+	);
+}
+
+export function getEventFromGithubEventPath() {
+	let eventPath = ensureEnvVar('GITHUB_EVENT_PATH');
+	if (!path.isAbsolute(eventPath)) {
+		eventPath = import.meta.dirname + '/' + eventPath;
+	}
+	return JSON.parse(fs.readFileSync(eventPath, 'utf8'));
+}
+
+/**
+ * @param {any} [pullRequest] Optional pull request object. If not provided, reads from GITHUB_EVENT_PATH
+ *
+ * @returns {string[]}
+ */
+export function readPrLabels(pullRequest) {
+	if (!pullRequest) {
+		const event = getEventFromGithubEventPath();
+		pullRequest = event.pull_request;
+	}
+	/** @type { string[] | { name: string }[] } */
+	const labels = pullRequest?.labels ?? [];
+
+	return labels.map((l) => (typeof l === 'string' ? l : l?.name)).filter(Boolean);
+}
+
+/**
+ * Ensures git tag exists.
+ *
+ * @param {string} tag
+ * @throws {Error} if no tag was found
+ */
+export function ensureTagExists(tag) {
+	sh('git', ['fetch', '--force', '--no-tags', 'origin', `refs/tags/${tag}:refs/tags/${tag}`]);
+}
+
+/**
+ * @param {string} bump
+ *
+ * @returns { bump is import("semver").ReleaseType }
+ * */
+export function isReleaseType(bump) {
+	return ['major', 'minor', 'patch'].includes(bump);
+}
+
+/**
+ * @param {string} variableName
+ */
+export function ensureEnvVar(variableName) {
+	const v = process.env[variableName];
+	if (!v) {
+		throw new Error(`Missing required env var: ${variableName}`);
+	}
+	return v;
+}
+
+/**
+ * @param {string} cmd
+ * @param {readonly string[]} args
+ * @param {import("node:child_process").ExecFileOptionsWithStringEncoding} args
+ *
+ * @example sh("git", ["tag", "--points-at", commit]);
+ * */
+export function sh(cmd, args, opts = {}) {
+	return execFileSync(cmd, args, { encoding: 'utf8', ...opts }).trim();
+}
+
+/**
+ * @param {string} cmd
+ * @param {readonly string[]} args
+ * @param {import("node:child_process").ExecFileOptionsWithStringEncoding} args
+ *
+ * @example trySh("git", ["tag", "--points-at", commit]);
+ * */
+export function trySh(cmd, args, opts = {}) {
+	try {
+		return { ok: true, out: sh(cmd, args, opts) };
+	} catch {
+		return { ok: false, out: '' };
+	}
+}
+
+/**
+ * Append outputs to GITHUB_OUTPUT if available.
+ *
+ * @param {Record<string, string | boolean>} obj
+ */
+export function writeGithubOutput(obj) {
+	const path = process.env.GITHUB_OUTPUT;
+	if (!path) return;
+
+	const lines = Object.entries(obj)
+		.map(([k, v]) => `${k}=${v ?? ''}`)
+		.join('\n');
+
+	fs.appendFileSync(path, lines + '\n', 'utf8');
+}
+
+/**
+ * Resolve a ref (tag/branch/SHA) to the underlying commit SHA.
+ * Uses ^{} so annotated tags are peeled to the commit.
+ * Returns null if ref doesn't exist.
+ *
+ * @param {string} ref
+ */
+export function getCommitForRef(ref) {
+	const res = trySh('git', ['rev-parse', `${ref}^{}`]);
+	return res.ok && res.out ? res.out : null;
+}
+
+/**
+ * List all tags that point at the given commit SHA.
+ *
+ * @param {string} commit
+ */
+export function listTagsPointingAt(commit) {
+	const res = trySh('git', ['tag', '--points-at', commit]);
+	if (!res.ok || !res.out) return [];
+
+	return res.out
+		.split('\n')
+		.map((s) => s.trim())
+		.filter(Boolean);
+}
+
+/**
+ * @param {string} from
+ * @param {string} to
+ */
+export function listCommitsBetweenRefs(from, to) {
+	return sh('git', ['--no-pager', 'log', '--format=%s (%h)', `${to}..origin/${from}`]);
+}
+
+/**
+ * @param {string} from
+ * @param {string} to
+ */
+export function countCommitsBetweenRefs(from, to) {
+	const output = sh('git', ['rev-list', '--count', `${to}..origin/${from}`]);
+	const count = parseInt(output);
+
+	return isNaN(count) ? 0 : count;
+}
+
+/**
+ * @param {string} branch
+ */
+export function remoteBranchExists(branch) {
+	const res = trySh('git', ['ls-remote', '--heads', 'origin', branch]);
+	return res.ok && res.out.length > 0;
+}
+
+/**
+ * @param {string} ref
+ */
+export function localRefExists(ref) {
+	const res = trySh('git', ['show-ref', '--verify', '--quiet', ref]);
+	return res.ok;
+}
+
+/**
+ * Initializes octokit with GITHUB_TOKEN from env vars.
+ *
+ * Also ensures the existence of useful environment variables.
+ * */
+export function initGithub() {
+	const token = ensureEnvVar('GITHUB_TOKEN');
+	const repoFullName = ensureEnvVar('GITHUB_REPOSITORY');
+
+	const [owner, repo] = repoFullName.split('/');
+
+	const octokit = getOctokit(token);
+
+	return {
+		octokit,
+		owner,
+		repo,
+	};
+}
+
+/**
+ * @param {number} pullRequestId
+ */
+export async function getPullRequestById(pullRequestId) {
+	const { octokit, owner, repo } = initGithub();
+
+	const pullRequest = await octokit.rest.pulls.get({
+		owner,
+		repo,
+		pull_number: pullRequestId,
+	});
+
+	return pullRequest.data;
+}
+
+/**
+ * @param {string} tag
+ */
+export async function getExistingRelease(tag) {
+	const { octokit, owner, repo } = initGithub();
+
+	try {
+		const releaseRequest = await octokit.rest.repos.getReleaseByTag({
+			owner,
+			repo,
+			tag,
+		});
+
+		return releaseRequest.data;
+	} catch (ex) {
+		if (ex?.status === 404) {
+			return undefined;
+		}
+		throw ex;
+	}
+}
+
+/**
+ * @param {number} releaseId
+ */
+export async function deleteRelease(releaseId) {
+	const { octokit, owner, repo } = initGithub();
+	await octokit.rest.repos.deleteRelease({
+		owner,
+		repo,
+		release_id: releaseId,
+	});
+}

.github/scripts/jsconfig.json

@@ -0,0 +1,10 @@
+{
+  "compilerOptions": {
+    "module": "esnext",
+    "target": "esnext",
+    "checkJs": true,
+    "moduleResolution": "bundler"
+  },
+  "exclude": ["node_modules"]
+}
+

.github/scripts/move-track-tag.mjs

@@ -0,0 +1,18 @@
+import { ensureEnvVar, ensureReleaseTrack, ensureTagExists, sh } from './github-helpers.mjs';
+
+function main() {
+	const trackEnv = ensureEnvVar('TRACK');
+	const track = ensureReleaseTrack(trackEnv);
+
+	const versionInput = ensureEnvVar('VERSION_TAG'); // e.g. n8n@2.7.0
+
+	ensureTagExists(versionInput);
+
+	sh('git', ['tag', '-f', track, versionInput]);
+
+	sh('git', ['push', 'origin', '-f', `refs/tags/${track}:refs/tags/${track}`]);
+
+	console.log(`Moved pointer tag ${track} to point to ${versionInput}`);
+}
+
+main();

.github/scripts/package.json

@@ -1,12 +1,20 @@
 {
+  "name": "workflow-scripts",
+  "scripts": {
+    "test": "node --test --experimental-test-module-mocks ./*.test.mjs ./quality/*.test.mjs"
+  },
   "dependencies": {
-    "cacheable-lookup": "6.1.0",
-    "conventional-changelog": "^4.0.0",
-    "debug": "4.3.4",
-    "glob": "10.5.0",
-    "p-limit": "3.1.0",
-    "picocolors": "1.0.1",
-    "semver": "7.5.4",
-    "tempfile": "5.0.0"
+    "@actions/github": "9.0.0",
+    "@octokit/core": "7.0.6",
+    "conventional-changelog": "7.2.0",
+    "debug": "4.4.3",
+    "glob": "13.0.6",
+    "minimatch": "10.2.4",
+    "semver": "7.7.4",
+    "tempfile": "6.0.1",
+    "yaml": "^2.8.3"
+  },
+  "devDependencies": {
+    "conventional-changelog-angular": "8.3.0"
   }
 }

.github/scripts/plan-release.mjs

@@ -0,0 +1,62 @@
+import semver from 'semver';
+import {
+	ensureEnvVar,
+	isReleaseType,
+	RELEASE_PREFIX,
+	stripReleasePrefixes,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+
+const track = ensureEnvVar('TRACK');
+const bump = ensureEnvVar('BUMP');
+
+const stable = process.env['STABLE_VERSION'];
+const beta = process.env['BETA_VERSION'];
+const v1 = process.env['V1_VERSION'];
+
+let base = null;
+switch (track) {
+	case 'stable':
+		base = stable;
+		break;
+	case 'beta':
+		base = beta;
+		break;
+	case 'v1':
+		base = v1;
+		break;
+}
+
+if (!base) {
+	console.error(
+		`Unknown track or missing base version. track=${track} stable=${stable} beta=${beta} v1=${v1}`,
+	);
+	process.exit(1);
+}
+
+const cleanedBase = stripReleasePrefixes(base);
+if (!cleanedBase) {
+	console.error(`Invalid base version: ${base}`);
+	process.exit(1);
+}
+
+if (!isReleaseType(bump)) {
+	console.error(`Invalid release type in $bump: ${bump}`);
+	process.exit(1);
+}
+
+const next = semver.inc(cleanedBase, bump);
+if (!next) {
+	console.error(`Could not bump version. base=${cleanedBase} bump=${bump}`);
+	process.exit(1);
+}
+
+const output = {
+	base_version: cleanedBase,
+	new_version: next,
+	new_version_tag: `${RELEASE_PREFIX}${next}`,
+};
+
+writeGithubOutput(output);
+
+console.log(`Releasing track=${track} bump=${bump} base=${cleanedBase} -> new=${next}`);

.github/scripts/pnpm-lock.yaml

@@ -0,0 +1,552 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+
+  .:
+    dependencies:
+      '@actions/github':
+        specifier: 9.0.0
+        version: 9.0.0
+      '@octokit/core':
+        specifier: 7.0.6
+        version: 7.0.6
+      conventional-changelog:
+        specifier: 7.2.0
+        version: 7.2.0(conventional-commits-filter@5.0.0)
+      debug:
+        specifier: 4.4.3
+        version: 4.4.3
+      glob:
+        specifier: 13.0.6
+        version: 13.0.6
+      minimatch:
+        specifier: 10.2.4
+        version: 10.2.4
+      semver:
+        specifier: 7.7.4
+        version: 7.7.4
+      tempfile:
+        specifier: 6.0.1
+        version: 6.0.1
+      yaml:
+        specifier: ^2.8.3
+        version: 2.8.3
+    devDependencies:
+      conventional-changelog-angular:
+        specifier: 8.3.0
+        version: 8.3.0
+
+packages:
+
+  '@actions/github@9.0.0':
+    resolution: {integrity: sha512-yJ0RoswsAaKcvkmpCE4XxBRiy/whH2SdTBHWzs0gi4wkqTDhXMChjSdqBz/F4AeiDlP28rQqL33iHb+kjAMX6w==}
+
+  '@actions/http-client@3.0.2':
+    resolution: {integrity: sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==}
+
+  '@conventional-changelog/git-client@2.6.0':
+    resolution: {integrity: sha512-T+uPDciKf0/ioNNDpMGc8FDsehJClZP0yR3Q5MN6wE/Y/1QZ7F+80OgznnTCOlMEG4AV0LvH2UJi3C/nBnaBUg==}
+    engines: {node: '>=18'}
+    peerDependencies:
+      conventional-commits-filter: ^5.0.0
+      conventional-commits-parser: ^6.3.0
+    peerDependenciesMeta:
+      conventional-commits-filter:
+        optional: true
+      conventional-commits-parser:
+        optional: true
+
+  '@octokit/auth-token@6.0.0':
+    resolution: {integrity: sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w==}
+    engines: {node: '>= 20'}
+
+  '@octokit/core@7.0.6':
+    resolution: {integrity: sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==}
+    engines: {node: '>= 20'}
+
+  '@octokit/endpoint@11.0.3':
+    resolution: {integrity: sha512-FWFlNxghg4HrXkD3ifYbS/IdL/mDHjh9QcsNyhQjN8dplUoZbejsdpmuqdA76nxj2xoWPs7p8uX2SNr9rYu0Ag==}
+    engines: {node: '>= 20'}
+
+  '@octokit/graphql@9.0.3':
+    resolution: {integrity: sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==}
+    engines: {node: '>= 20'}
+
+  '@octokit/openapi-types@27.0.0':
+    resolution: {integrity: sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==}
+
+  '@octokit/plugin-paginate-rest@14.0.0':
+    resolution: {integrity: sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==}
+    engines: {node: '>= 20'}
+    peerDependencies:
+      '@octokit/core': '>=6'
+
+  '@octokit/plugin-rest-endpoint-methods@17.0.0':
+    resolution: {integrity: sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==}
+    engines: {node: '>= 20'}
+    peerDependencies:
+      '@octokit/core': '>=6'
+
+  '@octokit/request-error@7.1.0':
+    resolution: {integrity: sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==}
+    engines: {node: '>= 20'}
+
+  '@octokit/request@10.0.8':
+    resolution: {integrity: sha512-SJZNwY9pur9Agf7l87ywFi14W+Hd9Jg6Ifivsd33+/bGUQIjNujdFiXII2/qSlN2ybqUHfp5xpekMEjIBTjlSw==}
+    engines: {node: '>= 20'}
+
+  '@octokit/types@16.0.0':
+    resolution: {integrity: sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==}
+
+  '@simple-libs/child-process-utils@1.0.2':
+    resolution: {integrity: sha512-/4R8QKnd/8agJynkNdJmNw2MBxuFTRcNFnE5Sg/G+jkSsV8/UBgULMzhizWWW42p8L5H7flImV2ATi79Ove2Tw==}
+    engines: {node: '>=18'}
+
+  '@simple-libs/hosted-git-info@1.0.2':
+    resolution: {integrity: sha512-aAmGQdMH+ZinytKuA2832u0ATeOFNYNk4meBEXtB5xaPotUgggYNhq5tYU/v17wEbmTW5P9iHNqNrFyrhnqBAg==}
+    engines: {node: '>=18'}
+
+  '@simple-libs/stream-utils@1.2.0':
+    resolution: {integrity: sha512-KxXvfapcixpz6rVEB6HPjOUZT22yN6v0vI0urQSk1L8MlEWPDFCZkhw2xmkyoTGYeFw7tWTZd7e3lVzRZRN/EA==}
+    engines: {node: '>=18'}
+
+  '@types/normalize-package-data@2.4.4':
+    resolution: {integrity: sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA==}
+
+  array-ify@1.0.0:
+    resolution: {integrity: sha512-c5AMf34bKdvPhQ7tBGhqkgKNUzMr4WUs+WDtC2ZUGOUncbxKMTvqxYctiseW3+L4bA8ec+GcZ6/A/FW4m8ukng==}
+
+  balanced-match@4.0.4:
+    resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
+    engines: {node: 18 || 20 || >=22}
+
+  before-after-hook@4.0.0:
+    resolution: {integrity: sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==}
+
+  brace-expansion@5.0.4:
+    resolution: {integrity: sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==}
+    engines: {node: 18 || 20 || >=22}
+
+  compare-func@2.0.0:
+    resolution: {integrity: sha512-zHig5N+tPWARooBnb0Zx1MFcdfpyJrfTJ3Y5L+IFvUm8rM74hHz66z0gw0x4tijh5CorKkKUCnW82R2vmpeCRA==}
+
+  conventional-changelog-angular@8.3.0:
+    resolution: {integrity: sha512-DOuBwYSqWzfwuRByY9O4oOIvDlkUCTDzfbOgcSbkY+imXXj+4tmrEFao3K+FxemClYfYnZzsvudbwrhje9VHDA==}
+    engines: {node: '>=18'}
+
+  conventional-changelog-preset-loader@5.0.0:
+    resolution: {integrity: sha512-SetDSntXLk8Jh1NOAl1Gu5uLiCNSYenB5tm0YVeZKePRIgDW9lQImromTwLa3c/Gae298tsgOM+/CYT9XAl0NA==}
+    engines: {node: '>=18'}
+
+  conventional-changelog-writer@8.4.0:
+    resolution: {integrity: sha512-HHBFkk1EECxxmCi4CTu091iuDpQv5/OavuCUAuZmrkWpmYfyD816nom1CvtfXJ/uYfAAjavgHvXHX291tSLK8g==}
+    engines: {node: '>=18'}
+    hasBin: true
+
+  conventional-changelog@7.2.0:
+    resolution: {integrity: sha512-BEdgG+vPl53EVlTTk9sZ96aagFp0AQ5pw/ggiQMy2SClLbTo1r0l+8dSg79gkLOO5DS1Lswuhp5fWn6RwE+ivg==}
+    engines: {node: '>=18'}
+    hasBin: true
+
+  conventional-commits-filter@5.0.0:
+    resolution: {integrity: sha512-tQMagCOC59EVgNZcC5zl7XqO30Wki9i9J3acbUvkaosCT6JX3EeFwJD7Qqp4MCikRnzS18WXV3BLIQ66ytu6+Q==}
+    engines: {node: '>=18'}
+
+  conventional-commits-parser@6.3.0:
+    resolution: {integrity: sha512-RfOq/Cqy9xV9bOA8N+ZH6DlrDR+5S3Mi0B5kACEjESpE+AviIpAptx9a9cFpWCCvgRtWT+0BbUw+e1BZfts9jg==}
+    engines: {node: '>=18'}
+    hasBin: true
+
+  debug@4.4.3:
+    resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
+    engines: {node: '>=6.0'}
+    peerDependencies:
+      supports-color: '*'
+    peerDependenciesMeta:
+      supports-color:
+        optional: true
+
+  dot-prop@5.3.0:
+    resolution: {integrity: sha512-QM8q3zDe58hqUqjraQOmzZ1LIH9SWQJTlEKCH4kJ2oQvLZk7RbQXvtDM2XEq3fwkV9CCvvH4LA0AV+ogFsBM2Q==}
+    engines: {node: '>=8'}
+
+  fast-content-type-parse@3.0.0:
+    resolution: {integrity: sha512-ZvLdcY8P+N8mGQJahJV5G4U88CSvT1rP8ApL6uETe88MBXrBHAkZlSEySdUlyztF7ccb+Znos3TFqaepHxdhBg==}
+
+  fd-package-json@2.0.0:
+    resolution: {integrity: sha512-jKmm9YtsNXN789RS/0mSzOC1NUq9mkVd65vbSSVsKdjGvYXBuE4oWe2QOEoFeRmJg+lPuZxpmrfFclNhoRMneQ==}
+
+  glob@13.0.6:
+    resolution: {integrity: sha512-Wjlyrolmm8uDpm/ogGyXZXb1Z+Ca2B8NbJwqBVg0axK9GbBeoS7yGV6vjXnYdGm6X53iehEuxxbyiKp8QmN4Vw==}
+    engines: {node: 18 || 20 || >=22}
+
+  handlebars@4.7.8:
+    resolution: {integrity: sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==}
+    engines: {node: '>=0.4.7'}
+    hasBin: true
+
+  hosted-git-info@8.1.0:
+    resolution: {integrity: sha512-Rw/B2DNQaPBICNXEm8balFz9a6WpZrkCGpcWFpy7nCj+NyhSdqXipmfvtmWt9xGfp0wZnBxB+iVpLmQMYt47Tw==}
+    engines: {node: ^18.17.0 || >=20.5.0}
+
+  is-obj@2.0.0:
+    resolution: {integrity: sha512-drqDG3cbczxxEJRoOXcOjtdp1J/lyp1mNn0xaznRs8+muBhgQcrnbspox5X5fOw0HnMnbfDzvnEMEtqDEJEo8w==}
+    engines: {node: '>=8'}
+
+  is-safe-filename@0.1.1:
+    resolution: {integrity: sha512-4SrR7AdnY11LHfDKTZY1u6Ga3RuxZdl3YKWWShO5iyuG5h8QS4GD2tOb04peBJ5I7pXbR+CGBNEhTcwK+FzN3g==}
+    engines: {node: '>=20'}
+
+  json-with-bigint@3.5.7:
+    resolution: {integrity: sha512-7ei3MdAI5+fJPVnKlW77TKNKwQ5ppSzWvhPuSuINT/GYW9ZOC1eRKOuhV9yHG5aEsUPj9BBx5JIekkmoLHxZOw==}
+
+  lru-cache@10.4.3:
+    resolution: {integrity: sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==}
+
+  lru-cache@11.2.7:
+    resolution: {integrity: sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==}
+    engines: {node: 20 || >=22}
+
+  meow@13.2.0:
+    resolution: {integrity: sha512-pxQJQzB6djGPXh08dacEloMFopsOqGVRKFPYvPOt9XDZ1HasbgDZA74CJGreSU4G3Ak7EFJGoiH2auq+yXISgA==}
+    engines: {node: '>=18'}
+
+  minimatch@10.2.4:
+    resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==}
+    engines: {node: 18 || 20 || >=22}
+
+  minimist@1.2.8:
+    resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
+
+  minipass@7.1.3:
+    resolution: {integrity: sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==}
+    engines: {node: '>=16 || 14 >=14.17'}
+
+  ms@2.1.3:
+    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
+
+  neo-async@2.6.2:
+    resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}
+
+  normalize-package-data@7.0.1:
+    resolution: {integrity: sha512-linxNAT6M0ebEYZOx2tO6vBEFsVgnPpv+AVjk0wJHfaUIbq31Jm3T6vvZaarnOeWDh8ShnwXuaAyM7WT3RzErA==}
+    engines: {node: ^18.17.0 || >=20.5.0}
+
+  path-scurry@2.0.2:
+    resolution: {integrity: sha512-3O/iVVsJAPsOnpwWIeD+d6z/7PmqApyQePUtCndjatj/9I5LylHvt5qluFaBT3I5h3r1ejfR056c+FCv+NnNXg==}
+    engines: {node: 18 || 20 || >=22}
+
+  semver@7.7.4:
+    resolution: {integrity: sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==}
+    engines: {node: '>=10'}
+    hasBin: true
+
+  source-map@0.6.1:
+    resolution: {integrity: sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==}
+    engines: {node: '>=0.10.0'}
+
+  spdx-correct@3.2.0:
+    resolution: {integrity: sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==}
+
+  spdx-exceptions@2.5.0:
+    resolution: {integrity: sha512-PiU42r+xO4UbUS1buo3LPJkjlO7430Xn5SVAhdpzzsPHsjbYVflnnFdATgabnLude+Cqu25p6N+g2lw/PFsa4w==}
+
+  spdx-expression-parse@3.0.1:
+    resolution: {integrity: sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==}
+
+  spdx-license-ids@3.0.23:
+    resolution: {integrity: sha512-CWLcCCH7VLu13TgOH+r8p1O/Znwhqv/dbb6lqWy67G+pT1kHmeD/+V36AVb/vq8QMIQwVShJ6Ssl5FPh0fuSdw==}
+
+  temp-dir@3.0.0:
+    resolution: {integrity: sha512-nHc6S/bwIilKHNRgK/3jlhDoIHcp45YgyiwcAk46Tr0LfEqGBVpmiAyuiuxeVE44m3mXnEeVhaipLOEWmH+Njw==}
+    engines: {node: '>=14.16'}
+
+  tempfile@6.0.1:
+    resolution: {integrity: sha512-DE4nURsf7nUqYHJKTgOVdpt0SBY5r4us4kbFXqg7KZFB7ih27NxIk3qXv29FtqTaE45stnLKTECmSc9ICuRbDQ==}
+    engines: {node: '>=20'}
+
+  tunnel@0.0.6:
+    resolution: {integrity: sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==}
+    engines: {node: '>=0.6.11 <=0.7.0 || >=0.7.3'}
+
+  uglify-js@3.19.3:
+    resolution: {integrity: sha512-v3Xu+yuwBXisp6QYTcH4UbH+xYJXqnq2m/LtQVWKWzYc1iehYnLixoQDN9FH6/j9/oybfd6W9Ghwkl8+UMKTKQ==}
+    engines: {node: '>=0.8.0'}
+    hasBin: true
+
+  undici@6.24.1:
+    resolution: {integrity: sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==}
+    engines: {node: '>=18.17'}
+
+  universal-user-agent@7.0.3:
+    resolution: {integrity: sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==}
+
+  validate-npm-package-license@3.0.4:
+    resolution: {integrity: sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==}
+
+  walk-up-path@4.0.0:
+    resolution: {integrity: sha512-3hu+tD8YzSLGuFYtPRb48vdhKMi0KQV5sn+uWr8+7dMEq/2G/dtLrdDinkLjqq5TIbIBjYJ4Ax/n3YiaW7QM8A==}
+    engines: {node: 20 || >=22}
+
+  wordwrap@1.0.0:
+    resolution: {integrity: sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==}
+
+  yaml@2.8.3:
+    resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==}
+    engines: {node: '>= 14.6'}
+    hasBin: true
+
+snapshots:
+
+  '@actions/github@9.0.0':
+    dependencies:
+      '@actions/http-client': 3.0.2
+      '@octokit/core': 7.0.6
+      '@octokit/plugin-paginate-rest': 14.0.0(@octokit/core@7.0.6)
+      '@octokit/plugin-rest-endpoint-methods': 17.0.0(@octokit/core@7.0.6)
+      '@octokit/request': 10.0.8
+      '@octokit/request-error': 7.1.0
+      undici: 6.24.1
+
+  '@actions/http-client@3.0.2':
+    dependencies:
+      tunnel: 0.0.6
+      undici: 6.24.1
+
+  '@conventional-changelog/git-client@2.6.0(conventional-commits-filter@5.0.0)(conventional-commits-parser@6.3.0)':
+    dependencies:
+      '@simple-libs/child-process-utils': 1.0.2
+      '@simple-libs/stream-utils': 1.2.0
+      semver: 7.7.4
+    optionalDependencies:
+      conventional-commits-filter: 5.0.0
+      conventional-commits-parser: 6.3.0
+
+  '@octokit/auth-token@6.0.0': {}
+
+  '@octokit/core@7.0.6':
+    dependencies:
+      '@octokit/auth-token': 6.0.0
+      '@octokit/graphql': 9.0.3
+      '@octokit/request': 10.0.8
+      '@octokit/request-error': 7.1.0
+      '@octokit/types': 16.0.0
+      before-after-hook: 4.0.0
+      universal-user-agent: 7.0.3
+
+  '@octokit/endpoint@11.0.3':
+    dependencies:
+      '@octokit/types': 16.0.0
+      universal-user-agent: 7.0.3
+
+  '@octokit/graphql@9.0.3':
+    dependencies:
+      '@octokit/request': 10.0.8
+      '@octokit/types': 16.0.0
+      universal-user-agent: 7.0.3
+
+  '@octokit/openapi-types@27.0.0': {}
+
+  '@octokit/plugin-paginate-rest@14.0.0(@octokit/core@7.0.6)':
+    dependencies:
+      '@octokit/core': 7.0.6
+      '@octokit/types': 16.0.0
+
+  '@octokit/plugin-rest-endpoint-methods@17.0.0(@octokit/core@7.0.6)':
+    dependencies:
+      '@octokit/core': 7.0.6
+      '@octokit/types': 16.0.0
+
+  '@octokit/request-error@7.1.0':
+    dependencies:
+      '@octokit/types': 16.0.0
+
+  '@octokit/request@10.0.8':
+    dependencies:
+      '@octokit/endpoint': 11.0.3
+      '@octokit/request-error': 7.1.0
+      '@octokit/types': 16.0.0
+      fast-content-type-parse: 3.0.0
+      json-with-bigint: 3.5.7
+      universal-user-agent: 7.0.3
+
+  '@octokit/types@16.0.0':
+    dependencies:
+      '@octokit/openapi-types': 27.0.0
+
+  '@simple-libs/child-process-utils@1.0.2':
+    dependencies:
+      '@simple-libs/stream-utils': 1.2.0
+
+  '@simple-libs/hosted-git-info@1.0.2': {}
+
+  '@simple-libs/stream-utils@1.2.0': {}
+
+  '@types/normalize-package-data@2.4.4': {}
+
+  array-ify@1.0.0: {}
+
+  balanced-match@4.0.4: {}
+
+  before-after-hook@4.0.0: {}
+
+  brace-expansion@5.0.4:
+    dependencies:
+      balanced-match: 4.0.4
+
+  compare-func@2.0.0:
+    dependencies:
+      array-ify: 1.0.0
+      dot-prop: 5.3.0
+
+  conventional-changelog-angular@8.3.0:
+    dependencies:
+      compare-func: 2.0.0
+
+  conventional-changelog-preset-loader@5.0.0: {}
+
+  conventional-changelog-writer@8.4.0:
+    dependencies:
+      '@simple-libs/stream-utils': 1.2.0
+      conventional-commits-filter: 5.0.0
+      handlebars: 4.7.8
+      meow: 13.2.0
+      semver: 7.7.4
+
+  conventional-changelog@7.2.0(conventional-commits-filter@5.0.0):
+    dependencies:
+      '@conventional-changelog/git-client': 2.6.0(conventional-commits-filter@5.0.0)(conventional-commits-parser@6.3.0)
+      '@simple-libs/hosted-git-info': 1.0.2
+      '@types/normalize-package-data': 2.4.4
+      conventional-changelog-preset-loader: 5.0.0
+      conventional-changelog-writer: 8.4.0
+      conventional-commits-parser: 6.3.0
+      fd-package-json: 2.0.0
+      meow: 13.2.0
+      normalize-package-data: 7.0.1
+    transitivePeerDependencies:
+      - conventional-commits-filter
+
+  conventional-commits-filter@5.0.0: {}
+
+  conventional-commits-parser@6.3.0:
+    dependencies:
+      '@simple-libs/stream-utils': 1.2.0
+      meow: 13.2.0
+
+  debug@4.4.3:
+    dependencies:
+      ms: 2.1.3
+
+  dot-prop@5.3.0:
+    dependencies:
+      is-obj: 2.0.0
+
+  fast-content-type-parse@3.0.0: {}
+
+  fd-package-json@2.0.0:
+    dependencies:
+      walk-up-path: 4.0.0
+
+  glob@13.0.6:
+    dependencies:
+      minimatch: 10.2.4
+      minipass: 7.1.3
+      path-scurry: 2.0.2
+
+  handlebars@4.7.8:
+    dependencies:
+      minimist: 1.2.8
+      neo-async: 2.6.2
+      source-map: 0.6.1
+      wordwrap: 1.0.0
+    optionalDependencies:
+      uglify-js: 3.19.3
+
+  hosted-git-info@8.1.0:
+    dependencies:
+      lru-cache: 10.4.3
+
+  is-obj@2.0.0: {}
+
+  is-safe-filename@0.1.1: {}
+
+  json-with-bigint@3.5.7: {}
+
+  lru-cache@10.4.3: {}
+
+  lru-cache@11.2.7: {}
+
+  meow@13.2.0: {}
+
+  minimatch@10.2.4:
+    dependencies:
+      brace-expansion: 5.0.4
+
+  minimist@1.2.8: {}
+
+  minipass@7.1.3: {}
+
+  ms@2.1.3: {}
+
+  neo-async@2.6.2: {}
+
+  normalize-package-data@7.0.1:
+    dependencies:
+      hosted-git-info: 8.1.0
+      semver: 7.7.4
+      validate-npm-package-license: 3.0.4
+
+  path-scurry@2.0.2:
+    dependencies:
+      lru-cache: 11.2.7
+      minipass: 7.1.3
+
+  semver@7.7.4: {}
+
+  source-map@0.6.1: {}
+
+  spdx-correct@3.2.0:
+    dependencies:
+      spdx-expression-parse: 3.0.1
+      spdx-license-ids: 3.0.23
+
+  spdx-exceptions@2.5.0: {}
+
+  spdx-expression-parse@3.0.1:
+    dependencies:
+      spdx-exceptions: 2.5.0
+      spdx-license-ids: 3.0.23
+
+  spdx-license-ids@3.0.23: {}
+
+  temp-dir@3.0.0: {}
+
+  tempfile@6.0.1:
+    dependencies:
+      is-safe-filename: 0.1.1
+      temp-dir: 3.0.0
+
+  tunnel@0.0.6: {}
+
+  uglify-js@3.19.3:
+    optional: true
+
+  undici@6.24.1: {}
+
+  universal-user-agent@7.0.3: {}
+
+  validate-npm-package-license@3.0.4:
+    dependencies:
+      spdx-correct: 3.2.0
+      spdx-expression-parse: 3.0.1
+
+  walk-up-path@4.0.0: {}
+
+  wordwrap@1.0.0: {}
+
+  yaml@2.8.3: {}

.github/scripts/pnpm-utils.mjs

@@ -0,0 +1,25 @@
+import child_process from 'child_process';
+import { promisify } from 'node:util';
+
+const exec = promisify(child_process.exec);
+
+/**
+ * @typedef PnpmPackage
+ * @property { string } name
+ * @property { string } version
+ * @property { string } path
+ * @property { boolean } private
+ * */
+
+/**
+ * @returns { Promise<PnpmPackage[]> }
+ * */
+export async function getMonorepoProjects() {
+	return JSON.parse(
+		(
+			await exec(
+				`pnpm ls -r --only-projects --json | jq -r '[.[] | { name: .name, version: .version, path: .path,  private: .private}]'`,
+			)
+		).stdout,
+	);
+}

.github/scripts/populate-cloud-databases.mjs

@@ -0,0 +1,32 @@
+import { ensureEnvVar } from './github-helpers.mjs';
+
+async function populateCloudDatabases() {
+	const payload = ensureEnvVar('PAYLOAD');
+	const webhookData = ensureEnvVar('N8N_POPULATE_CLOUD_WEBHOOK_DATA');
+
+	const { user, secret, url } = JSON.parse(webhookData);
+
+	console.log('Payload: ', JSON.parse(payload));
+
+	const response = await fetch(url, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: 'Basic ' + Buffer.from(`${user}:${secret}`).toString('base64'),
+		},
+		body: payload,
+	});
+
+	const status = response.status;
+	console.log('Webhook call returned status ' + status);
+
+	if (status !== 200) {
+		const body = await response.text();
+		throw new Error(`Webhook call failed:\n\n ${body}`);
+	}
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	populateCloudDatabases();
+}

.github/scripts/post-qa-metrics-comment.mjs

@@ -0,0 +1,143 @@
+#!/usr/bin/env node
+/**
+ * Fetches QA metric comparisons and posts/updates a PR comment.
+ *
+ * Usage:
+ *   node .github/scripts/post-qa-metrics-comment.mjs --metrics memory-heap-used-baseline
+ *   node .github/scripts/post-qa-metrics-comment.mjs --metrics memory-heap-used-baseline --pr 27880 --dry-run
+ *
+ * Env:
+ *   QA_METRICS_COMMENT_WEBHOOK_URL - n8n workflow webhook (required)
+ *   QA_METRICS_WEBHOOK_USER/PASSWORD - Basic auth for webhook
+ *   GITHUB_TOKEN - For posting comments (not needed with --dry-run)
+ *   GITHUB_REF, GITHUB_REPOSITORY, GITHUB_SHA - Auto-set in CI
+ */
+
+import { parseArgs } from 'node:util';
+
+const MARKER = '<!-- n8n-qa-metrics-comparison -->';
+
+const { values } = parseArgs({
+	options: {
+		metrics: { type: 'string' },
+		pr: { type: 'string' },
+		'baseline-days': { type: 'string', default: '14' },
+		'dry-run': { type: 'boolean', default: false },
+	},
+	strict: true,
+});
+
+const metrics = values.metrics?.split(',').map((m) => m.trim());
+if (!metrics?.length) {
+	console.error('--metrics is required (comma-separated metric names)');
+	process.exit(1);
+}
+
+const pr = parseInt(values.pr ?? inferPr(), 10);
+if (!pr) {
+	console.error('--pr is required (or set GITHUB_REF)');
+	process.exit(1);
+}
+
+const webhookUrl = process.env.QA_METRICS_COMMENT_WEBHOOK_URL;
+if (!webhookUrl) {
+	console.error('QA_METRICS_COMMENT_WEBHOOK_URL is required');
+	process.exit(1);
+}
+
+const repo = process.env.GITHUB_REPOSITORY ?? 'n8n-io/n8n';
+const sha = process.env.GITHUB_SHA?.slice(0, 8) ?? '';
+const baselineDays = parseInt(values['baseline-days'], 10);
+
+// --- Fetch ---
+
+const headers = { 'Content-Type': 'application/json' };
+const user = process.env.QA_METRICS_WEBHOOK_USER;
+const pass = process.env.QA_METRICS_WEBHOOK_PASSWORD;
+if (user && pass) {
+	headers.Authorization = `Basic ${Buffer.from(`${user}:${pass}`).toString('base64')}`;
+}
+
+console.log(`PR #${pr}: fetching ${metrics.join(', ')} (${baselineDays}-day baseline)`);
+
+let res;
+try {
+	res = await fetch(webhookUrl, {
+		method: 'POST',
+		headers,
+		body: JSON.stringify({
+			pr_number: pr,
+			github_repo: repo,
+			git_sha: sha,
+			baseline_days: baselineDays,
+			metric_names: metrics,
+		}),
+		signal: AbortSignal.timeout(60_000),
+	});
+} catch (err) {
+	console.warn(`Webhook unreachable, skipping metrics comment: ${err.message}`);
+	process.exit(0);
+}
+
+if (!res.ok) {
+	const text = await res.text().catch(() => '');
+	console.warn(`Webhook failed: ${res.status} ${res.statusText}\n${text}`);
+	console.warn('Skipping metrics comment.');
+	process.exit(0);
+}
+
+const { markdown, has_data } = await res.json();
+
+if (!has_data || !markdown) {
+	console.log('No metric data available, skipping.');
+	process.exit(0);
+}
+
+if (values['dry-run']) {
+	console.log('\n--- DRY RUN ---\n');
+	console.log(markdown);
+	process.exit(0);
+}
+
+// --- Post comment ---
+
+const token = process.env.GITHUB_TOKEN;
+if (!token) {
+	console.error('GITHUB_TOKEN is required to post comments');
+	process.exit(1);
+}
+
+const [owner, repoName] = repo.split('/');
+const ghHeaders = {
+	Accept: 'application/vnd.github+json',
+	Authorization: `Bearer ${token}`,
+	'Content-Type': 'application/json',
+};
+
+const comments = await fetch(
+	`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments?per_page=100`,
+	{ headers: ghHeaders },
+).then((r) => r.json());
+
+const existing = Array.isArray(comments)
+	? comments.find((c) => c.body?.includes(MARKER))
+	: null;
+
+if (existing) {
+	await fetch(
+		`https://api.github.com/repos/${owner}/${repoName}/issues/comments/${existing.id}`,
+		{ method: 'PATCH', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
+	);
+	console.log(`Updated comment ${existing.id}`);
+} else {
+	const created = await fetch(
+		`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments`,
+		{ method: 'POST', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
+	).then((r) => r.json());
+	console.log(`Created comment ${created.id}`);
+}
+
+function inferPr() {
+	const match = (process.env.GITHUB_REF ?? '').match(/refs\/pull\/(\d+)/);
+	return match?.[1];
+}

.github/scripts/promote-github-release.mjs

@@ -0,0 +1,68 @@
+import {
+	deleteRelease,
+	ensureEnvVar,
+	getExistingRelease,
+	initGithub,
+	writeGithubOutput,
+} from './github-helpers.mjs';
+
+/**
+ * Promotes a GitHub release to latest
+ *
+ * Required env variables:
+ *	- RELEASE_TAG	 - Release tag on git e.g. n8n@2.13.0
+ *
+ * GitHub variables
+ *	- GITHUB_TOKEN	-	 Used to authenticate to octokit - Can be overwritten for privileged access
+ *	- GITHUB_REPOSITORY	-	 Used to determine target repository
+ * */
+async function promoteGitHubRelease() {
+	const RELEASE_TAG = ensureEnvVar('RELEASE_TAG');
+	const { octokit, owner, repo } = initGithub();
+
+	const existingRelease = await getExistingRelease(RELEASE_TAG);
+	if (!existingRelease) {
+		console.warn("Couldn't find release by tag. Exiting...");
+		process.exit(1);
+	}
+
+	const releaseResponse = await octokit.rest.repos.updateRelease({
+		owner,
+		repo,
+		release_id: existingRelease.id,
+		prerelease: false,
+		make_latest: 'true',
+	});
+
+	console.log(`Successfully updated release ${releaseResponse.data.html_url}`);
+
+	const existingStableRelease = await getExistingRelease('stable');
+	if (existingStableRelease) {
+		await deleteRelease(existingStableRelease.id);
+		console.log("Deleted previous 'stable' release.");
+	}
+
+	const stableReleaseResponse = await octokit.rest.repos.createRelease({
+		tag_name: 'stable',
+		name: 'stable',
+		body: releaseResponse.data.body,
+		draft: false,
+		prerelease: false,
+		make_latest: 'false',
+		target_commitish: releaseResponse.data.target_commitish,
+		owner,
+		repo,
+	});
+
+	console.log(`Successfully created new stable release ${stableReleaseResponse.data.html_url}`);
+
+	writeGithubOutput({
+		release_url: releaseResponse.data.html_url,
+		stable_release_url: stableReleaseResponse.data.html_url,
+	});
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	promoteGitHubRelease();
+}

.github/scripts/quality/check-ownership-checkbox.mjs

@@ -0,0 +1,81 @@
+/**
+ * Checks that the PR description contains a checked ownership acknowledgement checkbox.
+ *
+ * Exit codes:
+ *   0 – Checkbox is present and checked
+ *   1 – Checkbox is missing or unchecked
+ */
+
+import { initGithub, getEventFromGithubEventPath } from '../github-helpers.mjs';
+
+const BOT_MARKER = '<!-- pr-ownership-check -->';
+
+/**
+ * Returns true if the PR body contains a checked ownership acknowledgement checkbox.
+ *
+ * @param {string | null | undefined} body
+ * @returns {boolean}
+ */
+export function isOwnershipCheckboxChecked(body) {
+	return /\[x\]\s+I have seen this code,\s+I have run this code,\s+and I take responsibility for this code/i.test(
+		body ?? '',
+	);
+}
+
+async function main() {
+	const event = getEventFromGithubEventPath();
+	const pr = event.pull_request;
+	const { octokit, owner, repo } = initGithub();
+
+	const { data: comments } = await octokit.rest.issues.listComments({
+		owner,
+		repo,
+		issue_number: pr.number,
+		per_page: 100,
+	});
+	const botComment = comments.find((c) => c.body.includes(BOT_MARKER));
+
+	if (!isOwnershipCheckboxChecked(pr.body)) {
+		const message = [
+			BOT_MARKER,
+			'## ⚠️ Ownership acknowledgement required',
+			'',
+			'Please add or check the following item in your PR description before this can be merged:',
+			'',
+			'```',
+			'- [x] I have seen this code, I have run this code, and I take responsibility for this code.',
+			'```',
+		].join('\n');
+
+		if (botComment) {
+			await octokit.rest.issues.updateComment({
+				owner,
+				repo,
+				comment_id: botComment.id,
+				body: message,
+			});
+		} else {
+			await octokit.rest.issues.createComment({
+				owner,
+				repo,
+				issue_number: pr.number,
+				body: message,
+			});
+		}
+
+		console.log(
+			'::error::Ownership checkbox is not checked. Add it to your PR description and check it.',
+		);
+		process.exit(1);
+	} else if (botComment) {
+		await octokit.rest.issues.deleteComment({
+			owner,
+			repo,
+			comment_id: botComment.id,
+		});
+	}
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+	await main();
+}

.github/scripts/quality/check-ownership-checkbox.test.mjs

@@ -0,0 +1,85 @@
+import { describe, it, before, mock } from 'node:test';
+import assert from 'node:assert/strict';
+
+/**
+ * Run with:
+ * node --test --experimental-test-module-mocks .github/scripts/quality/check-ownership-checkbox.test.mjs
+ */
+
+mock.module('../github-helpers.mjs', {
+	namedExports: {
+		initGithub: () => {},
+		getEventFromGithubEventPath: () => {},
+	},
+});
+
+let isOwnershipCheckboxChecked;
+before(async () => {
+	({ isOwnershipCheckboxChecked } = await import('./check-ownership-checkbox.mjs'));
+});
+
+describe('isOwnershipCheckboxChecked', () => {
+	it('returns true for a checked checkbox with exact text', () => {
+		const body =
+			'- [x] I have seen this code, I have run this code, and I take responsibility for this code.';
+		assert.ok(isOwnershipCheckboxChecked(body));
+	});
+
+	it('returns true for uppercase [X]', () => {
+		const body =
+			'- [X] I have seen this code, I have run this code, and I take responsibility for this code.';
+		assert.ok(isOwnershipCheckboxChecked(body));
+	});
+
+	it('returns false for an unchecked checkbox [ ]', () => {
+		const body =
+			'- [ ] I have seen this code, I have run this code, and I take responsibility for this code.';
+		assert.equal(isOwnershipCheckboxChecked(body), false);
+	});
+
+	it('returns false when the checkbox is absent', () => {
+		const body = '## Summary\n\nThis PR does some things.\n';
+		assert.equal(isOwnershipCheckboxChecked(body), false);
+	});
+
+	it('returns false for null body', () => {
+		assert.equal(isOwnershipCheckboxChecked(null), false);
+	});
+
+	it('returns false for undefined body', () => {
+		assert.equal(isOwnershipCheckboxChecked(undefined), false);
+	});
+
+	it('returns false for empty body', () => {
+		assert.equal(isOwnershipCheckboxChecked(''), false);
+	});
+
+	it('returns true when checkbox appears among other content', () => {
+		const body = [
+			'## Summary',
+			'',
+			'Some description here.',
+			'',
+			'## Checklist',
+			'- [x] Tests included',
+			'- [x] I have seen this code, I have run this code, and I take responsibility for this code.',
+			'- [ ] Docs updated',
+		].join('\n');
+		assert.ok(isOwnershipCheckboxChecked(body));
+	});
+
+	it('returns false when only other checkboxes are checked', () => {
+		const body = [
+			'- [x] Tests included',
+			'- [x] Docs updated',
+			'- [ ] I have seen this code, I have run this code, and I take responsibility for this code.',
+		].join('\n');
+		assert.equal(isOwnershipCheckboxChecked(body), false);
+	});
+
+	it('is case-insensitive for the checkbox marker', () => {
+		const lower =
+			'- [x] i have seen this code, i have run this code, and i take responsibility for this code.';
+		assert.ok(isOwnershipCheckboxChecked(lower));
+	});
+});

.github/scripts/quality/check-pr-size.mjs

@@ -0,0 +1,172 @@
+/**
+ * Checks that the PR does not exceed the line addition limit.
+ *
+ * Files matching any pattern in EXCLUDE_PATTERNS are not counted toward the
+ * limit (e.g. test files, snapshots).
+ *
+ * A maintainer (write access or above) can override by commenting `/size-limit-override`
+ * on the PR. The override takes effect on the next pull_request event (push, reopen, etc.).
+ *
+ * Exit codes:
+ *   0 – PR is within the limit, or a valid override comment exists
+ *   1 – PR exceeds the limit with no valid override
+ */
+
+import { minimatch } from 'minimatch';
+import { initGithub, getEventFromGithubEventPath } from '../github-helpers.mjs';
+
+export const SIZE_LIMIT = 1000;
+export const OVERRIDE_COMMAND = '/size-limit-override';
+
+export const EXCLUDE_PATTERNS = [
+	// Test files (by extension)
+	'**/*.test.ts',
+	'**/*.test.js',
+	'**/*.test.mjs',
+	'**/*.spec.ts',
+	'**/*.spec.js',
+	'**/*.spec.mjs',
+	// Test directories
+	'**/test/**',
+	'**/tests/**',
+	'**/__tests__/**',
+	// Snapshots
+	'**/__snapshots__/**',
+	'**/*.snap',
+	// Fixtures and mocks
+	'**/fixtures/**',
+	'**/__mocks__/**',
+	// Dedicated testing package
+	'packages/testing/**',
+	// Lock file (can produce massive diffs on dependency changes)
+	'pnpm-lock.yaml',
+];
+
+const BOT_MARKER = '<!-- pr-size-check -->';
+
+/**
+ * Returns true if any comment in the list is a valid `/size-limit-override` from a
+ * user with write access or above.
+ *
+ * @param {Array<{ body?: string, user: { login: string } | null }>} comments
+ * @param {(username: string) => Promise<string>} getPermission - returns the permission level string
+ * @returns {Promise<boolean>}
+ */
+export async function hasValidOverride(comments, getPermission) {
+	for (const comment of comments) {
+		if (!comment.body?.startsWith(OVERRIDE_COMMAND)) {
+			continue;
+		}
+
+		if (!comment.user) {
+			return false;
+		}
+
+		const perm = await getPermission(comment.user.login);
+		if (['admin', 'write', 'maintain'].includes(perm)) {
+			return true;
+		}
+	}
+	return false;
+}
+
+/**
+ * Returns the total additions across all files, excluding those matching any exclude pattern.
+ *
+ * @param {Array<{ filename: string, additions: number }>} files
+ * @param {string[]} excludePatterns
+ * @returns {number}
+ */
+export function countFilteredAdditions(files, excludePatterns) {
+	return files
+		.filter((file) => !excludePatterns.some((pattern) => minimatch(file.filename, pattern)))
+		.reduce((sum, file) => sum + file.additions, 0);
+}
+
+async function main() {
+	const event = getEventFromGithubEventPath();
+	const pr = event.pull_request;
+	const { octokit, owner, repo } = initGithub();
+
+	const files = await octokit.paginate(octokit.rest.pulls.listFiles, {
+		owner,
+		repo,
+		pull_number: pr.number,
+		per_page: 100,
+	});
+
+	const additions = countFilteredAdditions(files, EXCLUDE_PATTERNS);
+
+	const { data: comments } = await octokit.rest.issues.listComments({
+		owner,
+		repo,
+		issue_number: pr.number,
+		per_page: 100,
+		sort: 'created',
+		direction: 'desc',
+	});
+
+	const overrideFound = await hasValidOverride(comments, async (username) => {
+		const { data: perm } = await octokit.rest.repos.getCollaboratorPermissionLevel({
+			owner,
+			repo,
+			username,
+		});
+		return perm.permission;
+	});
+
+	const botComment = comments.find((c) => c.body?.includes(BOT_MARKER));
+
+	if (additions > SIZE_LIMIT && !overrideFound) {
+		const message = [
+			BOT_MARKER,
+			`## ! PR exceeds size limit (${additions.toLocaleString()} lines added)`,
+			'',
+			`This PR adds **${additions.toLocaleString()} lines**, exceeding the ${SIZE_LIMIT.toLocaleString()}-line limit (test files excluded).`,
+			'',
+			'Large PRs are harder to review and increase the risk of bugs going unnoticed. Please consider:',
+			'- Breaking this into smaller, logically separate PRs',
+			'- Moving unrelated changes to a follow-up PR',
+			'',
+			`If the size is genuinely justified (e.g. generated code, large migrations, test fixtures), a maintainer can override by commenting \`${OVERRIDE_COMMAND}\` and then pushing a new commit or re-running this check.`,
+		].join('\n');
+
+		if (botComment) {
+			await octokit.rest.issues.updateComment({
+				owner,
+				repo,
+				comment_id: botComment.id,
+				body: message,
+			});
+		} else {
+			await octokit.rest.issues.createComment({
+				owner,
+				repo,
+				issue_number: pr.number,
+				body: message,
+			});
+		}
+
+		console.log(
+			`::error::PR adds ${additions.toLocaleString()} lines (test files excluded), exceeding the ${SIZE_LIMIT.toLocaleString()}-line limit. Reduce PR size or ask a maintainer to comment \`${OVERRIDE_COMMAND}\`.`,
+		);
+		process.exit(1);
+	} else {
+		if (botComment) {
+			await octokit.rest.issues.deleteComment({
+				owner,
+				repo,
+				comment_id: botComment.id,
+			});
+		}
+		if (overrideFound && additions > SIZE_LIMIT) {
+			console.log(
+				`PR size limit overridden. ${additions.toLocaleString()} lines added (limit: ${SIZE_LIMIT.toLocaleString()}, test files excluded).`,
+			);
+		}
+	}
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+	await main();
+}

.github/scripts/quality/check-pr-size.test.mjs

@@ -0,0 +1,206 @@
+import { describe, it, before, mock } from 'node:test';
+import assert from 'node:assert/strict';
+
+/**
+ * Run with:
+ * node --test --experimental-test-module-mocks .github/scripts/quality/check-pr-size.test.mjs
+ */
+
+mock.module('../github-helpers.mjs', {
+	namedExports: {
+		initGithub: () => {},
+		getEventFromGithubEventPath: () => {},
+	},
+});
+
+let hasValidOverride, countFilteredAdditions, SIZE_LIMIT, OVERRIDE_COMMAND, EXCLUDE_PATTERNS;
+before(async () => {
+	({ hasValidOverride, countFilteredAdditions, SIZE_LIMIT, OVERRIDE_COMMAND, EXCLUDE_PATTERNS } =
+		await import('./check-pr-size.mjs'));
+});
+
+/** @param {string} permission */
+const permissionGetter = (permission) => async (_username) => permission;
+
+describe('SIZE_LIMIT', () => {
+	it('is 1000', () => {
+		assert.equal(SIZE_LIMIT, 1000);
+	});
+});
+
+describe('hasValidOverride', () => {
+	it('returns false when there are no comments', async () => {
+		const result = await hasValidOverride([], permissionGetter('write'));
+		assert.equal(result, false);
+	});
+
+	it('returns false when no comment starts with the override command', async () => {
+		const comments = [
+			{ body: 'Looks good to me!', user: { login: 'reviewer' } },
+			{ body: 'Please split this PR.', user: { login: 'maintainer' } },
+		];
+		const result = await hasValidOverride(comments, permissionGetter('write'));
+		assert.equal(result, false);
+	});
+
+	it('returns true when a write-access user has posted the override command', async () => {
+		const comments = [{ body: OVERRIDE_COMMAND, user: { login: 'maintainer' } }];
+		const result = await hasValidOverride(comments, permissionGetter('write'));
+		assert.ok(result);
+	});
+
+	it('returns true for maintain permission', async () => {
+		const comments = [{ body: OVERRIDE_COMMAND, user: { login: 'lead' } }];
+		const result = await hasValidOverride(comments, permissionGetter('maintain'));
+		assert.ok(result);
+	});
+
+	it('returns true for admin permission', async () => {
+		const comments = [{ body: OVERRIDE_COMMAND, user: { login: 'admin' } }];
+		const result = await hasValidOverride(comments, permissionGetter('admin'));
+		assert.ok(result);
+	});
+
+	it('returns false when the override commenter only has read access', async () => {
+		const comments = [{ body: OVERRIDE_COMMAND, user: { login: 'outsider' } }];
+		const result = await hasValidOverride(comments, permissionGetter('read'));
+		assert.equal(result, false);
+	});
+
+	it('returns false when the override commenter only has triage access', async () => {
+		const comments = [{ body: OVERRIDE_COMMAND, user: { login: 'triager' } }];
+		const result = await hasValidOverride(comments, permissionGetter('triage'));
+		assert.equal(result, false);
+	});
+
+	it('returns false when the override command appears mid-comment, not at the start', async () => {
+		const comments = [
+			{
+				body: `Please note: ${OVERRIDE_COMMAND} should only be used when justified.`,
+				user: { login: 'maintainer' },
+			},
+		];
+		const result = await hasValidOverride(comments, permissionGetter('write'));
+		assert.equal(result, false);
+	});
+
+	it('returns true when one of several comments is a valid override', async () => {
+		const comments = [
+			{ body: 'Looks good!', user: { login: 'reviewer' } },
+			{ body: OVERRIDE_COMMAND, user: { login: 'maintainer' } },
+			{ body: 'Please add tests.', user: { login: 'other' } },
+		];
+		const result = await hasValidOverride(comments, permissionGetter('write'));
+		assert.ok(result);
+	});
+
+	it('returns false when override comment exists but all posters lack write access', async () => {
+		const comments = [
+			{ body: OVERRIDE_COMMAND, user: { login: 'user1' } },
+			{ body: OVERRIDE_COMMAND, user: { login: 'user2' } },
+		];
+		const result = await hasValidOverride(comments, permissionGetter('read'));
+		assert.equal(result, false);
+	});
+
+	it('checks permissions per commenter independently', async () => {
+		const permissions = { writer: 'write', reader: 'read' };
+		const getPermission = async (username) => permissions[username] ?? 'read';
+
+		const comments = [
+			{ body: OVERRIDE_COMMAND, user: { login: 'reader' } },
+			{ body: OVERRIDE_COMMAND, user: { login: 'writer' } },
+		];
+		const result = await hasValidOverride(comments, getPermission);
+		assert.ok(result);
+	});
+});
+
+describe('countFilteredAdditions', () => {
+	it('sums additions across all files when no patterns are given', () => {
+		const files = [
+			{ filename: 'src/foo.ts', additions: 100 },
+			{ filename: 'src/bar.ts', additions: 200 },
+		];
+		assert.equal(countFilteredAdditions(files, []), 300);
+	});
+
+	it('excludes files matching a glob pattern', () => {
+		const files = [
+			{ filename: 'src/foo.ts', additions: 100 },
+			{ filename: 'src/foo.test.ts', additions: 500 },
+		];
+		assert.equal(countFilteredAdditions(files, ['**/*.test.ts']), 100);
+	});
+
+	it('excludes files matching any of multiple patterns', () => {
+		const files = [
+			{ filename: 'src/foo.ts', additions: 100 },
+			{ filename: 'src/foo.test.ts', additions: 200 },
+			{ filename: 'src/foo.spec.ts', additions: 300 },
+			{ filename: 'src/__tests__/bar.ts', additions: 400 },
+		];
+		assert.equal(
+			countFilteredAdditions(files, ['**/*.test.ts', '**/*.spec.ts', '**/__tests__/**']),
+			100,
+		);
+	});
+
+	it('returns 0 when all files are excluded', () => {
+		const files = [
+			{ filename: 'src/foo.test.ts', additions: 100 },
+			{ filename: 'src/bar.test.ts', additions: 200 },
+		];
+		assert.equal(countFilteredAdditions(files, ['**/*.test.ts']), 0);
+	});
+
+	it('returns 0 for an empty file list', () => {
+		assert.equal(countFilteredAdditions([], EXCLUDE_PATTERNS), 0);
+	});
+
+	it('applies EXCLUDE_PATTERNS to common test file extensions', () => {
+		const files = [
+			{ filename: 'src/service.ts', additions: 50 },
+			{ filename: 'src/service.test.ts', additions: 100 },
+			{ filename: 'src/service.spec.ts', additions: 100 },
+			{ filename: 'src/service.test.mjs', additions: 100 },
+			{ filename: 'src/service.spec.mjs', additions: 100 },
+			{ filename: 'src/service.test.js', additions: 100 },
+			{ filename: 'src/service.spec.js', additions: 100 },
+			{ filename: 'src/__tests__/helper.ts', additions: 100 },
+			{ filename: 'src/component.snap', additions: 100 },
+		];
+		assert.equal(countFilteredAdditions(files, EXCLUDE_PATTERNS), 50);
+	});
+
+	it('applies EXCLUDE_PATTERNS to test directories (test/, tests/, __tests__)', () => {
+		const files = [
+			{ filename: 'packages/cli/src/service.ts', additions: 50 },
+			{ filename: 'packages/cli/test/unit/service.test.ts', additions: 100 },
+			{ filename: 'packages/cli/test/integration/api.test.ts', additions: 100 },
+			{ filename: 'packages/nodes-base/nodes/Foo/tests/Foo.test.ts', additions: 100 },
+			{ filename: 'packages/core/src/__tests__/cipher.test.ts', additions: 100 },
+		];
+		assert.equal(countFilteredAdditions(files, EXCLUDE_PATTERNS), 50);
+	});
+
+	it('applies EXCLUDE_PATTERNS to snapshots, fixtures, and mocks', () => {
+		const files = [
+			{ filename: 'packages/cli/src/service.ts', additions: 50 },
+			{ filename: 'packages/editor-ui/src/__snapshots__/Canvas.test.ts.snap', additions: 100 },
+			{ filename: 'packages/workflow/test/fixtures/workflow.json', additions: 100 },
+			{ filename: 'packages/core/src/__mocks__/fs.ts', additions: 100 },
+		];
+		assert.equal(countFilteredAdditions(files, EXCLUDE_PATTERNS), 50);
+	});
+
+	it('applies EXCLUDE_PATTERNS to packages/testing and pnpm-lock.yaml', () => {
+		const files = [
+			{ filename: 'packages/cli/src/service.ts', additions: 50 },
+			{ filename: 'packages/testing/playwright/tests/workflow.spec.ts', additions: 100 },
+			{ filename: 'packages/testing/playwright/pages/CanvasPage.ts', additions: 100 },
+			{ filename: 'pnpm-lock.yaml', additions: 500 },
+		];
+		assert.equal(countFilteredAdditions(files, EXCLUDE_PATTERNS), 50);
+	});
+});

.github/scripts/quality/handle-size-override.mjs

@@ -0,0 +1,97 @@
+/**
+ * Re-triggers the PR Size Limit check when a maintainer comments `/size-limit-override`.
+ *
+ * Finds the latest `PR Size Limit` check run on the PR's HEAD commit and re-requests it.
+ * The re-run scans comments, finds the override, and passes — satisfying branch protection
+ * without any label manipulation or status API calls.
+ *
+ * Exit codes:
+ *   0 – Check run re-requested successfully
+ *   1 – Commenter lacks permission, or no check run found to re-request
+ */
+
+import { initGithub, getEventFromGithubEventPath } from '../github-helpers.mjs';
+
+const CHECK_NAME = 'PR Size Limit';
+
+/**
+ * @param {{
+ *   octokit: import('../github-helpers.mjs').GitHubInstance,
+ *   owner: string,
+ *   repo: string,
+ *   prNumber: number,
+ *   commenter: string,
+ *   commentId: number,
+ * }} params
+ */
+export async function run({ octokit, owner, repo, prNumber, commenter, commentId }) {
+	const { data: perm } = await octokit.rest.repos.getCollaboratorPermissionLevel({
+		owner,
+		repo,
+		username: commenter,
+	});
+
+	if (!['admin', 'write', 'maintain'].includes(perm.permission)) {
+		console.log(
+			`::error::@${commenter} does not have permission to override the PR size limit (requires write access).`,
+		);
+		process.exit(1);
+	}
+
+	const { data: pr } = await octokit.rest.pulls.get({
+		owner,
+		repo,
+		pull_number: prNumber,
+	});
+	const headSha = pr.head.sha;
+
+	const {
+		data: { check_runs },
+	} = await octokit.rest.checks.listForRef({
+		owner,
+		repo,
+		ref: headSha,
+		check_name: CHECK_NAME,
+		per_page: 1,
+	});
+
+	if (check_runs.length === 0) {
+		console.log(
+			`::error::No '${CHECK_NAME}' check run found for ${headSha}. Push a new commit to trigger it.`,
+		);
+		process.exit(1);
+	}
+
+	await octokit.rest.checks.rerequestRun({
+		owner,
+		repo,
+		check_run_id: check_runs[0].id,
+	});
+
+	await octokit.rest.reactions.createForIssueComment({
+		owner,
+		repo,
+		comment_id: commentId,
+		content: '+1',
+	});
+
+	console.log(`Re-requested '${CHECK_NAME}' check run (${check_runs[0].id}) for ${headSha}`);
+}
+
+async function main() {
+	const event = getEventFromGithubEventPath();
+	const { octokit, owner, repo } = initGithub();
+
+	await run({
+		octokit,
+		owner,
+		repo,
+		prNumber: event.issue.number,
+		commenter: event.sender.login,
+		commentId: event.comment.id,
+	});
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+	await main();
+}

.github/scripts/retry.mjs

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+/**
+ * Retry a shell command with configurable attempts and delay.
+ *
+ * Usage: node retry.mjs [--attempts N] [--delay N] '<command>'
+ *
+ * Options:
+ *   --attempts N   Maximum number of attempts (default: 4)
+ *   --delay N      Seconds to wait between retries (default: 15)
+ *
+ * The command is executed via shell, so pipes and env-var expansion work.
+ * Exits 0 on first success, 1 if all attempts fail.
+ */
+import { execSync } from 'node:child_process';
+
+const args = process.argv.slice(2);
+
+function getFlag(name, defaultValue) {
+	const index = args.indexOf(`--${name}`);
+	if (index === -1 || !args[index + 1]) return defaultValue;
+	const value = parseInt(args[index + 1], 10);
+	if (Number.isNaN(value) || value <= 0) {
+		console.error(`Error: --${name} must be a positive integer`);
+		process.exit(1);
+	}
+	return value;
+}
+
+const attempts = getFlag('attempts', 4);
+const delay = getFlag('delay', 15);
+
+// Command is the last positional arg (skip flags and their values)
+const command = args
+	.filter((a, i) => {
+		if (a.startsWith('--')) return false;
+		if (i > 0 && args[i - 1].startsWith('--')) return false;
+		return true;
+	})
+	.pop();
+
+if (!command) {
+	console.error("Usage: node retry.mjs [--attempts N] [--delay N] '<command>'");
+	process.exit(1);
+}
+
+for (let i = 1; i <= attempts; i++) {
+	try {
+		execSync(command, { shell: true, stdio: 'inherit' });
+		process.exit(0);
+	} catch {
+		if (i < attempts) {
+			console.error(`Attempt ${i}/${attempts} failed, retrying in ${delay}s...`);
+			execSync(`sleep ${delay}`);
+		} else {
+			console.error(`Attempt ${i}/${attempts} failed, no more retries.`);
+		}
+	}
+}
+
+process.exit(1);

.github/scripts/send-build-stats.mjs

@@ -0,0 +1,67 @@
+#!/usr/bin/env node
+/**
+ * Sends Turbo build stats to the unified QA metrics webhook.
+ *
+ * Reads the Turbo run summary from .turbo/runs/ and emits per-package
+ * build-duration metrics with {package, cache, task} dimensions, plus
+ * a run-level build-total-duration summary.
+ *
+ * Usage: node send-build-stats.mjs
+ *
+ * Environment variables:
+ *   QA_METRICS_WEBHOOK_URL      - Webhook URL (required to send)
+ *   QA_METRICS_WEBHOOK_USER     - Basic auth username
+ *   QA_METRICS_WEBHOOK_PASSWORD - Basic auth password
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+
+import { sendMetrics, metric } from './send-metrics.mjs';
+
+const runsDir = '.turbo/runs';
+if (!existsSync(runsDir)) {
+	console.log('No .turbo/runs directory found (turbo --summarize not used), skipping.');
+	process.exit(0);
+}
+
+const files = readdirSync(runsDir)
+	.filter((f) => f.endsWith('.json'))
+	.sort();
+if (files.length === 0) {
+	console.error('No summary file found in .turbo/runs/');
+	process.exit(1);
+}
+
+const summary = JSON.parse(readFileSync(join(runsDir, files.at(-1)), 'utf-8'));
+
+const metrics = [];
+
+for (const task of summary.tasks ?? []) {
+	if (task.execution?.exitCode !== 0) continue;
+	const durationMs = task.execution.durationMs ?? 0;
+	const cacheHit = task.cache?.status === 'HIT';
+	// taskId format: "package-name#task-name"
+	const [pkg, taskName] = task.taskId?.split('#') ?? [task.package, task.task];
+
+	metrics.push(
+		metric('build-duration', durationMs / 1000, 's', {
+			package: pkg ?? 'unknown',
+			task: taskName ?? 'build',
+			cache: cacheHit ? 'hit' : 'miss',
+		}),
+	);
+}
+
+const totalMs = summary.durationMs ?? 0;
+const totalTasks = summary.tasks?.length ?? 0;
+const cachedTasks = summary.tasks?.filter((t) => t.cache?.status === 'HIT').length ?? 0;
+
+metrics.push(
+	metric('build-total-duration', totalMs / 1000, 's', {
+		total_tasks: totalTasks,
+		cached_tasks: cachedTasks,
+	}),
+);
+
+await sendMetrics(metrics, 'build-stats');

.github/scripts/send-docker-stats.mjs

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+/**
+ * Sends Docker build stats to the unified QA metrics webhook.
+ *
+ * Reads manifests produced by build-n8n.mjs and dockerize-n8n.mjs and emits
+ * per-image docker-image-size metrics and build duration metrics with
+ * {image, platform} dimensions.
+ *
+ * Usage: node send-docker-stats.mjs
+ *
+ * Environment variables:
+ *   QA_METRICS_WEBHOOK_URL      - Webhook URL (required to send)
+ *   QA_METRICS_WEBHOOK_USER     - Basic auth username
+ *   QA_METRICS_WEBHOOK_PASSWORD - Basic auth password
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+
+import { sendMetrics, metric } from './send-metrics.mjs';
+
+/** Parse human-readable sizes (e.g. "1.5G", "500M", "12K") to MB. */
+function parseSizeToMB(val) {
+	if (typeof val === 'number') return val / (1024 * 1024);
+	if (typeof val !== 'string') return null;
+	const match = val.match(/^([\d.]+)\s*([KMGT]?)i?B?$/i);
+	if (!match) return null;
+	const num = parseFloat(match[1]);
+	const suffix = match[2].toUpperCase();
+	const toMB = { '': 1 / (1024 * 1024), 'K': 1 / 1024, 'M': 1, 'G': 1024, 'T': 1024 * 1024 };
+	return Math.round(num * (toMB[suffix] ?? 1) * 100) / 100;
+}
+
+const buildManifestPath = 'compiled/build-manifest.json';
+const dockerManifestPath = 'docker-build-manifest.json';
+
+if (!existsSync(buildManifestPath) && !existsSync(dockerManifestPath)) {
+	console.log('No build or docker manifests found, skipping.');
+	process.exit(0);
+}
+
+const buildManifest = existsSync(buildManifestPath)
+	? JSON.parse(readFileSync(buildManifestPath, 'utf-8'))
+	: null;
+
+const dockerManifest = existsSync(dockerManifestPath)
+	? JSON.parse(readFileSync(dockerManifestPath, 'utf-8'))
+	: null;
+
+const metrics = [];
+
+if (buildManifest) {
+	const sizeMB = parseSizeToMB(buildManifest.artifactSize);
+	if (sizeMB != null) {
+		metrics.push(metric('artifact-size', sizeMB, 'MB', { artifact: 'compiled' }));
+	}
+	const duration = buildManifest.buildDuration;
+	if (duration?.total != null) {
+		metrics.push(metric('build-duration', duration.total / 1000, 's', { artifact: 'compiled' }));
+	}
+}
+
+if (dockerManifest) {
+	const platform = dockerManifest.platform ?? 'unknown';
+
+	for (const image of dockerManifest.images ?? []) {
+		const imageSizeMB = parseSizeToMB(image.size ?? image.sizeBytes);
+		const imageName = image.imageName ?? image.name ?? 'unknown';
+		const shortName = imageName.replace(/^n8nio\//, '').replace(/:.*$/, '');
+		if (imageSizeMB != null) {
+			metrics.push(
+				metric(`docker-image-size-${shortName}`, imageSizeMB, 'MB', { platform }),
+			);
+		}
+	}
+
+	if (dockerManifest.buildDurationMs != null) {
+		metrics.push(
+			metric('docker-build-duration', dockerManifest.buildDurationMs / 1000, 's', { platform }),
+		);
+	}
+}
+
+if (metrics.length === 0) {
+	console.log('No metrics to send.');
+	process.exit(0);
+}
+
+await sendMetrics(metrics, 'docker-stats');

.github/scripts/send-metrics.mjs

@@ -0,0 +1,94 @@
+#!/usr/bin/env node
+/**
+ * Shared metrics sender for CI scripts.
+ * See .github/CI-TELEMETRY.md for payload shape and BigQuery schema.
+ *
+ * Usage:
+ *   import { sendMetrics, metric } from './send-metrics.mjs';
+ *   await sendMetrics([metric('build-duration', 45.2, 's', { package: '@n8n/cli' })]);
+ *
+ * Env: QA_METRICS_WEBHOOK_URL, QA_METRICS_WEBHOOK_USER, QA_METRICS_WEBHOOK_PASSWORD
+ */
+
+import * as os from 'node:os';
+
+/** Build a single metric object. */
+export function metric(name, value, unit, dimensions = {}) {
+	return { metric_name: name, value, unit, dimensions };
+}
+
+/** Build git/ci/runner context from environment variables. */
+export function buildContext(benchmarkName = null) {
+	const ref = process.env.GITHUB_REF ?? '';
+	const prMatch = ref.match(/refs\/pull\/(\d+)/);
+	const runId = process.env.GITHUB_RUN_ID ?? null;
+
+	return {
+		timestamp: new Date().toISOString(),
+		benchmark_name: benchmarkName,
+		git: {
+			sha: process.env.GITHUB_SHA?.slice(0, 8) ?? null,
+			branch: process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME ?? null,
+			pr: prMatch ? parseInt(prMatch[1], 10) : null,
+		},
+		ci: {
+			runId,
+			runUrl:
+				runId && process.env.GITHUB_REPOSITORY
+					? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`
+					: null,
+			job: process.env.GITHUB_JOB ?? null,
+			workflow: process.env.GITHUB_WORKFLOW ?? null,
+			attempt: process.env.GITHUB_RUN_ATTEMPT
+				? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)
+				: null,
+		},
+		runner: {
+			provider: !process.env.CI
+				? 'local'
+				: process.env.RUNNER_ENVIRONMENT === 'github-hosted'
+					? 'github'
+					: 'blacksmith',
+			cpuCores: os.cpus().length,
+			memoryGb: Math.round((os.totalmem() / (1024 * 1024 * 1024)) * 10) / 10,
+		},
+	};
+}
+
+export async function sendMetrics(metrics, benchmarkName = null) {
+	const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;
+	const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;
+	const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;
+
+	if (!webhookUrl) {
+		console.log('QA_METRICS_WEBHOOK_URL not set, skipping.');
+		return;
+	}
+
+	if (!webhookUser || !webhookPassword) {
+		console.log('QA_METRICS_WEBHOOK_USER/PASSWORD not set, skipping.');
+		return;
+	}
+
+	const payload = { ...buildContext(benchmarkName), metrics };
+	const basicAuth = Buffer.from(`${webhookUser}:${webhookPassword}`).toString('base64');
+
+	const response = await fetch(webhookUrl, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Basic ${basicAuth}`,
+		},
+		body: JSON.stringify(payload),
+		signal: AbortSignal.timeout(30_000),
+	});
+
+	if (!response.ok) {
+		const body = await response.text().catch(() => '');
+		throw new Error(
+			`Webhook failed: ${response.status} ${response.statusText}${body ? `\n${body}` : ''}`,
+		);
+	}
+
+	console.log(`Sent ${metrics.length} metric(s): ${response.status}`);
+}

.github/scripts/send-version-release-notification.mjs

@@ -0,0 +1,32 @@
+import { ensureEnvVar } from './github-helpers.mjs';
+
+async function sendVersionReleaseNotification() {
+	const payload = ensureEnvVar('PAYLOAD');
+	const webhookData = ensureEnvVar('N8N_VERSION_RELEASE_NOTIFICATION_DATA');
+
+	const { user, secret, url } = JSON.parse(webhookData);
+
+	console.log('Payload: ', JSON.parse(payload));
+
+	const response = await fetch(url, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: 'Basic ' + Buffer.from(`${user}:${secret}`).toString('base64'),
+		},
+		body: payload,
+	});
+
+	const status = response.status;
+	console.log('Webhook call returned status ' + status);
+
+	if (status !== 200) {
+		const body = await response.text();
+		throw new Error(`Webhook call failed:\n\n ${body}`);
+	}
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	sendVersionReleaseNotification();
+}

.github/scripts/set-latest-for-monorepo-packages.mjs

@@ -0,0 +1,28 @@
+import { trySh } from './github-helpers.mjs';
+import { getMonorepoProjects } from './pnpm-utils.mjs';
+
+async function setLatestForMonorepoPackages() {
+	const packages = await getMonorepoProjects();
+
+	const publishedPackages = packages //
+		.filter((pkg) => !pkg.private)
+		.filter((pkg) => pkg.version);
+
+	for (const pkg of publishedPackages) {
+		const versionName = `${pkg.name}@${pkg.version}`;
+		const res = trySh('npm', ['dist-tag', 'add', versionName, 'latest']);
+		if (res.ok) {
+			console.log(`Set ${versionName} as latest`);
+		} else {
+			console.warn(`Update failed for ${versionName}`);
+		}
+	}
+}
+
+// only run when executed directly, not when imported by tests
+if (import.meta.url === `file://${process.argv[1]}`) {
+	setLatestForMonorepoPackages().catch((err) => {
+		console.error(err);
+		process.exit(1);
+	});
+}

.github/scripts/update-changelog.mjs

@@ -1,5 +1,5 @@
 import createTempFile from 'tempfile';
-import conventionalChangelog from 'conventional-changelog';
+import { ConventionalChangelog } from 'conventional-changelog';
 import { resolve } from 'path';
 import { createReadStream, createWriteStream } from 'fs';
 import { dirname } from 'path';
@@ -12,21 +12,48 @@ const fullChangelogFile = resolve(baseDir, 'CHANGELOG.md');
 // Version includes experimental versions (e.g., 1.2.3-exp.0)
 const versionChangelogFile = resolve(baseDir, `CHANGELOG-${packageJson.version}.md`);
 
-const changelogStream = conventionalChangelog({
-	preset: 'angular',
-	releaseCount: 1,
-	tagPrefix: 'n8n@',
-	transform: (commit, callback) => {
-		const hasNoChangelogInHeader = commit.header.includes('(no-changelog)');
-		const isBenchmarkScope = commit.scope === 'benchmark';
+const changelogStream = new ConventionalChangelog()
+	.package(packageJson)
+	.readRepository()
+	.loadPreset('angular')
+	.tags({
+		prefix: 'n8n@',
+	})
+	.context({
+		version: packageJson.version,
+		repoUrl: 'https://github.com/n8n-io/n8n',
+	})
+	.options({
+		releaseCount: 1,
+		transformCommit(commit) {
+			const hasNoChangelogInHeader = commit.header?.includes('(no-changelog)');
+			const isBenchmarkScope = commit.scope === 'benchmark';
 
-		// Ignore commits that have 'benchmark' scope or '(no-changelog)' in the header
-		callback(null, hasNoChangelogInHeader || isBenchmarkScope ? undefined : commit);
-	},
-}).on('error', (err) => {
-	console.error(err.stack);
-	process.exit(1);
-});
+			// Ignore commits that have 'benchmark' scope or '(no-changelog)' in the header
+			if (hasNoChangelogInHeader || isBenchmarkScope) return null;
+
+			// Strip backport information from commit subject, e.g.:
+			// "Fix something (backport to release-candidate/2.12.x) (#123)" → "Fix something (#123)"
+			if (commit.subject) {
+				// The commit.subject is immutable so we need to recreate the commit object
+
+				/** @type { import("conventional-changelog").Commit } */
+				let newCommit = /** @type { any } */ ({
+					...commit,
+					subject: commit.subject.replace(/\s*\(backport to [^)]+\)/g, ''),
+				});
+
+				return newCommit;
+			}
+
+			return commit;
+		},
+	})
+	.writeStream()
+	.on('error', (err) => {
+		console.error(err.stack);
+		process.exit(1);
+	});
 
 // Write the new changelog to a new temporary file, so that the contents can be used in the PR description
 await pipeline(changelogStream, createWriteStream(versionChangelogFile));
@@ -36,5 +63,6 @@ await pipeline(changelogStream, createWriteStream(versionChangelogFile));
 const tmpFile = createTempFile();
 const tmpStream = createWriteStream(tmpFile);
 await pipeline(createReadStream(versionChangelogFile), tmpStream, { end: false });
+tmpStream.write('\n\n');
 await pipeline(createReadStream(fullChangelogFile), tmpStream);
 await pipeline(createReadStream(tmpFile), createWriteStream(fullChangelogFile));

.github/scripts/validate-docs-links.js

@@ -1,90 +0,0 @@
-#!/usr/bin/env node
-
-const packages = ['nodes-base', '@n8n/nodes-langchain'];
-const concurrency = 20;
-let exitCode = 0;
-
-const debug = require('debug')('n8n');
-const path = require('path');
-const https = require('https');
-const glob = require('glob');
-const pLimit = require('p-limit');
-const picocolors = require('picocolors');
-const Lookup = require('cacheable-lookup').default;
-
-const agent = new https.Agent({ keepAlive: true, keepAliveMsecs: 5000 });
-new Lookup().install(agent);
-const limiter = pLimit(concurrency);
-
-const validateUrl = async (packageName, kind, type) =>
-	new Promise((resolve, reject) => {
-		const name = type.displayName;
-		const documentationUrl =
-			kind === 'credentials'
-				? type.documentationUrl
-				: type.codex?.resources?.primaryDocumentation?.[0]?.url;
-		if (!documentationUrl) resolve([name, null]);
-
-		const url = new URL(
-			/^https?:\/\//.test(documentationUrl)
-				? documentationUrl
-				: `https://docs.n8n.io/integrations/builtin/${kind}/${documentationUrl.toLowerCase()}/`,
-		);
-		https
-			.request(
-				{
-					hostname: url.hostname,
-					port: 443,
-					path: url.pathname,
-					method: 'HEAD',
-					agent,
-				},
-				(res) => {
-					debug(picocolors.green('✓'), packageName, kind, name);
-					resolve([name, res.statusCode]);
-				},
-			)
-			.on('error', (e) => {
-				debug(picocolors.red('✘'), packageName, kind, name);
-				reject(e);
-			})
-			.end();
-	});
-
-const checkLinks = async (packageName, kind) => {
-	const baseDir = path.resolve(__dirname, '../../packages', packageName);
-	let types = require(path.join(baseDir, `dist/types/${kind}.json`));
-	if (kind === 'nodes')
-		types = types.filter(
-			({ codex, hidden }) => !!codex?.resources?.primaryDocumentation && !hidden,
-		);
-	debug(packageName, kind, types.length);
-
-	const statuses = await Promise.all(
-		types.map((type) =>
-			limiter(() => {
-				return validateUrl(packageName, kind, type);
-			}),
-		),
-	);
-
-	const missingDocs = [];
-	const invalidUrls = [];
-	for (const [name, statusCode] of statuses) {
-		if (statusCode === null) missingDocs.push(name);
-		if (statusCode !== 200) invalidUrls.push(name);
-	}
-
-	if (missingDocs.length)
-		console.log('Documentation URL missing in %s for %s', packageName, kind, missingDocs);
-	if (invalidUrls.length)
-		console.log('Documentation URL invalid in %s for %s', packageName, kind, invalidUrls);
-	if (missingDocs.length || invalidUrls.length) exitCode = 1;
-};
-
-(async () => {
-	for (const packageName of packages) {
-		await Promise.all([checkLinks(packageName, 'credentials'), checkLinks(packageName, 'nodes')]);
-		if (exitCode !== 0) process.exit(exitCode);
-	}
-})();

.github/test-metrics/playwright.json

@@ -0,0 +1,832 @@
+{
+  "updatedAt": "2026-04-10T10:10:12.160Z",
+  "source": "currents",
+  "projectId": "LRxcNt",
+  "specs": {
+    "tests/e2e/workflows/editor/canvas/actions.spec.ts": {
+      "avgDuration": 143495,
+      "testCount": 19,
+      "flakyRate": 0.2895
+    },
+    "tests/e2e/projects/projects.spec.ts": {
+      "avgDuration": 141370,
+      "testCount": 7,
+      "flakyRate": 0.0189
+    },
+    "tests/e2e/credentials/crud.spec.ts": {
+      "avgDuration": 119882,
+      "testCount": 14,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/list/workflows.spec.ts": {
+      "avgDuration": 115566,
+      "testCount": 10,
+      "flakyRate": 0.0076
+    },
+    "tests/e2e/ai/langchain-agents.spec.ts": {
+      "avgDuration": 112278,
+      "testCount": 7,
+      "flakyRate": 0.0225
+    },
+    "tests/e2e/workflows/editor/code/code-node.spec.ts": {
+      "avgDuration": 111238,
+      "testCount": 12,
+      "flakyRate": 0.1895
+    },
+    "tests/e2e/workflows/editor/canvas/canvas-zoom.spec.ts": {
+      "avgDuration": 103779,
+      "testCount": 13,
+      "flakyRate": 0.0447
+    },
+    "tests/e2e/workflows/editor/canvas/undo-redo.spec.ts": {
+      "avgDuration": 103215,
+      "testCount": 14,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/settings/personal/two-factor-authentication.spec.ts": {
+      "avgDuration": 101275,
+      "testCount": 7,
+      "flakyRate": 0.0057
+    },
+    "tests/e2e/workflows/editor/canvas/canvas-nodes.spec.ts": {
+      "avgDuration": 98150,
+      "testCount": 8,
+      "flakyRate": 0.1383
+    },
+    "tests/e2e/ai/assistant-basic.spec.ts": {
+      "avgDuration": 98077,
+      "testCount": 11,
+      "flakyRate": 0.0092
+    },
+    "tests/e2e/ai/builder-setup-wizard.spec.ts": {
+      "avgDuration": 98038,
+      "testCount": 9,
+      "flakyRate": 0.011
+    },
+    "tests/e2e/chat-hub/chat-hub-tools.spec.ts": {
+      "avgDuration": 97205,
+      "testCount": 1,
+      "flakyRate": 0.9665
+    },
+    "tests/e2e/workflows/editor/ndv/ndv-core.spec.ts": {
+      "avgDuration": 96983,
+      "testCount": 14,
+      "flakyRate": 0.0038
+    },
+    "tests/e2e/data-tables/tables.spec.ts": {
+      "avgDuration": 96687,
+      "testCount": 7,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/ndv/ndv-data-display.spec.ts": {
+      "avgDuration": 93865,
+      "testCount": 11,
+      "flakyRate": 0.0875
+    },
+    "tests/e2e/data-tables/details.spec.ts": {
+      "avgDuration": 88739,
+      "testCount": 11,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/code/editors.spec.ts": {
+      "avgDuration": 88632,
+      "testCount": 11,
+      "flakyRate": 0.0187
+    },
+    "tests/e2e/projects/folders-operations.spec.ts": {
+      "avgDuration": 83495,
+      "testCount": 14,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/auth/oidc.spec.ts": {
+      "avgDuration": 79906,
+      "testCount": 1,
+      "flakyRate": 0.0111
+    },
+    "tests/e2e/workflows/executions/list.spec.ts": {
+      "avgDuration": 79342,
+      "testCount": 11,
+      "flakyRate": 0.3131
+    },
+    "tests/e2e/nodes/webhook.spec.ts": {
+      "avgDuration": 78999,
+      "testCount": 9,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/workflows/editor/expressions/mapping.spec.ts": {
+      "avgDuration": 77958,
+      "testCount": 10,
+      "flakyRate": 0.2096
+    },
+    "tests/e2e/workflows/templates/credentials-setup.spec.ts": {
+      "avgDuration": 77108,
+      "testCount": 8,
+      "flakyRate": 0.0076
+    },
+    "tests/e2e/workflows/editor/execution/execution.spec.ts": {
+      "avgDuration": 73018,
+      "testCount": 14,
+      "flakyRate": 0.041
+    },
+    "tests/e2e/sharing/credential-visibility.spec.ts": {
+      "avgDuration": 71543,
+      "testCount": 5,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/ndv/resource-locator.spec.ts": {
+      "avgDuration": 70513,
+      "testCount": 7,
+      "flakyRate": 0.3126
+    },
+    "tests/e2e/ai/langchain-vectorstores.spec.ts": {
+      "avgDuration": 69923,
+      "testCount": 2,
+      "flakyRate": 0.0391
+    },
+    "tests/e2e/workflows/editor/ndv/pinning.spec.ts": {
+      "avgDuration": 68441,
+      "testCount": 10,
+      "flakyRate": 0.1299
+    },
+    "tests/e2e/workflows/editor/ndv/ndv-parameters.spec.ts": {
+      "avgDuration": 68415,
+      "testCount": 9,
+      "flakyRate": 0.0094
+    },
+    "tests/e2e/building-blocks/canvas-actions.spec.ts": {
+      "avgDuration": 66499,
+      "testCount": 9,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/workflows/editor/execution/logs.spec.ts": {
+      "avgDuration": 65890,
+      "testCount": 8,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/workflows/executions/filter.spec.ts": {
+      "avgDuration": 61881,
+      "testCount": 2,
+      "flakyRate": 0.3026
+    },
+    "tests/e2e/workflows/editor/viewer-permissions.spec.ts": {
+      "avgDuration": 61620,
+      "testCount": 3,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/ai/assistant-credential-help.spec.ts": {
+      "avgDuration": 59289,
+      "testCount": 4,
+      "flakyRate": 0.0106
+    },
+    "tests/e2e/workflows/editor/subworkflows/extraction.spec.ts": {
+      "avgDuration": 59183,
+      "testCount": 3,
+      "flakyRate": 0
+    },
+    "tests/e2e/projects/project-settings.spec.ts": {
+      "avgDuration": 57519,
+      "testCount": 8,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/node-creator/actions.spec.ts": {
+      "avgDuration": 56035,
+      "testCount": 4,
+      "flakyRate": 0.0056
+    },
+    "tests/e2e/ai/assistant-code-help.spec.ts": {
+      "avgDuration": 55927,
+      "testCount": 2,
+      "flakyRate": 0.013
+    },
+    "tests/e2e/workflows/editor/expressions/modal.spec.ts": {
+      "avgDuration": 54475,
+      "testCount": 6,
+      "flakyRate": 0.0038
+    },
+    "tests/e2e/chat-hub/chat-hub-basic.spec.ts": {
+      "avgDuration": 54335,
+      "testCount": 3,
+      "flakyRate": 0.0395
+    },
+    "tests/e2e/ai/assistant-support-chat.spec.ts": {
+      "avgDuration": 54072,
+      "testCount": 3,
+      "flakyRate": 0.0112
+    },
+    "tests/e2e/nodes/send-and-wait.spec.ts": {
+      "avgDuration": 52972,
+      "testCount": 5,
+      "flakyRate": 0.0144
+    },
+    "tests/e2e/workflows/editor/execution/debug.spec.ts": {
+      "avgDuration": 52540,
+      "testCount": 4,
+      "flakyRate": 0.0339
+    },
+    "tests/e2e/workflows/checklist/production-checklist.spec.ts": {
+      "avgDuration": 52502,
+      "testCount": 7,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/workflows/editor/routing.spec.ts": {
+      "avgDuration": 52209,
+      "testCount": 6,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/workflows/editor/expressions/inline.spec.ts": {
+      "avgDuration": 51959,
+      "testCount": 7,
+      "flakyRate": 0.0602
+    },
+    "tests/e2e/ai/hitl-for-tools.spec.ts": {
+      "avgDuration": 51720,
+      "testCount": 2,
+      "flakyRate": 0.0089
+    },
+    "tests/e2e/dynamic-credentials/execution-status.spec.ts": {
+      "avgDuration": 49785,
+      "testCount": 2,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/regression/ADO-4462-template-setup-experiment.spec.ts": {
+      "avgDuration": 49662,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/projects/projects-move-resources.spec.ts": {
+      "avgDuration": 48906,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/ndv/paired-item.spec.ts": {
+      "avgDuration": 48408,
+      "testCount": 6,
+      "flakyRate": 0
+    },
+    "tests/e2e/nodes/form-trigger-node.spec.ts": {
+      "avgDuration": 48230,
+      "testCount": 5,
+      "flakyRate": 0.0053
+    },
+    "tests/e2e/projects/folders-basic.spec.ts": {
+      "avgDuration": 47996,
+      "testCount": 11,
+      "flakyRate": 0.0055
+    },
+    "tests/e2e/workflows/editor/expressions/transformation.spec.ts": {
+      "avgDuration": 46587,
+      "testCount": 6,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/building-blocks/node-details-configuration.spec.ts": {
+      "avgDuration": 46585,
+      "testCount": 7,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/ai/rag-callout.spec.ts": {
+      "avgDuration": 45684,
+      "testCount": 2,
+      "flakyRate": 0.0075
+    },
+    "tests/e2e/credentials/global.spec.ts": {
+      "avgDuration": 45667,
+      "testCount": 5,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/workflows/editor/tags.spec.ts": {
+      "avgDuration": 44112,
+      "testCount": 7,
+      "flakyRate": 0
+    },
+    "tests/e2e/api/waiting-endpoint-security.spec.ts": {
+      "avgDuration": 44090,
+      "testCount": 2,
+      "flakyRate": 0.0168
+    },
+    "tests/e2e/workflows/editor/workflow-actions/publish.spec.ts": {
+      "avgDuration": 43744,
+      "testCount": 8,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/api/wait-form-resume.spec.ts": {
+      "avgDuration": 43563,
+      "testCount": 2,
+      "flakyRate": 0.0075
+    },
+    "tests/e2e/chat-hub/chat-hub-workflow-agent.spec.ts": {
+      "avgDuration": 43386,
+      "testCount": 2,
+      "flakyRate": 0.1304
+    },
+    "tests/e2e/projects/folders-advanced.spec.ts": {
+      "avgDuration": 42193,
+      "testCount": 6,
+      "flakyRate": 0
+    },
+    "tests/e2e/ai/workflow-builder.spec.ts": {
+      "avgDuration": 41361,
+      "testCount": 5,
+      "flakyRate": 0.0074
+    },
+    "tests/e2e/workflows/editor/subworkflows/workflow-selector.spec.ts": {
+      "avgDuration": 41020,
+      "testCount": 5,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/chat-hub/chat-hub-attachment.spec.ts": {
+      "avgDuration": 40578,
+      "testCount": 3,
+      "flakyRate": 0.075
+    },
+    "tests/e2e/nodes/kafka-nodes.spec.ts": {
+      "avgDuration": 40562,
+      "testCount": 2,
+      "flakyRate": 0.0057
+    },
+    "tests/e2e/settings/log-streaming/log-streaming-observability.spec.ts": {
+      "avgDuration": 40559,
+      "testCount": 2,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/building-blocks/credentials.spec.ts": {
+      "avgDuration": 40125,
+      "testCount": 6,
+      "flakyRate": 0
+    },
+    "tests/e2e/ai/chat-session.spec.ts": {
+      "avgDuration": 39605,
+      "testCount": 1,
+      "flakyRate": 0.0093
+    },
+    "tests/e2e/workflows/editor/ndv/ndv-floating-nodes.spec.ts": {
+      "avgDuration": 39174,
+      "testCount": 4,
+      "flakyRate": 0.0056
+    },
+    "tests/e2e/workflows/editor/ndv/resource-mapper.spec.ts": {
+      "avgDuration": 38031,
+      "testCount": 5,
+      "flakyRate": 0.0094
+    },
+    "tests/e2e/auth/admin-smoke.spec.ts": {
+      "avgDuration": 37487,
+      "testCount": 1,
+      "flakyRate": 0.0112
+    },
+    "tests/e2e/workflows/templates/templates.spec.ts": {
+      "avgDuration": 37367,
+      "testCount": 9,
+      "flakyRate": 0.0038
+    },
+    "tests/e2e/auth/authenticated.spec.ts": {
+      "avgDuration": 37279,
+      "testCount": 5,
+      "flakyRate": 0.5
+    },
+    "tests/e2e/node-creator/special-nodes.spec.ts": {
+      "avgDuration": 36223,
+      "testCount": 3,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/cloud/cloud.spec.ts": {
+      "avgDuration": 35463,
+      "testCount": 3,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/api/discovery.spec.ts": {
+      "avgDuration": 34520,
+      "testCount": 4,
+      "flakyRate": 0.0075
+    },
+    "tests/e2e/api/webhook-external.spec.ts": {
+      "avgDuration": 33749,
+      "testCount": 2,
+      "flakyRate": 0.0074
+    },
+    "tests/e2e/node-creator/categories.spec.ts": {
+      "avgDuration": 31496,
+      "testCount": 5,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/settings/external-secrets/aws-secrets-manager.spec.ts": {
+      "avgDuration": 31370,
+      "testCount": 1,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/chat-hub/chat-hub-chat-user.spec.ts": {
+      "avgDuration": 31053,
+      "testCount": 1,
+      "flakyRate": 0.0148
+    },
+    "tests/e2e/ai/langchain-chains.spec.ts": {
+      "avgDuration": 30019,
+      "testCount": 4,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/sentry/sentry-baseline.spec.ts": {
+      "avgDuration": 29919,
+      "testCount": 3,
+      "flakyRate": 0.0094
+    },
+    "tests/e2e/workflows/editor/editor-after-route-changes.spec.ts": {
+      "avgDuration": 28537,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/nodes/community-nodes.spec.ts": {
+      "avgDuration": 28299,
+      "testCount": 3,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/personal/personal.spec.ts": {
+      "avgDuration": 28173,
+      "testCount": 2,
+      "flakyRate": 0.0018
+    },
+    "tests/e2e/workflows/list/import.spec.ts": {
+      "avgDuration": 27685,
+      "testCount": 5,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/app-config/demo-reimport.spec.ts": {
+      "avgDuration": 26704,
+      "testCount": 3,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/workflows/editor/execution/inject-previous.spec.ts": {
+      "avgDuration": 25773,
+      "testCount": 2,
+      "flakyRate": 0.1013
+    },
+    "tests/e2e/settings/environments/variables.spec.ts": {
+      "avgDuration": 25388,
+      "testCount": 7,
+      "flakyRate": 0.0036
+    },
+    "tests/e2e/workflows/editor/subworkflows/debugging.spec.ts": {
+      "avgDuration": 24987,
+      "testCount": 4,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/settings/external-secrets/secret-providers-connections-ui.spec.ts": {
+      "avgDuration": 24924,
+      "testCount": 2,
+      "flakyRate": 0.0038
+    },
+    "tests/e2e/chat-hub/chat-hub-personal-agent.spec.ts": {
+      "avgDuration": 24517,
+      "testCount": 2,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/workflows/demo-diff.spec.ts": {
+      "avgDuration": 23452,
+      "testCount": 9,
+      "flakyRate": 0
+    },
+    "tests/e2e/node-creator/navigation.spec.ts": {
+      "avgDuration": 22759,
+      "testCount": 4,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/log-streaming/log-streaming.spec.ts": {
+      "avgDuration": 22635,
+      "testCount": 5,
+      "flakyRate": 0
+    },
+    "tests/e2e/auth/password-reset.spec.ts": {
+      "avgDuration": 22549,
+      "testCount": 1,
+      "flakyRate": 0.0056
+    },
+    "tests/e2e/building-blocks/workflow-entry-points.spec.ts": {
+      "avgDuration": 22343,
+      "testCount": 5,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/api/webhook-isolation.spec.ts": {
+      "avgDuration": 22179,
+      "testCount": 14,
+      "flakyRate": 1
+    },
+    "tests/e2e/sharing/access-control.spec.ts": {
+      "avgDuration": 21220,
+      "testCount": 5,
+      "flakyRate": 0.0018
+    },
+    "tests/e2e/building-blocks/user-service.spec.ts": {
+      "avgDuration": 21016,
+      "testCount": 8,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/app-config/security-notifications.spec.ts": {
+      "avgDuration": 20927,
+      "testCount": 5,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/capabilities/task-runner.spec.ts": {
+      "avgDuration": 20563,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/users/users.spec.ts": {
+      "avgDuration": 19620,
+      "testCount": 5,
+      "flakyRate": 0.0018
+    },
+    "tests/e2e/nodes/if-node.spec.ts": {
+      "avgDuration": 19366,
+      "testCount": 2,
+      "flakyRate": 0.0261
+    },
+    "tests/e2e/chat-hub/chat-hub-settings.spec.ts": {
+      "avgDuration": 19317,
+      "testCount": 2,
+      "flakyRate": 0.0149
+    },
+    "tests/e2e/regression/PAY-4367-node-shifting-cyclic.spec.ts": {
+      "avgDuration": 18403,
+      "testCount": 3,
+      "flakyRate": 0.0018
+    },
+    "tests/e2e/sharing/workflow-sharing.spec.ts": {
+      "avgDuration": 18390,
+      "testCount": 4,
+      "flakyRate": 0.0187
+    },
+    "tests/e2e/nodes/mcp-trigger.spec.ts": {
+      "avgDuration": 17518,
+      "testCount": 23,
+      "flakyRate": 0.0206
+    },
+    "tests/e2e/workflows/editor/ndv/io-filter.spec.ts": {
+      "avgDuration": 16620,
+      "testCount": 2,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/node-creator/vector-stores.spec.ts": {
+      "avgDuration": 16413,
+      "testCount": 3,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/capabilities/proxy-server.spec.ts": {
+      "avgDuration": 15032,
+      "testCount": 4,
+      "flakyRate": 0
+    },
+    "tests/e2e/sharing/credential-sharing.spec.ts": {
+      "avgDuration": 14609,
+      "testCount": 3,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/execution/partial.spec.ts": {
+      "avgDuration": 14272,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/nodes/http-request-node.spec.ts": {
+      "avgDuration": 14008,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/regression/AI-812-partial-execs-broken-when-using-chat-trigger.spec.ts": {
+      "avgDuration": 12959,
+      "testCount": 2,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/nodes/pdf-node.spec.ts": {
+      "avgDuration": 12937,
+      "testCount": 1,
+      "flakyRate": 0.0094
+    },
+    "tests/e2e/app-config/demo.spec.ts": {
+      "avgDuration": 12575,
+      "testCount": 4,
+      "flakyRate": 0.0169
+    },
+    "tests/e2e/regression/ADO-2372-prevent-clipping-params.spec.ts": {
+      "avgDuration": 11272,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/node-creator/workflows.spec.ts": {
+      "avgDuration": 11165,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/workers/workers.spec.ts": {
+      "avgDuration": 10895,
+      "testCount": 4,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/regression/ADO-1338-ndv-missing-input-panel.spec.ts": {
+      "avgDuration": 9094,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/regression/SUG-121-fields-reset-after-closing-ndv.spec.ts": {
+      "avgDuration": 7975,
+      "testCount": 1,
+      "flakyRate": 0.0261
+    },
+    "tests/e2e/workflows/editor/ndv/schema-preview.spec.ts": {
+      "avgDuration": 7781,
+      "testCount": 1,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/regression/CAT-726-canvas-node-connectors-not-rendered-when-nodes-inserted.spec.ts": {
+      "avgDuration": 7648,
+      "testCount": 1,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/regression/AI-1401-sub-nodes-input-panel.spec.ts": {
+      "avgDuration": 7312,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/regression/SUG-38-inline-expression-preview.spec.ts": {
+      "avgDuration": 7060,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/community-nodes/community-nodes.spec.ts": {
+      "avgDuration": 6765,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/regression/AI-716-correctly-set-up-agent-model-shows-error.spec.ts": {
+      "avgDuration": 6689,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/api/binary-data-xss.spec.ts": {
+      "avgDuration": 6602,
+      "testCount": 1,
+      "flakyRate": 0.0037
+    },
+    "tests/e2e/nodes/email-send-node.spec.ts": {
+      "avgDuration": 6601,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/credentials/oauth.spec.ts": {
+      "avgDuration": 6299,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/auth/signin.spec.ts": {
+      "avgDuration": 6147,
+      "testCount": 1,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/regression/ADO-2230-ndv-reset-data-pagination.spec.ts": {
+      "avgDuration": 5986,
+      "testCount": 1,
+      "flakyRate": 0.0019
+    },
+    "tests/e2e/nodes/schedule-trigger-node.spec.ts": {
+      "avgDuration": 5738,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/canvas/stickies.spec.ts": {
+      "avgDuration": 5546,
+      "testCount": 1,
+      "flakyRate": 0.0018
+    },
+    "tests/e2e/workflows/editor/canvas/focus-panel.spec.ts": {
+      "avgDuration": 5108,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/regression/ADO-2929-can-load-old-switch-node-workflows.spec.ts": {
+      "avgDuration": 4878,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/log-streaming/log-streaming-ui-e2e.spec.ts": {
+      "avgDuration": 4794,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/mcp/mcp-service.spec.ts": {
+      "avgDuration": 4302,
+      "testCount": 26,
+      "flakyRate": 0
+    },
+    "tests/e2e/app-config/versions.spec.ts": {
+      "avgDuration": 2952,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/subworkflows/wait.spec.ts": {
+      "avgDuration": 2894,
+      "testCount": 4,
+      "flakyRate": 0.0094
+    },
+    "tests/e2e/dynamic-credentials/external-user-trigger.spec.ts": {
+      "avgDuration": 1392,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/subworkflows/subworkflow-version-resolution.spec.ts": {
+      "avgDuration": 1310,
+      "testCount": 4,
+      "flakyRate": 0
+    },
+    "tests/e2e/nodes/n8n-trigger.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/credentials/api-operations.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 5,
+      "flakyRate": 0
+    },
+    "tests/e2e/app-config/env-feature-flags.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/dynamic-credentials/resolver-deletion.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 3,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/external-secrets/secret-providers-connections.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/nodes/code-node-api.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/workflow-actions/archive.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 7,
+      "flakyRate": 0
+    },
+    "tests/e2e/settings/environments/source-control.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 4,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/workflow-actions/run.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 4,
+      "flakyRate": 0
+    },
+    "tests/e2e/ai/langchain-tools.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/ai/langchain-memory.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/workflow-actions/copy-paste.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 3,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/execution/previous-nodes.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/source-control/push.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 4,
+      "flakyRate": 0
+    },
+    "tests/e2e/app-config/nps-survey.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 1,
+      "flakyRate": 0
+    },
+    "tests/e2e/source-control/pull.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/workflow-actions/settings.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 3,
+      "flakyRate": 0
+    },
+    "tests/e2e/workflows/editor/workflow-actions/duplicate.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 2,
+      "flakyRate": 0
+    },
+    "tests/e2e/ai/evaluations.spec.ts": {
+      "avgDuration": 60000,
+      "testCount": 1,
+      "flakyRate": 0
+    }
+  }
+}

.github/workflows/backport.yml

@@ -0,0 +1,83 @@
+name: 'Util: Backport pull request changes'
+
+run-name: Backport pull request ${{ github.event.pull_request.number || inputs.pull-request-id }}
+
+on:
+  pull_request:
+    types: [closed]
+  workflow_dispatch:
+    inputs:
+      pull-request-id:
+        description: 'The ID number of the pull request (e.g. 3342). No #, no extra letters.'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  backport:
+    if: |
+      github.event.pull_request.merged == true ||
+      github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-slim
+    steps:
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ secrets.N8N_ASSISTANT_APP_ID }}
+          private-key: ${{ secrets.N8N_ASSISTANT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-nodejs
+        with:
+          build-command: ''
+          install-command: pnpm install --frozen-lockfile --dir ./.github/scripts --ignore-workspace
+
+      - name: Compute backport targets
+        id: targets
+        env:
+          PULL_REQUEST_ID: ${{ inputs.pull-request-id }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: node .github/scripts/compute-backport-targets.mjs
+
+      - name: Backport
+        if: steps.targets.outputs.target_branches != ''
+        uses: korthout/backport-action@4aaf0e03a94ff0a619c9a511b61aeb42adea5b02 # v4.2.0
+        with:
+          github_token: ${{ steps.generate-token.outputs.token }}
+          source_pr_number: ${{ github.event.pull_request.number || inputs.pull-request-id }}
+          target_branches: ${{ steps.targets.outputs.target_branches }}
+          pull_description: |-
+            # Description
+            Backport of #${pull_number} to `${target_branch}`.
+
+            ## Checklist for the author (@${pull_author}) to go through.
+
+            - [ ] Review the backport changes
+            - [ ] Fix possible conflicts
+            - [ ] Merge to target branch
+
+            After this PR has been merged, it will be picked up in the next patch release for release track.
+
+            # Original description
+
+            ${pull_description}
+          pull_title: ${pull_title} (backport to ${target_branch})
+          add_author_as_assignee: true
+          add_author_as_reviewer: true
+          copy_assignees: true
+          copy_requested_reviewers: false
+          copy_labels_pattern: '^(?!Backport to\b).+' # Copy everything except backport labels
+          add_labels: 'automation:backport'
+          experimental: >
+            {
+              "conflict_resolution": "draft_commit_conflicts"
+            }

.github/workflows/benchmark-destroy-nightly.yml

@@ -1,46 +0,0 @@
-name: Destroy Benchmark Env
-
-on:
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-
-permissions:
-  id-token: write
-  contents: read
-
-concurrency:
-  group: benchmark
-  cancel-in-progress: false
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    environment: benchmarking
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Azure login
-        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
-        with:
-          client-id: ${{ secrets.BENCHMARK_ARM_CLIENT_ID }}
-          tenant-id: ${{ secrets.BENCHMARK_ARM_TENANT_ID }}
-          subscription-id: ${{ secrets.BENCHMARK_ARM_SUBSCRIPTION_ID }}
-
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with:
-          node-version: 22.x
-
-      - name: Setup corepack and pnpm
-        run: |
-          npm i -g corepack@0.33
-          corepack enable
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Destroy cloud env
-        run: pnpm destroy-cloud-env
-        working-directory: packages/@n8n/benchmark

.github/workflows/benchmark-nightly.yml

@@ -1,122 +0,0 @@
-name: Run Nightly Benchmark
-run-name: Benchmark ${{ inputs.n8n_tag || 'nightly' }}
-
-on:
-  schedule:
-    - cron: '30 1,2,3 * * *'
-  workflow_dispatch:
-    inputs:
-      debug:
-        description: 'Use debug logging'
-        required: true
-        default: 'false'
-      n8n_tag:
-        description: 'Name of the n8n docker tag to run the benchmark against.'
-        required: true
-        default: 'nightly'
-      benchmark_tag:
-        description: 'Name of the benchmark cli docker tag to run the benchmark with.'
-        required: true
-        default: 'latest'
-
-env:
-  ARM_CLIENT_ID: ${{ secrets.BENCHMARK_ARM_CLIENT_ID }}
-  ARM_SUBSCRIPTION_ID: ${{ secrets.BENCHMARK_ARM_SUBSCRIPTION_ID }}
-  ARM_TENANT_ID: ${{ secrets.BENCHMARK_ARM_TENANT_ID }}
-  N8N_TAG: ${{ inputs.n8n_tag || 'nightly' }}
-  N8N_BENCHMARK_TAG: ${{ inputs.benchmark_tag || 'latest' }}
-  DEBUG: ${{ inputs.debug == 'true' && '--debug' || '' }}
-
-permissions:
-  id-token: write
-  contents: read
-
-concurrency:
-  group: benchmark
-  cancel-in-progress: false
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    environment: benchmarking
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
-        with:
-          terraform_version: '1.8.5'
-
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with:
-          node-version: 22.x
-
-      - name: Setup corepack and pnpm
-        run: |
-          npm i -g corepack@0.33
-          corepack enable
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Azure login
-        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
-        with:
-          client-id: ${{ env.ARM_CLIENT_ID }}
-          tenant-id: ${{ env.ARM_TENANT_ID }}
-          subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
-
-      - name: Destroy any existing environment
-        run: pnpm destroy-cloud-env
-        working-directory: packages/@n8n/benchmark
-
-      - name: Provision the environment
-        run: pnpm provision-cloud-env ${{ env.DEBUG }}
-        working-directory: packages/@n8n/benchmark
-
-      - name: Run the benchmark
-        id: benchmark
-        env:
-          BENCHMARK_RESULT_WEBHOOK_URL: ${{ secrets.BENCHMARK_RESULT_WEBHOOK_URL }}
-          BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER: ${{ secrets.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER }}
-          N8N_LICENSE_CERT: ${{ secrets.N8N_BENCHMARK_LICENSE_CERT }}
-        run: |
-          pnpm benchmark-in-cloud \
-            --vus 5 \
-            --duration 1m \
-            --n8nTag ${{ env.N8N_TAG }} \
-            --benchmarkTag ${{ env.N8N_BENCHMARK_TAG }} \
-            ${{ env.DEBUG }}
-        working-directory: packages/@n8n/benchmark
-
-        # We need to login again because the access token expires
-      - name: Azure login
-        if: always()
-        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
-        with:
-          client-id: ${{ env.ARM_CLIENT_ID }}
-          tenant-id: ${{ env.ARM_TENANT_ID }}
-          subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
-
-      - name: Destroy the environment
-        if: always()
-        run: pnpm destroy-cloud-env ${{ env.DEBUG }}
-        working-directory: packages/@n8n/benchmark
-
-      - name: Fail `build` job if `benchmark` step failed
-        if: steps.benchmark.outcome == 'failure'
-        run: exit 1
-
-  notify-on-failure:
-    name: Notify Cats on failure
-    runs-on: ubuntu-latest
-    needs: [build]
-    if: failure()
-    steps:
-      - uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
-        with:
-          status: ${{ job.status }}
-          channel: '#team-catalysts'
-          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
-          message: Benchmark run failed for n8n tag `${{ inputs.n8n_tag || 'nightly' }}` - ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/build-base-image.yml

@@ -0,0 +1,71 @@
+name: 'Build: Base Image'
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'docker/images/n8n-base/Dockerfile'
+      - '.github/workflows/build-base-image.yml'
+  pull_request:
+    paths:
+      - 'docker/images/n8n-base/Dockerfile'
+      - '.github/workflows/build-base-image.yml'
+  workflow_dispatch:
+    inputs:
+      push:
+        description: 'Push to registries'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node_version: ['22', '24.14.1', '25']
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Login to DHI Registry (for pulling base images)
+        uses: ./.github/actions/docker-registry-login
+        with:
+          login-ghcr: 'false'
+          login-dhi: 'true'
+          dockerhub-username: ${{ secrets.DOCKER_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to Docker registries (for pushing)
+        if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.push == true)
+        uses: ./.github/actions/docker-registry-login
+        with:
+          login-ghcr: 'true'
+          login-dockerhub: 'true'
+          dockerhub-username: ${{ secrets.DOCKER_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          context: .
+          file: ./docker/images/n8n-base/Dockerfile
+          build-args: |
+            NODE_VERSION=${{ matrix.node_version }}
+          platforms: linux/amd64,linux/arm64
+          provenance: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.push == true) }}
+          sbom: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.push == true) }}
+          push: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.push == true) }}
+          tags: |
+            ${{ secrets.DOCKER_USERNAME }}/base:${{ matrix.node_version }}-${{ github.sha }}
+            ${{ secrets.DOCKER_USERNAME }}/base:${{ matrix.node_version }}
+            ghcr.io/${{ github.repository_owner }}/base:${{ matrix.node_version }}-${{ github.sha }}
+            ghcr.io/${{ github.repository_owner }}/base:${{ matrix.node_version }}
+          no-cache: true

.github/workflows/build-benchmark-image.yml

@@ -0,0 +1,41 @@
+name: 'Build: Benchmark Image'
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+    paths:
+      - 'packages/@n8n/benchmark/**'
+      - 'pnpm-lock.yaml'
+      - 'pnpm-workspace.yaml'
+      - '.github/workflows/build-benchmark-image.yml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Login to GitHub Container Registry
+        uses: ./.github/actions/docker-registry-login
+
+      - name: Build
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        env:
+          DOCKER_BUILD_SUMMARY: false
+        with:
+          context: .
+          file: ./packages/@n8n/benchmark/Dockerfile
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/n8n-benchmark:latest

.github/workflows/build-unit-test-pr-comment.yml

@@ -1,100 +0,0 @@
-name: Trigger build/unit tests on PR comment
-
-on:
-  issue_comment:
-    types: [created]
-
-permissions:
-  pull-requests: read
-  contents: read
-  actions: write
-  issues: write
-
-jobs:
-  validate_and_dispatch:
-    name: Validate user and dispatch CI workflow
-    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/build-unit-test')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Validate user permissions and collect PR data
-        id: check_permissions
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const commenter = context.actor;
-            const body = (context.payload.comment.body || '').trim();
-            const isCommand = body.startsWith('/build-unit-test');
-            const allowedPermissions = ['admin', 'write', 'maintain'];
-            const commentId = context.payload.comment.id;
-            const { owner, repo } = context.repo;
-
-            async function react(content) {
-              try {
-                await github.rest.reactions.createForIssueComment({
-                  owner,
-                  repo,
-                  comment_id: commentId,
-                  content,
-                });
-              } catch (error) {
-                console.log(`Failed to add reaction '${content}': ${error.message}`);
-              }
-            }
-
-            core.setOutput('proceed', 'false');
-            core.setOutput('headSha', '');
-            core.setOutput('prNumber', '');
-
-            if (!context.payload.issue.pull_request || !isCommand) {
-              console.log('Comment is not /build-unit-test on a pull request. Skipping.');
-              return;
-            }
-
-            let permission;
-            try {
-              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
-                owner,
-                repo,
-                username: commenter,
-              });
-              permission = data.permission;
-            } catch (error) {
-              console.log(`Could not verify permissions for @${commenter}: ${error.message}`);
-              await react('confused');
-              return;
-            }
-
-            if (!allowedPermissions.includes(permission)) {
-              console.log(`User @${commenter} has '${permission}' permission; requires admin/write/maintain.`);
-              await react('-1');
-              return;
-            }
-
-            try {
-              const prNumber = context.issue.number;
-              const { data: pr } = await github.rest.pulls.get({
-                owner,
-                repo,
-                pull_number: prNumber,
-              });
-              await react('+1');
-              core.setOutput('proceed', 'true');
-              core.setOutput('headSha', pr.head.sha);
-              core.setOutput('prNumber', String(prNumber));
-            } catch (error) {
-              console.log(`Failed to fetch PR details for PR #${context.issue.number}: ${error.message}`);
-              await react('confused');
-            }
-
-      - name: Dispatch build/unit test workflow
-        if: ${{ steps.check_permissions.outputs.proceed == 'true' }}
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HEAD_SHA: ${{ steps.check_permissions.outputs.headSha }}
-          PR_NUMBER: ${{ steps.check_permissions.outputs.prNumber }}
-        run: |
-          gh workflow run ci-manual-build-unit-tests.yml \
-            --repo "${{ github.repository }}" \
-            -f ref="${HEAD_SHA}" \
-            -f pr_number="${PR_NUMBER}"