## Summary
- Update golangci-lint v2.9.0 → v2.10.1, misspell v0.7.0 → v0.8.0,
actionlint v1.7.10 → v1.7.11
- Fix 20 new QF1012 staticcheck findings by using `fmt.Fprintf` instead
of `WriteString(fmt.Sprintf(...))`
- Fix SA1019: replace deprecated `ecdsa.PublicKey` field access with
`PublicKey.Bytes()` for JWK encoding, with SEC 1 validation and curve
derived from signing algorithm
- Add unit test for `ToJWK()` covering P-256, P-384, and P-521 curves,
also verifying correct coordinate padding per RFC 7518
- Remove dead staticcheck linter exclusion for "argument x is
overwritten before first use"
## Test plan
- [x] `make lint-go` passes with 0 issues
- [x] `go test ./services/oauth2_provider/ -run
TestECDSASigningKeyToJWK` passes for all curves
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The banner allows site operators to communicate important announcements
(e.g., maintenance windows, policy updates, service notices) directly
within the UI.
The maintenance mode only allows admin to access the web UI.
* Fix#2345
* Fix#9618
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This patch adds the created_by filter to the SearchIssues method.
tea cli has an option to filter by author when listing issues, but it's
not working. The tea command line creates this request for the API when
using the author filter:
```
$ tea issue list -l local --kind pull -A danigm -vvv http://localhost:3000/api/v1/repos/issues/search?created_by=danigm&labels=&limit=30&milestones=&page=1&state=open&type=pulls
```
This patch fixes the API to allow this kind of queries from go-sdk and
tea cli.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Replace the external easymde.min.css import with an inlined and
lazy-loaded CSS file that uses proper theme variables for border colors.
All EasyMDE/CodeMirror rules are scoped under `.EasyMDEContainer`,
removing the need for !important overrides.
- Fixes easymde borders, these were broken since a while now
- Scope all easymde styles to .EasyMDEContainer
- Inline easymde.min.css and codemirror.css into web_src/css/easymde.css
- Lazy-load the CSS alongside the JS in switchToEasyMDE()
- Fix .editor-toolbar and .CodeMirror border colors to use
--color-input-border matching textarea inputs
- Remove unused gutter, line number, and other unconfigured styles
- Move .editor-loading to codeeditor.css where it belongs
<img width="891" height="518" alt="image"
src="https://github.com/user-attachments/assets/87495de5-7872-4645-90e7-96fe0f782f02"
/>
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Adds validation constraints to repository creation inputs, enforcing
max-length limits for labels/license/readme and enum validation for
trust model and object format. Updates both the API option struct and
the web form struct to keep validation consistent.
Fixes#36727
Git is lowercasing the `fatal: Not a valid object name` error message
to follow its CodingGuidelines. This change makes the string matching
case-insensitive so it works with both the current and future Git
versions.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Add workflow dependencies visualization
Related to #26062
This PR adds an interactive visualization component that displays job
dependencies in Gitea Actions workflow runs. It helps users understand
complex pipeline structures at a glance, addressing the difficulty of
comprehending dependency chains in current Gitea UI.
---------
Signed-off-by: Semenets V. Pavel <p.semenets@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This change tightens relative URL validation to reject raw backslashes
and `%5c` (encoded backslash), since browsers and URL normalizers can
treat backslashes as path separators. That normalization can turn
seemingly relative paths into scheme-relative URLs, creating
open-redirect risk.
Visiting below URL to reproduce the problem.
http://localhost:3000/user/login?redirect_to=/a/../\example.comhttp://localhost:3000/user/login?redirect_to=/a/../%5cexample.com
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
## Summary
- Move `cors.X_FRAME_OPTIONS` to `security.X_FRAME_OPTIONS` (old
location still works with a deprecation warning)
- Support `"unset"` as a special value to remove the `X-Frame-Options`
header entirely
- Remove `X-Frame-Options` header from API responses (only set for
web/HTML responses)
## Migration
If you had customized `cors.X_FRAME_OPTIONS`, move it to the
`[security]` section. The old location is deprecated and will be removed
in a future release.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
The jobparser sub package in act is only used by Gitea. Move it to Gitea
to make it more easier to maintain.
---------
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
When display or search branch's pushed time, we should use
`updated_unix` rather than `commit_time`.
Fix#36633
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
Newbies often use the "Close with Comments" button instead of deleting
their comment. Icon should prevent mis-clicks.
---------
Co-authored-by: Yuriy.Khlynovskiy <yuriy.khlynovskiy@incomsystem.ru>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Based on my recent experience of both using AI tools and reviewing
AI-generated pull requests. Partially based on
https://typescript-eslint.io/contributing/ai-policy/.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
- Replace the e2e tests initialization with a simple bash script,
removing the previous Go harness.
- `make test-e2e` is the single entry point. It always starts a fully
isolated ephemeral Gitea instance with its own temp directory, SQLite
database, and config — no interference with the developer's running
instance.
- A separate `gitea-e2e` binary is built via `EXECUTABLE_E2E` using
`TEST_TAGS` (auto-includes sqlite with `CGO_ENABLED=1`), keeping the
developer's regular `gitea` binary untouched.
- No more split into database-specific e2e tests. Test timeouts are
strict, can be relaxed later if needed.
- Simplified and streamlined the playwright config and test files.
- Remove all output generation of playwright and all references to
visual testing.
- Tests run on Chrome locally, Chrome + Firefox on CI.
- Simplified CI workflow — visible separate steps for frontend, backend,
and test execution.
- All exported env vars use `GITEA_TEST_E2E_*` prefix.
- Use `GITEA_TEST_E2E_FLAGS` to pass flags to playwright, e.g.
`GITEA_TEST_E2E_FLAGS="--ui" make test-e2e` for UI mode or
`GITEA_TEST_E2E_FLAGS="--headed" make test-e2e` for headed mode.
- Use `GITEA_TEST_E2E_DEBUG=1 make test-e2e` to show Gitea server
output.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This is the result of a full-repo review to look for `style` attributes
that can be replaced with tailwind or other methods. I will manually
validate later.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Workflows triggered by pull_request_review events (approved, rejected,
comment) complete successfully but never create a commit status on the
PR. This makes them invisible in the merge checks UI, breaking any CI
gate that re-evaluates on review submission.
The commit status handler's switch statement was missing the three
review event types, so they fell through to the default case which
returned empty strings. Additionally, review events use
PullRequestPayload but IsPullRequest() returns false for them (Event()
returns "pull_request_approved" etc. instead of "pull_request"), so
GetPullRequestEventPayload() refuses to parse their payload.
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
Co-authored-by: silverwind <me@silverwind.io>
[`colord`](https://github.com/omgovich/colord) is significantly smaller
than [`tinycolor2`](https://github.com/bgrins/TinyColor) (~4KB vs ~29KB
minified) and ships its own TypeScript types, removing the need for
`@types/tinycolor2`.
Behaviour is exactly the same for our use cases. By using `.alpha(1)` we
force the function to always output 6-digit hex format (it would output
8-digit for non-opaque colors).
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Change `security-check` not break the build which is a major
inconvenience as it breaks CI on all PRs.
https://github.com/go-gitea/gitea/security/dependabot already provides a
clean overview of outstanding security issues in dependencies and I'm
using it all the time to find and update vulnerable dependencies.
This simplifies the Makefile by removing the whole-file wrapping that
creates a tempdir introduced by
https://github.com/go-gitea/gitea/pull/11126. REPO_TEST_DIR is removed
as well.
Also clean up a lot of legacy code: unnecessary XSS test, incorrect test
env init, unused "_old_uid" hack, etc
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes: https://github.com/go-gitea/gitea/issues/36612
This new setting controls which workflow directories are searched. The
default value matches the previous hardcoded behaviour.
This allows users for example to exclude `.github/workflows` from being
picked up by Actions in mirrored repositories by setting `WORKFLOW_DIRS
= .gitea/workflows`.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Rewrite `build/generate-go-licenses.go` to use `go list -m -json all`
and read license files directly from the Go module cache instead of
relying on the buggy `google/go-licenses` tool.
This removes the need for CGO, GOOS=linux, and the intermediate temp
directory, while being like 100 times faster than before:
```
$ rm assets/go-licenses.json && time make assets/go-licenses.json
go run build/generate-go-licenses.go assets/go-licenses.json
make assets/go-licenses.json 0.21s user 0.22s system 173% cpu 0.247 total
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Clean up linter configs, removing redundant rules or dead disables. One
new rule enabled, no violations. Many revive rules had same or better
rules in staticcheck or govet.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Giteabot <teabot@gitea.io>
In #32562, I incorrectly assigned mismatched `repo_id` values to the
`action_run` and `action_run_job` fixtures used in
`TestActionsCollaborativeOwner`. The changes introduced in #36173 will
cause the test to fail. This PR removes the incorrect fixtures and
switches to using mock workflows to test the relevant functionality.
Steps defined with `run:` or `uses:` without an explicit `name:` now
display with a "Run <cmd>" prefix in the Actions log UI, matching GitHub
Actions behavior.
<img width="311" height="236" alt="image"
src="https://github.com/user-attachments/assets/9fde83f5-c43a-4732-ac55-0f4e1fbc1314"
/>
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes: https://github.com/go-gitea/gitea/issues/36543
When running `make watch`, the backend may start before webpack finishes
building CSS theme files. Since themes were loaded once via sync.Once,
they would never reload, breaking the theme selector and showing a
persistent error on the admin page.
In dev mode, themes are now reloaded from disk on each access so they
become available as soon as webpack finishes. Production behavior is
unchanged where themes are loaded once and cached via sync.Once.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Starting with v1.26, Gitea uses a JSON configuration file format instead
of the INI format used in v1.25 and earlier versions.
Because of this fundamental format change, a clean translation backport
to the v1.25 branch (or earlier release branches) is not feasible.The
recommended approach is:
- Wait until the release/v1.26 branch is created after the official
v1.26 release.
- Then introduce a new JSON-based configuration (or
migration/compatibility layer) on top of that branch.
Fixes: https://github.com/go-gitea/gitea/issues/21045
- Move heatmap data loading from synchronous server-side rendering to
async client-side fetch via dedicated JSON endpoints
- Dashboard and user profile pages no longer block on the expensive
heatmap DB query during HTML generation
- Use compact `[[timestamp,count]]` JSON format instead of
`[{"timestamp":N,"contributions":N}]` to reduce payload size
- Public API (`/api/v1/users/{username}/heatmap`) remains unchanged
- Heatmap rendering is unchanged, still shows a spinner as before, which
will now spin a litte bit longer.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
