mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-10 23:41:21 +09:00
3d2bbd25ecca4525183ea0984c769a6acea353a4
21078 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
3d2bbd25ec | [skip ci] Updated translations via Crowdin | ||
|
|
7745720292 |
feat: extend <video> tag allowed attributes (#38279)
autoplay is useless nowadays without "muted" as browsers won't autoplay unmuted videos. Similarly, other attributes are also commonly used and harmless to keep. <!-- Before submitting: - Target the `main` branch; release branches are for backports only. - Use a Conventional Commits title, e.g. `fix(repo): handle empty branch names`. - Read the contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md - Documentation changes go to https://gitea.com/gitea/docs Describe your change below and link any issue it fixes. --> --------- Signed-off-by: Avinash Thakur <19588421+80avin@users.noreply.github.com> |
||
|
|
d46d0540d0 |
fix(actions): include all aggregable run statuses in status filter (#38280)
The **Status** filter dropdown on the repository Actions run list does not let you filter for **Blocked** runs (nor **Cancelled** or **Skipped**). These statuses are missing from the dropdown even though a run can legitimately end up in any of them. A run's status is computed by `aggregateJobStatus`, which can return `Blocked`, `Cancelled` and `Skipped`. Because the filter dropdown only offered Success, Failure, Waiting, Running and Cancelling, runs in those other states existed but were impossible to filter for. |
||
|
|
e449018730 |
non-shallow clone for snapcraft
Signed-off-by: techknowlogick <techknowlogick@gitea.com> |
||
|
|
e1cdb71845 |
fix(archiver): use serializable repo-archive queue payload (#38273)
After upgrading from 1.25.x to 1.26.x, `repo-archive` workers can fail to unmarshal queued items: ``` Failed to unmarshal item from queue "repo-archive": json: unable to unmarshal into Go convert.Conversion within "/Repo/Units/0/Config": cannot derive concrete type for nil interface with finite type set ``` `ArchiveRequest` started embedding `*repo_model.Repository` in 1.26, which does not round-trip through the JSON queue. This change stores a minimal `archiveQueueItem` (`RepoID`, `Type`, `CommitID`, `Paths`) in `repo-archive` and loads the repository in the worker. `UnmarshalJSON` accepts legacy payloads that used `RepoID` or embedded `Repo.id`. Fixes #38272 <!-- Before submitting: - Target the `main` branch; release branches are for backports only. - Use a Conventional Commits title, e.g. `fix(repo): handle empty branch names`. - Read the contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md - Documentation changes go to https://gitea.com/gitea/docs Describe your change below and link any issue it fixes. --> --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
a64131e22d |
chore: update eslint plugins and config (#38264)
1. Bump all eslint dependencies, enable some of the new unicorn rules 2. Remove `eslint-plugin-de-morgan`, it sometimes causes readability issues 3. Disable some of the unicorn rules that are known to produce false-positives 4. Remove obsolete type cast 5. Fix one violation of https://github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/prefer-dom-node-replace-children.md --------- Signed-off-by: silverwind <me@silverwind.io> |
||
|
|
0f0a38c1b9 | [skip ci] Updated translations via Crowdin | ||
|
|
535f791166 |
ci: regenerate codemirror languages on renovate npm updates (#38267)
Adds `make generate-codemirror-languages` to the npm group's `postUpgradeTasks` in `renovate.json5`, so renovate regenerates `assets/codemirror-languages.json` whenever `@codemirror/language-data` (or any npm dep) updates — mirroring the existing `make svg` handling. Also reformats the `fileFilters` arrays multi-line and regenerates the asset to pick up current upstream linguist languages. |
||
|
|
b34a09be38 |
build: fix snapcraft release (#38260)
Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <me@silverwind.io> |
||
|
|
6f2e328c85 |
chore(deps): update dependency js-yaml to v5 (#38262)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.2.0` → `5.1.0`](https://renovatebot.com/diffs/npm/js-yaml/4.2.0/5.1.0) |  |  | --- ### Release Notes <details> <summary>nodeca/js-yaml (js-yaml)</summary> ### [`v5.1.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#510---2026-06-23) [Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/5.0.0...5.1.0) ##### Added - Collection tags can finalize an incrementally populated carrier into a different result value. ##### Changed - \[breaking] `quoteStyle` now selects the preferred quote style; use the restored `forceQuotes` option to force quoting non-key strings. ### [`v5.0.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#500---2026-06-20) [Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/4.3.0...5.0.0) ##### Added - Added named exports for schemas, tags, parser events and AST utilities. - Reworked `JSON_SCHEMA` and `CORE_SCHEMA` with spec-compliant scalar resolution rules, and added `YAML11_SCHEMA`. - Added `realMapTag` for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them. - Added `dump()` `transform` option for changing the generated AST before rendering. - Added `dump()` options `seqInlineFirst`, `flowBracketPadding`, `flowSkipCommaSpace`, `flowSkipColonSpace`, `quoteFlowKeys`, `quoteStyle` and `tagBeforeAnchor`. - Added formal data layers (events and AST) for modular data pipelines. - Added low-level parser (to events), presenter and visitor APIs. - Added the [YAML Test Suite](https://redirect.github.com/yaml/yaml-test-suite) to the test set. ##### Changed - See the [migration guide](docs/migrate_v4_to_v5.md) for upgrade notes. - Rewritten in TypeScript and reorganized the public API around flat named exports. - Reduced the set of exported schemas: - YAML 1.2 schemas: `CORE_SCHEMA` (loader default), `JSON_SCHEMA`, `FAILSAFE_SCHEMA`. - `YAML11_SCHEMA`, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types"). - `load`/`dump` default behaviour is now specified exactly via schemas: - `load` uses `CORE_SCHEMA`, without `!!merge` by default. - `dump` uses `YAML11_SCHEMA` + `CORE_SCHEMA` for the quoting check, to guarantee backward compatibility by default. - `!!set` is now loaded as a JavaScript `Set`. - Replaced the `Type` API with a tags API. Similar, but more precise and simpler. See examples for details. Tags can be defined via `defineScalarTag()`, `defineSequenceTag()` and `defineMappingTag()`, or as a spread + override of an existing tag. - Renamed `Schema.extend()` to `Schema.withTags()`. - Expanded YAML 1.2 conformance and improved handling of directives, document markers, block keys, multiline scalars, tag syntax and other things. - `load()` now throws on empty input instead of returning `undefined`. - Moved browser builds to the `js-yaml/browser` export. - Deprecated the `loadAll` signature with an iterator (still works, but is a candidate for removal). ##### Removed - Removed deprecated `safeLoad()`, `safeLoadAll()` and `safeDump()` exports. - Removed `DEFAULT_SCHEMA` and the nested `types` export. - Removed loader options `onWarning`, `legacy` and `listener`. - Removed dumper options `styles`, `replacer`, `noCompatMode`, `condenseFlow`, `quotingType` and `forceQuotes`. Renamed `noArrayIndent` to `seqNoIndent`. Formatting and representation are now configured through presenter options, schemas and tag definitions. See migration guide on how to replace. - Removed support for importing internal files from `lib/`. ### [`v4.3.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#430-3150---2026-06-27) [Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/4.2.0...4.3.0) ##### Security - Backported `maxTotalMergeKeys` option. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> |
||
|
|
55983320ed |
chore(deps): update actions/cache action to v6 (#38261)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/cache](https://redirect.github.com/actions/cache) | action | major | `v5.0.5` → `v6.1.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/37531) for more information. --- ### Release Notes <details> <summary>actions/cache (actions/cache)</summary> ### [`v6.1.0`](https://redirect.github.com/actions/cache/releases/tag/v6.1.0) [Compare Source](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.1.0) ##### What's Changed - Bump [@​actions/cache](https://redirect.github.com/actions/cache) to v6.1.0 - handle read-only cache access by [@​jasongin](https://redirect.github.com/jasongin) in [#​1768](https://redirect.github.com/actions/cache/pull/1768) **Full Changelog**: <https://github.com/actions/cache/compare/v6...v6.1.0> ### [`v6`](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.0.0) [Compare Source](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.0.0) ### [`v6.0.0`](https://redirect.github.com/actions/cache/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/actions/cache/compare/v5.1.0...v6.0.0) ##### What's Changed - Update packages, migrate to ESM by [@​Samirat](https://redirect.github.com/Samirat) in [#​1760](https://redirect.github.com/actions/cache/pull/1760) **Full Changelog**: <https://github.com/actions/cache/compare/v5...v6.0.0> ### [`v5.1.0`](https://redirect.github.com/actions/cache/releases/tag/v5.1.0) [Compare Source](https://redirect.github.com/actions/cache/compare/v5.0.5...v5.1.0) ##### What's Changed - Bump [@​actions/cache](https://redirect.github.com/actions/cache) to v5.1.0 - handle read-only cache access by [@​jasongin](https://redirect.github.com/jasongin) in [#​1775](https://redirect.github.com/actions/cache/pull/1775) **Full Changelog**: <https://github.com/actions/cache/compare/v5...v5.1.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
6ae42ca9c4 |
fix(deps): update module gitlab.com/gitlab-org/api/client-go/v2 to v2.42.0 (#38266)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.40.1` → `v2.42.0` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/37531) for more information. --- ### Release Notes <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.42.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.42.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.41.0...v2.42.0) #### 2.42.0 ##### 🚀 Features - Add missing fields to project level jira integration ([!2925](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2925)) by [Heidi Berry](https://gitlab.com/heidi.berry) ### [2.42.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.41.0...v2.42.0) (2026-06-24) ### [`v2.41.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.41.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.40.1...v2.41.0) #### 2.41.0 ##### 🚀 Features - Add missing attributes and endpoints to group ([!2905](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2905)) by [Jimmy Spagnola](https://gitlab.com/jspagnola) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.5.3 ([!2924](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2924)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.41.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.40.1...v2.41.0) (2026-06-23) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->v1.28.0-dev |
||
|
|
5e5f5f3116 |
fix(deps): update go dependencies (#38194)
Update go deps and fix discovered issues Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
4ce63a1d57 |
chore: various UI problems (#38263)
1. fix dirty "list" styles for "githooks" and "webhooks" 2. fix git hook edit page layout 3. fix codemirror editor styles 4. fix incorrect "ui attached header" width |
||
|
|
07b18467c0 |
fix: update npm dependencies, fix misc issues (#38257)
Update all npm dependencies and fix discovered issues. Co-authored-by: bircni <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
e68ee61879 |
chore(deps): update action dependencies (#38258)
This PR contains the following updates: | Package | Type | Update | Change | Pending | |---|---|---|---|---| | [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v6.4.0` → `v6.5.0` | | | [go-gitea/giteabot](https://redirect.github.com/go-gitea/giteabot) | action | patch | `v1.0.3` → `v1.0.4` | | | redis | service | digest | `a505f8b` → `c904002` | | | [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | patch | `v46.1.15` → `v46.1.16` | `v46.1.17` | --- ### Release Notes <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v6.5.0`](https://redirect.github.com/actions/setup-go/releases/tag/v6.5.0) [Compare Source](https://redirect.github.com/actions/setup-go/compare/v6.4.0...v6.5.0) ##### What's Changed ##### Dependency update - Upgrade actions dependencies by [@​priyagupta108](https://redirect.github.com/priyagupta108) with [@​Copilot](https://redirect.github.com/Copilot) in [#​744](https://redirect.github.com/actions/setup-go/pull/744) - Upgrade [@​types/node](https://redirect.github.com/types/node) and typescript-eslint dependencies to resolve npm audit findings by [@​HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) in [#​755](https://redirect.github.com/actions/setup-go/pull/755) - Upgrade [@​actions/cache](https://redirect.github.com/actions/cache) to 5.1.0, log cache write denied by [@​jasongin](https://redirect.github.com/jasongin) in [#​758](https://redirect.github.com/actions/setup-go/pull/758) - Upgrade version to 6.5.0 in package.json and package-lock.json by [@​HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) in [#​762](https://redirect.github.com/actions/setup-go/pull/762) ##### New Contributors - [@​priyagupta108](https://redirect.github.com/priyagupta108) with [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​744](https://redirect.github.com/actions/setup-go/pull/744) - [@​jasongin](https://redirect.github.com/jasongin) made their first contribution in [#​758](https://redirect.github.com/actions/setup-go/pull/758) **Full Changelog**: <https://github.com/actions/setup-go/compare/v6...v6.5.0> </details> <details> <summary>go-gitea/giteabot (go-gitea/giteabot)</summary> ### [`v1.0.4`](https://redirect.github.com/go-gitea/giteabot/releases/tag/v1.0.4) [Compare Source](https://redirect.github.com/go-gitea/giteabot/compare/v1.0.3...v1.0.4) ##### What's Changed - Keep lgtm status up to date on fork and backport PRs by [@​silverwind](https://redirect.github.com/silverwind) in [#​9](https://redirect.github.com/go-gitea/giteabot/pull/9) **Full Changelog**: <https://github.com/go-gitea/giteabot/compare/v1.0.3...v1.0.4> </details> <details> <summary>renovatebot/github-action (renovatebot/github-action)</summary> ### [`v46.1.16`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.16) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.15...v46.1.16) ##### Documentation - update references to renovatebot/github-action to v46.1.15 ([0013591](https://redirect.github.com/renovatebot/github-action/commit/00135917fdbb8f382071ce3f27c8432ad0f75c2a)) ##### Miscellaneous Chores - **deps:** update dependency [@​types/node](https://redirect.github.com/types/node) to v24.13.0 ([358d0a4](https://redirect.github.com/renovatebot/github-action/commit/358d0a480c37ecd2b23ab66dcd5170452917642c)) - **deps:** update dependency [@​types/node](https://redirect.github.com/types/node) to v24.13.1 ([783fe90](https://redirect.github.com/renovatebot/github-action/commit/783fe90b5a88b8a02d5d6c9bb65c01e36b110545)) - **deps:** update dependency [@​types/node](https://redirect.github.com/types/node) to v24.13.2 ([74b1acf](https://redirect.github.com/renovatebot/github-action/commit/74b1acf27101775dfaf2793c89c214898cd33520)) - **deps:** update dependency [@​types/node](https://redirect.github.com/types/node) to v24.13.2 ([#​1049](https://redirect.github.com/renovatebot/github-action/issues/1049)) ([23dcba0](https://redirect.github.com/renovatebot/github-action/commit/23dcba0a91738a6e394d2e991c307937406b6587)) - **deps:** update dependency esbuild to v0.28.1 \[security] ([#​1041](https://redirect.github.com/renovatebot/github-action/issues/1041)) ([54012bd](https://redirect.github.com/renovatebot/github-action/commit/54012bd29e2a1a395bbffede3e46a836aebc3e47)) - **deps:** update dependency lint-staged to v17 ([#​1051](https://redirect.github.com/renovatebot/github-action/issues/1051)) ([6a9f6dc](https://redirect.github.com/renovatebot/github-action/commit/6a9f6dc5beb03977800c57cd92b5ca15bfc67439)) - **deps:** update dependency npm-run-all2 to v9 ([#​1052](https://redirect.github.com/renovatebot/github-action/issues/1052)) ([8757a4e](https://redirect.github.com/renovatebot/github-action/commit/8757a4e574f6d5c0ba3fd6a6706c420c5c96e1c9)) - **deps:** update dependency npm-run-all2 to v9.0.2 ([2c2c4e5](https://redirect.github.com/renovatebot/github-action/commit/2c2c4e5c89b4c5bfdd31288b8f30d8acf0a3c4a3)) - **deps:** update linters to v8.60.1 ([d40e1b7](https://redirect.github.com/renovatebot/github-action/commit/d40e1b7d86f5ce052321dee875f215d0c0db3443)) - **deps:** update linters to v8.61.0 ([#​1043](https://redirect.github.com/renovatebot/github-action/issues/1043)) ([1e06192](https://redirect.github.com/renovatebot/github-action/commit/1e061929c42cf0828b24480be6f542ba6ccf88a3)) - **deps:** update node.js to v24.17.0 ([#​1050](https://redirect.github.com/renovatebot/github-action/issues/1050)) ([2cf33bc](https://redirect.github.com/renovatebot/github-action/commit/2cf33bc523576895fa380cf8af2e05336c943486)) - **deps:** update pnpm to v10.34.2 ([#​1048](https://redirect.github.com/renovatebot/github-action/issues/1048)) ([63ebb9d](https://redirect.github.com/renovatebot/github-action/commit/63ebb9d84b858604f205265f37e642256bf5f295)) - **deps:** update pnpm to v10.34.3 ([#​1054](https://redirect.github.com/renovatebot/github-action/issues/1054)) ([cd3436d](https://redirect.github.com/renovatebot/github-action/commit/cd3436d028bc86910e9cbf348b1c975a58d90135)) - **deps:** update pnpm/action-setup action to v6 ([#​1053](https://redirect.github.com/renovatebot/github-action/issues/1053)) ([77e5805](https://redirect.github.com/renovatebot/github-action/commit/77e58054f1f031a8b4f80dcbbd00f65e45643d09)) - **deps:** update prettier packages to v3.8.4 ([#​1045](https://redirect.github.com/renovatebot/github-action/issues/1045)) ([d688888](https://redirect.github.com/renovatebot/github-action/commit/d688888385cd5bd04a70a7889c8112b7d960512b)) - **deps:** update semantic-release monorepo to v25.0.4 ([#​1046](https://redirect.github.com/renovatebot/github-action/issues/1046)) ([d2dacc8](https://redirect.github.com/renovatebot/github-action/commit/d2dacc89959d7963d77f06ffadf0abcf1265fdc7)) - **deps:** update semantic-release monorepo to v25.0.5 ([#​1047](https://redirect.github.com/renovatebot/github-action/issues/1047)) ([d91f80c](https://redirect.github.com/renovatebot/github-action/commit/d91f80c864d00b0ddc134c949cf464395ef1afaa)) ##### Build System - **deps:** lock file maintenance ([26f827f](https://redirect.github.com/renovatebot/github-action/commit/26f827fdc5121b9d4fbe1cf8dcb76d6efe58b78b)) ##### Continuous Integration - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.214.6 ([f3fd163](https://redirect.github.com/renovatebot/github-action/commit/f3fd1634318528e2c0bf9402ad11ced1e2583cc4)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.216.1 ([8cf15ee](https://redirect.github.com/renovatebot/github-action/commit/8cf15ee083f561ff061f991a7ae7daeef11b0243)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.216.2 ([29c9f31](https://redirect.github.com/renovatebot/github-action/commit/29c9f31e4a3ad4f169bbfaf78a3fcbba9569e275)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.216.4 ([400f75c](https://redirect.github.com/renovatebot/github-action/commit/400f75cbdb0a8ec5364c9f3f22932c79c91ec56f)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.217.0 ([2aea29e](https://redirect.github.com/renovatebot/github-action/commit/2aea29ebc0bebd74676a36c246d9dffc8635aa2a)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.217.1 ([268f254](https://redirect.github.com/renovatebot/github-action/commit/268f25430113d2f91e6ab0244171726aff45791d)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.218.0 ([ebcc800](https://redirect.github.com/renovatebot/github-action/commit/ebcc800ccdcbca03d3939d07cd5170dcbe3fddf1)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.219.0 ([a61593e](https://redirect.github.com/renovatebot/github-action/commit/a61593e15cdcaa203cdf199b01785cbde1b3393b)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.220.0 ([#​1037](https://redirect.github.com/renovatebot/github-action/issues/1037)) ([0d198c1](https://redirect.github.com/renovatebot/github-action/commit/0d198c1f3cedd5d962195b498b53d23de67b3c7f)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.222.0 ([46f2bd6](https://redirect.github.com/renovatebot/github-action/commit/46f2bd6ed2f60e6e68085b7ccb0d408e498ad646)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.222.1 ([90deabf](https://redirect.github.com/renovatebot/github-action/commit/90deabf8530cd43db786bef00bb6a5bbbf66e372)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.224.0 ([22d7b5c](https://redirect.github.com/renovatebot/github-action/commit/22d7b5c57aa60ca4659f5f24d368812e789f1141)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.224.1 ([39a2ba1](https://redirect.github.com/renovatebot/github-action/commit/39a2ba1236cbe85d17c776505eda386398144ed2)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.225.0 ([c2f08ab](https://redirect.github.com/renovatebot/github-action/commit/c2f08ab1a1834784134b79fa3a30b83132ff5c51)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.226.1 ([75a5340](https://redirect.github.com/renovatebot/github-action/commit/75a5340ae6e848edb49abbeb7343434c84fd144c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.227.0 ([da1079a](https://redirect.github.com/renovatebot/github-action/commit/da1079ac41ddf8ac9d473f3110b9bc2d20e8c823)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.227.1 ([26a0ce7](https://redirect.github.com/renovatebot/github-action/commit/26a0ce7c73154e11c6677da35bd23ddf1c77a704)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.228.0 ([9dd450f](https://redirect.github.com/renovatebot/github-action/commit/9dd450fe094737324c6740847d34d21d0a12670e)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.228.1 ([066bf0a](https://redirect.github.com/renovatebot/github-action/commit/066bf0aa9449c5bd4e2315df33f2986b10299ee7)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.229.0 ([edd7e4f](https://redirect.github.com/renovatebot/github-action/commit/edd7e4f83edd2652f40ed3d13236296a75cb9d9c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.229.1 ([64e44a4](https://redirect.github.com/renovatebot/github-action/commit/64e44a4239e1eade784cf0abd54ffc4e82cb40e1)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.229.2 ([dce4d1b](https://redirect.github.com/renovatebot/github-action/commit/dce4d1b6ba43914d91ab2a2a713fd384298a42fe)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.230.0 ([30fd043](https://redirect.github.com/renovatebot/github-action/commit/30fd04394d4dfe018df48314de0036334d88d119)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.230.1 ([425d313](https://redirect.github.com/renovatebot/github-action/commit/425d313d98c58c11780a712fbee72a7e35d25b92)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.0 ([ae939aa](https://redirect.github.com/renovatebot/github-action/commit/ae939aab83afa3d641843d1d04300091752e09a8)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.1 ([cac502d](https://redirect.github.com/renovatebot/github-action/commit/cac502de33fd8931d15a849d8eff67d8b75d253c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.2 ([242a56f](https://redirect.github.com/renovatebot/github-action/commit/242a56f27d85117d4b0703ff1e381aaafdc0488e)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.3 ([3b66329](https://redirect.github.com/renovatebot/github-action/commit/3b6632905280f6bc2656245b3916333c3c224c99)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.232.0 ([c0502ab](https://redirect.github.com/renovatebot/github-action/commit/c0502aba634bf921fa2af4eb4a052318991265bd)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.232.1 ([d46a7eb](https://redirect.github.com/renovatebot/github-action/commit/d46a7ebfc5129ac009353beed92152c3ddc4ce3b)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.1 ([b476f30](https://redirect.github.com/renovatebot/github-action/commit/b476f3002f23f603eb89450785a8ce68037ebf20)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.2 ([bc50ad1](https://redirect.github.com/renovatebot/github-action/commit/bc50ad1e38f4e32bed5288aec6e9c303a5e81117)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.3 ([908f92d](https://redirect.github.com/renovatebot/github-action/commit/908f92dbc49eaefff1e0c8771aa41a957268baa5)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.4 ([a48bc32](https://redirect.github.com/renovatebot/github-action/commit/a48bc32b6b570fe1fa55975fda7205bbbb98afa3)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.234.0 ([c929092](https://redirect.github.com/renovatebot/github-action/commit/c929092dcc2e71fcddf23dc5c9d2cdf70ed17ed4)) - **deps:** update ghcr.io/zizmorcore/zizmor docker tag to v1.26.1 ([#​1055](https://redirect.github.com/renovatebot/github-action/issues/1055)) ([c878bfb](https://redirect.github.com/renovatebot/github-action/commit/c878bfb5430ce52efc451671e7887a2b5d755ffc)) - **deps:** update zizmorcore/zizmor-action action to v0.5.7 ([996e7bc](https://redirect.github.com/renovatebot/github-action/commit/996e7bc84761f298cb8bc5c765895b6db953876b)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
0c67849e68 |
fix(packages): validate debian distribution and component names (#38116)
**Newline injection into the Debian Release and Packages indices** The `distribution` and `component` come straight from the request path and are written line by line into the generated `Release` and `Packages` files (the `Suite`/`Codename`/`Components` lines and the `Filename: pool/<distribution>/<component>/...` line), but `UploadPackageFile` only checked they were non-empty. `ctx.PathParam` url-decodes the segment, so an encoded newline such as `main%0AInjected-Field: x` is accepted, stored and then re-emitted for that distribution, which lets an authenticated uploader forge extra fields in the index apt consumes. Restricted both values to a conservative name pattern in the handler, since that is the layer that accepts them; this should also keep the pool paths well formed. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
762c674bc5 |
chore(deps): update python dependencies (#38256)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [djlint](https://redirect.github.com/djlint/djLint) | `==1.39.2` → `==1.39.4` |  |  | | [zizmor](https://docs.zizmor.sh) ([source](https://redirect.github.com/zizmorcore/zizmor)) | `==1.25.2` → `==1.26.1` |  |  | --- ### Release Notes <details> <summary>djlint/djLint (djlint)</summary> ### [`v1.39.4`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1394---2026-06-24) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.39.3...v1.39.4) ##### Fix - Fix crashes in mypyc-compiled wheels. ### [`v1.39.3`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1393---2026-06-23) [Compare Source](https://redirect.github.com/djlint/djLint/compare/v1.39.2...v1.39.3) ##### Fix - Use Click instead of tqdm for progress output, send progress to stderr, respect `--quiet`, and honor `NO_COLOR`. Remove direct `colorama` and `tqdm` dependencies now that Click handles CLI colors and progress. - Avoid false H025 reports after self-closing tags in Django templates. - Avoid false H025 reports for multiline Go template attributes. - Keep Django child-template reformatting idempotent when inline control blocks also appear inside HTML attributes. - Respect whitespace-control dashes when applying `blank_line_after_tag` and `blank_line_before_tag`. </details> <details> <summary>zizmorcore/zizmor (zizmor)</summary> ### [`v1.26.1`](https://redirect.github.com/zizmorcore/zizmor/releases/tag/v1.26.1) [Compare Source](https://redirect.github.com/zizmorcore/zizmor/compare/v1.26.0...v1.26.1) This is a small corrective release for [1.26.0](https://docs.zizmor.sh/release-notes/#​1260). ### [`v1.26.0`](https://redirect.github.com/zizmorcore/zizmor/releases/tag/v1.26.0) [Compare Source](https://redirect.github.com/zizmorcore/zizmor/compare/v1.25.2...v1.26.0) #### New Features 🌈[🔗](https://docs.zizmor.sh/release-notes/#new-features) - New audit: [typosquat-uses](https://docs.zizmor.sh/audits/#typosquat-uses) detects uses: clauses that reference likely typoed actions ([#​1985](https://redirect.github.com/zizmorcore/zizmor/issues/1985)) Many thanks to [@​andrew](https://redirect.github.com/andrew) for proposing and implementing this improvement! - New audit: [unsound-ternary](https://docs.zizmor.sh/audits/#unsound-ternary) detects pseudo-ternary expressions that don't evaluate as expected ([#​2085](https://redirect.github.com/zizmorcore/zizmor/issues/2085)) Many thanks to [@​terror](https://redirect.github.com/terror) for proposing and implementing this improvement! - New audit: [adhoc-packages](https://docs.zizmor.sh/audits/#adhoc-packages) detects run: steps that install packages in an ad-hoc manner ([#​2061](https://redirect.github.com/zizmorcore/zizmor/issues/2061)) Many thanks to [@​connorshea](https://redirect.github.com/connorshea) for proposing and implementing this improvement! #### Enhancements 🌱[🔗](https://docs.zizmor.sh/release-notes/#enhancements) - The [cache-poisoning](https://docs.zizmor.sh/audits/#cache-poisoning) audit now detects additional cache disablement heuristics ([#​2053](https://redirect.github.com/zizmorcore/zizmor/issues/2053)) - The [known-vulnerable-actions](https://docs.zizmor.sh/audits/#known-vulnerable-actions) audit is now configurable. See [the configuration documentation](https://docs.zizmor.sh/audits/#known-vulnerable-actions-configuration) for details ([#​2084](https://redirect.github.com/zizmorcore/zizmor/issues/2084)) - The [excessive-permissions](https://docs.zizmor.sh/audits/#excessive-permissions) audit is now aware of the code-quality permission ([#​2088](https://redirect.github.com/zizmorcore/zizmor/issues/2088)) - The [unpinned-uses](https://docs.zizmor.sh/audits/#unpinned-uses) audit's auto-fix now uses the fully qualified version tag (e.g. # v6.0.2) when fixing a major-version ref (e.g. [@​v6](https://redirect.github.com/v6)) ([#​2127](https://redirect.github.com/zizmorcore/zizmor/issues/2127)) #### Performance Improvements 🚄[🔗](https://docs.zizmor.sh/release-notes/#performance-improvements) - Most online audits are significantly faster, thanks to more precise retry handling ([#​2036](https://redirect.github.com/zizmorcore/zizmor/issues/2036)) Bug Fixes 🐛[🔗](https://docs.zizmor.sh/release-notes/#bug-fixes) - Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration ([#​2026](https://redirect.github.com/zizmorcore/zizmor/issues/2026)) Many thanks to [@​fionn](https://redirect.github.com/fionn) for implementing this fix! - Fixed a bug where [ref-version-mismatch](https://docs.zizmor.sh/audits/#ref-version-mismatch) would fail to fully match some version comments ([#​2040](https://redirect.github.com/zizmorcore/zizmor/issues/2040)) - Fixed a bug where [dependabot-cooldown](https://docs.zizmor.sh/audits/#dependabot-cooldown) would fail to honor the user's configured days when performing autofixes ([#​2055](https://redirect.github.com/zizmorcore/zizmor/issues/2055)) - Steps and jobs gated by statically-false if: conditions (e.g. if: false, if: ${{ false }}) are now skipped during auditing, since they cannot execute ([#​2059](https://redirect.github.com/zizmorcore/zizmor/issues/2059), [#​2069](https://redirect.github.com/zizmorcore/zizmor/issues/2069)) - Fixed a bug where [ref-version-mismatch](https://docs.zizmor.sh/audits/#ref-version-mismatch) would fail to identify some valid version comments ([#​2073](https://redirect.github.com/zizmorcore/zizmor/issues/2073)) - Fixed a bug where [unpinned-images](https://docs.zizmor.sh/audits/#unpinned-images) would incorrectly flag empty matrix expansions as unpinned container image references ([#​2102](https://redirect.github.com/zizmorcore/zizmor/issues/2102)) - Fixed a bug where [unpinned-images](https://docs.zizmor.sh/audits/#unpinned-images) would incorrectly flag some matrix expansions as unpinned ([#​2098](https://redirect.github.com/zizmorcore/zizmor/issues/2098)) - The SARIF (--format=sarif) and GitHub Annotations (--format=github) output formats now provide more correct/useful paths, particularly when the user provides a relative path as input to zizmor rather than zizmor . ([#​1748](https://redirect.github.com/zizmorcore/zizmor/issues/1748), [#​2095](https://redirect.github.com/zizmorcore/zizmor/issues/2095)) #### Changes ⚠️[🔗](https://docs.zizmor.sh/release-notes/#changes) - The [impostor-commit](https://docs.zizmor.sh/audits/#impostor-commit) audit no longer suggests auto-fixes, to avoid incorrectly minimizing the amount of manual remediation work needed ([#​2054](https://redirect.github.com/zizmorcore/zizmor/issues/2054)) - The JSON and SARIF outputs no longer contain a misleading prefix key ([#​2095](https://redirect.github.com/zizmorcore/zizmor/issues/2095)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
8ff71a5e52 |
fix: flex divided list item shrink (#38255)
don't make the items shrink since they are used as list items. fix #38220 |
||
|
|
8343c47bd1 | [skip ci] Updated translations via Crowdin | ||
|
|
c6b2394585 |
fix(actions): authenticate snapcraft before nightly remote build (#38252)
The `release-nightly-snapcraft` workflow’s `build-and-publish` job was
failing because `snapcraft remote-build` fell back to interactive
Launchpad authorization in CI. This change makes authentication explicit
and non-interactive before the remote build step.
- **Workflow change**
- Add an `Authenticate snapcraft` step before `Remote build`.
- Run `snapcraft login --with` using the existing
`SNAPCRAFT_STORE_CREDENTIALS` secret.
- Pin that step to `shell: bash` to support process substitution.
- **Why this fixes the failure**
- Prevents CI from entering browser-based Launchpad auth flow.
- Ensures `remote-build` runs with preloaded credentials.
```yaml
- name: Authenticate snapcraft
shell: bash
env:
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
run: snapcraft login --with <(printf '%s' "$SNAPCRAFT_STORE_CREDENTIALS")
```
---------
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
||
|
|
4f41ad7b91 |
revert(sign): restore gpg (#38251)
partially revert sigstore signing to avoid causing breaking change for v1.27 |
||
|
|
4812e35486 |
fix(api): respect since/until when counting commits for X-Total-Count (#38204)
The repository commits API (`GET /repos/{owner}/{repo}/commits`) accepts
`since` and `until` query parameters and filters the returned page of
commits by commit date. However, the `X-Total-Count` and `X-Total`
response headers reported the *unfiltered* total number of commits, so
the advertised total could be far larger than the number of commits
actually returned for the requested date range. With a range that
matches no commits, the page is correctly empty while the headers still
claim the full repository total.
## Root cause
`gitrepo.CommitsCount` declared `Since` and `Until` options and the API
handler populated them, but the function never appended
`--since`/`--until` to the underlying `git rev-list --count` invocation.
The date filters were silently dropped, so the count always reflected
the entire revision history.
## Fix
Pass the `Since`/`Until` options through to `git rev-list`, mirroring
the existing commit-listing path (`commitsByRangeWithTime`). The
reported total now matches the filtered range used to build the page.
## Testing
Added `TestCommitsCountWithSinceUntil` in
`modules/gitrepo/commit_test.go`, a table-driven unit test against the
`repo1_bare` fixture covering `since`, `until`, and a bounded
`since`+`until` range. It fails on the pre-fix code (every case returns
the full count of 3) and passes after the change. Existing
`CommitsCount` tests remain green.
## Notes
- No new settings, no default changes; this corrects an incorrect header
value and is backward compatible. Clients that depend on `since`/`until`
already filter the returned commits, and the headers now agree with that
filtering.
Fixes #35886.
---
*AI-assistance disclosure:* this change was developed with the
assistance of Claude Code (Claude Opus 4.8). I have reviewed and
understand the change and take responsibility for it.
|
||
|
|
98c61942aa |
build(sign): move to sigstore (#38250)
drops signing with gpg in favor of sigstore based artifact signing |
||
|
|
cc1df1976b | fix: codemirror regressions (#38248) | ||
|
|
1c718da16c |
fix(api): support HEAD requests on all API GET endpoints (#38245)
Fixes #38226 ## Summary Add `chi_middleware.GetHead` as the first `BeforeRouting` middleware on the API router. This makes every API `GET` endpoint automatically handle `HEAD` requests, as required by RFC 9110 §9.3.2. Previously, `HEAD` requests to endpoints like `GET /repos/{owner}/{repo}/git/commits/{sha}` returned `405 Method Not Allowed`. The web router already used this same middleware (see `routers/web/web.go:261`), so this aligns API behaviour with the web router. ## Changes - `routers/api/v1/api.go`: add `chi_middleware.GetHead` middleware to the API router - `tests/integration/api_repo_git_commits_test.go`: add `TestAPIReposGitCommitsHEAD` verifying HEAD returns 200 on a valid ref and 404 (not 405) on a missing ref |
||
|
|
ce8cf22af9 |
fix(actions): don't swallow HTML entities into linkified URLs (#38239)
In the Actions log viewer, a double-quoted URL renders with a stray extra `;` after it. Reported in `gitea/runner#1046` Remove the buggy AI slop `linkifyURLs` and use new approach to process URLs in text --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
5b9251150c |
fix(actions): address workflow status badge review feedback (#38241)
Follow https://github.com/go-gitea/gitea/pull/38196#discussion_r3487219492 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
1d43b736b5 |
fix(actions): deny fork-PR cross-repo access via collaborative owner (#38214)
### What
`GetActionsUserRepoPermission` (`models/perm/access/repo_permission.go`)
decides whether an Actions task token may access a target repo. Its
cross-repo branches each enforce a fork-PR discriminator — except the
collaborative-owner branch, which was missing the
`!task.IsForkPullRequest` guard that its sibling
`checkSameOwnerCrossRepoAccess` has.
As a result, when a private repo **B** lists owner **A** as a
collaborative owner, an attacker-controlled fork pull-request workflow
whose base repo is owned by A was granted code-read on B — i.e. the
fork's workflow could clone a third private repository it has no rights
to (read-only confidentiality breach).
### Fix
Add the same fork-PR guard the sibling path already enforces:
```go
if taskRepo.IsPrivate && !task.IsForkPullRequest {
actionsUnit := repo.MustGetUnit(ctx, unit.TypeActions)
if actionsUnit.ActionsConfig().IsCollaborativeOwner(taskRepo.OwnerID) {
return maxPerm, nil
}
}
```
|
||
|
|
f46c9a9769 |
feat(actions): support owner-level and global scoped workflows (#38154)
## Summary This PR adds **scoped workflows** to Gitea Actions. Workflows defined centrally in a "source" repository that automatically run on every repository in scope: an organization's repositories, or (for instance admins) every repository on the instance. Each scoped run executes in the consuming repository's own context (its runners, secrets, and branch) while its content is read from the source repository, so an org or instance can mandate shared CI across many repositories without copying workflow files into each one. An owner or instance admin registers source repositories on a settings page and can mark individual workflows as **required**. A required scoped workflow cannot be opted out by a consuming repository and gates its pull-request merges; an optional one can be disabled per repository. Scoped workflows live under a dedicated `SCOPED_WORKFLOW_DIRS` (default `.gitea/scoped_workflows`), kept separate from regular `WORKFLOW_DIRS`. ## Main changes ### Configuration New `SCOPED_WORKFLOW_DIRS` setting, validated to not overlap with `WORKFLOW_DIRS`. Default: `.gitea/scoped_workflows` ### Data model & migration - New `action_scoped_workflow_source` table mapping a registering owner (`owner_id`, where `0` = instance-level) to a source repository, with a per-workflow `WorkflowConfigs` map. - `ActionRun` gains `WorkflowRepoID` / `WorkflowCommitSHA` (the pinned content source) and an `IsScopedRun` flag. ### Detection & run creation On consumer events, scoped workflows from the effective sources (the owner's own sources plus instance-level ones) are matched and turned into runs that execute in the consumer's context, with content pinned to the source repo's default-branch commit. `on: workflow_run` and `on: schedule` are currently not supported. ### Opt-out A consuming repository can disable an optional scoped workflow (tracked separately from regular `DisabledWorkflows`); required scoped workflows can never be disabled, opted out, or bypassed. ### Commit status A scoped run's status context format is `"<source repo full name>: <workflow display name> / <job> (<event>)"` (for example: `my-org/scoped-workflows: db-tests / test-sqlite (pull_request)`), keeping it distinct from a same-named repo-level workflow and from other sources. ### Required status checks Admins mark workflows required and supply status-check patterns. `EffectiveRequiredContexts` appends those patterns to the branch protection's required contexts and they are matched must-present-and-pass. If the status checks from scoped workflows fail, the PR cannot be merged. NOTE: scoped workflows' required status checks patterns can protect any target branch that has a protection rule, even though the rule's "Status Check" is disabled. A target branch with no protection rule cannot be protected. <details> <summary>Screenshots</summary> <img width="1400" alt="image" src="https://github.com/user-attachments/assets/a5d1db33-15ec-487e-93be-2bc04b4e6643" /> </details> ### Reusable workflows (`uses:`) A scoped workflow's local `uses: ./...` resolves against the source repository. `uses:` directory validation honors the instance-configurable `WORKFLOW_DIRS` and `SCOPED_WORKFLOW_DIRS` (previously hardcoded to `.gitea`/`.github/workflows`). ### Manual dispatch `workflow_dispatch` is supported for scoped workflows (web and API), resolving inputs/content from the source repo. ### Performance A process-local LRU cache keyed by source repo ID for the per-source workflow parse, so instance-level and owner-level sources don't open the source repo and parse workflow files on every event. ### UI Org / user / admin pages to register and remove sources, search repositories, and mark workflows required with their status-check patterns. The repository Actions sidebar groups scoped workflows by source with owner/instance labels and required/disabled badges. <details> <summary>Screenshots</summary> Scoped workflows setting page: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/9d19f667-97a5-4935-92b2-e53f105e3642" /> Consumer repo's Actions runs list: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/a77241f9-0aa9-41aa-ba73-12a9a688cb64" /> - `Owner`: this is a owner-level scoped workflows source repo - `Global`: this is a global scoped workflows source repo - `Required`: this scoped workflow is required, repo admin cannot disable it </details> --- Docs: https://gitea.com/gitea/docs/pulls/447 --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
c9920b7bd0 |
fix(oauth): restrict introspection to the token's client (#38042)
Bind OAuth token introspection responses to the authenticated client. Return an inactive response when the token grant belongs to a different OAuth application to avoid leaking token metadata across clients. Add integration coverage for cross-client introspection attempts against both access tokens and refresh tokens. Assisted-by: GPT-5.4 |
||
|
|
0319358e5e | fix(web): Correctly align the "disabled" label on larger workflow names (#38240) | ||
|
|
9540292596 |
feat(actions): add workflow status badge modal (#38196)
- Add a Create Status Badge button for selected Actions workflows. - Show badge URL, Markdown, and HTML snippets backed by the existing workflow badge route. ## Screenshots <img width="553" height="470" alt="dyn-a5d565ab915b9ffb6c02ac68113494b0" src="https://github.com/user-attachments/assets/43b4ceb9-bbd1-4024-b058-d85ec8325e88" /> <img width="349" height="156" alt="grafik" src="https://github.com/user-attachments/assets/6eaec62d-ffb0-45c0-b63d-866a41a66005" /> Fixes https://github.com/go-gitea/gitea/issues/31462 --------- Signed-off-by: guanzi008 <245205080@qq.com> Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
d392fb1438 |
fix(packages): accept npm "repository" and "bin" in string form (#38236)
## What npm allows `repository` and `bin` in `package.json` to be either an object or a plain string (npm docs: [repository](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#repository), [bin](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#bin)). The npm registry creator modeled `repository` as a struct and `bin` as `map[string]string`, so publishing a package whose `package.json` uses the string form failed with: ``` json: cannot unmarshal string into Go struct field PackageMetadataVersion.PackageMetadata.versions.bin of type map[string]string ``` ## Fix `modules/packages/npm/creator.go`: add `UnmarshalJSON` to `Repository` (string → `URL`) and a `Bin` type with `UnmarshalJSON` (string → a single command named after the package, per npm semantics), mirroring the existing `License` / `User` string-or-object handling. The stored `Metadata` field types are unchanged. `bundledDependencies` as a boolean (also noted in #38235) is left out of scope — it is rare and semantically different (`true` = bundle all deps). ## Test `TestParsePackage/ValidRepositoryAndBinAsString` parses a package with string `repository` and `bin`: it fails on `main` with the error above and passes with this change. The full `modules/packages/npm` suite is green and `gofmt` is clean. Fixes #38235 _AI disclosure: prepared with AI assistance; I reviewed and verified it (reproduction + tests) and can explain and defend the change._ |
||
|
|
0f5102427e |
fix(actions): ensure all waiting jobs get runners in large workflows (#38200)
## Summary Fixes two related bugs that cause jobs in large workflows (50+ parallel jobs) to never get a runner assigned even though runners are free. ### Bug 1 — Concurrent runner race When N runners all poll `FetchTask` with a stale `tasksVersion` simultaneously, they all query the same waiting job list sorted by `(updated, id)` and all pick **job #1**. Only one wins the `UPDATE WHERE task_id=0` optimistic lock; the rest return empty-handed but still receive `latestVersion` in the response. They then consider themselves "up to date" and skip `PickTask` on every subsequent poll, leaving jobs #2–50 permanently unassigned. **Fix:** `CreateTaskForRunner` now iterates through all matching waiting jobs. When the optimistic lock fails on job #1, it immediately tries job #2, then #3, etc., each in its own independent transaction so a failed attempt rolls back cleanly before the next candidate is tried. `PickTask` no longer wraps this call in an outer `db.WithTx` (which caused `halfCommitter` entanglement that prevented per-attempt rollbacks). ### Bug 2 — Idle runner doesn't re-check after finishing a task `tasks_version` only bumps when a job transitions **to** waiting (new workflow triggered, blocked→unblocked). After a runner finishes its current task it polls `FetchTask` with `tasksVersion == latestVersion`, so the server skips `PickTask` entirely — the remaining 45 waiting jobs are invisible to the now-idle runner. **Fix:** Also call `IncreaseTaskVersion` in `UpdateRunJob` when a (non-reusable-caller) job transitions to a **done** state. Idle runners then see a version mismatch on their next poll and attempt `PickTask`, picking up the remaining jobs. |
||
|
|
cbe1b703dc |
refactor: Use db.Get[] instead of db.GetEngine(ctx).Get(bean) to avoid zero value fetching wrong database record (#37977)
This PR replaces a set of struct-based `Get` lookups with explicit `db.Get` / `db.Exist` conditions in places where zero-value fields can lead to ambiguous matches or incorrect records being returned. The main goal is to make read paths deterministic and avoid accidentally matching the wrong row when only part of a struct is populated. ### What changed - replace many `db.GetEngine(ctx).Get(bean)` calls with explicit `builder.Eq` conditions across models such as actions, admin tasks, issues, pull requests, repositories, users, packages, redirects, watches, stars, and follows - use quoted column names where needed for reserved fields like `index`, `type`, and `name` - add dedicated user lookup helpers for: - primary email - OAuth login source / login name - update sign-in and OAuth-related flows to use explicit individual-user lookups instead of partially populated `User` structs - tighten package property and Terraform lock lookups to avoid ambiguous reads and updates - keep existing fallback behavior where needed, while removing reliance on zero-value struct matching ### User-facing impact These changes primarily affect authentication and account lookup paths: - email/username sign-in now re-fetches users through explicit keys - OAuth2 auto-linking now resolves users by name or primary email explicitly - OAuth2 login/sync now looks up users by login source, login type, and login name explicitly - non-individual accounts are no longer implicitly matched through partial user lookups in these flows This should reduce the risk of incorrect account matches and make query behavior more predictable across the codebase. --------- Co-authored-by: bircni <bircni@icloud.com> |
||
|
|
d5e6f273f0 |
fix(migrations): prevent path traversal in repository restore (#38215)
## Problem The repository restorer (`services/migrations/restore.go`) builds `file://` URLs for release attachments and PR patches by joining user-supplied paths from `release.yml` and `pull_request.yml` onto the dump directory: ```go *asset.DownloadURL = "file://" + filepath.Join(r.baseDir, *asset.DownloadURL) pr.PatchURL = "file://" + filepath.Join(r.baseDir, pr.PatchURL) ``` `filepath.Join` cleans the path, so a crafted relative value such as `../../../../etc/passwd` resolves to an absolute path **outside** the dump directory. `uri.Open` then reads it via `os.Open` and stores the content as a release attachment, which is retrievable through the API — an arbitrary file read (Local File Inclusion) from a dump archive supplied to `restore-repo`. ## Fix Add a `localFileURL` helper that resolves the relative path against `baseDir` and rejects anything that escapes it. Malicious entries are skipped with a warning so a legitimate restore still completes; in-dump files keep working unchanged. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
15ee850ede |
perf(web): sort the action_run query by a repo-scoped index when possible (#38155)
The `index` column is unique per repo, but the `id` column is scoped to
the whole table
https://github.com/go-gitea/gitea/blob/240d0efa7e3860dfde0eb94932287602cbfae533/models/migrations/v1_27/v331.go#L62-L67.
We have over 60000 action runs in our repo and loading the "Actions" tab
has been very slow, so scoping the sort to the repo helps it load much
faster
## Summary of perf change
Ran tests based on commit
|
||
|
|
16c3216dc6 |
fix: js string split (#38233)
fix #38229 |
||
|
|
b565f3e00a |
fix(deps): update module golang.org/x/image to v0.43.0 [security] (#38219)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.42.0` → `v0.43.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.42.0...refs/tags/v0.43.0) |  |  | --- ### Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image [CVE-2026-46601](https://nvd.nist.gov/vuln/detail/CVE-2026-46601) / [GO-2026-5061](https://pkg.go.dev/vuln/GO-2026-5061) <details> <summary>More information</summary> #### Details The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size. #### Severity Unknown #### References - [https://go.dev/cl/787681](https://go.dev/cl/787681) - [https://go.dev/issue/79869](https://go.dev/issue/79869) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5061) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Lack of limit on tile sizes in x/image/tiff in golang.org/x/image [CVE-2026-46602](https://nvd.nist.gov/vuln/detail/CVE-2026-46602) / [GO-2026-5062](https://pkg.go.dev/vuln/GO-2026-5062) <details> <summary>More information</summary> #### Details The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption. #### Severity Unknown #### References - [https://go.dev/cl/788422](https://go.dev/cl/788422) - [https://go.dev/issue/79905](https://go.dev/issue/79905) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5062) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Panic decoding image with out-of-bounds strip offset in x/image/tiff in golang.org/x/image [CVE-2026-46604](https://nvd.nist.gov/vuln/detail/CVE-2026-46604) / [GO-2026-5066](https://pkg.go.dev/vuln/GO-2026-5066) <details> <summary>More information</summary> #### Details The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset. #### Severity Unknown #### References - [https://go.dev/cl/788421](https://go.dev/cl/788421) - [https://go.dev/issue/80122](https://go.dev/issue/80122) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5066) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
|
122ebcf0a8 | fix(api): deny private org member enumeration via /members (#38213) | ||
|
|
1b0992eb2e | fix(actions): fix 500 error when canceling a canceling task (#38223) | ||
|
|
c2f130d352 |
fix(mssql): convert legacy DATETIME columns to DATETIME2 (#38216)
## Problem On MSSQL databases created by old Gitea versions, the real datetime columns `external_login_user.expires_at` and `lfs_lock.created` were created as `DATETIME`. `DATETIME` parses datetime literals in a locale-dependent way, so the ISO string `'YYYY-MM-DD HH:MM:SS'` that xorm sends fails to convert when the session language is not English (e.g. German defaults to `dmy`): ``` mssql: Bei der Konvertierung eines nvarchar-Datentyps in einen datetime-Datentyp liegt der Wert außerhalb des gültigen Bereichs. ``` This breaks linking an external (OAuth/Keycloak) account to an existing user, and LFS lock creation, with a 500 error. ## Fix Current xorm already maps `time.Time` to the locale-independent `DATETIME2` for new installs, so only legacy databases are affected. This adds migration `341` that converts these columns to `DATETIME2` on legacy MSSQL databases (no-op on other databases and on columns already using `DATETIME2`). A full audit of persisted `time.Time` columns in `models/` confirmed these two are the only real datetime columns affected — every other time value is stored as a unix-timestamp integer. A regression test (MSSQL-only, mirroring the existing v338 pattern) downgrades the columns to legacy `DATETIME`, runs the migration, asserts the type becomes `DATETIME2`, and verifies an ISO datetime insert succeeds under `SET LANGUAGE German`. Fixes #38211 |
||
|
|
2e1be0b114 |
fix(deps): update npm dependencies (#38203)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [asciinema-player](https://redirect.github.com/asciinema/asciinema-player) | [`3.15.1` → `3.16.0`](https://renovatebot.com/diffs/npm/asciinema-player/3.15.1/3.16.0) |  |  | | [eslint-plugin-sonarjs](https://redirect.github.com/SonarSource/SonarJS/blob/master/packages/analysis/src/jsts/rules/README.md) ([source](https://redirect.github.com/SonarSource/SonarJS)) | [`4.0.3` → `4.1.0`](https://renovatebot.com/diffs/npm/eslint-plugin-sonarjs/4.0.3/4.1.0) |  |  | | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.10.5` → `20.10.6`](https://renovatebot.com/diffs/npm/happy-dom/20.10.5/20.10.6) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.7.0` → `11.8.0`](https://renovatebot.com/diffs/npm/pnpm/11.7.0/11.8.0) |  |  | --- ### Release Notes <details> <summary>asciinema/asciinema-player (asciinema-player)</summary> ### [`v3.16.0`](https://redirect.github.com/asciinema/asciinema-player/releases/tag/v3.16.0): 3.16.0 [Compare Source](https://redirect.github.com/asciinema/asciinema-player/compare/v3.15.1...v3.16.0) This is a significant release, with a new keystroke overlay and major improvements to recording playback. Notable changes: - New optional keystroke overlay, toggled with the `k` key - New `cursorMode` option: `"blinking"`, `"steady"` or `"hidden"` - TypeScript definitions included in the npm package - More reliable loading, playback, seeking, stepping and looping - Recording load failures are now emitted via the `error` event - Audio loading failures no longer prevent recording playback - Improved rendering of Powerline and box-drawing symbols - Improved accessibility of control bar buttons - Standalone bundle is now compatible with LibreJS #### Keystroke overlay The new [`keystrokeOverlay`](https://docs.asciinema.org/manual/player/options/#keystrokeoverlay) option displays keys pressed during a recording: ```javascript AsciinemaPlayer.create("/demo.cast", document.getElementById("demo"), { keystrokeOverlay: true }); ``` Recent keystrokes are shown in the lower-right corner. Consecutive text input is grouped, while repeated special keys use a counter, such as `Ret × 3`. The overlay is disabled by default and can be toggled during playback with the `k` key. It requires a recording containing input events (`asciinema rec --capture-input ...`). Demo: [](https://asciinema.org/a/1258082) #### Cursor mode The new [`cursorMode`](https://docs.asciinema.org/manual/player/options/#cursormode) option controls cursor visibility: ```javascript AsciinemaPlayer.create("/demo.cast", document.getElementById("demo"), { cursorMode: "steady" }); ``` Supported modes are `"blinking"` (the default), `"steady"` and `"hidden"`. #### Playback improvements The recording playback engine has been significantly reworked. This fixes several edge cases involving reverse stepping, marker pauses, looping, seeking, posters and audio playback. Missing or invalid audio now falls back to terminal-only playback. Fatal recording load errors are emitted through the new [`error`](https://docs.asciinema.org/manual/player/api/#error-event) event. `getCurrentTime()` and `getDuration()` now return their values directly, as documented. #### TypeScript support The npm package now includes TypeScript definitions for the player API, options, recording sources, parsers and events. </details> <details> <summary>SonarSource/SonarJS (eslint-plugin-sonarjs)</summary> ### [`v4.1.0`](https://redirect.github.com/SonarSource/SonarJS/compare/93ac7229b60beb637a7d91644c086f3b854072d9...4ce51a6eec04a87ee57b30792c3103823aad5bdb) [Compare Source](https://redirect.github.com/SonarSource/SonarJS/compare/93ac7229b60beb637a7d91644c086f3b854072d9...4ce51a6eec04a87ee57b30792c3103823aad5bdb) </details> <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.6`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.6) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.5...v20.10.6) ##### :construction\_worker\_man: Patch fixes - Await NodeJS internal ReadableStream promise during teardown - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​2217](https://redirect.github.com/capricorn86/happy-dom/issues/2217) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.8.0`](https://redirect.github.com/pnpm/pnpm/releases/tag/v11.8.0): pnpm 11.8 [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.7.0...v11.8.0) #### Minor Changes - [`c112b61`](https://redirect.github.com/pnpm/pnpm/commit/c112b61): Added a `--dry-run` option to `pnpm install`. It runs a full dependency resolution and reports what an install would change, but writes nothing to disk (no lockfile, no `node_modules`) and always exits with code 0. This mirrors the preview semantics of `npm install --dry-run` [#​7340](https://redirect.github.com/pnpm/pnpm/issues/7340). - [`179ebc4`](https://redirect.github.com/pnpm/pnpm/commit/179ebc4): `pnpm run --no-bail` now exits with a non-zero exit code when any of the executed scripts fail, while still running every matched script to completion. This makes the exit-code behavior of `--no-bail` consistent between recursive and non-recursive runs (recursive runs already failed at the end). Previously, a non-recursive `pnpm run --no-bail` always exited with code 0, even when a script failed [#​8013](https://redirect.github.com/pnpm/pnpm/issues/8013). - [`0474a9c`](https://redirect.github.com/pnpm/pnpm/commit/0474a9c): Added support for generating Node.js package maps at `node_modules/.package-map.json` during isolated and hoisted installs. Added the `node-experimental-package-map` setting to inject the generated map into pnpm-managed Node.js script environments, and the `node-package-map-type` setting to choose between `standard` and `loose` package maps. - [`dcededc`](https://redirect.github.com/pnpm/pnpm/commit/dcededc): `pnpm sbom` now marks components reachable only through `devDependencies` with CycloneDX `scope: "excluded"` and the `cdx:npm:package:development` property. The `excluded` scope documents "component usage for test and other non-runtime purposes", which matches the semantics of a devDependency; the property is the CycloneDX npm-taxonomy marker emitted by `@cyclonedx/cyclonedx-npm`, so both modern (scope) and existing (property) consumers are covered. Components reachable at runtime (including installed `optionalDependencies`) omit `scope` and default to `required`. - [`1495cb0`](https://redirect.github.com/pnpm/pnpm/commit/1495cb0): Added per-package SBOM generation with `--out` and `--split` flags. Use `--out out/%s.cdx.json` to write one SBOM per workspace package to individual files, or `--split` for NDJSON output to stdout. When `--filter` selects a single package, the SBOM root component now uses that package's metadata. Workspace inter-dependencies (`workspace:` protocol) and their transitive dependencies are included. Author, repository, and license fall back to the root manifest when the package doesn't define them. - [`293921a`](https://redirect.github.com/pnpm/pnpm/commit/293921a): feat(view): support searching project manifest upward when package name is omitted When running `pnpm view` without a package name, the command now searches upward for the nearest project manifest (`package.json`, `package.yaml`, or `package.json5`) and uses its `name` field. If the manifest exists but lacks a `name` field, an error is thrown. This change also replaces the `find-up` dependency with `empathic` for improved performance and consistency across workspace tools. #### Patch Changes - [`29ab905`](https://redirect.github.com/pnpm/pnpm/commit/29ab905): Fixed `pnpm update` overriding the version range policy of a named catalog whose name parses as a version (e.g. `catalog:express4-21`). The `catalog:` reference carries no pinning of its own, so the prefix from the catalog entry (such as `~`) is now preserved instead of being widened to `^` [#​10321](https://redirect.github.com/pnpm/pnpm/issues/10321). - [`bee4bf4`](https://redirect.github.com/pnpm/pnpm/commit/bee4bf4): Security: validate config dependency names and versions from the env lockfile (`pnpm-lock.yaml`) before using them to build filesystem paths. A committed lockfile with a traversal-shaped `configDependencies` name (such as `../../PWNED`) or version (such as `../../../PWNED`) could previously cause `pnpm install` to create symlinks or write package files outside `node_modules/.pnpm-config` and the store. Names must now be valid npm package names and versions must be exact semver versions; the same validation is applied to optional subdependencies of config dependencies, and to the legacy workspace-manifest format before any lockfile is written. See [GHSA-qrv3-253h-g69c](https://redirect.github.com/pnpm/pnpm/security/advisories/GHSA-qrv3-253h-g69c). - [`96bdd57`](https://redirect.github.com/pnpm/pnpm/commit/96bdd57): Fix `link:` workspace protocol switching to `file:` after `pnpm rm` is run from inside a workspace package whose target workspace dependency has its own dependencies, when `injectWorkspacePackages: true` is set. Follow-up to [#​10575](https://redirect.github.com/pnpm/pnpm/pull/10575), which fixed the same symptom for workspace packages without dependencies. - [`302a2f7`](https://redirect.github.com/pnpm/pnpm/commit/302a2f7): No longer warn about using both `packageManager` and `devEngines.packageManager` when the two fields pin the same package manager at the same version with the same integrity hash (e.g. both `pnpm@11.5.1+sha512.…`). Previously the hash was stripped from the legacy `packageManager` field but not from `devEngines.packageManager`, so even identical specifications looked like a mismatch [#​12028](https://redirect.github.com/pnpm/pnpm/issues/12028). The warning still fires on any genuine divergence, and several cases now state the specific reason instead of a single generic message: a different package manager, a different version, or contradictory integrity hashes for the same version. - [`3f0fb21`](https://redirect.github.com/pnpm/pnpm/commit/3f0fb21): Fixed the progress line showing leftover characters from external processes that write to the terminal between progress updates (e.g. an SSH passphrase prompt would leave a fragment like `added 0sa':`). The interactive reporter now redraws each frame in place, erasing to the end of the display before reprinting, so any such remnants are cleared [#​12350](https://redirect.github.com/pnpm/pnpm/issues/12350). - [`564619f`](https://redirect.github.com/pnpm/pnpm/commit/564619f): Fixed `pnpm approve-builds` reporting "no packages awaiting approval" when a build-script dependency whose approval was revoked (e.g. after `git stash` drops the `allowBuilds` from `pnpm-workspace.yaml`) is re-added. The revoked packages are now correctly recorded in `.modules.yaml` so `approve-builds` can find them. [#​12221](https://redirect.github.com/pnpm/pnpm/issues/12221) - [`3d1fd20`](https://redirect.github.com/pnpm/pnpm/commit/3d1fd20): Skip the redundant "target bin directory already contains an exe called node" warning on Windows when the existing `node.exe` already matches the target (same hard link or identical content) [pnpm/pnpm#12203](https://redirect.github.com/pnpm/pnpm/issues/12203). - [`1b02b47`](https://redirect.github.com/pnpm/pnpm/commit/1b02b47): Fix macOS Gatekeeper blocking native binaries (`.node`, `.dylib`, `.so`) by removing the `com.apple.quarantine` extended attribute after importing them from the store. When pnpm imports files from its content-addressable store into `node_modules`, macOS preserves extended attributes, including `com.apple.quarantine`. If this xattr is present on a store blob (e.g. it was first written under a Gatekeeper-enabled app such as a Git client), it propagates to `node_modules`, and Gatekeeper blocks the native binary from loading even though pnpm already verified the file's integrity against the lockfile. After importing a package, pnpm now strips `com.apple.quarantine` from its native binaries, matching Homebrew's behaviour of dropping quarantine from verified downloads. The cleanup is macOS-only, runs in a single batched `xattr` call per package, is restricted to native binaries (other files are untouched), and is non-fatal (it logs a warning on unexpected errors). Fixes [#​11056](https://redirect.github.com/pnpm/pnpm/issues/11056) - [`61969fb`](https://redirect.github.com/pnpm/pnpm/commit/61969fb): Fix `pnpm install` with `optimisticRepeatInstall` incorrectly reporting `Already up to date` when `pnpm-lock.yaml` changed but project manifests did not. This affected workflows such as checking out or restoring only the lockfile [#​12100](https://redirect.github.com/pnpm/pnpm/issues/12100). Also fixes `checkDepsStatus` to use the correct lockfile path when `useGitBranchLockfile` is enabled, so the optimistic fast-path and lockfile modification detection work with `pnpm-lock.<branch>.yaml` files instead of always stat'ing `pnpm-lock.yaml`. Merge-conflict detection now reads the resolved lockfile name as well, and with `mergeGitBranchLockfiles` enabled every `pnpm-lock.*.yaml` is scanned for modifications and conflicts. The git branch is now resolved by reading `.git/HEAD` directly (no process spawn) and uses the workspace directory rather than `process.cwd()`. - [`5c12968`](https://redirect.github.com/pnpm/pnpm/commit/5c12968): Fix recursive updates of transitive dependencies when the update command mixes transitive dependency patterns with direct dependency selectors. For example, `pnpm up -r "@​babel/core" uuid` now updates matching transitive `@babel/core` dependencies even when `uuid` is a direct dependency selector [#​12103](https://redirect.github.com/pnpm/pnpm/issues/12103). - [`9d79ba1`](https://redirect.github.com/pnpm/pnpm/commit/9d79ba1): Register the `pnpm update --no-save` flag in the CLI help and option parser. - [`0474a9c`](https://redirect.github.com/pnpm/pnpm/commit/0474a9c): Fixed `pnpm import` for Yarn v2 lockfiles when `js-yaml` v4 is installed. - [`9e0c375`](https://redirect.github.com/pnpm/pnpm/commit/9e0c375): Fixed `pnpm install` repeatedly prompting to remove and reinstall `node_modules` in a workspace package when `enableGlobalVirtualStore` is enabled. The post-install build step recorded a per-project `node_modules/.pnpm` virtual store directory in `node_modules/.modules.yaml`, overwriting the global `<storeDir>/links` value the install step had written. The next install then detected a virtual-store mismatch (`ERR_PNPM_UNEXPECTED_VIRTUAL_STORE`). The build step now derives the same global virtual store directory as the install step [#​12307](https://redirect.github.com/pnpm/pnpm/issues/12307). - [`223d060`](https://redirect.github.com/pnpm/pnpm/commit/223d060): Document the `--cpu`, `--os` and `--libc` flags in the output of `pnpm install --help`. These flags were already supported but were only documented on the website [#​12359](https://redirect.github.com/pnpm/pnpm/issues/12359). - [`e85aea2`](https://redirect.github.com/pnpm/pnpm/commit/e85aea2): Avoid reading `README.md` from disk when publishing if the publish manifest already provides a `readme` field. The README is now only read lazily, inside `createExportableManifest`, when it is actually needed. - [`3188ae7`](https://redirect.github.com/pnpm/pnpm/commit/3188ae7): Fixed `pnpm peers check` to accept loose peer dependency ranges such as `>=3.16.0 || >=4.0.0-` when the installed peer version satisfies the range [#​12149](https://redirect.github.com/pnpm/pnpm/issues/12149). - [`531f2a3`](https://redirect.github.com/pnpm/pnpm/commit/531f2a3): Fixed `pnpm update` rewriting a `workspace:` dependency that points at a local path (e.g. `workspace:../packages/foo/dist`) into a normalized `link:` or version-range specifier. Such specifiers are now preserved verbatim when the workspace protocol is preserved [#​3902](https://redirect.github.com/pnpm/pnpm/issues/3902). - [`fe66535`](https://redirect.github.com/pnpm/pnpm/commit/fe66535): Fixed a lockfile non-convergence bug where an incremental install kept a duplicate transitive dependency that a fresh install would not produce. When a package is reused from the lockfile, its child edges are taken verbatim and bypass the preferred-versions walk, so a transitive dependency could stay pinned to an older version even after a direct dependency resolved to a higher version that satisfies the same range. The resolver now refreshes such a stale pin to the higher direct-dependency version during resolution — so the older version is never resolved or fetched, and the incremental result converges to the fresh one. - [`6d35338`](https://redirect.github.com/pnpm/pnpm/commit/6d35338): `pnpm install` detects changes inside local file dependencies again. The optimistic repeat-install fast path only tracks manifest and lockfile modification times, so edits inside a local dependency's directory (or a repacked local tarball) were reported as "Already up to date". Projects with local file dependencies (`file:` and bare local path or tarball specifiers, declared directly or through `pnpm.overrides`) now always run a full install, which refetches those dependencies, matching pnpm v10 behavior [#​11795](https://redirect.github.com/pnpm/pnpm/issues/11795). - [`4ca9247`](https://redirect.github.com/pnpm/pnpm/commit/4ca9247): Preserve the existing Node.js runtime version prefix when resolving `node@runtime:<range>` to a concrete version. - [`30c7590`](https://redirect.github.com/pnpm/pnpm/commit/30c7590): Create shorter CAFS temporary package directories to leave room for lifecycle scripts that create IPC socket paths under TMPDIR. - [`13815ad`](https://redirect.github.com/pnpm/pnpm/commit/13815ad): Reporter output (warnings, progress) for `pnpm store` and `pnpm config` subcommands now goes to stderr instead of stdout. This fixes scripts that capture their stdout (e.g. `PNPM_STORE=$(pnpm store path)`, `pnpm config list --json | jq`) from getting warnings mixed into the result. - [`1c05876`](https://redirect.github.com/pnpm/pnpm/commit/1c05876): Avoid relinking unchanged child dependencies and remove stale child links during warm installs. - [`817f99d`](https://redirect.github.com/pnpm/pnpm/commit/817f99d): Fixed lockfile churn where a package's `transitivePeerDependencies` could be dropped (and shift between packages) when the package participates in a dependency cycle. A cycle re-entry resolves against truncated children, so it must not be cached as "pure"; otherwise sibling occurrences of the same package short-circuit and lose transitive peers depending on traversal order [#​5108](https://redirect.github.com/pnpm/pnpm/issues/5108). - [`eba03e0`](https://redirect.github.com/pnpm/pnpm/commit/eba03e0): Fix `pnpm install` reporting "Already up to date" after a catalog entry in `pnpm-workspace.yaml` was reverted to a previous version. After an update modified a catalog, the workspace state cache stored the pre-update catalog versions, so reverting the entry back to its original version was not detected as an outdated state [#​12418](https://redirect.github.com/pnpm/pnpm/issues/12418). - [`3b54d79`](https://redirect.github.com/pnpm/pnpm/commit/3b54d79): `pnpm update` now keeps lockfile `overrides` that resolve through a catalog in sync with the catalog. Previously, when an override referenced a catalog (e.g. `overrides: { foo: 'catalog:' }`) and `pnpm update` bumped that catalog entry, the lockfile's `catalogs` advanced while the resolved `overrides` kept the old version. The resulting lockfile was internally inconsistent, so a later `pnpm install --frozen-lockfile` failed with `ERR_PNPM_LOCKFILE_CONFIG_MISMATCH`. - [`9d0a300`](https://redirect.github.com/pnpm/pnpm/commit/9d0a300): Fixed `pnpm version --recursive` so it honors the workspace selection. In recursive mode the version bump now applies to the packages resolved from the workspace filter (`selectedProjectsGraph`), matching the behavior of `pnpm publish --recursive`, instead of always bumping every workspace package [#​11348](https://redirect.github.com/pnpm/pnpm/issues/11348). <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://openai.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/openai_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/openai_light.svg" /> <img src="https://pnpm.io/img/users/openai_dark.svg" width="160" alt="OpenAI" /> </picture> </a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank" rel="noopener noreferrer"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
ef927f9fa3 |
feat(api): support ref suffixes in compare (#38148)
Compare API requests with a `^` or `~N` revision suffix (for example `compare/main...feature^`) were rejected with `400 Unsupported comparison syntax: ref with suffix`. The fix resolves the suffix to a commit before comparing, so `base...head^` and `~N` work on either side, the same as git. Only `^`/`~N` navigation is resolved. Pull request creation still requires plain branch refs, and the web compare page keeps rejecting suffixes since its branch selectors need separate UI work. Closes #33943 |
||
|
|
59d4825a95 | chore(deps): update module golang.org/x/vuln to v1.4.0 (#38201) | ||
|
|
10da460c1b | [skip ci] Updated translations via Crowdin | ||
|
|
2003cf4e87 | chore(deps): update actions/checkout action to v7 (#38199) | ||
|
|
736ab982c8 |
enhance: allow builtin default git config options to be overridden (#38172)
This is really a follow-up to [#38148](https://github.com/go-gitea/gitea/pull/35305) , instead of having specific mappings of options for git configurations, just honor any user-provided gitconfig. I include a test which points out the specific config I have which was previously not honored, but more generally this means that gitea now only *adds* new gitconfig and never overwrites any config provided under `[git.config]`. --------- Signed-off-by: Royce Remer <royceremer@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
|
08a18d36a6 | [skip ci] Updated translations via Crowdin |