The stopwatch navbar icon and popup were only rendered by the server
when a stopwatch was already active at page load. If a tab was opened
before the stopwatch started, `initStopwatch()` found no
`.active-stopwatch` element in the DOM, returned early, and never
registered a SharedWorker listener. As a result the WebSocket push
from the stopwatch notifier had nowhere to land and the icon never
appeared.
Fix by always rendering both the icon anchor and the popup skeleton in
the navbar (hidden with `tw-hidden` when no stopwatch is active).
`initStopwatch()` can now set up the SharedWorker in every tab, and
`updateStopwatchData` can call `showElem`/`hideElem` as stopwatch state
changes arrive in real time.
Also add `onShow` to `createTippy` so the popup content is re-cloned
from the (JS-updated) original each time the tooltip opens, keeping
it current even when the stopwatch was started after page load.
Add a new e2e test (`stopwatch appears via real-time push`) that
verifies the icon appears after `apiStartStopwatch` is called with
the page already loaded.
- Add WsSource class to eventsource.sharedworker.ts for WebSocket transport
- Remove websocket.sharedworker.ts (functionality merged into eventsource.sharedworker.ts)
- Add export{} to declare websocket.sharedworker.ts as an ES module,
preventing TypeScript TS2451 redeclaration errors caused by global
scope conflicts with eventsource.sharedworker.ts
- Always delete port from sourcesByPort on close regardless of remaining
subscriber count, preventing MessagePort keys from leaking in the Map
- Remove `export {}` which caused webpack to tree-shake the entire
SharedWorker bundle, resulting in an empty JS file with no connect
handler — root cause of WebSocket never opening
- Rename SharedWorker instance from 'notification-worker' to
'notification-worker-ws' to force browser to create a fresh worker
instance instead of reusing a cached empty one
reqSignIn sends a 303 redirect which breaks WebSocket upgrade; use the
same pattern as /user/events: register the route without middleware and
return 401 inside the handler when the user is not signed in.
Also fix copyright year to 2026 in all three new Go files and add a
console.warn for malformed JSON in the SharedWorker.
- Move /-/ws route inside reqSignIn middleware group; remove manual
ctx.IsSigned check from handler (auth is now enforced by the router)
- Fix scheduleReconnect() to schedule using current delay then double,
so first reconnect fires after 50ms not 100ms (reported by silverwind)
- Replace sourcesByPort.set(port, null) with delete() to prevent
MessagePort retention after tab close (memory leak fix)
- Centralize topic naming in pubsub.UserTopic() — removes duplication
between the notifier and the WebSocket handler
- Skip DB polling in notifier when broker has no active subscribers
to avoid unnecessary load on idle instances
- Hold RLock for the full Publish fan-out loop to prevent a race
where cancel() closes a channel between slice read and send
assets/go-licenses.json was missing the license entry for the newly
added github.com/coder/websocket dependency. Running make tidy
regenerates this file via build/generate-go-licenses.go.
Replace timeutil.TimeStampNow() calls in the websocket notifier with a
nowTS() helper that reads time.Now().Unix() directly. TimeStampNow reads
a package-level mock variable that TestIncomingEmail writes concurrently,
causing a race detected by the race detector in test-pgsql CI.
Add a thin in-memory pubsub broker and a SharedWorker-based WebSocket
client to deliver real-time notification count updates. This replaces
the SSE path for notification-count events with a persistent WebSocket
connection shared across all tabs.
New files:
- services/pubsub/broker.go: fan-out pubsub broker (DefaultBroker singleton)
- services/websocket/notifier.go: polls notification counts, publishes to broker
- routers/web/websocket/websocket.go: /-/ws endpoint, per-user topic subscription
- web_src/js/features/websocket.sharedworker.ts: SharedWorker with exponential
backoff reconnect (50ms initial, 10s max, reconnect on close and error)
Modified files:
- routers/init.go: register websocket_service.Init()
- routers/web/web.go: add GET /-/ws route
- services/context/response.go: add Hijack() to forward http.Hijacker
so coder/websocket can upgrade the connection
- web_src/js/features/notification.ts: port from SSE SharedWorker to WS SharedWorker
- webpack.config.ts: add websocket.sharedworker entry point
Part of RFC #36942.
## ⚠️ BREAKING ⚠️
- delete reaction endpoints is changed to return 204 No Content rather
than 200 with no content.
## Summary
Add swagger:enum annotations and migrate all enum comments from the
deprecated comma-separated format to JSON arrays. Introduce
NotifySubjectStateType with open/closed/merged values. Fix delete
reaction endpoints to return 204 instead of 200.
When a checkbox is toggled in the markup preview tab, the change is now
synced back to the editor textarea. Extracted a `toggleTasklistCheckbox`
helper to deduplicate the byte-offset toggle logic.
---------
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
With Gitea 1.25.4 the workflow event for in_progress was not triggered
for Gitea Actions.
Fixes#36906
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
I tried to tighten the AI contribution policy and make the expectations
around AI-assisted submissions clearer.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: silverwind <me@silverwind.io>
Replace webpack with Vite 8 as the frontend bundler. Frontend build is
around 3-4 times faster than before. Will work on all platforms
including riscv64 (via wasm).
`iife.js` is a classic render-blocking script in `<head>` (handles web
components/early DOM setup). `index.js` is loaded as a `type="module"`
script in the footer. All other JS chunks are also module scripts
(supported in all browsers since 2018).
Entry filenames are content-hashed (e.g. `index.C6Z2MRVQ.js`) and
resolved at runtime via the Vite manifest, eliminating the `?v=` cache
busting (which was unreliable in some scenarios like vscode dev build).
Replaces: https://github.com/go-gitea/gitea/pull/36896
Fixes: https://github.com/go-gitea/gitea/issues/17793
Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Use shared repo permission resolution for Actions task users in issue
label remove and clear paths, and add a regression test for deleting
issue labels with a Gitea Actions token.
This fixes issue label deletion when the request is authenticated with a
Gitea Actions token.
Fixes#37011
The bug was that the delete path re-resolved repository permissions
using the normal user permission helper, which does not handle Actions
task users. As a result, `DELETE
/api/v1/repos/{owner}/{repo}/issues/{index}/labels/{id}` could return
`500` for Actions tokens even though label listing and label addition
worked.
---------
Co-authored-by: Codex <codex@openai.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Add and modify more instruction for common problems in this codebase and
made the force-push instruction more strict.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
- Optimize refreshAccesses with cross-comparison to minimize DB operations
- Fix db.Find syntax in refreshAccesses optimization
- Add test for refreshAccesses update path and fix db.Find syntax
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
`navigator.language` can be `undefined` in headless browsers (e.g.
Playwright Firefox), causing `RangeError: invalid language tag:
"undefined"` in `Intl.DateTimeFormat` within the `relative-time` web
component.
Also adds an e2e test that verifies `relative-time` renders correctly
and a shared `assertNoJsError` helper.
Bug is als present in https://github.com/github/relative-time-element
but (incorrectly) masked there.
Fixes: https://github.com/go-gitea/gitea/issues/25324
---------
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
- Tweak serverity background and border colors
- Use default text color instead of per-severity text colors.
- Replace `saturate` filter with semibold font weight on message headers.
- Fix navbar double border when a notification is present.
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
1. Remove non-functional `label:enabled` selector (`:enabled` only works
on [form controls](https://html.spec.whatwg.org/multipage/semantics-other.html#concept-element-disabled), not labels)
2. Remove `cursor: auto` which caused an I-beam text selection cursor on checkbox labels. The default browser styles work find and show regular cursor.
3. Remove `cursor: pointer` on checkbox itself, opinionated and not needed.
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Add e2e tests for the three server push features:
- **Notification count**: verifies badge appears when another user
creates an issue
- **Stopwatch**: verifies stopwatch element is rendered when a stopwatch
is active
- **Logout propagation**: verifies logout in one tab triggers redirect
in another
Tests are transport-agnostic in preparation for a future WebSocket
migration.
---------
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This PR fixes `notifyWorkflowJobStatusUpdate` to send
`WorkflowRunStatusUpdate` for each affected workflow run instead of only
the first run in the input job list.
Add support for error, warning, notice, and debug log commands with bold
label prefixes and colored backgrounds matching GitHub's style. Parse
both `##[cmd]` and `::cmd args::` formats.
Also improved the severity colors globally and added a devtest page for
these.
---------
Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com>
Detect URLs in Actions log output and render them as clickable links,
similar to how GitHub Actions handles this. Pre-existing links from
ansi_up's OSC 8 parsing are also kept intact.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Pass `ServeHeaderOptions` by value instead of pointer across all call
sites — no nil-check semantics are needed and the struct is small enough
that copying is fine.
## Changes
- **`services/context/base.go`**: `SetServeHeaders` and `ServeContent`
accept `ServeHeaderOptions` (value, not pointer); internal unsafe
pointer cast replaced with a clean type conversion
- **`routers/api/packages/helper/helper.go`**: `ServePackageFile`
variadic changed from `...*context.ServeHeaderOptions` to
`...context.ServeHeaderOptions`; internal variable is now a value type
- **All call sites** (13 files): `&context.ServeHeaderOptions{...}` →
`context.ServeHeaderOptions{...}`
Before/after at the definition level:
```go
// Before
func (b *Base) SetServeHeaders(opt *ServeHeaderOptions) { ... }
func (b *Base) ServeContent(r io.ReadSeeker, opts *ServeHeaderOptions) { ... }
func ServePackageFile(..., forceOpts ...*context.ServeHeaderOptions) { ... }
// After
func (b *Base) SetServeHeaders(opts ServeHeaderOptions) { ... }
func (b *Base) ServeContent(r io.ReadSeeker, opts ServeHeaderOptions) { ... }
func ServePackageFile(..., forceOpts ...context.ServeHeaderOptions) { ... }
```
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
- content_encoding contains a slash => v4 artifact
- updated proto files to support mime_type and no longer return errors for upload-artifact v7
- json and txt files are now previewed in browser
- normalized content-disposition header creation
- azure blob storage uploads directly in servedirect mode (no proxying data)
- normalize content-disposition headers based on go mime package
- getting both filename and filename* encoding is done via custom code
Closes#36829
-----
Signed-off-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This is a step towards potentially splitting command groups into their
own folders to clean up `cmd/` as one folder for all cli commands.
Returning fresh command instances will also aid in adding tests as you
don't need to concern yourself with the whole command tree being one
mutable variable.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Remove `user-select: none` from checkbox labels to allow text selection
which is sometimes useful.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
When the email field was submitted as empty in org settings (web and
API), the previous guard `if form.Email != ""` silently skipped the
update, making it impossible to remove a contact email after it was set.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
To align with how GitHub requires additional explicit user interaction
to make a repo private, including informing them of implications on what
happens if they do.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
