Migrate to https://gitea.com/gitea/runner/releases/tag/v1.0.0 which
includes the `act` package directory previously referenced by
`nektos/act`.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
## Summary
- Enforce **Conventional Commits** on PR titles (PRs are squash-merged,
so the PR title becomes the final commit message).
- Add a local `make lint-pr-title` target so contributors can validate
titles before pushing.
## Why
We squash-merge PRs, which means the final repository history is largely
shaped by **PR titles**. Enforcing a consistent Conventional Commits
format makes:
- **Release notes & changelogs easier to generate** (types like `feat` /
`fix` can be grouped automatically).
- **History easier to scan** (uniform structure, optional scopes,
explicit breaking changes via `!`).
- **Automation more reliable** (future tooling can infer category and
scope from the title).
## PR title format
```text
type(scope)!: subject
type: one of build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test
scope: optional (e.g. web, api, actions, repo, …)
!: optional, indicates a breaking change
subject: short, imperative, no trailing period
```
## Examples
```text
feat(web): add dark mode toggle
fix(api): avoid panic when repo is missing
chore(ci): lint PR titles with commitlint
refactor(templates): reduce duplication in repo list rendering
feat!: remove legacy OAuth endpoint
```
## Local testing
```text
make deps-frontend
make lint-pr-title PR_TITLE="feat(web): add dark mode toggle"
```
---------
Signed-off-by: Nicolas <bircni@icloud.com>
Co-authored-by: nb <nb@users.noreply.local>
Co-authored-by: GPT-5.2 <gpt-5.2@openai.com>
1. Fix ugly commit form "warning" message
2. Use JSONError for "Update PR Branch" response
3. Remove useless "timeline" class
4. Make timeline review default to "comment" to avoid icon missing
5. Align PR's "command line instructions" UI
6. Simply "Update PR branch" button logic
And then some TODOs are fixed.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Docs polish — pure typo fixes, nothing under `src/`.
## Files
- `CHANGELOG.md`
- line 1386: `appearence` → `appearance`
- line 2117: `succesfully` → `successfully`
- line 2301: `preceeded` → `preceded`
- line 5593: `paramater` → `parameter`
Fixes were applied from a curated correction list, with code blocks /
inline code / URLs left alone.
This PR contains the following updates:
| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers)
([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio))
| service | minor | `2021.3.17` → `2021.12.29` | |
| [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers)
([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio))
| service | minor | `2023.8.31` → `2023.12.23` | |
| [bitnamilegacy/mysql](https://redirect.github.com/bitnami/containers)
([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/mysql))
| service | minor | `8.0` → `8.4` | |
|
[renovatebot/github-action](https://redirect.github.com/renovatebot/github-action)
| action | patch | `v46.1.10` → `v46.1.12` | `v46.1.13` |
---
### Release Notes
<details>
<summary>renovatebot/github-action (renovatebot/github-action)</summary>
###
[`v46.1.12`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.12)
[Compare
Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.11...v46.1.12)
##### Bug Fixes
- **deps:** update dependency
[@​actions/core](https://redirect.github.com/actions/core) to
v3.0.1
([e8a6055](e8a6055d6d))
##### Documentation
- update references to renovatebot/github-action to v46.1.11
([317011a](317011a6ef))
##### Miscellaneous Chores
- **deps:** update dependency typescript-eslint to v8.59.0
([8e3560a](8e3560ab95))
##### Continuous Integration
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.142.0
([0fee00d](0fee00dc59))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.142.1
([c7cfc88](c7cfc88250))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.144.0
([39e7d09](39e7d09c7b))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.145.0
([0bbd415](0bbd415a9c))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.146.0
([889c739](889c7399ca))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.147.0
([7addce6](7addce6f1e))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.150.0
([804ce16](804ce1618f))
###
[`v46.1.11`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.11)
[Compare
Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.10...v46.1.11)
##### Documentation
- update references to renovatebot/github-action to v46.1.10
([0b264d2](0b264d27f8))
##### Miscellaneous Chores
- **deps:** update actions/setup-node action to v6.4.0
([951a814](951a81487a))
- **deps:** update dependency prettier to v3.8.3
([a763833](a763833a7d))
- **deps:** update dependency typescript-eslint to v8.58.2
([119d68e](119d68e8f6))
##### Build System
- **deps:** lock file maintenance
([f82feed](f82feedb56))
##### Continuous Integration
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.132.3
([99cc805](99cc805d75))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.133.0
([a63d39b](a63d39be1e))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.135.0
([955b000](955b0000ba))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.0
([65167cd](65167cdb3f))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.1
([7b21b86](7b21b86ced))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.3
([28a2dc0](28a2dc07b8))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.137.0
([b0cf2a4](b0cf2a4c91))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.0
([3700882](3700882c45))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.1
([f516ce2](f516ce2f92))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.3
([3411548](3411548d9c))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.0
([5201886](5201886b45))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.1
([5856263](5856263af8))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.4
([999691d](999691d7f3))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.5
([f703a54](f703a54130))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.6
([3ba85c2](3ba85c2979))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.7
([96f2f09](96f2f09b9d))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.8
([5af45e5](5af45e5b84))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.140.0
([01e9139](01e91393d3))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.0
([814a2a4](814a2a47c0))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.1
([fb3abdf](fb3abdf7fa))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.2
([e3a9af5](e3a9af55ac))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.5
([4f14b2f](4f14b2f81d))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.6
([2357784](2357784955))
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Run `nolyfill` as a renovate post-upgrade step alongside `make svg`, so
npm dep bumps keep `pnpm.overrides` in sync.
---
This PR was written with the help of Claude Opus 4.7
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Almost done
`pull_merge_box.tmpl` only has about 80 lines now, and (almost) all
variable accesses are strictly typed.
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Fixes#37446.
The job-status resolver in `checkJobsOfCurrentRunAttempt` only
considered `needs` and job-level concurrency when transitioning jobs out
of `Blocked`. When something drove the resolver against a run blocked
solely by workflow-level concurrency — for example, a sibling run in the
same group entering the queue and triggering `EmitJobsIfReadyByRun` —
the run's job silently became `Waiting` while another run still held the
concurrency group, and the runner could pick it up, defeating the
concurrency guarantee.
The fix bails out of the resolver when the run's latest attempt is still
blocked by run-level concurrency. `checkRunConcurrency` re-evaluates
when the holding run finishes.
Covered by a unit test
(`Test_checkJobsOfCurrentRunAttempt_RunLevelConcurrencyKeepsJobsBlocked`
in `services/actions/job_emitter_test.go`) that sets up a Running holder
attempt and a Blocked sibling attempt in the same concurrency group
directly in the DB, calls `checkJobsOfCurrentRunAttempt`, and asserts
the blocked job stays `Blocked`. Fails on master, passes with the fix.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
The migration repository model now carries Website alongside Description, the GitHub/Gitea downloaders populate it, and mirror finalization persists both description and website so the About section is not empty after creating a mirror.
Fixes#37495
---------
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Purpose:
1. Make the whole code base have unified "item" layout
2. Clarify our "list" styles: "flex-relaxed-list", "flex-divided-list"
3. Prepare to replace legacy "ui relaxed list"
* https://github.com/go-gitea/gitea/pull/37445#discussion_r3144458865
4. Prepare for refactoring the "pull merge box", it needs the
"flex-divided-list"
* related to "Refactor pull request view (*)" like #37451
5. Fix legacy abuses of "flex-list", e.g.: repo home sidebar
When running `gitea dump` with output routed to stdout (--file -),
deprecation warnings from loadAvatarsFrom were written to stdout,
corrupting the archive stream.
Root cause: PrepareConsoleLoggerLevel (called in app.Before) sets up a
console logger via SetConsoleLogger, which used WriterConsoleOption{}
defaulting Stderr to false (i.e. stdout). This logger is installed
before the dump subcommand can redirect logging to stderr in runDump.
Fix: use WriterConsoleOption{Stderr: true} in SetConsoleLogger so all
early CLI diagnostic output goes to stderr from the start. This is
correct for all subcommands — diagnostic/log output should never pollute
stdout.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
After the Webpack-to-Vite migration (#37002), mCaptcha stopped working
entirely on the registration page, throwing an error:
`TypeError: setting getter-only property "INPUT_NAME"`
This fix stops trying to mutate the read-only INPUT_NAME export. Instead
it probes for the Widget constructor at module.default (direct) or
module.default.default (CJS-wrapped), constructs the widget, and then
renames the hidden input element it creates to m-captcha-response which
is the field name Gitea's backend reads from the submitted form.
Generative AI was used to help with making this PR.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Drops `github.com/olivere/elastic/v7` (unmaintained) and replaces it
with a small in-house wrapper that speaks the Elasticsearch REST API
directly via `net/http`. The subset used by Gitea (`_cluster/health`,
`_bulk`, `_doc`, `_delete_by_query`, `_refresh`, `_search`, `HEAD`/`PUT`
index) is stable across the targeted servers, so no client library is
needed.
**Targets tested**
- Elasticsearch 7, 8, 9
- OpenSearch 1, 2, 3
**Why not `go-elasticsearch`?**
The official client enforces an `X-Elastic-Product` server-identity
check that OpenSearch deliberately fails, which would force shipping a
transport shim to defeat it. Going direct over `net/http` removes that
fight along with several MB of transitive deps (`elastic-transport-go`,
`go.opentelemetry.io/otel{,/metric,/trace}`, `auto/sdk`, `easyjson`,
`intern`, `logr`, `stdr`).
Replaces: #30755
Fixes: https://github.com/go-gitea/gitea/issues/30752
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
1. Make the content area stretch the box, enabling text selection to
start over empty space.
2. Disable linter for markdown, it can never produce lint errors, this
hides the unnecessary lint gutter on markdown files.
3. Verified all languages linter enablement, all accurate.
4. Refactor `getLinterExtension` to not rely on file extensions.
5. Include jsonc/json5 extensions in regex.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Clean up legacy copied&pasted code, introduce the unique "database
connection" function. Move migration testing helper function
PrepareTestEnv to a separate package.
By the way, remove "shadow connection secrets" tricks: showing
connection string on UI is useless
---------
Co-authored-by: Nicolas <bircni@icloud.com>
## Summary
This PR adds support for updating pull mirror authentication via the
repository edit API and UI.
It introduces new mirror authentication fields in _EditRepoOption_,
updates the API logic to safely handle partial credential updates, and
fixes the web settings flow so that the existing remote username is
preserved when only the password is changed.
### What changed
- added _auth_username_, _auth_password_, and _auth_token_ to
EditRepoOption
- updated the repository edit API to apply mirror auth changes via
_updateMirror_
- preserved existing username/password when only part of the auth
payload is provided
- used oauth2 as the default username when _auth_token_ is provided
- kept stored mirror URLs sanitized in DB and API responses
- updated Swagger schema for the new API fields
- added API integration tests for password-only and token-only updates
- added a web settings test to ensure username preservation on partial
updates
## Why
Some use cases require automated synchronization of pull mirrors, for
example in CI/CD pipelines or integrations with external systems.
At the same time, many organizations enforce security policies that
require periodic token rotation (e.g., monthly).
Currently, mirror credentials can only be updated via the UI, which
makes automation difficult.
## This change enables:
- automated token rotation
- avoiding manual updates via the UI
- easier integration with secret management systems
## Testing
- added integration coverage for mirror auth updates via _PATCH
/api/v1/repos/{owner}/{repo}_
- added web settings tests for password-only updates preserving the
existing username
## Result
Ability to automate auth update
<img width="2400" height="1245" alt="1"
src="https://github.com/user-attachments/assets/67fd5cca-9cb3-4536-b0e2-4d09b8ebff0f"
/>
<img width="962" height="932" alt="image"
src="https://github.com/user-attachments/assets/5d548f5d-aadf-4807-ba52-9c29df93a4cc"
/>
Generative AI was used to help with making this PR.
##
1. only trigger docker-dryrun arm64&riscv64 when dockerfile changes
2. de-duplicate "contents: read" permission for most workflows
3. merge various "lint-*" jobs into one job
4. add missing lint targets to the "lint" (all) target
1. Rename CompareInfo.MergeBase to CompareBase, it is not merge base
2. Remove unused template variables `ctx.Data["Username"]` and
`ctx.Data["Reponame"]`
3. Decouple some template variable accesses, use typed struct
---------
Co-authored-by: Nicolas <bircni@icloud.com>
Add a build-time conversion step that transforms the existing Swagger
2.0 spec into an OpenAPI 3.0 spec. The OAS3 spec is served alongside the
existing Swagger 2.0 spec, enabling API clients that require OAS3 to
generate code directly from Gitea's API.
This is not to be an answer to how gitea handles OAS3 long term,
but a way to use what we have to move a step forward.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Avoid per-item DB queries in ListRuns, ListJobs, and ListActionTasks by
batch-loading trigger users, repositories, and task attributes before
the conversion loop. Remove ReferencesGitRepo from the /actions route
group since no task/run endpoints use it.
Added tests for these endpoints as well.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Adds a new `DEFAULT_TITLE_SOURCE` option under
`[repository.pull-request]` with three values:
- `first-commit` (default): uses the oldest commit summary, current
behavior since v1.26
- `auto`: normalizes branch name as title for multi-commit PRs (just
like GitHub), use commit summary for single-commit PRs
Closes: #37463
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: Nicolas <bircni@icloud.com>
This fixes the scheduled action panic when an event payload is JSON
`null` by initializing the payload map before adding `schedule`. It also
adds regression coverage for the null-payload case.
Fixes#37447.
Testing:
- `go test -tags 'sqlite sqlite_unlock_notify' ./services/actions -run
'^TestWithScheduleInEventPayload$' -count=1`
- Local note: this agent ran the command as root with a temporary
`GITEA_TEST_CONF=custom/conf/app-test-root.ini` file that only set
`I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true`.
Authorship: cyphercodes; AI assistance disclosed: Hermes Agent
(GPT-5.5).
---------
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Hermes Agent (GPT-5.5) <hermes-agent@users.noreply.github.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Giteabot <teabot@gitea.io>
After using CSP nonce, the "onerror" doesn't work anymore. Change it to
use a global variable to detect
Also help users like #37379 to catch errors more easily.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Make the watch, star, and fork buttons in the repo header consistent for
logged-out users:
- Apply the same look to all three buttons (number labels
included), instead of only the action button being grayed.
- Clicking any of them while logged out now leads to the login page
(with a redirect back) instead of being inert.
- Split the per-button markup out of `header.tmpl` into a dedicated
`templates/repo/header/` folder (`fork.tmpl`, `star.tmpl`,
`watch.tmpl`).
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Adds a dedicated endpoint for replying to pull request review comments,
```
POST /repos/{owner}/{repo}/pulls/{index}/comments/{id}/replies
{ "body": "..." }
```
The reply is threaded under the same review as the parent comment.
Ref: https://gitea.com/gitea/gitea-mcp/issues/129
Fixes: https://github.com/go-gitea/gitea/issues/37419
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
