mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-01 19:15:36 +02:00
20903 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
silverwind
|
28096162fa
|
chore(css): remove unneeded CSS vendor prefixes (#37903)
Removes redundant/obsolete WebKit prefixes: - `-webkit-mask-*` — duplicate the unprefixed `mask-*` siblings already present; every supported browser handles unprefixed CSS Masking longhands. - `-webkit-overflow-scrolling: touch` — a no-op outside iOS Safari <13. Browser floor (all support unprefixed `mask`): Chrome 120+, Safari 15.4+, Firefox 53+, and PaleMoon/Goanna (verified: unprefixed `mask` longhands implemented unconditionally in UXP). --- This PR was written with the help of Claude Opus 4.8 Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com> |
||
|
silverwind
|
82cf75b68a
|
enhance(markup): improve issue title rendering (#37908) | ||
Zettat123
|
0359746abe
|
feat(actions)!: improve support for reusable workflows (#37478)
## Summary This PR improves reusable workflow support for Gitea Actions. The parsing of the called workflow now happens on Gitea side, not on the runner. When the caller becomes ready, Gitea fetches the called workflow source, parses it, and inserts each child job into the database as a `ActionRunJob` linked to the caller via `ParentCallJobID`. As a result, every callee job is dispatched as its own task and its logs surface as an independent job entry in the UI, rather than being inlined into the caller's "Set up job" step. This PR supports two kinds of `uses` : - same-repo call: `uses: ./.gitea/workflows/foo.yaml` - cross-repo call: `uses: OWNER/REPO/.gitea/workflows/foo.yaml@REF` ## **⚠️ BREAKING ⚠️** External reusable workflows (`uses: https://other-gitea-instance/OWNER/REPO/.gitea/workflows/test.yaml@REF`) are no longer supported. To keep using them, clone the repositories to the local instance. ## Main changes ### Execution model - Each caller job carries `IsReusableCaller=true` and won't be fetched by runners. - `ParentCallJobID` can link a called job to its caller. - Caller status is derived from its direct children. ### Workflow syntax - `jobparser` now supports parsing `on: workflow_call` trigger with `inputs:`, `outputs:`, and `secrets:` declarations. - **Max nesting depth**: capped at `MaxReusableCallLevels = 9`, which means a top-level caller may have at most 9 nested callers below it. - **Cycle prevention**: at expansion time, `checkCallerChain` walks the caller's ancestor chain via `ParentCallJobID` and rejects if the same `uses:` string appears anywhere upstream (`reusable workflow call cycle detected`). This catches both direct (`A -> A`) and indirect (`A -> B -> A`) cycles. ### Cross-repo access - To share reusable workflows from private repos, use `Collaborative Owners` introduced by #32562 ### Rerun semantics - `expandRerunJobIDs` partitions the latest attempt's jobs into: - a **rerun set**: jobs being rerun + downstream siblings within the same scope. - an **ancestor set**: reusable callers whose only *some* descendants are being rerun (the caller itself is not). - Cloning behavior for callers in `execRerunPlan`: - **Caller is fully rerun** (caller's `AttemptJobID` in `rerunSet`): none of its descendants are cloned. The caller is cloned with `IsCallerExpanded=false`, and re-expansion (which reinserts the children fresh) happens later when the resolver brings the caller to `Waiting` again. - **Caller is in ancestor set** (only some descendants rerun): the caller is pass-through (`Status` will be updated by its fresh children). Its non-rerun descendants are also pass-through clones (point `SourceTaskID` at the original task). Their `ParentCallJobID` is remapped to the new attempt's caller row. ### UI - Job list in `RepoActionView.vue` is now tree-shaped: callers indent their children. Callers default to collapsed. - New caller detail page using `WorkflowGraph` to show direct children only; the run summary's `WorkflowGraph` shows top-level callers and their immediate descendants. ### Known trade-offs - **Caller expansion runs inside the enclosing write transaction.** `expandReusableWorkflowCaller` performs a git read of the called workflow while holding the row locks that update the caller and insert its children. This is intentional: the caller-row update and child-row inserts must commit atomically. None of the call sites is hot (each caller is expanded once per attempt), so the trade-off is acceptable. - **A malformed `if:` expression on a job leaves it `Blocked` silently.** `evaluateJobIf` now runs server-side as part of resolver passes; deterministic expression errors (typos, undefined context fields) are logged but do not surface in the UI. This is the same behavior the resolver already had for concurrency-expression errors. Distinguishing transient DB errors from user-authored expression errors and writing the latter back as `StatusFailure` is a follow-up. #### Screenshots <img width="1600" alt="image" src="https://github.com/user-attachments/assets/bfaa9b7a-07e9-4127-8de9-a81f86e82828" /> <img width="1600" alt="image" src="https://github.com/user-attachments/assets/8af109b3-ef28-4b53-aaad-d4632b923224" /> ## References - https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows - https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations --- Replace #36388 --------- Signed-off-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
silverwind
|
2960d6889c
|
ci: stabilize Elasticsearch tests (#37906)
At a 512m heap the CI Elasticsearch GC-thrashes under the jobs' memory pressure and goes unresponsive, flaking `test-unit` (ES indexer tests time out) and `test-mysql` (the ES-backed issue indexer blocks the per-test queue flush). Raise the heap to 1g and disable ML + the startup GeoIP download. Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com> |
||
Nicolas
|
a342206a21
|
fix(locales): Replace hardcoded strings (#37788)
The Workflow Dependencies graph in the Actions run details view had hard-coded English strings. Also in projects view and contributors view I found some hard-coded strings. The other items in the issue #37787 (Summary / All jobs / Run Details / Workflow file / Triggered via / Total duration) were already wired through ctx.Locale.Tr; their translations just need to land in the non-English locale_*.json files via the translation pipeline. Fixes #37787 --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com> |
||
Giteabot
|
d07a42e777
|
fix(deps): update module golang.org/x/image to v0.41.0 [security] (#37904)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.40.0` → `v0.41.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.40.0...refs/tags/v0.41.0) |  |  | --- ### Panic when reading out of bound palette index in golang.org/x/image/bmp [CVE-2026-42500](https://nvd.nist.gov/vuln/detail/CVE-2026-42500) / [GO-2026-5031](https://pkg.go.dev/vuln/GO-2026-5031) <details> <summary>More information</summary> #### Details Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image. #### Severity Unknown #### References - [https://go.dev/issue/79576](https://go.dev/issue/79576) - [https://groups.google.com/g/golang-announce/c/uhYX90BlBvI](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI) - [https://go.dev/cl/781500](https://go.dev/cl/781500) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5031) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff [CVE-2026-46599](https://nvd.nist.gov/vuln/detail/CVE-2026-46599) / [GO-2026-5032](https://pkg.go.dev/vuln/GO-2026-5032) <details> <summary>More information</summary> #### Details The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data. #### Severity Unknown #### References - [https://go.dev/issue/79577](https://go.dev/issue/79577) - [https://go.dev/cl/759960](https://go.dev/cl/759960) - [https://groups.google.com/g/golang-announce/c/uhYX90BlBvI](https://groups.google.com/g/golang-announce/c/uhYX90BlBvI) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5032) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Nicolas
|
dd59c68486
|
feat(actions): bulk delete, disable and enable runners in admin UI (#37869)
Adds bulk actions on the site-admin runner list (`/-/admin/actions/runners`). Site admins can now select multiple runners and **Delete**, **Disable**, or **Enable** them in one go instead of clicking through each runner's edit page. Scope is intentionally limited to the admin page. The user, org, and repo runner pages keep their existing per-row UX — the shared list template gates the bulk UI behind an `AllowBulkActions` flag set only by the admin handler. ## Screenshots <img width="1582" height="353" src="https://github.com/user-attachments/assets/2125661f-aac0-4168-990a-97995a26abd2" /> --------- Signed-off-by: Nicolas <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
silverwind
|
dafc9e127a
|
chore: update giteabot to v1.0.3 (#37896)
Bump the pinned `giteabot` action to the [`v1.0.3`](https://github.com/go-gitea/giteabot/releases/tag/v1.0.3) release in both `giteabot.yml` and `giteabot-backport.yml`. v1.0.3 moves label/state queries off the search API on top of the existing retry logic. --- This PR was written with the help of Claude Opus 4.8 Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com> |
||
|
Zettat123
|
949119c1dd
|
fix(actions): exclude workflow_call from workflow trigger detection (#37894)
Gitea now only allows `workflow_dispatch.inputs`. If a workflow contains
`workflow_call.inputs`, the workflow cannot be triggered, even though
the `on:` section contains other trigger events.
|
||
|
Nicolas
|
da3e192eaf
|
fix(actions): keep action run title clickable when commit subject is a URL (#37867)
- When a commit subject is a bare URL, `linkProcessor` wrapped it in its own `<a>` to that URL. Because HTML cannot nest anchors, the wrapping default link (the action run / commit link) was lost and the action title became unclickable — clicking it sent the user to the URL from the commit message instead of the action log. - Drop `linkProcessor` from `PostProcessCommitMessageSubject` so the whole subject stays wrapped in the default link. URLs in subjects now render as text inside that link; URLs in commit bodies are unaffected. Fixes #37865 --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
Pascal Zimmermann
|
ea723fe482
|
enhance: Migrate remaining gopkg.in/yaml.v3 usages to go.yaml.in/yaml/v4 (#37866)
### Description Replaces all remaining direct `gopkg.in/yaml.v3` imports with `go.yaml.in/yaml/v4` across models, modules, routers, services, and integration tests. `gopkg.in/yaml.v3` moves from a direct to an indirect dependency in `go.mod`. #### API compatibility The yaml.Node type, node.Kind/node.Content traversal style (modules/markup/markdown/convertyaml.go), and the UnmarshalYAML(*yaml.Node) interface signature (modules/optional/serialization.go) are all preserved in v4 — no call-site changes were required beyond the import path. **Related:** - https://github.com/go-gitea/gitea/pull/36564#issuecomment-4526536805 --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com> |
||
Jorge Ortiz
|
90d443b46c
|
fix(actions): reject workflow_dispatch for workflows without that trigger (#37660)
## Summary Fixes #37528 This PR makes the workflow dispatch API reject workflows that do not declare `workflow_dispatch`. Previously, `POST /repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches` could create an `ActionRun` for a workflow that only declared another event such as `push`. The service now validates that the target workflow has a `workflow_dispatch` trigger before inserting the run. The API maps that validation failure to `422 Unprocessable Entity`, matching existing validation failures in this handler. The regression test creates a push-only workflow, dispatches it through the public API, asserts the `workflow_dispatch` validation message, and verifies that no run was inserted. ## Disclosure Developed with assistance from OpenAI Codex. --------- Co-authored-by: Nicolas <bircni@icloud.com> |
||
Lunny Xiao
|
428ee9fcce
|
fix(testing): Fix random failure test (#37887)
Fix the flaky npm package web view test that compared rendered HTML as a raw string. Fix https://github.com/go-gitea/gitea/actions/runs/26524574688/job/78124662707?pr=36564 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
Zettat123
|
49f88a4b9e
|
feat(repo): split repository creation limit into user and org scopes (#37872)
## Background `MAX_CREATION_LIMIT` applies to whoever owns a new repository, with no distinction between individual users and organizations. Admins who want different limits for the two - most commonly "block personal repos but let orgs create freely" - currently have to set per-user / per-org overrides on every entity. ## Changes Adds two new `[repository]` settings: - `USER_MAX_CREATION_LIMIT`: global limit for individual users - `ORG_MAX_CREATION_LIMIT`: global limit for organizations `MAX_CREATION_LIMIT` is kept as a shortcut: when set, it becomes the default value for both new keys. When the new keys are explicitly configured, they take precedence. Deployments that only set `MAX_CREATION_LIMIT` see behavior identical to now. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
silverwind
|
52fef74291
|
fix(frontend): resolve Vite assets by manifest source path (#37836)
In dev mode `/api/swagger` returned HTTP 500 (`Failed to locate local path for managed asset URI: css/swagger.css`): the backend synthesised asset keys from the Vite entry name instead of reading the manifest, which only worked by coincidence and broke once a source file name diverged from its entry name. This keys the manifest by its source path (e.g. `web_src/js/index.ts`) and resolves entries directly — hashed `file` in prod, dev-server source in dev. A new `AssetCSSLinks` helper renders a JS entry's stylesheet `<link>` tags from the manifest (the entry's CSS plus the CSS of its statically-imported chunks). Fixes: https://github.com/go-gitea/gitea/issues/37830 Fixes: https://github.com/go-gitea/gitea/pull/37832 Fixes: https://github.com/go-gitea/gitea/pull/37876 Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: prakhar0x01 <prakharporwal2004@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Nicolas
|
db04bcb31a
|
enhance(actions): set descriptive browser tab title on run view (#37870) | ||
Sumit
|
9e0e9e45ac
|
fix: support ##[command] log prefix in action run UI (#37882)
The Actions log parser only recognized `[command]`, so runner command output emitted as `##[command] ...` was not shown in expanded step logs. Add `##[command]` support to `LogLinePrefixCommandMap` in `web_src/js/components/ActionRunView.ts` and cover it with a regression test in `web_src/js/components/ActionRunView.test.ts`. Changes - Fixes Actions UI log rendering for runner command output - Adds support for ##[command] in the Actions log parser - Ensures runner echo ... lines are rendered when expanding step logs - Includes a regression test covering ##[command] foo parsing Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
silverwind
|
3c73da51b9
|
test: fix flaky issue-comment close test (#37880)
After posting a comment the page reloads via fetch-action. Clicking
"Close Issue" before the form re-initializes triggers a native form
submit, which navigates to the raw JSON redirect response
(`{"redirect":...}`) instead of the issue, so "Reopen Issue" never
appears and the test times out (observed on Firefox in CI).
Wait for the comment button to become disabled — which only happens once
the form re-initializes — before clicking "Close Issue".
---
This PR was written with the help of Claude Opus 4.7
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
|
||
|
silverwind
|
b4407e36aa
|
fix(actions): ack re-sent UpdateLog finalize idempotently (#37885)
Fixes https://github.com/go-gitea/gitea/issues/37871, full backwards and forwards compatible with runners. Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|
GiteaBot
|
e5ce5bfae5 | [skip ci] Updated translations via Crowdin | ||
|
Lunny Xiao
|
0a3e7483a4
|
chore: Move gitea sdk from code.gitea.io/sdk/gitea -> gitea.dev/sdk (#37855)
- Use gitea.dev/sdk instead of code.gitea.io/sdk/gitea - Use gitea.dev/actions-proto-def instead of code.gitea.io/actions-proto-def |
||
|
silverwind
|
f810e882a4
|
chore(deps): update chroma, regexp2 v2, replace dimiro1/reply (#37858)
- Update `github.com/alecthomas/chroma/v2` to `v2.25.0`. - Migrate `github.com/dlclark/regexp2` to `/v2` (incorporates https://github.com/go-gitea/gitea/pull/37664); drop the renovate pin. - Replace the unmaintained `github.com/dimiro1/reply` (the last consumer of `regexp2` v1 in our own code) with a small built-in reply parser for incoming mail. Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> Co-authored-by: Nicolas <bircni@icloud.com> |
||
wxiaoguang
|
729c4b8813
|
chore: clarify SSH clone URL related config options (#37877)
move "SSH_PORT" alongside "SSH_DOMAIN" and explain more |
||
Chongyi Zheng
|
b7a3c7a3be
|
chore: remove mssql x509negativeserial workaround (#37853)
The following TLS handshake error is fixed by newer versions of mssql (refer to https://github.com/microsoft/mssql-docker/issues/895#issuecomment-2737646391) ``` TLS Handshake failed: tls: failed to parse certificate from server: x509: negative serial number ``` Based on https://github.com/microsoft/go-sqlcmd/issues/755#issuecomment-4491676993, newer versions of mssql don't have this problem. And there're changes going to mssql driver side to make this error more explicit https://github.com/microsoft/go-mssqldb/pull/356. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
GiteaBot
|
9e7fadb089 | [skip ci] Updated translations via Crowdin | ||
|
Lunny Xiao
|
61b1a39efe
|
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873) | ||
|
Nicolas
|
a03e0364eb
|
feat(actions): add branch filters to run list (#37826)
## Summary - Add a Branch filter dropdown to the repo Actions run list web UI - Wire `?branch=` query param through the web handler, matching the existing REST API filter behavior - Source the Branch dropdown from the indexed `branch` table (filtering out deleted branches) instead of scanning `action_run.ref`, addressing review feedback about unindexed columns The Event filter was dropped after review: a static list of supported events was noisy as UX, and querying distinct values from `action_run.trigger_event` is slow because the column is not indexed. `FindRunOptions.TriggerEvent` is kept for the REST API. Closes #25042 --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
wxiaoguang
|
4a6db5a7c2
|
fix: http content file render (#37850)
Fix #37849 --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> |
||
|
silverwind
|
3223d919b0
|
test: fix flaky TestResourceIndex and reduce its runtime (#37847)
The modernc SQLite driver (default since https://github.com/go-gitea/gitea/pull/37562) returns `SQLITE_BUSY` once the busy timeout is reached, unlike mattn which waited indefinitely. `TestResourceIndex` fires many concurrent `NewIssue` writers, but SQLite serializes all writers, so they queue on a single `BEGIN IMMEDIATE` write lock. Under `-race` (modernc is much slower) the goroutines at the back of the queue exceeded the hardcoded 5s test timeout, producing `database is locked (5) (SQLITE_BUSY)`. Changes: - Reduce the concurrent inserts from 25 to 10. Since SQLite serializes writers, the extra goroutines only deepen the busy-lock queue without adding coverage. 10 still exercises concurrent index allocation while cutting the test's `-race` runtime ~3x (2.76s to 0.86s locally). - Share the busy-timeout constant: export `DefaultSQLiteBusyTimeout` (20s, the production default) and reference it from the test engine instead of the hardcoded `5000`. Observed flake: https://github.com/go-gitea/gitea/actions/runs/26394082930/job/77690496092 --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
Giteabot
|
5badd1bdee
|
fix(deps): update go dependencies (#37851)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[connectrpc.com/connect](https://redirect.github.com/connectrpc/connect-go)
| `v1.19.2` → `v1.20.0` |
|
|
| [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.4` →
`v1.0.5` |
|
|
|
[gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go)
| `v2.29.0` → `v2.30.0` |
|
|
---
### Release Notes
<details>
<summary>connectrpc/connect-go (connectrpc.com/connect)</summary>
###
[`v1.20.0`](https://redirect.github.com/connectrpc/connect-go/releases/tag/v1.20.0)
[Compare
Source](https://redirect.github.com/connectrpc/connect-go/compare/v1.19.2...v1.20.0)
#### What's Changed
##### Other changes
- Bump minimum supported Go version to 1.25 by
[@​jonbodner-buf](https://redirect.github.com/jonbodner-buf) in
[#​922](https://redirect.github.com/connectrpc/connect-go/issues/922)
- Update Unary-Get query parameter order to match spec recommendation by
[@​oliversun9](https://redirect.github.com/oliversun9) in
[#​926](https://redirect.github.com/connectrpc/connect-go/issues/926)
#### New Contributors
- [@​jonbodner-buf](https://redirect.github.com/jonbodner-buf)
made their first contribution in
[#​922](https://redirect.github.com/connectrpc/connect-go/issues/922)
**Full Changelog**:
<https://github.com/connectrpc/connect-go/compare/v1.19.2...v1.20.0>
</details>
<details>
<summary>gitea/runner (gitea.com/gitea/runner)</summary>
### [`v1.0.5`](https://gitea.com/gitea/runner/releases/tag/v1.0.5)
[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.4...v1.0.5)
#### Changelog
- fix(deps): update module connectrpc.com/connect to v1.20.0
([#​985](https://redirect.github.com/gitea/runner/issues/985))
- update docker cli to v29.5.2
([#​984](https://redirect.github.com/gitea/runner/issues/984))
- feat: add cache.offline\_mode to reuse cached actions
([#​966](https://redirect.github.com/gitea/runner/issues/966))
- Remove stale Gitea 1.20 compatibility shims
([#​978](https://redirect.github.com/gitea/runner/issues/978))
- fix(deps): update module github.com/docker/cli to v29.5.1+incompatible
([#​979](https://redirect.github.com/gitea/runner/issues/979))
- fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1
([#​980](https://redirect.github.com/gitea/runner/issues/980))
</details>
<details>
<summary>gitlab-org/api/client-go
(gitlab.com/gitlab-org/api/client-go/v2)</summary>
###
[`v2.30.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.30.0)
[Compare
Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.29.0...v2.30.0)
#### 2.30.0
##### 🚀 Features
- feat(orbit): add GetDsl for /api/v4/orbit/schema/dsl
([!2901](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2901))
by [Michael Angelo Rivera](https://gitlab.com/michaelangeloio)
###
[2.30.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.29.0...v2.30.0)
(2026-05-20)
##### Features
* **orbit:** add GetDsl for /api/v4/orbit/schema/dsl
([530031c](
|
||
|
Giteabot
|
326db5c932
|
chore(deps): update dependency @stylistic/stylelint-plugin to v5.2.0 (#37852)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@stylistic/stylelint-plugin](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic) | [`5.1.0` → `5.2.0`](https://renovatebot.com/diffs/npm/@stylistic%2fstylelint-plugin/5.1.0/5.2.0) |  |  | --- ### Release Notes <details> <summary>stylelint-stylistic/stylelint-stylistic (@​stylistic/stylelint-plugin)</summary> ### [`v5.2.0`](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/blob/HEAD/CHANGELOG.md#520--20260520) [Compare Source](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/compare/v5.1.0...v5.2.0) ##### Added - The `declaration-block-semicolon-newline-before` rule is now autofixable. ##### Fixed - An exception for an empty custom property value has been added to the `declaration-block-semicolon-newline-before` and `declaration-colon-space-after` rules: the `--custom-prop: ;` and `--custom-prop:;` variants are now considered valid (see [#​50](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/issues/50)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Giteabot
|
1c130d2eb6
|
chore(deps): update npm dependencies (#37848)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.3` → `11.2.1`](https://renovatebot.com/diffs/npm/pnpm/11.1.3/11.2.1) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.1` → `17.12.0`](https://renovatebot.com/diffs/npm/stylelint/17.11.1/17.12.0) |  |  | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.2.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1121) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.0...v11.2.1) ##### Patch Changes - Mark optional subdependency snapshots of config dependencies with `optional: true` in the env lockfile, matching how optional dependencies are recorded elsewhere in `pnpm-lock.yaml`. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's `optionalDependencies` were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required. - Fix `pickRegistryForPackage` returning the wrong registry for an unscoped `npm:` alias under a scoped local name. A manifest entry like `"@​private/foo": "npm:lodash@^1"` was routing the `lodash` fetch through `registries["@​private"]`, even though `lodash` is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or `null` for an unscoped target, falling through to `registries.default`) instead of leaking into the local key's scope. - Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed. ### [`v11.2.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1120) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.3...v11.2.0) ##### Minor Changes - **Experimental:** Adding [`@pnpm/pacquet`](https://npmx.dev/package/@​pnpm/pacquet) (the Rust port of pnpm) to `configDependencies` in `pnpm-workspace.yaml` now delegates the materialization phase of `pnpm install` to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine [#​11723](https://redirect.github.com/pnpm/pnpm/issues/11723). To configure pacquet in a project, run: ``` pnpm add @​pnpm/pacquet --config ``` You'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create. - `configDependencies` now resolve and install one level of `optionalDependencies` declared by the config dependency, with `os`/`cpu`/`libc` platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via `optionalDependencies` — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so `require('pkg-platform-arch')` from inside the config dependency resolves correctly. The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's `optionalDependencies` must declare an exact version — ranges and tags are rejected to keep installs reproducible. - Implement the documented `pnpm login --scope <scope>` flag. The scope is normalized (a leading `@` is added if missing; blank values are ignored) and an `@<scope>:registry=<registry>` mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of `@<scope>/*` packages then route to the chosen registry. Previously `pnpm login --scope foo` errored with `Unknown option: 'scope'` despite the flag being listed in the online documentation [#​11716](https://redirect.github.com/pnpm/pnpm/issues/11716). - `pnpm outdated` and `pnpm update --interactive` now report Node.js, Deno, and Bun runtimes installed as project dependencies (`runtime:` specifiers). Previously these were silently skipped. ##### Patch Changes - Fix `cafile=<relative-path>` in `.npmrc` being read from the wrong directory when pnpm is invoked from a different cwd (e.g. `pnpm --dir <project> install` from a CI wrapper or monorepo script). The path is now resolved against the directory of the `.npmrc` that declared it, not `process.cwd()`. Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path [#​11624](https://redirect.github.com/pnpm/pnpm/issues/11624). - Fix `config.registry` getting a trailing slash appended when `registry` is set in `.npmrc` and no `registries.default` is provided by `pnpm-workspace.yaml`. The sync from `registries.default` to `config.registry` introduced in [#​11744](https://redirect.github.com/pnpm/pnpm/issues/11744) now only fires when the workspace manifest actually contributes a different default. - Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error. - Fix two crashes with `injectWorkspacePackages: true` when the lockfile has been pruned (e.g. by `turbo prune --docker`): - `Cannot use 'in' operator to search for 'directory' in undefined`: a peer-dependency-variant injected snapshot inherits its `resolution` from the base `packages:` entry; when a pruner drops that base entry the readers crash. `convertToLockfileObject` now reconstructs the directory resolution from the `file:` depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot. - `ERR_PNPM_ENOENT` on `node_modules/.bin/<tool>`: after `prepare`/`postinstall`, `runLifecycleHooksConcurrently` re-imported each injected workspace package; the `scanDir`-into-`filesMap` workaround fed target-internal paths to the importer, which the `makeEmptyDir` fast path ([#​11088](https://redirect.github.com/pnpm/pnpm/issues/11088)) then wiped. Drop the workaround and pass `keepModulesDir: true` so the importer preserves the target's existing `node_modules` (bin links + transitive deps) and source files keep their hardlinks. - Fixed `pnpm login` and `pnpm logout` ignoring `registries.default` from `pnpm-workspace.yaml` [#​10099](https://redirect.github.com/pnpm/pnpm/issues/10099). - Fix the `minimumReleaseAge` (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose `modified` field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a `MISSING_TIME` error when full metadata wasn't permitted). Since `modified` is an upper bound on every version's publish time, `modified == publishedBy` already implies every version passes the per-version `<=` filter in `filterPkgMetadataByPublishDate`, so the shortcut now accepts the boundary case directly. Strictly `>` (was `>=`) at the rejection branch. - Honor `publishConfig.access` when publishing packages. </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.12.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17120---2026-05-20) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.1...17.12.0) It fixes 3 bugs, including a false negative one. - Fixed: `block-no-empty` reported range when using comments ([#​9294](https://redirect.github.com/stylelint/stylelint/pull/9294)) ([@​romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `declaration-property-value-no-unknown` false negatives for custom properties defined in reference files ([#​9292](https://redirect.github.com/stylelint/stylelint/pull/9292)) ([@​romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `value-keyword-layout-mappings` false positives for `caption-side` ([#​9293](https://redirect.github.com/stylelint/stylelint/pull/9293)) ([@​romainmenke](https://redirect.github.com/romainmenke)). </details> --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Giteabot
|
821d3c4672
|
fix(deps): update module github.com/google/go-github/v86 to v87 (#37845) | ||
|
Nicolas
|
d93bbcc0a6
|
feat(actions): List workflows that were executed once but got removed from the default branch (#37835) | ||
|
Giteabot
|
2775158024
|
chore(deps): update module github.com/air-verse/air to v1.65.2 (#37840)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/air-verse/air](https://redirect.github.com/air-verse/air) | `v1.65.1` → `v1.65.2` |  |  | --- ### Release Notes <details> <summary>air-verse/air (github.com/air-verse/air)</summary> ### [`v1.65.2`](https://redirect.github.com/air-verse/air/releases/tag/v1.65.2) [Compare Source](https://redirect.github.com/air-verse/air/compare/v1.65.1...v1.65.2) ##### What's Changed - docs: clarify Go install binary path by [@​xiantang](https://redirect.github.com/xiantang) in [#​900](https://redirect.github.com/air-verse/air/pull/900) - fix: keep app running until rebuild succeeds by [@​mariusvniekerk](https://redirect.github.com/mariusvniekerk) in [#​897](https://redirect.github.com/air-verse/air/pull/897) - docs: add Scoop install instructions by [@​xiantang](https://redirect.github.com/xiantang) in [#​901](https://redirect.github.com/air-verse/air/pull/901) - Resolve root directory if symlinked by [@​caleb-fringer](https://redirect.github.com/caleb-fringer) in [#​742](https://redirect.github.com/air-verse/air/pull/742) - Add stale issue workflow by [@​xiantang](https://redirect.github.com/xiantang) in [#​902](https://redirect.github.com/air-verse/air/pull/902) ##### New Contributors - [@​mariusvniekerk](https://redirect.github.com/mariusvniekerk) made their first contribution in [#​897](https://redirect.github.com/air-verse/air/pull/897) - [@​caleb-fringer](https://redirect.github.com/caleb-fringer) made their first contribution in [#​742](https://redirect.github.com/air-verse/air/pull/742) **Full Changelog**: <https://github.com/air-verse/air/compare/v1.65.1...v1.65.2> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Chongyi Zheng
|
0b3d7e2ba3
|
chore(deps): use maintained html2text package directly (#37842)
Currently unmaintained package `github.com/jaytaylor/html2text` is replaced using `replace` directive. Instead, the correct package `github.com/Necoro/html2text` should be referenced directly in code. --------- Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Giteabot
|
7daab82344
|
chore(deps): update redis:latest docker digest to 48e78eb (#37838)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | redis | service | digest | `94ea4f5` → `48e78eb` | --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Giteabot
|
1b1113b509
|
fix(deps): update go dependencies (#37841)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.3` → `v1.0.4` |  |  | | [github.com/SaveTheRbtz/zstd-seekable-format-go/pkg](https://redirect.github.com/SaveTheRbtz/zstd-seekable-format-go) | `v0.8.0` → `v0.8.3` |  |  | | [github.com/jhillyerd/enmime/v2](https://redirect.github.com/jhillyerd/enmime) | `v2.3.0` → `v2.4.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.26.0` → `v2.29.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.4`](https://gitea.com/gitea/runner/releases/tag/v1.0.4) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.3...v1.0.4) #### Changelog - Fix token use with schemaless Gitea instance ([#​977](https://redirect.github.com/gitea/runner/issues/977)) - Add OCI `source` and `version` labels to images ([#​975](https://redirect.github.com/gitea/runner/issues/975)) - fix(parse\_env\_file): support env-file lines larger than 64 KiB ([#​974](https://redirect.github.com/gitea/runner/issues/974)) - Fix host cleanup, volume allowlist, cache upload, and action host edge cases ([#​970](https://redirect.github.com/gitea/runner/issues/970)) - Remove dead code from `act/` ([#​971](https://redirect.github.com/gitea/runner/issues/971)) - fix: Return if executors length is zero in ParallelExecutor ([#​960](https://redirect.github.com/gitea/runner/issues/960)) - feat: make pseudo-TTY allocation opt-in ([#​961](https://redirect.github.com/gitea/runner/issues/961)) - fix(deps): update module github.com/docker/cli to v29.5.0+incompatible ([#​969](https://redirect.github.com/gitea/runner/issues/969)) - Simplify kubernetes dind example allowing for default docker config in workflows ([#​709](https://redirect.github.com/gitea/runner/issues/709)) - chore(deps): bump `retry-go`, `golangci-lint`, `govulncheck` ([#​965](https://redirect.github.com/gitea/runner/issues/965)) - fix(deps): bump `docker` deps, switch to `moby/moby` ([#​943](https://redirect.github.com/gitea/runner/issues/943)) - fix: respect proxy env vars in runner client ([#​962](https://redirect.github.com/gitea/runner/issues/962)) </details> <details> <summary>jhillyerd/enmime (github.com/jhillyerd/enmime/v2)</summary> ### [`v2.4.0`](https://redirect.github.com/jhillyerd/enmime/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/jhillyerd/enmime/compare/v2.3.0...v2.4.0) #### What's Changed - feat!: Refactor EnvelopeFromPart()'s scope by [@​bgedney](https://redirect.github.com/bgedney) in [#​392](https://redirect.github.com/jhillyerd/enmime/pull/392) - chore: rm unused func by [@​aleksandr4842](https://redirect.github.com/aleksandr4842) in [#​393](https://redirect.github.com/jhillyerd/enmime/pull/393) - chore: bump Go (1.25.x) & deps by [@​jhillyerd](https://redirect.github.com/jhillyerd) in [#​394](https://redirect.github.com/jhillyerd/enmime/pull/394) #### New Contributors - [@​bgedney](https://redirect.github.com/bgedney) made their first contribution in [#​392](https://redirect.github.com/jhillyerd/enmime/pull/392) - [@​aleksandr4842](https://redirect.github.com/aleksandr4842) made their first contribution in [#​393](https://redirect.github.com/jhillyerd/enmime/pull/393) **Full Changelog**: <https://github.com/jhillyerd/enmime/compare/v2.3.0...v2.4.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.29.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.29.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.28.0...v2.29.0) #### 2.29.0 ##### 🚀 Features - Add support for project setting `protect_merge_request_pipelines` ([!2896](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2896)) by [Gatla Vishweshwar Reddy](https://gitlab.com/gatlavishweshwarreddy26) ##### 🐛 Bug Fixes - fix(orbit): add QueryRaw for streaming llm/GOON response body verbatim ([!2897](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2897)) by [Dmitry Gruzd](https://gitlab.com/dgruzd) ### [2.29.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.28.0...v2.29.0) (2026-05-19) ##### Bug Fixes * **orbit:** add QueryRaw for streaming llm/GOON response body verbatim ([a849302]( |
||
|
Giteabot
|
953090fda4
|
fix(deps): update npm dependencies (#37844)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/legacy-modes | [`6.5.2` → `6.5.3`](https://renovatebot.com/diffs/npm/@codemirror%2flegacy-modes/6.5.2/6.5.3) |  |  | | @​codemirror/view | [`6.42.1` → `6.43.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.1/6.43.0) |  |  | | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.25.0` → `19.26.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.25.0/19.26.0) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.7.0` → `25.9.1`](https://renovatebot.com/diffs/npm/@types%2fnode/25.7.0/25.9.1) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.3/8.59.4) |  |  | | [@vitejs/plugin-vue](https://redirect.github.com/vitejs/vite-plugin-vue/tree/main/packages/plugin-vue#readme) ([source](https://redirect.github.com/vitejs/vite-plugin-vue/tree/HEAD/packages/plugin-vue)) | [`6.0.6` → `6.0.7`](https://renovatebot.com/diffs/npm/@vitejs%2fplugin-vue/6.0.6/6.0.7) |  |  | | [clippie](https://redirect.github.com/silverwind/clippie) | [`4.1.15` → `4.2.0`](https://renovatebot.com/diffs/npm/clippie/4.1.15/4.2.0) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.3.0` → `10.4.0`](https://renovatebot.com/diffs/npm/eslint/10.3.0/10.4.0) |  |  | | [eslint-plugin-playwright](https://redirect.github.com/mskelton/eslint-plugin-playwright) | [`2.10.2` → `2.10.4`](https://renovatebot.com/diffs/npm/eslint-plugin-playwright/2.10.2/2.10.4) |  |  | | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.46` → `0.16.47`](https://renovatebot.com/diffs/npm/katex/0.16.46/0.16.47) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.1` → `11.1.3`](https://renovatebot.com/diffs/npm/pnpm/11.1.1/11.1.3) |  |  | | [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.14` → `8.5.15`](https://renovatebot.com/diffs/npm/postcss/8.5.14/8.5.15) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.5` → `3.0.7`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.5/3.0.7) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.0` → `17.11.1`](https://renovatebot.com/diffs/npm/stylelint/17.11.0/17.11.1) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.3/8.59.4) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.11` → `17.16.13`](https://renovatebot.com/diffs/npm/updates/17.16.11/17.16.13) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.12` → `8.0.13`](https://renovatebot.com/diffs/npm/vite/8.0.12/8.0.13) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.6` → `4.1.7`](https://renovatebot.com/diffs/npm/vitest/4.1.6/4.1.7) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.9` → `3.3.1`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.9/3.3.1) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.26.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19260) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.25.0...v19.26.0) ##### Minor Changes - [#​1197](https://redirect.github.com/primer/octicons/pull/1197) [`b45f1d35`]( |
||
|
Giteabot
|
420a6eb5ab
|
chore(deps): update dependency zizmor to v1.25.2 (#37839)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [zizmor](https://docs.zizmor.sh) ([source](https://redirect.github.com/zizmorcore/zizmor)) | `==1.25.1` → `==1.25.2` |  |  | --- ### Release Notes <details> <summary>zizmorcore/zizmor (zizmor)</summary> ### [`v1.25.2`](https://redirect.github.com/zizmorcore/zizmor/releases/tag/v1.25.2) [Compare Source](https://redirect.github.com/zizmorcore/zizmor/compare/v1.25.1...v1.25.2) #### Bug Fixes 🐛[🔗](https://docs.zizmor.sh/release-notes/#bug-fixes) - Fixed a bug where the [unpinned-tools](https://docs.zizmor.sh/audits/#unpinned-tools) audit would incorrectly flag the [aquasecurity/trivy-action](https://redirect.github.com/aquasecurity/trivy-action) action as installing an unpinned tool version, rather than [aquasecurity/setup-trivy](https://redirect.github.com/aquasecurity/setup-trivy) ([#​2018](https://redirect.github.com/zizmorcore/zizmor/issues/2018)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Nicolas
|
bc6054b56d
|
enhance(actions): show workflow name from YAML instead of filename (#37833)
Use the workflow's YAML `name:` field for display in the workflow sidebar and run list, falling back to the filename when no name is set. Closes https://github.com/go-gitea/gitea/issues/31458 Closes https://github.com/go-gitea/gitea/issues/25912 Closes https://github.com/go-gitea/gitea/pull/31474 |
||
Thomas Hallock
|
6f4027a6be
|
fix(packages): render markdown links relative to linked repo (#37676)
Package-page markdown (READMEs, descriptions, release notes) was rendered as a plain document, so relative links and images resolved against the site root and 404'd. This renders it in the context of the package's linked repository instead, falling back to plain rendering when the package has no linked repo. For a README link `[usage](docs/usage.md)` in a package linked to `user/repo` (default branch `main`): | | Resolved link | |---|---| | Before | `/docs/usage.md` | | After | `/user/repo/src/branch/main/docs/usage.md` | For an npm monorepo package with `repository.directory: packages/foo`, an image `` resolves to `/user/repo/src/branch/main/packages/foo/logo.png`. Applied to every package content template that renders markdown: `cargo`, `chef`, `composer`, `npm`, `nuget`, `pub`, `pypi`. Links resolve against the repository default branch (metadata records no publish commit). Only the web package detail page is affected; registry API responses are unchanged. Note: as part of restructuring `npm.tmpl`, the package description and README now render as separate sections instead of the README replacing the description, matching the existing `cargo`/`composer`/`pub` layout. Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
GiteaBot
|
748d4a8040 | [skip ci] Updated translations via Crowdin | ||
|
silverwind
|
7d8bfb8dc6
|
test: run TestAPIRepoMigrate offline via a local clone source (#37817)
`TestAPIRepoMigrate` migrated from `https://github.com/go-gitea/test_repo.git`, so it required internet access, was slow, and could hit GitHub rate limits. It now clones a local fixture repo (`user2/repo1`) served by the `onGiteaRun` test server, split into two subtests: - `Permitted` (`AllowLocalNetworks=true`) — the success/permission cases, cloning the local repo. - `DisallowedHost` (`AllowLocalNetworks=false`) — the private-IP rejection cases. The split is needed because those two settings are mutually exclusive. The clone address is built from the live listener (`u`) so it can't drift from the bound host/port. The permission matrix and disallowed-host assertions are unchanged. Test is now roughly 2.5 times as fast with while asserting the same as before without a GitHub dependency. --- This PR was written with the help of Claude Opus 4.7 Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
Nicolas
|
8d6124a68a
|
ci: FIX sync PR labels from the conventional-commit title (#37784) (#37825)
If this also doesnt work we need to revert it ig --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
Nicolas
|
c9ce7e447c
|
feat(actions): add before/after to PR synchronize event payload (#37827)
## Summary - Add `before` and `after` fields to `PullRequestPayload` for `synchronize` events - Thread push old/new commit SHAs through the PR synchronize notifier path (regular and Agit flows) - Populate the fields in webhook and Actions event payloads so workflows can access them via `github.event.before` and `github.event.after` Fixes #33395 --------- Co-authored-by: Cursor <cursoragent@cursor.com> |
||
|
Nicolas
|
cdee9f5e10
|
ci: sync PR labels from the conventional-commit title (#37784)
Syncs `type/*` and `pr/breaking` labels from the PR title (Conventional Commits) and folds the existing title lint into the same workflow so labeling only runs once the title is valid. - `tools/pr-title.ts`: shared title parser and label mapping. - `tools/set-pr-labels.ts`: adds/removes labels via the GitHub API. `type/*` and `pr/breaking` are fully synced (added and removed); `skip-changelog` (chore/ci) and `topic/build` (build) are only added, never auto-removed, so manual labeling is preserved. - `pull-labeler.yml` now hosts `lint-pr-title` and `set-pr-labels` (`needs: lint-pr-title`) under `pull_request_target`, required so fork PRs get a writable token. Base-branch checkout only; no PR-head code runs in the elevated context. - Removes the superseded `pull-pr-title.yml` and the CI-only `lint-pr-title` Makefile target. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> |
||
|
GiteaBot
|
d8a45db3dd | [skip ci] Updated translations via Crowdin | ||
|
silverwind
|
502d3c1f9d
|
ci: tweak files-changed, add free-disk-space (#37819)
Reduces CI minutes consumption by narrowing the `files-changed` filters. - DB matrix (`pgsql`/`mysql`/`mssql`/`unit`) now runs only on real backend changes. `test-sqlite` stays gated on `actions`, so it remains the smoke check that validates CI-infra changes (composite-action edits, workflow edits, renovate action-pin bumps) without spinning up the full matrix. - Fix the `templates` filter: the SVG template linter is `tools/lint-templates-svg.ts`, so the `tools/lint-templates-*.js` glob matched nothing. - Add missed paths: `tsconfig.json` and `tools/generate-svg-vscode-extensions.json` to `frontend`, `eslint.json.config.ts` to `json`, and `.github/actions/docker-dryrun/**` to `docker`. --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
||
|
silverwind
|
a290d81eab
|
ci: cap Elasticsearch heap in db-tests (#37816)
Elasticsearch JVM heap defaults to ~50% of detected host RAM, typically way too much for our little tests and it starved the other runner processes from memory. Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |