Add support for error, warning, notice, and debug log commands with bold
label prefixes and colored backgrounds matching GitHub's style. Parse
both `##[cmd]` and `::cmd args::` formats.
Also improved the severity colors globally and added a devtest page for
these.
---------
Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com>
When the email field was submitted as empty in org settings (web and
API), the previous guard `if form.Email != ""` silently skipped the
update, making it impossible to remove a contact email after it was set.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
To align with how GitHub requires additional explicit user interaction
to make a repo private, including informing them of implications on what
happens if they do.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
When opening a Actions run without a job in the path (`/actions/runs/{run}`),
show a run summary.
---------
Signed-off-by: Nicolas <bircni@icloud.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
## Overview
This PR introduces granular permission controls for Gitea Actions tokens
(`GITEA_TOKEN`), aligning Gitea's security model with GitHub Actions
standards while maintaining compatibility with Gitea's unique repository
unit system.
It addresses the need for finer access control by allowing
administrators and repository owners to define default token
permissions, set maximum permission ceilings, and control
cross-repository access within organizations.
## Key Features
### 1. Granular Token Permissions
- **Standard Keyword Support**: Implements support for the
`permissions:` keyword in workflow and job YAML files (e.g., `contents:
read`, `issues: write`).
- **Permission Modes**:
- **Permissive**: Default write access for most units (backwards
compatible).
- **Restricted**: Default read-only access for `contents` and
`packages`, with no access to other units.
- ~~**Custom**: Allows defining specific default levels for each unit
type (Code, Issues, PRs, Packages, etc.).~~**EDIT removed UI was
confusing**
- **Clamping Logic**: Workflow-defined permissions are automatically
"clamped" by repository or organization-level maximum settings.
Workflows cannot escalate their own permissions beyond these limits.
### 2. Organization & Repository Settings
- **Settings UI**: Added new settings pages at both Organization and
Repository levels to manage Actions token defaults and maximums.
- **Inheritance**: Repositories can be configured to "Follow
organization-level configuration," simplifying management across large
organizations.
- **Cross-Repository Access**: Added a policy to control whether Actions
workflows can access other repositories or packages within the same
organization. This can be set to "None," "All," or restricted to a
"Selected" list of repositories.
### 3. Security Hardening
- **Fork Pull Request Protection**: Tokens for workflows triggered by
pull requests from forks are strictly enforced as read-only, regardless
of repository settings.
- ~~**Package Access**: Actions tokens can now only access packages
explicitly linked to a repository, with cross-repo access governed by
the organization's security policy.~~ **EDIT removed
https://github.com/go-gitea/gitea/pull/36173#issuecomment-3873675346**
- **Git Hook Integration**: Propagates Actions Task IDs to git hooks to
ensure that pushes performed by Actions tokens respect the specific
permissions granted at runtime.
### 4. Technical Implementation
- **Permission Persistence**: Parsed permissions are calculated at job
creation and stored in the `action_run_job` table. This ensures the
token's authority is deterministic throughout the job's lifecycle.
- **Parsing Priority**: Implemented a priority system in the YAML parser
where the broad `contents` scope is applied first, allowing granular
scopes like `code` or `releases` to override it for precise control.
- **Re-runs**: Permissions are re-evaluated during a job re-run to
incorporate any changes made to repository settings in the interim.
### How to Test
1. **Unit Tests**: Run `go test ./services/actions/...` and `go test
./models/repo/...` to verify parsing logic and permission clamping.
2. **Integration Tests**: Comprehensive tests have been added to
`tests/integration/actions_job_token_test.go` covering:
- Permissive vs. Restricted mode behavior.
- YAML `permissions:` keyword evaluation.
- Organization cross-repo access policies.
- Resource access (Git, API, and Packages) under various permission
configs.
3. **Manual Verification**:
- Navigate to **Site/Org/Repo Settings -> Actions -> General**.
- Change "Default Token Permissions" and verify that newly triggered
workflows reflect these changes in their `GITEA_TOKEN` capabilities.
- Attempt a cross-repo API call from an Action and verify the Org policy
is enforced.
## Documentation
Added a PR in gitea's docs for this :
https://gitea.com/gitea/docs/pulls/318
## UI:
<img width="1366" height="619" alt="Screenshot 2026-01-24 174112"
src="https://github.com/user-attachments/assets/bfa29c9a-4ea5-4346-9410-16d491ef3d44"
/>
<img width="1360" height="621" alt="Screenshot 2026-01-24 174048"
src="https://github.com/user-attachments/assets/d5ec46c8-9a13-4874-a6a4-fb379936cef5"
/>
/fixes #24635
/claim #24635
---------
Signed-off-by: Excellencedev <ademiluyisuccessandexcellence@gmail.com>
Signed-off-by: ChristopherHX <christopher.homberger@web.de>
Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Replace the `@github/relative-time-element` npm dependency with a
vendored, simplified implementation.
- Support 24h format rendering [PR
329](https://github.com/github/relative-time-element/pull/329)
- Enable `::selection` styling in Firefox [PR
341](https://github.com/github/relative-time-element/pull/341)
- Remove timezone from tooltips (It's always local timezone)
- Clean up previous `title` workaround in tippy
- Remove unused features
- Use native `Intl.DurationFormat` with fallback for older browsers,
remove dead polyfill
- Add MIT license header to vendored file
- Add unit tests
- Add dedicated devtest page for all component variants
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude claude-opus-4-6 20250630 <noreply@anthropic.com>
This PR migrates the web Actions run/job routes from index-based
`runIndex` or `jobIndex` to database IDs.
**⚠️ BREAKING ⚠️**: Existing saved links/bookmarks that use the old
index-based URLs will no longer resolve after this change.
Improvements of this change:
- Previously, `jobIndex` depended on list order, making it hard to
locate a specific job. Using `jobID` provides stable addressing.
- Web routes now align with API, which already use IDs.
- Behavior is closer to GitHub, which exposes run/job IDs in URLs.
- Provides a cleaner base for future features without relying on list
order.
- #36388 this PR improves the support for reusable workflows. If a job
uses a reusable workflow, it may contain multiple child jobs, which
makes relying on job index to locate a job much more complicated
---------
Signed-off-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
The logic of "URLJoin" is unclear and it is often abused.
Also:
* Correct the `resolveLinkRelative` behavior
* Fix missing "PathEscape" in `ToTag`
* Fix more FIXMEs, and add new FIXMEs for newly found problems
* Refactor "auth page common template data"
Eliminate a few database queries on all issue and pull request pages by
moving mention autocomplete data to async JSON endpoints fetched
on-demand when the user types `@`.
See https://github.com/go-gitea/gitea/pull/36739#issuecomment-3963184858
for the full table of affected pages.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
The design of DefaultShowFullName has some problems, which make the UI
inconsistent, see the new comment in code
This PR does a clean up for various legacy problems, and clarify some
"user name display" behaviors.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This PR adds official REST API endpoints to rerun Gitea Actions workflow
runs and individual jobs:
* POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/rerun
* POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/jobs/{job_id}/rerun
It reuses the existing rerun behavior from the web UI and exposes it
through stable API routes.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Use flex-container layout and wrap the actions runs list with `ui top
attached header` and `ui attached segment` to add a background. Display
the total workflow run count in the header.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
After many years, "activitypub" is still "in progress" and no real
progress for end users. So it is not mature.
Temporarily mark the endpoints as "501 not implemented",
and wait until the whole design is stable and usable.
Any user with **read access** to a comment can now copy its raw markdown
source via the `···` context menu — no edit permission required.
Closes#36722.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
At logout time, if the user authenticated via OIDC, we look up the
provider's `end_session_endpoint` (already discovered by Goth from the
OIDC metadata) and redirect there with `client_id` and
`post_logout_redirect_uri`.
Non-OIDC OAuth2 providers (GitHub, GitLab, etc.) are unaffected — they
fall back to local-only logout.
Fix#14270
---------
Signed-off-by: Nikita Vakula <nikita.vakula@alpsalpine.com>
Co-authored-by: Nikita Vakula <nikita.vakula@alpsalpine.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
I was testing typos-cli and fixed some misspelled wording here.
All changes are internal — no public API fields, database columns,
locale keys, or migration names are affected.
## Summary
Replace combinations of `tw-flex tw-items-center` (with optional
`tw-gap-*`) with semantic `flex-text-block` or `flex-text-inline`
classes across 15 template files.
This follows the refactoring direction outlined in #35015 ("Refactor
legacy `tw-flex tw-items-center tw-gap-xx` to `flex-text-block` or
`flex-text-inline`").
## Changes
### Replacement rules applied:
- `tw-flex tw-items-center tw-gap-2` → `flex-text-block` (both have
`gap: 0.5rem`)
- `tw-flex tw-items-center tw-gap-1` → `flex-text-inline` (both have
`gap: 0.25rem`)
- `tw-flex tw-items-center` (no explicit gap) → `flex-text-block` where
the element is block-level and children benefit from the default gap
- `tw-flex tw-items-center` (inline context, e.g. `<a>`, `<span>`) →
`flex-text-inline`
### Files modified (15):
- `templates/admin/config.tmpl` — config page dt elements
- `templates/admin/repo/unadopted.tmpl` — unadopted repo list items
- `templates/base/head_navbar.tmpl` — active stopwatch popup
- `templates/org/header.tmpl` — org header action buttons
- `templates/org/home.tmpl` — member/team count links
- `templates/org/settings/labels.tmpl` — labels page header
- `templates/repo/branch/list.tmpl` — branch list header
- `templates/repo/commits_table.tmpl` — commits table header
- `templates/repo/diff/box.tmpl` — diff detail box
- `templates/repo/diff/new_review.tmpl` — review form header
- `templates/repo/issue/card.tmpl` — issue card unpin button
- `templates/repo/issue/view_content/attachments.tmpl` — attachment file
size
- `templates/repo/migrate/migrate.tmpl` — migration service cards
- `templates/shared/user/org_profile_avatar.tmpl` — org profile header
- `templates/webhook/new.tmpl` — webhook type dropdown text
### What was NOT changed:
- Elements with `tw-justify-between` or `tw-justify-center` (these need
additional classes)
- Elements whose children use explicit margins (`tw-mr-*`, `tw-ml-*`)
that would conflict with the gap from flex-text classes
- Fomantic UI form elements with special layout requirements
## Notes
- This PR was created with AI assistance (Claude). All changes were
reviewed individually to ensure semantic correctness and zero unintended
visual changes.
- No functional changes — purely CSS class refactoring.
Closes: part of #35015
Signed-off-by: xiaox315 <xiaox315@users.noreply.github.com>
Co-authored-by: xiaox315 <xiaox315@users.noreply.github.com>
* Fix#35685
* Fix#35627
* Fix#31112
Introduce "fipped" config value type, remove unused setting variables.
Make DisableGravatar=true by defult, remove useless config options from
the "Install" page.
The legacy config options are still kept because they are still the
fallback values for the system config options.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Description
This PR adds a branch_count field to the repository API response.
Currently, clients have to fetch all branches via /branches just to
determine the total number of branches. This addition brings Gitea
closer to parity with GitLab's API and improves efficiency for UI/CLI
clients that need this metric.
Linked Issue
Fixes#35351
Changes
API Structs: Added BranchCount field to Repository struct in
modules/structs/repo.go.
Database Logic: Implemented CountBranches in models/git/branch.go using
XORM for efficient counting.
Service Layer: Updated the ToRepo conversion logic in
services/convert/repository.go to populate the new field during API
serialisation.
Tests: Added a new unit test TestCountBranches in
models/git/branch_test.go to verify counts (including handling of
deleted branches).
Screenshots
<img width="196" height="121" alt="Screenshot 2026-02-24 at 21 41 07"
src="https://github.com/user-attachments/assets/cd023e92-f338-448b-9e49-0a5d54cc96c2"
/>
Testing
Manually verified the output using curl against a local Gitea instance.
Verified that adding a branch increments the count and deleting a branch
(soft-delete) decrements it.
Ran backend linting: make lint-backend (Passed).
Ran specific unit test: go test -v -tags "sqlite sqlite_unlock_notify"
./models/git -run TestCountBranches (Passed).
Co-authored-by: silverwind <me@silverwind.io>
Lazy-load 3 Vue components that are safe to defer (no pop-in effects).
This reduces `index-domready` from 515 KiB to 502 KiB (-2.5%).
The old `vue3-calendar-heatmap` vendor chunk (264 KiB) that previously
loaded on every page is eliminated entirely — it was mostly duplicate
`tippy.js` and `vue` copies that webpack had split out. The actual
heatmap library is only ~12 KiB minified, now inlined into the
`ActivityHeatmap` async chunk.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
The banner allows site operators to communicate important announcements
(e.g., maintenance windows, policy updates, service notices) directly
within the UI.
The maintenance mode only allows admin to access the web UI.
* Fix#2345
* Fix#9618
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This patch adds the created_by filter to the SearchIssues method.
tea cli has an option to filter by author when listing issues, but it's
not working. The tea command line creates this request for the API when
using the author filter:
```
$ tea issue list -l local --kind pull -A danigm -vvv http://localhost:3000/api/v1/repos/issues/search?created_by=danigm&labels=&limit=30&milestones=&page=1&state=open&type=pulls
```
This patch fixes the API to allow this kind of queries from go-sdk and
tea cli.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Adds validation constraints to repository creation inputs, enforcing
max-length limits for labels/license/readme and enum validation for
trust model and object format. Updates both the API option struct and
the web form struct to keep validation consistent.
Add workflow dependencies visualization
Related to #26062
This PR adds an interactive visualization component that displays job
dependencies in Gitea Actions workflow runs. It helps users understand
complex pipeline structures at a glance, addressing the difficulty of
comprehending dependency chains in current Gitea UI.
---------
Signed-off-by: Semenets V. Pavel <p.semenets@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
When display or search branch's pushed time, we should use
`updated_unix` rather than `commit_time`.
Fix#36633
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
Newbies often use the "Close with Comments" button instead of deleting
their comment. Icon should prevent mis-clicks.
---------
Co-authored-by: Yuriy.Khlynovskiy <yuriy.khlynovskiy@incomsystem.ru>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes: https://github.com/go-gitea/gitea/issues/21045
- Move heatmap data loading from synchronous server-side rendering to
async client-side fetch via dedicated JSON endpoints
- Dashboard and user profile pages no longer block on the expensive
heatmap DB query during HTML generation
- Use compact `[[timestamp,count]]` JSON format instead of
`[{"timestamp":N,"contributions":N}]` to reduce payload size
- Public API (`/api/v1/users/{username}/heatmap`) remains unchanged
- Heatmap rendering is unchanged, still shows a spinner as before, which
will now spin a litte bit longer.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes: https://github.com/go-gitea/gitea/issues/34865
1. When opening a PR from a branch with multiple commits, use the first
(oldest) commit's title as the default title instead of the branch name
2. Fix autofocus on PR title input field
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This pull request adds milestone filtering support to both repository
and organization project boards. Users can now filter project issues by
milestone, similar to how they filter by label or assignee. The
implementation includes backend changes to fetch and filter milestones,
as well as frontend updates to display a milestone filter dropdown in
the project board UI.
**Milestone filtering support:**
* Added support for filtering project board issues by milestone in both
repository and organization contexts, including handling for "no
milestone" and "all milestones" options. (`routers/web/repo/projects.go`
[[1]](diffhunk://#diff-5cba331a1ddf1eea017178cfefaaff9ad72a4b05797fb84bf508b0939aae2972R316-R330)
[[2]](diffhunk://#diff-5cba331a1ddf1eea017178cfefaaff9ad72a4b05797fb84bf508b0939aae2972R421-R441);
`routers/web/org/projects.go`
[[3]](diffhunk://#diff-f4279417070a8e33829c338abeb42877500377f490abb1495ae6357d50b6a765R344-R357)
[[4]](diffhunk://#diff-f4279417070a8e33829c338abeb42877500377f490abb1495ae6357d50b6a765R433-R485)
* Updated the project board template to include a milestone filter
dropdown, displaying open and closed milestones and integrating with the
query string for filtering. (`templates/projects/view.tmpl`
[[1]](diffhunk://#diff-e2c7e14d247ce381c352263a8fa639b8341690ff85f6dbebfa166ee3306542feL8-R8)
[[2]](diffhunk://#diff-e2c7e14d247ce381c352263a8fa639b8341690ff85f6dbebfa166ee3306542feR19-R58)
Solves Issue #35224
---------
Signed-off-by: josetduarte <6619440+josetduarte@users.noreply.github.com>
Co-authored-by: joseduarte <joseduarte@aidhound.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Adds three `<select>` controls on top right for indent style, indent
size, and line wrap to the code editor (`_edit`), diff patch editor
(`_diffpatch`) and git hook editor (`/settings/hooks/git/pre-receive`).
The git hooks editor is restyled to wrap the content in a box. Also
included is a bugfix for the git hooks editor where monaco was not
initialized correctly.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
We've been cutting down on the "striped" tables (where rows are using
alternate row background colors). This completely removes them as I
think such a design looks outdated.
The removal of selectors starting with `.ui[class*="very
basic"].table:not(.striped)` is needed because of a specificity issue in
the CSS where table cells would otherwise render with incorrect padding.
Example of one affected table:
<img width="1027" height="224" alt="image"
src="https://github.com/user-attachments/assets/2f3006ca-99a1-4655-afdb-b7cd9e5f19c7"
/>
This adds a per-repository default PR base branch and wires it through
PR entry points. It updates compare links and recently pushed branch
prompts to respect the configured base branch, and prevents auto-merge
cleanup from deleting the configured base branch on same-repo PRs.
## Behavior changes
- New PR compare links on repo home/issue list and branch list honor the
configured default PR base branch.
- The "recently pushed new branches" prompt now compares against the
configured base branch.
- Auto-merge branch cleanup skips deleting the configured base branch
(same-repo PRs only).
---------
Signed-off-by: Louis <116039387+tototomate123@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
