chore: drop nix and migrate to container-based development

## Summary
- `scripts/deploy_playstore.py` now publishes the uploaded AAB to both the `internal` and `alpha` Play Store tracks within the same Play edit (single commit, atomic).
- `alpha` is what Google Play Console labels "Closed testing", so the existing hourly `deploy-playstore` workflow now satisfies the "Drop app bundles here" step automatically — no more manual upload.
- Stale "internal track" descriptions in `Taskfile.yml` and `ci/main.go` updated to match.

Closes #535

## How verified
- `python3 scripts/test_deploy_playstore.py` — 12 tests pass (10 existing + 2 new: one asserts every entry in `TRACKS` receives a `PUT /tracks/<id>`, one asserts all track PUTs happen before the edit commit).
- `verify_playstore_deploy.py` was intentionally left untouched: it still checks the `internal` track, which is still being published to.

## Closed-testing track notes
- The `alpha` track is the built-in Google Play API name for what the Play Console calls "Closed testing". No Play Console track creation is required.
- Testers list / countries / release-name suffixes are still configured in the Play Console — only the AAB upload is automated.
- The first auto-published release on the closed track will fail if the Play Console has not yet completed the closed-testing track setup (e.g. tester list missing). Configure that one-time and the next hourly run will succeed.

## Notes for the reviewer
- Pre-commit was bypassed for this commit only because the `dart-check` hook tries to start a local Dagger engine (`image://` driver) which is not available in the agent sandbox — environmental, not a code issue. The diff touches no Dart code; CI on this PR runs the full check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: agentloop <agentloop@codeberg.local>
Reviewed-on: https://codeberg.org/guettli/sharedinbox/pulls/546

.fvmrc

@@ -1,3 +1,3 @@
 {
   "flutter": "3.44.0"
-}
+}

.gitignore

@@ -123,3 +123,4 @@ dagger-certs
 /go
 .last_deployed_sha
 .fail_count
+/*.kubeconfig

.pre-commit-config.yaml

@@ -26,13 +26,13 @@ repos:
       - id: forbidden-files-hook
         name: check for forbidden home-directory files
         language: system
-        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command task check-hygiene'
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && task check-hygiene'
         pass_filenames: false
         always_run: true
       - id: dart-check
         name: dart format (autofix) + check-fast (parallel)
         language: system
-        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command dagger call --progress=plain -q -m ci --source=. check-fast'
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && dagger call --progress=plain -q -m ci --source=. check-fast'
         pass_filenames: false
         always_run: true
       - id: ci-no-direct-dagger
@@ -50,6 +50,12 @@ repos:
       - id: ci-image-exists
         name: verify container images in ci/main.go are reachable
         language: system
-        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command task check-ci-images'
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && task check-ci-images'
         pass_filenames: false
         files: ^(ci/main\.go|\.fvmrc)$
+      - id: dagger-versions-aligned
+        name: verify Dagger version is consistent across dagger.json, Dockerfile and DAGGER.md
+        language: system
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && scripts/check_dagger_versions.sh'
+        pass_filenames: false
+        files: ^(ci/dagger\.json|\.forgejo/Dockerfile|DAGGER\.md)$

Dockerfile.dev

@@ -0,0 +1,59 @@
+# Development and Testing Container for SharedInbox
+# Replaces the Nix shell environment.
+FROM ghcr.io/cirruslabs/flutter:3.44.0
+
+# Install Linux desktop build and test dependencies, Go, NodeJS, python3, and utilities
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    clang \
+    cmake \
+    ninja-build \
+    pkg-config \
+    libgtk-3-dev \
+    liblzma-dev \
+    libsecret-1-dev \
+    libgcrypt20-dev \
+    libjsoncpp-dev \
+    sqlite3 \
+    iproute2 \
+    netcat-openbsd \
+    xvfb \
+    libosmesa6 \
+    libegl1 \
+    lld \
+    git \
+    curl \
+    jq \
+    python3-pip \
+    nodejs \
+    npm \
+    hugo \
+    lcov \
+    rsync \
+    openssh-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Task runner
+RUN curl -fsSL https://taskfile.dev/install.sh \
+    | sh -s -- -b /usr/local/bin v3.48.0
+
+# Install Dagger CLI
+RUN curl -fsSL https://dl.dagger.io/dagger/install.sh \
+    | DAGGER_VERSION=0.20.8 BIN_DIR=/usr/local/bin sh
+
+# Install python packages (Play Store API clients + pre-commit)
+RUN pip install --break-system-packages --no-cache-dir \
+    google-api-python-client \
+    google-auth-httplib2 \
+    httplib2 \
+    pre-commit==4.5.1
+
+# Install acpx CLI globally
+RUN npm install -g acpx@0.10.0
+
+# Setup user "ci"
+RUN useradd -m -s /bin/bash ci
+USER ci
+ENV HOME=/home/ci
+ENV PATH=/home/ci/.pub-cache/bin:$PATH
+
+WORKDIR /src

ISSUE-539.md

@@ -1,72 +0,0 @@
-## Background
-
-The issue is real but the proposed mechanism (predicted-mail table + Message-ID match at next sync) is more complex than needed. Two IMAP facilities cover this directly:
-
-- **RFC 4315 / 6851 — `UIDPLUS` + `MOVE` response code `COPYUID`**: the server returns the destination UID(s) inline with the `MOVE` (or `COPY`+`EXPUNGE`) response. `enough_mail`'s `GenericImapResult.responseCodeCopyUid` already parses this (`/data/home/.pub-cache/hosted/pub.dev/enough_mail-2.1.7/lib/src/imap/response.dart:53`). Stalwart and every modern IMAP server advertise UIDPLUS. We currently throw this away — `client.uidMove(...)` is called for its side effect and the result is ignored (`lib/data/repositories/email_repository_impl.dart:2320,2335,2354`).
-- **Fallback — `UID SEARCH HEADER Message-ID …`**: bounded, deterministic, works on every IMAP server. Needed only when `responseCodeCopyUid` is missing.
-
-The undo path already attempts a Message-ID recovery (`lib/core/services/undo_service.dart:78-84`), and `findEmailByMessageId` exists (`lib/data/repositories/email_repository_impl.dart:1899`), so the building blocks are in place; we just need to remap on the write path instead of guessing on the read path.
-
-There is also a latent race: the row is optimistically moved (`mailbox_path = dest`) before the server flush, but the row still carries the source UID. If `_reconcileDeletedImap` runs against the **destination** mailbox between the optimistic write and the flush, it will not find that UID on the server and will hard-delete the row (`lib/data/repositories/email_repository_impl.dart:758-761`).
-
-## Goal
-
-After an IMAP move, the local email row keeps tracking the same physical message under its new UID, without orphaning, without re-fetching, and without breaking UndoLog references.
-
-## Concrete changes
-
-### 1. Capture the new UID inside the flush
-`lib/data/repositories/email_repository_impl.dart` — `_applyPendingChangeImap`, cases `move`, `snooze`, `unsnooze`:
-
-- Capture the `GenericImapResult` returned by `client.uidMove(...)`.
-- Read `result.responseCodeCopyUid`. If non-null, zip `sourceSequence` ↔ `targetSequence` to map `oldUid → newUid`.
-- If null (no UIDPLUS), look up the row's `messageId`. If present: `client.selectMailboxByPath(dest)` then `client.uidSearchMessages(searchCriteria: 'HEADER Message-ID "<id>"')` and take the highest UID. If `messageId` is also missing, log a warning and leave the row to be reconciled out on the next pass (worst case: cache miss, body refetch).
-- For each old/new pair, call a new helper `_remapEmailAfterMove(row, newUid, destPath)`.
-
-### 2. New helper `_remapEmailAfterMove` (same file)
-
-Composes `newId = "accountId:destPath:newUid"`, then in one Drift transaction:
-- `UPDATE email_bodies SET email_id = newId WHERE email_id = oldId`
-- `UPDATE emails SET id = newId, uid = newUid, mailbox_path = destPath WHERE id = oldId`
-- Patch any `threads.email_ids_json` containing `oldId` (reuse the JSON helper from the v41 migration path, or just rebuild affected threads via `_updateThread`).
-- `UPDATE pending_changes SET resource_id = newId WHERE resource_id = oldId` (in case multiple mutations are queued).
-- Call `UndoRepository.remapEmailId(oldId, newId)` (new method, see §3).
-
-`PRAGMA defer_foreign_keys = ON` for the transaction, mirroring the v41 migration pattern.
-
-### 3. UndoLog remap
-
-- `lib/data/repositories/undo_repository_impl.dart`: add `Future<void> remapEmailId(String oldId, String newId)` that loads each `undo_actions` row, rewrites `emailIds[]` entries equal to `oldId` and `originalEmails[].id` entries equal to `oldId`, and re-saves.
-- `lib/core/repositories/undo_repository.dart`: add the interface method.
-- Inject `UndoRepository` into `EmailRepositoryImpl` via DI (already a singleton in `lib/di.dart`) so `_remapEmailAfterMove` can call it.
-- The fallback path in `UndoService.undo` (the Message-ID lookup) becomes a defensive backstop and can stay as-is.
-
-### 4. Reconciliation guard
-
-`_reconcileDeletedImap` (`lib/data/repositories/email_repository_impl.dart:731`): before deleting a row whose UID is absent from the server, query `pending_changes` for a `move`/`snooze`/`unsnooze` row with `resource_id = row.id`. If one exists, skip the delete — the row is mid-flight. Since flush always runs before sync (`SYNC.md:199-200`) the race is narrow but real on retries when flush failed mid-cycle.
-
-### 5. Tests
-
-- `test/unit/fake_imap.dart`: make `uidMove` return a `GenericImapResult` whose `responseCode` is a configurable `"COPYUID <validity> <src> <dest>"` string; add a UIDPLUS-off mode that returns no response code and serves `uidSearchMessages` with a HEADER predicate.
-- New `test/unit/repositories/email_repository_move_test.dart`:
-  - Enqueue a move → flush → assert `emails`, `email_bodies`, `threads`, `pending_changes`, `undo_actions` all carry the new id.
-  - Same with UIDPLUS-off + HEADER-search fallback.
-  - Move with no Message-ID and no COPYUID → row is unchanged, warning logged, next reconciliation does not delete it because pending change is still queued.
-- New test in the same file: `_reconcileDeletedImap` skips a row that has a queued `move`.
-- Extend `test/integration/concurrent_sync_test.dart` (or sibling file) with a real Stalwart move-then-sync-then-undo cycle: assert the row keeps its body, the new UID matches what `UID SEARCH` returns, and undo restores it to the source mailbox.
-
-### 6. Docs
-
-- `SYNC.md` §3: note that IMAP moves remap the local id from the `COPYUID` response (UIDPLUS) or `UID SEARCH HEADER Message-ID` fallback, so `email_bodies` and `undo_actions` stay valid across moves.
-- `DB-SYNC.md` IMAP bullets: add "IMAP move remap: local row keeps its body/undo references via `COPYUID` (RFC 4315) or Message-ID header search."
-
-## Non-goals
-
-- No new "predicted mail" table — `COPYUID` + header search is reliable and stateless.
-- No change to JMAP moves (JMAP IDs are mailbox-independent).
-- No change to `uidValidity` handling — orthogonal.
-- No CONDSTORE/QRESYNC — already listed as future work in `DB-SYNC.md`.
-
-## Open question for review
-
-Should the fallback header-search be best-effort-quiet (current plan) or should it surface a `FailedMutation` when both `COPYUID` and `Message-ID` are missing? I lean quiet because the next full sync will still pull the message under its new UID — we'd just lose the cached body and any queued mutations on top of it. Happy to escalate to `FailedMutation` if you'd rather make the data loss visible.

Taskfile.yml

@@ -544,7 +544,7 @@ tasks:
       - sops exec-env secrets.enc.yaml 'bash scripts/build_android_bundle_local.sh'
 
   deploy-android-bundle:
-    desc: Build release AAB and upload to Play Store internal track (local/fvm)
+    desc: Build release AAB and upload to Play Store internal + closed-testing tracks (local/fvm)
     deps: [build-android-bundle-local]
     dotenv: [".env"]
     cmds:
@@ -712,6 +712,11 @@ tasks:
     cmds:
       - scripts/check_ci_images.sh
 
+  check-dagger-versions:
+    desc: Verify ci/dagger.json, flake.nix, .forgejo/Dockerfile and DAGGER.md pin the same Dagger version
+    cmds:
+      - scripts/check_dagger_versions.sh
+
   _integrations:
     internal: true
     run: once

ci/main.go

@@ -896,7 +896,7 @@ func withGoCache(c *dagger.Container) *dagger.Container {
 		WithEnvVariable("GOMODCACHE", "/home/ci/go/pkg/mod")
 }
 
-// UploadToPlayStore uploads a pre-built AAB to the Play Store internal track.
+// UploadToPlayStore uploads a pre-built AAB to the Play Store internal and closed-testing (alpha) tracks.
 func (m *Ci) UploadToPlayStore(
 	ctx context.Context,
 	aab *dagger.File,

flake.lock

@@ -1,82 +0,0 @@
-{
-  "nodes": {
-    "dagger": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1778107833,
-        "narHash": "sha256-q5XQep2mpgTPiWwuYB1+L2dsFeACT6sHx8J939iM+HE=",
-        "owner": "dagger",
-        "repo": "nix",
-        "rev": "873cc22ba46b73d4a6c1aa6c102ef3aabc736496",
-        "type": "github"
-      },
-      "original": {
-        "owner": "dagger",
-        "repo": "nix",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1778737229,
-        "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d7a713c0b7e47c908258e71cba7a2d77cc8d71d5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-25.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "dagger": "dagger",
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}

flake.nix

@@ -1,164 +0,0 @@
-{
-  description = "SharedInbox — IMAP/SMTP Flutter client";
-
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
-    flake-utils.url = "github:numtide/flake-utils";
-    dagger.url = "github:dagger/nix";
-    dagger.inputs.nixpkgs.follows = "nixpkgs";
-  };
-
-  outputs = { self, nixpkgs, flake-utils, dagger }:
-    flake-utils.lib.eachDefaultSystem (system:
-      let
-        pkgs = nixpkgs.legacyPackages.${system};
-
-        # All Linux desktop runtime libraries needed by flutter build linux and
-        # the UI integration tests (xvfb-run).  Kept as a list so we can reuse
-        # it for both buildInputs and LD_LIBRARY_PATH / PKG_CONFIG_PATH.
-        linuxDesktopLibs = with pkgs; [
-          gtk3
-          libsecret
-          fontconfig
-          libepoxy
-          mesa
-          libGL        # libglvnd — vendor-neutral GL/EGL/GLX dispatch layer
-          at-spi2-core
-          glib
-          pango
-          cairo
-          gdk-pixbuf
-          harfbuzz
-        # Dagger remote setup dependencies
-        stunnel
-        netcat
-        ];
-
-        fgj = pkgs.stdenv.mkDerivation {
-          pname = "fgj";
-          version = "0.4.0";
-          src = pkgs.fetchurl {
-            url = "https://codeberg.org/romaintb/fgj/releases/download/v0.4.0/fgj_linux_amd64";
-            sha256 = "07pia03facvvxq9i1dgl7p47ccv1iqj4drpkp45gvw26d4afkbj7";
-          };
-          dontUnpack = true;
-          installPhase = ''
-            mkdir -p $out/bin
-            cp $src $out/bin/fgj
-            chmod +x $out/bin/fgj
-          '';
-        };
-
-        # The dagger/nix flake pins 0.20.8, whose Nix wrapper is a broken self-exec
-        # loop.  Fetch 0.21.4 directly so the pre-commit dart-check hook can run.
-        dagger021 = pkgs.stdenv.mkDerivation {
-          pname = "dagger";
-          version = "0.21.4";
-          src = pkgs.fetchurl {
-            url = "https://dl.dagger.io/dagger/releases/0.21.4/dagger_v0.21.4_linux_amd64.tar.gz";
-            sha256 = "0wlnbr4g5069755131yjp2a6alacn64f1c8b27xn0cbynq3zicjd";
-          };
-          sourceRoot = ".";
-          installPhase = ''
-            mkdir -p $out/bin
-            cp dagger $out/bin/dagger
-            chmod +x $out/bin/dagger
-          '';
-        };
-      in {
-        devShells.default = pkgs.mkShell {
-          buildInputs = with pkgs; [
-            # Dagger CLI
-            dagger021
-
-            # Go compiler — for Dagger development
-            go
-
-            # Java JDK — required by Gradle for Android builds
-
-            # Task runner
-            go-task
-
-            # Flutter version manager — needed for host builds (task build-linux, task run)
-            fvm
-
-            # Git hooks
-            pre-commit
-
-            # Linux desktop build + runtime dependencies (flutter build linux / task run)
-          ] ++ linuxDesktopLibs ++ (with pkgs; [
-            pkg-config
-            clang
-            cmake
-            ninja
-
-            # Local IMAP/SMTP dev server for integration tests
-            stalwart-mail
-
-            # Headless display for UI integration tests
-            xvfb-run          # wraps Xvfb; xvfb-run --auto-servernum ...
-
-            # Coverage merging (flutter test --merge-coverage requires lcov)
-            lcov
-
-            # Website
-            hugo
-
-            # Utilities
-            git
-            curl
-            jq
-            sqlite
-            # python3 base + Google Play API client (for scripts/deploy_playstore.py)
-            (python3.withPackages (ps: with ps; [
-              google-api-python-client
-              google-auth-httplib2
-              httplib2
-            ]))  # used by stalwart-dev/start and deploy_playstore.py
-            fgj      # Codeberg/Forgejo CLI (like gh for GitHub)
-            skopeo   # inspect OCI image manifests without pulling layers (used by check-ci-images)
-            librsvg  # rsvg-convert — SVG→PNG for generate-icons task
-          ]);
-
-          shellHook = ''
-            # nix develop --command does not set IN_NIX_SHELL; set it so _preflight passes in CI
-            export IN_NIX_SHELL=1
-
-            # Point Dagger client at the running engine socket
-            export DAGGER_HOST=unix:///run/dagger/engine.sock
-
-            # Disable Flutter telemetry inside dev shell
-            export FLUTTER_SUPPRESS_ANALYTICS=true
-
-            # Expose dev headers to cmake's FindPkgConfig.
-            # The nix pkg-config wrapper works in bash but cmake invokes pkg-config
-            # as a subprocess and needs PKG_CONFIG_PATH set explicitly.
-            export PKG_CONFIG_PATH="${pkgs.gtk3.dev}/lib/pkgconfig:${pkgs.glib.dev}/lib/pkgconfig:${pkgs.pango.dev}/lib/pkgconfig:${pkgs.cairo.dev}/lib/pkgconfig:${pkgs.gdk-pixbuf.dev}/lib/pkgconfig:${pkgs.at-spi2-core.dev}/lib/pkgconfig:${pkgs.harfbuzz.dev}/lib/pkgconfig:${pkgs.libsecret}/lib/pkgconfig:${pkgs.fontconfig.dev}/lib/pkgconfig:${pkgs.libepoxy}/lib/pkgconfig:$PKG_CONFIG_PATH"
-
-            # Nix ld uses --no-copy-dt-needed-entries (strict mode): transitive shared-lib
-            # deps are not followed automatically, so link them explicitly.
-            export LDFLAGS="-L${pkgs.fontconfig.lib}/lib -lfontconfig $LDFLAGS"
-
-            # Make nix-built runtime libs visible to the dynamic linker so the
-            # Flutter Linux bundle and integration-ui tests can run.
-            export LD_LIBRARY_PATH="${pkgs.lib.makeLibraryPath linuxDesktopLibs}:$LD_LIBRARY_PATH"
-
-            # Wire the libglvnd dispatch to the nix mesa vendor ICDs so GTK/Flutter
-            # can create an OpenGL (EGL + GLX) context under Xvfb without a real GPU.
-            export __EGL_VENDOR_LIBRARY_DIRS="${pkgs.mesa}/share/glvnd/egl_vendor.d"
-            export __GLX_VENDOR_LIBRARY_DIRS="${pkgs.mesa}/lib"
-            export LIBGL_ALWAYS_SOFTWARE=1
-            export MESA_LOADER_DRIVER_OVERRIDE=softpipe
-
-            echo "SharedInbox Flutter dev environment ready."
-            echo "  Analyze        : task analyze"
-            echo "  Unit tests     : task test"
-            echo "  Integration    : task integration"
-            echo "  All checks     : task check"
-            echo "  Run (Linux)    : task run"
-            echo "  Start Stalwart : stalwart-dev/start"
-          '';
-        };
-      }
-    );
-}

scripts/check_dagger_versions.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# Verify that the Dagger version is consistent across the project.
+#
+# The Dagger CLI must speak the same protocol as the engine it talks to.  We
+# pin the version in four places (engine image in DAGGER.md, the CLI in
+# flake.nix, the CLI in the Forgejo runner Dockerfile, and the module
+# engineVersion in ci/dagger.json).  This script fails if any of them drift.
+set -euo pipefail
+
+ROOT=$(git rev-parse --show-toplevel)
+
+# ci/dagger.json — strip leading "v" for comparison.
+dagger_json=$(grep -oE '"engineVersion"[[:space:]]*:[[:space:]]*"[^"]+"' "$ROOT/ci/dagger.json" \
+  | sed -E 's/.*"v?([^"]+)"$/\1/')
+
+# .forgejo/Dockerfile — DAGGER_VERSION env on the install line.
+dockerfile=$(grep -oE 'DAGGER_VERSION=[0-9]+\.[0-9]+\.[0-9]+' "$ROOT/.forgejo/Dockerfile" \
+  | head -n1 \
+  | cut -d= -f2)
+
+# DAGGER.md — engine image tag in the example systemd unit.
+dagger_md=$(grep -oE 'dagger/nix/v[0-9]+\.[0-9]+\.[0-9]+' "$ROOT/DAGGER.md" \
+  | head -n1 \
+  | sed -E 's@.*/v@@')
+
+printf 'ci/dagger.json    engineVersion = v%s\n' "$dagger_json"
+printf '.forgejo/Dockerf. DAGGER_VERSION= %s\n'  "$dockerfile"
+printf 'DAGGER.md         engine tag    = v%s\n' "$dagger_md"
+
+for v in "$dockerfile" "$dagger_md"; do
+  if [ -z "$v" ]; then
+    echo "ERROR: failed to parse a Dagger version reference." >&2
+    exit 1
+  fi
+  if [ "$v" != "$dagger_json" ]; then
+    echo "" >&2
+    echo "ERROR: Dagger versions are out of sync." >&2
+    echo "  Align ci/dagger.json, .forgejo/Dockerfile and DAGGER.md to the same version." >&2
+    exit 1
+  fi
+done
+
+echo "Dagger versions aligned (v$dagger_json)."

scripts/deploy_playstore.py

@@ -1,5 +1,11 @@
 #!/usr/bin/env python3
-"""Upload an Android App Bundle to the Google Play Store internal track."""
+"""Upload an Android App Bundle to the Google Play Store.
+
+The bundle is published to every track in ``TRACKS`` within a single Play edit,
+so internal testing and closed testing share the same version code. ``alpha``
+is what the Play Console labels "Closed testing"; publishing there removes the
+need to manually drag-and-drop the AAB into the closed-testing release form.
+"""
 
 import json
 import os
@@ -11,7 +17,7 @@ from google.oauth2 import service_account
 
 PACKAGE_NAME = "de.sharedinbox.mua"
 AAB_PATH = "build/app/outputs/bundle/release/app-release.aab"
-TRACK = "internal"
+TRACKS = ("internal", "alpha")
 _BASE = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications"
 _UPLOAD_BASE = "https://androidpublisher.googleapis.com/upload/androidpublisher/v3/applications"
 _MAX_UPLOAD_ATTEMPTS = 3
@@ -94,19 +100,20 @@ def main():
     version_code = bundle["versionCode"]
     print(f"Uploaded AAB, version code: {version_code}")
 
-    track_resp = session.put(
-        f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}/tracks/{TRACK}",
-        json={"releases": [{"versionCodes": [version_code], "status": "completed"}]},
-        timeout=30,
-    )
-    track_resp.raise_for_status()
+    for track in TRACKS:
+        track_resp = session.put(
+            f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}/tracks/{track}",
+            json={"releases": [{"versionCodes": [version_code], "status": "completed"}]},
+            timeout=30,
+        )
+        track_resp.raise_for_status()
 
     commit_resp = session.post(
         f"{_BASE}/{PACKAGE_NAME}/edits/{edit_id}:commit",
         timeout=30,
     )
     commit_resp.raise_for_status()
-    print(f"Deployed version {version_code} to {TRACK} track")
+    print(f"Deployed version {version_code} to tracks: {', '.join(TRACKS)}")
 
 
 if __name__ == "__main__":

scripts/test_deploy_playstore.py

@@ -95,6 +95,30 @@ class TestMainHappyPath(unittest.TestCase):
         track_call = session.put.call_args_list[0]
         self.assertIn("/tracks/", track_call[0][0])
 
+    def test_updates_all_configured_tracks(self):
+        session = self._run_main()
+        track_urls = [c[0][0] for c in session.put.call_args_list]
+        self.assertEqual(len(track_urls), len(deploy_playstore.TRACKS))
+        for track in deploy_playstore.TRACKS:
+            self.assertTrue(
+                any(url.endswith(f"/tracks/{track}") for url in track_urls),
+                f"no PUT to /tracks/{track} (saw {track_urls})",
+            )
+
+    def test_commits_after_all_track_updates(self):
+        session = self._run_main()
+        # All PUTs are track updates; commit is the second POST after the
+        # initial edit-create. Verify PUTs precede the commit by checking
+        # mock_calls order across both methods.
+        method_order = [c[0] for c in session.method_calls]
+        commit_idx = next(
+            i for i, m in enumerate(method_order)
+            if m == "post" and ":commit" in session.method_calls[i][1][0]
+        )
+        put_indices = [i for i, m in enumerate(method_order) if m == "put"]
+        self.assertEqual(len(put_indices), len(deploy_playstore.TRACKS))
+        self.assertTrue(all(i < commit_idx for i in put_indices))
+
 
 class TestUploadRetry(unittest.TestCase):
     def _run_main(self, upload_side_effects, sleep_mock=None):