test: run TestAPIRepoMigrate offline via a local clone source (#37817)

`TestAPIRepoMigrate` migrated from
`https://github.com/go-gitea/test_repo.git`, so it required internet
access, was slow, and could hit GitHub rate limits.

It now clones a local fixture repo (`user2/repo1`) served by the
`onGiteaRun` test server, split into two subtests:

- `Permitted` (`AllowLocalNetworks=true`) — the success/permission
cases, cloning the local repo.
- `DisallowedHost` (`AllowLocalNetworks=false`) — the private-IP
rejection cases.

The split is needed because those two settings are mutually exclusive.
The clone address is built from the live listener (`u`) so it can't
drift from the bound host/port. The permission matrix and
disallowed-host assertions are unchanged.

Test is now roughly 2.5 times as fast with while asserting the same as
before without a GitHub dependency.

---
This PR was written with the help of Claude Opus 4.7

Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>

tests/integration/api_repo_test.go

@@ -351,48 +351,52 @@ func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
 }
 
 func TestAPIRepoMigrate(t *testing.T) {
-	testCases := []struct {
-		ctxUserID, userID  int64
-		cloneURL, repoName string
-		expectedStatus     int
-	}{
-		{ctxUserID: 1, userID: 2, cloneURL: "https://github.com/go-gitea/test_repo.git", repoName: "git-admin", expectedStatus: http.StatusCreated},
-		{ctxUserID: 2, userID: 2, cloneURL: "https://github.com/go-gitea/test_repo.git", repoName: "git-own", expectedStatus: http.StatusCreated},
-		{ctxUserID: 2, userID: 1, cloneURL: "https://github.com/go-gitea/test_repo.git", repoName: "git-bad", expectedStatus: http.StatusForbidden},
-		{ctxUserID: 2, userID: 3, cloneURL: "https://github.com/go-gitea/test_repo.git", repoName: "git-org", expectedStatus: http.StatusCreated},
-		{ctxUserID: 2, userID: 6, cloneURL: "https://github.com/go-gitea/test_repo.git", repoName: "git-bad-org", expectedStatus: http.StatusForbidden},
-		{ctxUserID: 2, userID: 3, cloneURL: "https://localhost:3000/user/test_repo.git", repoName: "private-ip", expectedStatus: http.StatusUnprocessableEntity},
-		{ctxUserID: 2, userID: 3, cloneURL: "https://10.0.0.1/user/test_repo.git", repoName: "private-ip", expectedStatus: http.StatusUnprocessableEntity},
-	}
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		// migrate from a local fixture repo (user2/repo1) via the live listener so the test runs offline
+		repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		cloneAddr := fmt.Sprintf("%s%s/%s.git", u.String(), repo1.OwnerName, repo1.Name)
 
-	defer tests.PrepareTestEnv(t)()
-	defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, false)()
-	require.NoError(t, migrations.Init())
-
-	for _, testCase := range testCases {
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
-		session := loginUser(t, user.Name)
-		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOptions{
-			CloneAddr:   testCase.cloneURL,
-			RepoOwnerID: testCase.userID,
-			RepoName:    testCase.repoName,
-		}).AddTokenAuth(token)
-		resp := MakeRequest(t, req, NoExpectedStatus)
-		if resp.Code == http.StatusUnprocessableEntity {
-			respJSON := DecodeJSON(t, resp, map[string]string{})
-			switch respJSON["message"] {
-			case "Remote visit addressed rate limitation.":
-				t.Log("test hit github rate limitation")
-			case "You can not import from disallowed hosts.":
-				assert.Equal(t, "private-ip", testCase.repoName)
-			default:
-				assert.FailNow(t, "unexpected error", "unexpected error '%v' on url '%s'", respJSON["message"], testCase.cloneURL)
+		t.Run("Permitted", func(t *testing.T) {
+			// migrations.Init builds the host allowlist from AllowLocalNetworks, so set it first
+			defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, true)()
+			require.NoError(t, migrations.Init())
+			for _, testCase := range []struct {
+				ctxUserID, ownerID int64
+				repoName           string
+				expectedStatus     int
+			}{
+				{ctxUserID: 1, ownerID: 2, repoName: "git-admin", expectedStatus: http.StatusCreated},
+				{ctxUserID: 2, ownerID: 2, repoName: "git-own", expectedStatus: http.StatusCreated},
+				{ctxUserID: 2, ownerID: 1, repoName: "git-bad", expectedStatus: http.StatusForbidden},
+				{ctxUserID: 2, ownerID: 3, repoName: "git-org", expectedStatus: http.StatusCreated},
+				{ctxUserID: 2, ownerID: 6, repoName: "git-bad-org", expectedStatus: http.StatusForbidden},
+			} {
+				user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
+				token := getTokenForLoggedInUser(t, loginUser(t, user.Name), auth_model.AccessTokenScopeWriteRepository)
+				req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOptions{
+					CloneAddr:   cloneAddr,
+					RepoOwnerID: testCase.ownerID,
+					RepoName:    testCase.repoName,
+				}).AddTokenAuth(token)
+				MakeRequest(t, req, testCase.expectedStatus)
 			}
-		} else {
-			assert.Equal(t, testCase.expectedStatus, resp.Code)
-		}
-	}
+		})
+
+		t.Run("DisallowedHost", func(t *testing.T) {
+			defer test.MockVariableValue(&setting.Migrations.AllowLocalNetworks, false)()
+			require.NoError(t, migrations.Init())
+			token := getTokenForLoggedInUser(t, loginUser(t, "user2"), auth_model.AccessTokenScopeWriteRepository)
+			for _, cloneURL := range []string{"https://localhost:3000/user/test_repo.git", "https://10.0.0.1/user/test_repo.git"} {
+				req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOptions{
+					CloneAddr:   cloneURL,
+					RepoOwnerID: 3,
+					RepoName:    "private-ip",
+				}).AddTokenAuth(token)
+				resp := MakeRequest(t, req, http.StatusUnprocessableEntity)
+				assert.Equal(t, "You can not import from disallowed hosts.", DecodeJSON(t, resp, map[string]string{})["message"])
+			}
+		})
+	})
 }
 
 func TestAPIRepoMigrateConflict(t *testing.T) {