diff --git a/.golangci.yml b/.golangci.yml
index 2b85c89fdc..4e01169dc6 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -141,9 +141,6 @@ linters:
- linters:
- unused
text: (?i)swagger
- - linters:
- - staticcheck
- text: (?i)argument x is overwritten before first use
- linters:
- gocritic
text: '(?i)commentFormatting: put a space between `//` and comment text'
diff --git a/Makefile b/Makefile
index cb7742c5c7..d8fce11ee2 100644
--- a/Makefile
+++ b/Makefile
@@ -15,13 +15,13 @@ XGO_VERSION := go-1.25.x
AIR_PACKAGE ?= github.com/air-verse/air@v1
EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3
GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.9.0
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1
GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15
-MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.7.0
+MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.8.0
SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.1
XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1
-ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.10
+ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.11
DOCKER_IMAGE ?= gitea/gitea
DOCKER_TAG ?= latest
diff --git a/models/repo/repo.go b/models/repo/repo.go
index 07b9bf30cc..7b7f5adb41 100644
--- a/models/repo/repo.go
+++ b/models/repo/repo.go
@@ -281,7 +281,7 @@ func (repo *Repository) SizeDetailsString() string {
var str strings.Builder
sizeDetails := repo.SizeDetails()
for _, detail := range sizeDetails {
- str.WriteString(fmt.Sprintf("%s: %s, ", detail.Name, base.FileSize(detail.Size)))
+ fmt.Fprintf(&str, "%s: %s, ", detail.Name, base.FileSize(detail.Size))
}
return strings.TrimSuffix(str.String(), ", ")
}
diff --git a/modules/git/foreachref/format.go b/modules/git/foreachref/format.go
index d2f9998fe8..cee21c5b66 100644
--- a/modules/git/foreachref/format.go
+++ b/modules/git/foreachref/format.go
@@ -53,7 +53,7 @@ func (f Format) Flag() string {
var formatFlag strings.Builder
for i, field := range f.fieldNames {
// field key and field value
- formatFlag.WriteString(fmt.Sprintf("%s %%(%s)", field, field))
+ fmt.Fprintf(&formatFlag, "%s %%(%s)", field, field)
if i < len(f.fieldNames)-1 {
// note: escape delimiters to allow control characters as
diff --git a/routers/web/repo/setting/lfs.go b/routers/web/repo/setting/lfs.go
index 8a8015035f..a3a60963d4 100644
--- a/routers/web/repo/setting/lfs.go
+++ b/routers/web/repo/setting/lfs.go
@@ -301,13 +301,13 @@ func LFSFileGet(ctx *context.Context) {
if index != len(lines)-1 {
line += "\n"
}
- output.WriteString(fmt.Sprintf(`%s`, index+1, index+1, line))
+ fmt.Fprintf(&output, `%s`, index+1, index+1, line)
}
ctx.Data["FileContent"] = gotemplate.HTML(output.String())
output.Reset()
for i := 0; i < len(lines); i++ {
- output.WriteString(fmt.Sprintf(`%d`, i+1, i+1))
+ fmt.Fprintf(&output, `%d`, i+1, i+1)
}
ctx.Data["LineNums"] = gotemplate.HTML(output.String())
diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index 7777cf4a1c..b23e5b1b1c 100644
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -1594,10 +1594,10 @@ func generatePatchForUnchangedLineFromReader(reader io.Reader, treePath string,
// Generate synthetic patch
var patchBuilder strings.Builder
- patchBuilder.WriteString(fmt.Sprintf("diff --git a/%s b/%s\n", treePath, treePath))
- patchBuilder.WriteString(fmt.Sprintf("--- a/%s\n", treePath))
- patchBuilder.WriteString(fmt.Sprintf("+++ b/%s\n", treePath))
- patchBuilder.WriteString(fmt.Sprintf("@@ -%d,%d +%d,%d @@\n", startLine, len(lines), startLine, len(lines)))
+ fmt.Fprintf(&patchBuilder, "diff --git a/%s b/%s\n", treePath, treePath)
+ fmt.Fprintf(&patchBuilder, "--- a/%s\n", treePath)
+ fmt.Fprintf(&patchBuilder, "+++ b/%s\n", treePath)
+ fmt.Fprintf(&patchBuilder, "@@ -%d,%d +%d,%d @@\n", startLine, len(lines), startLine, len(lines))
for _, lineContent := range lines {
patchBuilder.WriteString(" ")
diff --git a/services/oauth2_provider/jwtsigningkey.go b/services/oauth2_provider/jwtsigningkey.go
index 03c7403f75..4898d54166 100644
--- a/services/oauth2_provider/jwtsigningkey.go
+++ b/services/oauth2_provider/jwtsigningkey.go
@@ -214,13 +214,20 @@ func (key ecdsaSingingKey) VerifyKey() any {
func (key ecdsaSingingKey) ToJWK() (map[string]string, error) {
pubKey := key.key.Public().(*ecdsa.PublicKey)
+ // PublicKey.Bytes returns the uncompressed SEC 1 format: 0x04 || X || Y
+ pubKeyBytes, err := pubKey.Bytes()
+ if err != nil {
+ return nil, err
+ }
+
+ coordLen := (len(pubKeyBytes) - 1) / 2
return map[string]string{
"kty": "EC",
"alg": key.SigningMethod().Alg(),
"kid": key.id,
"crv": pubKey.Params().Name,
- "x": base64.RawURLEncoding.EncodeToString(pubKey.X.Bytes()),
- "y": base64.RawURLEncoding.EncodeToString(pubKey.Y.Bytes()),
+ "x": base64.RawURLEncoding.EncodeToString(pubKeyBytes[1 : 1+coordLen]),
+ "y": base64.RawURLEncoding.EncodeToString(pubKeyBytes[1+coordLen:]),
}, nil
}
diff --git a/services/oauth2_provider/jwtsigningkey_test.go b/services/oauth2_provider/jwtsigningkey_test.go
new file mode 100644
index 0000000000..55de81dfd8
--- /dev/null
+++ b/services/oauth2_provider/jwtsigningkey_test.go
@@ -0,0 +1,61 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package oauth2_provider
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ "encoding/base64"
+ "math/big"
+ "testing"
+
+ "github.com/golang-jwt/jwt/v5"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestECDSASigningKeyToJWK(t *testing.T) {
+ for _, tc := range []struct {
+ curve elliptic.Curve
+ signingMethod jwt.SigningMethod
+ expectedAlg string
+ expectedCrv string
+ coordLen int
+ }{
+ {elliptic.P256(), jwt.SigningMethodES256, "ES256", "P-256", 32},
+ {elliptic.P384(), jwt.SigningMethodES384, "ES384", "P-384", 48},
+ {elliptic.P521(), jwt.SigningMethodES512, "ES512", "P-521", 66},
+ } {
+ t.Run(tc.expectedCrv, func(t *testing.T) {
+ privKey, err := ecdsa.GenerateKey(tc.curve, rand.Reader)
+ require.NoError(t, err)
+
+ signingKey, err := newECDSASingingKey(tc.signingMethod, privKey)
+ require.NoError(t, err)
+
+ jwk, err := signingKey.ToJWK()
+ require.NoError(t, err)
+
+ assert.Equal(t, "EC", jwk["kty"])
+ assert.Equal(t, tc.expectedAlg, jwk["alg"])
+ assert.Equal(t, tc.expectedCrv, jwk["crv"])
+ assert.NotEmpty(t, jwk["kid"])
+
+ // Verify coordinates are the correct fixed length per RFC 7518 / SEC 1
+ xBytes, err := base64.RawURLEncoding.DecodeString(jwk["x"])
+ require.NoError(t, err)
+ assert.Len(t, xBytes, tc.coordLen)
+
+ yBytes, err := base64.RawURLEncoding.DecodeString(jwk["y"])
+ require.NoError(t, err)
+ assert.Len(t, yBytes, tc.coordLen)
+
+ // Verify the decoded coordinates reconstruct the original public key point
+ pubKey := privKey.Public().(*ecdsa.PublicKey)
+ assert.Equal(t, 0, new(big.Int).SetBytes(xBytes).Cmp(pubKey.X))
+ assert.Equal(t, 0, new(big.Int).SetBytes(yBytes).Cmp(pubKey.Y))
+ })
+ }
+}
diff --git a/services/release/notes.go b/services/release/notes.go
index c9dc75af70..92ee22e604 100644
--- a/services/release/notes.go
+++ b/services/release/notes.go
@@ -113,7 +113,7 @@ func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository,
for _, pr := range prs {
prURL := pr.Issue.HTMLURL(ctx)
- builder.WriteString(fmt.Sprintf("* %s in [#%d](%s)\n", pr.Issue.Title, pr.Issue.Index, prURL))
+ fmt.Fprintf(&builder, "* %s in [#%d](%s)\n", pr.Issue.Title, pr.Issue.Index, prURL)
}
builder.WriteString("\n")
@@ -121,7 +121,7 @@ func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository,
if len(contributors) > 0 {
builder.WriteString("## Contributors\n")
for _, contributor := range contributors {
- builder.WriteString(fmt.Sprintf("* @%s\n", contributor.Name))
+ fmt.Fprintf(&builder, "* @%s\n", contributor.Name)
}
builder.WriteString("\n")
}
@@ -130,14 +130,14 @@ func buildReleaseNotesContent(ctx context.Context, repo *repo_model.Repository,
builder.WriteString("## New Contributors\n")
for _, contributor := range newContributors {
prURL := contributor.Issue.HTMLURL(ctx)
- builder.WriteString(fmt.Sprintf("* @%s made their first contribution in [#%d](%s)\n", contributor.Issue.Poster.Name, contributor.Issue.Index, prURL))
+ fmt.Fprintf(&builder, "* @%s made their first contribution in [#%d](%s)\n", contributor.Issue.Poster.Name, contributor.Issue.Index, prURL)
}
builder.WriteString("\n")
}
builder.WriteString("**Full Changelog**: ")
compareURL := fmt.Sprintf("%s/compare/%s...%s", repo.HTMLURL(ctx), util.PathEscapeSegments(baseRef), util.PathEscapeSegments(tagName))
- builder.WriteString(fmt.Sprintf("[%s...%s](%s)", baseRef, tagName, compareURL))
+ fmt.Fprintf(&builder, "[%s...%s](%s)", baseRef, tagName, compareURL)
builder.WriteByte('\n')
return builder.String()
}
diff --git a/services/webhook/discord.go b/services/webhook/discord.go
index 19af779120..c0af7c0243 100644
--- a/services/webhook/discord.go
+++ b/services/webhook/discord.go
@@ -169,7 +169,7 @@ func (d discordConvertor) Push(p *api.PushPayload) (DiscordPayload, error) {
if utf8.RuneCountInString(message) > 50 {
message = fmt.Sprintf("%.47s...", message)
}
- text.WriteString(fmt.Sprintf("[%s](%s) %s - %s", commit.ID[:7], commit.URL, message, commit.Author.Name))
+ fmt.Fprintf(&text, "[%s](%s) %s - %s", commit.ID[:7], commit.URL, message, commit.Author.Name)
// add linebreak to each commit but the last
if i < len(p.Commits)-1 {
text.WriteString("\n")
diff --git a/services/webhook/feishu.go b/services/webhook/feishu.go
index ecce9acc43..ac581df85a 100644
--- a/services/webhook/feishu.go
+++ b/services/webhook/feishu.go
@@ -77,7 +77,7 @@ func (fc feishuConvertor) Push(p *api.PushPayload) (FeishuPayload, error) {
)
var text strings.Builder
- text.WriteString(fmt.Sprintf("[%s:%s] %s\r\n", p.Repo.FullName, branchName, commitDesc))
+ fmt.Fprintf(&text, "[%s:%s] %s\r\n", p.Repo.FullName, branchName, commitDesc)
// for each commit, generate attachment text
for i, commit := range p.Commits {
var authorName string
diff --git a/services/webhook/matrix.go b/services/webhook/matrix.go
index 63fbbf40a9..fa01ecd0b1 100644
--- a/services/webhook/matrix.go
+++ b/services/webhook/matrix.go
@@ -174,11 +174,11 @@ func (m matrixConvertor) Push(p *api.PushPayload) (MatrixPayload, error) {
repoLink := htmlLinkFormatter(p.Repo.HTMLURL, p.Repo.FullName)
branchLink := MatrixLinkToRef(p.Repo.HTMLURL, p.Ref)
var text strings.Builder
- text.WriteString(fmt.Sprintf("[%s] %s pushed %s to %s:
", repoLink, p.Pusher.UserName, commitDesc, branchLink))
+ fmt.Fprintf(&text, "[%s] %s pushed %s to %s:
", repoLink, p.Pusher.UserName, commitDesc, branchLink)
// for each commit, generate a new line text
for i, commit := range p.Commits {
- text.WriteString(fmt.Sprintf("%s: %s - %s", htmlLinkFormatter(commit.URL, commit.ID[:7]), commit.Message, commit.Author.Name))
+ fmt.Fprintf(&text, "%s: %s - %s", htmlLinkFormatter(commit.URL, commit.ID[:7]), commit.Message, commit.Author.Name)
// add linebreak to each commit but the last
if i < len(p.Commits)-1 {
text.WriteString("
")
diff --git a/services/webhook/msteams.go b/services/webhook/msteams.go
index fa39e7228e..34db903712 100644
--- a/services/webhook/msteams.go
+++ b/services/webhook/msteams.go
@@ -134,8 +134,8 @@ func (m msteamsConvertor) Push(p *api.PushPayload) (MSTeamsPayload, error) {
var text strings.Builder
// for each commit, generate attachment text
for i, commit := range p.Commits {
- text.WriteString(fmt.Sprintf("[%s](%s) %s - %s", commit.ID[:7], commit.URL,
- strings.TrimRight(commit.Message, "\r\n"), commit.Author.Name))
+ fmt.Fprintf(&text, "[%s](%s) %s - %s", commit.ID[:7], commit.URL,
+ strings.TrimRight(commit.Message, "\r\n"), commit.Author.Name)
// add linebreak to each commit but the last
if i < len(p.Commits)-1 {
text.WriteString("\n\n")
diff --git a/services/webhook/slack.go b/services/webhook/slack.go
index 0b3dda467c..94d41d2179 100644
--- a/services/webhook/slack.go
+++ b/services/webhook/slack.go
@@ -211,7 +211,7 @@ func (s slackConvertor) Push(p *api.PushPayload) (SlackPayload, error) {
var attachmentText strings.Builder
// for each commit, generate attachment text
for i, commit := range p.Commits {
- attachmentText.WriteString(fmt.Sprintf("%s: %s - %s", SlackLinkFormatter(commit.URL, commit.ID[:7]), SlackShortTextFormatter(commit.Message), SlackTextFormatter(commit.Author.Name)))
+ fmt.Fprintf(&attachmentText, "%s: %s - %s", SlackLinkFormatter(commit.URL, commit.ID[:7]), SlackShortTextFormatter(commit.Message), SlackTextFormatter(commit.Author.Name))
// add linebreak to each commit but the last
if i < len(p.Commits)-1 {
attachmentText.WriteString("\n")
diff --git a/services/webhook/telegram.go b/services/webhook/telegram.go
index 2abc743fab..8e9a53a5de 100644
--- a/services/webhook/telegram.go
+++ b/services/webhook/telegram.go
@@ -96,7 +96,7 @@ func (t telegramConvertor) Push(p *api.PushPayload) (TelegramPayload, error) {
var htmlCommits strings.Builder
for _, commit := range p.Commits {
- htmlCommits.WriteString(fmt.Sprintf("\n[%s] %s", htmlLinkFormatter(commit.URL, commit.ID[:7]), html.EscapeString(strings.TrimRight(commit.Message, "\r\n"))))
+ fmt.Fprintf(&htmlCommits, "\n[%s] %s", htmlLinkFormatter(commit.URL, commit.ID[:7]), html.EscapeString(strings.TrimRight(commit.Message, "\r\n")))
if commit.Author != nil {
htmlCommits.WriteString(" - " + html.EscapeString(commit.Author.Name))
}
diff --git a/services/webhook/wechatwork.go b/services/webhook/wechatwork.go
index da9c6b584c..cac6a700c0 100644
--- a/services/webhook/wechatwork.go
+++ b/services/webhook/wechatwork.go
@@ -86,8 +86,8 @@ func (wc wechatworkConvertor) Push(p *api.PushPayload) (WechatworkPayload, error
}
message := strings.ReplaceAll(commit.Message, "\n\n", "\r\n")
- text.WriteString(fmt.Sprintf(" > [%s](%s) \r\n >%s \n >%s", commit.ID[:7], commit.URL,
- message, authorName))
+ fmt.Fprintf(&text, " > [%s](%s) \r\n >%s \n >%s", commit.ID[:7], commit.URL,
+ message, authorName)
// add linebreak to each commit but the last
if i < len(p.Commits)-1 {