diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 193272b0..5e2d086d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -102,8 +102,10 @@ jobs: # 如果有旧 Tag,生成 "Tag-CommitHash" 格式 echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" else - echo "SOURCE_VERSION=${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" - echo "⚠️ No tags found in repository. Using version: dev-${SOURCE_COMMIT:0:8}" + # echo "SOURCE_VERSION=${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" + # echo "⚠️ No tags found in repository. Using version: dev-${SOURCE_COMMIT:0:8}" + echo "SOURCE_VERSION=1.35.4-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" + fi fi # Login to Docker Hub @@ -161,13 +163,13 @@ jobs: run: | # # Check if there is a GitHub Container Registry Login and use it for caching - if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then - echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}" - echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" - else - echo "BAKE_CACHE_FROM=" - echo "BAKE_CACHE_TO=" - fi + #if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then + # echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH}" | tee -a "${GITHUB_ENV}" + # echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}-${NORMALIZED_ARCH},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" + #else + echo "BAKE_CACHE_FROM=" + echo "BAKE_CACHE_TO=" + #fi # - name: Generate tags 
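Review bot: The fallback branch of the first hunk hard-codes `1.35.4` into `SOURCE_VERSION`, so every build from a repository without tags is labelled as that release whatever source is actually checked out. A version string that can drift from the code makes it hard to tell whether a deployed binary contains a given security fix. Keep the prefix in one maintained place, for example a workflow-level `env` entry (the name `FALLBACK_VERSION` is illustrative), and write `echo "SOURCE_VERSION=${FALLBACK_VERSION}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"`. The two commented-out `echo` lines should be deleted rather than kept, and the dropped "No tags found" warning is worth retaining so the log shows when the fallback was used. The enclosing `if` starts outside the hunk.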
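Review bot: With the `HAVE_GHCR_LOGIN` conditional commented out in the second hunk, the step only prints `BAKE_CACHE_FROM=` and `BAKE_CACHE_TO=` to the log. Neither `echo` is piped to `tee -a "${GITHUB_ENV}"`, so the step sets nothing. Since a later hunk also removes the `*.cache-from` and `*.cache-to` lines that consumed these values, delete the whole step instead of leaving commented shell behind. The step's `- name:` line is outside the hunk.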
@@ -198,13 +200,11 @@ jobs: source: . files: docker/docker-bake.hcl targets: "${{ matrix.base_image }}-multi" + no-cache: true set: | - *.cache-from=${{ env.BAKE_CACHE_FROM }} - *.cache-to=${{ env.BAKE_CACHE_TO }} *.platform=linux/${{ matrix.arch }} ${{ env.TAGS }} *.output=type=local,dest=./output - *.output=type=image,push-by-digest=true,name-canonical=true,push=true - name: Extract digest SHA env: 
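Review bot: Removing `*.output=type=image,push-by-digest=true,name-canonical=true,push=true` means this bake step no longer pushes an image, yet the `Extract digest SHA` step right after it and the `merge-manifests` job further down the file are left in place. Their bodies are not in this hunk, so this is inferred, but if they still read a digest from the bake result they will fail or operate on nothing on every run. Remove them or gate them with an `if:` in the same change, so the workflow says plainly that it now only produces a local `./output` directory. `no-cache: true` also makes every run a full rebuild, which deserves a one-line comment giving the reason.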
@@ -238,16 +238,52 @@ jobs: mv ./output/vaultwarden vaultwarden-"${NORMALIZED_ARCH}" # Upload artifacts to Github Actions and Attest the binaries - - name: Attest binaries - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 - with: - subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }} - - - name: Upload binaries as artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + #- name: Attest binaries + # uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 + # with: + # subject-path: vaultwarden-${{ env.NORMALIZED_ARCH }} + + #- name: Upload binaries as artifacts + # uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + # with: + # name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }} + # path: vaultwarden-${{ env.NORMALIZED_ARCH }} + + # --- 修改开始:整理文件并打包成 TAR --- + - name: Prepare and Tar Minimal Files + env: + NORMALIZED_ARCH: ${{ env.NORMALIZED_ARCH }} + BASE_IMAGE: ${{ matrix.base_image }} + SOURCE_VERSION: ${{ env.SOURCE_VERSION }} + run: | + # 定义临时文件夹名称 + TEMP_DIR="vaultwarden-${SOURCE_VERSION}-linux-${NORMALIZED_ARCH}-${BASE_IMAGE}" + mkdir -p "${TEMP_DIR}" + du -ah + echo "Copying essential files to ${TEMP_DIR}..." + + # 4. 
打包成 .tar.gz + TARBALL_NAME="${TEMP_DIR}.tar.gz" + echo "Creating tarball: ${TARBALL_NAME}" + tar -czvf "${TARBALL_NAME}" vaultwarden-${{ env.NORMALIZED_ARCH }} ./output/web-vault/ ./output/healthcheck.sh ./output/start.sh + + # 显示包大小 + ls -lh "${TARBALL_NAME}" + du -sh "${TEMP_DIR}" + + # 导出变量供上传步骤使用 + echo "TARBALL_NAME=${TARBALL_NAME}" >> "${GITHUB_ENV}" + echo "ARTIFACT_NAME=${TEMP_DIR}-tar" >> "${GITHUB_ENV}" + + # --- 修改结束:上传 TAR 包 --- + - name: Upload Vaultwarden Tarball + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f with: - name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-${{ env.NORMALIZED_ARCH }}-${{ matrix.base_image }} - path: vaultwarden-${{ env.NORMALIZED_ARCH }} + name: ${{ env.ARTIFACT_NAME }} + path: ${{ env.TARBALL_NAME }} + retention-days: 5 + # 如果包很大,可以开启分片压缩 (可选) + # compression-level: 6 merge-manifests: name: Merge manifests diff --git a/docker/DockerSettings.yaml b/docker/DockerSettings.yaml index 7b4a9af7..9a896999 100644 --- a/docker/DockerSettings.yaml +++ b/docker/DockerSettings.yaml @@ -6,7 +6,7 @@ vault_image_digest: "sha256:062fcf0d5dc37247dae61b0ee1ba5d20f9296e290d7ad1f6114e # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags xx_image_digest: "sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707" rust_version: 1.93.1 # Rust version to be used -debian_version: trixie # Debian release name to be used +debian_version: bookworm # Debian release name to be used alpine_version: "3.23" # Alpine version to be used # For which platforms/architectures will we try to build images platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index 8796dedb..ce63350e 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian 
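Review bot: The tarball is uploaded with no provenance: the `Attest binaries` step is commented out and nothing replaces it, so a consumer of the artifact can no longer verify that it was built by this workflow from this commit. Keep the `actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0` step, move it after the tar step and point it at the new file with `subject-path: ${{ env.TARBALL_NAME }}`. In the `tar` line, `${{ env.NORMALIZED_ARCH }}` is interpolated into the script text although the step already exports `NORMALIZED_ARCH`; `"vaultwarden-${NORMALIZED_ARCH}"` keeps expression values out of the shell source. The `upload-artifact` pin also lost its `# v6.0.0` comment, which makes the SHA harder to audit. Finally, `TEMP_DIR` is created but nothing is copied into it, so the closing `du -sh "${TEMP_DIR}"` reports an empty directory.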
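Review bot: `debian_version` goes from `trixie` back to `bookworm` with no comment saying why, and the same downgrade is repeated in both `FROM` lines of `docker/Dockerfile.debian`. An older base means the build and runtime images track an older package set, so the reason should be recorded next to the setting, for example `# bookworm: <reason for staying on the older release>`. If `Dockerfile.debian` is generated from these settings (not visible on this page), regenerate it rather than editing it by hand so the two cannot drift apart.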
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c64defb9ed5a91eacb37f ########################## BUILD IMAGE ########################## # hadolint ignore=DL3006 -FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.93.1-slim-trixie AS build +FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.93.1-slim-bookworm AS build COPY --from=xx / / ARG TARGETARCH ARG TARGETVARIANT @@ -161,7 +161,7 @@ RUN source /env-cargo && \ # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' # # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 -FROM --platform=$TARGETPLATFORM docker.io/library/debian:trixie-slim +FROM --platform=$TARGETPLATFORM docker.io/library/debian:bookworm-slim ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ diff --git a/src/db/models/org_policy.rs b/src/db/models/org_policy.rs index 0607f146..96811a2b 100644 --- a/src/db/models/org_policy.rs +++ b/src/db/models/org_policy.rs @@ -269,7 +269,7 @@ impl OrgPolicy { continue; } - if let Some(user) = Membership::find_by_user_and_org(user_uuid, &policy.org_uuid, conn).await { + if let Some(user) = Membership::find_confirmed_by_user_and_org(user_uuid, &policy.org_uuid, conn).await { if user.atype < MembershipType::Admin { return true; }
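Review bot: Switching the lookup to `Membership::find_confirmed_by_user_and_org` changes who the policy applies to. Going by the name, a membership that exists but is not yet confirmed now yields `None`, the `return true` is skipped, and the method reports the policy as not applicable for that organisation. That is an enforcement change in an access-policy check, it arrives in a commit otherwise about packaging, and it carries no comment or test. If exempting unconfirmed members is intended, say so above the lookup, e.g. `// Only confirmed members are bound by this policy; unconfirmed memberships are skipped on purpose.`, and add a test covering a confirmed and an unconfirmed member; otherwise keep `find_by_user_and_org`. The method starts and ends outside the hunk, so the query that feeds the loop is not visible here.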