From a639d8051053d66af1e03d8e70955ef8bc74cb61 Mon Sep 17 00:00:00 2001
From: mohitrajain <mohit.rajain@wire.com>
Date: Tue, 2 Jun 2026 16:57:14 +0200
Subject: [PATCH 1/4] fix: WPB-25755 bring changes from #876 for release-5.27
 and rebased from master

---
 changelog.d/3-deploy-builds/wire-server-5.27 |  1 +
 offline/tasks/proc_pull_charts.sh            |  2 +-
 values/wire-server/demo-secrets.example.yaml |  2 +-
 values/wire-server/demo-values.example.yaml  | 23 +++++++++++++++-----
 values/wire-server/prod-values.example.yaml  | 23 +++++++++++++++-----
 5 files changed, 37 insertions(+), 14 deletions(-)
 create mode 100644 changelog.d/3-deploy-builds/wire-server-5.27

diff --git a/changelog.d/3-deploy-builds/wire-server-5.27 b/changelog.d/3-deploy-builds/wire-server-5.27
new file mode 100644
index 000000000..eef103064
--- /dev/null
+++ b/changelog.d/3-deploy-builds/wire-server-5.27
@@ -0,0 +1 @@
+Added: update prod and demo example values/secrets for wire-server 5.27, aligning PostgreSQL config, postgresMigration (conversation, teamFeatures), rabbitmq, and mlsPrivateKeys across all services
diff --git a/offline/tasks/proc_pull_charts.sh b/offline/tasks/proc_pull_charts.sh
index 20b1e7fb1..c0ab02834 100755
--- a/offline/tasks/proc_pull_charts.sh
+++ b/offline/tasks/proc_pull_charts.sh
@@ -84,5 +84,5 @@ pull_charts() {
 
 }
 
-wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/f941851bee7666441a23ba782766cd8d7de5043e/build.json"
+wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/ecd204f07540e79fc1febe2483a42111129a5d0d/build.json"
 wire_build_chart_release "$wire_build" | pull_charts
diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml
index 0780cc146..731de571b 100644
--- a/values/wire-server/demo-secrets.example.yaml
+++ b/values/wire-server/demo-secrets.example.yaml
@@ -121,7 +121,7 @@ nginz:
     basicAuth: "<username>:<htpasswd-hashed-password>"
 
 
-# RabbitMQ credentials for background-worker.
+# RabbitMQ and PostgreSQL credentials for background-worker.
 background-worker:
   secrets:
     pgPassword: verysecurepassword
diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml
index f12567827..252878384 100644
--- a/values/wire-server/demo-values.example.yaml
+++ b/values/wire-server/demo-values.example.yaml
@@ -36,6 +36,9 @@ brig:
       port: "5432"
       user: wire-server
       dbname: wire-server
+    # See pool size calculation guide: https://docs.wire.com/latest/how-to/administrate/postgresql.html
+    postgresqlPool:
+      size: 10 # adjust pool size as needed based on expected load and available resources
     useSES: false
     # Set to false if you want to hand out DynamoDB to store prekeys
     randomPrekeys: true
@@ -183,10 +186,15 @@ galley:
       port: "5432"
       user: wire-server
       dbname: wire-server
+    # See pool size calculation guide: https://docs.wire.com/latest/how-to/administrate/postgresql.html
+    postgresqlPool:
+      size: 10 # adjust pool size as needed based on expected load and available resources
     # Explicitly set postgresMigration to cassandra for fresh deployments.
-    # This controls whether galley reads conversations from Cassandra or PostgreSQL.
+    # This controls whether galley reads conversations/teamFeatures from Cassandra or PostgreSQL.
     postgresMigration:
       conversation: cassandra
+      conversationCodes: cassandra
+      teamFeatures: cassandra
     enableFederation: false # Enable to use federation
     settings:
       # prefix URI used when inviting users to a conversation by link
@@ -366,13 +374,16 @@ background-worker:
       port: "5432"
       user: wire-server
       dbname: wire-server
-    # IMPORTANT: At Chart 5.25.0, the background-worker Helm chart incorrectly defaults
-    # postgresMigration.conversation to "postgresql" instead of "cassandra".
-    # This MUST be explicitly set to "cassandra" unless you have already migrated
-    # conversations to PostgreSQL. Without this override, User Group to Channel sync
-    # jobs will silently skip member synchronization.
+    # See pool size calculation guide: https://docs.wire.com/latest/how-to/administrate/postgresql.html
+    postgresqlPool:
+      size: 5 # Background worker has fewer connections to DB, so smaller pool size is fine
     postgresMigration:
       conversation: cassandra
+      conversationCodes: cassandra
+      teamFeatures: cassandra
+    migrateConversations: false
+    migrateConversationCodes: false
+    migrateTeamFeatures: false
     # Enable for federation
     enableFederation: false
   metrics:
diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml
index 31932fbe5..5ab911af7 100644
--- a/values/wire-server/prod-values.example.yaml
+++ b/values/wire-server/prod-values.example.yaml
@@ -36,6 +36,9 @@ brig:
       port: "5432"
       user: wire-server
       dbname: wire-server
+    # See pool size calculation guide: https://docs.wire.com/latest/how-to/administrate/postgresql.html
+    postgresqlPool:
+      size: 10 # adjust pool size as needed based on expected load and available resources
     useSES: false
     # Set to false if you want to hand out DynamoDB to store prekeys
     randomPrekeys: true
@@ -183,10 +186,15 @@ galley:
       port: "5432"
       user: wire-server
       dbname: wire-server
+    # See pool size calculation guide: https://docs.wire.com/latest/how-to/administrate/postgresql.html
+    postgresqlPool:
+      size: 10 # adjust pool size as needed based on expected load and available resources
     # Explicitly set postgresMigration to cassandra for fresh deployments.
-    # This controls whether galley reads conversations from Cassandra or PostgreSQL.
+    # This controls whether galley reads conversations/teamFeatures from Cassandra or PostgreSQL.
     postgresMigration:
       conversation: cassandra
+      conversationCodes: cassandra
+      teamFeatures: cassandra
     enableFederation: false # Enable to use federation
     settings:
       # prefix URI used when inviting users to a conversation by link
@@ -366,13 +374,16 @@ background-worker:
       port: "5432"
       user: wire-server
       dbname: wire-server
-    # IMPORTANT: At Chart 5.25.0, the background-worker Helm chart incorrectly defaults
-    # postgresMigration.conversation to "postgresql" instead of "cassandra".
-    # This MUST be explicitly set to "cassandra" unless you have already migrated
-    # conversations to PostgreSQL. Without this override, User Group to Channel sync
-    # jobs will silently skip member synchronization.
+    # See pool size calculation guide: https://docs.wire.com/latest/how-to/administrate/postgresql.html
+    postgresqlPool:
+      size: 5 # Background worker has fewer connections to DB, so smaller pool size is fine
     postgresMigration:
       conversation: cassandra
+      conversationCodes: cassandra
+      teamFeatures: cassandra
+    migrateConversations: false
+    migrateConversationCodes: false
+    migrateTeamFeatures: false
     # Enable for federation
     enableFederation: false
   metrics:

From ba20d77c623b25eada96bd9cbfac494230329f0c Mon Sep 17 00:00:00 2001
From: mohitrajain <mohit.rajain@wire.com>
Date: Wed, 3 Jun 2026 17:26:33 +0200
Subject: [PATCH 2/4] fix: WPB-25755 update default artifact hashes for
 wiab-stag and dev and update changelog for release 5.27

---
 CHANGELOG.md                                 | 5 +++++
 ansible/inventory/demo/host.yml              | 2 +-
 ansible/inventory/demo/wiab-staging.yml      | 2 +-
 changelog.d/3-deploy-builds/wire-server-5.27 | 1 -
 4 files changed, 7 insertions(+), 3 deletions(-)
 delete mode 100644 changelog.d/3-deploy-builds/wire-server-5.27

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 972567033..ede600d1d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,11 @@
 ## Breaking changes
 
 -->
+# Relase 5.27
+
+## Release notes
+
+* Added: update prod and demo example values/secrets for wire-server 5.27, aligning PostgreSQL config, postgresMigration (conversation, teamFeatures), rabbitmq, and mlsPrivateKeys across all services
 
 # Relase 5.25 R1
 
diff --git a/ansible/inventory/demo/host.yml b/ansible/inventory/demo/host.yml
index e98fc4d30..0e4a23614 100644
--- a/ansible/inventory/demo/host.yml
+++ b/ansible/inventory/demo/host.yml
@@ -18,7 +18,7 @@ wiab:
     wire_ip: ""
 
     # artifact_hash
-    artifact_hash: "2dd562a37d449eb88eb1f77dcad5c9153987af5f"
+    artifact_hash: "54c1c37d9b5d963d581d43e38c2c0b93c4c086d9"
   
     # docker vars
     docker_ce_version: "5:28.1.1-1~ubuntu.24.04~noble"
diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml
index 66f2d97be..30af930c8 100644
--- a/ansible/inventory/demo/wiab-staging.yml
+++ b/ansible/inventory/demo/wiab-staging.yml
@@ -6,6 +6,6 @@ wiab-staging:
       ansible_user: 'demo'
       ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
   vars:
-    artifact_hash: 2dd562a37d449eb88eb1f77dcad5c9153987af5f
+    artifact_hash: 54c1c37d9b5d963d581d43e38c2c0b93c4c086d9
     # when enabled, disable WAN SNAT/masquerading for VMs on the private network
     private_deployment: true
diff --git a/changelog.d/3-deploy-builds/wire-server-5.27 b/changelog.d/3-deploy-builds/wire-server-5.27
deleted file mode 100644
index eef103064..000000000
--- a/changelog.d/3-deploy-builds/wire-server-5.27
+++ /dev/null
@@ -1 +0,0 @@
-Added: update prod and demo example values/secrets for wire-server 5.27, aligning PostgreSQL config, postgresMigration (conversation, teamFeatures), rabbitmq, and mlsPrivateKeys across all services

From 9b351ff9ba67f10271def0a95a7a8f9a6e1b63c9 Mon Sep 17 00:00:00 2001
From: mohitrajain <mohit.rajain@wire.com>
Date: Thu, 4 Jun 2026 22:24:40 +0200
Subject: [PATCH 3/4] fix: WPB-25755 allow for no change detection in
 changelog.d directory if file addition and removal is part of the same PR

---
 .github/workflows/changelog-verify.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/changelog-verify.yml b/.github/workflows/changelog-verify.yml
index 04e10e473..a3e8ce3a6 100644
--- a/.github/workflows/changelog-verify.yml
+++ b/.github/workflows/changelog-verify.yml
@@ -65,8 +65,12 @@ jobs:
           ALLOW_RELEASE_CLEANUP=false
 
           if [ -z "$CHANGED_FILES" ]; then
-            if [ -n "$DELETED_FILES" ] && [ -n "$CHANGELOG_MODIFIED" ]; then
-              echo "No new or modified changelog.d/ entries found, but CHANGELOG.md changed, so this release cleanup is allowed."
+            if [ -n "$CHANGELOG_MODIFIED" ]; then
+              if [ -n "$DELETED_FILES" ]; then
+                echo "Release detected via CHANGELOG.md update; deleted changelog.d/ entries are allowed."
+              else
+                echo "Release detected via CHANGELOG.md update; no changelog.d/ deletions found in this compare range."
+              fi
               ALLOW_RELEASE_CLEANUP=true
             else
               echo "No files changed in changelog.d/ for this ${GITHUB_EVENT_NAME:-event}."

From 516326c370bd8afe07888a2834ba37e3aee5bc5f Mon Sep 17 00:00:00 2001
From: mohitrajain <mohit.rajain@wire.com>
Date: Fri, 5 Jun 2026 16:09:31 +0200
Subject: [PATCH 4/4] fix: WPB-25755 update the artifact for 5.27 based on main
 branch

---
 offline/tasks/proc_pull_charts.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/offline/tasks/proc_pull_charts.sh b/offline/tasks/proc_pull_charts.sh
index c0ab02834..ee3c69bf2 100755
--- a/offline/tasks/proc_pull_charts.sh
+++ b/offline/tasks/proc_pull_charts.sh
@@ -84,5 +84,5 @@ pull_charts() {
 
 }
 
-wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/ecd204f07540e79fc1febe2483a42111129a5d0d/build.json"
+wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/20fc45b2199c71c22b94371b0c5a1697b1b952c6/build.json"
 wire_build_chart_release "$wire_build" | pull_charts