Commit Graph

412 Commits

Author SHA1 Message Date
wxiaoguang
92e7e98c56 Update x/crypto package and make builtin SSH use default parameters (#34667) 2025-06-09 19:51:02 +00:00
badhezi
0534eddd16 Use run-name and evaluate workflow variables (#34301)
This addresses https://github.com/go-gitea/gitea/issues/34247
depends on https://gitea.com/gitea/act/pulls/137

I couldn't find any previous implementation for `run-name` support on
workflows so I created one.

Key points:
All dispatched workflows, scheduled workflows and detected workflows
(from different hooks) will use and evaluate `run-name` if exists, with
the corresponding gitea context and variables. This will be used as the
Action run title and replace the default commit message being used
today.

Had to change act package jobparser (see link above)
and create two helpers
3a1320c70d/models/actions/utils.go (L86)
and
3a1320c70d/services/actions/context.go (L169)
to pass the correct types to
[GenerateGiteaContext](https://github.com/go-gitea/gitea/pull/34301/files#diff-9c9c27cb61a33e55ad33dc2c2e6a3521957a3e5cc50ddf652fdcd1def87b044dR86)
and
[WithGitContext](65c232c4a5/pkg/jobparser/jobparser.go (L84))
respectively.

<img width="1336" alt="Screenshot 2025-04-28 at 17 13 01"
src="https://github.com/user-attachments/assets/73cb03d0-23a0-4858-a466-bbf0748cea98"
/>
2025-05-20 02:24:10 +00:00
Lunny Xiao
2a660b4a1b Upgrade go-github v61 -> v71 (#34385)
There will be a possible bug when migrating from Github
https://github.com/google/go-github/issues/3229
This PR upgrades go-github from v61 to v71 to resolve that problem.
2025-05-06 20:10:14 -07:00
Mingzhu Yan
7bd2ce7109 fix go version (#34299)
go cmd will download and cache a copy of the Go toolchain, go1.24 is not
a valid version since https://github.com/golang/go/issues/57631.
2025-04-29 12:24:53 +00:00
Lunny Xiao
648df8a5e1 Fix the ci build (#34309)
Fix
https://github.com/go-gitea/gitea/actions/runs/14722306878/job/41318217870

A fork has been created under https://gitea.com/gitea/go-xsd-duration
2025-04-28 20:47:16 -07:00
wxiaoguang
58d2a87c6c update go&js dependencies (#34262) 2025-04-23 21:22:40 +00:00
Lunny Xiao
42f45f1489 Update net package (#34228) 2025-04-17 06:06:58 -04:00
Rowan Bohde
c57304ac3f Add middleware for request prioritization (#33951)
This adds a middleware for overload protection that is intended to help protect against malicious scrapers.
It does this via [`codel`](https://github.com/bohde/codel), which will perform the following:

1. Limit the number of in-flight requests to some user-defined max
2. When in-flight requests have reached their begin queuing requests.
    Logged-in requests having priority above logged-out requests
3. Once a request has been queued for too long,
    it has a probabilistic chance to be rejected based on how overloaded the entire system is.

When a server experiences more traffic than it can handle,
this keeps latency low for logged-in users and rejects just
enough requests from logged-out users to not overload the service.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2025-04-14 16:25:48 +02:00
wxiaoguang
32258e0f22 Update go mod dependencies (#33988)
blevesearch is skipped because it causes errors

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2025-03-25 05:51:52 +00:00
TheFox0x7
189873719b update jwt and redis packages (#33984) 2025-03-23 10:13:16 -04:00
Lunny Xiao
65bb837fa2 Upgrade golang net from 0.35.0 -> 0.36.0 (#33795) 2025-03-04 23:25:09 +01:00
Lunny Xiao
2c8bdd2233 Upgrade act to 0.261.4 and actions-proto-go to v0.4.1 (#33760)
Include https://gitea.com/gitea/act/pulls/129 Fix #33657 
And https://gitea.com/gitea/actions-proto-def/pulls/14
2025-03-01 20:02:58 +00:00
Lunny Xiao
ae4a3d7708 upgrade go-crypto from 1.1.5 to 1.1.6 (#33745)
Fix #33296

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-02-28 14:06:47 +00:00
techknowlogick
7535af20da bump x/crypto & x/oauth2 (#33704) 2025-02-24 20:15:18 +00:00
wxiaoguang
e6759f356d Update Go dependencies (skip blevesearch, meilisearch) (#33655) 2025-02-20 22:10:54 +08:00
techknowlogick
d88b012525 go1.24 (#33562)
update to use go1.24

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-02-13 18:00:00 +08:00
wxiaoguang
517a367abe Use ProtonMail/go-crypto to replace keybase/go-crypto (#33402)
Fix #33400

The keybase/go-crypto is no longer maintained and it generates malformed
signatures, ProtonMail/go-crypto is the actively maintained fork.
2025-01-27 09:14:08 +08:00
yp05327
124079871b Convert github.com/xanzy/go-gitlab into gitlab.com/gitlab-org/api/client-go (#33126)
Fix #32985
2025-01-08 13:10:43 +08:00
wxiaoguang
386c1ed908 Refactor HTMLFormat, update chroma render, fix js error (#33136)
A small refactor to improve HTMLFormat, to help to prevent low-level
mistakes.

And fix #33141, fix #33139
2025-01-08 03:44:32 +00:00
Rowan Bohde
a8e7caedfa add submodule diff links (#33097)
This adds links to submodules in diffs, similar to the existing link
when viewing a repo at a specific commit. It does this by expanding diff
parsing to recognize changes to submodules, and find the specific refs
that are added, deleted or changed.

Related #25888

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-01-08 01:38:30 +00:00
wxiaoguang
df9d1fe8c5 Trivial fixes (#33103)
1. remove `gock` dependency, it is not needed
2. fix a regression from org private profile readme
2025-01-04 22:25:50 +00:00
Lunny Xiao
8eecca3478 Remove aws go sdk package dependency (#33029)
This PR removed the dependency of `github.com/aws/aws-sdk-go/aws`

Patially fix for #33023
2024-12-30 06:30:28 +00:00
wxiaoguang
dafadf0028 Refactor fixture loading for testing (#33024)
To help binary size and testing performance
2024-12-30 04:06:57 +00:00
techknowlogick
420cda18e6 bump x/net (#32896) 2024-12-18 22:40:04 +00:00
wxiaoguang
2910f384d5 Fix misuse of PublicKeyCallback (#32810)
Only upgrading the ssh package is not enough.
2024-12-13 03:57:37 +00:00
Lunny Xiao
39a01016cd Upgrade dependency crypto library (#32750) 2024-12-11 13:07:48 -05:00
Lunny Xiao
5ab7aa700f Use new mail package instead of an unmintained one (#32682)
Resolve #18664
2024-12-05 06:33:43 +08:00
wxiaoguang
0aedb03996 Fix LFS route mock, realm, middleware names (#32488)
1. move "internal-lfs" route mock to "common-lfs"
2. fine tune tests
3. fix "realm" strings, according to RFC:
https://datatracker.ietf.org/doc/html/rfc2617:
    * realm       = "realm" "=" realm-value
    * realm-value = quoted-string
4. clarify some names of the middlewares, rename `ignXxx` to `optXxx` to
match `reqXxx`, and rename ambiguous `requireSignIn` to `reqGitSignIn`
2024-11-13 16:58:09 +08:00
silverwind
cad313e64f Update github.com/meilisearch/meilisearch-go (#32484)
Result of `go get -u github.com/meilisearch/meilisearch-go && make
tidy`.

Fixes: https://github.com/go-gitea/gitea/security/dependabot/78
2024-11-12 15:55:01 -05:00
Royce Remer
54146e62c0 Make LFS http_client parallel within a batch. (#32369)
Signed-off-by: Royce Remer <royceremer@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-11-04 04:49:08 +00:00
wxiaoguang
5e6523aa57 Update go dependencies (#32389) 2024-10-31 12:05:54 +00:00
YR Chen
08c963c921 Update github.com/go-enry/go-enry to v2.9.1 (#32295)
`go-enry` v2.9.1 includes latest file patterns from Linguist, which can
identify more generated file type, eg. `pdm.lock`.
2024-10-19 20:51:55 +08:00
Lunny Xiao
fa35ace9fb Fix bug when there are multiple triggers with workflow dispatch (#32200) 2024-10-07 03:50:38 +00:00
yp05327
70b7df0e5e Support repo license (#24872)
Close #278
Close #24076

## Solutions:
- Use
[google/licenseclassifier](https://github.com/google/licenseclassifier/)
Test result between
[google/licensecheck](https://github.com/google/licensecheck) and
[go-license-detector](https://github.com/go-enry/go-license-detector):
https://github.com/go-gitea/gitea/pull/24872#issuecomment-1560361167
Test result between
[google/licensecheck](https://github.com/google/licensecheck) and
[google/licenseclassifier](https://github.com/google/licenseclassifier/):
https://github.com/go-gitea/gitea/pull/24872#issuecomment-1576092178
- Generate License Convert Name List to avoid import license templates
with same contents
Gitea automatically get latest license data from[
spdx/license-list-data](https://github.com/spdx/license-list-data).
But unfortunately, some license templates have same contents. #20915
[click here to see the
list](https://github.com/go-gitea/gitea/pull/24872#issuecomment-1584141684)
So we will generate a list of these license templates with same contents
and create a new file to save the result when using `make
generate-license`. (Need to decide the save path)
- Save License info into a new table `repo_license`
Can easily support searching repo by license in the future.

## Screen shot
Single License:

![image](https://github.com/go-gitea/gitea/assets/18380374/41260bd7-0b4c-4038-8592-508706cffa9f)

Multiple Licenses:

![image](https://github.com/go-gitea/gitea/assets/18380374/34ce2f73-7e18-446b-9b96-ecc4fb61bd70)

Triggers:
- [x] Push commit to default branch
- [x] Create repo
- [x] Mirror repo
- [x] When Default Branch is changed, licenses should be updated

Todo:
- [x] Save Licenses info in to DB when there's a change to license file
in the commit
- [x] DB Migration
- [x] A nominal test?
- [x] Select which library to
use(https://github.com/go-gitea/gitea/pull/24872#issuecomment-1560361167)
- [x] API Support
- [x] Add repo license table
- ~Select license in settings if there are several licenses(Not
recommended)~
- License board(later, not in this PR)

![image](https://github.com/go-gitea/gitea/assets/18380374/2c3c3bf8-bcc2-4c6d-8ce0-81d1a9733878)

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: 6543 <m.huber@kithara.com>
Co-authored-by: a1012112796 <1012112796@qq.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.com>
2024-10-01 15:25:08 -04:00
Manuel Valls Fernández
5015de4d9a Bump minio-go to latest version (#32156)
Current minio-go version has issues with S3 compatible storages like
Backblaze or Wasabi. This was fixed in
https://github.com/minio/minio-go/pull/1980 .
2024-09-30 09:57:48 +08:00
ConcurrentCrab
8a9fd7f771 Add pure SSH LFS support (#31516)
Fixes #17554
/claim #17554

Docs PR https://gitea.com/gitea/docs/pulls/49

To test, run pushes like: `GIT_TRACE=1` git push. The trace output
should mention "pure SSH connection".
2024-09-27 10:27:37 -04:00
Lunny Xiao
8cdf4e29c4 Fix CI (#32062) 2024-09-17 19:35:59 +00:00
Zettat123
def1c9670b Support migration from AWS CodeCommit (#31981)
This PR adds support for migrating repos from [AWS
CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html).

The access key ID and secret access key are required to get repository
information and pull requests. And [HTTPS Git
credentials](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-gc.html)
are required to clone the repository.

<img
src="https://github.com/user-attachments/assets/82ecb2d0-8d43-42b0-b5af-f5347a13b9d0"
width="680" />

The AWS CodeCommit icon is from [AWS Architecture
Icons](https://aws.amazon.com/architecture/icons/).

<img
src="https://github.com/user-attachments/assets/3c44d21f-d753-40f5-9eae-5d3589e0d50d"
width="320" />
2024-09-11 07:49:42 +08:00
techknowlogick
d9a7748cdc bump to go 1.23 (#31855) 2024-09-10 02:23:07 +00:00
Wim
01dec7577a Remove SHA1 for support for ssh rsa signing (#31857)
https://github.com/go-fed/httpsig seems to be unmaintained. 

Switch to github.com/42wim/httpsig which has removed deprecated crypto
and default sha256 signing for ssh rsa.

No impact for those that use ed25519 ssh certificates.

This is a breaking change for:
- gitea.com/gitea/tea (go-sdk) - I'll be sending a PR there too
- activitypub using deprecated crypto (is this actually used?)
2024-09-07 18:05:18 -04:00
Lunny Xiao
d8f3498875 Upgrade cache to v0.2.1 (#32003)
Fix #31757
2024-09-07 17:12:37 +00:00
Jason Song
1e4be0945b Introduce globallock as distributed locks (#31908)
To help #31813, but do not replace it, since this PR just introduces the
new module but misses some work:

- New option in settings. `#31813` has done it.
- Use the locks in business logic. `#31813` has done it.

So I think the most efficient way is to merge this PR first (if it's
acceptable) and then finish #31813.

## Design principles

### Use spinlock even in memory implementation

In actual use cases, users may cancel requests. `sync.Mutex` will block
the goroutine until the lock is acquired even if the request is
canceled. And the spinlock is more suitable for this scenario since it's
possible to give up the lock acquisition.

Although the spinlock consumes more CPU resources, I think it's
acceptable in most cases.

### Do not expose the mutex to callers

If we expose the mutex to callers, it's possible for callers to reuse
the mutex, which causes more complexity.

For example:
```go
lock := GetLocker(key)
lock.Lock()
// ...
// even if the lock is unlocked, we cannot GC the lock,
// since the caller may still use it again.
lock.Unlock()
lock.Lock()
// ...
lock.Unlock()

// callers have to GC the lock manually.
RemoveLocker(key)
```

That's why
https://github.com/go-gitea/gitea/pull/31813#discussion_r1721200549

In this PR, we only expose `ReleaseFunc` to callers. So callers just
need to call `ReleaseFunc` to release the lock, and do not need to care
about the lock's lifecycle.
```go
_, release, err := locker.Lock(ctx, key)
if err != nil {
    return err
}
// ...
release()

// if callers want to lock again, they have to re-acquire the lock.
_, release, err := locker.Lock(ctx, key)
// ...
```

In this way, it's also much easier for redis implementation to extend
the mutex automatically, so that callers do not need to care about the
lock's lifecycle. See also
https://github.com/go-gitea/gitea/pull/31813#discussion_r1722659743

### Use "release" instead of "unlock"

For "unlock", it has the meaning of "unlock an acquired lock". So it's
not acceptable to call "unlock" when failed to acquire the lock, or call
"unlock" multiple times. It causes more complexity for callers to decide
whether to call "unlock" or not.

So we use "release" instead of "unlock" to make it clear. Whether the
lock is acquired or not, callers can always call "release", and it's
also safe to call "release" multiple times.

But the code DO NOT expect callers to not call "release" after acquiring
the lock. If callers forget to call "release", it will cause resource
leak. That's why it's always safe to call "release" without extra
checks: to avoid callers to forget to call it.

### Acquired locks could be lost

Unlike `sync.Mutex` which will be locked forever once acquired until
calling `Unlock`, in the new module, the acquired lock could be lost.

For example, the caller has acquired the lock, and it holds the lock for
a long time since auto-extending is working for redis. However, it lost
the connection to the redis server, and it's impossible to extend the
lock anymore.

If the caller don't stop what it's doing, another instance which can
connect to the redis server could acquire the lock, and do the same
thing, which could cause data inconsistency.

So the caller should know what happened, the solution is to return a new
context which will be canceled if the lock is lost or released:

```go
ctx, release, err := locker.Lock(ctx, key)
if err != nil {
    return err
}
defer release()
// ...
DoSomething(ctx)

// the lock is lost now, then ctx has been canceled.

// Failed, since ctx has been canceled.
DoSomethingElse(ctx)
```

### Multiple ways to use the lock

1. Regular way

```go
ctx, release, err := Lock(ctx, key)
if err != nil {
    return err
}
defer release()
// ...
```

2. Early release

```go
ctx, release, err := Lock(ctx, key)
if err != nil {
    return err
}
defer release()
// ...
// release the lock earlier and reset the context back
ctx = release()
// continue to do something else
// ...
```

3. Functional way

```go
if err := LockAndDo(ctx, key, func(ctx context.Context) error {
    // ...
    return nil
}); err != nil {
    return err
}
```
2024-08-26 22:27:57 +08:00
Jason Song
33cc5837a6 Support compression for Actions logs (#31761)
Support compression for Actions logs to save storage space and
bandwidth. Inspired by
https://github.com/go-gitea/gitea/issues/24256#issuecomment-1521153015

The biggest challenge is that the compression format should support
[seekable](https://github.com/facebook/zstd/blob/dev/contrib/seekable_format/zstd_seekable_compression_format.md).
So when users are viewing a part of the log lines, Gitea doesn't need to
download the whole compressed file and decompress it.

That means gzip cannot help here. And I did research, there aren't too
many choices, like bgzip and xz, but I think zstd is the most popular
one. It has an implementation in Golang with
[zstd](https://github.com/klauspost/compress/tree/master/zstd) and
[zstd-seekable-format-go](https://github.com/SaveTheRbtz/zstd-seekable-format-go),
and what is better is that it has good compatibility: a seekable format
zstd file can be read by a regular zstd reader.

This PR introduces a new package `zstd` to combine and wrap the two
packages, to provide a unified and easy-to-use API.

And a new setting `LOG_COMPRESSION` is added to the config, although I
don't see any reason why not to use compression, I think's it's a good
idea to keep the default with `none` to be consistent with old versions.

`LOG_COMPRESSION` takes effect for only new log files, it adds `.zst` as
an extension to the file name, so Gitea can determine if it needs
decompression according to the file name when reading. Old files will
keep the format since it's not worth converting them, as they will be
cleared after #31735.

<img width="541" alt="image"
src="https://github.com/user-attachments/assets/e9598764-a4e0-4b68-8c2b-f769265183c9">
2024-08-09 10:10:30 +08:00
Lunny Xiao
237b981164 Upgrade bleve to 2.4.2 (#31762) 2024-08-02 19:32:31 +00:00
techknowlogick
ba9589a92d fix redis dep (#31662)
fix https://github.com/go-gitea/gitea/issues/31658
2024-07-19 20:10:31 +00:00
Lunny Xiao
0d08bb6112 Upgrade xorm to v1.3.9 and improve some migrations Sync (#29899)
Co-authored-by: 6543 <6543@obermui.de>
2024-07-14 17:15:59 -04:00
silverwind
b270b30aeb Update golang.org/x/image to v0.18.0 (#31541)
Result of `go get -u  golang.org/x/image && make tidy`

Fixes: https://github.com/go-gitea/gitea/security/dependabot/67
2024-07-02 15:41:14 -04:00
techknowlogick
a4899ffa24 bump golang deps (#31422) 2024-06-24 13:26:42 +00:00
Yarden Shoham
9c8092807a Switch to upstream of gorilla/feeds (#31400)
They merged the PR we waited for.

- Reference: https://github.com/gorilla/feeds/pull/107
- Follows: https://github.com/go-gitea/gitea/pull/28860

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-06-18 16:05:28 +08:00
silverwind
24dace8f76 Update golang.org/x/net (#31260)
Result of `go get -u golang.org/x/net && make tidy`. ~~Fixes
https://pkg.go.dev/vuln/GO-2024-2887.~~
2024-06-06 04:29:42 +00:00