Upgrade a service safely

Service	What to watch
Redmine	Major versions need `rake db:migrate`. Sometimes plugins need re-install.
Mattermost	Postgres schema migrations automatic. Sometimes plugins (calls, board) need re-config.
Authentik	Has its own migration system; usually clean. Major versions occasionally rotate signing keys → re-run `just sso-fix-all`.
ERPNext	Frappe runs `bench migrate` on startup. Major versions can take 30+ min on a large dataset.
n8n	Workflow format usually stable. Major versions sometimes deprecate node types — check the changelog.
Wiki.js	DB migration automatic. Theming/code injection (e.g. Mermaid 11 via `configure-mermaid.ts`) may need re-application — see the release-run script for #3901 as an example.
Postgres	NEVER bump major versions without a planned dump → restore. PMA pins postgres versions per service for this reason.

¶ Upgrade a service safely