Commit Graph

19 Commits

Author SHA1 Message Date
silverwind 638e4bce09 chore: upgrade go-swagger to v0.35.0 and enforce zero swagger warnings (#38299)
Updates `go-swagger` to v0.35.0 and makes swagger generation and
validation warning-free, with the build now failing on any warning
(`go-swagger` itself exits `0` on warnings).

- Generation passes `--enable-allof-compounding` (keeps `$ref` fields
bare, no spec change) and `--skip-enum-desc` (drops the enum description
that duplicates `x-go-enum-desc` and was the only source of `allOf`
noise in the OpenAPI 3.0 output).
- Fixed warnings at the source: dropped `swagger:strfmt` where it
conflicts with `required: true` (`required` kept, `time.Time` still maps
to `date-time`), fixed a malformed `units_map` example, moved the
`parameterBodies` injection hack to `swagger:parameters`, and removed
unused responses.

Fixes: https://github.com/go-gitea/gitea/issues/12508

---------

Co-authored-by: bircni <bircni@icloud.com>
2026-07-01 21:07:34 +00:00
Zettat123 f46c9a9769 feat(actions): support owner-level and global scoped workflows (#38154)
## Summary

This PR adds **scoped workflows** to Gitea Actions. Workflows defined
centrally in a "source" repository that automatically run on every
repository in scope: an organization's repositories, or (for instance
admins) every repository on the instance. Each scoped run executes in
the consuming repository's own context (its runners, secrets, and
branch) while its content is read from the source repository, so an org
or instance can mandate shared CI across many repositories without
copying workflow files into each one.

An owner or instance admin registers source repositories on a settings
page and can mark individual workflows as **required**. A required
scoped workflow cannot be opted out by a consuming repository and gates
its pull-request merges; an optional one can be disabled per repository.
Scoped workflows live under a dedicated `SCOPED_WORKFLOW_DIRS` (default
`.gitea/scoped_workflows`), kept separate from regular `WORKFLOW_DIRS`.

## Main changes

### Configuration 
New `SCOPED_WORKFLOW_DIRS` setting, validated to not overlap with
`WORKFLOW_DIRS`. Default: `.gitea/scoped_workflows`

### Data model & migration
- New `action_scoped_workflow_source` table mapping a registering owner
(`owner_id`, where `0` = instance-level) to a source repository, with a
per-workflow `WorkflowConfigs` map.
- `ActionRun` gains `WorkflowRepoID` / `WorkflowCommitSHA` (the pinned
content source) and an `IsScopedRun` flag.

###  Detection & run creation
On consumer events, scoped workflows from the effective sources (the
owner's own sources plus instance-level ones) are matched and turned
into runs that execute in the consumer's context, with content pinned to
the source repo's default-branch commit.

`on: workflow_run` and `on: schedule` are currently not supported.

###  Opt-out
A consuming repository can disable an optional scoped workflow (tracked
separately from regular `DisabledWorkflows`); required scoped workflows
can never be disabled, opted out, or bypassed.

###  Commit status 
A scoped run's status context format is `"<source repo full name>:
<workflow display name> / <job> (<event>)"`
(for example: `my-org/scoped-workflows: db-tests / test-sqlite
(pull_request)`),
keeping it distinct from a same-named repo-level workflow and from other
sources.

###  Required status checks
Admins mark workflows required and supply status-check patterns.
`EffectiveRequiredContexts` appends those patterns to the branch
protection's required contexts and they are matched
must-present-and-pass. If the status checks from scoped workflows fail,
the PR cannot be merged.

NOTE: scoped workflows' required status checks patterns can protect any
target branch that has a protection rule, even though the rule's "Status
Check" is disabled. A target branch with no protection rule cannot be
protected.

<details>
  <summary>Screenshots</summary>

<img width="1400" alt="image"
src="https://github.com/user-attachments/assets/a5d1db33-15ec-487e-93be-2bc04b4e6643"
/>

</details>


###  Reusable workflows (`uses:`)
A scoped workflow's local `uses: ./...` resolves against the source
repository. `uses:` directory validation honors the
instance-configurable `WORKFLOW_DIRS` and `SCOPED_WORKFLOW_DIRS`
(previously hardcoded to `.gitea`/`.github/workflows`).

###  Manual dispatch
`workflow_dispatch` is supported for scoped workflows (web and API),
resolving inputs/content from the source repo.

###  Performance
A process-local LRU cache keyed by source repo ID for the per-source
workflow parse, so instance-level and owner-level sources don't open the
source repo and parse workflow files on every event.

### UI
Org / user / admin pages to register and remove sources, search
repositories, and mark workflows required with their status-check
patterns. The repository Actions sidebar groups scoped workflows by
source with owner/instance labels and required/disabled badges.

<details>
  <summary>Screenshots</summary>

Scoped workflows setting page:

<img width="1600" alt="image"
src="https://github.com/user-attachments/assets/9d19f667-97a5-4935-92b2-e53f105e3642"
/>


Consumer repo's Actions runs list:

<img width="1600" alt="image"
src="https://github.com/user-attachments/assets/a77241f9-0aa9-41aa-ba73-12a9a688cb64"
/>

- `Owner`: this is a owner-level scoped workflows source repo
- `Global`: this is a global scoped workflows source repo
- `Required`: this scoped workflow is required, repo admin cannot
disable it

</details>

---

Docs: https://gitea.com/gitea/docs/pulls/447

---------

Co-authored-by: bircni <bircni@icloud.com>
2026-06-28 09:31:35 +00:00
Eyüp Can Akman ef927f9fa3 feat(api): support ref suffixes in compare (#38148)
Compare API requests with a `^` or `~N` revision suffix (for example
`compare/main...feature^`) were rejected with `400 Unsupported
comparison syntax: ref with suffix`. The fix resolves the suffix to a
commit before comparing, so `base...head^` and `~N` work on either side,
the same as git.

Only `^`/`~N` navigation is resolved. Pull request creation still
requires plain branch refs, and the web compare page keeps rejecting
suffixes since its branch selectors need separate UI work.

Closes #33943
2026-06-24 05:38:02 +00:00
Rafail Giavrimis 052feee34a feat: add raw diff/patch endpoint for repository comparisons (#37632)
## Summary

Adds `GET
/repos/{owner}/{repo}/compare/{basehead}.{diffType:diff|patch}`,
mirroring the existing `/git/commits/{sha}.{diffType}` endpoint but for
comparisons between two arbitrary refs.

The new endpoint streams a raw unified diff or `git format-patch` output
between any two refs:

GET /repos/{owner}/{repo}/compare/main...feature.diff
GET /repos/{owner}/{repo}/compare/v1.0..v1.1.patch
GET /repos/{owner}/{repo}/compare/abc1234...def5678.diff

Resolves #5561, #13416 and #17165.

AI was used while creating this PR. Automated tests were added as per
the contribution policy.

---------

Co-authored-by: bircni <bircni@icloud.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 09:37:15 -07:00
bircni 55250407dd feat(org): add team visibility so org members can discover teams (#37680)
Closes #37670.

Today, org members in Gitea only see teams they're a member of. In
larger orgs that hurts onboarding and discoverability — there's no way
to look up which team owns what without asking around. GitHub solves
this with a per-team visibility setting; this PR brings the same model
to Gitea.

## What changes

- Every team gets a `visibility` setting:
- `private` *(default)* — only team members and org owners can see the
team. Same as today's behavior.
- `limited` — listable by any member of the organization. Members and
the repos the team has access to are visible too. Non-org-members still
see nothing.
  - `public` — listable by any signed-in user.
- The Owners team visibility is fixed and cannot be changed via
settings.
- Existing teams default to `private`, so this is a no-op for anyone who
doesn't change anything.

## API

- `Team`, `CreateTeamOption`, `EditTeamOption` all gain a `visibility`
field (string enum: `private` | `limited` | `public`).
- `GET /orgs/{org}/teams` and `/orgs/{org}/teams/search` now apply the
same visibility rules as the web UI:
  - site admins and org owners still see every team
- other org members see their own teams plus any `limited` or `public`
team
  - `private` teams are no longer leaked through these endpoints
- Swagger/OpenAPI specs regenerated.

## UI

View from admin2 (not an owner):
<img width="1669" height="726"
src="https://github.com/user-attachments/assets/daf4bccb-644b-4426-b178-71963aeaf73b"
/>

View from admin (owner):

<img width="2559" height="863"
src="https://github.com/user-attachments/assets/4f22cebc-e9df-4fd2-8ed4-724d31fadb7a"
/>

---------

Signed-off-by: bircni <bircni@icloud.com>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-06-14 19:07:25 +00:00
TheFox0x7 c6167d1ff5 feat(api): add token introspection and self-deletion endpoint (#37995)
Adds a /api/v1/token endpoint that allows tokens to introspect and
delete themselves.
partially fixes: https://github.com/go-gitea/gitea/issues/33583

Assisted-by: Mistral Vibe:mistral-medium-3.5

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-06-14 20:05:18 +02:00
bn-zr fefb6f3219 feat(api): Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs (#37196)
- Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs
endpoint, matching the
https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2026-03-10#list-workflow-runs-for-a-workflow

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: bircni <bircni@icloud.com>
2026-06-11 17:12:30 +00:00
Lunny Xiao 49a0d19fa3 feat(api): Add assignees APIs (#37330)
Follow
https://docs.github.com/en/enterprise-server@3.20/rest/issues/assignees?apiVersion=2022-11-28

Fix #33576 

And it also fixed some possible dead-lock problem.

---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
2026-06-09 06:12:09 +00:00
Giteabot 60abea17a2 chore(deps): update module github.com/go-swagger/go-swagger to v0.34.0 (#38028)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/go-swagger/go-swagger](https://redirect.github.com/go-swagger/go-swagger)
| `v0.33.2` → `v0.34.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-swagger%2fgo-swagger/v0.34.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-swagger%2fgo-swagger/v0.33.2/v0.34.0?slim=true)
|

---

### Release Notes

<details>
<summary>go-swagger/go-swagger
(github.com/go-swagger/go-swagger)</summary>

###
[`v0.34.0`](https://redirect.github.com/go-swagger/go-swagger/releases/tag/v0.34.0)

[Compare
Source](https://redirect.github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0)

go-swagger release 0.34.0

***

Released on 2026 May 29

#####
[0.34.0](https://redirect.github.com/go-swagger/go-swagger/tree/v0.34.0)
- 2026-05-28

Major refactoring. Focus on improving runtime (e.g.generated client) and
codescan (e.g. generated spec).

**Full Changelog**:
<https://github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0>

42 commits in this release.

***

##### <!-- 00 -->Implemented enhancements

- feat(client): added method to configure client-side custom
producers/consumers by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3351](https://redirect.github.com/go-swagger/go-swagger/pull/3351)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/4068f65b0403f90092e78269f89ef7cb26d6eb2f)

##### <!-- 01 -->Fixed bugs

- fix(client): moved internal fields in generated Params (timeout,
Context) to their own struct. by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3349](https://redirect.github.com/go-swagger/go-swagger/pull/3349)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/a81068f5d52d4b560654f8e17748b6a79ec1425e)
- fix(client): added operation with context to client interface. by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3348](https://redirect.github.com/go-swagger/go-swagger/pull/3348)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/d5e5d3020b83f4a9b895ae31a93cb121f989e4a6)
- fix(codescan): upgraded codescan for swagger generate spec. by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3347](https://redirect.github.com/go-swagger/go-swagger/pull/3347)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/971f2aa56ad48d927ab9d21de794edf1c43d22b7)
- fix(client): generated client uses more idiomatic SubmitContext by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3342](https://redirect.github.com/go-swagger/go-swagger/pull/3342)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/01d8f1358f8ab94c4b7c3a1caf50e1d0b11b26c6)
- fix: adapted to runtime v0.32.x by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3341](https://redirect.github.com/go-swagger/go-swagger/pull/3341)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/ba25bfa2cc0822973d9f48f5976721ffc8c499fc)
- fix: handle operator characters in enum constants (fixes
[#&#8203;1047](https://redirect.github.com/go-swagger/go-swagger/issues/1047))
by [@&#8203;Abzaek](https://redirect.github.com/Abzaek) in
[#&#8203;3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/4856feb230eba01352d2bb310f03b26827d34a5e)

##### <!-- 02 -->Refactor

- refact(codegen): more concise server binding of form parameters. by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3339](https://redirect.github.com/go-swagger/go-swagger/pull/3339)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/036e31515a687b8a237bcf2d938a7ae36dc55fd1)
- refact(generator): split template repository, funcmaps and langage by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3316](https://redirect.github.com/go-swagger/go-swagger/pull/3316)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/4d659c0b5e0724cb78b413a564619792fe4dd23e)

##### <!-- 03 -->Documentation

- doc: announcements before cutting v0.34.0 by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3352](https://redirect.github.com/go-swagger/go-swagger/pull/3352)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/9b15dfe858b6b20747fb24b672707ee817481f11)
- doc(faq): added explanations about why mixin can't support yaml
anchors by [@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3340](https://redirect.github.com/go-swagger/go-swagger/pull/3340)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/0dd20f7852a35f3ebf4ea552cef66ae7296801a2)
- codegen(cli): fixed missing dependencies in CLI doc template by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3309](https://redirect.github.com/go-swagger/go-swagger/pull/3309)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/b1cc87b266a8351b4fc4534d5116c11a1daadbc1)

##### <!-- 05 -->Code quality

- chore: move generated code to use the new swag api. by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3336](https://redirect.github.com/go-swagger/go-swagger/pull/3336)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/ba47cff06d55b38579a1f2e34a2e4e8691dd90b0)
- chore(generator): migrated to the new go-openapi/swag api. by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3335](https://redirect.github.com/go-swagger/go-swagger/pull/3335)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/83bced44f9c028141dd698838da0e5409d0ed49b)
- chore(lint): relint code base (pass 1) by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3331](https://redirect.github.com/go-swagger/go-swagger/pull/3331)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/8a020f05985758bcb2535e36984ab03c62109fed)
- ci: reenact linting (was temporarily disabled to swallow large diffs)
by [@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3304](https://redirect.github.com/go-swagger/go-swagger/pull/3304)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/8cd187ba00b80a021c0493e55906b6835a985458)
- doc: post-release by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3302](https://redirect.github.com/go-swagger/go-swagger/pull/3302)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/746308f71fe2d5e722b151a0ede49f84ecfaa3ea)

##### <!-- 07 -->Miscellaneous tasks

- test: fix fake flaky test reporting by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3350](https://redirect.github.com/go-swagger/go-swagger/pull/3350)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/747db03403e881e53baecd5c2f40a074e15697bf)
- ci: drop peter-evans sign-commits to avoid per-file API uploads by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3346](https://redirect.github.com/go-swagger/go-swagger/pull/3346)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/480a0bdbf54484562cef642132b929a9e5c03d4a)
- ci: checkout examples before configuring bot credentials by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3345](https://redirect.github.com/go-swagger/go-swagger/pull/3345)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/6dda1280feee830fadbed93e6c896000fe92acdf)
- ci: fix cross-workflow artifact download permission by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3344](https://redirect.github.com/go-swagger/go-swagger/pull/3344)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/5981d75858c489b8f82974c47f7fa7089deb66d2)
- ci: fix examples regeneration auto-PR by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3343](https://redirect.github.com/go-swagger/go-swagger/pull/3343)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/f50d895b3a304b8a0657a4e8612fc53e6ff370dc)
- chore(diff): moved cmd/swagger/commands/diff to its own package by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3308](https://redirect.github.com/go-swagger/go-swagger/pull/3308)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/6e059188a45c84e64591b7cb915f4205d6f7a8a1)
- chore(codescan): moved the codescan package in a separate repo by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3307](https://redirect.github.com/go-swagger/go-swagger/pull/3307)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/eeca5fc9ff118d7be5d76d52855a082b04f13d91)
- ci: added workflow to regen examples and push the changes to the exam…
by [@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3305](https://redirect.github.com/go-swagger/go-swagger/pull/3305)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/9203e37e731b131c5d89a78209d549960b7c0a1c)

##### <!-- 08 -->Security

- docs: add comprehensive documentation for API Browser (issue
[#&#8203;2401](https://redirect.github.com/go-swagger/go-swagger/issues/2401))
by [@&#8203;dashitongzhi](https://redirect.github.com/dashitongzhi) in
[#&#8203;3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/b594d144ef999cb830cc9cb32d1c3617d5d93a36)
- ci: enhanced regen examples workflow by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3306](https://redirect.github.com/go-swagger/go-swagger/pull/3306)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/e1c611ed9e0739d0395b8e08922ddfb48a6e257d)
- doc: move examples by
[@&#8203;fredbi](https://redirect.github.com/fredbi) in
[#&#8203;3303](https://redirect.github.com/go-swagger/go-swagger/pull/3303)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/c32e2d574a1272c97c18aaddbeed294f62fdca31)

##### <!-- 0A -->Updates

- chore(deps): bump the development-dependencies group with 10 updates
by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3337](https://redirect.github.com/go-swagger/go-swagger/pull/3337)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/9f68bcccf8a6ab943fa954764e749bd8e3b67684)
- chore(deps): bump the development-dependencies group with 2 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3329](https://redirect.github.com/go-swagger/go-swagger/pull/3329)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/9286ac262e487f54fbeea64798790b463f27a7cc)
- chore(deps): bump golang from `f853308` to `91eda97` in the
development-dependencies group across 1 directory by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3328](https://redirect.github.com/go-swagger/go-swagger/pull/3328)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/a4f355cfded251a4d9fc4a3f06b0aed72314c2a4)
- chore(deps): bump the development-dependencies group with 4 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3327](https://redirect.github.com/go-swagger/go-swagger/pull/3327)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/1078819e42db2fdf56b7fd724f911b5b32f0ed42)
- chore(deps): bump the development-dependencies group with 3 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3326](https://redirect.github.com/go-swagger/go-swagger/pull/3326)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/e4b5c8fe1fe5869e2da495e9e363032cfee9b85f)
- chore(deps): bump the development-dependencies group with 5 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3325](https://redirect.github.com/go-swagger/go-swagger/pull/3325)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/30da59f48a8baf6a04a667191355c5aacbb1f6f1)
- chore(deps): bump golang from `27f8293` to `f853308` in the
development-dependencies group across 1 directory by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3324](https://redirect.github.com/go-swagger/go-swagger/pull/3324)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/faffaccee8fc0843fa35ce757b19643b15b20551)
- chore(deps): bump the development-dependencies group with 6 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3323](https://redirect.github.com/go-swagger/go-swagger/pull/3323)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/5bbf90b257203d40a28d40d68f38411b0b0ab06e)
- chore(deps): bump golang from `c2a1f7b` to `27f8293` in the
development-dependencies group across 1 directory by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3322](https://redirect.github.com/go-swagger/go-swagger/pull/3322)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/d25d6f2da06f02c38565d2bed1a4c45c41b4b539)
- chore(deps): bump the development-dependencies group with 2 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3321](https://redirect.github.com/go-swagger/go-swagger/pull/3321)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/cedb38213dc4bfeb6c6f2fccb0211e596c777faf)
- chore(deps): bump golang from `2389ebf` to `c2a1f7b` in the
development-dependencies group across 1 directory by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3320](https://redirect.github.com/go-swagger/go-swagger/pull/3320)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/3815953bf63523fd72c9f9dad337f3d7990fd7bd)
- chore(deps): bump the development-dependencies group with 4 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3318](https://redirect.github.com/go-swagger/go-swagger/pull/3318)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/126ceeb6180966caba0429435d94b0fb1a1e8c14)
- chore(deps): bump the development-dependencies group with 6 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3317](https://redirect.github.com/go-swagger/go-swagger/pull/3317)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/af43211eec84e29e817f3e990cf8084fb45ebec0)
- chore(deps): bump the development-dependencies group with 4 updates by
[@&#8203;dependabot\[bot\]](https://redirect.github.com/dependabot\[bot])
in
[#&#8203;3315](https://redirect.github.com/go-swagger/go-swagger/pull/3315)
[...](https://redirect.github.com/go-swagger/go-swagger/commit/0f32c03e4982ed564cfd9d9593a4cfa1c1304d40)

***

##### People who contributed to this release

- [@&#8203;Abzaek](https://redirect.github.com/Abzaek)
- [@&#8203;dashitongzhi](https://redirect.github.com/dashitongzhi)
- [@&#8203;fredbi](https://redirect.github.com/fredbi)

***

##### New Contributors

- [@&#8203;dashitongzhi](https://redirect.github.com/dashitongzhi) made
their first contribution
in
[#&#8203;3338](https://redirect.github.com/go-swagger/go-swagger/pull/3338)
- [@&#8203;Abzaek](https://redirect.github.com/Abzaek) made their first
contribution
in
[#&#8203;3330](https://redirect.github.com/go-swagger/go-swagger/pull/3330)

***

**[go-swagger](https://redirect.github.com/go-swagger/go-swagger)
license terms**

[![License][license-badge]][license-url]

[license-badge]:
http://img.shields.io/badge/license-Apache%20v2-orange.svg

[license-url]:
https://redirect.github.com/go-swagger/go-swagger/?tab=Apache-2.0-1-ov-file#readme

***

Released by
[GoReleaser](https://redirect.github.com/goreleaser/goreleaser).

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

---------

Co-authored-by: Nicolas <bircni@icloud.com>
2026-06-08 20:41:45 +00:00
Harsh Mahajan 792fa5eeba feat(api): add q parameter to list branches API for server-side filtering (#37982)
The GET /repos/{owner}/{repo}/branches endpoint currently has no way to
filter branches by name server-side, forcing API consumers to paginate
through all branches and filter client-side.

The UI already supports branch search (added in
[#27055](https://github.com/go-gitea/gitea/pull/27055)). The underlying
DB layer has a Keyword field on FindBranchOptions in
models/git/branch_list.go that does a LIKE %keyword% SQL filter, it just
wasn't wired up to the API handler.

This PR exposes a ?q= query parameter on the endpoint that maps to
FindBranchOptions.Keyword.

Example:

```GET /repos/owner/repo/branches?q=feature ```
Closes #37981

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-06-03 16:21:48 -07:00
Lunny Xiao 61b1a39efe chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873) 2026-05-26 15:49:31 -07:00
Mohamed Sekour bf1b54c3e3 fix(api): handle partial failures in push mirror synchronization gracefully (#37782)
This MR fixes an issue in the sync push mirrors endpoint.

Previously, when triggering the synchronization of all push mirrors for
a specific repository, the entire operation would stop if a single
mirror failed for any reason. As a result, the remaining mirrors were
not processed.

With this fix, failures on individual push mirrors no longer abort the
whole synchronization process.

---------

Signed-off-by: Nicolas <bircni@icloud.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-22 09:53:19 +00:00
Nicolas eb93981d45 feat: Add bypass allowlist for branch protection (#36514)
- Introduce a “Bypass Protection Allowlist” on branch rules
(users/teams) alongside admins, with BlockAdminMergeOverride
  still respected.
- Surface the allowlist in API (create/edit options, structs) and
settings UI; merge box now shows the red button +
  message for bypass-capable users.
- Apply bypass logic to merge checks and pre-receive so allowlisted
users can override unmet approvals/status checks/
  protected files when force-merging.
- Add migration for new columns, locale strings, and unit tests (bypass
helper; queue test tweak).

<img width="1069" height="218" alt="image"
src="https://github.com/user-attachments/assets/0b61bc2a-a27f-47f3-a923-613688008e65"
/>


Fixes #36476

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Codex GPT-5.3 <codex@openai.com>
Co-authored-by: GPT-5.2 <noreply@openai.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-16 14:23:42 +00:00
Nicolas 34fd3c9f06 feat: Add default PR branch update style setting (#37410)
Adds repository-level settings for pull request branch updates so admins
can choose the default update method and disable merge or rebase
updates.

<img width="1025" height="158"
src="https://github.com/user-attachments/assets/d030973b-0ddd-4035-b04f-145c445084d7"
/>

---------

Co-authored-by: OpenAI Codex (GPT-5) <codex@openai.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-16 10:06:40 +00:00
Matt Schoen a564f0587a feat(api): add sort and order query parameters to job list endpoints (#37672)
Adds `sort` and `order` query parameters to all action job list API
endpoints (`/admin/actions/jobs`, `/repos/{owner}/{repo}/actions/jobs`,
`/repos/{owner}/{repo}/actions/runs/{run}/jobs`, `/user/actions/jobs`),
following the existing `OrderByMap` pattern used by repo/user search
endpoints.

- Default is `id` / `asc` (backwards compatible — matches previous DB
natural order)
- Only `id` sort field for now; the map is extensible for future fields
- Returns 422 for invalid sort/order values
- `ToOrders()` returns empty string when `OrderBy` is unset, so internal
callers (webhook dispatch, concurrency checks) are unaffected

Closes: #37666
Supersedes: #37667
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
2026-05-13 13:11:02 +00:00
pomidorry 67f86bc3fe feat(api): add last_sync to repository API (#37566)
This PR adds a new repository API field, `mirror_last_sync_at`, to
expose the timestamp of the last successful pull mirror sync.

Unlike `mirror_updated`, this field does not affect mirror scheduling
and is updated only after a successful pull sync. Failed sync attempts
leave the value unchanged.

What changed

- added `mirror_last_sync_at` to the repository API response
- updated pull mirror sync flow to persist the timestamp only on
successful sync
- kept `mirror_updated` behavior unchanged for queue/scheduling purposes

`mirror_updated` is currently tied to mirror queue behavior, so it
cannot safely represent the last successful sync time. The new field
makes that state explicit for API consumers without changing scheduling
semantics.

---------

Signed-off-by: pomidorry <106489913+Pomidorry@users.noreply.github.com>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-05-10 20:07:56 +00:00
pomidorry 02b1b8a549 Add mirror auth updates to repo edit API and settings (#37468)
## Summary

This PR adds support for updating pull mirror authentication via the
repository edit API and UI.

It introduces new mirror authentication fields in _EditRepoOption_,
updates the API logic to safely handle partial credential updates, and
fixes the web settings flow so that the existing remote username is
preserved when only the password is changed.

### What changed
- added _auth_username_, _auth_password_, and _auth_token_ to
EditRepoOption
- updated the repository edit API to apply mirror auth changes via
_updateMirror_
- preserved existing username/password when only part of the auth
payload is provided
- used oauth2 as the default username when _auth_token_ is provided
- kept stored mirror URLs sanitized in DB and API responses
- updated Swagger schema for the new API fields
- added API integration tests for password-only and token-only updates
- added a web settings test to ensure username preservation on partial
updates

## Why

Some use cases require automated synchronization of pull mirrors, for
example in CI/CD pipelines or integrations with external systems.

At the same time, many organizations enforce security policies that
require periodic token rotation (e.g., monthly).

Currently, mirror credentials can only be updated via the UI, which
makes automation difficult.

## This change enables:

- automated token rotation
- avoiding manual updates via the UI
- easier integration with secret management systems
## Testing
- added integration coverage for mirror auth updates via _PATCH
/api/v1/repos/{owner}/{repo}_
- added web settings tests for password-only updates preserving the
existing username

## Result
Ability to automate auth update
<img width="2400" height="1245" alt="1"
src="https://github.com/user-attachments/assets/67fd5cca-9cb3-4536-b0e2-4d09b8ebff0f"
/>
<img width="962" height="932" alt="image"
src="https://github.com/user-attachments/assets/5d548f5d-aadf-4807-ba52-9c29df93a4cc"
/>

Generative AI was used to help with making this PR.
##
2026-05-01 11:00:03 +00:00
Icy Avocado 81692ceafa Allow multiple projects per issue and pull requests (#36784)
Add ability to add and remove multiple projects per issue
and pull request.

Resolve #12974

---------

Signed-off-by: Icy Avocado <avocado@ovacoda.com>
Co-authored-by: Tyrone Yeh <siryeh@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: OpenCode (gpt-5.2-codex) <opencode@openai.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-04-30 22:38:05 +08:00
Myers Carpenter 9e031eb3df Serve OpenAPI 3.0 spec at /openapi.v1.json (#37038)
Add a build-time conversion step that transforms the existing Swagger
2.0 spec into an OpenAPI 3.0 spec. The OAS3 spec is served alongside the
existing Swagger 2.0 spec, enabling API clients that require OAS3 to
generate code directly from Gitea's API.

This is not to be an answer to how gitea handles OAS3 long term,
but a way to use what we have to move a step forward.

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-04-29 20:47:52 +08:00