Automate upstream sync workflow and fix CI gaps

- bin/sync-upstream: automation script for upstream tag sync with
  logo file restoration from ORIG_HEAD after merge
- CI: setup-node@v1->@v4, set-output->$GITHUB_OUTPUT,
  docuseal_test->wabosign_test, add rebrand-check and
  assets-precompile jobs
- Docker: checkout@v3->@v4, metadata-action@v4->@v5,
  login-action@v3->@v6, images->wabolabs/wabosign, add PR build test
- rebrand-sync: add logo paths to DENY_PATHS
- .gitattributes: add -merge for brand logo files
- REBRANDING.md: update per-sync workflow with logo restoration step

.gitattributes

@@ -1 +1,9 @@
 *.html linguist-detectable=false
+
+# WaboSign brand binary files — never merge upstream versions; always keep ours
+public/favicon.svg       -merge
+public/favicon.ico       -merge
+public/favicon-16x16.png -merge
+public/favicon-32x32.png -merge
+public/favicon-96x96.png -merge
+public/logo.svg          -merge

.github/workflows/ci.yml

@@ -60,12 +60,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Node.js
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: 20.19.0
       - name: Cache directory path
         id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
+        run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
       - uses: actions/cache@v4
         id: yarn-cache
         with:
@@ -108,6 +108,57 @@ jobs:
       - name: Run Brakeman
         run: bundle exec brakeman -q --exit-on-warn
 
+  assets_precompile:
+    name: Assets precompile
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 4.0.5
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.19.0
+      - name: Cache gems
+        uses: actions/cache@v4
+        with:
+          path: vendor/bundle
+          key: ${{ runner.os }}-gem-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-gem-
+      - name: Cache node_modules
+        uses: actions/cache@v4
+        with:
+          path: node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('**/yarn.lock') }}
+      - name: Install dependencies
+        env:
+          RAILS_ENV: production
+        run: |
+          gem install bundler
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 4
+          yarn install
+      - name: Precompile assets
+        env:
+          RAILS_ENV: production
+          SECRET_KEY_BASE: dummy-for-precompile
+          DATABASE_URL: postgres://postgres:postgres@localhost:5432/wabosign_test
+        run: |
+          bundle exec rake assets:precompile
+
+  rebrand_check:
+    name: Rebrand check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run rebrand-check
+        run: bin/rebrand-check
+
   rspec:
     name: RSpec
     runs-on: ubuntu-latest
@@ -119,7 +170,7 @@ jobs:
         env:
           POSTGRES_USER: postgres
           POSTGRES_PASSWORD: postgres
-          POSTGRES_DB: docuseal_test
+          POSTGRES_DB: wabosign_test
         ports: ["5432:5432"]
         options: >-
           --health-cmd pg_isready
@@ -134,7 +185,7 @@ jobs:
         with:
           ruby-version: 4.0.5
       - name: Set up Node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: 20.19.0
       - name: Install Chrome
@@ -171,7 +222,7 @@ jobs:
           RAILS_ENV: test
           NODE_ENV: test
           COVERAGE: true
-          DATABASE_URL: postgres://postgres:postgres@localhost:5432/docuseal_test
+          DATABASE_URL: postgres://postgres:postgres@localhost:5432/wabosign_test
         run: |
           bundle exec rake db:create
           bundle exec rake db:migrate

.github/workflows/docker.yml

@@ -1,6 +1,14 @@
 name: Build Docker Images
 
 on:
+  pull_request:
+    paths:
+      - 'Dockerfile'
+      - 'Gemfile'
+      - 'Gemfile.lock'
+      - 'yarn.lock'
+      - 'package.json'
+      - '.github/workflows/docker.yml'
   push:
     tags:
       - "*.*.*"
@@ -12,16 +20,18 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         submodules: recursive
 
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v4
+      uses: docker/metadata-action@v5
       with:
-        images: docuseal/docuseal
+        images: wabolabs/wabosign
-        tags: type=semver,pattern={{version}}
+        tags: |
+          type=ref,event=pr
+          type=semver,pattern={{version}},event=tag
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
@@ -30,10 +40,12 @@ jobs:
       uses: docker/setup-buildx-action@v3
 
     - name: Create .version file
+      if: github.ref_type == 'tag'
       run: echo ${{ github.ref_name }} > .version
 
     - name: Login to Docker Hub
-      uses: docker/login-action@v3
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v6
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -42,6 +54,6 @@ jobs:
       uses: docker/build-push-action@v6
       with:
         context: .
-        push: true
+        push: ${{ github.event_name != 'pull_request' }}
         platforms: linux/amd64,linux/arm64
         tags: ${{ steps.meta.outputs.tags }}

REBRANDING.md

@@ -89,6 +89,11 @@ git checkout master
 git merge --no-ff sync/upstream-<tag>
 # Resolve conflicts. Rerere caches recurring resolutions.
 
+# Restore WaboSign brand assets that the merge may have overwritten:
+git checkout ORIG_HEAD -- public/favicon.svg public/favicon.ico \
+  public/favicon-16x16.png public/favicon-32x32.png \
+  public/favicon-96x96.png public/logo.svg
+
 bin/rebrand-sync                                # catch upstream-only new files
 bin/rebrand-check                               # CI gate
 
@@ -99,6 +104,11 @@ yarn install
 git tag wabosign-synced-with-<tag>
 ```
 
+Or use the automated script:
+```sh
+bin/sync-upstream <tag>
+```
+
 ### Adding new preserved tokens
 
 When upstream introduces a new SDK identifier, binary URL, or attribution surface that must survive the sweep, edit `PRESERVE` in [bin/rebrand-sync](bin/rebrand-sync) and `ALLOW_PATTERNS` in [bin/rebrand-check](bin/rebrand-check) together. The two must stay in sync — `rebrand-sync` decides what the sweep ignores, `rebrand-check` decides what CI tolerates.

bin/rebrand-sync

@@ -49,6 +49,14 @@ DENY_PATHS = Set.new([
   'app/views/shared/_email_attribution.html.erb',
   'bin/rebrand-sync',
   'bin/rebrand-check',
+  # WaboSign brand logo files — must never be touched by the sweep;
+  # restored from ORIG_HEAD by bin/sync-upstream after an upstream merge.
+  'public/favicon.svg',
+  'public/favicon.ico',
+  'public/favicon-16x16.png',
+  'public/favicon-32x32.png',
+  'public/favicon-96x96.png',
+  'public/logo.svg',
   # Holds UPSTREAM_NAME / UPSTREAM_URL constants — must not be swept.
   'lib/wabosign.rb',
   # Encrypted-config migration matches the literal upstream string to find

bin/sync-upstream

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# frozen_string_literal: true
+#
+# bin/sync-upstream — automate upstream DocuSeal sync
+#
+# Usage:
+#   bin/sync-upstream <tag>
+#
+# Example:
+#   bin/sync-upstream 3.0.2
+#
+# Environment:
+#   UPSTREAM_REMOTE  (default: upstream)
+#   UPSTREAM_URL     (default: https://github.com/docusealco/docuseal.git)
+
+set -euo pipefail
+
+UPSTREAM_REMOTE="${UPSTREAM_REMOTE:-upstream}"
+TAG="${1:-}"
+
+if [ -z "$TAG" ]; then
+  echo "Usage: $0 <tag>" >&2
+  echo "  e.g. $0 3.0.2" >&2
+  exit 1
+fi
+
+# Ensure rerere is on so recurring conflict resolutions are cached
+git config rerere.enabled true
+git config rerere.autoupdate true
+
+echo "=== Fetching $UPSTREAM_REMOTE ==="
+git fetch "$UPSTREAM_REMOTE" --tags
+
+# Record the commit at the tag so we can verify later
+TAG_COMMIT="$(git rev-parse --verify "$TAG^{commit}" 2>/dev/null || true)"
+if [ -z "$TAG_COMMIT" ]; then
+  echo "Tag $TAG not found. Double-check the tag name." >&2
+  exit 1
+fi
+
+echo "=== Creating sync/upstream-$TAG from $TAG ==="
+git checkout -b "sync/upstream-$TAG" "$TAG"
+
+echo "=== Applying rebrand sweep ==="
+bin/rebrand-sync
+
+echo "=== Committing rebranded tree ==="
+git add -A
+if git diff --cached --quiet; then
+  echo "Nothing to commit — rebrand-sync produced no changes."
+else
+  git commit -m "Apply WaboSign rebrand sweep to upstream $TAG"
+fi
+
+echo "=== Merging into master ==="
+git checkout master
+git merge --no-ff "sync/upstream-$TAG" -m "Merge upstream $TAG into master"
+
+echo "=== Restoring WaboSign binary assets overwritten by merge ==="
+# Merging an upstream tag may overwrite our brand logo files that rebrand-sync
+# cannot protect (they are binary / opaque-image and bypass the text sweep).
+# Restore them from pre-merge master (ORIG_HEAD).
+LOGO_FILES=(
+  public/favicon.svg
+  public/favicon.ico
+  public/favicon-16x16.png
+  public/favicon-32x32.png
+  public/favicon-96x96.png
+  public/logo.svg
+)
+for f in "${LOGO_FILES[@]}"; do
+  if git show ORIG_HEAD:"$f" &>/dev/null 2>&1; then
+    git checkout ORIG_HEAD -- "$f"
+    echo "  restored: $f"
+  fi
+done
+
+echo "=== Catching new upstream files (post-merge sweep) ==="
+bin/rebrand-sync
+bin/rebrand-check
+
+echo ""
+echo "============================================================"
+echo "Sync of $TAG complete."
+echo "Next steps:"
+echo "  1. bundle install && yarn install"
+echo "  2. Run tests: bundle exec rspec"
+echo "  3. Tag: git tag wabosign-synced-with-$TAG"
+echo "  4. Push: git push origin master --tags"
+echo "============================================================"