This PR contains the following updates:
| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers)
([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio))
| service | minor | `2021.3.17` → `2021.12.29` | |
| [bitnamilegacy/minio](https://redirect.github.com/bitnami/containers)
([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/minio))
| service | minor | `2023.8.31` → `2023.12.23` | |
| [bitnamilegacy/mysql](https://redirect.github.com/bitnami/containers)
([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/mysql))
| service | minor | `8.0` → `8.4` | |
|
[renovatebot/github-action](https://redirect.github.com/renovatebot/github-action)
| action | patch | `v46.1.10` → `v46.1.12` | `v46.1.13` |
---
### Release Notes
<details>
<summary>renovatebot/github-action (renovatebot/github-action)</summary>
###
[`v46.1.12`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.12)
[Compare
Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.11...v46.1.12)
##### Bug Fixes
- **deps:** update dependency
[@​actions/core](https://redirect.github.com/actions/core) to
v3.0.1
([e8a6055](e8a6055d6d))
##### Documentation
- update references to renovatebot/github-action to v46.1.11
([317011a](317011a6ef))
##### Miscellaneous Chores
- **deps:** update dependency typescript-eslint to v8.59.0
([8e3560a](8e3560ab95))
##### Continuous Integration
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.142.0
([0fee00d](0fee00dc59))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.142.1
([c7cfc88](c7cfc88250))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.144.0
([39e7d09](39e7d09c7b))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.145.0
([0bbd415](0bbd415a9c))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.146.0
([889c739](889c7399ca))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.147.0
([7addce6](7addce6f1e))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.150.0
([804ce16](804ce1618f))
###
[`v46.1.11`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.11)
[Compare
Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.10...v46.1.11)
##### Documentation
- update references to renovatebot/github-action to v46.1.10
([0b264d2](0b264d27f8))
##### Miscellaneous Chores
- **deps:** update actions/setup-node action to v6.4.0
([951a814](951a81487a))
- **deps:** update dependency prettier to v3.8.3
([a763833](a763833a7d))
- **deps:** update dependency typescript-eslint to v8.58.2
([119d68e](119d68e8f6))
##### Build System
- **deps:** lock file maintenance
([f82feed](f82feedb56))
##### Continuous Integration
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.132.3
([99cc805](99cc805d75))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.133.0
([a63d39b](a63d39be1e))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.135.0
([955b000](955b0000ba))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.0
([65167cd](65167cdb3f))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.1
([7b21b86](7b21b86ced))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.136.3
([28a2dc0](28a2dc07b8))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.137.0
([b0cf2a4](b0cf2a4c91))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.0
([3700882](3700882c45))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.1
([f516ce2](f516ce2f92))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.138.3
([3411548](3411548d9c))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.0
([5201886](5201886b45))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.1
([5856263](5856263af8))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.4
([999691d](999691d7f3))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.5
([f703a54](f703a54130))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.6
([3ba85c2](3ba85c2979))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.7
([96f2f09](96f2f09b9d))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.139.8
([5af45e5](5af45e5b84))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.140.0
([01e9139](01e91393d3))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.0
([814a2a4](814a2a47c0))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.1
([fb3abdf](fb3abdf7fa))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.2
([e3a9af5](e3a9af55ac))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.5
([4f14b2f](4f14b2f81d))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.141.6
([2357784](2357784955))
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Run `nolyfill` as a renovate post-upgrade step alongside `make svg`, so
npm dep bumps keep `pnpm.overrides` in sync.
---
This PR was written with the help of Claude Opus 4.7
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Almost done
`pull_merge_box.tmpl` only has about 80 lines now, and (almost) all
variable accesses are strictly typed.
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Fixes#37446.
The job-status resolver in `checkJobsOfCurrentRunAttempt` only
considered `needs` and job-level concurrency when transitioning jobs out
of `Blocked`. When something drove the resolver against a run blocked
solely by workflow-level concurrency — for example, a sibling run in the
same group entering the queue and triggering `EmitJobsIfReadyByRun` —
the run's job silently became `Waiting` while another run still held the
concurrency group, and the runner could pick it up, defeating the
concurrency guarantee.
The fix bails out of the resolver when the run's latest attempt is still
blocked by run-level concurrency. `checkRunConcurrency` re-evaluates
when the holding run finishes.
Covered by a unit test
(`Test_checkJobsOfCurrentRunAttempt_RunLevelConcurrencyKeepsJobsBlocked`
in `services/actions/job_emitter_test.go`) that sets up a Running holder
attempt and a Blocked sibling attempt in the same concurrency group
directly in the DB, calls `checkJobsOfCurrentRunAttempt`, and asserts
the blocked job stays `Blocked`. Fails on master, passes with the fix.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
- Remove spurious context.ReferencesGitRepo(true) from /actions route group
- ToActionTask: restore targeted loads (LoadJob/LoadRun/LoadRepo) instead
of LoadAttributes which unnecessarily loads task steps; use
httplib.MakeAbsoluteURL(ctx, ...) for the URL field
- ToActionWorkflowRun: replace run.LoadAttributes with direct repo
assignment + LoadTriggerUser to avoid redundant language-stats query;
restore attempt.Run = run before attempt.LoadAttributes to prevent
redundant DB re-fetch; restore ctx to APIURL/HTMLURL calls
- ToActionWorkflowJob: restore ctx to APIURL and HTMLURL calls
Co-Authored-By: Claude <claude-sonnet-4-6@anthropic.com>
Replace the duplicated inline cancel logic in the web Cancel handler
with a call to actions_service.CancelRun, which encapsulates the same
transaction, commit status update, and notification logic.
Co-Authored-By: Claude Sonnet (claude-sonnet-4-6) <claude-sonnet-4-6@anthropic.com>
GetWorkflowRunLogsStream (POST /runs/{run}/logs) and its supporting
code are moved to feature/runner-logs-stream-api for a standalone PR
where the POST-vs-GET design question can be resolved independently.
Removed from this branch:
- GetWorkflowRunLogsStream handler and route
- getRunJobsAndCurrent helper (only used by the stream handler)
- services/actions/log.go (ReadStepLogs)
- ActionLogCursor/Request/StepLine/Step/Response structs
- TestAPIActionsGetWorkflowRunLogsStream integration test
- Regenerated swagger specs accordingly
Co-Authored-By: Claude Sonnet <claude-sonnet-4-6@anthropic.com>
- Add reqToken/reqRepoReader to GET log download endpoints for consistency
with the POST streaming endpoint
- Remove spurious LoadRepos call in DownloadActionsRunAllJobLogs; jobs are
already scoped to the repo by the query and Repo is never read
- Refactor reader.Close() in zip loop to use a closure with defer
- Update copyright year to 2026 on new services/actions/{cancel,log}.go
- Add TestAPIActionsListUserWorkflows and TestAPIActionsListRepoWorkflows
as standalone top-level tests (were dropped when breaking up the
orchestrator)
- Add idempotency assertion to TestAPIActionsApproveWorkflowRun: approving
an already-approved run returns 400
Co-Authored-By: Claude Sonnet <claude-sonnet-4-6@anthropic.com>
- Cast org.Visibility.String() to api.UserVisibility in ToOrganization
- Cast t.AccessMode.ToString() to api.AccessLevelName in ToTeams
- Update webhook notifier to pass repo to ToActionWorkflowRun
Co-Authored-By: Claude Sonnet 4.6 <claude-sonnet-4-6@anthropic.com>
- Cancel and approve workflow runs via POST /runs/{run}/cancel|approve
- Download all job logs as zip via GET /runs/{run}/logs
- Download individual job log via GET /runs/{run}/jobs/{job_id}/logs
- Stream live log cursors via POST /runs/{run}/logs
- Add CreatedAt field to ActionWorkflowRun API response
- Extract shared log streaming and cancel logic into services/actions
- Move streaming log types to modules/structs
- Add Swagger documentation for all new endpoints
- Add integration tests with subtests for all new endpoints
Co-Authored-By: Claude Sonnet 4.6 <claude-sonnet-4-6@anthropic.com>
The migration repository model now carries Website alongside Description, the GitHub/Gitea downloaders populate it, and mirror finalization persists both description and website so the About section is not empty after creating a mirror.
Fixes#37495
---------
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Purpose:
1. Make the whole code base have unified "item" layout
2. Clarify our "list" styles: "flex-relaxed-list", "flex-divided-list"
3. Prepare to replace legacy "ui relaxed list"
* https://github.com/go-gitea/gitea/pull/37445#discussion_r3144458865
4. Prepare for refactoring the "pull merge box", it needs the
"flex-divided-list"
* related to "Refactor pull request view (*)" like #37451
5. Fix legacy abuses of "flex-list", e.g.: repo home sidebar
When running `gitea dump` with output routed to stdout (--file -),
deprecation warnings from loadAvatarsFrom were written to stdout,
corrupting the archive stream.
Root cause: PrepareConsoleLoggerLevel (called in app.Before) sets up a
console logger via SetConsoleLogger, which used WriterConsoleOption{}
defaulting Stderr to false (i.e. stdout). This logger is installed
before the dump subcommand can redirect logging to stderr in runDump.
Fix: use WriterConsoleOption{Stderr: true} in SetConsoleLogger so all
early CLI diagnostic output goes to stderr from the start. This is
correct for all subcommands — diagnostic/log output should never pollute
stdout.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
After the Webpack-to-Vite migration (#37002), mCaptcha stopped working
entirely on the registration page, throwing an error:
`TypeError: setting getter-only property "INPUT_NAME"`
This fix stops trying to mutate the read-only INPUT_NAME export. Instead
it probes for the Widget constructor at module.default (direct) or
module.default.default (CJS-wrapped), constructs the widget, and then
renames the hidden input element it creates to m-captcha-response which
is the field name Gitea's backend reads from the submitted form.
Generative AI was used to help with making this PR.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Drops `github.com/olivere/elastic/v7` (unmaintained) and replaces it
with a small in-house wrapper that speaks the Elasticsearch REST API
directly via `net/http`. The subset used by Gitea (`_cluster/health`,
`_bulk`, `_doc`, `_delete_by_query`, `_refresh`, `_search`, `HEAD`/`PUT`
index) is stable across the targeted servers, so no client library is
needed.
**Targets tested**
- Elasticsearch 7, 8, 9
- OpenSearch 1, 2, 3
**Why not `go-elasticsearch`?**
The official client enforces an `X-Elastic-Product` server-identity
check that OpenSearch deliberately fails, which would force shipping a
transport shim to defeat it. Going direct over `net/http` removes that
fight along with several MB of transitive deps (`elastic-transport-go`,
`go.opentelemetry.io/otel{,/metric,/trace}`, `auto/sdk`, `easyjson`,
`intern`, `logr`, `stdr`).
Replaces: #30755
Fixes: https://github.com/go-gitea/gitea/issues/30752
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
1. Make the content area stretch the box, enabling text selection to
start over empty space.
2. Disable linter for markdown, it can never produce lint errors, this
hides the unnecessary lint gutter on markdown files.
3. Verified all languages linter enablement, all accurate.
4. Refactor `getLinterExtension` to not rely on file extensions.
5. Include jsonc/json5 extensions in regex.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Clean up legacy copied&pasted code, introduce the unique "database
connection" function. Move migration testing helper function
PrepareTestEnv to a separate package.
By the way, remove "shadow connection secrets" tricks: showing
connection string on UI is useless
---------
Co-authored-by: Nicolas <bircni@icloud.com>
## Summary
This PR adds support for updating pull mirror authentication via the
repository edit API and UI.
It introduces new mirror authentication fields in _EditRepoOption_,
updates the API logic to safely handle partial credential updates, and
fixes the web settings flow so that the existing remote username is
preserved when only the password is changed.
### What changed
- added _auth_username_, _auth_password_, and _auth_token_ to
EditRepoOption
- updated the repository edit API to apply mirror auth changes via
_updateMirror_
- preserved existing username/password when only part of the auth
payload is provided
- used oauth2 as the default username when _auth_token_ is provided
- kept stored mirror URLs sanitized in DB and API responses
- updated Swagger schema for the new API fields
- added API integration tests for password-only and token-only updates
- added a web settings test to ensure username preservation on partial
updates
## Why
Some use cases require automated synchronization of pull mirrors, for
example in CI/CD pipelines or integrations with external systems.
At the same time, many organizations enforce security policies that
require periodic token rotation (e.g., monthly).
Currently, mirror credentials can only be updated via the UI, which
makes automation difficult.
## This change enables:
- automated token rotation
- avoiding manual updates via the UI
- easier integration with secret management systems
## Testing
- added integration coverage for mirror auth updates via _PATCH
/api/v1/repos/{owner}/{repo}_
- added web settings tests for password-only updates preserving the
existing username
## Result
Ability to automate auth update
<img width="2400" height="1245" alt="1"
src="https://github.com/user-attachments/assets/67fd5cca-9cb3-4536-b0e2-4d09b8ebff0f"
/>
<img width="962" height="932" alt="image"
src="https://github.com/user-attachments/assets/5d548f5d-aadf-4807-ba52-9c29df93a4cc"
/>
Generative AI was used to help with making this PR.
##
1. only trigger docker-dryrun arm64&riscv64 when dockerfile changes
2. de-duplicate "contents: read" permission for most workflows
3. merge various "lint-*" jobs into one job
4. add missing lint targets to the "lint" (all) target
1. Rename CompareInfo.MergeBase to CompareBase, it is not merge base
2. Remove unused template variables `ctx.Data["Username"]` and
`ctx.Data["Reponame"]`
3. Decouple some template variable accesses, use typed struct
---------
Co-authored-by: Nicolas <bircni@icloud.com>
Add a build-time conversion step that transforms the existing Swagger
2.0 spec into an OpenAPI 3.0 spec. The OAS3 spec is served alongside the
existing Swagger 2.0 spec, enabling API clients that require OAS3 to
generate code directly from Gitea's API.
This is not to be an answer to how gitea handles OAS3 long term,
but a way to use what we have to move a step forward.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Avoid per-item DB queries in ListRuns, ListJobs, and ListActionTasks by
batch-loading trigger users, repositories, and task attributes before
the conversion loop. Remove ReferencesGitRepo from the /actions route
group since no task/run endpoints use it.
Added tests for these endpoints as well.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Adds a new `DEFAULT_TITLE_SOURCE` option under
`[repository.pull-request]` with three values:
- `first-commit` (default): uses the oldest commit summary, current
behavior since v1.26
- `auto`: normalizes branch name as title for multi-commit PRs (just
like GitHub), use commit summary for single-commit PRs
Closes: #37463
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: Nicolas <bircni@icloud.com>
This fixes the scheduled action panic when an event payload is JSON
`null` by initializing the payload map before adding `schedule`. It also
adds regression coverage for the null-payload case.
Fixes#37447.
Testing:
- `go test -tags 'sqlite sqlite_unlock_notify' ./services/actions -run
'^TestWithScheduleInEventPayload$' -count=1`
- Local note: this agent ran the command as root with a temporary
`GITEA_TEST_CONF=custom/conf/app-test-root.ini` file that only set
`I_AM_BEING_UNSAFE_RUNNING_AS_ROOT = true`.
Authorship: cyphercodes; AI assistance disclosed: Hermes Agent
(GPT-5.5).
---------
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Hermes Agent (GPT-5.5) <hermes-agent@users.noreply.github.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Giteabot <teabot@gitea.io>
After using CSP nonce, the "onerror" doesn't work anymore. Change it to
use a global variable to detect
Also help users like #37379 to catch errors more easily.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Make the watch, star, and fork buttons in the repo header consistent for
logged-out users:
- Apply the same look to all three buttons (number labels
included), instead of only the action button being grayed.
- Clicking any of them while logged out now leads to the login page
(with a redirect back) instead of being inert.
- Split the per-button markup out of `header.tmpl` into a dedicated
`templates/repo/header/` folder (`fork.tmpl`, `star.tmpl`,
`watch.tmpl`).
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
