From ef88cdb7e73fdb626d3b8ce4c7efc938f51c8fea Mon Sep 17 00:00:00 2001 From: silverwind Date: Mon, 23 Mar 2026 18:34:45 +0100 Subject: [PATCH 01/12] Add `DEFAULT_DELETE_BRANCH_AFTER_MERGE` setting (#36917) Add this config option, applying to new repos: ```ini [repository.pull-request] DEFAULT_DELETE_BRANCH_AFTER_MERGE = true ``` Defaults to `false`, preserving current behavior. --------- Co-authored-by: Claude (Opus 4.6) --- custom/conf/app.example.ini | 3 +++ models/repo/repo_unit.go | 1 + modules/setting/repository.go | 2 ++ 3 files changed, 6 insertions(+) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 9297f3d062..803231ff12 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1162,6 +1162,9 @@ LEVEL = Info ;; Delay mergeable check until page view or API access, for pull requests that have not been updated in the specified days when their base branches get updated. ;; Use "-1" to always check all pull requests (old behavior). Use "0" to always delay the checks. ;DELAY_CHECK_FOR_INACTIVE_DAYS = 7 +;; +;; Set the default value for "Delete pull request branch after merge by default" for new repositories +;DEFAULT_DELETE_BRANCH_AFTER_MERGE = false ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go index 797b34de69..18ebd6be54 100644 --- a/models/repo/repo_unit.go +++ b/models/repo/repo_unit.go @@ -142,6 +142,7 @@ func DefaultPullRequestsConfig() *PullRequestsConfig { AllowRebaseUpdate: true, DefaultAllowMaintainerEdit: true, } + cfg.DefaultDeleteBranchAfterMerge = setting.Repository.PullRequest.DefaultDeleteBranchAfterMerge cfg.DefaultMergeStyle = MergeStyle(setting.Repository.PullRequest.DefaultMergeStyle) cfg.DefaultMergeStyle = util.IfZero(cfg.DefaultMergeStyle, MergeStyleMerge) return cfg diff --git a/modules/setting/repository.go b/modules/setting/repository.go index 662e03598b..f4e45d4702 100644 --- a/modules/setting/repository.go +++ b/modules/setting/repository.go @@ -89,6 +89,7 @@ var ( TestConflictingPatchesWithGitApply bool RetargetChildrenOnMerge bool DelayCheckForInactiveDays int + DefaultDeleteBranchAfterMerge bool } `ini:"repository.pull-request"` // Issue Setting @@ -213,6 +214,7 @@ var ( TestConflictingPatchesWithGitApply bool RetargetChildrenOnMerge bool DelayCheckForInactiveDays int + DefaultDeleteBranchAfterMerge bool }{ WorkInProgressPrefixes: []string{"WIP:", "[WIP]"}, // Same as GitHub. See From 788200de9ffa7aa4fb172a882b75276fc5ece0b0 Mon Sep 17 00:00:00 2001 From: silverwind Date: Mon, 23 Mar 2026 18:41:04 +0100 Subject: [PATCH 02/12] Rework checkbox styling, remove `input` border hover effect (#36870) - Rework all checkbox styling to be consistent inside and outside markup. - Remove `input` border hover effect. Was too subtle and honestly unneeded, consistent with GitHub. - Increase `input` border contrast slightly. - Some small spacing fixes in Markup (nested tasklist and spacing after checkbox). Screenshot 2026-03-09 at 08 18 19 Screenshot 2026-03-09 at 08 18 10 Screenshot 2026-03-09 at 08 17 32 Screenshot 2026-03-09 at 08 17 07 Screenshot 2026-03-09 at 08 21 04 --------- Co-authored-by: Claude (Opus 4.6) Co-authored-by: Lunny Xiao Co-authored-by: Giteabot --- web_src/css/base.css | 6 +-- web_src/css/markup/content.css | 48 +++-------------- web_src/css/modules/checkbox.css | 67 +++++++++++++++++++++++- web_src/css/modules/dropdown.css | 1 - web_src/css/modules/form.css | 22 ++------ web_src/css/themes/theme-gitea-dark.css | 3 +- web_src/css/themes/theme-gitea-light.css | 3 +- 7 files changed, 84 insertions(+), 66 deletions(-) diff --git a/web_src/css/base.css b/web_src/css/base.css index 0d6c4a2f75..2c7bd7395a 100644 --- a/web_src/css/base.css +++ b/web_src/css/base.css @@ -15,8 +15,8 @@ /* line-height: use the default value as "modules/normalize.css" */ --line-height-default: normal; /* images */ - --checkbox-mask-checked: url('data:image/svg+xml;utf8,'); - --checkbox-mask-indeterminate: url('data:image/svg+xml;utf8,'); + --checkbox-mask-checked: url('data:image/svg+xml;utf8,'); + --checkbox-mask-indeterminate: url('data:image/svg+xml;utf8,'); --octicon-chevron-right: url('data:image/svg+xml;utf8,'); --select-arrows: url('data:image/svg+xml;utf8,'); /* other variables */ @@ -27,7 +27,7 @@ --height-loading: 16rem; --min-height-textarea: 132px; /* padding + 6 lines + border = calc(1.57142em + 6lh + 2px), but lh is not fully supported */ --tab-size: 4; - --checkbox-size: 15px; /* height and width of checkbox and radio inputs */ + --checkbox-size: 14px; /* height and width of checkbox and radio inputs */ --page-spacing: 16px; /* space between page elements */ --page-margin-x: 32px; /* minimum space on left and right side of page */ --page-space-bottom: 64px; /* space between last page element and footer */ diff --git a/web_src/css/markup/content.css b/web_src/css/markup/content.css index 047b03fa19..6ca6f95c69 100644 --- a/web_src/css/markup/content.css +++ b/web_src/css/markup/content.css @@ -164,12 +164,16 @@ In markup content, we always use bottom margin for all elements */ list-style-type: none; } +.markup .task-list-item > ul { + margin-top: 4px; +} + .markup .task-list-item p + ul { margin-top: 16px; } .markup .task-list-item input[type="checkbox"] { - margin: 0 .3em .25em -1.4em; + margin: 0 .6em .25em -1.4em; vertical-align: middle; padding: 0; } @@ -188,48 +192,12 @@ In markup content, we always use bottom margin for all elements */ } .markup input[type="checkbox"] { - -webkit-appearance: none; - -moz-appearance: none; - appearance: none; - position: relative; - border: 1px solid var(--color-secondary); - border-radius: var(--border-radius); - background: var(--color-input-background); - height: 14px; - width: 14px; + margin-right: .25em; + margin-bottom: .25em; + cursor: default; opacity: 1 !important; /* override fomantic on edit preview */ pointer-events: auto !important; /* override fomantic on edit preview */ vertical-align: middle !important; /* override fomantic on edit preview */ - -webkit-print-color-adjust: exact; - color-adjust: exact; -} - -.markup input[type="checkbox"]:not([disabled]):hover, -.markup input[type="checkbox"]:not([disabled]):active { - border-color: var(--color-primary); -} - -.markup input[type="checkbox"]::after { - position: absolute; - inset: 0; - pointer-events: none; - background: var(--color-text); - mask-size: cover; - -webkit-mask-size: cover; -} - -.markup input[type="checkbox"]:checked::after { - content: ""; - mask-image: var(--checkbox-mask-checked); - -webkit-mask-image: var(--checkbox-mask-checked); - -webkit-print-color-adjust: exact; - color-adjust: exact; -} - -.markup input[type="checkbox"]:indeterminate::after { - content: ""; - mask-image: var(--checkbox-mask-indeterminate); - -webkit-mask-image: var(--checkbox-mask-indeterminate); } .markup ul ul, diff --git a/web_src/css/modules/checkbox.css b/web_src/css/modules/checkbox.css index f7e61ba360..558486e63a 100644 --- a/web_src/css/modules/checkbox.css +++ b/web_src/css/modules/checkbox.css @@ -1,10 +1,75 @@ /* based on Fomantic UI checkbox module, with just the parts extracted that we use. If you find any unused rules here after refactoring, please remove them. */ -input[type="checkbox"], input[type="radio"] { + appearance: none; width: var(--checkbox-size); height: var(--checkbox-size); + border: 1px solid var(--color-input-border); + border-radius: 50%; + background: var(--color-input-background); +} + +input[type="radio"]:checked { + background: var(--color-white); + border: 4px solid var(--color-primary); +} + +input[type="checkbox"] { + appearance: none; + display: inline-grid; + place-content: center; + width: var(--checkbox-size); + height: var(--checkbox-size); + border: 1px solid var(--color-input-border); + border-radius: 3px; + background: var(--color-input-background); + overflow: hidden; + print-color-adjust: exact; +} + +input[type="checkbox"]::before { + content: ""; + background: var(--color-white); + width: var(--checkbox-size); + height: var(--checkbox-size); + clip-path: inset(var(--checkbox-size) 0 0 0); + mask-image: var(--checkbox-mask-checked); + -webkit-mask-image: var(--checkbox-mask-checked); + mask-size: 75%; + -webkit-mask-size: 75%; + mask-repeat: no-repeat; + -webkit-mask-repeat: no-repeat; + mask-position: center; + -webkit-mask-position: center; +} + +input[type="checkbox"]:checked, +input[type="checkbox"]:indeterminate { + background: var(--color-primary); + border-color: var(--color-primary); +} + +input[type="checkbox"]:checked::before { + clip-path: inset(0); +} + +input[type="checkbox"]:disabled:checked, +input[type="checkbox"]:disabled:indeterminate { + background: var(--color-secondary-dark-4); + border-color: var(--color-secondary-dark-4); +} + +input[type="radio"]:disabled:checked { + border-color: var(--color-secondary-dark-4); +} + +input[type="checkbox"]:indeterminate::before { + clip-path: inset(0); + mask-image: var(--checkbox-mask-indeterminate); + -webkit-mask-image: var(--checkbox-mask-indeterminate); + mask-size: 75%; + -webkit-mask-size: 75%; } .ui.checkbox { diff --git a/web_src/css/modules/dropdown.css b/web_src/css/modules/dropdown.css index 2008ece2ed..1c6e7f8552 100644 --- a/web_src/css/modules/dropdown.css +++ b/web_src/css/modules/dropdown.css @@ -268,7 +268,6 @@ select.ui.dropdown { } .ui.selection.dropdown:hover { - border-color: var(--color-input-border-hover); box-shadow: none; } diff --git a/web_src/css/modules/form.css b/web_src/css/modules/form.css index 56d4f9ba61..2d315786c6 100644 --- a/web_src/css/modules/form.css +++ b/web_src/css/modules/form.css @@ -43,7 +43,7 @@ height: 1.21428571em; } -.ui.form input, +.ui.form input:not([type="checkbox"], [type="radio"]), .ui.search > .prompt { font-family: var(--fonts-regular); margin: 0; @@ -74,10 +74,10 @@ max-height: 24em; } -input, +input:not([type="checkbox"], [type="radio"]), textarea, .ui.input > input, -.ui.form input, +.ui.form input:not([type="checkbox"], [type="radio"]), .ui.form select, .ui.form textarea, .ui.selection.dropdown, @@ -87,22 +87,10 @@ textarea, color: var(--color-input-text); } -input:hover, -textarea:hover, -.ui.input input:hover, -.ui.form input:hover, -.ui.form select:hover, -.ui.form textarea:hover, -.ui.search > .prompt:hover { - background: var(--color-input-background); - border: 1px solid var(--color-input-border-hover); - color: var(--color-input-text); -} - -input:focus, +input:not([type="checkbox"], [type="radio"]):focus, textarea:focus, .ui.input input:focus, -.ui.form input:focus, +.ui.form input:not([type="checkbox"], [type="radio"]):focus, .ui.form select:focus, .ui.form textarea:focus, .ui.search > .prompt:focus { diff --git a/web_src/css/themes/theme-gitea-dark.css b/web_src/css/themes/theme-gitea-dark.css index ad5eec9e82..f347589509 100644 --- a/web_src/css/themes/theme-gitea-dark.css +++ b/web_src/css/themes/theme-gitea-dark.css @@ -205,8 +205,7 @@ gitea-theme-meta-info { --color-input-text: var(--color-text-dark); --color-input-background: #171a1e; --color-input-toggle-background: #2e353c; - --color-input-border: var(--color-secondary); - --color-input-border-hover: var(--color-secondary-dark-1); + --color-input-border: var(--color-secondary-dark-1); --color-light: #00001728; --color-light-mimic-enabled: rgba(0, 0, 0, calc(40 / 255 * 222 / 255 / var(--opacity-disabled))); --color-light-border: #e8f3ff28; diff --git a/web_src/css/themes/theme-gitea-light.css b/web_src/css/themes/theme-gitea-light.css index 049b64f73f..dc916f002d 100644 --- a/web_src/css/themes/theme-gitea-light.css +++ b/web_src/css/themes/theme-gitea-light.css @@ -205,8 +205,7 @@ gitea-theme-meta-info { --color-input-text: var(--color-text-dark); --color-input-background: #fff; --color-input-toggle-background: #d0d7de; - --color-input-border: var(--color-secondary); - --color-input-border-hover: var(--color-secondary-dark-1); + --color-input-border: var(--color-secondary-dark-1); --color-light: #00001706; --color-light-mimic-enabled: rgba(0, 0, 0, calc(6 / 255 * 222 / 255 / var(--opacity-disabled))); --color-light-border: #0000171d; From 4f9f0fc4b86f1995d3d5ac88b98b04df94394672 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Tue, 24 Mar 2026 02:23:42 +0800 Subject: [PATCH 03/12] Fix various trivial problems (#36953) 1. remove `TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY` * it defaults to false and is unlikely to be useful for most users (see #22130) * with new git versions (>= 2.40), "merge-tree" is used, "checkConflictsByTmpRepo" isn't called, the option does nothing. 2. fix fragile `db.Cell2Int64` (new: `CellToInt`) 3. allow more routes in maintenance mode (e.g.: captcha) 4. fix MockLocale html escaping to make it have the same behavior as production locale --- custom/conf/app.example.ini | 3 - models/auth/source.go | 6 +- models/auth/source_test.go | 40 +++---- models/db/convert.go | 22 ++-- models/repo/repo_unit.go | 6 +- modules/setting/repository.go | 2 - modules/translation/mock.go | 41 ++++--- routers/common/maintenancemode.go | 48 ++++---- services/pull/patch.go | 162 +-------------------------- tests/integration/pull_merge_test.go | 81 -------------- 10 files changed, 97 insertions(+), 314 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 803231ff12..5eb4a5e995 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1153,9 +1153,6 @@ LEVEL = Info ;; Add co-authored-by and co-committed-by trailers if committer does not match author ;ADD_CO_COMMITTER_TRAILERS = true ;; -;; In addition to testing patches using the three-way merge method, re-test conflicting patches with git apply -;TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY = false -;; ;; Retarget child pull requests to the parent pull request branch target on merge of parent pull request. It only works on merged PRs where the head and base branch target the same repo. ;RETARGET_CHILDREN_ON_MERGE = true ;; diff --git a/models/auth/source.go b/models/auth/source.go index c0b262f870..7a008f08a8 100644 --- a/models/auth/source.go +++ b/models/auth/source.go @@ -12,6 +12,7 @@ import ( "code.gitea.io/gitea/models/db" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/optional" + "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/util" @@ -139,7 +140,10 @@ func init() { // BeforeSet is invoked from XORM before setting the value of a field of this object. func (source *Source) BeforeSet(colName string, val xorm.Cell) { if colName == "type" { - typ := Type(db.Cell2Int64(val)) + typ, _, err := db.CellToInt(val, NoType) + if err != nil { + setting.PanicInDevOrTesting("Unable to convert login source (id=%d) type: %v", source.ID, err) + } constructor, ok := registeredConfigs[typ] if !ok { return diff --git a/models/auth/source_test.go b/models/auth/source_test.go index ebc462c581..fbd663a64f 100644 --- a/models/auth/source_test.go +++ b/models/auth/source_test.go @@ -17,13 +17,9 @@ import ( ) type TestSource struct { - auth_model.ConfigBase + auth_model.ConfigBase `json:"-"` - Provider string - ClientID string - ClientSecret string - OpenIDConnectAutoDiscoveryURL string - IconURL string + TestField string } // FromDB fills up a LDAPConfig from serialized format. @@ -37,27 +33,23 @@ func (source *TestSource) ToDB() ([]byte, error) { } func TestDumpAuthSource(t *testing.T) { - assert.NoError(t, unittest.PrepareTestDatabase()) + require.NoError(t, unittest.PrepareTestDatabase()) authSourceSchema, err := unittest.GetXORMEngine().TableInfo(new(auth_model.Source)) - assert.NoError(t, err) + require.NoError(t, err) auth_model.RegisterTypeConfig(auth_model.OAuth2, new(TestSource)) + source := &auth_model.Source{ + Type: auth_model.OAuth2, + Name: "TestSource", + Cfg: &TestSource{TestField: "TestValue"}, + } + require.NoError(t, auth_model.CreateSource(t.Context(), source)) - auth_model.CreateSource(t.Context(), &auth_model.Source{ - Type: auth_model.OAuth2, - Name: "TestSource", - IsActive: false, - Cfg: &TestSource{ - Provider: "ConvertibleSourceName", - ClientID: "42", - }, - }) - - sb := new(strings.Builder) - - // TODO: this test is quite hacky, it should use a low-level "select" (without model processors) but not a database dump - engine := unittest.GetXORMEngine() - require.NoError(t, engine.DumpTables([]*schemas.Table{authSourceSchema}, sb)) - assert.Contains(t, sb.String(), `"Provider":"ConvertibleSourceName"`) + // intentionally test the "dump" to make sure the dumped JSON is correct: https://github.com/go-gitea/gitea/pull/16847 + sb := &strings.Builder{} + require.NoError(t, unittest.GetXORMEngine().DumpTables([]*schemas.Table{authSourceSchema}, sb)) + // the dumped SQL is something like: + // INSERT INTO `login_source` (`id`, `type`, `name`, `is_active`, `is_sync_enabled`, `two_factor_policy`, `cfg`, `created_unix`, `updated_unix`) VALUES (1,6,'TestSource',0,0,'','{"TestField":"TestValue"}',1774179784,1774179784); + assert.Contains(t, sb.String(), `'{"TestField":"TestValue"}'`) } diff --git a/models/db/convert.go b/models/db/convert.go index 80b0f7b04b..374dbfd8a8 100644 --- a/models/db/convert.go +++ b/models/db/convert.go @@ -5,12 +5,11 @@ package db import ( "fmt" - "strconv" - "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" "xorm.io/xorm" + "xorm.io/xorm/convert" "xorm.io/xorm/schemas" ) @@ -74,15 +73,14 @@ WHERE ST.name ='varchar'`) return err } -// Cell2Int64 converts a xorm.Cell type to int64, -// and handles possible irregular cases. -func Cell2Int64(val xorm.Cell) int64 { - switch (*val).(type) { - case []uint8: - log.Trace("Cell2Int64 ([]uint8): %v", *val) - - v, _ := strconv.ParseInt(string((*val).([]uint8)), 10, 64) - return v +// CellToInt converts a xorm.Cell field value to an int value +func CellToInt[T ~int | int64](cell xorm.Cell, def T) (ret T, has bool, err error) { + if *cell == nil { + return def, false, nil } - return (*val).(int64) + val, err := convert.AsInt64(*cell) + if err != nil { + return def, false, err + } + return T(val), true, err } diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go index 18ebd6be54..c32adbbcd4 100644 --- a/models/repo/repo_unit.go +++ b/models/repo/repo_unit.go @@ -227,7 +227,11 @@ func (cfg *ProjectsConfig) IsProjectsAllowed(m ProjectsMode) bool { func (r *RepoUnit) BeforeSet(colName string, val xorm.Cell) { switch colName { case "type": - r.Type = unit.Type(db.Cell2Int64(val)) + var err error + r.Type, _, err = db.CellToInt(val, unit.TypeInvalid) + if err != nil { + setting.PanicInDevOrTesting("Unable to convert repo unit (id=%d) type: %v", r.ID, err) + } switch r.Type { case unit.TypeExternalWiki: r.Config = new(ExternalWikiConfig) diff --git a/modules/setting/repository.go b/modules/setting/repository.go index f4e45d4702..9195b7ee50 100644 --- a/modules/setting/repository.go +++ b/modules/setting/repository.go @@ -86,7 +86,6 @@ var ( DefaultMergeMessageOfficialApproversOnly bool PopulateSquashCommentWithCommitMessages bool AddCoCommitterTrailers bool - TestConflictingPatchesWithGitApply bool RetargetChildrenOnMerge bool DelayCheckForInactiveDays int DefaultDeleteBranchAfterMerge bool @@ -211,7 +210,6 @@ var ( DefaultMergeMessageOfficialApproversOnly bool PopulateSquashCommentWithCommitMessages bool AddCoCommitterTrailers bool - TestConflictingPatchesWithGitApply bool RetargetChildrenOnMerge bool DelayCheckForInactiveDays int DefaultDeleteBranchAfterMerge bool diff --git a/modules/translation/mock.go b/modules/translation/mock.go index f457271ea5..02b19d9583 100644 --- a/modules/translation/mock.go +++ b/modules/translation/mock.go @@ -5,8 +5,8 @@ package translation import ( "fmt" + "html" "html/template" - "strings" ) // MockLocale provides a mocked locale without any translations @@ -20,25 +20,40 @@ func (l MockLocale) Language() string { return "en" } -func (l MockLocale) TrString(s string, args ...any) string { - return sprintAny(s, args...) +func (l MockLocale) TrString(format string, args ...any) (ret string) { + ret = format + ":" + for _, arg := range args { + // usually there is no arg or at most 1-2 args, so a simple string concatenation is more efficient + switch v := arg.(type) { + case string: + ret += v + "," + default: + ret += fmt.Sprint(v) + "," + } + } + return ret[:len(ret)-1] } -func (l MockLocale) Tr(s string, args ...any) template.HTML { - return template.HTML(sprintAny(s, args...)) +func (l MockLocale) Tr(format string, args ...any) (ret template.HTML) { + ret = template.HTML(html.EscapeString(format)) + ":" + for _, arg := range args { + // usually there is no arg or at most 1-2 args, so a simple string concatenation is more efficient + switch v := arg.(type) { + case template.HTML: + ret += v + "," + case string: + ret += template.HTML(html.EscapeString(v)) + "," + default: + ret += template.HTML(html.EscapeString(fmt.Sprint(v))) + "," + } + } + return ret[:len(ret)-1] } func (l MockLocale) TrN(cnt any, key1, keyN string, args ...any) template.HTML { - return template.HTML(sprintAny(key1, args...)) + return l.Tr(key1, args...) } func (l MockLocale) PrettyNumber(v any) string { return fmt.Sprint(v) } - -func sprintAny(s string, args ...any) string { - if len(args) == 0 { - return s - } - return s + ":" + fmt.Sprintf(strings.Repeat(",%v", len(args))[1:], args...) -} diff --git a/routers/common/maintenancemode.go b/routers/common/maintenancemode.go index b5827ac94f..adf099df57 100644 --- a/routers/common/maintenancemode.go +++ b/routers/common/maintenancemode.go @@ -7,29 +7,39 @@ import ( "net/http" "strings" + "code.gitea.io/gitea/modules/container" "code.gitea.io/gitea/modules/setting" ) -func isMaintenanceModeAllowedRequest(req *http.Request) bool { - if strings.HasPrefix(req.URL.Path, "/-/") { - // URLs like "/-/admin", "/-/fetch-redirect" and "/-/markup" are still accessible in maintenance mode - return true - } - if strings.HasPrefix(req.URL.Path, "/api/internal/") { - // internal APIs should be allowed - return true - } - if strings.HasPrefix(req.URL.Path, "/user/") { - // URLs like "/user/signin" and "/user/signup" are still accessible in maintenance mode - return true - } - if strings.HasPrefix(req.URL.Path, "/assets/") { - return true - } - return false -} - func MaintenanceModeHandler() func(h http.Handler) http.Handler { + allowedPrefixes := []string{ + "/.well-known/", + "/assets/", + "/avatars/", + + // admin: "/-/admin" + // general-purpose URLs: "/-/fetch-redirect", "/-/markup", etc. + "/-/", + + // internal APIs + "/api/internal/", + + // user login (for admin to login): "/user/login", "/user/logout", "/catpcha/..." + "/user/", + "/captcha/", + } + allowedPaths := container.SetOf( + "/api/healthz", + ) + isMaintenanceModeAllowedRequest := func(req *http.Request) bool { + for _, prefix := range allowedPrefixes { + if strings.HasPrefix(req.URL.Path, prefix) { + return true + } + } + return allowedPaths.Contains(req.URL.Path) + } + return func(next http.Handler) http.Handler { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { maintenanceMode := setting.Config().Instance.MaintenanceMode.Value(req.Context()) diff --git a/services/pull/patch.go b/services/pull/patch.go index 30f07f8931..114a437cbc 100644 --- a/services/pull/patch.go +++ b/services/pull/patch.go @@ -5,7 +5,6 @@ package pull import ( - "bufio" "context" "fmt" "io" @@ -15,15 +14,12 @@ import ( git_model "code.gitea.io/gitea/models/git" issues_model "code.gitea.io/gitea/models/issues" - "code.gitea.io/gitea/models/unit" - "code.gitea.io/gitea/modules/container" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/git/gitcmd" "code.gitea.io/gitea/modules/gitrepo" "code.gitea.io/gitea/modules/glob" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/process" - "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" ) @@ -57,15 +53,6 @@ func DownloadDiffOrPatch(ctx context.Context, pr *issues_model.PullRequest, w io return nil } -var patchErrorSuffices = []string{ - ": already exists in index", - ": patch does not apply", - ": already exists in working directory", - "unrecognized input", - ": No such file or directory", - ": does not exist in index", -} - func checkPullRequestBranchMergeable(ctx context.Context, pr *issues_model.PullRequest) error { ctx, _, finished := process.GetManager().AddContext(ctx, fmt.Sprintf("checkPullRequestBranchMergeable: %s", pr)) defer finished() @@ -349,151 +336,10 @@ func checkConflictsByTmpRepo(ctx context.Context, pr *issues_model.PullRequest, } // 3. OK the three-way merge method has detected conflicts - // 3a. Are still testing with GitApply? If not set the conflict status and move on - if !setting.Repository.PullRequest.TestConflictingPatchesWithGitApply { - pr.Status = issues_model.PullRequestStatusConflict - pr.ConflictedFiles = conflictFiles - - log.Trace("Found %d files conflicted: %v", len(pr.ConflictedFiles), pr.ConflictedFiles) - return true, nil - } - - // 3b. Create a plain patch from head to base - tmpPatchFile, cleanup, err := setting.AppDataTempDir("git-repo-content").CreateTempFileRandom("patch") - if err != nil { - log.Error("Unable to create temporary patch file! Error: %v", err) - return false, fmt.Errorf("unable to create temporary patch file! Error: %w", err) - } - defer cleanup() - - if err := gitRepo.GetDiffBinary(pr.MergeBase+"...tracking", tmpPatchFile); err != nil { - log.Error("Unable to get patch file from %s to %s in %s Error: %v", pr.MergeBase, pr.HeadBranch, pr.BaseRepo.FullName(), err) - return false, fmt.Errorf("unable to get patch file from %s to %s in %s Error: %w", pr.MergeBase, pr.HeadBranch, pr.BaseRepo.FullName(), err) - } - stat, err := tmpPatchFile.Stat() - if err != nil { - return false, fmt.Errorf("unable to stat patch file: %w", err) - } - patchPath := tmpPatchFile.Name() - tmpPatchFile.Close() - - // 3c. if the size of that patch is 0 - there can be no conflicts! - if stat.Size() == 0 { - log.Debug("PullRequest[%d]: Patch is empty - ignoring", pr.ID) - pr.Status = issues_model.PullRequestStatusEmpty - return false, nil - } - - log.Trace("PullRequest[%d].checkPullRequestMergeableByTmpRepo (patchPath): %s", pr.ID, patchPath) - - // 4. Read the base branch in to the index of the temporary repository - _, _, err = gitcmd.NewCommand("read-tree", tmpRepoBaseBranch).WithDir(tmpBasePath).RunStdString(ctx) - if err != nil { - return false, fmt.Errorf("git read-tree %s: %w", pr.BaseBranch, err) - } - - // 5. Now get the pull request configuration to check if we need to ignore whitespace - prUnit, err := pr.BaseRepo.GetUnit(ctx, unit.TypePullRequests) - if err != nil { - return false, err - } - prConfig := prUnit.PullRequestsConfig() - - // 6. Prepare the arguments to apply the patch against the index - cmdApply := gitcmd.NewCommand("apply", "--check", "--cached") - if prConfig.IgnoreWhitespaceConflicts { - cmdApply.AddArguments("--ignore-whitespace") - } - is3way := false - if git.DefaultFeatures().CheckVersionAtLeast("2.32.0") { - cmdApply.AddArguments("--3way") - is3way = true - } - cmdApply.AddDynamicArguments(patchPath) - - // 7. Prep the pipe: - // - Here we could do the equivalent of: - // `git apply --check --cached patch_file > conflicts` - // Then iterate through the conflicts. However, that means storing all the conflicts - // in memory - which is very wasteful. - // - alternatively we can do the equivalent of: - // `git apply --check ... | grep ...` - // meaning we don't store all the conflicts unnecessarily. - stderrReader, stderrReaderClose := cmdApply.MakeStderrPipe() - defer stderrReaderClose() - - // 8. Run the check command - conflict = false - err = cmdApply. - WithDir(tmpBasePath). - WithPipelineFunc(func(ctx gitcmd.Context) error { - const prefix = "error: patch failed:" - const errorPrefix = "error: " - const threewayFailed = "Failed to perform three-way merge..." - const appliedPatchPrefix = "Applied patch to '" - const withConflicts = "' with conflicts." - - conflicts := make(container.Set[string]) - - // Now scan the output from the command - scanner := bufio.NewScanner(stderrReader) - for scanner.Scan() { - line := scanner.Text() - log.Trace("PullRequest[%d].checkPullRequestMergeableByTmpRepo: stderr: %s", pr.ID, line) - if strings.HasPrefix(line, prefix) { - conflict = true - filepath := strings.TrimSpace(strings.Split(line[len(prefix):], ":")[0]) - conflicts.Add(filepath) - } else if is3way && line == threewayFailed { - conflict = true - } else if strings.HasPrefix(line, errorPrefix) { - conflict = true - for _, suffix := range patchErrorSuffices { - if strings.HasSuffix(line, suffix) { - filepath := strings.TrimSpace(strings.TrimSuffix(line[len(errorPrefix):], suffix)) - if filepath != "" { - conflicts.Add(filepath) - } - break - } - } - } else if is3way && strings.HasPrefix(line, appliedPatchPrefix) && strings.HasSuffix(line, withConflicts) { - conflict = true - filepath := strings.TrimPrefix(strings.TrimSuffix(line, withConflicts), appliedPatchPrefix) - if filepath != "" { - conflicts.Add(filepath) - } - } - // only list part of conflicted files - if len(conflicts) >= gitrepo.MaxConflictedDetectFiles { - break - } - } - - if len(conflicts) > 0 { - pr.ConflictedFiles = make([]string, 0, len(conflicts)) - for key := range conflicts { - pr.ConflictedFiles = append(pr.ConflictedFiles, key) - } - } - - return nil - }). - Run(gitRepo.Ctx) - - // 9. Check if the found conflicted files is non-zero, "err" could be non-nil, so we should ignore it if we found conflicts. - // Note: `"err" could be non-nil` is due that if enable 3-way merge, it doesn't return any error on found conflicts. - if len(pr.ConflictedFiles) > 0 { - if conflict { - pr.Status = issues_model.PullRequestStatusConflict - log.Trace("Found %d files conflicted: %v", len(pr.ConflictedFiles), pr.ConflictedFiles) - - return true, nil - } - } else if err != nil { - return false, fmt.Errorf("git apply --check: %w", err) - } - return false, nil + pr.Status = issues_model.PullRequestStatusConflict + pr.ConflictedFiles = conflictFiles + log.Trace("Found %d files conflicted: %v", len(pr.ConflictedFiles), pr.ConflictedFiles) + return true, nil } // ErrFilePathProtected represents a "FilePathProtected" kind of error. diff --git a/tests/integration/pull_merge_test.go b/tests/integration/pull_merge_test.go index c2859e2e16..53709e6ff4 100644 --- a/tests/integration/pull_merge_test.go +++ b/tests/integration/pull_merge_test.go @@ -39,7 +39,6 @@ import ( pull_service "code.gitea.io/gitea/services/pull" repo_service "code.gitea.io/gitea/services/repository" commitstatus_service "code.gitea.io/gitea/services/repository/commitstatus" - files_service "code.gitea.io/gitea/services/repository/files" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -549,86 +548,6 @@ func TestCantFastForwardOnlyMergeDiverging(t *testing.T) { }) } -func TestConflictChecking(t *testing.T) { - onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) { - user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) - - // Create new clean repo to test conflict checking. - baseRepo, err := repo_service.CreateRepository(t.Context(), user, user, repo_service.CreateRepoOptions{ - Name: "conflict-checking", - Description: "Tempo repo", - AutoInit: true, - Readme: "Default", - DefaultBranch: "main", - }) - assert.NoError(t, err) - assert.NotEmpty(t, baseRepo) - - // create a commit on new branch. - _, err = files_service.ChangeRepoFiles(t.Context(), baseRepo, user, &files_service.ChangeRepoFilesOptions{ - Files: []*files_service.ChangeRepoFile{ - { - Operation: "create", - TreePath: "important_file", - ContentReader: strings.NewReader("Just a non-important file"), - }, - }, - Message: "Add a important file", - OldBranch: "main", - NewBranch: "important-secrets", - }) - assert.NoError(t, err) - - // create a commit on main branch. - _, err = files_service.ChangeRepoFiles(t.Context(), baseRepo, user, &files_service.ChangeRepoFilesOptions{ - Files: []*files_service.ChangeRepoFile{ - { - Operation: "create", - TreePath: "important_file", - ContentReader: strings.NewReader("Not the same content :P"), - }, - }, - Message: "Add a important file", - OldBranch: "main", - NewBranch: "main", - }) - assert.NoError(t, err) - - // create Pull to merge the important-secrets branch into main branch. - pullIssue := &issues_model.Issue{ - RepoID: baseRepo.ID, - Title: "PR with conflict!", - PosterID: user.ID, - Poster: user, - IsPull: true, - } - - pullRequest := &issues_model.PullRequest{ - HeadRepoID: baseRepo.ID, - BaseRepoID: baseRepo.ID, - HeadBranch: "important-secrets", - BaseBranch: "main", - HeadRepo: baseRepo, - BaseRepo: baseRepo, - Type: issues_model.PullRequestGitea, - } - prOpts := &pull_service.NewPullRequestOptions{Repo: baseRepo, Issue: pullIssue, PullRequest: pullRequest} - err = pull_service.NewPullRequest(t.Context(), prOpts) - assert.NoError(t, err) - - issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{Title: "PR with conflict!"}) - assert.NoError(t, issue.LoadPullRequest(t.Context())) - conflictingPR := issue.PullRequest - - // Ensure conflictedFiles is populated. - assert.Len(t, conflictingPR.ConflictedFiles, 1) - // Check if status is correct. - assert.Equal(t, issues_model.PullRequestStatusConflict, conflictingPR.Status) - // Ensure that mergeable returns false - assert.False(t, conflictingPR.Mergeable(t.Context())) - }) -} - func TestPullRetargetChildOnBranchDelete(t *testing.T) { onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) { session := loginUser(t, "user1") // FIXME: don't use admin user for testing From cf1e4d7c42ac530162eeea7b8decf94d235f0d97 Mon Sep 17 00:00:00 2001 From: silverwind Date: Mon, 23 Mar 2026 22:42:36 +0100 Subject: [PATCH 04/12] Update GitHub Actions to latest major versions (#36964) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update all Actions to their latest major versions: - `actions/checkout`: v5 → v6 - `dorny/paths-filter`: v3 → v4 - `pnpm/action-setup`: v4 → v5 - `docker/setup-qemu-action`: v3 → v4 - `docker/setup-buildx-action`: v3 → v4 - `docker/build-push-action`: v6 → v7 - `docker/metadata-action`: v5 → v6 - `docker/login-action`: v3 → v4 - `crazy-max/ghaction-import-gpg`: v6 → v7 - `aws-actions/configure-aws-credentials`: v5 → v6 All updates are Node 24 runtime bumps with no workflow-breaking changes for our usage. Co-authored-by: Claude (Opus 4.6) --- .github/workflows/cron-flake-updater.yml | 2 +- .github/workflows/files-changed.yml | 2 +- .github/workflows/pull-compliance.yml | 10 +++++----- .github/workflows/pull-docker-dryrun.yml | 8 ++++---- .github/workflows/pull-e2e-tests.yml | 2 +- .github/workflows/release-nightly.yml | 22 +++++++++++----------- .github/workflows/release-tag-rc.yml | 22 +++++++++++----------- .github/workflows/release-tag-version.yml | 22 +++++++++++----------- 8 files changed, 45 insertions(+), 45 deletions(-) diff --git a/.github/workflows/cron-flake-updater.yml b/.github/workflows/cron-flake-updater.yml index 105802e558..c9a1f22a2a 100644 --- a/.github/workflows/cron-flake-updater.yml +++ b/.github/workflows/cron-flake-updater.yml @@ -13,7 +13,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - uses: DeterminateSystems/determinate-nix-action@v3 - uses: DeterminateSystems/update-flake-lock@main with: diff --git a/.github/workflows/files-changed.yml b/.github/workflows/files-changed.yml index 332e9e0d6f..55d206bb0f 100644 --- a/.github/workflows/files-changed.yml +++ b/.github/workflows/files-changed.yml @@ -40,7 +40,7 @@ jobs: json: ${{ steps.changes.outputs.json }} steps: - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@v4 id: changes with: filters: | diff --git a/.github/workflows/pull-compliance.yml b/.github/workflows/pull-compliance.yml index fb81622bd6..e44a787587 100644 --- a/.github/workflows/pull-compliance.yml +++ b/.github/workflows/pull-compliance.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v6 - uses: astral-sh/setup-uv@v7 - run: uv python install 3.14 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 @@ -71,7 +71,7 @@ jobs: contents: read steps: - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v5 with: node-version: 24 @@ -86,7 +86,7 @@ jobs: contents: read steps: - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 @@ -168,7 +168,7 @@ jobs: contents: read steps: - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 @@ -222,7 +222,7 @@ jobs: contents: read steps: - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index bcc19e3eba..201825ccba 100644 --- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml @@ -21,17 +21,17 @@ jobs: contents: read steps: - uses: actions/checkout@v6 - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-qemu-action@v4 + - uses: docker/setup-buildx-action@v4 - name: Build regular container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 push: false cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful - name: Build rootless container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . push: false diff --git a/.github/workflows/pull-e2e-tests.yml b/.github/workflows/pull-e2e-tests.yml index c77f7af3f0..3472d517c1 100644 --- a/.github/workflows/pull-e2e-tests.yml +++ b/.github/workflows/pull-e2e-tests.yml @@ -25,7 +25,7 @@ jobs: with: go-version-file: go.mod check-latest: true - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index a7b2fda042..eaebccd7fb 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -22,7 +22,7 @@ jobs: with: go-version-file: go.mod check-latest: true - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 @@ -35,7 +35,7 @@ jobs: TAGS: bindata sqlite sqlite_unlock_notify - name: import gpg key id: import_gpg - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@v7 with: gpg_private_key: ${{ secrets.GPGSIGN_KEY }} passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} @@ -52,7 +52,7 @@ jobs: echo "Cleaned name is ${REF_NAME}" echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - name: configure aws - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@v6 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -71,14 +71,14 @@ jobs: # fetch all commits instead of only the last as some branches are long lived and could have many between versions # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - run: git fetch --unshallow --quiet --tags --force - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-qemu-action@v4 + - uses: docker/setup-buildx-action@v4 - name: Get cleaned branch name id: clean_name run: | REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - - uses: docker/metadata-action@v5 + - uses: docker/metadata-action@v6 id: meta with: images: |- @@ -88,7 +88,7 @@ jobs: type=raw,value=${{ steps.clean_name.outputs.branch }} annotations: | org.opencontainers.image.authors="maintainers@gitea.io" - - uses: docker/metadata-action@v5 + - uses: docker/metadata-action@v6 id: meta_rootless with: images: |- @@ -102,18 +102,18 @@ jobs: annotations: | org.opencontainers.image.authors="maintainers@gitea.io" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GHCR using PAT - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: build regular docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 @@ -123,7 +123,7 @@ jobs: cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful,mode=max - name: build rootless docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index fab468c9b4..248fa532ee 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -23,7 +23,7 @@ jobs: with: go-version-file: go.mod check-latest: true - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 @@ -36,7 +36,7 @@ jobs: TAGS: bindata sqlite sqlite_unlock_notify - name: import gpg key id: import_gpg - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@v7 with: gpg_private_key: ${{ secrets.GPGSIGN_KEY }} passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} @@ -53,7 +53,7 @@ jobs: echo "Cleaned name is ${REF_NAME}" echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: configure aws - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@v6 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -81,9 +81,9 @@ jobs: # fetch all commits instead of only the last as some branches are long lived and could have many between versions # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - run: git fetch --unshallow --quiet --tags --force - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - - uses: docker/metadata-action@v5 + - uses: docker/setup-qemu-action@v4 + - uses: docker/setup-buildx-action@v4 + - uses: docker/metadata-action@v6 id: meta with: images: |- @@ -96,7 +96,7 @@ jobs: type=semver,pattern={{version}} annotations: | org.opencontainers.image.authors="maintainers@gitea.io" - - uses: docker/metadata-action@v5 + - uses: docker/metadata-action@v6 id: meta_rootless with: images: |- @@ -112,18 +112,18 @@ jobs: annotations: | org.opencontainers.image.authors="maintainers@gitea.io" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GHCR using PAT - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: build regular container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 @@ -131,7 +131,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} annotations: ${{ steps.meta.outputs.annotations }} - name: build rootless container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index 113a33c3c7..1e84ae1739 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml @@ -26,7 +26,7 @@ jobs: with: go-version-file: go.mod check-latest: true - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 - uses: actions/setup-node@v6 with: node-version: 24 @@ -39,7 +39,7 @@ jobs: TAGS: bindata sqlite sqlite_unlock_notify - name: import gpg key id: import_gpg - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@v7 with: gpg_private_key: ${{ secrets.GPGSIGN_KEY }} passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} @@ -56,7 +56,7 @@ jobs: echo "Cleaned name is ${REF_NAME}" echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: configure aws - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@v6 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -84,9 +84,9 @@ jobs: # fetch all commits instead of only the last as some branches are long lived and could have many between versions # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - run: git fetch --unshallow --quiet --tags --force - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - - uses: docker/metadata-action@v5 + - uses: docker/setup-qemu-action@v4 + - uses: docker/setup-buildx-action@v4 + - uses: docker/metadata-action@v6 id: meta with: images: |- @@ -103,7 +103,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} annotations: | org.opencontainers.image.authors="maintainers@gitea.io" - - uses: docker/metadata-action@v5 + - uses: docker/metadata-action@v6 id: meta_rootless with: images: |- @@ -124,18 +124,18 @@ jobs: annotations: | org.opencontainers.image.authors="maintainers@gitea.io" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GHCR using PAT - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: build regular container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 @@ -143,7 +143,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} annotations: ${{ steps.meta.outputs.annotations }} - name: build rootless container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 From 86401fd5fd35fc8f337dfc052cb63e53d9c2017a Mon Sep 17 00:00:00 2001 From: Nicolas Date: Mon, 23 Mar 2026 23:30:48 +0100 Subject: [PATCH 05/12] Fix user settings sidebar showing disabled features on some pages (#36958) Move UserDisabledFeatures context data into a shared SettingsCtxData middleware for the /user/settings route group, so it is set consistently on all pages (including Notifications, Actions, etc.) instead of only on the handlers that remembered to set it individually. Fixes #36954 --- routers/web/repo/setting/secrets.go | 2 -- routers/web/user/setting/account.go | 1 - routers/web/user/setting/applications.go | 3 --- routers/web/user/setting/block.go | 2 -- routers/web/user/setting/keys.go | 3 --- routers/web/user/setting/packages.go | 6 ------ routers/web/user/setting/profile.go | 6 ------ routers/web/user/setting/security/security.go | 1 - routers/web/user/setting/settings.go | 8 ++++++++ routers/web/user/setting/webhooks.go | 2 -- routers/web/web.go | 2 +- 11 files changed, 9 insertions(+), 27 deletions(-) diff --git a/routers/web/repo/setting/secrets.go b/routers/web/repo/setting/secrets.go index cd32a7dbb7..419aa26867 100644 --- a/routers/web/repo/setting/secrets.go +++ b/routers/web/repo/setting/secrets.go @@ -7,7 +7,6 @@ import ( "errors" "net/http" - user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/templates" shared "code.gitea.io/gitea/routers/web/shared/secrets" @@ -74,7 +73,6 @@ func Secrets(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("actions.actions") ctx.Data["PageType"] = "secrets" ctx.Data["PageIsSharedSettingsSecrets"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) sCtx, err := getSecretsCtx(ctx) if err != nil { diff --git a/routers/web/user/setting/account.go b/routers/web/user/setting/account.go index b333f36462..23bdf33d5f 100644 --- a/routers/web/user/setting/account.go +++ b/routers/web/user/setting/account.go @@ -321,7 +321,6 @@ func loadAccountData(ctx *context.Context) { ctx.Data["Emails"] = emails ctx.Data["ActivationsPending"] = pendingActivation ctx.Data["CanAddEmails"] = !pendingActivation || !setting.Service.RegisterEmailConfirm - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) if setting.Service.UserDeleteWithCommentsMaxTime != 0 { ctx.Data["UserDeleteWithCommentsMaxTime"] = setting.Service.UserDeleteWithCommentsMaxTime.String() diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go index 2498c43b84..9e33b487ea 100644 --- a/routers/web/user/setting/applications.go +++ b/routers/web/user/setting/applications.go @@ -10,7 +10,6 @@ import ( auth_model "code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/db" - user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/templates" "code.gitea.io/gitea/modules/util" @@ -27,7 +26,6 @@ const ( func Applications(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings.applications") ctx.Data["PageIsSettingsApplications"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) loadApplicationsData(ctx) @@ -39,7 +37,6 @@ func ApplicationsPost(ctx *context.Context) { form := web.GetForm(ctx).(*forms.NewAccessTokenForm) ctx.Data["Title"] = ctx.Tr("settings_title") ctx.Data["PageIsSettingsApplications"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) _ = ctx.Req.ParseForm() var scopeNames []string diff --git a/routers/web/user/setting/block.go b/routers/web/user/setting/block.go index 3756495fd2..3a1625ccf9 100644 --- a/routers/web/user/setting/block.go +++ b/routers/web/user/setting/block.go @@ -6,7 +6,6 @@ package setting import ( "net/http" - user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/templates" shared_user "code.gitea.io/gitea/routers/web/shared/user" @@ -20,7 +19,6 @@ const ( func BlockedUsers(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("user.block.list") ctx.Data["PageIsSettingsBlockedUsers"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) shared_user.BlockedUsers(ctx, ctx.Doer) if ctx.Written() { diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go index b78a0ec434..b82fa24a5d 100644 --- a/routers/web/user/setting/keys.go +++ b/routers/web/user/setting/keys.go @@ -35,7 +35,6 @@ func Keys(ctx *context.Context) { ctx.Data["DisableSSH"] = setting.SSH.Disabled ctx.Data["BuiltinSSH"] = setting.SSH.StartBuiltinServer ctx.Data["AllowPrincipals"] = setting.SSH.AuthorizedPrincipalsEnabled - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) loadKeysData(ctx) @@ -50,7 +49,6 @@ func KeysPost(ctx *context.Context) { ctx.Data["DisableSSH"] = setting.SSH.Disabled ctx.Data["BuiltinSSH"] = setting.SSH.StartBuiltinServer ctx.Data["AllowPrincipals"] = setting.SSH.AuthorizedPrincipalsEnabled - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) if ctx.HasError() { loadKeysData(ctx) @@ -341,5 +339,4 @@ func loadKeysData(ctx *context.Context) { ctx.Data["VerifyingID"] = ctx.FormString("verify_gpg") ctx.Data["VerifyingFingerprint"] = ctx.FormString("verify_ssh") - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) } diff --git a/routers/web/user/setting/packages.go b/routers/web/user/setting/packages.go index 51f8c46908..62b0240642 100644 --- a/routers/web/user/setting/packages.go +++ b/routers/web/user/setting/packages.go @@ -25,7 +25,6 @@ const ( func Packages(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("packages.title") ctx.Data["PageIsSettingsPackages"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) shared.SetPackagesContext(ctx, ctx.Doer) @@ -35,7 +34,6 @@ func Packages(ctx *context.Context) { func PackagesRuleAdd(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("packages.title") ctx.Data["PageIsSettingsPackages"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) shared.SetRuleAddContext(ctx) @@ -45,7 +43,6 @@ func PackagesRuleAdd(ctx *context.Context) { func PackagesRuleEdit(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("packages.title") ctx.Data["PageIsSettingsPackages"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) shared.SetRuleEditContext(ctx, ctx.Doer) @@ -55,7 +52,6 @@ func PackagesRuleEdit(ctx *context.Context) { func PackagesRuleAddPost(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings_title") ctx.Data["PageIsSettingsPackages"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) shared.PerformRuleAddPost( ctx, @@ -68,7 +64,6 @@ func PackagesRuleAddPost(ctx *context.Context) { func PackagesRuleEditPost(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("packages.title") ctx.Data["PageIsSettingsPackages"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) shared.PerformRuleEditPost( ctx, @@ -81,7 +76,6 @@ func PackagesRuleEditPost(ctx *context.Context) { func PackagesRulePreview(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("packages.title") ctx.Data["PageIsSettingsPackages"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) shared.SetRulePreviewContext(ctx, ctx.Doer) diff --git a/routers/web/user/setting/profile.go b/routers/web/user/setting/profile.go index 81a4a558e9..88d8e75d0c 100644 --- a/routers/web/user/setting/profile.go +++ b/routers/web/user/setting/profile.go @@ -49,8 +49,6 @@ func Profile(ctx *context.Context) { ctx.Data["AllowedUserVisibilityModes"] = setting.Service.AllowedUserVisibilityModesSlice.ToVisibleTypeSlice() ctx.Data["DisableGravatar"] = setting.Config().Picture.DisableGravatar.Value(ctx) - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) - ctx.HTML(http.StatusOK, tplSettingsProfile) } @@ -60,7 +58,6 @@ func ProfilePost(ctx *context.Context) { ctx.Data["PageIsSettingsProfile"] = true ctx.Data["AllowedUserVisibilityModes"] = setting.Service.AllowedUserVisibilityModesSlice.ToVisibleTypeSlice() ctx.Data["DisableGravatar"] = setting.Config().Picture.DisableGravatar.Value(ctx) - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) if ctx.HasError() { ctx.HTML(http.StatusOK, tplSettingsProfile) @@ -200,7 +197,6 @@ func DeleteAvatar(ctx *context.Context) { func Organization(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings.organization") ctx.Data["PageIsSettingsOrganization"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) opts := organization.FindOrgOptions{ ListOptions: db.ListOptions{ @@ -232,7 +228,6 @@ func Organization(ctx *context.Context) { func Repos(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings.repos") ctx.Data["PageIsSettingsRepos"] = true - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) ctx.Data["allowAdopt"] = ctx.IsUserSiteAdmin() || setting.Repository.AllowAdoptionOfUnadoptedRepositories ctx.Data["allowDelete"] = ctx.IsUserSiteAdmin() || setting.Repository.AllowDeleteOfUnadoptedRepositories @@ -340,7 +335,6 @@ func Appearance(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings.appearance") ctx.Data["PageIsSettingsAppearance"] = true ctx.Data["AllThemes"] = webtheme.GetAvailableThemes() - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) var hiddenCommentTypes *big.Int val, err := user_model.GetUserSetting(ctx, ctx.Doer.ID, user_model.SettingsKeyHiddenCommentTypes) diff --git a/routers/web/user/setting/security/security.go b/routers/web/user/setting/security/security.go index cc4c44993a..1b7efa27d5 100644 --- a/routers/web/user/setting/security/security.go +++ b/routers/web/user/setting/security/security.go @@ -156,5 +156,4 @@ func loadSecurityData(ctx *context.Context) { return } ctx.Data["OpenIDs"] = openid - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) } diff --git a/routers/web/user/setting/settings.go b/routers/web/user/setting/settings.go index 111931633d..e02ddc39af 100644 --- a/routers/web/user/setting/settings.go +++ b/routers/web/user/setting/settings.go @@ -9,9 +9,17 @@ import ( user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/json" + "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/services/context" ) +func SettingsCtxData(ctx *context.Context) { + ctx.Data["PageIsUserSettings"] = true + ctx.Data["EnablePackages"] = setting.Packages.Enabled + ctx.Data["EnableNotifyMail"] = setting.Service.EnableNotifyMail + ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) +} + func UpdatePreferences(ctx *context.Context) { type preferencesForm struct { CodeViewShowFileTree bool `json:"codeViewShowFileTree"` diff --git a/routers/web/user/setting/webhooks.go b/routers/web/user/setting/webhooks.go index 72a95a92e5..3c5d54cbc6 100644 --- a/routers/web/user/setting/webhooks.go +++ b/routers/web/user/setting/webhooks.go @@ -7,7 +7,6 @@ import ( "net/http" "code.gitea.io/gitea/models/db" - user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/models/webhook" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/templates" @@ -25,7 +24,6 @@ func Webhooks(ctx *context.Context) { ctx.Data["BaseLink"] = setting.AppSubURL + "/user/settings/hooks" ctx.Data["BaseLinkNew"] = setting.AppSubURL + "/user/settings/hooks" ctx.Data["Description"] = ctx.Tr("settings.hooks.desc") - ctx.Data["UserDisabledFeatures"] = user_model.DisabledFeaturesWithLoginType(ctx.Doer) ws, err := db.Find[webhook.Webhook](ctx, webhook.ListWebhookOptions{OwnerID: ctx.Doer.ID}) if err != nil { diff --git a/routers/web/web.go b/routers/web/web.go index a76a68ed80..75cc437b43 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -721,7 +721,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) { m.Get("", user_setting.BlockedUsers) m.Post("", web.Bind(forms.BlockUserForm{}), user_setting.BlockedUsersPost) }) - }, reqSignIn, ctxDataSet("PageIsUserSettings", true, "EnablePackages", setting.Packages.Enabled, "EnableNotifyMail", setting.Service.EnableNotifyMail)) + }, reqSignIn, user_setting.SettingsCtxData) m.Group("/user", func() { m.Get("/activate", auth.Activate) From 63c2b692597a384168f8383a58aa590430b04c92 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Tue, 24 Mar 2026 07:19:08 +0800 Subject: [PATCH 06/12] Make PUBLIC_URL_DETECTION default to "auto" (#36955) Related issues including: #36939 , #35619, #34950 , #34253 , #32554 For users who use reverse-proxy, we have documented the requirements clearly since long time ago : https://docs.gitea.com/administration/reverse-proxies --- custom/conf/app.example.ini | 9 ++++----- modules/setting/server.go | 2 +- routers/web/admin/admin_test.go | 23 +++++++++++++++++------ 3 files changed, 22 insertions(+), 12 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 5eb4a5e995..b752a81ca9 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -69,13 +69,12 @@ RUN_USER = ; git ;; Most users should set it to the real website URL of their Gitea instance when there is a reverse proxy. ;ROOT_URL = ;; -;; Controls how to detect the public URL. -;; Although it defaults to "legacy" (to avoid breaking existing users), most instances should use the "auto" behavior, +;; Controls how to detect the public URL. Most instances should use the "auto" behavior, ;; especially when the Gitea instance needs to be accessed in a container network. -;; * legacy: detect the public URL from "Host" header if "X-Forwarded-Proto" header exists, otherwise use "ROOT_URL". -;; * auto: always use "Host" header, and also use "X-Forwarded-Proto" header if it exists. If no "Host" header, use "ROOT_URL". +;; * legacy: (default <= 1.25) detect the public URL from "Host" header if "X-Forwarded-Proto" header exists, otherwise use "ROOT_URL". +;; * auto: (default >= 1.26) always use "Host" header, and also use "X-Forwarded-Proto" header if it exists. If no "Host" header, use "ROOT_URL". ;; * never: always use "ROOT_URL", never detect from request headers. -;PUBLIC_URL_DETECTION = legacy +;PUBLIC_URL_DETECTION = auto ;; ;; For development purpose only. It makes Gitea handle sub-path ("/sub-path/owner/repo/...") directly when debugging without a reverse proxy. ;; DO NOT USE IT IN PRODUCTION!!! diff --git a/modules/setting/server.go b/modules/setting/server.go index 7e7611b802..f0fbbce970 100644 --- a/modules/setting/server.go +++ b/modules/setting/server.go @@ -286,7 +286,7 @@ func loadServerFrom(rootCfg ConfigProvider) { defaultAppURL := string(Protocol) + "://" + Domain + ":" + HTTPPort AppURL = sec.Key("ROOT_URL").MustString(defaultAppURL) - PublicURLDetection = sec.Key("PUBLIC_URL_DETECTION").MustString(PublicURLLegacy) + PublicURLDetection = sec.Key("PUBLIC_URL_DETECTION").MustString(PublicURLAuto) if PublicURLDetection != PublicURLAuto && PublicURLDetection != PublicURLLegacy && PublicURLDetection != PublicURLNever { log.Fatal("Invalid PUBLIC_URL_DETECTION value: %s", PublicURLDetection) } diff --git a/routers/web/admin/admin_test.go b/routers/web/admin/admin_test.go index a568c7c5c8..ecdd462f9e 100644 --- a/routers/web/admin/admin_test.go +++ b/routers/web/admin/admin_test.go @@ -13,6 +13,7 @@ import ( "code.gitea.io/gitea/services/contexttest" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestShadowPassword(t *testing.T) { @@ -74,19 +75,29 @@ func TestShadowPassword(t *testing.T) { } func TestSelfCheckPost(t *testing.T) { + defer test.MockVariableValue(&setting.PublicURLDetection)() defer test.MockVariableValue(&setting.AppURL, "http://config/sub/")() defer test.MockVariableValue(&setting.AppSubURL, "/sub")() - ctx, resp := contexttest.MockContext(t, "GET http://host/sub/admin/self_check?location_origin=http://frontend") - SelfCheckPost(ctx) - assert.Equal(t, http.StatusOK, resp.Code) - data := struct { Problems []string `json:"problems"` }{} - err := json.Unmarshal(resp.Body.Bytes(), &data) - assert.NoError(t, err) + + setting.PublicURLDetection = setting.PublicURLLegacy + ctx, resp := contexttest.MockContext(t, "GET http://host/sub/admin/self_check?location_origin=http://frontend") + SelfCheckPost(ctx) + assert.Equal(t, http.StatusOK, resp.Code) + require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &data)) assert.Equal(t, []string{ ctx.Locale.TrString("admin.self_check.location_origin_mismatch", "http://frontend/sub/", "http://config/sub/"), }, data.Problems) + + setting.PublicURLDetection = setting.PublicURLAuto + ctx, resp = contexttest.MockContext(t, "GET http://host/sub/admin/self_check?location_origin=http://frontend") + SelfCheckPost(ctx) + assert.Equal(t, http.StatusOK, resp.Code) + require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &data)) + assert.Equal(t, []string{ + ctx.Locale.TrString("admin.self_check.location_origin_mismatch", "http://frontend/sub/", "http://host/sub/"), + }, data.Problems) } From c5e196dedb8a5f145203dd956907726450411d6f Mon Sep 17 00:00:00 2001 From: GiteaBot Date: Tue, 24 Mar 2026 00:45:32 +0000 Subject: [PATCH 07/12] [skip ci] Updated translations via Crowdin --- options/locale/locale_ga-IE.json | 53 +++++++++++++++++++- options/locale/locale_ko-KR.json | 83 ++++++++++++++++++++++++++------ 2 files changed, 119 insertions(+), 17 deletions(-) diff --git a/options/locale/locale_ga-IE.json b/options/locale/locale_ga-IE.json index f43c9ad355..663de75772 100644 --- a/options/locale/locale_ga-IE.json +++ b/options/locale/locale_ga-IE.json @@ -81,6 +81,7 @@ "retry": "Atriail", "rerun": "Ath-rith", "rerun_all": "Ath-rith na poist go léir", + "rerun_failed": "Athrith poist theipithe", "save": "Sábháil", "add": "Cuir", "add_all": "Cuir Gach", @@ -168,6 +169,7 @@ "search.exact_tooltip": "Ní chuir san áireamh ach torthaí a mheaitseálann leis an téarma", "search.repo_kind": "Cuardaigh stórais…", "search.user_kind": "Cuardaigh úsáideoirí…", + "search.badge_kind": "Cuardaigh suaitheantais…", "search.org_kind": "Cuardaigh eagraíochtaí…", "search.team_kind": "Cuardaigh foirne…", "search.code_kind": "Cuardaigh cód…", @@ -542,6 +544,7 @@ "form.glob_pattern_error": " tá patrún glob neamhbhailí: %s.", "form.regex_pattern_error": "tá patrún regex neamhbhailí: %s.", "form.username_error": "Ní féidir ach carachtair alfa-uimhriúla ('0-9','a-z','A-Z'), fleasc ('-'), fo-líne ('_') agus ponc ('.') a bheith i `. Ní féidir é a thosú ná a chríochnú le carachtair neamh-alfa-uimhriúla, agus tá cosc ar charachtair neamh-alfa-uimhriúla as a chéile ach an oiread.`", + "form.invalid_slug_error": " neamhbhailí.", "form.invalid_group_team_map_error": " tá mapáil neamhbhailí: %s", "form.unknown_error": "Earráid anaithnid:", "form.captcha_incorrect": "Tá an cód CAPTCHA mícheart.", @@ -645,6 +648,7 @@ "user.block.note.edit": "Cuir nóta in eagar", "user.block.list": "Úsáideoirí blocáilte", "user.block.list.none": "Níor chuir tú bac ar aon úsáideoirí.", + "settings.general": "Ginearálta", "settings.profile": "Próifíl", "settings.account": "Cuntas", "settings.appearance": "Dealramh", @@ -2856,6 +2860,30 @@ "admin.hooks": "Crúcaí Gréasán", "admin.integrations": "Comhtháthaithe", "admin.authentication": "Foinsí Fíordheimhnithe", + "admin.badges": "Suaitheantais", + "admin.badges.badges_manage_panel": "Bainistíocht Suaitheantais", + "admin.badges.details": "Sonraí Suaitheantais", + "admin.badges.new_badge": "Cruthaigh Suaitheantas Nua", + "admin.badges.slug": "Sluga", + "admin.badges.slug_been_taken": "Tá an sluga tógtha cheana féin.", + "admin.badges.description": "Cur síos", + "admin.badges.image_url": "URL na híomhá", + "admin.badges.new_success": "Tá an suaitheantas \"%s\" cruthaithe.", + "admin.badges.update_success": "Tá an suaitheantas nuashonraithe.", + "admin.badges.deletion_success": "Tá an suaitheantas scriosta.", + "admin.badges.edit_badge": "Cuir Suaitheantas in Eagar", + "admin.badges.update_badge": "Nuashonraigh Suaitheantas", + "admin.badges.delete_badge": "Scrios Suaitheantas", + "admin.badges.delete_badge_desc": "An bhfuil tú cinnte gur mian leat an suaitheantas seo a scriosadh go buan?", + "admin.badges.users_with_badge": "Úsáideoirí a bhfuil suaitheantas acu: %s", + "admin.badges.not_found": "Níor aimsíodh an suaitheantas.", + "admin.badges.user_already_has": "Tá an suaitheantas seo ag an úsáideoir cheana féin.", + "admin.badges.user_add_success": "Sannadh suaitheantas don úsáideoir go rathúil.", + "admin.badges.user_remove_success": "Baineadh an suaitheantas den úsáideoir go rathúil.", + "admin.badges.manage_users": "Bainistigh Úsáideoirí", + "admin.badges.add_user": "Cuir Úsáideoir leis", + "admin.badges.remove_user": "Bain Úsáideoir", + "admin.badges.delete_user_desc": "An bhfuil tú cinnte gur mian leat an t-úsáideoir seo a bhaint den suaitheantas?", "admin.emails": "Seoltaí Ríomhphoist Úsáideoirí", "admin.config": "Cumraíocht", "admin.config_summary": "Achoimre", @@ -3707,6 +3735,10 @@ "actions.runs.not_done": "Níl an rith sreabha oibre seo críochnaithe.", "actions.runs.view_workflow_file": "Féach ar chomhad sreabha oibre", "actions.runs.workflow_graph": "Graf Sreabhadh Oibre", + "actions.runs.summary": "Achoimre", + "actions.runs.all_jobs": "Gach post", + "actions.runs.triggered_via": "Spreagtha trí %s", + "actions.runs.total_duration": "Fad iomlán:", "actions.workflow.disable": "Díchumasaigh sreabhadh oibre", "actions.workflow.disable_success": "D'éirigh le sreabhadh oibre '%s' a dhíchumasú.", "actions.workflow.enable": "Cumasaigh sreabhadh oibre", @@ -3756,5 +3788,24 @@ "git.filemode.normal_file": "Rialta", "git.filemode.executable_file": "Inrite", "git.filemode.symbolic_link": "Nasc siombalach", - "git.filemode.submodule": "Fo-mhodúl" + "git.filemode.submodule": "Fo-mhodúl", + "org.repos.none": "Gan aon stórtha.", + "actions.general.permissions": "Ceadanna Comhartha Gníomhartha", + "actions.general.token_permissions.mode": "Ceadanna Réamhshocraithe Comharthaí", + "actions.general.token_permissions.mode.desc": "Úsáidfidh post Gníomhartha na ceadanna réamhshocraithe mura ndearbhaíonn sé a cheadanna sa chomhad sreabha oibre.", + "actions.general.token_permissions.mode.permissive": "Ceadaitheach", + "actions.general.token_permissions.mode.permissive.desc": "Ceadanna léigh agus scríbhneoireachta do stórlann an phoist.", + "actions.general.token_permissions.mode.restricted": "Srianta", + "actions.general.token_permissions.mode.restricted.desc": "Ceadanna léite amháin d'aonaid ábhair (cód, eisiúintí) stórlann an phoist.", + "actions.general.token_permissions.override_owner": "Sáraigh cumraíocht leibhéal an úinéara", + "actions.general.token_permissions.override_owner_desc": "Má tá sé cumasaithe, úsáidfidh an stór seo a chumraíocht Gníomhartha féin in ionad an chumraíocht ar leibhéal an úinéara (úsáideoir nó eagraíocht) a leanúint.", + "actions.general.token_permissions.maximum": "Uasmhéid Ceadanna Comharthaí", + "actions.general.token_permissions.maximum.description": "Beidh ceadanna éifeachtacha an phoist gníomhartha teoranta ag na ceadanna uasta.", + "actions.general.token_permissions.fork_pr_note": "Mura gcuirtear tús le post trí iarratas tarraingthe ó fhorc, ní rachaidh a cheadanna éifeachtacha thar na ceadanna léite amháin.", + "actions.general.token_permissions.customize_max_permissions": "Saincheap na ceadanna uasta", + "actions.general.cross_repo": "Rochtain Tras-Stórtha", + "actions.general.cross_repo_desc": "Ceadaigh rochtain (léamh amháin) a bheith ag na stórtha uile san úinéir seo ar na stórtha roghnaithe le GITEA_TOKEN agus poist Gníomhartha á reáchtáil.", + "actions.general.cross_repo_selected": "Stórtha roghnaithe", + "actions.general.cross_repo_target_repos": "Stórtha Spriocdhírithe", + "actions.general.cross_repo_add": "Cuir Stór Sprioc leis" } diff --git a/options/locale/locale_ko-KR.json b/options/locale/locale_ko-KR.json index 8f572e9f9b..e4ea00f31c 100644 --- a/options/locale/locale_ko-KR.json +++ b/options/locale/locale_ko-KR.json @@ -81,6 +81,7 @@ "retry": "재시도", "rerun": "다시 실행", "rerun_all": "모든 작업 다시 실행", + "rerun_failed": "실패한 작업 다시 실행", "save": "저장", "add": "추가", "add_all": "모두 추가", @@ -168,6 +169,7 @@ "search.exact_tooltip": "검색어와 정확하게 일치하는 결과만 포함합니다", "search.repo_kind": "리포지토리 검색…", "search.user_kind": "사용자 검색…", + "search.badge_kind": "배지 검색…", "search.org_kind": "조직 검색…", "search.team_kind": "팀 검색…", "search.code_kind": "코드 검색…", @@ -542,6 +544,7 @@ "form.glob_pattern_error": " 와일드카드 패턴이 잘못됨: %s.", "form.regex_pattern_error": " 정규 표현식 패턴이 잘못됨: %s.", "form.username_error": " `영숫자 ('0-9','a-z','A-Z'), 대시('-'), 밑줄('_'), 마침점 ('.') 만 포함할 수 있습니다. 시작과 끝문자는 반드시 영숫자이어야 하고, 영숫자가 아닌 문자를 연속해서 사용할 수 없습니다.`.", + "form.invalid_slug_error": " 유효하지 않음.", "form.invalid_group_team_map_error": " 매핑이 잘못되었습니다: %s", "form.unknown_error": "알 수 없는 오류:", "form.captcha_incorrect": "CAPTCHA 코드가 올바르지 않습니다.", @@ -645,6 +648,7 @@ "user.block.note.edit": "노트 편집", "user.block.list": "차단된 사용자", "user.block.list.none": "차단한 사용자가 없습니다.", + "settings.general": "일반", "settings.profile": "프로필", "settings.account": "계정", "settings.appearance": "외관", @@ -1154,7 +1158,7 @@ "repo.unstar": "별점취소", "repo.star": "별점", "repo.fork": "포크", - "repo.action.blocked_user": "리포지토리 소유자에게 차단되어 작업을 수행할 수 없습니다.", + "repo.action.blocked_user": "리포지토리 소유자에게 차단되어 액션을 수행할 수 없습니다.", "repo.download_archive": "리포지토리 다운로드", "repo.more_operations": "추가 작업", "repo.quick_guide": "퀵 가이드", @@ -1178,7 +1182,7 @@ "repo.pulls": "풀 리퀘스트", "repo.projects": "프로젝트", "repo.packages": "패키지", - "repo.actions": "동작", + "repo.actions": "액션", "repo.labels": "레이블", "repo.org_labels_desc": "이 조직의 모든 리포지토리에서 사용할 수 있는 조직 수준 레이블", "repo.org_labels_desc_manage": "관리", @@ -2140,7 +2144,7 @@ "repo.settings.projects_mode_repo": "리포지토리 프로젝트만", "repo.settings.projects_mode_owner": "사용자 또는 조직 프로젝트만", "repo.settings.projects_mode_all": "모든 프로젝트", - "repo.settings.actions_desc": "리포지토리 동작 활성화", + "repo.settings.actions_desc": "리포지토리 액션 활성화", "repo.settings.admin_settings": "운영자 설정", "repo.settings.admin_enable_health_check": "리포지토리 헬스 체크 활성화 (git fsck)", "repo.settings.admin_code_indexer": "코드 인덱서", @@ -2174,7 +2178,7 @@ "repo.settings.transfer_in_progress": "현재 진행 중인 이전이 있습니다. 이 저장소를 다른 사용자에게 이전하려면 먼저 취소하십시오.", "repo.settings.transfer_notices_1": "- 개별 사용자에게 리포지토리를 이전하면 리포지토리에 대한 액세스 권한을 잃게 됩니다.", "repo.settings.transfer_notices_2": "- 당신이 (공동)소유하고 있는 조직으로 리포지토리를 이전하면 리포지토리에 대한 액세스 권한을 유지합니다.", - "repo.settings.transfer_notices_3": "- 리포지토리가 비공개이고 개별 사용자에게 이전되는 경우, 이 작업은 해당 사용자가 최소한 읽기 권한을 가지도록 보장합니다 (필요하다면 권한을 변경함).", + "repo.settings.transfer_notices_3": "- 저장소가 비공개이고 개별 사용자에게 이전되는 경우, 이 액션은 해당 사용자가 최소한 읽기 권한을 가지도록 보장합니다(필요하다면 권한을 변경함).", "repo.settings.transfer_notices_4": "- 리포지토리가 조직에 속하고 다른 조직 또는 개인에게 이전하는 경우, 저장소의 이슈와 조직의 프로젝트 보드 간의 연결이 끊어집니다.", "repo.settings.transfer_owner": "새 소유자", "repo.settings.transfer_perform": "이전 수행", @@ -2789,7 +2793,7 @@ "org.teams.can_create_org_repo": "리포지토리 생성", "org.teams.can_create_org_repo_helper": "멤버는 조직에서 새 리포지토리를 만들 수 있습니다. 생성자는 새 리포지토리에 대한 운영자 액세스 권한을 얻습니다.", "org.teams.none_access": "액세스 없음", - "org.teams.none_access_helper": "멤버는 이 단위에서 어떤 작업도 보거나 수행할 수 없습니다. 공개 리포지토리에는 영향을 미치지 않습니다.", + "org.teams.none_access_helper": "멤버는 이 단위에서 어떤 액션도 보거나 수행할 수 없습니다. 공개 리포지토리에는 영향을 미치지 않습니다.", "org.teams.general_access": "일반 액세스", "org.teams.general_access_helper": "멤버 권한은 아래 권한 테이블에 따라 결정됩니다.", "org.teams.read_access": "읽음", @@ -2856,6 +2860,30 @@ "admin.hooks": "Webhook", "admin.integrations": "통합", "admin.authentication": "인증 소스", + "admin.badges": "배지", + "admin.badges.badges_manage_panel": "배지 관리", + "admin.badges.details": "배지 상세정보", + "admin.badges.new_badge": "새 배지 만들기", + "admin.badges.slug": "슬러그", + "admin.badges.slug_been_taken": "이미 사용 중인 슬러그입니다.", + "admin.badges.description": "설명", + "admin.badges.image_url": "이미지 URL", + "admin.badges.new_success": "배지 \"%s\"가 생성되었습니다.", + "admin.badges.update_success": "배지가 업데이트 되었습니다.", + "admin.badges.deletion_success": "배지가 삭제되었습니다.", + "admin.badges.edit_badge": "배지 수정", + "admin.badges.update_badge": "배지 업데이트", + "admin.badges.delete_badge": "배지 삭제", + "admin.badges.delete_badge_desc": "이 배지를 영구적으로 삭제하겠습니까?", + "admin.badges.users_with_badge": "배지를 가진 사용자: %s", + "admin.badges.not_found": "배지를 찾을 수 없음.", + "admin.badges.user_already_has": "사용자는 이 배지를 이미 갖고 있습니다.", + "admin.badges.user_add_success": "사용자에게 배지가 성공적으로 지정되었습니다.", + "admin.badges.user_remove_success": "사용자에게 배지를 제거하는데 성공하였습니다.", + "admin.badges.manage_users": "사용자 관리", + "admin.badges.add_user": "사용자 추가", + "admin.badges.remove_user": "사용자 삭제", + "admin.badges.delete_user_desc": "이 사용자를 배지에서 제거하는 것이 확실한가요?", "admin.emails": "사용자 이메일 주소", "admin.config": "구성", "admin.config_summary": "요약", @@ -2909,7 +2937,7 @@ "admin.dashboard.sync_external_users": "외부 사용자 데이터 동기화", "admin.dashboard.cleanup_hook_task_table": "hook_task 테이블 정리", "admin.dashboard.cleanup_packages": "만료된 패키지 정리", - "admin.dashboard.cleanup_actions": "만료된 작업 리소스 정리", + "admin.dashboard.cleanup_actions": "만료된 액션 리소스 정리", "admin.dashboard.server_uptime": "서버를 켠 시간", "admin.dashboard.current_goroutine": "현재 Go루틴", "admin.dashboard.current_memory_usage": "현재 메모리 사용율", @@ -2944,10 +2972,10 @@ "admin.dashboard.update_checker": "업데이트 확인", "admin.dashboard.delete_old_system_notices": "데이터베이스에서 모든 오래된 시스템 알림 삭제", "admin.dashboard.gc_lfs": "LFS 메타 객체 가비지 컬렉션", - "admin.dashboard.stop_zombie_tasks": "좀비 작업 동작 중지", + "admin.dashboard.stop_zombie_tasks": "좀비 작업 액션 중지", "admin.dashboard.stop_endless_tasks": "끝나지 않는 작업 중지", - "admin.dashboard.cancel_abandoned_jobs": "포기한 작업 동작 취소", - "admin.dashboard.start_schedule_tasks": "예약된 작업 동작 시작", + "admin.dashboard.cancel_abandoned_jobs": "포기한 작업 액션 취소", + "admin.dashboard.start_schedule_tasks": "예약된 작업 액션 시작", "admin.dashboard.sync_branch.started": "브랜치 동기화 시작됨", "admin.dashboard.sync_tag.started": "태그 동기화 시작됨", "admin.dashboard.rebuild_issue_indexer": "이슈 인덱서 재구축", @@ -3611,7 +3639,7 @@ "packages.owner.settings.chef.keypair": "키 쌍 생성", "packages.owner.settings.chef.keypair.description": "Chef 레지스트리에 인증하려면 키 쌍이 필요합니다. 이전에 키 쌍을 생성한 경우, 새 키 쌍를 생성하면 이전 키 쌍은 폐기됩니다.", "secrets.secrets": "비밀", - "secrets.description": "비밀 키는 특정 동작에 전달되며 다른 방법으로는 읽을 수 없습니다.", + "secrets.description": "비밀 키는 특정 액션에 전달되며 다른 방법으로는 읽을 수 없습니다.", "secrets.none": "아직 비밀이 없습니다.", "secrets.creation.description": "설명", "secrets.creation.name_placeholder": "대소문자를 구분하지 않으며, 영숫자 또는 밑줄 문자만, GITEA_ 또는 GITHUB_로 시작할 수 없음", @@ -3626,8 +3654,8 @@ "secrets.deletion.success": "비밀이 삭제되었습니다.", "secrets.deletion.failed": "비밀 제거에 실패했습니다.", "secrets.management": "비밀 관리", - "actions.actions": "동작", - "actions.unit.desc": "동작 관리", + "actions.actions": "액션", + "actions.unit.desc": "액션 관리", "actions.status.unknown": "알수없음", "actions.status.waiting": "대기 중", "actions.status.running": "실행중", @@ -3703,10 +3731,14 @@ "actions.runs.expire_log_message": "로그가 너무 오래되어 제거되었습니다.", "actions.runs.delete": "워크플로우 실행 삭제", "actions.runs.cancel": "워크플로우 실행 취소", - "actions.runs.delete.description": "이 워크플로우 실행을 영구적으로 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다.", + "actions.runs.delete.description": "이 워크플로우 실행을 영구적으로 삭제하시겠습니까? 이 동작은 되돌릴 수 없습니다.", "actions.runs.not_done": "이 워크플로우 실행은 완료되지 않았습니다.", "actions.runs.view_workflow_file": "워크플로우 파일 표시", "actions.runs.workflow_graph": "워크플로우 그래프", + "actions.runs.summary": "요약", + "actions.runs.all_jobs": "모든 작업", + "actions.runs.triggered_via": "%s를 통해 트리거됨", + "actions.runs.total_duration": "총기간:", "actions.workflow.disable": "워크플로 비활성화", "actions.workflow.disable_success": "워크플로 '%s'가 성공적으로 비활성화되었습니다.", "actions.workflow.enable": "워크플로 활성화", @@ -3726,7 +3758,7 @@ "actions.variables.none": "아직 변수가 없습니다.", "actions.variables.deletion": "변수 제거", "actions.variables.deletion.description": "변수 제거는 영구적이며 되돌릴 수 없습니다. 계속하시겠습니까?", - "actions.variables.description": "변수는 특정 동작에 전달되며 다른 방법으로는 읽을 수 없습니다.", + "actions.variables.description": "변수는 특정 액션에 전달되며 다른 방법으로는 읽을 수 없습니다.", "actions.variables.id_not_exist": "ID %d인 변수가 존재하지 않습니다.", "actions.variables.edit": "변수 수정", "actions.variables.deletion.failed": "변수 제거에 실패했습니다.", @@ -3738,7 +3770,7 @@ "actions.logs.always_auto_scroll": "로그 자동 스크롤 항상 켜기", "actions.logs.always_expand_running": "실행 중인 로그 항상 펼침", "actions.general": "일반", - "actions.general.enable_actions": "동작 활성화", + "actions.general.enable_actions": "액션 활성화", "actions.general.collaborative_owners_management": "보조 소유자 관리", "actions.general.collaborative_owners_management_help": "보조 소유자는 이 리포지토리의 액션 및 워크플로에 접근할 수 있는 개인 리포지토리를 가진 사용자 또는 조직입니다.", "actions.general.add_collaborative_owner": "보조 소유자 추가", @@ -3756,5 +3788,24 @@ "git.filemode.normal_file": "일반", "git.filemode.executable_file": "실행파일", "git.filemode.symbolic_link": "Symlink", - "git.filemode.submodule": "서브모듈" + "git.filemode.submodule": "서브모듈", + "org.repos.none": "리포지토리 없음.", + "actions.general.permissions": "액션 토큰 권한", + "actions.general.token_permissions.mode": "기본 토큰 권한", + "actions.general.token_permissions.mode.desc": "워크플로 파일에서 권한을 선언하지 않으면 액션 작업은 기본 권한을 사용합니다.", + "actions.general.token_permissions.mode.permissive": "허용적", + "actions.general.token_permissions.mode.permissive.desc": "작업 리포지토리에 대한 읽기 쓰기 권한.", + "actions.general.token_permissions.mode.restricted": "제한됨", + "actions.general.token_permissions.mode.restricted.desc": "작업 리포지토리의 콘텐츠 단위(코드, 릴리스)에 대한 읽기 전용 권한.", + "actions.general.token_permissions.override_owner": "소유자 수준의 구성 오버라이드", + "actions.general.token_permissions.override_owner_desc": "활성화하면, 이 리포지토리는 다음 소유자-수준(사용자 혹은 조직) 구성 대신에 자신의 액션 구성을 사용합니다.", + "actions.general.token_permissions.maximum": "최대 토큰 권한", + "actions.general.token_permissions.maximum.description": "액션 작업의 효과 권한은 최대 권한으로 제한됩니다.", + "actions.general.token_permissions.fork_pr_note": "포크로부터 생성된 풀 리퀘스트로 작업이 시작된 경우, 해당 작업의 유효 권한은 읽기 전용 권한을 초과하지 않습니다.", + "actions.general.token_permissions.customize_max_permissions": "최대 권한을 커스터마이징", + "actions.general.cross_repo": "크로스 리포지토리 억세스", + "actions.general.cross_repo_desc": "선택된 저장소가 이 소유자의 모든 저장소에서 액션 작업을 실행할 때 GITEA_TOKEN을 사용하여 (읽기 전용으로) 액세스할 수 있도록 허용합니다.", + "actions.general.cross_repo_selected": "선택된 리포지토리", + "actions.general.cross_repo_target_repos": "대상 리포지토리", + "actions.general.cross_repo_add": "대상 리포지토리 추가" } From c453d09c36fad094405314dba2f370434b200711 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Mon, 23 Mar 2026 21:08:48 -0700 Subject: [PATCH 08/12] Catch scanner error when possible to avoid bypass (#36963) --- cmd/hook.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cmd/hook.go b/cmd/hook.go index a0280e283f..992e52c279 100644 --- a/cmd/hook.go +++ b/cmd/hook.go @@ -276,6 +276,9 @@ Gitea or set your environment appropriately.`, "") lastline = 0 } } + if err := scanner.Err(); err != nil { + return fail(ctx, "Hook failed: stdin read error", "scanner error: %v", err) + } if count > 0 { hookOptions.OldCommitIDs = oldCommitIDs[:count] @@ -415,6 +418,11 @@ Gitea or set your environment appropriately.`, "") count = 0 } } + if err := scanner.Err(); err != nil { + _ = dWriter.Close() + hookPrintResults(results) + return fail(ctx, "Hook failed: stdin read error", "scanner error: %v", err) + } if count == 0 { if wasEmpty && masterPushed { From 66b8178e59cf7b44528fecd93637d299582c991e Mon Sep 17 00:00:00 2001 From: silverwind Date: Tue, 24 Mar 2026 17:49:29 +0100 Subject: [PATCH 09/12] Improve AGENTS.md (#36974) 1. Remove header line, useless context bloat 2. Reword all "before commiting" lines because some people may not be using the agent to commit, only to write changes. --- AGENTS.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 402a9d6945..3db66637b7 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,10 +1,8 @@ -# Instructions for agents - - Use `make help` to find available development targets -- Before committing `.go` changes, run `make fmt` to format, and run `make lint-go` to lint -- Before committing `.ts` changes, run `make lint-js` to lint -- Before committing `go.mod` changes, run `make tidy` -- Before committing new `.go` files, add the current year into the copyright header -- Before committing any files, remove all trailing whitespace from source code lines +- Run `make fmt` to format `.go` files, and run `make lint-go` to lint them +- Run `make lint-js` to lint `.ts` files +- Run `make tidy` after any `go.mod` changes +- Add the current year into the copyright header of new `.go` files +- Ensure no trailing whitespace in edited files - Never force-push to pull request branches - Always start issue and pull request comments with an authorship attribution From c96cc701445cfe31fce65dc4ff667ab49f218857 Mon Sep 17 00:00:00 2001 From: Tyrone Yeh Date: Wed, 25 Mar 2026 01:23:13 +0800 Subject: [PATCH 10/12] Add class "list-header-filters" to the div for projects (#36889) closes #36886 --- templates/projects/view.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/projects/view.tmpl b/templates/projects/view.tmpl index e1b7364f41..3e1afab79f 100644 --- a/templates/projects/view.tmpl +++ b/templates/projects/view.tmpl @@ -4,7 +4,7 @@

{{.Project.Title}}

-
+
{{$queryLink := QueryBuild "?" "labels" .SelectLabels "assignee" $.AssigneeID "milestone" $.MilestoneID "archived_labels" (Iif $.ShowArchivedLabels "true")}} {{template "repo/issue/filter_item_label" dict "Labels" .Labels "QueryLink" $queryLink "SupportArchivedLabel" true}} {{template "repo/issue/filter_item_user_assign" dict From cfd900889177676d4b6884f94f943749b0e947ed Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Tue, 24 Mar 2026 20:16:23 +0100 Subject: [PATCH 11/12] add valid github scopes (#36977) test for github supported scopes with test to ensure all of them work and don't panic fixes: https://github.com/go-gitea/gitea/issues/36967 --- services/actions/permission_parser.go | 5 ++++ services/actions/permission_parser_test.go | 30 ++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/services/actions/permission_parser.go b/services/actions/permission_parser.go index 9ff6134a7a..8c06e27d4b 100644 --- a/services/actions/permission_parser.go +++ b/services/actions/permission_parser.go @@ -117,6 +117,11 @@ func parseRawPermissionsExplicit(rawPerms *yaml.Node) *repo_model.ActionsTokenPe result.UnitAccessModes[unit.TypeReleases] = mode case "projects": result.UnitAccessModes[unit.TypeProjects] = mode + // Scopes github supports but gitea does not, see url for details + // https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax + case "artifact-metadata", "attestations", "checks", "deployments", + "id-token", "models", "discussions", "pages", "security-events", "statuses": + // not supported default: setting.PanicInDevOrTesting("Unrecognized permission scope: %s", scope) } diff --git a/services/actions/permission_parser_test.go b/services/actions/permission_parser_test.go index 06352516fd..9986814b48 100644 --- a/services/actions/permission_parser_test.go +++ b/services/actions/permission_parser_test.go @@ -33,6 +33,36 @@ func TestParseRawPermissions_ReadAll(t *testing.T) { assert.Equal(t, perm.AccessModeRead, result.UnitAccessModes[unit.TypeProjects]) } +// TestParseRawPermissions_GithubScopes verifies that all scopes that github supports are accounted for +func TestParseRawPermissions_GithubScopes(t *testing.T) { + var rawPerms yaml.Node + // Taken and stripped down from: + // https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes + yamlContent := ` +actions: read +artifact-metadata: read +attestations: read +checks: read +contents: read +deployments: read +id-token: write +issues: read +models: read +discussions: read +packages: read +pages: read +pull-requests: read +security-events: read +statuses: read` + err := yaml.Unmarshal([]byte(yamlContent), &rawPerms) + require.NoError(t, err) + + result := parseRawPermissionsExplicit(&rawPerms) + require.NotNil(t, result) + + // No asserts for permissions set on purpose +} + func TestParseRawPermissions_WriteAll(t *testing.T) { var rawPerms yaml.Node err := yaml.Unmarshal([]byte(`write-all`), &rawPerms) From 943ff75233dfa854e2864467e7e6b88a0420c359 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Tue, 24 Mar 2026 16:13:08 -0400 Subject: [PATCH 12/12] Require additional user confirmation for making repo private (#36959) To align with how GitHub requires additional explicit user interaction to make a repo private, including informing them of implications on what happens if they do. --------- Co-authored-by: wxiaoguang --- modules/test/utils.go | 8 + options/locale/locale_en-US.json | 9 +- routers/web/repo/setting/setting.go | 28 ++-- services/repository/repository.go | 93 ++++-------- services/repository/repository_test.go | 4 +- templates/repo/migrate/migrating.tmpl | 6 +- templates/repo/settings/options.tmpl | 137 ++++++------------ .../settings/repo_name_confirm_fields.tmpl | 10 ++ tests/integration/repo_visibility_test.go | 59 ++++++++ 9 files changed, 173 insertions(+), 181 deletions(-) create mode 100644 templates/repo/settings/repo_name_confirm_fields.tmpl create mode 100644 tests/integration/repo_visibility_test.go diff --git a/modules/test/utils.go b/modules/test/utils.go index 4996f5a13b..458cf547d5 100644 --- a/modules/test/utils.go +++ b/modules/test/utils.go @@ -45,6 +45,14 @@ func ParseJSONError(buf []byte) (ret struct { return ret } +func ParseJSONRedirect(buf []byte) (ret struct { + Redirect string `json:"redirect"` +}, +) { + _ = json.Unmarshal(buf, &ret) + return ret +} + func IsNormalPageCompleted(s string) bool { return strings.Contains(s, `
`) } diff --git a/options/locale/locale_en-US.json b/options/locale/locale_en-US.json index de3cbd1a91..2ffa130751 100644 --- a/options/locale/locale_en-US.json +++ b/options/locale/locale_en-US.json @@ -969,7 +969,6 @@ "repo.visibility_description": "Only the owner or the organization members if they have rights, will be able to see it.", "repo.visibility_helper": "Make repository private", "repo.visibility_helper_forced": "Your site administrator forces new repositories to be private.", - "repo.visibility_fork_helper": "(Changing this will affect all forks.)", "repo.clone_helper": "Need help cloning? Visit Help.", "repo.fork_repo": "Fork Repository", "repo.fork_from": "Fork From", @@ -2174,7 +2173,8 @@ "repo.settings.transfer_abort_invalid": "You cannot cancel a non existent repository transfer.", "repo.settings.transfer_abort_success": "The repository transfer to %s was successfully canceled.", "repo.settings.transfer_desc": "Transfer this repository to a user or to an organization for which you have administrator rights.", - "repo.settings.transfer_form_title": "Enter the repository name as confirmation:", + "repo.settings.enter_repo_name_to_confirm": "Enter the repository name as confirmation:", + "repo.settings.enter_repo_full_name_to_confirm": "Enter the full repository name (owner/name) as confirmation:", "repo.settings.transfer_in_progress": "There is currently an ongoing transfer. Please cancel it if you would like to transfer this repository to another user.", "repo.settings.transfer_notices_1": "- You will lose access to the repository if you transfer it to an individual user.", "repo.settings.transfer_notices_2": "- You will keep access to the repository if you transfer it to an organization that you (co-)own.", @@ -2477,7 +2477,10 @@ "repo.settings.visibility.private.text": "Changing the visibility to private will make the repo visible only to allowed members and may remove the relationship between it and existing forks, watchers, and stars.", "repo.settings.visibility.private.bullet_title": "Changing the visibility to private will:", "repo.settings.visibility.private.bullet_one": "Make the repo visible only to allowed members.", - "repo.settings.visibility.private.bullet_two": "May remove the relationship between it and forks, watchers, and stars.", + "repo.settings.visibility.private.bullet_two": "Apply the visibility to its forks, and remove the watchers and stars.", + "repo.settings.visibility.private.stats_stars": "This repository has %d star(s) that may be lost.", + "repo.settings.visibility.private.stats_watchers": "This repository has %d watcher(s) that may be lost.", + "repo.settings.visibility.private.stats_forks": "This repository has %d fork(s) that are associated.", "repo.settings.visibility.public.button": "Make Public", "repo.settings.visibility.public.text": "Changing the visibility to public will make the repo visible to anyone.", "repo.settings.visibility.public.bullet_title": "Changing the visibility to public will:", diff --git a/routers/web/repo/setting/setting.go b/routers/web/repo/setting/setting.go index 8475c8e21e..5a5137a1a7 100644 --- a/routers/web/repo/setting/setting.go +++ b/routers/web/repo/setting/setting.go @@ -999,39 +999,33 @@ func handleSettingsPostUnarchive(ctx *context.Context) { } func handleSettingsPostVisibility(ctx *context.Context) { - form := web.GetForm(ctx).(*forms.RepoSettingForm) repo := ctx.Repo.Repository if repo.IsFork { - ctx.Flash.Error(ctx.Tr("repo.settings.visibility.fork_error")) - ctx.Redirect(ctx.Repo.RepoLink + "/settings") + ctx.JSONError(ctx.Tr("repo.settings.visibility.fork_error")) return } - var err error + private := ctx.FormOptionalBool("private").ValueOrDefault(true) // default to true for privacy & safety // when ForcePrivate enabled, you could change public repo to private, but only admin users can change private to public - if setting.Repository.ForcePrivate && repo.IsPrivate && !ctx.Doer.IsAdmin { - ctx.RenderWithErrDeprecated(ctx.Tr("form.repository_force_private"), tplSettingsOptions, form) + if !private && setting.Repository.ForcePrivate && !ctx.Doer.IsAdmin { + ctx.JSONError(ctx.Tr("form.repository_force_private")) + return + } + if private && repo.FullName() != ctx.FormString("confirm_repo_name") { + ctx.JSONError(ctx.Tr("form.enterred_invalid_repo_name")) return } - if repo.IsPrivate { - err = repo_service.MakeRepoPublic(ctx, repo) - } else { - err = repo_service.MakeRepoPrivate(ctx, repo) - } - + err := repo_service.MakeRepoPrivate(ctx, repo, private) if err != nil { log.Error("Tried to change the visibility of the repo: %s", err) - ctx.Flash.Error(ctx.Tr("repo.settings.visibility.error")) - ctx.Redirect(ctx.Repo.RepoLink + "/settings") + ctx.JSONError(ctx.Tr("repo.settings.visibility.error")) return } ctx.Flash.Success(ctx.Tr("repo.settings.visibility.success")) - - log.Trace("Repository visibility changed: %s/%s", ctx.Repo.Owner.Name, repo.Name) - ctx.Redirect(ctx.Repo.RepoLink + "/settings") + ctx.JSONRedirect(ctx.Repo.RepoLink + "/settings") } func handleSettingRemoteAddrError(ctx *context.Context, err error, form *forms.RepoSettingForm) { diff --git a/services/repository/repository.go b/services/repository/repository.go index ae64f0116a..2ac95ffe3a 100644 --- a/services/repository/repository.go +++ b/services/repository/repository.go @@ -122,9 +122,9 @@ func UpdateRepository(ctx context.Context, repo *repo_model.Repository, visibili }) } -func MakeRepoPublic(ctx context.Context, repo *repo_model.Repository) (err error) { +func MakeRepoPrivate(ctx context.Context, repo *repo_model.Repository, private bool) (err error) { return db.WithTx(ctx, func(ctx context.Context) error { - repo.IsPrivate = false + repo.IsPrivate = private if err := repo_model.UpdateRepositoryColsNoAutoTime(ctx, repo, "is_private"); err != nil { return err } @@ -144,15 +144,33 @@ func MakeRepoPublic(ctx context.Context, repo *repo_model.Repository) (err error return err } - forkRepos, err := repo_model.GetRepositoriesByForkID(ctx, repo.ID) - if err != nil { - return fmt.Errorf("getRepositoriesByForkID: %w", err) + // If repo has become private, we need to set its actions to private, and clear stars and watches. + if private { + _, err = db.GetEngine(ctx). + Where("repo_id = ?", repo.ID).Cols("is_private").Update(&activities_model.Action{IsPrivate: true}) + if err != nil { + return err + } + if err = repo_model.ClearRepoStars(ctx, repo.ID); err != nil { + return err + } + if err = repo_model.ClearRepoWatches(ctx, repo.ID); err != nil { + return err + } } - if repo.Owner.Visibility != structs.VisibleTypePrivate { - for i := range forkRepos { - if err = MakeRepoPublic(ctx, forkRepos[i]); err != nil { - return fmt.Errorf("MakeRepoPublic[%d]: %w", forkRepos[i].ID, err) + shouldUpdateForks := private + if !private && repo.Owner.Visibility != structs.VisibleTypePrivate { + shouldUpdateForks = true + } + if shouldUpdateForks { + forkRepos, err := repo_model.GetRepositoriesByForkID(ctx, repo.ID) + if err != nil { + return fmt.Errorf("getRepositoriesByForkID: %w", err) + } + for _, forkRepo := range forkRepos { + if err = MakeRepoPrivate(ctx, forkRepo, private); err != nil { + return fmt.Errorf("MakeRepoPrivate[%d]: %w", forkRepo.ID, err) } } } @@ -160,63 +178,6 @@ func MakeRepoPublic(ctx context.Context, repo *repo_model.Repository) (err error // If visibility is changed, we need to update the issue indexer. // Since the data in the issue indexer have field to indicate if the repo is public or not. issue_indexer.UpdateRepoIndexer(ctx, repo.ID) - - return nil - }) -} - -func MakeRepoPrivate(ctx context.Context, repo *repo_model.Repository) (err error) { - return db.WithTx(ctx, func(ctx context.Context) error { - repo.IsPrivate = true - if err := repo_model.UpdateRepositoryColsNoAutoTime(ctx, repo, "is_private"); err != nil { - return err - } - - if err = repo.LoadOwner(ctx); err != nil { - return fmt.Errorf("LoadOwner: %w", err) - } - if repo.Owner.IsOrganization() { - // Organization repository need to recalculate access table when visibility is changed. - if err = access_model.RecalculateTeamAccesses(ctx, repo, 0); err != nil { - return fmt.Errorf("recalculateTeamAccesses: %w", err) - } - } - - // If repo has become private, we need to set its actions to private. - _, err = db.GetEngine(ctx).Where("repo_id = ?", repo.ID).Cols("is_private").Update(&activities_model.Action{ - IsPrivate: true, - }) - if err != nil { - return err - } - - if err = repo_model.ClearRepoStars(ctx, repo.ID); err != nil { - return err - } - - if err = repo_model.ClearRepoWatches(ctx, repo.ID); err != nil { - return err - } - - // Create/Remove git-daemon-export-ok for git-daemon... - if err := CheckDaemonExportOK(ctx, repo); err != nil { - return err - } - - forkRepos, err := repo_model.GetRepositoriesByForkID(ctx, repo.ID) - if err != nil { - return fmt.Errorf("getRepositoriesByForkID: %w", err) - } - for i := range forkRepos { - if err = MakeRepoPrivate(ctx, forkRepos[i]); err != nil { - return fmt.Errorf("MakeRepoPrivate[%d]: %w", forkRepos[i].ID, err) - } - } - - // If visibility is changed, we need to update the issue indexer. - // Since the data in the issue indexer have field to indicate if the repo is public or not. - issue_indexer.UpdateRepoIndexer(ctx, repo.ID) - return nil }) } diff --git a/services/repository/repository_test.go b/services/repository/repository_test.go index 2d860f1b9d..5a879a6aa6 100644 --- a/services/repository/repository_test.go +++ b/services/repository/repository_test.go @@ -74,13 +74,13 @@ func TestMakeRepoPrivateClearsWatches(t *testing.T) { assert.NoError(t, unittest.PrepareTestDatabase()) repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}) - repo.IsPrivate = false + assert.False(t, repo.IsPrivate) watchers, err := repo_model.GetRepoWatchersIDs(t.Context(), repo.ID) require.NoError(t, err) require.NotEmpty(t, watchers) - assert.NoError(t, MakeRepoPrivate(t.Context(), repo)) + assert.NoError(t, MakeRepoPrivate(t.Context(), repo, true)) watchers, err = repo_model.GetRepoWatchersIDs(t.Context(), repo.ID) assert.NoError(t, err) diff --git a/templates/repo/migrate/migrating.tmpl b/templates/repo/migrate/migrating.tmpl index 34145cf475..24768fe5d7 100644 --- a/templates/repo/migrate/migrating.tmpl +++ b/templates/repo/migrate/migrating.tmpl @@ -67,13 +67,13 @@
- - + +
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl index 6cdcd54b18..09c2ab660b 100644 --- a/templates/repo/settings/options.tmpl +++ b/templates/repo/settings/options.tmpl @@ -887,21 +887,8 @@
-
- -
-
- - -
- -
- - -
+ {{template "repo/settings/repo_name_confirm_fields" (dict "RepoName" .Repository.Name)}} + {{template "base/modal_actions_confirm" (dict "ModalButtonDangerText" (ctx.Locale.Tr "repo.settings.convert_confirm"))}}
@@ -917,21 +904,8 @@
-
- -
-
- - -
- -
- - -
+ {{template "repo/settings/repo_name_confirm_fields" (dict "RepoName" .Repository.Name)}} + {{template "base/modal_actions_confirm" (dict "ModalButtonDangerText" (ctx.Locale.Tr "repo.settings.convert_fork_confirm"))}}
@@ -949,25 +923,13 @@
-
- -
-
- - -
+ {{template "repo/settings/repo_name_confirm_fields" (dict "RepoName" .Repository.Name)}}
-
- - -
+ {{template "base/modal_actions_confirm" (dict "ModalButtonDangerText" (ctx.Locale.Tr "repo.settings.transfer_perform"))}}
@@ -986,49 +948,57 @@
-
- -
-
- - -
- -
- - -
+ {{template "repo/settings/repo_name_confirm_fields" (dict "RepoName" .Repository.Name)}} + {{template "base/modal_actions_confirm" (dict "ModalButtonDangerText" (ctx.Locale.Tr "repo.settings.confirm_delete"))}}
{{if not .Repository.IsFork}} -
-
- -
-
- - -
- -
- - -
+ {{template "repo/settings/repo_name_confirm_fields" (dict "RepoName" .Repository.Name)}} + {{template "base/modal_actions_confirm" (dict "ModalButtonDangerText" (ctx.Locale.Tr "repo.settings.confirm_wiki_delete"))}}
diff --git a/templates/repo/settings/repo_name_confirm_fields.tmpl b/templates/repo/settings/repo_name_confirm_fields.tmpl new file mode 100644 index 0000000000..a8f9800e71 --- /dev/null +++ b/templates/repo/settings/repo_name_confirm_fields.tmpl @@ -0,0 +1,10 @@ +
+ +
+
+ + +
diff --git a/tests/integration/repo_visibility_test.go b/tests/integration/repo_visibility_test.go new file mode 100644 index 0000000000..e7ad8ddd87 --- /dev/null +++ b/tests/integration/repo_visibility_test.go @@ -0,0 +1,59 @@ +// Copyright 2026 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package integration + +import ( + "net/http" + "testing" + + repo_model "code.gitea.io/gitea/models/repo" + "code.gitea.io/gitea/models/unittest" + "code.gitea.io/gitea/modules/test" + "code.gitea.io/gitea/tests" + + "github.com/stretchr/testify/assert" +) + +func TestRepositoryVisibilityChange(t *testing.T) { + defer tests.PrepareTestEnv(t)() + session := loginUser(t, "user2") + + t.Run("MakePrivateRequiresCorrectName", func(t *testing.T) { + // Wrong name should be rejected with a JSON error + req := NewRequestWithValues(t, "POST", "/user2/repo1/settings", map[string]string{ + "action": "visibility", + "private": "true", + "confirm_repo_name": "wrong-name", + }) + resp := session.MakeRequest(t, req, http.StatusBadRequest) + assert.NotEmpty(t, test.ParseJSONError(resp.Body.Bytes()).ErrorMessage) + + repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}) + assert.False(t, repo1.IsPrivate) + + // Correct full name (owner/repo) should succeed with a JSON redirect + req = NewRequestWithValues(t, "POST", "/user2/repo1/settings", map[string]string{ + "action": "visibility", + "private": "true", + "confirm_repo_name": "user2/repo1", + }) + resp = session.MakeRequest(t, req, http.StatusOK) + assert.NotEmpty(t, test.ParseJSONRedirect(resp.Body.Bytes()).Redirect) + + repo1 = unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1}) + assert.True(t, repo1.IsPrivate) + }) + + t.Run("MakePublicDoesNotRequireName", func(t *testing.T) { + req := NewRequestWithValues(t, "POST", "/user2/repo2/settings", map[string]string{ + "action": "visibility", + "private": "false", + }) + resp := session.MakeRequest(t, req, http.StatusOK) + assert.NotEmpty(t, test.ParseJSONRedirect(resp.Body.Bytes()).Redirect) + + repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2}) + assert.False(t, repo2.IsPrivate) + }) +}