fix(sidebar): set helper anchor color to match the other items [C9S-47] (#2058 )

fix(kube/app): enable edit button for regular apps [BE-12690] (#2039 )
feat(policies): banner and confirmation on change policy [C9S-20] (#1988 )
2026-03-16 15:50:59 +13:00 · 2026-03-15 11:22:09 +02:00 · 2026-03-13 14:11:53 +13:00 · 2026-03-13 11:34:28 +13:00 · 2026-03-13 08:30:45 +13:00 · 2026-03-12 12:30:40 +13:00
1155 changed files with 55248 additions and 29986 deletions
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -17,7 +17,7 @@ plugins:
  - import

 parserOptions:
-  ecmaVersion: 2018
+  ecmaVersion: latest
  sourceType: module
  project: './tsconfig.json'
  ecmaFeatures:
@@ -114,7 +114,13 @@ overrides:
      '@typescript-eslint/explicit-module-boundary-types': off
      '@typescript-eslint/no-unused-vars': 'error'
      '@typescript-eslint/no-explicit-any': 'error'
-      'jsx-a11y/label-has-associated-control': ['error', { 'assert': 'either', controlComponents: ['Input', 'Checkbox'] }]
+      'jsx-a11y/label-has-associated-control':
+        - error
+        - assert: either
+          controlComponents:
+            - Input
+            - Checkbox
+      'jsx-a11y/control-has-associated-label': off
      'react/function-component-definition': ['error', { 'namedComponents': 'function-declaration' }]
      'react/jsx-no-bind': off
      'no-await-in-loop': 'off'
@@ -133,15 +139,19 @@ overrides:
          'react/jsx-props-no-spreading': off
  - files:
      - app/**/*.test.*
+    plugins:
+      - '@vitest'
    extends:
-      - 'plugin:vitest/recommended'
+      - 'plugin:@vitest/legacy-recommended'
    env:
-      'vitest/env': true
+      '@vitest/env': true
    rules:
      'react/jsx-no-constructed-context-values': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
+      '@vitest/no-conditional-expect': warn
+      'max-classes-per-file': off
  - files:
      - app/**/*.stories.*
    rules:
@@ -149,3 +159,4 @@ overrides:
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
+      'storybook/no-renderer-packages': off
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -22,7 +22,7 @@ body:
      options:
        - label: Yes, I've searched similar issues on [GitHub](https://github.com/portainer/portainer/issues).
          required: true
-        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io) or [knowledge base](https://portal.portainer.io/knowledge).
+        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io).
          required: true

  - type: markdown
@@ -94,8 +94,16 @@ body:
      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
+        - '2.39.0'
+        - '2.38.1'
+        - '2.38.0'
+        - '2.37.0'
+        - '2.36.0'
        - '2.35.0'
        - '2.34.0'
+        - '2.33.7'
+        - '2.33.6'
+        - '2.33.5'
        - '2.33.4'
        - '2.33.3'
        - '2.33.2'
@@ -135,8 +143,6 @@ body:
        - '2.21.4'
        - '2.21.3'
        - '2.21.2'
-        - '2.21.1'
-        - '2.21.0'
    validations:
      required: true

--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@ api/docs
 .env
 go.work.sum

+.vitest
+
--- a/.golangci-forward.yaml
+++ b/.golangci-forward.yaml
@@ -6,7 +6,7 @@ linters:
  settings:
    forbidigo:
      forbid:
-        - pattern: ^dataservices.DataStore.(EdgeGroup|EdgeJob|EdgeStack|EndpointRelation|Endpoint|GitCredential|Registry|ResourceControl|Role|Settings|Snapshot|Stack|Tag|User)$
+        - pattern: ^dataservices.DataStore.(EdgeGroup|EdgeJob|EdgeStack|EndpointRelation|Endpoint|GitCredential|Registry|ResourceControl|Role|Settings|Snapshot|SSLSettings|Stack|Tag|User)$
          msg: Use a transaction instead
      analyze-types: true
  exclusions:
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,10 +1,14 @@
 version: "2"
+
+run:
+  allow-parallel-runners: true
 linters:
  default: none
  enable:
    - bodyclose
    - copyloopvar
    - depguard
+    - errcheck
    - errorlint
    - forbidigo
    - govet
@@ -17,8 +21,14 @@ linters:
    - durationcheck
    - errorlint
    - govet
+    - usetesting
    - zerologlint
    - testifylint
+    - modernize
+    - unconvert
+    - unused
+    - zerologlint
+    - exptostd
  settings:
    staticcheck:
      checks: ["all", "-ST1003", "-ST1005", "-ST1016", "-SA1019", "-QF1003"]
@@ -42,6 +52,30 @@ linters:
              desc: golang.org/x/crypto is not allowed because of FIPS mode
            - pkg: github.com/ProtonMail/go-crypto/openpgp
              desc: github.com/ProtonMail/go-crypto/openpgp is not allowed because of FIPS mode
+            - pkg: github.com/cosi-project/runtime
+              desc: github.com/cosi-project/runtime is not allowed because of FIPS mode
+            - pkg: gopkg.in/yaml.v2
+              desc: use go.yaml.in/yaml/v3 instead
+            - pkg: gopkg.in/yaml.v3
+              desc: use go.yaml.in/yaml/v3 instead
+            - pkg: github.com/golang-jwt/jwt/v4
+              desc: use github.com/golang-jwt/jwt/v5 instead
+            - pkg: github.com/mitchellh/mapstructure
+              desc: use github.com/go-viper/mapstructure/v2 instead
+            - pkg: gopkg.in/alecthomas/kingpin.v2
+              desc: use github.com/alecthomas/kingpin/v2 instead
+            - pkg: github.com/jcmturner/gokrb5$
+              desc: use github.com/jcmturner/gokrb5/v8 instead
+            - pkg: github.com/gofrs/uuid
+              desc: use github.com/google/uuid
+            - pkg: github.com/Masterminds/semver$
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/blang/semver
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/coreos/go-semver
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/hashicorp/go-version
+              desc: use github.com/Masterminds/semver/v3
    forbidigo:
      forbid:
        - pattern: ^tls\.Config$
@@ -59,12 +93,13 @@ linters:
      - comments
      - common-false-positives
      - legacy
-      - std-error-handling
    paths:
      - third_party$
      - builtin$
      - examples$
 formatters:
+  enable:
+    - gofmt
  exclusions:
    generated: lax
    paths:
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

-cd $(dirname -- "$0") && yarn lint-staged
+cd $(dirname -- "$0") && pnpm lint-staged
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,2 +1,3 @@
 dist
-api/datastore/test_data
+api/datastore/test_data
+coverage
--- a/.storybook/main.ts
+++ b/.storybook/main.ts
@@ -9,20 +9,38 @@ const config: StorybookConfig = {
  addons: [
    '@storybook/addon-links',
    '@storybook/addon-essentials',
+    '@storybook/addon-webpack5-compiler-swc',
+    '@chromatic-com/storybook',
    {
-      name: '@storybook/addon-styling',
+      name: '@storybook/addon-styling-webpack',
+
      options: {
-        cssLoaderOptions: {
-          importLoaders: 1,
-          modules: {
-            localIdentName: '[path][name]__[local]',
-            auto: true,
-            exportLocalsConvention: 'camelCaseOnly',
+        rules: [
+          {
+            test: /\.css$/,
+            sideEffects: true,
+            use: [
+              require.resolve('style-loader'),
+              {
+                loader: require.resolve('css-loader'),
+                options: {
+                  importLoaders: 1,
+                  modules: {
+                    localIdentName: '[path][name]__[local]',
+                    auto: true,
+                    exportLocalsConvention: 'camelCaseOnly',
+                  },
+                },
+              },
+              {
+                loader: require.resolve('postcss-loader'),
+                options: {
+                  implementation: postcss,
+                },
+              },
+            ],
          },
-        },
-        postCss: {
-          implementation: postcss,
-        },
+        ],
      },
    },
  ],
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@@ -1,9 +1,9 @@
 import '../app/assets/css';
-import React from 'react';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
 import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
 import { handlers } from '../app/setup-tests/server-handlers';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { Preview } from '@storybook/react';

 initMSW(
  {
@@ -21,31 +21,30 @@ initMSW(
  handlers
 );

-export const parameters = {
-  actions: { argTypesRegex: '^on[A-Z].*' },
-  controls: {
-    matchers: {
-      color: /(background|color)$/i,
-      date: /Date$/,
-    },
-  },
-  msw: {
-    handlers,
-  },
-};
-
 const testQueryClient = new QueryClient({
  defaultOptions: { queries: { retry: false } },
 });

-export const decorators = [
-  (Story) => (
+const preview: Preview = {
+  decorators: (Story) => (
    <QueryClientProvider client={testQueryClient}>
      <UIRouter plugins={[pushStateLocationPlugin]}>
        <Story />
      </UIRouter>
    </QueryClientProvider>
  ),
-];
+  loaders: [mswLoader],
+  parameters: {
+    controls: {
+      matchers: {
+        color: /(background|color)$/i,
+        date: /Date$/,
+      },
+    },
+    msw: {
+      handlers,
+    },
+  },
+};

-export const loaders = [mswLoader];
+export default preview;
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,44 @@
+# Portainer Community Edition
+
+Open-source container management platform with full Docker and Kubernetes support.
+
+see also:
+
+- docs/guidelines/server-architecture.md
+- docs/guidelines/go-conventions.md
+- docs/guidelines/typescript-conventions.md
+
+## Package Manager
+
+- **PNPM** 10+ (for frontend)
+- **Go** 1.25.7 (for backend)
+
+## Build Commands
+
+```bash
+# Full build
+make build              # Build both client and server
+make build-client       # Build React/AngularJS frontend
+make build-server       # Build Go binary
+make build-image        # Build Docker image
+
+# Development
+make dev                # Run both in dev mode
+make dev-client         # Start webpack-dev-server (port 8999)
+make dev-server         # Run containerized Go server
+
+pnpm run dev            # Webpack dev server
+pnpm run build          # Build frontend with webpack
+pnpm run test           # Run frontend tests
+
+# Testing
+make test               # All tests (backend + frontend)
+make test-server        # Backend tests only
+make lint               # Lint all code
+make format             # Format code
+```
+
+## Development Servers
+
+- Frontend: http://localhost:8999
+- Backend: http://localhost:9000 (HTTP) / https://localhost:9443 (HTTPS)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -77,7 +77,7 @@ The feature request process is similar to the bug report process but has an extr

 ## Build and run Portainer locally

-Ensure you have Docker, Node.js, yarn, and Golang installed in the correct versions.
+Ensure you have Docker, Node.js, pnpm, and Golang installed in the correct versions.

 Install dependencies:

--- a/19
+++ b/19
@@ -20,7 +20,7 @@ all: tidy deps build-server build-client ## Build the client, server and downloa
 build-all: all ## Alias for the 'all' target (used by CI)

 build-client: init-dist ## Build the client
-	export NODE_ENV=$(ENV) && yarn build --config $(WEBPACK_CONFIG)
+	export NODE_ENV=$(ENV) && pnpm run build --config $(WEBPACK_CONFIG)

 build-server: init-dist ## Build the server binary
 	./build/build_binary.sh "$(PLATFORM)" "$(ARCH)"
@@ -29,7 +29,7 @@ build-image: build-all ## Build the Portainer image locally
 	docker buildx build --load -t portainerci/portainer-ce:$(TAG) -f build/linux/Dockerfile .

 build-storybook: ## Build and serve the storybook files
-	yarn storybook:build
+	pnpm run storybook:build

 ##@ Build dependencies
 .PHONY: deps server-deps client-deps tidy
@@ -39,7 +39,7 @@ server-deps: init-dist ## Download dependant server binaries
 	@./build/download_binaries.sh $(PLATFORM) $(ARCH)

 client-deps: ## Install client dependencies
-	yarn
+	pnpm install

 tidy: ## Tidy up the go.mod file
 	@go mod tidy
@@ -55,7 +55,7 @@ clean: ## Remove all build and download artifacts
 test: test-server test-client ## Run all tests

 test-client: ## Run client tests
-	yarn test $(ARGS) --coverage
+	pnpm run test $(ARGS) --coverage

 test-server:	## Run server tests
 	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover -covermode=atomic -coverprofile=coverage.out ./...
@@ -67,7 +67,7 @@ dev: ## Run both the client and server in development mode
 	make dev-client

 dev-client: ## Run the client in development mode
-	yarn dev
+	pnpm install && pnpm run dev

 dev-server: build-server ## Run the server in development mode
 	@./dev/run_container.sh
@@ -81,7 +81,7 @@ dev-server-podman: build-server ## Run the server in development mode
 format: format-client format-server ## Format all code

 format-client: ## Format client code
-	yarn format
+	pnpm run format

 format-server: ## Format server code
 	go fmt ./...
@@ -91,7 +91,7 @@ format-server: ## Format server code
 lint: lint-client lint-server ## Lint all code

 lint-client: ## Lint client code
-	yarn lint
+	pnpm run lint

 lint-server: tidy ## Lint server code
 	golangci-lint run --timeout=10m -c .golangci.yaml
@@ -105,11 +105,12 @@ dev-extension: build-server build-client ## Run the extension in development mod
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
+	go mod download -x
 	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./

 docs-validate: docs-build ## Validate docs
-	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
-	yarn swagger-cli validate dist/docs/openapi.yaml
+	pnpm swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
+	pnpm swagger-cli validate dist/docs/openapi.yaml

 ##@ Helpers
 .PHONY: help
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ You can join the Portainer Community by visiting [https://www.portainer.io/join-

 ## Security

- Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.
+For information about reporting security vulnerabilities, please see our [Security Policy](SECURITY.md).

 ## Work for us

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,61 @@
+# Security Policy
+
+## Supported Versions
+
+Portainer maintains both Short-Term Support (STS) and Long-Term Support (LTS) versions in accordance with our official [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
+
+| Version Type | Support Status |
+| --- | --- |
+| LTS (Long-Term Support) | Supported for critical security fixes |
+| STS (Short-Term Support) | Supported until the next STS or LTS release |
+| Legacy / EOL | Not supported |
+
+For a detailed breakdown of current versions and their specific End of Life (EOL) dates, 
+please refer to the [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
+
+## Reporting a Vulnerability
+
+The Portainer team takes the security of our products seriously. If you believe you have found a security vulnerability in any Portainer-owned repository, please report it to us responsibly.
+
+**Please do not report security vulnerabilities via public GitHub issues.**
+
+### Disclosure Process
+
+1. **Report**: You can report in one of two ways:
+
+    - **GitHub**: Use the **Report a vulnerability** button on the **Security** tab of this repository.
+
+    - **Email**: Send your findings to security@portainer.io.
+
+2. **Details**: To help us verify the issue, please include:
+
+    - A description of the vulnerability and its potential impact.
+
+    - Step-by-step instructions to reproduce the issue (e.g. proof-of-concept code, scripts, or screenshots).
+
+    - The version of the software and the environment in which it was found.
+
+3. **Acknowledge**: We will acknowledge receipt of your report and provide an initial assessment.
+
+4. **Resolution**: We will work to resolve the issue as quickly as possible. We request that you do not disclose the vulnerability publicly until we have released a fix and notified affected users.
+
+## Our Commitment
+
+If you follow the responsible disclosure process, we will:
+
+- Respond to your report in a timely manner.
+
+- Provide an estimated timeline for remediation.
+
+- Notify you when the vulnerability has been patched.
+
+- Give credit for the discovery (if desired) once the fix is public.
+
+
+We will make every effort to promptly address any security weaknesses. Security advisories and fixes will be published through GitHub Security Advisories and other channels as needed.
+
+Thank you for helping keep Portainer and our community secure.
+
+## Resources
+
+- [Contributing to Portainer](https://docs.portainer.io/contribute/contribute#contributing-to-the-portainer-ce-codebase)
--- a/api/agent/version.go
+++ b/api/agent/version.go
@@ -11,20 +11,18 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/url"
+
+	"github.com/rs/zerolog/log"
 )

 // GetAgentVersionAndPlatform returns the agent version and platform
 //
 // it sends a ping to the agent and parses the version and platform from the headers
 func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (portainer.AgentPlatform, string, error) { //nolint:forbidigo
-	httpCli := &http.Client{
-		Timeout: 3 * time.Second,
-	}
+	httpCli := &http.Client{Timeout: 3 * time.Second}

 	if tlsConfig != nil {
-		httpCli.Transport = &http.Transport{
-			TLSClientConfig: tlsConfig,
-		}
+		httpCli.Transport = &http.Transport{TLSClientConfig: tlsConfig}
 	}

 	parsedURL, err := url.ParseURL(endpointUrl + "/ping")
@@ -44,8 +42,10 @@ func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (port
 		return 0, "", err
 	}

-	io.Copy(io.Discard, resp.Body)
-	resp.Body.Close()
+	_, _ = io.Copy(io.Discard, resp.Body)
+	if err := resp.Body.Close(); err != nil {
+		log.Warn().Err(err).Msg("failed to close response body")
+	}

 	if resp.StatusCode != http.StatusNoContent {
 		return 0, "", fmt.Errorf("Failed request with status %d", resp.StatusCode)
--- a/api/apikey/service_test.go
+++ b/api/apikey/service_test.go
@@ -157,7 +157,10 @@ func Test_UpdateAPIKey(t *testing.T) {

 	t.Run("Successfully updates the api-key LastUsed time", func(t *testing.T) {
 		user := portainer.User{ID: 1}
-		store.User().Create(&user)
+
+		err := store.User().Create(&user)
+		require.NoError(t, err)
+
 		_, apiKey, err := service.GenerateApiKey(user, "test-x")
 		require.NoError(t, err)

--- a/api/archive/tar.go
+++ b/api/archive/tar.go
@@ -17,18 +17,15 @@ func TarFileInBuffer(fileContent []byte, fileName string, mode int64) ([]byte, e
 		Size: int64(len(fileContent)),
 	}

-	err := tarWriter.WriteHeader(header)
-	if err != nil {
+	if err := tarWriter.WriteHeader(header); err != nil {
 		return nil, err
 	}

-	_, err = tarWriter.Write(fileContent)
-	if err != nil {
+	if _, err := tarWriter.Write(fileContent); err != nil {
 		return nil, err
 	}

-	err = tarWriter.Close()
-	if err != nil {
+	if err := tarWriter.Close(); err != nil {
 		return nil, err
 	}

@@ -43,10 +40,7 @@ type tarFileInBuffer struct {

 func NewTarFileInBuffer() *tarFileInBuffer {
 	var b bytes.Buffer
-	return &tarFileInBuffer{
-		b: &b,
-		w: tar.NewWriter(&b),
-	}
+	return &tarFileInBuffer{b: &b, w: tar.NewWriter(&b)}
 }

 // Put puts a single file to tar archive buffer.
@@ -61,11 +55,9 @@ func (t *tarFileInBuffer) Put(fileContent []byte, fileName string, mode int64) e
 		return err
 	}

-	if _, err := t.w.Write(fileContent); err != nil {
-		return err
-	}
+	_, err := t.w.Write(fileContent)

-	return nil
+	return err
 }

 // Bytes returns the archive as a byte array.
--- a/api/archive/targz.go
+++ b/api/archive/targz.go
@@ -9,6 +9,9 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/portainer/portainer/api/filesystem"
+	"github.com/portainer/portainer/api/logs"
 )

 // TarGzDir creates a tar.gz archive and returns it's path.
@@ -20,12 +23,13 @@ func TarGzDir(absolutePath string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer outFile.Close()
+	defer logs.CloseAndLogErr(outFile)

 	zipWriter := gzip.NewWriter(outFile)
-	defer zipWriter.Close()
+	defer logs.CloseAndLogErr(zipWriter)
+
 	tarWriter := tar.NewWriter(zipWriter)
-	defer tarWriter.Close()
+	defer logs.CloseAndLogErr(tarWriter)

 	err = filepath.Walk(absolutePath, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
@@ -86,7 +90,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 	if err != nil {
 		return err
 	}
-	defer zipReader.Close()
+	defer logs.CloseAndLogErr(zipReader)

 	tarReader := tar.NewReader(zipReader)

@@ -105,7 +109,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 		case tar.TypeDir:
 			// skip, dir will be created with a file
 		case tar.TypeReg:
-			p := filepath.Clean(filepath.Join(outputDirPath, header.Name))
+			p := filesystem.JoinPaths(outputDirPath, header.Name)
 			if err := os.MkdirAll(filepath.Dir(p), 0o744); err != nil {
 				return fmt.Errorf("Failed to extract dir %s", filepath.Dir(p))
 			}
@@ -116,7 +120,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 			if _, err := io.Copy(outFile, tarReader); err != nil {
 				return fmt.Errorf("Failed to extract file %s", header.Name)
 			}
-			outFile.Close()
+			logs.CloseAndLogErr(outFile)
 		default:
 			return fmt.Errorf("tar: unknown type: %v in %s",
 				header.Typeflag,
--- a/api/archive/targz_test.go
+++ b/api/archive/targz_test.go
@@ -1,12 +1,16 @@
 package archive

 import (
+	"archive/tar"
+	"compress/gzip"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"testing"

+	"github.com/portainer/portainer/api/filesystem"
+	"github.com/rs/zerolog/log"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -14,7 +18,7 @@ import (
 func listFiles(dir string) []string {
 	items := make([]string, 0)

-	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+	if err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
 		if path == dir {
 			return nil
 		}
@@ -22,7 +26,9 @@ func listFiles(dir string) []string {
 		items = append(items, path)

 		return nil
-	})
+	}); err != nil {
+		log.Warn().Err(err).Msg("failed to list files in directory")
+	}

 	return items
 }
@@ -34,7 +40,7 @@ func Test_shouldCreateArchive(t *testing.T) {
 	err := os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
 	require.NoError(t, err)

-	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	err = os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
 	require.NoError(t, err)

 	err = os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
@@ -105,3 +111,56 @@ func Test_shouldCreateArchive2(t *testing.T) {
 	wasExtracted("dir/inner")
 	wasExtracted("dir/.dotfile")
 }
+
+func TestExtractTarGzPathTraversal(t *testing.T) {
+	testDir := t.TempDir()
+
+	// Create an evil file with a path traversal attempt
+	tarPath := filesystem.JoinPaths(testDir, "evil.tar.gz")
+
+	evilFile, err := os.Create(tarPath)
+	require.NoError(t, err)
+
+	gzWriter := gzip.NewWriter(evilFile)
+	tarWriter := tar.NewWriter(gzWriter)
+
+	content := []byte("evil content")
+
+	header := &tar.Header{
+		Name:     "../evil.txt",
+		Mode:     0600,
+		Size:     int64(len(content)),
+		Typeflag: tar.TypeReg,
+	}
+
+	err = tarWriter.WriteHeader(header)
+	require.NoError(t, err)
+
+	_, err = tarWriter.Write(content)
+	require.NoError(t, err)
+
+	err = tarWriter.Close()
+	require.NoError(t, err)
+
+	err = gzWriter.Close()
+	require.NoError(t, err)
+
+	err = evilFile.Close()
+	require.NoError(t, err)
+
+	// Attempt to extract the evil file
+	extractionDir := filesystem.JoinPaths(testDir, "extraction")
+	err = os.Mkdir(extractionDir, 0700)
+	require.NoError(t, err)
+
+	tarFile, err := os.Open(tarPath)
+	require.NoError(t, err)
+
+	// Check that the file didn't escape
+	err = ExtractTarGz(tarFile, extractionDir)
+	require.NoError(t, err)
+	require.NoFileExists(t, filesystem.JoinPaths(testDir, "evil.txt"))
+
+	err = tarFile.Close()
+	require.NoError(t, err)
+}
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"strings"

+	"github.com/portainer/portainer/api/logs"
+
 	"github.com/pkg/errors"
 )

@@ -18,7 +20,7 @@ func UnzipFile(src string, dest string) error {
 	if err != nil {
 		return err
 	}
-	defer r.Close()
+	defer logs.CloseAndLogErr(r)

 	for _, f := range r.File {
 		p := filepath.Join(dest, f.Name)
@@ -30,7 +32,9 @@ func UnzipFile(src string, dest string) error {

 		if f.FileInfo().IsDir() {
 			// Make Folder
-			os.MkdirAll(p, os.ModePerm)
+			if err := os.MkdirAll(p, os.ModePerm); err != nil {
+				return err
+			}

 			continue
 		}
@@ -53,13 +57,13 @@ func unzipFile(f *zip.File, p string) error {
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
-	defer outFile.Close()
+	defer logs.CloseAndLogErr(outFile)

 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
-	defer rc.Close()
+	defer logs.CloseAndLogErr(rc)

 	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
--- a/api/aws/ecr/ecr.go
+++ b/api/aws/ecr/ecr.go
@@ -6,6 +6,15 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 )

+// Registry represents an ECR registry endpoint information.
+// This struct is used to parse and validate ECR endpoint URLs.
+type Registry struct {
+	ID     string // AWS account ID (empty for accountless endpoints like "ecr-fips.us-west-1.amazonaws.com")
+	FIPS   bool   // Whether this is a FIPS endpoint (contains "-fips" in the URL)
+	Region string // AWS region (e.g., "us-east-1", "us-gov-west-1")
+	Public bool   // Whether this is ecr-public.aws.com
+}
+
 type (
 	Service struct {
 		accessKey string
--- a/api/aws/ecr/parse_endpoints.go
+++ b/api/aws/ecr/parse_endpoints.go
@@ -0,0 +1,70 @@
+package ecr
+
+import (
+	"fmt"
+	"net/url"
+	"regexp"
+	"strings"
+)
+
+// ecrEndpointPattern matches all valid ECR endpoints including account-prefixed and accountless formats.
+// Based on AWS ECR credential helper regex but extended to support accountless endpoints.
+//
+// Supported formats:
+//   - Account-prefixed: 123456789012.dkr.ecr-fips.us-east-1.amazonaws.com
+//   - Account-prefixed (hyphen): 123456789012.dkr-ecr-fips.us-west-1.on.aws
+//   - Accountless service: ecr-fips.us-west-1.amazonaws.com
+//   - Accountless API: ecr-fips.us-east-1.api.aws
+//   - Non-FIPS variants: All formats above without "-fips"
+//
+// Regex groups:
+//   - Group 1: Full account prefix (optional) - e.g., "123456789012.dkr." or "123456789012.dkr-"
+//   - Group 2: Account ID (optional) - e.g., "123456789012"
+//   - Group 3: FIPS flag (optional) - either "-fips" or empty string
+//   - Group 4: Region - e.g., "us-east-1", "us-gov-west-1"
+//   - Group 5: Domain suffix - e.g., "amazonaws.com", "api.aws"
+var ecrEndpointPattern = regexp.MustCompile(
+	`^((\d{12})\.dkr[\.\-])?ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.(?:com(?:\.cn)?|eu)|api\.aws|on\.(?:aws|amazonwebservices\.com\.cn)|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`,
+)
+
+// ParseECREndpoint parses an ECR registry URL and extracts registry information.
+
+// This function replaces the AWS ECR credential helper library's ExtractRegistry function,
+// which only supports account-prefixed endpoints.
+//
+// Reference: https://docs.aws.amazon.com/general/latest/gr/ecr.html
+func ParseECREndpoint(urlStr string) (*Registry, error) {
+	// Normalize URL by adding https:// prefix if not present
+	if !strings.HasPrefix(urlStr, "https://") && !strings.HasPrefix(urlStr, "http://") {
+		urlStr = "https://" + urlStr
+	}
+
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid URL: %w", err)
+	}
+
+	hostname := u.Hostname()
+
+	// Special case: ECR Public
+	// ECR Public uses a different domain and doesn't have FIPS variant
+	if hostname == "ecr-public.aws.com" {
+		return &Registry{
+			FIPS:   false,
+			Public: true,
+		}, nil
+	}
+
+	// Parse standard ECR endpoints using regex
+	matches := ecrEndpointPattern.FindStringSubmatch(hostname)
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("not a valid ECR endpoint: %s", hostname)
+	}
+
+	return &Registry{
+		ID:     matches[2],            // Account ID (may be empty for accountless endpoints)
+		FIPS:   matches[3] == "-fips", // Check if "-fips" is present
+		Region: matches[4],            // AWS region
+		Public: false,
+	}, nil
+}
--- a/api/aws/ecr/parse_endpoints_test.go
+++ b/api/aws/ecr/parse_endpoints_test.go
@@ -0,0 +1,253 @@
+package ecr
+
+import (
+	"testing"
+)
+
+func TestParseECREndpoint(t *testing.T) {
+	tests := []struct {
+		name      string
+		url       string
+		want      *Registry
+		wantError bool
+	}{
+		// Standard AWS Commercial - Account-prefixed FIPS
+		{
+			name: "account-prefixed FIPS us-east-1",
+			url:  "123456789012.dkr.ecr-fips.us-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS us-west-2",
+			url:  "123456789012.dkr.ecr-fips.us-west-2.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-west-2",
+				Public: false,
+			},
+		},
+
+		// Accountless FIPS service endpoints
+		{
+			name: "accountless FIPS us-west-1",
+			url:  "ecr-fips.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS us-east-2",
+			url:  "ecr-fips.us-east-2.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// Accountless FIPS API endpoints
+		{
+			name: "accountless FIPS API us-west-1",
+			url:  "ecr-fips.us-west-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS API us-east-1",
+			url:  "ecr-fips.us-east-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+
+		// on.aws domain with hyphen separator
+		{
+			name: "account-prefixed FIPS hyphen us-west-1",
+			url:  "123456789012.dkr-ecr-fips.us-west-1.on.aws",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS hyphen us-east-2",
+			url:  "123456789012.dkr-ecr-fips.us-east-2.on.aws",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// AWS GovCloud
+		{
+			name: "account-prefixed FIPS us-gov-east-1",
+			url:  "123456789012.dkr.ecr-fips.us-gov-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-gov-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS us-gov-west-1",
+			url:  "123456789012.dkr.ecr-fips.us-gov-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-gov-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS us-gov-west-1",
+			url:  "ecr-fips.us-gov-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-gov-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS API us-gov-east-1",
+			url:  "ecr-fips.us-gov-east-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-gov-east-1",
+				Public: false,
+			},
+		},
+
+		// ECR Public
+		{
+			name: "ecr-public",
+			url:  "ecr-public.aws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "",
+				Public: true,
+			},
+		},
+
+		// Non-FIPS endpoints (valid ECR but FIPS=false)
+		{
+			name: "account-prefixed non-FIPS us-east-1",
+			url:  "123456789012.dkr.ecr.us-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   false,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless non-FIPS us-west-1",
+			url:  "ecr.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless non-FIPS API us-east-2",
+			url:  "ecr.us-east-2.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// URLs with https:// prefix
+		{
+			name: "with https prefix",
+			url:  "https://ecr-fips.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+
+		// Invalid endpoints
+		{
+			name:      "not an ECR URL",
+			url:       "not-an-ecr-url.com",
+			wantError: true,
+		},
+		{
+			name:      "invalid account ID length",
+			url:       "123.dkr.ecr-fips.us-east-1.amazonaws.com",
+			wantError: true,
+		},
+		{
+			name:      "empty string",
+			url:       "",
+			wantError: true,
+		},
+		{
+			name:      "docker hub",
+			url:       "docker.io",
+			wantError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseECREndpoint(tt.url)
+
+			if tt.wantError {
+				if err == nil {
+					t.Errorf("ParseECREndpoint() expected error but got none")
+				}
+				return
+			}
+
+			if err != nil {
+				t.Errorf("ParseECREndpoint() unexpected error: %v", err)
+				return
+			}
+
+			if got.ID != tt.want.ID {
+				t.Errorf("ParseECREndpoint() ID = %v, want %v", got.ID, tt.want.ID)
+			}
+			if got.FIPS != tt.want.FIPS {
+				t.Errorf("ParseECREndpoint() FIPS = %v, want %v", got.FIPS, tt.want.FIPS)
+			}
+			if got.Region != tt.want.Region {
+				t.Errorf("ParseECREndpoint() Region = %v, want %v", got.Region, tt.want.Region)
+			}
+			if got.Public != tt.want.Public {
+				t.Errorf("ParseECREndpoint() Public = %v, want %v", got.Public, tt.want.Public)
+			}
+		})
+	}
+}
--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -12,6 +12,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
@@ -97,7 +98,7 @@ func encrypt(path string, passphrase string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer in.Close()
+	defer logs.CloseAndLogErr(in)

 	outFileName := path + ".encrypted"
 	out, err := os.Create(outFileName)
@@ -105,7 +106,5 @@ func encrypt(path string, passphrase string) (string, error) {
 		return "", err
 	}

-	err = crypto.AesEncrypt(in, out, []byte(passphrase))
-
-	return outFileName, err
+	return outFileName, crypto.AesEncrypt(in, out, []byte(passphrase))
 }
--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -16,6 +16,8 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
+
+	"github.com/rs/zerolog/log"
 )

 var filesToRestore = append(filesToBackup, "portainer.db")
@@ -31,17 +33,20 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 	}

 	restorePath := filepath.Join(filestorePath, "restore", time.Now().Format("20060102150405"))
-	defer os.RemoveAll(filepath.Dir(restorePath))
+	defer func() {
+		if err := os.RemoveAll(filepath.Dir(restorePath)); err != nil {
+			log.Warn().Err(err).Msg("failed to clean up restore files")
+		}
+	}()

-	err = extractArchive(archive, restorePath)
-	if err != nil {
+	if err := extractArchive(archive, restorePath); err != nil {
 		return errors.Wrap(err, "cannot extract files from the archive. Please ensure the password is correct and try again")
 	}

 	unlock := gate.Lock()
 	defer unlock()

-	if err = datastore.Close(); err != nil {
+	if err := datastore.Close(); err != nil {
 		return errors.Wrap(err, "Failed to stop db")
 	}

@@ -51,7 +56,7 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 		return errors.Wrap(err, "failed to restore from backup. Portainer database missing from backup file")
 	}

-	if err = restoreFiles(restorePath, filestorePath); err != nil {
+	if err := restoreFiles(restorePath, filestorePath); err != nil {
 		return errors.Wrap(err, "failed to restore the system state")
 	}

@@ -89,8 +94,7 @@ func getRestoreSourcePath(dir string) (string, error) {

 func restoreFiles(srcDir string, destinationDir string) error {
 	for _, filename := range filesToRestore {
-		err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir)
-		if err != nil {
+		if err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir); err != nil {
 			return err
 		}
 	}
@@ -98,14 +102,18 @@ func restoreFiles(srcDir string, destinationDir string) error {
 	// TODO:  This is very boltdb module specific once again due to the filename.  Move to bolt module? Refactor for another day

 	// Prevent the possibility of having both databases.  Remove any default new instance
-	os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName))
-	os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName))
+	if err := os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName)); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	if err := os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName)); err != nil && !os.IsNotExist(err) {
+		return err
+	}

 	// Now copy the database.  It'll be either portainer.db or portainer.edb

 	// Note: CopyPath does not return an error if the source file doesn't exist
-	err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir)
-	if err != nil {
+	if err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir); err != nil {
 		return err
 	}

--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -89,10 +89,8 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
 		return err
 	}

-	io.Copy(io.Discard, resp.Body)
-	resp.Body.Close()
-
-	return nil
+	_, _ = io.Copy(io.Discard, resp.Body)
+	return resp.Body.Close()
 }

 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -142,7 +142,9 @@ func (s *Service) TunnelAddr(endpoint *portainer.Endpoint) (string, error) {
 			continue
 		}

-		conn.Close()
+		if err := conn.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close tcp connection")
+		}

 		break
 	}
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -32,7 +32,7 @@ func CLIFlags() *portainer.CLIFlags {
 		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
 		EndpointURL:               kingpin.Flag("host", "Environment URL").Short('H').String(),
-		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Strings(),
+		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Envar(portainer.FeatureFlagEnvVar).Strings(),
 		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
 		NoAnalytics:               kingpin.Flag("no-analytics", "Disable Analytics in app (deprecated)").Bool(),
 		TLSSkipVerify:             kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
@@ -52,7 +52,6 @@ func CLIFlags() *portainer.CLIFlags {
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
-		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
 		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
 		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
@@ -95,6 +94,11 @@ func (Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	flags.TLSKey = tlsKeyFlag.String()
 	flags.TLSCacert = kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String()

+	flags.KubectlShellImage = kingpin.Flag(
+		"kubectl-shell-image",
+		"Kubectl shell image",
+	).Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String()
+
 	kingpin.Parse()

 	if !filepath.IsAbs(*flags.Assets) {
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package cli

--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -55,7 +55,7 @@ import (
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	"github.com/portainer/portainer/pkg/validate"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/rs/zerolog/log"
 )

@@ -119,7 +119,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	}

 	if isNew {
-		instanceId, err := uuid.NewV4()
+		instanceId, err := uuid.NewRandom()
 		if err != nil {
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}
@@ -134,15 +134,16 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			InstanceID:    instanceId.String(),
 			MigratorCount: migratorCount,
 		}
-		store.VersionService.UpdateVersion(&v)
+
+		if err := store.VersionService.UpdateVersion(&v); err != nil {
+			log.Fatal().Err(err).Msg("failed to update version")
+		}

 		if err := updateSettingsFromFlags(store, flags); err != nil {
 			log.Fatal().Err(err).Msg("failed updating settings from flags")
 		}
-	} else {
-		if err := store.MigrateData(); err != nil {
-			log.Fatal().Err(err).Msg("failed migration")
-		}
+	} else if err := store.MigrateData(); err != nil {
+		log.Fatal().Err(err).Msg("failed migration")
 	}

 	if err := updateSettingsFromFlags(store, flags); err != nil {
@@ -153,7 +154,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	go func() {
 		<-shutdownCtx.Done()

-		defer connection.Close()
+		defer logs.CloseAndLogErr(connection)
 	}()

 	return store
@@ -347,7 +348,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	trustedOrigins := []string{}
 	if *flags.TrustedOrigins != "" {
 		// validate if the trusted origins are valid urls
-		for _, origin := range strings.Split(*flags.TrustedOrigins, ",") {
+		for origin := range strings.SplitSeq(*flags.TrustedOrigins, ",") {
 			if !validate.IsTrustedOrigin(origin) {
 				log.Fatal().Str("trusted_origin", origin).Msg("invalid url for trusted origin. Please check the trusted origins flag.")
 			}
@@ -529,7 +530,9 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	scheduler := scheduler.NewScheduler(shutdownCtx)
 	stackDeployer := deployments.NewStackDeployer(swarmStackManager, composeStackManager, kubernetesDeployer, dockerClientFactory, dataStore)
-	deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService)
+	if err := deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService); err != nil {
+		log.Fatal().Err(err).Msg("failed to start stack scheduler")
+	}

 	sslDBSettings, err := dataStore.SSLSettings().Settings()
 	if err != nil {
@@ -630,7 +633,7 @@ func main() {
 			Str("build_number", build.BuildNumber).
 			Str("image_tag", build.ImageTag).
 			Str("nodejs_version", build.NodejsVersion).
-			Str("yarn_version", build.YarnVersion).
+			Str("pnpm_version", build.PnpmVersion).
 			Str("webpack_version", build.WebpackVersion).
 			Str("go_version", build.GoVersion).
 			Msg("starting Portainer")
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -164,7 +164,9 @@ func aesEncryptGCM(input io.Reader, output io.Writer, passphrase []byte) error {
 			return err
 		}

-		nonce.Increment()
+		if err := nonce.Increment(); err != nil {
+			return err
+		}
 	}

 	return nil
@@ -235,7 +237,9 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 			return nil, err
 		}

-		nonce.Increment()
+		if err := nonce.Increment(); err != nil {
+			return nil, err
+		}
 	}

 	return &buf, nil
--- a/api/crypto/aes_test.go
+++ b/api/crypto/aes_test.go
@@ -9,6 +9,7 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/pkg/fips"

 	"github.com/stretchr/testify/assert"
@@ -47,16 +48,17 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		)

 		content := randBytes(1024*1024*100 + 523)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

 		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		defer logs.CloseAndLogErr(originFile)

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
 		require.NoError(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
 		require.NoError(t, err, "Couldn't read encrypted file")
@@ -64,11 +66,11 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {

 		encryptedFileReader, err := os.Open(encryptedFilePath)
 		require.NoError(t, err)
-		defer encryptedFileReader.Close()
+		defer logs.CloseAndLogErr(encryptedFileReader)

 		decryptedFileWriter, err := os.Create(decryptedFilePath)
 		require.NoError(t, err)
-		defer decryptedFileWriter.Close()
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
 		if !decryptShouldSucceed {
@@ -76,9 +78,11 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		} else {
 			require.NoError(t, err, "Failed to decrypt file indicated by decryptShouldSucceed")

-			io.Copy(decryptedFileWriter, decryptedReader)
+			_, err = io.Copy(decryptedFileWriter, decryptedReader)
+			require.NoError(t, err)

-			decryptedContent, _ := os.ReadFile(decryptedFilePath)
+			decryptedContent, err := os.ReadFile(decryptedFilePath)
+			require.NoError(t, err)
 			assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 		}
 	}
@@ -149,33 +153,40 @@ func Test_encryptAndDecrypt_withStrongPassphrase(t *testing.T) {
 		)

 		content := randBytes(500)
-		os.WriteFile(originFilePath, content, 0600)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)
+
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
 		require.NoError(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
 		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
 		require.NoError(t, err, "Failed to decrypt file")

-		io.Copy(decryptedFileWriter, decryptedReader)
+		_, err = io.Copy(decryptedFileWriter, decryptedReader)
+		require.NoError(t, err)

-		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		decryptedContent, err := os.ReadFile(decryptedFilePath)
+		require.NoError(t, err)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -199,16 +210,19 @@ func Test_encryptAndDecrypt_withTheSamePasswordSmallFile(t *testing.T) {
 		)

 		content := randBytes(500)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)

-		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
 		require.NoError(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
 		require.NoError(t, err, "Couldn't read encrypted file")
@@ -216,11 +230,11 @@ func Test_encryptAndDecrypt_withTheSamePasswordSmallFile(t *testing.T) {

 		encryptedFileReader, err := os.Open(encryptedFilePath)
 		require.NoError(t, err)
-		defer encryptedFileReader.Close()
+		defer logs.CloseAndLogErr(encryptedFileReader)

 		decryptedFileWriter, err := os.Create(decryptedFilePath)
 		require.NoError(t, err)
-		defer decryptedFileWriter.Close()
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte("passphrase"))
 		require.NoError(t, err, "Failed to decrypt file")
@@ -258,11 +272,11 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {

 		originFile, err := os.Open(originFilePath)
 		require.NoError(t, err)
-		defer originFile.Close()
+		defer logs.CloseAndLogErr(originFile)

 		encryptedFileWriter, err := os.Create(encryptedFilePath)
 		require.NoError(t, err)
-		defer encryptedFileWriter.Close()
+		defer logs.CloseAndLogErr(encryptedFileWriter)

 		err = encrypt(originFile, encryptedFileWriter, []byte(""))
 		require.NoError(t, err, "Failed to encrypt a file")
@@ -273,11 +287,11 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {

 		encryptedFileReader, err := os.Open(encryptedFilePath)
 		require.NoError(t, err)
-		defer encryptedFileReader.Close()
+		defer logs.CloseAndLogErr(encryptedFileReader)

 		decryptedFileWriter, err := os.Create(decryptedFilePath)
 		require.NoError(t, err)
-		defer decryptedFileWriter.Close()
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(""))
 		require.NoError(t, err, "Failed to decrypt file")
@@ -310,25 +324,30 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 		)

 		content := randBytes(1034)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
-		defer encryptedFileWriter.Close()
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileWriter)

-		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
 		require.NoError(t, err, "Failed to encrypt a file")
 		encryptedContent, err := os.ReadFile(encryptedFilePath)
 		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		_, err = decrypt(encryptedFileReader, []byte("garbage"))
 		require.Error(t, err, "Should not allow decrypt with wrong passphrase")
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -92,7 +92,9 @@ func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Con
 }

 func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
-	if !config.TLS {
+	if !config.TLS && fipsEnabled {
+		return nil, fips.ErrTLSRequired
+	} else if !config.TLS {
 		return nil, nil
 	}

--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -98,18 +98,36 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 				// Special case.  If portainer.db and portainer.edb exist.
 				dbFile1 := path.Join(connection.Path, DatabaseFileName)
 				f, _ := os.Create(dbFile1)
-				f.Close()
-				defer os.Remove(dbFile1)
+
+				err := f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile1)
+					require.NoError(t, err)
+				}()

 				dbFile2 := path.Join(connection.Path, EncryptedDatabaseFileName)
 				f, _ = os.Create(dbFile2)
-				f.Close()
-				defer os.Remove(dbFile2)
+
+				err = f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile2)
+					require.NoError(t, err)
+				}()
 			} else if tc.dbname != "" {
 				dbFile := path.Join(connection.Path, tc.dbname)
 				f, _ := os.Create(dbFile)
-				f.Close()
-				defer os.Remove(dbFile)
+
+				err := f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile)
+					require.NoError(t, err)
+				}()
 			}

 			if tc.key {
@@ -136,7 +154,8 @@ func TestDBCompaction(t *testing.T) {
 			return err
 		}

-		b.Put([]byte("key"), []byte("value"))
+		err = b.Put([]byte("key"), []byte("value"))
+		require.NoError(t, err)

 		return nil
 	})
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -3,6 +3,7 @@ package boltdb
 import (
 	"time"

+	"github.com/portainer/portainer/api/logs"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 	bolt "go.etcd.io/bbolt"
@@ -37,7 +38,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 	if err != nil {
 		return []byte("{}"), err
 	}
-	defer connection.Close()
+	defer logs.CloseAndLogErr(connection)

 	backup := make(map[string]any)
 	if metadata {
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -45,12 +45,12 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 		}
 	}

-	if e := json.Unmarshal(data, object); e != nil {
+	if err := json.Unmarshal(data, object); err != nil {
 		// Special case for the VERSION bucket. Here we're not using json
 		// So we need to return it as a string
 		s, ok := object.(*string)
 		if !ok {
-			return errors.Wrap(err, e.Error())
+			return errors.Wrap(err, "Failed unmarshalling object")
 		}

 		*s = string(data)
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -10,14 +10,14 @@ import (
 	"io"
 	"testing"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )

@@ -29,7 +29,7 @@ func secretToEncryptionKey(passphrase string) []byte {
 func Test_MarshalObjectUnencrypted(t *testing.T) {
 	is := assert.New(t)

-	uuid := uuid.Must(uuid.NewV4())
+	uuid := uuid.New()

 	tests := []struct {
 		object   any
--- a/api/database/boltdb/tx_test.go
+++ b/api/database/boltdb/tx_test.go
@@ -6,6 +6,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/stretchr/testify/require"
 )

 const testBucketName = "test-bucket"
@@ -17,70 +18,55 @@ type testStruct struct {
 }

 func TestTxs(t *testing.T) {
-	conn := DbConnection{
-		Path: t.TempDir(),
-	}
+	conn := DbConnection{Path: t.TempDir()}

 	err := conn.Open()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer conn.Close()
+	require.NoError(t, err)
+	defer func() {
+		err := conn.Close()
+		require.NoError(t, err)
+	}()

 	// Error propagation
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return errors.New("this is an error")
 	})
-	if err == nil {
-		t.Fatal("an error was expected, got nil instead")
-	}
+	require.Error(t, err)

 	// Create an object
-	newObj := testStruct{
-		Key:   "key",
-		Value: "value",
-	}
+	newObj := testStruct{Key: "key", Value: "value"}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
-		err = tx.SetServiceName(testBucketName)
-		if err != nil {
+		if err := tx.SetServiceName(testBucketName); err != nil {
 			return err
 		}

 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	obj := testStruct{}
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	if obj.Key != newObj.Key || obj.Value != newObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", newObj.Key, newObj.Value, obj.Key, obj.Value)
 	}

 	// Update an object
-	updatedObj := testStruct{
-		Key:   "updated-key",
-		Value: "updated-value",
-	}
+	updatedObj := testStruct{Key: "updated-key", Value: "updated-value"}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.UpdateObject(testBucketName, conn.ConvertToKey(testId), &updatedObj)
 	})
+	require.NoError(t, err)

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	if obj.Key != updatedObj.Key || obj.Value != updatedObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", updatedObj.Key, updatedObj.Value, obj.Key, obj.Value)
@@ -90,16 +76,12 @@ func TestTxs(t *testing.T) {
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.DeleteObject(testBucketName, conn.ConvertToKey(testId))
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if !dataservices.IsErrObjectNotFound(err) {
-		t.Fatal(err)
-	}
+	require.True(t, dataservices.IsErrObjectNotFound(err))

 	// Get next identifier
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
@@ -112,15 +94,11 @@ func TestTxs(t *testing.T) {

 		return nil
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	// Try to write in a read transaction
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	if err == nil {
-		t.Fatal("an error was expected, got nil instead")
-	}
+	require.Error(t, err)
 }
--- a/api/dataservices/base_test.go
+++ b/api/dataservices/base_test.go
@@ -21,7 +21,7 @@ type mockConnection struct {
 	portainer.Connection
 }

-func (m mockConnection) UpdateObject(bucket string, key []byte, value interface{}) error {
+func (m mockConnection) UpdateObject(bucket string, key []byte, value any) error {
 	obj := value.(*testObject)

 	m.store[obj.ID] = *obj
@@ -50,7 +50,6 @@ func (m mockConnection) ViewTx(fn func(portainer.Transaction) error) error {
 func (m mockConnection) ConvertToKey(v int) []byte {
 	return []byte(strconv.Itoa(v))
 }
-
 func TestReadAll(t *testing.T) {
 	service := BaseDataService[testObject, int]{
 		Bucket:     "testBucket",
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -72,3 +72,13 @@ func (service BaseDataServiceTx[T, I]) Delete(ID I) error {
 	identifier := service.Connection.ConvertToKey(int(ID))
 	return service.Tx.DeleteObject(service.Bucket, identifier)
 }
+
+func Read[T any](tx portainer.Transaction, bucket string, key []byte) (*T, error) {
+	var element T
+
+	if err := tx.GetObject(bucket, key, &element); err != nil {
+		return nil, err
+	}
+
+	return &element, nil
+}
--- a/api/dataservices/edgestack/edgestack_test.go
+++ b/api/dataservices/edgestack/edgestack_test.go
@@ -5,6 +5,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -14,7 +15,7 @@ func TestUpdate(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn, func(portainer.Transaction, portainer.EdgeStackID) {})
 	require.NoError(t, err)
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -119,6 +119,19 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 	return endpoints, nil
 }

+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service *Service) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
+	var endpoints []portainer.Endpoint
+	var err error
+
+	err = service.connection.ViewTx(func(tx portainer.Transaction) error {
+		endpoints, err = service.Tx(tx).ReadAll(predicates...)
+		return err
+	})
+
+	return endpoints, err
+}
+
 // EndpointIDByEdgeID returns the EndpointID from the given EdgeID using an in-memory index
 func (service *Service) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	service.mu.RLock()
--- a/api/dataservices/endpoint/tx.go
+++ b/api/dataservices/endpoint/tx.go
@@ -89,6 +89,11 @@ func (service ServiceTx) Endpoints() ([]portainer.Endpoint, error) {
 	)
 }

+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service ServiceTx) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
+	return dataservices.BaseDataServiceTx[portainer.Endpoint, portainer.EndpointID]{Bucket: BucketName, Connection: service.service.connection, Tx: service.tx}.ReadAll(predicates...)
+}
+
 func (service ServiceTx) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	log.Error().Str("func", "EndpointIDByEdgeID").Msg("cannot be called inside a transaction")

--- a/api/dataservices/endpointrelation/endpointrelation_test.go
+++ b/api/dataservices/endpointrelation/endpointrelation_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
 	"github.com/portainer/portainer/api/internal/edge/cache"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -20,7 +21,7 @@ func TestUpdateRelation(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -109,7 +110,7 @@ func TestAddEndpointRelationsForEdgeStack(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -128,7 +129,7 @@ func TestEndpointRelations(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn)
 	require.NoError(t, err)
--- a/api/dataservices/errors/errors.go
+++ b/api/dataservices/errors/errors.go
@@ -6,7 +6,7 @@ import (

 var (
 	ErrObjectNotFound     = errors.New("object not found inside the database")
-	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")
 	ErrDBImportFailed     = errors.New("importing backup failed")
 	ErrDatabaseIsUpdating = errors.New("database is currently in updating state. Failed prior upgrade. Please restore from backup or delete the database and restart Portainer")
 )
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -102,6 +102,9 @@ type (

 	// EndpointService represents a service for managing environment(endpoint) data
 	EndpointService interface {
+		// partial dataservices.BaseCRUD[portainer.Endpoint, portainer.EndpointID]
+		ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error)
+
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
 		EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool)
 		EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error)
@@ -223,6 +226,7 @@ type (
 	UserService interface {
 		BaseCRUD[portainer.User, portainer.UserID]
 		UserByUsername(username string) (*portainer.User, error)
+		UserIDByUsername(username string) (portainer.UserID, error)
 		UsersByRole(role portainer.UserRole) ([]portainer.User, error)
 	}

--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -3,6 +3,7 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
+	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -64,11 +65,9 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 				return nil, stop
 			}

-			for _, subResourceID := range rc.SubResourceIDs {
-				if subResourceID == resourceID {
-					resourceControl = rc
-					return nil, stop
-				}
+			if slices.Contains(rc.SubResourceIDs, resourceID) {
+				resourceControl = rc
+				return nil, stop
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/resourcecontrol/tx.go
+++ b/api/dataservices/resourcecontrol/tx.go
@@ -3,6 +3,7 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
+	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -35,11 +36,9 @@ func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, r
 				return nil, stop
 			}

-			for _, subResourceID := range rc.SubResourceIDs {
-				if subResourceID == resourceID {
-					resourceControl = rc
-					return nil, stop
-				}
+			if slices.Contains(rc.SubResourceIDs, resourceID) {
+				resourceControl = rc
+				return nil, stop
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/ssl/ssl.go
+++ b/api/dataservices/ssl/ssl.go
@@ -31,6 +31,13 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		service: service,
+		tx:      tx,
+	}
+}
+
 // Settings retrieve the ssl settings object.
 func (service *Service) Settings() (*portainer.SSLSettings, error) {
 	var settings portainer.SSLSettings
--- a/api/dataservices/ssl/tx.go
+++ b/api/dataservices/ssl/tx.go
@@ -0,0 +1,31 @@
+package ssl
+
+import (
+	portainer "github.com/portainer/portainer/api"
+)
+
+type ServiceTx struct {
+	service *Service
+	tx      portainer.Transaction
+}
+
+func (service ServiceTx) BucketName() string {
+	return BucketName
+}
+
+// Settings retrieve the settings object.
+func (service ServiceTx) Settings() (*portainer.SSLSettings, error) {
+	var settings portainer.SSLSettings
+
+	err := service.tx.GetObject(BucketName, []byte(key), &settings)
+	if err != nil {
+		return nil, err
+	}
+
+	return &settings, nil
+}
+
+// UpdateSettings persists a Settings object.
+func (service ServiceTx) UpdateSettings(settings *portainer.SSLSettings) error {
+	return service.tx.UpdateObject(BucketName, []byte(key), settings)
+}
--- a/api/dataservices/stack/tests/stack_test.go
+++ b/api/dataservices/stack/tests/stack_test.go
@@ -8,13 +8,13 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/filesystem"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 func newGuidString(t *testing.T) string {
-	uuid, err := uuid.NewV4()
+	uuid, err := uuid.NewRandom()
 	require.NoError(t, err)

 	return uuid.String()
--- a/api/dataservices/user/tx.go
+++ b/api/dataservices/user/tx.go
@@ -36,6 +36,18 @@ func (service ServiceTx) UserByUsername(username string) (*portainer.User, error
 	return nil, err
 }

+func (service ServiceTx) UserIDByUsername(username string) (portainer.UserID, error) {
+	user, err := service.UserByUsername(username)
+	if err != nil {
+		return 0, err
+	}
+
+	if user == nil {
+		return 0, dserrors.ErrObjectNotFound
+	}
+	return user.ID, nil
+}
+
 // UsersByRole return an array containing all the users with the specified role.
 func (service ServiceTx) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/user/user.go
+++ b/api/dataservices/user/user.go
@@ -65,6 +65,18 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 	return nil, err
 }

+func (service *Service) UserIDByUsername(username string) (portainer.UserID, error) {
+	user, err := service.UserByUsername(username)
+	if err != nil {
+		return 0, err
+	}
+
+	if user == nil {
+		return 0, dserrors.ErrObjectNotFound
+	}
+	return user.ID, nil
+}
+
 // UsersByRole return an array containing all the users with the specified role.
 func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/version/tx.go
+++ b/api/dataservices/version/tx.go
@@ -0,0 +1,70 @@
+package version
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/models"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[models.Version, int] // ID is not used
+}
+
+func (tx ServiceTx) InstanceID() (string, error) {
+	v, err := tx.Version()
+	if err != nil {
+		return "", err
+	}
+
+	return v.InstanceID, nil
+}
+
+func (tx ServiceTx) UpdateInstanceID(ID string) error {
+	v, err := tx.Version()
+	if err != nil {
+		if !dataservices.IsErrObjectNotFound(err) {
+			return err
+		}
+
+		v = &models.Version{}
+	}
+
+	v.InstanceID = ID
+
+	return tx.UpdateVersion(v)
+}
+
+func (tx ServiceTx) Edition() (portainer.SoftwareEdition, error) {
+	v, err := tx.Version()
+	if err != nil {
+		return 0, err
+	}
+
+	return portainer.SoftwareEdition(v.Edition), nil
+}
+
+func (tx ServiceTx) Version() (*models.Version, error) {
+	var v models.Version
+
+	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
+	if err != nil {
+		return nil, err
+	}
+
+	return &v, nil
+}
+
+func (tx ServiceTx) UpdateVersion(version *models.Version) error {
+	return tx.Tx.UpdateObject(BucketName, []byte(versionKey), version)
+}
+
+func (tx ServiceTx) SchemaVersion() (string, error) {
+	var v models.Version
+
+	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
+	if err != nil {
+		return "", err
+	}
+
+	return v.SchemaVersion, nil
+}
--- a/api/dataservices/version/version.go
+++ b/api/dataservices/version/version.go
@@ -33,6 +33,16 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[models.Version, int]{
+			Bucket:     BucketName,
+			Connection: service.connection,
+			Tx:         tx,
+		},
+	}
+}
+
 func (service *Service) SchemaVersion() (string, error) {
 	v, err := service.Version()
 	if err != nil {
--- a/api/datastore/backup.go
+++ b/api/datastore/backup.go
@@ -14,33 +14,40 @@ import (
 // corruption and if a path is not given a default is used.
 // The path or an error are returned.
 func (store *Store) Backup(path string) (string, error) {
+	if err := store.Close(); err != nil {
+		return "", fmt.Errorf("failed to close store before backup: %w", err)
+	}
+
+	filename, err := store.backupDBFile(path)
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := store.Open(); err != nil {
+		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
+	}
+
+	return filename, nil
+}
+
+// backupDBFile copies the database file to the backup location.
+// Does not manage connection state - works with the database file directly regardless of connection state.
+func (store *Store) backupDBFile(backupPath string) (string, error) {
 	if err := store.createBackupPath(); err != nil {
 		return "", err
 	}

 	backupFilename := store.backupFilename()
-	if path != "" {
-		backupFilename = path
-	}
-	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msgf("Backing up database")
-
-	// Close the store before backing up
-	err := store.Close()
-	if err != nil {
-		return "", fmt.Errorf("failed to close store before backup: %w", err)
+	if backupPath != "" {
+		backupFilename = backupPath
 	}

-	err = store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true)
-	if err != nil {
+	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msg("Backing up database")
+
+	if err := store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true); err != nil {
 		return "", fmt.Errorf("failed to create backup file: %w", err)
 	}

-	// reopen the store
-	_, err = store.Open()
-	if err != nil {
-		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
-	}
-
 	return backupFilename, nil
 }

@@ -50,15 +57,17 @@ func (store *Store) Restore() error {
 }

 func (store *Store) RestoreFromFile(backupFilename string) error {
-	store.Close()
+	if err := store.Close(); err != nil {
+		return err
+	}
+
 	if err := store.fileService.Copy(backupFilename, store.connection.GetDatabaseFilePath(), true); err != nil {
 		return fmt.Errorf("unable to restore backup file %q. err: %w", backupFilename, err)
 	}

 	log.Info().Str("from", backupFilename).Str("to", store.connection.GetDatabaseFilePath()).Msgf("database restored")

-	_, err := store.Open()
-	if err != nil {
+	if _, err := store.Open(); err != nil {
 		return fmt.Errorf("unable to determine version of restored portainer backup file: %w", err)
 	}

@@ -80,6 +89,7 @@ func (store *Store) createBackupPath() error {
 			return fmt.Errorf("unable to create backup folder: %w", err)
 		}
 	}
+
 	return nil
 }

--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -1,9 +1,11 @@
 package datastore

 import (
+	"os"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/stretchr/testify/require"

@@ -36,8 +38,12 @@ func TestBackup(t *testing.T) {
 			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
 		}
-		store.VersionService.UpdateVersion(&v)
-		store.Backup("")
+
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
+		require.NoError(t, err)

 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
@@ -53,10 +59,14 @@ func TestRestore(t *testing.T) {
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")

-		store.Backup("")
+		_, err := store.Backup("")
+		require.NoError(t, err)
+
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-		store.Restore()
+
+		err = store.Restore()
+		require.NoError(t, err)

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
@@ -66,13 +76,65 @@ func TestRestore(t *testing.T) {
 		// override and set initial db version and edition
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")
-		store.Backup("")
+
+		_, err := store.Backup("")
+		require.NoError(t, err)
+
 		updateVersion(store, "2.14")
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-		store.Restore()
+
+		err = store.Restore()
+		require.NoError(t, err)

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
 	})
 }
+
+func TestBackupDBFile(t *testing.T) {
+	_, store := MustNewTestStore(t, true, false)
+
+	t.Run("creates backup file without managing connection state", func(t *testing.T) {
+		// Verify connection is usable before
+		_, err := store.VersionService.Version()
+		require.NoError(t, err, "connection should be usable before backupDBFile")
+
+		// backupDBFile should work without closing the connection
+		backupFilename, err := store.backupDBFile("")
+		require.NoError(t, err)
+		require.FileExists(t, backupFilename)
+
+		// Verify connection is still usable after (not closed/reopened)
+		_, err = store.VersionService.Version()
+		require.NoError(t, err, "connection should still be usable after backupDBFile")
+
+		require.NoError(t, os.Remove(backupFilename))
+	})
+
+	t.Run("uses custom path when provided", func(t *testing.T) {
+		customPath := t.TempDir() + "/custom-backup.db"
+		backupFilename, err := store.backupDBFile(customPath)
+		require.NoError(t, err)
+		require.Equal(t, customPath, backupFilename)
+		require.FileExists(t, backupFilename)
+	})
+}
+
+func TestBackupDBFileUsesCorrectPath(t *testing.T) {
+	_, store := MustNewTestStore(t, true, false)
+
+	t.Run("backs up unencrypted db when encrypted flag is false", func(t *testing.T) {
+		store.connection.SetEncrypted(false)
+
+		backupFilename, err := store.backupDBFile("")
+		require.NoError(t, err)
+		require.FileExists(t, backupFilename)
+
+		// Verify it backed up the unencrypted file (portainer.db)
+		require.Contains(t, backupFilename, boltdb.DatabaseFileName)
+		require.NotContains(t, backupFilename, boltdb.EncryptedDatabaseFileName)
+
+		require.NoError(t, os.Remove(backupFilename))
+	})
+}
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -32,34 +32,38 @@ func (store *Store) Open() (newStore bool, err error) {
 	}

 	if encryptionReq {
-		backupFilename, err := store.Backup("")
+		// NeedsEncryptionMigration() sets encrypted=true as a side effect when a key exists.
+		// We need to set it back to false so GetDatabaseFilePath() returns the path to the
+		// actual unencrypted file (portainer.db) that we want to back up.
+		store.connection.SetEncrypted(false)
+
+		// Use backupDBFile directly since connection isn't open yet
+		// and we don't want to trigger the close/open cycle of Backup()
+		backupFilename, err := store.backupDBFile("")
 		if err != nil {
 			return false, fmt.Errorf("failed to backup database prior to encrypting: %w", err)
 		}

-		err = store.encryptDB()
-		if err != nil {
-			store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
-			return false, err
+		if err := store.encryptDB(); err != nil {
+			innerErr := store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
+			return false, errors.Join(err, innerErr)
 		}
 	}

-	err = store.connection.Open()
-	if err != nil {
+	if err := store.connection.Open(); err != nil {
 		return false, err
 	}

-	err = store.initServices()
-	if err != nil {
+	if err := store.initServices(); err != nil {
 		return false, err
 	}

 	// If no settings object exists then assume we have a new store
-	_, err = store.SettingsService.Settings()
-	if err != nil {
+	if _, err := store.SettingsService.Settings(); err != nil {
 		if store.IsErrObjectNotFound(err) {
 			return true, nil
 		}
+
 		return false, err
 	}

@@ -72,19 +76,13 @@ func (store *Store) Close() error {

 func (store *Store) UpdateTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.UpdateTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{
-			store: store,
-			tx:    tx,
-		})
+		return fn(&StoreTx{store: store, tx: tx})
 	})
 }

 func (store *Store) ViewTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.ViewTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{
-			store: store,
-			tx:    tx,
-		})
+		return fn(&StoreTx{store: store, tx: tx})
 	})
 }

@@ -99,6 +97,7 @@ func (store *Store) CheckCurrentEdition() error {
 	if store.edition() != portainer.Edition {
 		return portainerErrors.ErrWrongDBEdition
 	}
+
 	return nil
 }

@@ -107,6 +106,7 @@ func (store *Store) edition() portainer.SoftwareEdition {
 	if store.IsErrObjectNotFound(err) {
 		edition = portainer.PortainerCE
 	}
+
 	return edition
 }

@@ -125,13 +125,11 @@ func (store *Store) Rollback(force bool) error {

 func (store *Store) encryptDB() error {
 	store.connection.SetEncrypted(false)
-	err := store.connection.Open()
-	if err != nil {
+	if err := store.connection.Open(); err != nil {
 		return err
 	}

-	err = store.initServices()
-	if err != nil {
+	if err := store.initServices(); err != nil {
 		return err
 	}

@@ -144,8 +142,7 @@ func (store *Store) encryptDB() error {

 	log.Info().Str("filename", exportFilename).Msg("exporting database backup")

-	err = store.Export(exportFilename)
-	if err != nil {
+	if err := store.Export(exportFilename); err != nil {
 		log.Error().Str("filename", exportFilename).Err(err).Msg("failed to export")

 		return err
@@ -154,38 +151,33 @@ func (store *Store) encryptDB() error {
 	log.Info().Msg("database backup exported")

 	// Close existing un-encrypted db so that we can delete the file later
-	store.connection.Close()
-
-	// Tell the db layer to create an encrypted db when opened
-	store.connection.SetEncrypted(true)
-	store.connection.Open()
-
-	// We have to init services before import
-	err = store.initServices()
-	if err != nil {
+	if err := store.connection.Close(); err != nil {
 		return err
 	}

-	err = store.Import(exportFilename)
-	if err != nil {
+	if err := store.Import(exportFilename); err != nil {
+		log.Error().Err(err).Msg("failed to import database backup")
+
 		// Remove the new encrypted file that we failed to import
-		os.Remove(store.connection.GetDatabaseFilePath())
+		if err := os.Remove(store.connection.GetDatabaseFilePath()); err != nil {
+			log.Error().Msg("failed to remove the file after import failure")
+		}

 		log.Fatal().Err(portainerErrors.ErrDBImportFailed).Msg("")
 	}

-	err = os.Remove(oldFilename)
-	if err != nil {
+	if err := os.Remove(oldFilename); err != nil {
 		log.Error().Msg("failed to remove the un-encrypted db file")
 	}

-	err = os.Remove(exportFilename)
-	if err != nil {
+	if err := os.Remove(exportFilename); err != nil {
 		log.Error().Msg("failed to remove the json backup file")
 	}

 	// Close db connection
-	store.connection.Close()
+	if err := store.connection.Close(); err != nil {
+		return err
+	}

 	log.Info().Msg("database successfully encrypted")

--- a/api/datastore/datastore_test.go
+++ b/api/datastore/datastore_test.go
@@ -51,13 +51,13 @@ func TestStoreFull(t *testing.T) {

 func (store *Store) testEnvironments(t *testing.T) {
 	id := store.CreateEndpoint(t, "local", portainer.KubernetesLocalEnvironment, "", true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)

 	id = store.CreateEndpoint(t, "agent", portainer.AgentOnDockerEnvironment, agentOnDockerEnvironmentUrl, true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)

 	id = store.CreateEndpoint(t, "edge", portainer.EdgeAgentOnKubernetesEnvironment, edgeAgentOnKubernetesEnvironmentUrl, true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)
 }

 func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, name, URL string, TLS bool) *portainer.Endpoint {
@@ -90,18 +90,7 @@ func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, n
 }

 func setEndpointAuthorizations(endpoint *portainer.Endpoint) {
-	endpoint.SecuritySettings = portainer.EndpointSecuritySettings{
-		AllowVolumeBrowserForRegularUsers: false,
-		EnableHostManagementFeatures:      false,
-
-		AllowSysctlSettingForRegularUsers:         true,
-		AllowBindMountsForRegularUsers:            true,
-		AllowPrivilegedModeForRegularUsers:        true,
-		AllowHostNamespaceForRegularUsers:         true,
-		AllowContainerCapabilitiesForRegularUsers: true,
-		AllowDeviceMappingForRegularUsers:         true,
-		AllowStackManagementForRegularUsers:       true,
-	}
+	endpoint.SecuritySettings = portainer.DefaultEndpointSecuritySettings()
 }

 func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType portainer.EndpointType, URL string, tls bool) portainer.EndpointID {
@@ -142,7 +131,9 @@ func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType porta
 	}

 	setEndpointAuthorizations(expectedEndpoint)
-	store.Endpoint().Create(expectedEndpoint)
+
+	err := store.Endpoint().Create(expectedEndpoint)
+	require.NoError(t, err)

 	endpoint, err := store.Endpoint().Endpoint(id)
 	require.NoError(t, err, "Endpoint() should not return an error")
@@ -151,13 +142,14 @@ func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType porta
 	return endpoint.ID
 }

-func (store *Store) CreateEndpointRelation(id portainer.EndpointID) {
+func (store *Store) CreateEndpointRelation(t *testing.T, id portainer.EndpointID) {
 	relation := &portainer.EndpointRelation{
 		EndpointID: id,
 		EdgeStacks: map[portainer.EdgeStackID]bool{},
 	}

-	store.EndpointRelation().Create(relation)
+	err := store.EndpointRelation().Create(relation)
+	require.NoError(t, err)
 }

 func (store *Store) testSSLSettings(t *testing.T) {
@@ -169,7 +161,8 @@ func (store *Store) testSSLSettings(t *testing.T) {
 		SelfSigned:  true,
 	}

-	store.SSLSettings().UpdateSettings(ssl)
+	err := store.SSLSettings().UpdateSettings(ssl)
+	require.NoError(t, err)

 	settings, err := store.SSLSettings().Settings()
 	require.NoError(t, err, "Get sslsettings should succeed")
@@ -282,7 +275,8 @@ func (store *Store) testCustomTemplates(t *testing.T) {
 		CreatedByUserID: 10,
 	}

-	customTemplate.Create(expectedTemplate)
+	err := customTemplate.Create(expectedTemplate)
+	require.NoError(t, err)

 	actualTemplate, err := customTemplate.Read(expectedTemplate.ID)
 	require.NoError(t, err, "CustomTemplate should not return an error")
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -31,7 +31,6 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 	settings, err := store.SettingsService.Settings()
 	if store.IsErrObjectNotFound(err) {
 		defaultSettings := &portainer.Settings{
-			EnableTelemetry:      false,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
 			InternalAuthSettings: portainer.InternalAuthSettings{
--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -9,14 +9,15 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/Masterminds/semver"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/datastore/migrator"

+	"github.com/Masterminds/semver/v3"
 	"github.com/google/go-cmp/cmp"
 	"github.com/rs/zerolog/log"
+	"github.com/stretchr/testify/require"
 )

 func TestMigrateData(t *testing.T) {
@@ -53,9 +54,11 @@ func TestMigrateData(t *testing.T) {
 		}

 		testVersion(store, portainer.APIVersion, t)
-		store.Close()
+		err := store.Close()
+		require.NoError(t, err)

-		newStore, _ = store.Open()
+		newStore, err = store.Open()
+		require.NoError(t, err)
 		if newStore {
 			t.Error("Expect store to NOT be new DB")
 		}
@@ -63,8 +66,11 @@ func TestMigrateData(t *testing.T) {

 	t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "1.0", Edition: int(portainer.PortainerCE)})
-		store.MigrateData()
+		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "2.0", Edition: int(portainer.PortainerCE)})
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.NoError(t, err)

 		backupfilename := store.backupFilename()
 		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
@@ -73,21 +79,28 @@ func TestMigrateData(t *testing.T) {
 	})

 	t.Run("MigrateData should recover and restore backup during migration critical failure", func(t *testing.T) {
-		os.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")
+		t.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")

 		version := "2.15"
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
-		store.MigrateData()

-		store.Open()
+		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.Error(t, err)
+
 		testVersion(store, version, t)
 	})

 	t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.StoreIsUpdating(true)
-		store.MigrateData()
+
+		err := store.VersionService.StoreIsUpdating(true)
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.Error(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -115,10 +128,12 @@ func TestMigrateData(t *testing.T) {

 		if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
 			v.MigratorCount = len(latestMigrations.MigrationFuncs)
-			store.VersionService.UpdateVersion(v)
+			err = store.VersionService.UpdateVersion(v)
+			require.NoError(t, err)
 		}

-		store.MigrateData()
+		err = store.MigrateData()
+		require.NoError(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -141,8 +156,12 @@ func TestMigrateData(t *testing.T) {
 		}

 		v.MigratorCount = 1000
-		store.VersionService.UpdateVersion(v)
-		store.MigrateData()
+
+		err = store.VersionService.UpdateVersion(v)
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.NoError(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -158,14 +177,14 @@ func TestRollback(t *testing.T) {
 	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
 		version := "2.11"

-		v := models.Version{
-			SchemaVersion: version,
-		}
+		v := models.Version{SchemaVersion: version}

 		_, store := MustNewTestStore(t, false, false)
-		store.VersionService.UpdateVersion(&v)

-		_, err := store.Backup("")
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -184,7 +203,9 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		store.Open()
+		_, err = store.Open()
+		require.NoError(t, err)
+
 		testVersion(store, version, t)
 	})

@@ -197,9 +218,11 @@ func TestRollback(t *testing.T) {
 		}

 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&v)

-		_, err := store.Backup("")
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -218,7 +241,8 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		store.Open()
+		_, err = store.Open()
+		require.NoError(t, err)
 		testVersion(store, version, t)
 	})
 }
@@ -237,17 +261,17 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	_, store := MustNewTestStore(t, true, false)

 	fmt.Println("store.path=", store.GetConnection().GetDatabaseFilePath())
-	store.connection.DeleteObject("version", []byte("VERSION"))
+
+	err = store.connection.DeleteObject("version", []byte("VERSION"))
+	require.NoError(t, err)

 	//	defer teardown()
-	err = importJSON(t, bytes.NewReader(srcJSON), store)
-	if err != nil {
+	if err := importJSON(t, bytes.NewReader(srcJSON), store); err != nil {
 		return err
 	}

 	// Run the actual migrations on our input database.
-	err = store.MigrateData()
-	if err != nil {
+	if err := store.MigrateData(); err != nil {
 		return err
 	}

@@ -260,8 +284,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 		}

 		v.InstanceID = "463d5c47-0ea5-4aca-85b1-405ceefee254"
-		err = store.VersionService.UpdateVersion(v)
-		if err != nil {
+		if err := store.VersionService.UpdateVersion(v); err != nil {
 			return err
 		}
 	}
@@ -270,10 +293,10 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// exportJson rather than ExportRaw. The exportJson function allows us to
 	// strip out the metadata which we don't want for our tests.
 	// TODO: update connection interface in CE to allow us to use ExportRaw and pass meta false
-	err = store.connection.Close()
-	if err != nil {
+	if err := store.connection.Close(); err != nil {
 		t.Fatalf("err closing bolt connection: %v", err)
 	}
+
 	con, ok := store.connection.(*boltdb.DbConnection)
 	if !ok {
 		t.Fatalf("backing database is not using boltdb, but the migrations test requires it")
@@ -302,11 +325,15 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// Compare the result we got with the one we wanted.
 	if diff := cmp.Diff(wantJSON, gotJSON); diff != "" {
 		gotPath := filepath.Join(os.TempDir(), "portainer-migrator-test-fail.json")
-		os.WriteFile(
+		err = os.WriteFile(
 			gotPath,
 			gotJSON,
 			0o600,
 		)
+		if err != nil {
+			log.Warn().Err(err).Msg("failed writing migrated output to temp file")
+		}
+
 		t.Errorf(
 			"migrate data from %s to %s failed\nwrote migrated input to %s\nmismatch (-want +got):\n%s",
 			srcPath,
--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -105,12 +105,18 @@ func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {

 // finishMigrateLegacyVersion writes the new version to the DB and removes the old version keys from the DB
 func (store *Store) finishMigrateLegacyVersion(versionToWrite *models.Version) error {
-	err := store.VersionService.UpdateVersion(versionToWrite)
+	if err := store.VersionService.UpdateVersion(versionToWrite); err != nil {
+		return err
+	}

 	// Remove legacy keys if present
-	store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey))
-	store.connection.DeleteObject(bucketName, []byte(legacyEditionKey))
-	store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
+	if err := store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey)); err != nil {
+		return err
+	}

-	return err
+	if err := store.connection.DeleteObject(bucketName, []byte(legacyEditionKey)); err != nil {
+		return err
+	}
+
+	return store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
 }
--- a/api/datastore/migrator/migrate_2_33_test.go
+++ b/api/datastore/migrator/migrate_2_33_test.go
@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices/edgegroup"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -15,7 +16,7 @@ func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	edgeGroupService, err := edgegroup.NewService(conn)
 	require.NoError(t, err)
--- a/api/datastore/migrator/migrate_ce.go
+++ b/api/datastore/migrator/migrate_ce.go
@@ -7,7 +7,7 @@ import (
 	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/rs/zerolog/log"
 )

@@ -95,7 +95,7 @@ func (m *Migrator) NeedsMigration() bool {

 	// In this particular instance we should log a fatal error
 	if m.CurrentDBEdition() != portainer.PortainerCE {
-		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")

 		return false
 	}
--- a/api/datastore/migrator/migrate_dbversion24.go
+++ b/api/datastore/migrator/migrate_dbversion24.go
@@ -21,7 +21,6 @@ func (m *Migrator) updateSettingsToDB25() error {
 	}

 	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
-	legacySettings.EnableTelemetry = true

 	legacySettings.AllowContainerCapabilitiesForRegularUsers = true

--- a/api/datastore/migrator/migrate_dbversion31.go
+++ b/api/datastore/migrator/migrate_dbversion31.go
@@ -77,8 +77,12 @@ func (m *Migrator) updateRegistriesToDB32() error {
 				Namespaces:         []string{},
 			}
 		}
-		m.registryService.Update(registry.ID, &registry)
+
+		if err := m.registryService.Update(registry.ID, &registry); err != nil {
+			return err
+		}
 	}
+
 	return nil
 }

@@ -121,10 +125,11 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			if !migrated {
 				// keep this one entry
 				migrated = true
-			} else {
 				// delete subsequent duplicates
-				m.registryService.Delete(r.ID)
+			} else if err := m.registryService.Delete(r.ID); err != nil {
+				return err
 			}
+
 		}
 	}

@@ -138,7 +143,6 @@ func (m *Migrator) updateDockerhubToDB32() error {
 	}

 	for _, endpoint := range endpoints {
-
 		if endpoint.Type != portainer.KubernetesLocalEnvironment &&
 			endpoint.Type != portainer.AgentOnKubernetesEnvironment &&
 			endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment {
@@ -146,18 +150,14 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			userAccessPolicies := portainer.UserAccessPolicies{}
 			for userId := range endpoint.UserAccessPolicies {
 				if _, found := endpoint.UserAccessPolicies[userId]; found {
-					userAccessPolicies[userId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
+					userAccessPolicies[userId] = portainer.AccessPolicy{RoleID: 0}
 				}
 			}

 			teamAccessPolicies := portainer.TeamAccessPolicies{}
 			for teamId := range endpoint.TeamAccessPolicies {
 				if _, found := endpoint.TeamAccessPolicies[teamId]; found {
-					teamAccessPolicies[teamId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
+					teamAccessPolicies[teamId] = portainer.AccessPolicy{RoleID: 0}
 				}
 			}

--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -29,7 +29,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/internal/authorization"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/rs/zerolog/log"
 )

--- a/api/datastore/pendingactions_test.go
+++ b/api/datastore/pendingactions_test.go
@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/api/pendingactions/handlers"
+	"github.com/stretchr/testify/require"
 )

 type cleanNAPWithOverridePolicies struct {
@@ -16,7 +17,10 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 	t.Run("test ConvertCleanNAPWithOverridePoliciesPayload", func(t *testing.T) {

 		_, store := MustNewTestStore(t, true, false)
-		defer store.Close()
+		defer func() {
+			err := store.Close()
+			require.NoError(t, err)
+		}()

 		gid := portainer.EndpointGroupID(1)

@@ -92,7 +96,8 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 				})
 			}

-			store.PendingActions().Delete(d.PendingAction.ID)
+			err = store.PendingActions().Delete(d.PendingAction.ID)
+			require.NoError(t, err)
 		}
 	})
 }
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -1,8 +1,10 @@
 package postinit

 import (
+	"cmp"
 	"context"
 	"fmt"
+	"slices"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -11,6 +13,7 @@ import (
 	dockerClient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/pkg/endpoints"

@@ -43,40 +46,65 @@ func NewPostInitMigrator(

 // PostInitMigrate will run all post-init migrations, which require docker/kube clients for all edge or non-edge environments
 func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {
-	environments, err := postInitMigrator.dataStore.Endpoint().Endpoints()
-	if err != nil {
-		log.Error().Err(err).Msg("Error getting environments")
-		return err
-	}
+	var environments []portainer.Endpoint

-	for _, environment := range environments {
-		// edge environments will run after the server starts, in pending actions
-		if endpoints.IsEdgeEndpoint(&environment) {
-			// Skip edge environments that do not have direct connectivity
-			if !endpoints.HasDirectConnectivity(&environment) {
+	if err := postInitMigrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		if environments, err = tx.Endpoint().ReadAll(func(endpoint portainer.Endpoint) bool {
+			return endpoints.HasDirectConnectivity(&endpoint)
+		}); err != nil {
+			return fmt.Errorf("failed to retrieve environments: %w", err)
+		}
+
+		var pendingActions []portainer.PendingAction
+		if pendingActions, err = tx.PendingActions().ReadAll(func(action portainer.PendingAction) bool {
+			return action.Action == actions.PostInitMigrateEnvironment
+		}); err != nil {
+			return fmt.Errorf("failed to retrieve pending actions: %w", err)
+		}
+
+		// Sort for the binary search in createPostInitMigrationPendingAction()
+		slices.SortFunc(pendingActions, func(a, b portainer.PendingAction) int {
+			return cmp.Compare(a.EndpointID, b.EndpointID)
+		})
+
+		for _, environment := range environments {
+			if !endpoints.IsEdgeEndpoint(&environment) {
 				continue
 			}

+			// Edge environments will run after the server starts, in pending actions
 			log.Info().
 				Int("endpoint_id", int(environment.ID)).
 				Msg("adding pending action 'PostInitMigrateEnvironment' for environment")

-			if err := postInitMigrator.createPostInitMigrationPendingAction(environment.ID); err != nil {
+			if err := postInitMigrator.createPostInitMigrationPendingAction(tx, environment.ID, pendingActions); err != nil {
 				log.Error().
 					Err(err).
 					Int("endpoint_id", int(environment.ID)).
 					Msg("error creating pending action for environment")
 			}
-		} else {
-			// Non-edge environments will run before the server starts.
-			if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
-				log.Error().
-					Err(err).
-					Int("endpoint_id", int(environment.ID)).
-					Msg("error running post-init migrations for non-edge environment")
-			}
 		}

+		return err
+	}); err != nil {
+		log.Error().Err(err).Msg("error running post-init migrations")
+
+		return err
+	}
+
+	for _, environment := range environments {
+		if endpoints.IsEdgeEndpoint(&environment) {
+			continue
+		}
+
+		// Non-edge environments will run before the server starts.
+		if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error running post-init migrations for non-edge environment")
+		}
 	}

 	return nil
@@ -84,56 +112,73 @@ func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {

 // try to create a post init migration pending action. If it already exists, do nothing
 // this function exists for readability, not reusability
-func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(environmentID portainer.EndpointID) error {
+// pending actions must be passed in ascending order by endpoint ID
+func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(tx dataservices.DataStoreTx, environmentID portainer.EndpointID, pendingActions []portainer.PendingAction) error {
 	action := portainer.PendingAction{
 		EndpointID: environmentID,
 		Action:     actions.PostInitMigrateEnvironment,
 	}
-	pendingActions, err := postInitMigrator.dataStore.PendingActions().ReadAll()
-	if err != nil {
-		return fmt.Errorf("failed to retrieve pending actions: %w", err)
+
+	if _, found := slices.BinarySearchFunc(pendingActions, environmentID, func(e portainer.PendingAction, id portainer.EndpointID) int {
+		return cmp.Compare(e.EndpointID, id)
+	}); found {
+		log.Debug().
+			Str("action", action.Action).
+			Int("endpoint_id", int(action.EndpointID)).
+			Msg("pending action already exists for environment, skipping...")
+
+		return nil
 	}

-	for _, dba := range pendingActions {
-		if dba.EndpointID == action.EndpointID && dba.Action == action.Action {
-			log.Debug().
-				Str("action", action.Action).
-				Int("endpoint_id", int(action.EndpointID)).
-				Msg("pending action already exists for environment, skipping...")
-			return nil
-		}
-	}
-
-	return postInitMigrator.dataStore.PendingActions().Create(&action)
+	return tx.PendingActions().Create(&action)
 }

 // MigrateEnvironment runs migrations on a single environment
 func (migrator *PostInitMigrator) MigrateEnvironment(environment *portainer.Endpoint) error {
-	log.Info().Msgf("Executing post init migration for environment %d", environment.ID)
+	log.Info().
+		Int("endpoint_id", int(environment.ID)).
+		Msg("executing post init migration for environment")

 	switch {
 	case endpointutils.IsKubernetesEndpoint(environment):
 		// get the kubeclient for the environment, and skip all kube migrations if there's an error
 		kubeclient, err := migrator.kubeFactory.GetPrivilegedKubeClient(environment)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error creating kubeclient for environment: %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error creating kubeclient for environment")
+
 			return err
 		}
-		// if one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
-		err = migrator.MigrateIngresses(*environment, kubeclient)
-		if err != nil {
+
+		// If one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
+		if err := migrator.MigrateIngresses(*environment, kubeclient); err != nil {
 			return err
 		}
+
 		return nil
 	case endpointutils.IsDockerEndpoint(environment):
 		// get the docker client for the environment, and skip all docker migrations if there's an error
 		dockerClient, err := migrator.dockerFactory.CreateClient(environment, "", nil)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error creating docker client for environment: %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error creating docker client for environment")
+
+			return err
+		}
+		defer logs.CloseAndLogErr(dockerClient)
+
+		if err := migrator.MigrateGPUs(*environment, dockerClient); err != nil {
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error migrating GPUs for environment")
+
 			return err
 		}
-		defer dockerClient.Close()
-		migrator.MigrateGPUs(*environment, dockerClient)
 	}

 	return nil
@@ -144,13 +189,20 @@ func (migrator *PostInitMigrator) MigrateIngresses(environment portainer.Endpoin
 	if !environment.PostInitMigrations.MigrateIngresses {
 		return nil
 	}
-	log.Debug().Msgf("Migrating ingresses for environment %d", environment.ID)

-	err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient)
-	if err != nil {
-		log.Error().Err(err).Msgf("Error migrating ingresses for environment %d", environment.ID)
+	log.Debug().
+		Int("endpoint_id", int(environment.ID)).
+		Msg("migrating ingresses for environment")
+
+	if err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient); err != nil {
+		log.Error().
+			Err(err).
+			Int("endpoint_id", int(environment.ID)).
+			Msg("error migrating ingresses for environment")
+
 		return err
 	}
+
 	return nil
 }

@@ -160,29 +212,42 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 	return migrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
 		environment, err := tx.Endpoint().Endpoint(e.ID)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error getting environment %d", e.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(e.ID)).
+				Msg("error getting environment")
+
 			return err
 		}
+
 		// Early exit if we do not need to migrate!
 		if !environment.PostInitMigrations.MigrateGPUs {
 			return nil
 		}
-		log.Debug().Msgf("Migrating GPUs for environment %d", e.ID)

-		// get all containers
+		log.Debug().
+			Int("endpoint_id", int(e.ID)).
+			Msg("migrating GPUs for environment")
+
+		// Get all containers
 		containers, err := dockerClient.ContainerList(context.Background(), container.ListOptions{All: true})
 		if err != nil {
-			log.Error().Err(err).Msgf("failed to list containers for environment %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("failed to list containers for environment")
+
 			return err
 		}

-		// check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
+		// Check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
 	containersLoop:
 		for _, container := range containers {
 			// https://www.sobyte.net/post/2022-10/go-docker/ has nice documentation on the docker client with GPUs
 			containerDetails, err := dockerClient.ContainerInspect(context.Background(), container.ID)
 			if err != nil {
 				log.Error().Err(err).Msg("failed to inspect container")
+
 				continue
 			}

@@ -196,10 +261,14 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 			}
 		}

-		// set the MigrateGPUs flag to false so we don't run this again
+		// Set the MigrateGPUs flag to false so we don't run this again
 		environment.PostInitMigrations.MigrateGPUs = false
 		if err := tx.Endpoint().UpdateEndpoint(environment.ID, environment); err != nil {
-			log.Error().Err(err).Msgf("Error updating EnableGPUManagement flag for environment %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error updating EnableGPUManagement flag for environment")
+
 			return err
 		}

--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -391,16 +391,16 @@ type storeExport struct {
 	ResourceControl    []portainer.ResourceControl    `json:"resource_control,omitempty"`
 	Role               []portainer.Role               `json:"roles,omitempty"`
 	Schedules          []portainer.Schedule           `json:"schedules,omitempty"`
-	Settings           portainer.Settings             `json:"settings,omitempty"`
+	Settings           portainer.Settings             `json:"settings,omitzero"`
 	Snapshot           []portainer.Snapshot           `json:"snapshots,omitempty"`
-	SSLSettings        portainer.SSLSettings          `json:"ssl,omitempty"`
+	SSLSettings        portainer.SSLSettings          `json:"ssl,omitzero"`
 	Stack              []portainer.Stack              `json:"stacks,omitempty"`
 	Tag                []portainer.Tag                `json:"tags,omitempty"`
 	TeamMembership     []portainer.TeamMembership     `json:"team_membership,omitempty"`
 	Team               []portainer.Team               `json:"teams,omitempty"`
-	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitempty"`
+	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitzero"`
 	User               []portainer.User               `json:"users,omitempty"`
-	Version            models.Version                 `json:"version,omitempty"`
+	Version            models.Version                 `json:"version,omitzero"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
 	Metadata           map[string]any                 `json:"metadata,omitempty"`
 }
@@ -625,85 +625,129 @@ func (store *Store) Import(filename string) (err error) {
 		return err
 	}

-	store.Version().UpdateVersion(&backup.Version)
+	err = store.Version().UpdateVersion(&backup.Version)
+	if err != nil {
+		return err
+	}

 	for _, v := range backup.CustomTemplate {
-		store.CustomTemplate().Update(v.ID, &v)
+		if err := store.CustomTemplate().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the custom template in the database")
+		}
 	}

 	for _, v := range backup.EdgeGroup {
-		store.EdgeGroup().Update(v.ID, &v)
+		if err := store.EdgeGroup().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge group in the database")
+		}
 	}

 	for _, v := range backup.EdgeJob {
-		store.EdgeJob().Update(v.ID, &v)
+		if err := store.EdgeJob().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge job in the database")
+		}
 	}

 	for _, v := range backup.EdgeStack {
-		store.EdgeStack().UpdateEdgeStack(v.ID, &v)
+		if err := store.EdgeStack().UpdateEdgeStack(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge stack in the database")
+		}
 	}

 	for _, v := range backup.Endpoint {
-		store.Endpoint().UpdateEndpoint(v.ID, &v)
+		if err := store.Endpoint().UpdateEndpoint(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint in the database")
+		}
 	}

 	for _, v := range backup.EndpointGroup {
-		store.EndpointGroup().Update(v.ID, &v)
+		if err := store.EndpointGroup().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint group in the database")
+		}
 	}

 	for _, v := range backup.EndpointRelation {
-		store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v)
+		if err := store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint relation in the database")
+		}
 	}

 	for _, v := range backup.HelmUserRepository {
-		store.HelmUserRepository().Update(v.ID, &v)
+		if err := store.HelmUserRepository().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the helm user repository in the database")
+		}
 	}

 	for _, v := range backup.Registry {
-		store.Registry().Update(v.ID, &v)
+		if err := store.Registry().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the registry in the database")
+		}
 	}

 	for _, v := range backup.ResourceControl {
-		store.ResourceControl().Update(v.ID, &v)
+		if err := store.ResourceControl().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the resource control in the database")
+		}
 	}

 	for _, v := range backup.Role {
-		store.Role().Update(v.ID, &v)
+		if err := store.Role().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the role in the database")
+		}
 	}

-	store.Settings().UpdateSettings(&backup.Settings)
-	store.SSLSettings().UpdateSettings(&backup.SSLSettings)
+	if err := store.Settings().UpdateSettings(&backup.Settings); err != nil {
+		log.Warn().Err(err).Msg("failed to update the settings in the database")
+	}
+
+	if err := store.SSLSettings().UpdateSettings(&backup.SSLSettings); err != nil {
+		log.Warn().Err(err).Msg("failed to update the SSL settings in the database")
+	}

 	for _, v := range backup.Snapshot {
-		store.Snapshot().Update(v.EndpointID, &v)
+		if err := store.Snapshot().Update(v.EndpointID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the snapshot in the database")
+		}
 	}

 	for _, v := range backup.Stack {
-		store.Stack().Update(v.ID, &v)
+		if err := store.Stack().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the stack in the database")
+		}
 	}

 	for _, v := range backup.Tag {
-		store.Tag().Update(v.ID, &v)
+		if err := store.Tag().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the tag in the database")
+		}
 	}

 	for _, v := range backup.TeamMembership {
-		store.TeamMembership().Update(v.ID, &v)
+		if err := store.TeamMembership().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the team membership in the database")
+		}
 	}

 	for _, v := range backup.Team {
-		store.Team().Update(v.ID, &v)
+		if err := store.Team().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the team in the database")
+		}
 	}

-	store.TunnelServer().UpdateInfo(&backup.TunnelServer)
+	if err := store.TunnelServer().UpdateInfo(&backup.TunnelServer); err != nil {
+		log.Warn().Err(err).Msg("failed to update the tunnel server info in the database")
+	}

 	for _, user := range backup.User {
 		if err := store.User().Update(user.ID, &user); err != nil {
-			log.Debug().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
+			log.Warn().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
 		}
 	}

 	for _, v := range backup.Webhook {
-		store.Webhook().Update(v.ID, &v)
+		if err := store.Webhook().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the webhook in the database")
+		}
 	}

 	return store.connection.RestoreMetadata(backup.Metadata)
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -74,7 +74,9 @@ func (tx *StoreTx) Snapshot() dataservices.SnapshotService {
 	return tx.store.SnapshotService.Tx(tx.tx)
 }

-func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService { return nil }
+func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService {
+	return tx.store.SSLSettingsService.Tx(tx.tx)
+}

 func (tx *StoreTx) Stack() dataservices.StackService {
 	return tx.store.StackService.Tx(tx.tx)
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -89,6 +89,7 @@
        "allowDeviceMappingForRegularUsers": true,
        "allowHostNamespaceForRegularUsers": true,
        "allowPrivilegedModeForRegularUsers": true,
+        "allowSecurityOptForRegularUsers": false,
        "allowStackManagementForRegularUsers": true,
        "allowSysctlSettingForRegularUsers": false,
        "allowVolumeBrowserForRegularUsers": false,
@@ -603,7 +604,6 @@
    "EdgeAgentCheckinInterval": 5,
    "EdgePortainerUrl": "",
    "EnableEdgeComputeFeatures": false,
-    "EnableTelemetry": true,
    "EnforceEdgeID": false,
    "FeatureFlagSettings": null,
    "GlobalDeploymentOptions": {
@@ -614,7 +614,7 @@
      "RequiredPasswordLength": 12
    },
    "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.36.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.39.0",
    "LDAPSettings": {
      "AnonymousMode": true,
      "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.36.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.39.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  },
  "webhooks": null
 }
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -11,6 +11,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/rs/zerolog/log"

 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
@@ -143,11 +144,16 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)

 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		resp.Body.Close()
+		if err := resp.Body.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close response body")
+		}
+
 		return resp, err
 	}

-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Warn().Err(err).Msg("failed to close response body")
+	}

 	resp.Body = io.NopCloser(bytes.NewReader(body))

--- a/api/docker/container.go
+++ b/api/docker/container.go
@@ -8,8 +8,9 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/docker/images"
+	"github.com/portainer/portainer/api/logs"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
@@ -75,7 +76,7 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	if err != nil {
 		return nil, errors.Wrap(err, "create client error")
 	}
-	defer cli.Close()
+	defer logs.CloseAndLogErr(cli)

 	log.Debug().Str("container_id", containerId).Msg("starting to fetch container information")

@@ -146,13 +147,19 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", containerId).Str("container", container.Name).Msg("restoring the container")
-		cli.ContainerRename(ctx, containerId, container.Name)
-
-		for _, network := range container.NetworkSettings.Networks {
-			cli.NetworkConnect(ctx, network.NetworkID, containerId, network)
+		if err := cli.ContainerRename(ctx, containerId, container.Name); err != nil {
+			log.Warn().Err(err).Msg("failure to rename container")
 		}

-		cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{})
+		for _, network := range container.NetworkSettings.Networks {
+			if err := cli.NetworkConnect(ctx, network.NetworkID, containerId, network); err != nil {
+				log.Warn().Err(err).Msg("failure to connect container to network")
+			}
+		}
+
+		if err := cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to start container")
+		}
 	})

 	log.Debug().Str("container", strings.Split(container.Name, "/")[1]).Msg("starting to create a new container")
@@ -175,8 +182,14 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", create.ID).Msg("removing the new container")
-		cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{})
-		cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{})
+
+		if err := cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to stop container")
+		}
+
+		if err := cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to remove container")
+		}
 	})

 	if err != nil {
--- a/api/docker/images/puller.go
+++ b/api/docker/images/puller.go
@@ -5,6 +5,7 @@ import (
 	"io"

 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
@@ -42,7 +43,7 @@ func (puller *Puller) Pull(ctx context.Context, img Image) error {
 	if err != nil {
 		return err
 	}
-	defer out.Close()
+	defer logs.CloseAndLogErr(out)

 	_, err = io.ReadAll(out)

--- a/api/docker/images/status.go
+++ b/api/docker/images/status.go
@@ -280,13 +280,7 @@ func contains(statuses []Status, status Status) bool {
 		return false
 	}

-	for _, s := range statuses {
-		if s == status {
-			return true
-		}
-	}
-
-	return false
+	return slices.Contains(statuses, status)
 }

 func allMatch(statuses []Status, status Status) bool {
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -3,6 +3,7 @@ package docker
 import (
 	portainer "github.com/portainer/portainer/api"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/pkg/snapshot"
 )

@@ -24,7 +25,7 @@ func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*p
 	if err != nil {
 		return nil, err
 	}
-	defer cli.Close()
+	defer logs.CloseAndLogErr(cli)

 	return snapshot.CreateDockerSnapshot(cli)
 }
--- a/api/docker/stats/container_stats.go
+++ b/api/docker/stats/container_stats.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"sync"

+	"github.com/containerd/containerd/errdefs"
 	"github.com/docker/docker/api/types/container"
 )

@@ -35,8 +36,10 @@ func CalculateContainerStats(ctx context.Context, cli DockerClient, isSwarm bool
 	var aggErr error
 	var aggMu sync.Mutex

+	var processedCount int
 	for i := range containers {
 		id := containers[i].ID
+
 		semaphore <- struct{}{}
 		wg.Go(func() {
 			defer func() { <-semaphore }()
@@ -44,8 +47,17 @@ func CalculateContainerStats(ctx context.Context, cli DockerClient, isSwarm bool
 			containerInspection, err := cli.ContainerInspect(ctx, id)
 			stat := ContainerStats{}
 			if err != nil {
+				if errdefs.IsNotFound(err) {
+					// An edge case is reported that Docker can list containers with no names,
+					// but when inspecting a container with specific ID and it is not found.
+					// In this case, we can safely ignore the error.
+					// ref@https://linear.app/portainer/issue/BE-12567/500-error-when-loading-docker-dashboard-in-portainer
+					return
+				}
+
 				aggMu.Lock()
 				aggErr = errors.Join(aggErr, err)
+				processedCount++
 				aggMu.Unlock()
 				return
 			}
@@ -56,6 +68,7 @@ func CalculateContainerStats(ctx context.Context, cli DockerClient, isSwarm bool
 			stopped += stat.Stopped
 			healthy += stat.Healthy
 			unhealthy += stat.Unhealthy
+			processedCount++
 			mu.Unlock()
 		})
 	}
@@ -67,7 +80,7 @@ func CalculateContainerStats(ctx context.Context, cli DockerClient, isSwarm bool
 		Stopped:   stopped,
 		Healthy:   healthy,
 		Unhealthy: unhealthy,
-		Total:     len(containers),
+		Total:     processedCount,
 	}, aggErr
 }

--- a/api/docker/stats/container_stats_test.go
+++ b/api/docker/stats/container_stats_test.go
@@ -3,9 +3,11 @@ package stats
 import (
 	"context"
 	"errors"
+	"fmt"
 	"testing"
 	"time"

+	"github.com/containerd/containerd/errdefs"
 	"github.com/docker/docker/api/types/container"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -37,6 +39,7 @@ func TestCalculateContainerStats(t *testing.T) {
 		{ID: "container8"},
 		{ID: "container9"},
 		{ID: "container10"},
+		{ID: "container11"},
 	}

 	// Setup mock expectations with different container states to test various scenarios
@@ -58,7 +61,6 @@ func TestCalculateContainerStats(t *testing.T) {
 		{"container10", container.StateDead, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
 	}

-	expected := ContainerStats{}
 	// Setup mock expectations for all containers with artificial delays to simulate real Docker calls
 	for _, state := range containerStates {
 		mockClient.On("ContainerInspect", mock.Anything, state.id).Return(container.InspectResponse{
@@ -68,15 +70,12 @@ func TestCalculateContainerStats(t *testing.T) {
 					Health: state.health,
 				},
 			},
-		}, nil).After(50 * time.Millisecond) // Simulate 50ms Docker API call
-
-		expected.Running += state.expected.Running
-		expected.Stopped += state.expected.Stopped
-		expected.Healthy += state.expected.Healthy
-		expected.Unhealthy += state.expected.Unhealthy
-		expected.Total++
+		}, nil).After(30 * time.Millisecond) // Simulate 30ms Docker API call
 	}

+	// Setup mock expectation for a container that returns NotFound error
+	mockClient.On("ContainerInspect", mock.Anything, "container11").Return(container.InspectResponse{}, fmt.Errorf("No such container: %w", errdefs.ErrNotFound)).After(50 * time.Millisecond)
+
 	// Call the function and measure time
 	startTime := time.Now()
 	stats, err := CalculateContainerStats(context.Background(), mockClient, false, containers)
@@ -84,11 +83,10 @@ func TestCalculateContainerStats(t *testing.T) {
 	duration := time.Since(startTime)

 	// Assert results
-	assert.Equal(t, expected, stats)
-	assert.Equal(t, expected.Running, stats.Running)
-	assert.Equal(t, expected.Stopped, stats.Stopped)
-	assert.Equal(t, expected.Healthy, stats.Healthy)
-	assert.Equal(t, expected.Unhealthy, stats.Unhealthy)
+	assert.Equal(t, 6, stats.Running)
+	assert.Equal(t, 4, stats.Stopped)
+	assert.Equal(t, 2, stats.Healthy)
+	assert.Equal(t, 2, stats.Unhealthy)
 	assert.Equal(t, 10, stats.Total)

 	// Verify concurrent processing by checking that all mock calls were made
--- a/api/edge/edge.go
+++ b/api/edge/edge.go
@@ -77,6 +77,9 @@ type (
 		// CreatedByUserId is the user ID that created this stack
 		// Used for adding labels to Kubernetes manifests
 		CreatedByUserId string
+
+		// HelmConfig represents the Helm configuration for an edge stack
+		HelmConfig portainer.HelmConfig
 	}

 	DeployerOptionsPayload struct {
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -13,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory"
 	"github.com/portainer/portainer/api/internal/registryutils"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	"github.com/portainer/portainer/pkg/libstack"

@@ -180,7 +181,7 @@ func createEnvFile(stack *portainer.Stack) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer envfile.Close()
+	defer logs.CloseAndLogErr(envfile)

 	// Copy from default .env file
 	defaultEnvPath := path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint), ".env")
@@ -205,13 +206,14 @@ func copyDefaultEnvFile(w io.Writer, defaultEnvFilePath string) error {
 		return nil
 	}

-	defer defaultEnvFile.Close()
+	defer logs.CloseAndLogErr(defaultEnvFile)

 	if _, err = io.Copy(w, defaultEnvFile); err == nil {
 		if _, err = fmt.Fprintf(w, "\n"); err != nil {
 			return fmt.Errorf("failed to copy default env file: %w", err)
 		}
 	}
+
 	return nil
 	// If couldn't copy the .env file, then ignore the error and try to continue
 }
@@ -223,6 +225,7 @@ func copyConfigEnvVars(w io.Writer, envs []portainer.Pair) error {
 			return fmt.Errorf("failed to copy config env vars: %w", err)
 		}
 	}
+
 	return nil
 }

--- a/api/exec/compose_stack_integration_test.go
+++ b/api/exec/compose_stack_integration_test.go
@@ -11,6 +11,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	"github.com/portainer/portainer/pkg/testhelpers"
+	"github.com/stretchr/testify/require"

 	"github.com/rs/zerolog/log"
 )
@@ -25,8 +26,11 @@ const composedContainerName = "compose_wrapper_test"
 func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 	dir := t.TempDir()
 	composeFileName := "compose_wrapper_test.yml"
-	f, _ := os.Create(filepath.Join(dir, composeFileName))
-	f.WriteString(composeFile)
+	f, err := os.Create(filepath.Join(dir, composeFileName))
+	require.NoError(t, err)
+
+	_, err = f.WriteString(composeFile)
+	require.NoError(t, err)

 	stack := &portainer.Stack{
 		ProjectPath: dir,
@@ -34,11 +38,7 @@ func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 		Name:        "project-name",
 	}

-	endpoint := &portainer.Endpoint{
-		URL: "unix://",
-	}
-
-	return stack, endpoint
+	return stack, &portainer.Endpoint{URL: "unix://"}
 }

 func Test_UpAndDown(t *testing.T) {
--- a/api/exec/compose_stack_test.go
+++ b/api/exec/compose_stack_test.go
@@ -71,7 +71,9 @@ func Test_createEnvFile(t *testing.T) {

 func Test_createEnvFile_mergesDefultAndInplaceEnvVars(t *testing.T) {
 	dir := t.TempDir()
-	os.WriteFile(path.Join(dir, ".env"), []byte("VAR1=VAL1\nVAR2=VAL2\n"), 0600)
+	err := os.WriteFile(path.Join(dir, ".env"), []byte("VAR1=VAL1\nVAR2=VAL2\n"), 0600)
+	require.NoError(t, err)
+
 	stack := &portainer.Stack{
 		ProjectPath: dir,
 		Env: []portainer.Pair{
@@ -83,8 +85,12 @@ func Test_createEnvFile_mergesDefultAndInplaceEnvVars(t *testing.T) {
 	assert.Equal(t, filepath.Join(stack.ProjectPath, "stack.env"), result)
 	require.NoError(t, err)
 	assert.FileExists(t, path.Join(dir, "stack.env"))
-	f, _ := os.Open(path.Join(dir, "stack.env"))
-	content, _ := io.ReadAll(f)
+
+	f, err := os.Open(path.Join(dir, "stack.env"))
+	require.NoError(t, err)
+
+	content, err := io.ReadAll(f)
+	require.NoError(t, err)

 	assert.Equal(t, []byte("VAR1=VAL1\nVAR2=VAL2\n\nVAR1=NEW_VAL1\nVAR3=VAL3\n"), content)
 }
--- a/api/exec/kubernetes_deploy.go
+++ b/api/exec/kubernetes_deploy.go
@@ -111,8 +111,8 @@ func (deployer *KubernetesDeployer) command(operation string, userID portainer.U
 	}

 	operations := map[string]func(context.Context, []string) (string, error){
-		"apply":  client.Apply,
-		"delete": client.Delete,
+		"apply":  client.ApplyDynamic,
+		"delete": client.DeleteDynamic,
 	}

 	operationFunc, ok := operations[operation]
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -183,7 +183,7 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, config
 		if !endpoint.TLSConfig.TLSSkipVerify {
 			args = append(args, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
 		} else {
-			args = append(args, "--tlscacert", "''")
+			args = append(args, "--tlscacert", "")
 		}

 		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {
--- a/api/exec/swarm_stack_test.go
+++ b/api/exec/swarm_stack_test.go
@@ -3,7 +3,9 @@ package exec
 import (
 	"testing"

+	portainer "github.com/portainer/portainer/api"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestConfigFilePaths(t *testing.T) {
@@ -13,3 +15,29 @@ func TestConfigFilePaths(t *testing.T) {
 	output := configureFilePaths(args, filePaths)
 	assert.ElementsMatch(t, expected, output, "wrong output file paths")
 }
+
+func TestPrepareDockerCommandAndArgs(t *testing.T) {
+	binaryPath := "/test/dist"
+	configPath := "/test/config"
+	manager := &SwarmStackManager{
+		binaryPath: binaryPath,
+		configPath: configPath,
+	}
+
+	endpoint := &portainer.Endpoint{
+		URL: "tcp://test:9000",
+		TLSConfig: portainer.TLSConfiguration{
+			TLS:           true,
+			TLSSkipVerify: true,
+		},
+	}
+
+	command, args, err := manager.prepareDockerCommandAndArgs(binaryPath, configPath, endpoint)
+	require.NoError(t, err)
+
+	expectedCommand := "/test/dist/docker"
+	expectedArgs := []string{"--config", "/test/config", "-H", "tcp://test:9000", "--tls", "--tlscacert", ""}
+
+	require.Equal(t, expectedCommand, command)
+	require.Equal(t, expectedArgs, args)
+}
--- a/api/filesystem/copy.go
+++ b/api/filesystem/copy.go
@@ -6,6 +6,8 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/portainer/portainer/api/logs"
 )

 // CopyPath copies file or directory defined by the path to the toDir path
@@ -14,6 +16,8 @@ func CopyPath(path string, toDir string) error {
 	if err != nil && errors.Is(err, os.ErrNotExist) {
 		// skip copy if file does not exist
 		return nil
+	} else if err != nil {
+		return err
 	}

 	if !info.IsDir() {
@@ -65,7 +69,7 @@ func copyFile(src, dst string) error {
 	if err != nil {
 		return err
 	}
-	defer from.Close()
+	defer logs.CloseAndLogErr(from)

 	// has to include 'execute' bit, otherwise fails. MkdirAll follows `mkdir -m` restrictions
 	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
@@ -75,7 +79,7 @@ func copyFile(src, dst string) error {
 	if err != nil {
 		return err
 	}
-	defer to.Close()
+	defer logs.CloseAndLogErr(to)

 	_, err = io.Copy(to, from)
 	return err
--- a/api/filesystem/copy_test.go
+++ b/api/filesystem/copy_test.go
@@ -19,12 +19,15 @@ func Test_copyFile_returnsError_whenSourceDoesNotExist(t *testing.T) {
 func Test_copyFile_shouldMakeAbackup(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	os.WriteFile(path.Join(tmpdir, "origin"), content, 0600)

-	err := copyFile(path.Join(tmpdir, "origin"), path.Join(tmpdir, "copy"))
+	err := os.WriteFile(path.Join(tmpdir, "origin"), content, 0600)
 	require.NoError(t, err)

-	copyContent, _ := os.ReadFile(path.Join(tmpdir, "copy"))
+	err = copyFile(path.Join(tmpdir, "origin"), path.Join(tmpdir, "copy"))
+	require.NoError(t, err)
+
+	copyContent, err := os.ReadFile(path.Join(tmpdir, "copy"))
+	require.NoError(t, err)
 	assert.Equal(t, content, copyContent)
 }

@@ -59,10 +62,14 @@ func Test_CopyPath_shouldSkipWhenNotExist(t *testing.T) {
 func Test_CopyPath_shouldCopyFile(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	os.WriteFile(path.Join(tmpdir, "file"), content, 0600)

-	os.MkdirAll(path.Join(tmpdir, "backup"), 0700)
-	err := CopyPath(path.Join(tmpdir, "file"), path.Join(tmpdir, "backup"))
+	err := os.WriteFile(path.Join(tmpdir, "file"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.MkdirAll(path.Join(tmpdir, "backup"), 0700)
+	require.NoError(t, err)
+
+	err = CopyPath(path.Join(tmpdir, "file"), path.Join(tmpdir, "backup"))
 	require.NoError(t, err)

 	copyContent, err := os.ReadFile(path.Join(tmpdir, "backup", "file"))
@@ -79,3 +86,20 @@ func Test_CopyPath_shouldCopyDir(t *testing.T) {
 	assert.FileExists(t, filepath.Join(destination, "copy_test", "dir", ".dotfile"))
 	assert.FileExists(t, filepath.Join(destination, "copy_test", "dir", "inner"))
 }
+
+func TestCopyPathPanic(t *testing.T) {
+	dir := t.TempDir()
+	p := filepath.Join(dir, "myfile")
+
+	err := os.WriteFile(p, []byte("contents"), 0644)
+	require.NoError(t, err)
+
+	err = os.Chmod(dir, 0)
+	require.NoError(t, err)
+
+	err = CopyPath(p, t.TempDir())
+	require.Error(t, err)
+
+	err = os.Chmod(dir, 0755)
+	require.NoError(t, err)
+}
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -12,8 +12,9 @@ import (
 	"strings"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/logs"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 )
@@ -194,7 +195,7 @@ func (service *Service) Copy(fromFilePath string, toFilePath string, deleteIfExi
 		return err
 	}

-	defer finput.Close()
+	defer logs.CloseAndLogErr(finput)

 	exists, err = service.FileExists(toFilePath)
 	if err != nil {
@@ -217,7 +218,7 @@ func (service *Service) Copy(fromFilePath string, toFilePath string, deleteIfExi
 		return err
 	}

-	defer foutput.Close()
+	defer logs.CloseAndLogErr(foutput)

 	buf := make([]byte, 1024)
 	for {
@@ -702,7 +703,7 @@ func (service *Service) createPEMFileInStore(content []byte, fileType, filePath
 	if err != nil {
 		return err
 	}
-	defer out.Close()
+	defer logs.CloseAndLogErr(out)

 	return pem.Encode(out, block)
 }
@@ -811,7 +812,7 @@ func (service *Service) getEdgeJobTaskLogPath(edgeJobID string, taskID string) s

 // GetTemporaryPath returns a temp folder
 func (service *Service) GetTemporaryPath() (string, error) {
-	uid, err := uuid.NewV4()
+	uid, err := uuid.NewRandom()
 	if err != nil {
 		return "", err
 	}
@@ -1008,7 +1009,7 @@ func CreateFile(path string, r io.Reader) error {
 		return err
 	}

-	defer out.Close()
+	defer logs.CloseAndLogErr(out)

 	_, err = io.Copy(out, r)
 	return err
--- a/api/filesystem/filesystem_fileexists_test.go
+++ b/api/filesystem/filesystem_fileexists_test.go
@@ -30,11 +30,12 @@ func Test_FileExists_whenFileNotExistsShouldReturnFalse(t *testing.T) {
 }

 func testHelperFileExists_fileExists(t *testing.T, checker func(path string) (bool, error)) {
-	file, err := os.CreateTemp("", t.Name())
+	file, err := os.CreateTemp(t.TempDir(), t.Name())
 	require.NoError(t, err, "CreateTemp should not fail")

 	t.Cleanup(func() {
-		os.RemoveAll(file.Name())
+		err := os.RemoveAll(file.Name())
+		require.NoError(t, err)
 	})

 	exists, err := checker(file.Name())
--- a/api/filesystem/filesystem_move_test.go
+++ b/api/filesystem/filesystem_move_test.go
@@ -58,12 +58,14 @@ func Test_movePath_succesIfOverwriteSetWhenDestinationDirExists(t *testing.T) {
 func Test_movePath_successWhenSourceExistsAndDestinationIsMissing(t *testing.T) {
 	tmp := t.TempDir()
 	sourceDir := path.Join(tmp, "source")
-	os.Mkdir(sourceDir, 0766)
+	err := os.Mkdir(sourceDir, 0766)
+	require.NoError(t, err)
+
 	file1 := addFile(t, sourceDir, "dir", "file")
 	file2 := addFile(t, sourceDir, "file")
 	destinationDir := path.Join(tmp, "destination")

-	err := MoveDirectory(sourceDir, destinationDir, false)
+	err = MoveDirectory(sourceDir, destinationDir, false)
 	require.NoError(t, err)
 	assert.NoFileExists(t, file1, "source dir contents should be moved")
 	assert.NoFileExists(t, file2, "source dir contents should be moved")
--- a/api/filesystem/filesystem_test.go
+++ b/api/filesystem/filesystem_test.go
@@ -15,7 +15,8 @@ func createService(t *testing.T) *Service {
 	require.NoError(t, err, "NewService should not fail")

 	t.Cleanup(func() {
-		os.RemoveAll(dataStorePath)
+		err := os.RemoveAll(dataStorePath)
+		require.NoError(t, err)
 	})

 	return service
--- a/api/filesystem/serialize.go
+++ b/api/filesystem/serialize.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"

 	"golang.org/x/mod/semver"
@@ -27,11 +28,8 @@ func FilterDirForEntryFile(dirEntries []DirEntry, entryFile string) []DirEntry {
 	for _, dirEntry := range dirEntries {
 		match := false
 		if dirEntry.IsFile {
-			for _, filter := range filters {
-				if filter == dirEntry.Name {
-					match = true
-					break
-				}
+			if slices.Contains(filters, dirEntry.Name) {
+				match = true
 			}
 		} else {
 			for _, filter := range filters {
@@ -167,3 +165,21 @@ func DecodeDirEntries(dirEntries []DirEntry) error {

 	return nil
 }
+
+// GetDirEntriesByFilenames returns the dir entries that are files and match the provided filenames
+func GetDirEntriesByFilenames(dirEntries []DirEntry, names []string) []DirEntry {
+	var filteredDirEntries []DirEntry
+
+	for _, dirEntry := range dirEntries {
+		if !dirEntry.IsFile {
+			continue
+		}
+		for _, name := range names {
+			if dirEntry.Name == name {
+				filteredDirEntries = append(filteredDirEntries, dirEntry)
+			}
+		}
+	}
+
+	return filteredDirEntries
+}
--- a/api/filesystem/serialize_per_dev_configs.go
+++ b/api/filesystem/serialize_per_dev_configs.go
@@ -30,6 +30,20 @@ func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, mu
 	return deduplicate(filteredDirEntries), envFiles
 }

+// MultiFilterDirForPerDevConfigsWithDefaults filers the given dirEntries with multiple filter args, returns the merged entries for the given device
+// and always includes the defaultFilenames
+func MultiFilterDirForPerDevConfigsWithDefaults(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, defaultFilenames []string) ([]DirEntry, []string) {
+
+	filteredDirEntries, envFiles := MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+
+	// Add files that should always be included
+	// e.g. entrypoint files
+	defaultDirEntries := GetDirEntriesByFilenames(dirEntries, defaultFilenames)
+	filteredDirEntries = append(filteredDirEntries, defaultDirEntries...)
+
+	return deduplicate(filteredDirEntries), envFiles
+}
+
 func deduplicate(dirEntries []DirEntry) []DirEntry {
 	var deduplicatedDirEntries []DirEntry

--- a/api/filesystem/serialize_per_dev_configs_test.go
+++ b/api/filesystem/serialize_per_dev_configs_test.go
@@ -49,8 +49,11 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 	f(
 		baseDirEntries,
 		"configs",
-		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"folder1", portainer.PerDevConfigsTypeDir},
+		},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[5], baseDirEntries[6]},
 	)

 	// Filter file1 and file2
@@ -76,6 +79,106 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 	)
 }

+func TestMultiFilterDirForPerDevConfigsWithDefaults(t *testing.T) {
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, defaultFilenames []string, wantDirEntries []DirEntry) {
+		t.Helper()
+
+		dirEntries, _ = MultiFilterDirForPerDevConfigsWithDefaults(dirEntries, configPath, multiFilterArgs, defaultFilenames)
+		require.Equal(t, wantDirEntries, dirEntries)
+	}
+
+	baseDirEntries := []DirEntry{
+		{".env", "", true, 420},
+		{"docker-compose.yaml", "", true, 420},
+		{"configs", "", false, 420},
+		{"configs/file1.conf", "", true, 420},
+		{"configs/file2.conf", "", true, 420},
+		{"configs/folder1", "", false, 420},
+		{"configs/folder1/config1", "", true, 420},
+		{"configs/folder2", "", false, 420},
+		{"configs/folder2/config2", "", true, 420},
+		{"configs/docker-compose-2.yaml", "", true, 420},
+		{"configs/folder2/docker-compose-3.yaml", "", true, 420},
+	}
+
+	// Filter file1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
+		nil,
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	)
+
+	// Filter folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		nil,
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"folder1", portainer.PerDevConfigsTypeDir},
+		},
+		nil,
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and file2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"file2", portainer.PerDevConfigsTypeFile},
+		},
+		nil,
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
+	)
+
+	// Filter folder1 and folder2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"folder1", portainer.PerDevConfigsTypeDir},
+			{"folder2", portainer.PerDevConfigsTypeDir},
+		},
+		nil,
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8], baseDirEntries[10]},
+	)
+
+	// Filter file1 and folder1 and docker-compose-2.yaml
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"folder1", portainer.PerDevConfigsTypeDir},
+		},
+		[]string{"configs/docker-compose-2.yaml"},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[5], baseDirEntries[6], baseDirEntries[9]},
+	)
+
+	// Filter file1 and docker-compose-3.yaml
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+		},
+		[]string{"configs/folder2/docker-compose-3.yaml"},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[10]},
+	)
+}
+
 func TestMultiFilterDirForPerDevConfigsEnvFiles(t *testing.T) {
 	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantEnvFiles []string) {
 		t.Helper()
@@ -120,3 +223,15 @@ func TestIsInConfigDir(t *testing.T) {
 	f(DirEntry{Name: "edgestacktest/edge-configs/standalone-edge-agent-async"}, "edgestacktest/edge-configs", true)
 	f(DirEntry{Name: "edgestacktest/edge-configs/abc.txt"}, "edgestacktest/edge-configs", true)
 }
+
+func TestShouldIncludeDir(t *testing.T) {
+	f := func(dirEntry DirEntry, deviceName, configPath string, expect bool) {
+		t.Helper()
+
+		actual := shouldIncludeDir(dirEntry, deviceName, configPath)
+		assert.Equal(t, expect, actual)
+	}
+
+	f(DirEntry{Name: "app/blue-app", IsFile: false}, "blue-app", "app", true)
+	f(DirEntry{Name: "app/blue-app/values.yaml", IsFile: true}, "blue-app", "app", true)
+}
--- a/api/filesystem/write.go
+++ b/api/filesystem/write.go
@@ -5,6 +5,7 @@ import (
 	"path/filepath"

 	"github.com/pkg/errors"
+	"github.com/portainer/portainer/api/logs"
 )

 // WriteToFile creates a file in the filesystem storage
@@ -17,7 +18,7 @@ func WriteToFile(dst string, content []byte) error {
 	if err != nil {
 		return errors.Wrapf(err, "failed to open a file %q", dst)
 	}
-	defer file.Close()
+	defer logs.CloseAndLogErr(file)

 	_, err = file.Write(content)
 	return errors.Wrapf(err, "failed to write a file %q", dst)
--- a/api/git/azure.go
+++ b/api/git/azure.go
@@ -13,6 +13,8 @@ import (
 	"github.com/portainer/portainer/api/archive"
 	"github.com/portainer/portainer/api/crypto"
 	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/api/logs"
+	"github.com/rs/zerolog/log"

 	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/pkg/errors"
@@ -76,10 +78,13 @@ func (a *azureClient) download(ctx context.Context, destination string, opt clon
 	if err != nil {
 		return errors.Wrap(err, "failed to download a zip file from Azure DevOps")
 	}
-	defer os.Remove(zipFilepath)
+	defer func() {
+		if err := os.Remove(zipFilepath); err != nil {
+			log.Warn().Err(err).Msg("failed to remove temporary zip file")
+		}
+	}()

-	err = archive.UnzipFile(zipFilepath, destination)
-	if err != nil {
+	if err := archive.UnzipFile(zipFilepath, destination); err != nil {
 		return errors.Wrap(err, "failed to unzip file")
 	}

@@ -102,7 +107,7 @@ func (a *azureClient) downloadZipFromAzureDevOps(ctx context.Context, opt cloneO
 		return "", errors.WithMessage(err, "failed to create temp file")
 	}

-	defer zipFile.Close()
+	defer logs.CloseAndLogErr(zipFile)

 	req, err := http.NewRequestWithContext(ctx, "GET", downloadUrl, nil)
 	if opt.username != "" || opt.password != "" {
@@ -123,14 +128,17 @@ func (a *azureClient) downloadZipFromAzureDevOps(ctx context.Context, opt cloneO
 		return "", errors.WithMessage(err, "failed to make an HTTP request")
 	}

-	defer res.Body.Close()
+	defer func() {
+		if err := res.Body.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close response body")
+		}
+	}()

 	if res.StatusCode != http.StatusOK {
 		return "", fmt.Errorf("failed to download zip with a status \"%v\"", res.Status)
 	}

-	_, err = io.Copy(zipFile, res.Body)
-	if err != nil {
+	if _, err := io.Copy(zipFile, res.Body); err != nil {
 		return "", errors.WithMessage(err, "failed to save HTTP response to a file")
 	}

@@ -175,7 +183,11 @@ func (a *azureClient) getRootItem(ctx context.Context, opt fetchOption) (*azureI
 	if err != nil {
 		return nil, errors.WithMessage(err, "failed to make an HTTP request")
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close response body")
+		}
+	}()

 	if resp.StatusCode != http.StatusOK {
 		return nil, checkAzureStatusCode(fmt.Errorf("failed to get repository root item with a status \"%v\"", resp.Status), resp.StatusCode)
@@ -365,12 +377,12 @@ const (
 )

 func formatReferenceName(name string) string {
-	if strings.HasPrefix(name, branchPrefix) {
-		return strings.TrimPrefix(name, branchPrefix)
+	if after, ok := strings.CutPrefix(name, branchPrefix); ok {
+		return after
 	}

-	if strings.HasPrefix(name, tagPrefix) {
-		return strings.TrimPrefix(name, tagPrefix)
+	if after, ok := strings.CutPrefix(name, tagPrefix); ok {
+		return after
 	}

 	return name
@@ -417,7 +429,11 @@ func (a *azureClient) listRefs(ctx context.Context, opt baseOption) ([]string, e
 	if err != nil {
 		return nil, errors.WithMessage(err, "failed to make an HTTP request")
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close response body")
+		}
+	}()

 	if resp.StatusCode != http.StatusOK {
 		return nil, checkAzureStatusCode(fmt.Errorf("failed to list refs with a status \"%v\"", resp.Status), resp.StatusCode)
@@ -477,7 +493,11 @@ func (a *azureClient) listFiles(ctx context.Context, opt fetchOption) ([]string,
 	if err != nil {
 		return nil, errors.WithMessage(err, "failed to make an HTTP request")
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close response body")
+		}
+	}()

 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("failed to list tree url with a status \"%v\"", resp.Status)
--- a/api/git/azure_integration_test.go
+++ b/api/git/azure_integration_test.go
@@ -139,8 +139,12 @@ func TestService_ListRefs_Azure_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)

-	go service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
-	service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	go func() {
+		_, _ = service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	}()
+
+	_, err := service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	require.NoError(t, err)

 	time.Sleep(2 * time.Second)
 }
@@ -153,6 +157,7 @@ func TestService_ListFiles_Azure(t *testing.T) {
 		err          error
 		matchedCount int
 	}
+
 	service := newService(context.TODO(), 0, 0)
 	accessToken := getRequiredValue(t, "AZURE_DEVOPS_PAT")
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
@@ -289,6 +294,7 @@ func TestService_ListFiles_Azure(t *testing.T) {
 				tt.extensions,
 				false,
 			)
+
 			if tt.expect.shouldFail {
 				require.Error(t, err)
 				if tt.expect.err != nil {
@@ -311,18 +317,21 @@ func TestService_ListFiles_Azure_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)

-	go service.ListFiles(
-		privateAzureRepoURL,
-		"refs/heads/main",
-		username,
-		accessToken,
-		gittypes.GitCredentialAuthType_Basic,
-		false,
-		false,
-		[]string{},
-		false,
-	)
-	service.ListFiles(
+	go func() {
+		_, _ = service.ListFiles(
+			privateAzureRepoURL,
+			"refs/heads/main",
+			username,
+			accessToken,
+			gittypes.GitCredentialAuthType_Basic,
+			false,
+			false,
+			[]string{},
+			false,
+		)
+	}()
+
+	_, err := service.ListFiles(
 		privateAzureRepoURL,
 		"refs/heads/main",
 		username,
@@ -333,6 +342,7 @@ func TestService_ListFiles_Azure_Concurrently(t *testing.T) {
 		[]string{},
 		false,
 	)
+	require.NoError(t, err)

 	time.Sleep(2 * time.Second)
 }
@@ -342,6 +352,7 @@ func getRequiredValue(t *testing.T, name string) string {
 	if !ok {
 		t.Fatalf("can't find required env var \"%s\"", name)
 	}
+
 	return value
 }

--- a/api/git/azure_test.go
+++ b/api/git/azure_test.go
@@ -333,13 +333,12 @@ func Test_azureDownloader_latestCommitID(t *testing.T) {
 		  ]
 		}`
 		w.Header().Set("Content-Type", "application/json")
-		w.Write([]byte(response))
+
+		_, _ = w.Write([]byte(response))
 	}))
 	defer server.Close()

-	a := &azureClient{
-		baseUrl: server.URL,
-	}
+	a := &azureClient{baseUrl: server.URL}

 	tests := []struct {
 		name    string
@@ -421,7 +420,7 @@ func Test_cloneRepository_azure(t *testing.T) {
 			git := &testRepoManager{}

 			s := &Service{azure: azure, git: git}
-			s.cloneRepository("", cloneOption{
+			err := s.cloneRepository("", cloneOption{
 				fetchOption: fetchOption{
 					baseOption: baseOption{

@@ -430,6 +429,7 @@ func Test_cloneRepository_azure(t *testing.T) {
 				},
 				depth: 1,
 			})
+			require.NoError(t, err)

 			// if azure API is called, git isn't and vice versa
 			assert.Equal(t, tt.called, azure.called)
--- a/api/git/git_integration_test.go
+++ b/api/git/git_integration_test.go
@@ -82,8 +82,12 @@ func TestService_ListRefs_Github_Concurrently(t *testing.T) {
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)

 	repositoryUrl := privateGitRepoURL
-	go service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
-	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	go func() {
+		_, _ = service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	}()
+
+	_, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	require.NoError(t, err)

 	time.Sleep(2 * time.Second)
 }
@@ -255,18 +259,21 @@ func TestService_ListFiles_Github_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)

-	go service.ListFiles(
-		repositoryUrl,
-		"refs/heads/main",
-		username,
-		accessToken,
-		gittypes.GitCredentialAuthType_Basic,
-		false,
-		false,
-		[]string{},
-		false,
-	)
-	service.ListFiles(
+	go func() {
+		_, _ = service.ListFiles(
+			repositoryUrl,
+			"refs/heads/main",
+			username,
+			accessToken,
+			gittypes.GitCredentialAuthType_Basic,
+			false,
+			false,
+			[]string{},
+			false,
+		)
+	}()
+
+	_, err := service.ListFiles(
 		repositoryUrl,
 		"refs/heads/main",
 		username,
@@ -277,6 +284,7 @@ func TestService_ListFiles_Github_Concurrently(t *testing.T) {
 		[]string{},
 		false,
 	)
+	require.NoError(t, err)

 	time.Sleep(2 * time.Second)
 }
@@ -289,8 +297,10 @@ func TestService_purgeCache_Github(t *testing.T) {
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	service := NewService(context.TODO())

-	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
-	service.ListFiles(
+	_, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	require.NoError(t, err)
+
+	_, err = service.ListFiles(
 		repositoryUrl,
 		"refs/heads/main",
 		username,
@@ -301,6 +311,7 @@ func TestService_purgeCache_Github(t *testing.T) {
 		[]string{},
 		false,
 	)
+	require.NoError(t, err)

 	assert.Equal(t, 1, service.repoRefCache.Len())
 	assert.Equal(t, 1, service.repoFileCache.Len())
@@ -320,8 +331,9 @@ func TestService_purgeCacheByTTL_Github(t *testing.T) {
 	// 40*timeout is designed for giving enough time for ListRefs and ListFiles to cache the result
 	service := newService(context.TODO(), 2, 40*timeout)

-	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
-	service.ListFiles(
+	_, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	require.NoError(t, err)
+	_, err = service.ListFiles(
 		repositoryUrl,
 		"refs/heads/main",
 		username,
@@ -332,6 +344,7 @@ func TestService_purgeCacheByTTL_Github(t *testing.T) {
 		[]string{},
 		false,
 	)
+	require.NoError(t, err)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 	assert.Equal(t, 1, service.repoFileCache.Len())

--- a/Show More
+++ b/Show More