web: Fix duplicate Turnstile widgets after extended idle

[GirlBossRush]

Details

Turnstile's client-side script includes a self-upgrade mechanism that periodically replaces its own <script> tag with a fresh version. When the upgraded script loads, it restores its internal widget state and then re-scans the DOM for .cf-turnstile elements to implicitly render — even though those containers already have an active widget. This results in duplicate widgets accumulating over time.

This PR changes our Turnstile controller from implicit rendering (via the cf-turnstile class and data-* attributes), to explicit rendering (?render=explicit on the script URL + a manual turnstile.render() call). With explicit mode, the self-upgrade cycle no longer triggers a DOM scan, so existing widgets aren't duplicated.

Closes #18156

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	d129376
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/69d04576b2457d0008e20614
😎 Deploy Preview	https://deploy-preview-21380--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	b5d4ee2
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69d04227c9f662000834b015
😎 Deploy Preview	https://deploy-preview-21380--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.46%. Comparing base (418fa62) to head (d129376).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #21380      +/-   ##
==========================================
- Coverage   92.47%   92.46%   -0.01%     
==========================================
  Files        1013     1013              
  Lines       58165    58165              
  Branches     1494     1494              
==========================================
- Hits        53788    53785       -3     
- Misses       4337     4340       +3     
  Partials       40       40              

Flag	Coverage Δ
conformance	37.16% <ø> (+<0.01%)	⬆️
e2e	42.63% <ø> (-0.01%)	⬇️
integration	22.12% <ø> (+<0.01%)	⬆️
rust	53.54% <ø> (ø)
unit	91.82% <ø> (ø)
unit-migrate	91.87% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-d129376a7c7d77535f917d95441b204efa03cb70
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-d129376a7c7d77535f917d95441b204efa03cb70

Afterwards, run the upgrade commands from the latest release notes.