diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 09d4374..013922d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -21,10 +21,10 @@ test: image: roadiz/php-runner:8.4.13-bookworm stage: test interruptible: true - only: - - develop - - tags - - merge_requests + rules: + - if: '$CI_COMMIT_BRANCH == "develop"' + - if: '$CI_COMMIT_TAG' + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' cache: key: ${CI_COMMIT_REF_SLUG} paths: @@ -59,8 +59,8 @@ build_develop: stage: build image: docker:git interruptible: true - only: - - develop + rules: + - if: '$CI_COMMIT_BRANCH == "develop"' services: - docker:dind variables: @@ -79,8 +79,8 @@ build_develop: build_tag: stage: build image: docker:git - only: - - tags + rules: + - if: '$CI_COMMIT_TAG' services: - docker:dind variables: @@ -107,8 +107,8 @@ build_tag: deploy_develop: stage: deploy image: alpine:3.21 - only: - - develop + rules: + - if: '$CI_COMMIT_BRANCH == "develop"' needs: - build_develop interruptible: true @@ -145,7 +145,7 @@ deploy_production: create_gitlab_release: stage: release - image: registry.gitlab.com/gitlab-org/release-cli:latest + image: registry.gitlab.com/gitlab-org/cli:latest rules: - if: $CI_COMMIT_TAG script: diff --git a/CHANGELOG.md b/CHANGELOG.md index ebc59b2..4f9835b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
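Review bot: The `create_gitlab_release` job now pulls `registry.gitlab.com/gitlab-org/cli:latest`, which to my knowledge ships the `glab` binary rather than `release-cli`, so the job's `script:` (it begins at the end of this hunk and is not shown) must be rewritten from `release-cli create …` to `glab release create …` if it still invokes the old tool; please confirm. An unpinned `:latest` on the release job also means the tool that cuts releases can change underneath you without a commit — pin a version tag or a digest, e.g. `image: registry.gitlab.com/gitlab-org/cli:<pinned version>` (placeholder), as the test image `roadiz/php-runner:8.4.13-bookworm` already is. Minor style point: the new rules quote the expression (`- if: '$CI_COMMIT_TAG'`) while the existing release rule writes `- if: $CI_COMMIT_TAG`; both parse, but pick one form for the file.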
@@ -2,6 +2,18 @@ All notable changes to project will be documented in this file. +## [2.7.0](https://github.com/roadiz/skeleton/compare/v2.6.5...2.7.0) - 2026-01-23 + +### Bug Fixes + +- update PHP version, adjust user/group handling in Dockerfiles, remove sudo on Docker images and remove cache-clear in production entrypoint - ([057e43f](https://github.com/roadiz/skeleton/commit/057e43f974ac36c3abab8bf1c4a6d9b36c0a8748)) - Ambroise Maupate +- add cache warmup for production environment in entrypoint scripts - ([29601d4](https://github.com/roadiz/skeleton/commit/29601d447a75add0bd38444cb9207bce91da5db8)) - Ambroise Maupate + +### CI/CD + +- update CI rules for branch and tag handling - ([ea8b5a8](https://github.com/roadiz/skeleton/commit/ea8b5a85e3dc8912cee35691ee5766e87c037bde)) - Ambroise Maupate +- update release-cli image in CI configuration - ([edc3962](https://github.com/roadiz/skeleton/commit/edc396209529309dce01f396561eea96e8f01f26)) - Ambroise Maupate + ## [2.6.5](https://github.com/roadiz/skeleton/compare/v2.6.4...2.6.5) - 2025-10-23 ### Bug Fixes diff --git a/Dockerfile b/Dockerfile index 35a0d43..ea9fb44 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -ARG PHP_VERSION=8.4.13 +ARG PHP_VERSION=8.5.1 ARG MYSQL_VERSION=8.4.7 -ARG NGINX_VERSION=1.28.0 +ARG NGINX_VERSION=1.28.1 ARG MARIADB_VERSION=11.8.3 ARG VARNISH_VERSION=7.7.3 @@ -11,7 +11,7 @@ ARG GID=${UID} # PHP - FRANKENPHP # #################### -FROM dunglas/frankenphp:php${PHP_VERSION}-bookworm AS php-franken +FROM dunglas/frankenphp:php${PHP_VERSION}-trixie AS php-franken LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com, eliot@rezo-zero.com" 
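Review bot: The runtime images move to PHP `8.5.1` on `trixie` (`FROM dunglas/frankenphp:php${PHP_VERSION}-trixie AS php-franken`), but the CI `test` job in `.gitlab-ci.yml` earlier in this diff still runs on `roadiz/php-runner:8.4.13-bookworm`, so the test suite no longer exercises the PHP minor or the distro that production ships. Either bump the runner image to a matching tag in the same change, or record the gap next to the argument, e.g. `# keep in sync with the test image in .gitlab-ci.yml`. Whether `composer.json` constrains the PHP platform version is not visible in this diff.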
@@ -33,15 +33,13 @@ apt-get --quiet --yes --purge --autoremove upgrade apt-get --quiet --yes --no-install-recommends --verbose-versions install \ acl \ less \ - sudo \ git \ ffmpeg rm -rf /var/lib/apt/lists/* # User -addgroup --gid ${UID} php +addgroup --gid ${GID} php adduser --home /home/php --shell /bin/bash --uid ${UID} --gecos php --ingroup php --disabled-password php -echo "php ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/php # App install --verbose --owner php --group php --mode 0755 --directory /app @@ -105,6 +103,9 @@ VOLUME /app FROM php-franken AS php-prod-franken +ARG UID +ARG GID + ENV XDEBUG_MODE=off ENV APP_ENV=prod ENV APP_RUNTIME_ENV=prod @@ -124,15 +125,15 @@ CMD ["--config", "/etc/frankenphp/Caddyfile", "--adapter", "caddyfile"] USER php # Composer -COPY --link --chown=php:php composer.* symfony.* ./ +COPY --link --chown=${UID}:${GID} composer.json composer.lock symfony.lock ./ RUN < /etc/sudoers.d/php # App install --verbose --owner php --group php --mode 0755 --directory /app @@ -263,6 +263,9 @@ USER php FROM php AS php-prod +ARG UID +ARG GID + # If you depend on private Gitlab repositories, you must use a deploy token and username #ARG COMPOSER_DEPLOY_TOKEN #ARG COMPOSER_DEPLOY_TOKEN_USER="gitlab+deploy-token-1" @@ -282,14 +285,14 @@ COPY --link --chmod=755 docker/php/docker-migrate-entrypoint /usr/local/bin/dock USER php # Composer -COPY --link --chown=php:php composer.* symfony.* ./ +COPY --link --chown=${UID}:${GID} composer.json composer.lock symfony.lock ./ RUN < /etc/sudoers.d/nginx # App install --verbose --owner nginx --group nginx --mode 0755 --directory /app 
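Review bot: `COPY --link --chown=${UID}:${GID} composer.json composer.lock symfony.lock ./` (hunks `@@ -124,15 +125,15 @@` and `@@ -282,14 +285,14 @@`) now fails the build when `composer.lock` or `symfony.lock` is absent, whereas the previous globs `composer.* symfony.*` silently tolerated a missing lock file. That is the better default for a production image — an install without a lock file is not reproducible — but it is a behavior change for a skeleton project, so a one-line comment would help, e.g. `# lock files are mandatory: production builds must be reproducible`. The `RUN <` heredoc bodies that follow those lines are not legible in this rendering, so their contents were not reviewed. Removing `sudo` and the NOPASSWD `sudoers.d` entries for the `php` and `nginx` users, and correcting `addgroup --gid ${GID} php`, look consistent across the stages shown.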
@@ -362,14 +363,16 @@ FROM nginx AS nginx-dev VOLUME /app - ############## # Nginx PROD # ############## +ARG UID +ARG GID + FROM nginx AS nginx-prod # Copy public files from API -COPY --link --from=php-prod --chown=${USER_UID}:${USER_UID} /app/public /app/public +COPY --link --from=php-prod --chown=${UID}:${GID} /app/public /app/public # Only enable healthcheck in production when the app is ready to serve requests on root path # This could prevent Traefik or an ingress controller to route traffic to the app diff --git a/compose.prod.yml b/compose.prod.yml index 6084e0c..172a1c9 100644 --- a/compose.prod.yml +++ b/compose.prod.yml @@ -36,6 +36,8 @@ services: # https://github.com/api-platform/core/issues/3168 # https://www.varnish-software.com/developers/tutorials/troubleshooting-varnish/ command: "-p http_resp_hdr_len=16384 -p http_resp_size=65536" + ulimits: + memlock: -1 tmpfs: /var/lib/varnish/varnishd:exec depends_on: - nginx diff --git a/compose.yml b/compose.yml index e146470..4d88823 100644 --- a/compose.yml +++ b/compose.yml @@ -101,6 +101,8 @@ services: # https://github.com/api-platform/core/issues/3168 # https://www.varnish-software.com/developers/tutorials/troubleshooting-varnish/ command: "-p http_resp_hdr_len=16384 -p http_resp_size=65536" + ulimits: + memlock: -1 tmpfs: /var/lib/varnish/varnishd:exec depends_on: - nginx diff --git a/composer.json b/composer.json index 527e592..cd59e55 100644 --- a/composer.json +++ b/composer.json @@ -11,7 +11,7 @@ "nelmio/cors-bundle": "^2.5", "roadiz/cms-pack": "^3.0", "sentry/sentry-symfony": "^5.3", - "symfony/redis-messenger": "7.3.*", + "symfony/redis-messenger": "7.4.*", "symfony/flex": "*", "symfony/requirements-checker": "^2.0" }, 
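Review bot: `ARG UID` / `ARG GID` are placed before `FROM nginx AS nginx-prod`, so they belong to the preceding stage and go out of scope at that `FROM`; inside `nginx-prod` the new `COPY --link --from=php-prod --chown=${UID}:${GID} /app/public /app/public` then expands to an empty owner, the same failure mode the removed `${USER_UID}` had. Move the two lines below the `FROM`, as the php-prod-franken and php-prod hunks in this diff already do: `FROM nginx AS nginx-prod`, `ARG UID`, `ARG GID`. A stage-local `ARG` without a value picks up the global default declared before the first `FROM`, so no value is needed there.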
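Review bot: `memlock: -1` removes the locked-memory limit for the varnish container entirely (here and in the identical `compose.yml` hunk), which lets the process pin an unbounded amount of host RAM; the hard limit is what caps a misbehaving varnishd, so prefer a bounded value if Varnish's recommendation for your configuration allows one, e.g. `memlock: {soft: <bytes>, hard: <bytes>}` (placeholder values). Whichever value is kept, a comment above it stating why varnishd needs locked memory, with the documentation it comes from, would spare the next reader a lookup; the neighbouring `command:` already follows that pattern with its two reference links.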
@@ -23,14 +23,14 @@ "phpstan/phpstan-symfony": "*", "phpunit/phpunit": "^9.5", "rector/rector": "^2.1", - "symfony/browser-kit": "7.3.*", - "symfony/css-selector": "7.3.*", - "symfony/debug-bundle": "7.3.*", + "symfony/browser-kit": "7.4.*", + "symfony/css-selector": "7.4.*", + "symfony/debug-bundle": "7.4.*", "symfony/filesystem": ">=7.1", "symfony/maker-bundle": "^1.64", - "symfony/phpunit-bridge": "7.3.*", - "symfony/stopwatch": "7.3.*", - "symfony/web-profiler-bundle": "7.3.*" + "symfony/phpunit-bridge": "7.4.*", + "symfony/stopwatch": "7.4.*", + "symfony/web-profiler-bundle": "7.4.*" }, "config": { "optimize-autoloader": true, @@ -96,7 +96,7 @@ "extra": { "symfony": { "allow-contrib": false, - "require": "7.3.*", + "require": "7.4.*", "docker": false } } diff --git a/composer.json.dist b/composer.json.dist index 527e592..cd59e55 100644 --- a/composer.json.dist +++ b/composer.json.dist @@ -11,7 +11,7 @@ "nelmio/cors-bundle": "^2.5", "roadiz/cms-pack": "^3.0", "sentry/sentry-symfony": "^5.3", - "symfony/redis-messenger": "7.3.*", + "symfony/redis-messenger": "7.4.*", "symfony/flex": "*", "symfony/requirements-checker": "^2.0" }, @@ -23,14 +23,14 @@ "phpstan/phpstan-symfony": "*", "phpunit/phpunit": "^9.5", "rector/rector": "^2.1", - "symfony/browser-kit": "7.3.*", - "symfony/css-selector": "7.3.*", - "symfony/debug-bundle": "7.3.*", + "symfony/browser-kit": "7.4.*", + "symfony/css-selector": "7.4.*", + "symfony/debug-bundle": "7.4.*", "symfony/filesystem": ">=7.1", "symfony/maker-bundle": "^1.64", - "symfony/phpunit-bridge": "7.3.*", - "symfony/stopwatch": "7.3.*", - "symfony/web-profiler-bundle": "7.3.*" + "symfony/phpunit-bridge": "7.4.*", + "symfony/stopwatch": "7.4.*", + "symfony/web-profiler-bundle": "7.4.*" }, "config": { "optimize-autoloader": true, @@ -96,7 +96,7 @@ "extra": { "symfony": { "allow-contrib": false, - "require": "7.3.*", + "require": "7.4.*", "docker": false } } 
diff --git a/composer_dev.json.dist b/composer_dev.json.dist index 3b35cc4..1a479b7 100644 --- a/composer_dev.json.dist +++ b/composer_dev.json.dist @@ -13,7 +13,7 @@ "nelmio/cors-bundle": "^2.5", "roadiz/cms-pack": "dev-develop", "sentry/sentry-symfony": "^5.3", - "symfony/redis-messenger": "7.3.*", + "symfony/redis-messenger": "7.4.*", "symfony/flex": "*", "symfony/requirements-checker": "^2.0" }, @@ -25,14 +25,14 @@ "phpstan/phpstan-symfony": "*", "phpunit/phpunit": "^9.5", "rector/rector": "^2.1", - "symfony/browser-kit": "7.3.*", - "symfony/css-selector": "7.3.*", - "symfony/debug-bundle": "7.3.*", + "symfony/browser-kit": "7.4.*", + "symfony/css-selector": "7.4.*", + "symfony/debug-bundle": "7.4.*", "symfony/filesystem": ">=7.1", "symfony/maker-bundle": "^1.64", - "symfony/phpunit-bridge": "7.3.*", - "symfony/stopwatch": "7.3.*", - "symfony/web-profiler-bundle": "7.3.*" + "symfony/phpunit-bridge": "7.4.*", + "symfony/stopwatch": "7.4.*", + "symfony/web-profiler-bundle": "7.4.*" }, "config": { "optimize-autoloader": true, @@ -98,7 +98,7 @@ "extra": { "symfony": { "allow-contrib": false, - "require": "7.3.*", + "require": "7.4.*", "docker": false } } diff --git a/config/packages/security.yaml b/config/packages/security.yaml index f459aaa..24048f3 100644 --- a/config/packages/security.yaml +++ b/config/packages/security.yaml @@ -122,6 +122,7 @@ security: - ROLE_ACCESS_CUSTOMFORMS - ROLE_ACCESS_CUSTOMFORMS_DELETE - ROLE_ACCESS_CUSTOMFORMS_RETENTION + - ROLE_ACCESS_CUSTOMFORMS_WEBHOOKS - ROLE_ACCESS_DOCTRINE_CACHE_DELETE - ROLE_ACCESS_DOCUMENTS - ROLE_ACCESS_DOCUMENTS_CREATION_DATE @@ -149,3 +150,4 @@ security: - ROLE_ACCESS_WEBHOOKS - ROLE_ALLOWED_TO_SWITCH - ROLE_BACKEND_USER + - ROLE_PUBLIC_USER diff --git a/docker/frankenphp/docker-php-entrypoint-prod b/docker/frankenphp/docker-php-entrypoint-prod index 0a1d992..3ff71ae 100644 --- a/docker/frankenphp/docker-php-entrypoint-prod +++ b/docker/frankenphp/docker-php-entrypoint-prod 
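Review bot: The list that gains `ROLE_ACCESS_CUSTOMFORMS_WEBHOOKS` and `ROLE_PUBLIC_USER` starts above the hunk, so which role inherits them is not visible here. If this is an admin entry in `role_hierarchy`, grants are transitive and inheriting a public-user role is harmless; if the parent role is narrower, confirm every member of it is meant to receive whatever `ROLE_PUBLIC_USER` unlocks on the front office. A short comment on the new line would record the decision, e.g. `# <parent role> intentionally inherits public-user permissions` (placeholder for the parent role name).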
@@ -1,11 +1,6 @@ #!/bin/sh set -e -# Print env infos -echo "APP_ENV=${APP_ENV}"; -echo "APP_RUNTIME_ENV=${APP_RUNTIME_ENV}"; -echo "APP_DEBUG=${APP_DEBUG}"; - # # Override default entrypoint to add some maintenance and migration commands (PROD) # DO NOT CALL THIS SCRIPT FOR WORKERS AND CRON containers (see docker-compose.yml) @@ -13,22 +8,24 @@ echo "APP_DEBUG=${APP_DEBUG}"; # Print local env vars to .env.xxx.php file for performances and crontab jobs /usr/local/bin/composer dump-env prod -/app/bin/console assets:install -n # To improve performance (i.e. avoid decrypting secrets at runtime), # you can decrypt your secrets during deployment to the "local" vault: #APP_RUNTIME_ENV=prod /app/bin/console secrets:decrypt-to-local --force +if [ "${APP_ENV}" = "prod" ]; then + /app/bin/console cache:warmup +fi + +# +# Uncomment the following lines if you need to clear caches +# at each deployment (WILL slow down the deployment time) +# # Clear caches after migrations -/app/bin/console cache:clear -n +#/app/bin/console cache:clear -n # Clear all cache pool on Symfony -/app/bin/console cache:pool:clear cache.global_clearer -n - -/app/bin/console lexik:jwt:generate-keypair --skip-if-exists +#/app/bin/console cache:pool:clear cache.global_clearer -n -# first arg is `-f` or `--some-option` -if [ "${1#-}" != "$1" ]; then - set -- frankenphp run "$@" -fi +#/app/bin/console lexik:jwt:generate-keypair --skip-if-exists exec "$@" diff --git a/docker/php/docker-php-entrypoint b/docker/php/docker-php-entrypoint index 7c58d46..a8726c7 100755 --- a/docker/php/docker-php-entrypoint +++ b/docker/php/docker-php-entrypoint @@ -1,11 +1,6 @@ #!/bin/sh set -e -# Print env infos -echo "APP_ENV=${APP_ENV}"; -echo "APP_RUNTIME_ENV=${APP_RUNTIME_ENV}"; -echo "APP_DEBUG=${APP_DEBUG}"; - # # Override default entrypoint to add some maintenance and migration commands (PROD) # DO NOT CALL THIS SCRIPT FOR WORKERS AND CRON containers (see docker-compose.yml) 
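Review bot: Dropping the `if [ "${1#-}" != "$1" ]; then set -- frankenphp run "$@"; fi` block means `exec "$@"` now receives the container CMD unchanged, and the Dockerfile context shown earlier in this diff still has `CMD ["--config", "/etc/frankenphp/Caddyfile", "--adapter", "caddyfile"]` for the php-prod-franken stage; if that stage still uses this script as its ENTRYPOINT, the container will try to exec `--config` and exit. Either keep the option-prepending block or change the CMD to `["frankenphp", "run", "--config", "/etc/frankenphp/Caddyfile", "--adapter", "caddyfile"]` in the same change. The same removal of `set -- php-fpm "$@"` is made in `docker/php/docker-php-entrypoint` (`@@ -13,27 +8,22 @@`), whose CMD is not in the diff. Commenting out `lexik:jwt:generate-keypair --skip-if-exists` also means the JWT keypair must now be provisioned before first start by some other mechanism; a comment naming it would help.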
@@ -13,27 +8,22 @@ echo "APP_DEBUG=${APP_DEBUG}"; # Print local env vars to .env.xxx.php file for performances and crontab jobs /usr/local/bin/composer dump-env prod -/app/bin/console assets:install -n # To improve performance (i.e. avoid decrypting secrets at runtime), # you can decrypt your secrets during deployment to the "local" vault: #APP_RUNTIME_ENV=prod /app/bin/console secrets:decrypt-to-local --force -/app/bin/console lexik:jwt:generate-keypair --skip-if-exists +if [ "${APP_ENV}" = "prod" ]; then + /app/bin/console cache:warmup +fi # -# Wait for database to be ready for next commands and migrations +# Uncomment the following lines if you need to clear caches +# at each deployment (WILL slow down the deployment time) # -/wait-for-it.sh -t 0 -s ${MYSQL_HOST}:${MYSQL_PORT} - # Clear caches after migrations -/app/bin/console cache:clear -n +#/app/bin/console cache:clear -n # Clear all cache pool on Symfony -/app/bin/console cache:pool:clear cache.global_clearer -n - -# first arg is `-f` or `--some-option` -if [ "${1#-}" != "$1" ]; then - set -- php-fpm "$@" -fi +#/app/bin/console cache:pool:clear cache.global_clearer -n exec "$@"
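Review bot: The header comment kept above this hunk still says the script adds "maintenance and migration commands", but after this change it only runs `composer dump-env prod` and a conditional `cache:warmup`, with every cache step commented out and the database wait removed; update it to match, e.g. `# Prepares the env file and warms the cache; cache-clear steps are opt-in below`. Removing `/wait-for-it.sh -t 0 -s ${MYSQL_HOST}:${MYSQL_PORT}` also means nothing in this entrypoint waits for the database any more, which is fine only if `cache:warmup` does not touch it and migrations run from the separate `docker-migrate-entrypoint` that the Dockerfile hunk header at `@@ -282,14 +285,14 @@` mentions; please confirm. The surviving comment `# Clear caches after migrations` now sits above a commented-out command and reads as stale.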