fix attachment file size limit in server backend (#35519)

fix #35512

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

cmd/serv.go

@@ -13,7 +13,6 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
-	"time"
 	"unicode"
 
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
@@ -32,7 +31,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/services/lfs"
 
-	"github.com/golang-jwt/jwt/v5"
 	"github.com/kballard/go-shellquote"
 	"github.com/urfave/cli/v3"
 )
@@ -133,27 +131,6 @@ func getAccessMode(verb, lfsVerb string) perm.AccessMode {
 	return perm.AccessModeNone
 }
 
-func getLFSAuthToken(ctx context.Context, lfsVerb string, results *private.ServCommandResults) (string, error) {
-	now := time.Now()
-	claims := lfs.Claims{
-		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(now.Add(setting.LFS.HTTPAuthExpiry)),
-			NotBefore: jwt.NewNumericDate(now),
-		},
-		RepoID: results.RepoID,
-		Op:     lfsVerb,
-		UserID: results.UserID,
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-
-	// Sign and get the complete encoded token as a string using the secret
-	tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
-	if err != nil {
-		return "", fail(ctx, "Failed to sign JWT Token", "Failed to sign JWT token: %v", err)
-	}
-	return "Bearer " + tokenString, nil
-}
-
 func runServ(ctx context.Context, c *cli.Command) error {
 	// FIXME: This needs to internationalised
 	setup(ctx, c.Bool("debug"))
@@ -283,7 +260,7 @@ func runServ(ctx context.Context, c *cli.Command) error {
 
 	// LFS SSH protocol
 	if verb == git.CmdVerbLfsTransfer {
-		token, err := getLFSAuthToken(ctx, lfsVerb, results)
+		token, err := lfs.GetLFSAuthTokenWithBearer(lfs.AuthTokenOptions{Op: lfsVerb, UserID: results.UserID, RepoID: results.RepoID})
 		if err != nil {
 			return err
 		}
@@ -294,7 +271,7 @@ func runServ(ctx context.Context, c *cli.Command) error {
 	if verb == git.CmdVerbLfsAuthenticate {
 		url := fmt.Sprintf("%s%s/%s.git/info/lfs", setting.AppURL, url.PathEscape(results.OwnerName), url.PathEscape(results.RepoName))
 
-		token, err := getLFSAuthToken(ctx, lfsVerb, results)
+		token, err := lfs.GetLFSAuthTokenWithBearer(lfs.AuthTokenOptions{Op: lfsVerb, UserID: results.UserID, RepoID: results.RepoID})
 		if err != nil {
 			return err
 		}

custom/conf/app.example.ini

@@ -1343,6 +1343,10 @@ LEVEL = Info
 ;; Dont mistake it for Reactions.
 ;CUSTOM_EMOJIS = gitea, codeberg, gitlab, git, github, gogs
 ;;
+;; Comma separated list of enabled emojis, for example: smile, thumbsup, thumbsdown
+;; Leave it empty to enable all emojis.
+;ENABLED_EMOJIS =
+;;
 ;; Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
 ;DEFAULT_SHOW_FULL_NAME = false
 ;;

models/asymkey/ssh_key.go

@@ -67,13 +67,6 @@ func (key *PublicKey) OmitEmail() string {
 	return strings.Join(strings.Split(key.Content, " ")[:2], " ")
 }
 
-// AuthorizedString returns formatted public key string for authorized_keys file.
-//
-// TODO: Consider dropping this function
-func (key *PublicKey) AuthorizedString() string {
-	return AuthorizedStringForKey(key)
-}
-
 func addKey(ctx context.Context, key *PublicKey) (err error) {
 	if len(key.Fingerprint) == 0 {
 		key.Fingerprint, err = CalcFingerprint(key.Content)

models/asymkey/ssh_key_authorized_keys.go

@@ -17,29 +17,13 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
+
+	"golang.org/x/crypto/ssh"
 )
 
-//  _____          __  .__                 .__                  .___
-// /  _  \  __ ___/  |_|  |__   ___________|__|_______ ____   __| _/
-// /  /_\  \|  |  \   __\  |  \ /  _ \_  __ \  \___   // __ \ / __ |
-// /    |    \  |  /|  | |   Y  (  <_> )  | \/  |/    /\  ___// /_/ |
-// \____|__  /____/ |__| |___|  /\____/|__|  |__/_____ \\___  >____ |
-//         \/                 \/                      \/    \/     \/
-// ____  __.
-// |    |/ _|____ ___.__. ______
-// |      <_/ __ <   |  |/  ___/
-// |    |  \  ___/\___  |\___ \
-// |____|__ \___  > ____/____  >
-//         \/   \/\/         \/
-//
-// This file contains functions for creating authorized_keys files
-//
-// There is a dependence on the database within RegeneratePublicKeys however most of these functions probably belong in a module
-
-const (
-	tplCommentPrefix = `# gitea public key`
-	tplPublicKey     = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
-)
+// AuthorizedStringCommentPrefix is a magic tag
+// some functions like RegeneratePublicKeys needs this tag to skip the keys generated by Gitea, while keep other keys
+const AuthorizedStringCommentPrefix = `# gitea public key`
 
 var sshOpLocker sync.Mutex
 
@@ -50,17 +34,45 @@ func WithSSHOpLocker(f func() error) error {
 }
 
 // AuthorizedStringForKey creates the authorized keys string appropriate for the provided key
-func AuthorizedStringForKey(key *PublicKey) string {
+func AuthorizedStringForKey(key *PublicKey) (string, error) {
 	sb := &strings.Builder{}
-	_ = setting.SSH.AuthorizedKeysCommandTemplateTemplate.Execute(sb, map[string]any{
+	_, err := writeAuthorizedStringForKey(key, sb)
+	return sb.String(), err
+}
+
+// WriteAuthorizedStringForValidKey writes the authorized key for the provided key. If the key is invalid, it does nothing.
+func WriteAuthorizedStringForValidKey(key *PublicKey, w io.Writer) error {
+	validKey, err := writeAuthorizedStringForKey(key, w)
+	if !validKey {
+		log.Debug("WriteAuthorizedStringForValidKey: key %s is not valid: %v", key, err)
+		return nil
+	}
+	return err
+}
+
+func writeAuthorizedStringForKey(key *PublicKey, w io.Writer) (keyValid bool, err error) {
+	const tpl = AuthorizedStringCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s %s` + "\n"
+	pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key.Content))
+	if err != nil {
+		return false, err
+	}
+	// now the key is valid, the code below could only return template/IO related errors
+	sbCmd := &strings.Builder{}
+	err = setting.SSH.AuthorizedKeysCommandTemplateTemplate.Execute(sbCmd, map[string]any{
 		"AppPath":     util.ShellEscape(setting.AppPath),
 		"AppWorkPath": util.ShellEscape(setting.AppWorkPath),
 		"CustomConf":  util.ShellEscape(setting.CustomConf),
 		"CustomPath":  util.ShellEscape(setting.CustomPath),
 		"Key":         key,
 	})
-
-	return fmt.Sprintf(tplPublicKey, util.ShellEscape(sb.String()), key.Content)
+	if err != nil {
+		return true, err
+	}
+	sshCommandEscaped := util.ShellEscape(sbCmd.String())
+	sshKeyMarshalled := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(pubKey)))
+	sshKeyComment := fmt.Sprintf("user-%d", key.OwnerID)
+	_, err = fmt.Fprintf(w, tpl, sshCommandEscaped, sshKeyMarshalled, sshKeyComment)
+	return true, err
 }
 
 // appendAuthorizedKeysToFile appends new SSH keys' content to authorized_keys file.
@@ -112,7 +124,7 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 		if key.Type == KeyTypePrincipal {
 			continue
 		}
-		if _, err = f.WriteString(key.AuthorizedString()); err != nil {
+		if err = WriteAuthorizedStringForValidKey(key, f); err != nil {
 			return err
 		}
 	}
@@ -120,10 +132,9 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 }
 
 // RegeneratePublicKeys regenerates the authorized_keys file
-func RegeneratePublicKeys(ctx context.Context, t io.StringWriter) error {
+func RegeneratePublicKeys(ctx context.Context, t io.Writer) error {
 	if err := db.GetEngine(ctx).Where("type != ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean any) (err error) {
-		_, err = t.WriteString((bean.(*PublicKey)).AuthorizedString())
-		return err
+		return WriteAuthorizedStringForValidKey(bean.(*PublicKey), t)
 	}); err != nil {
 		return err
 	}
@@ -144,11 +155,11 @@ func RegeneratePublicKeys(ctx context.Context, t io.StringWriter) error {
 		scanner := bufio.NewScanner(f)
 		for scanner.Scan() {
 			line := scanner.Text()
-			if strings.HasPrefix(line, tplCommentPrefix) {
+			if strings.HasPrefix(line, AuthorizedStringCommentPrefix) {
 				scanner.Scan()
 				continue
 			}
-			_, err = t.WriteString(line + "\n")
+			_, err = io.WriteString(t, line+"\n")
 			if err != nil {
 				return err
 			}

models/git/commit_status.go

@@ -30,17 +30,21 @@ import (
 
 // CommitStatus holds a single Status of a single Commit
 type CommitStatus struct {
-	ID          int64                          `xorm:"pk autoincr"`
-	Index       int64                          `xorm:"INDEX UNIQUE(repo_sha_index)"`
-	RepoID      int64                          `xorm:"INDEX UNIQUE(repo_sha_index)"`
-	Repo        *repo_model.Repository         `xorm:"-"`
-	State       commitstatus.CommitStatusState `xorm:"VARCHAR(7) NOT NULL"`
-	SHA         string                         `xorm:"VARCHAR(64) NOT NULL INDEX UNIQUE(repo_sha_index)"`
-	TargetURL   string                         `xorm:"TEXT"`
-	Description string                         `xorm:"TEXT"`
-	ContextHash string                         `xorm:"VARCHAR(64) index"`
-	Context     string                         `xorm:"TEXT"`
-	Creator     *user_model.User               `xorm:"-"`
+	ID     int64                          `xorm:"pk autoincr"`
+	Index  int64                          `xorm:"INDEX UNIQUE(repo_sha_index)"`
+	RepoID int64                          `xorm:"INDEX UNIQUE(repo_sha_index)"`
+	Repo   *repo_model.Repository         `xorm:"-"`
+	State  commitstatus.CommitStatusState `xorm:"VARCHAR(7) NOT NULL"`
+	SHA    string                         `xorm:"VARCHAR(64) NOT NULL INDEX UNIQUE(repo_sha_index)"`
+
+	// TargetURL points to the commit status page reported by a CI system
+	// If Gitea Actions is used, it is a relative link like "{RepoLink}/actions/runs/{RunID}/jobs{JobID}"
+	TargetURL string `xorm:"TEXT"`
+
+	Description string           `xorm:"TEXT"`
+	ContextHash string           `xorm:"VARCHAR(64) index"`
+	Context     string           `xorm:"TEXT"`
+	Creator     *user_model.User `xorm:"-"`
 	CreatorID   int64
 
 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
@@ -211,21 +215,45 @@ func (status *CommitStatus) LocaleString(lang translation.Locale) string {
 
 // HideActionsURL set `TargetURL` to an empty string if the status comes from Gitea Actions
 func (status *CommitStatus) HideActionsURL(ctx context.Context) {
+	if _, ok := status.cutTargetURLGiteaActionsPrefix(ctx); ok {
+		status.TargetURL = ""
+	}
+}
+
+func (status *CommitStatus) cutTargetURLGiteaActionsPrefix(ctx context.Context) (string, bool) {
 	if status.RepoID == 0 {
-		return
+		return "", false
 	}
 
 	if status.Repo == nil {
 		if err := status.loadRepository(ctx); err != nil {
 			log.Error("loadRepository: %v", err)
-			return
+			return "", false
 		}
 	}
 
 	prefix := status.Repo.Link() + "/actions"
-	if strings.HasPrefix(status.TargetURL, prefix) {
-		status.TargetURL = ""
+	return strings.CutPrefix(status.TargetURL, prefix)
+}
+
+// ParseGiteaActionsTargetURL parses the commit status target URL as Gitea Actions link
+func (status *CommitStatus) ParseGiteaActionsTargetURL(ctx context.Context) (runID, jobID int64, ok bool) {
+	s, ok := status.cutTargetURLGiteaActionsPrefix(ctx)
+	if !ok {
+		return 0, 0, false
 	}
+
+	parts := strings.Split(s, "/") // expect: /runs/{runID}/jobs/{jobID}
+	if len(parts) < 5 || parts[1] != "runs" || parts[3] != "jobs" {
+		return 0, 0, false
+	}
+
+	runID, err1 := strconv.ParseInt(parts[2], 10, 64)
+	jobID, err2 := strconv.ParseInt(parts[4], 10, 64)
+	if err1 != nil || err2 != nil {
+		return 0, 0, false
+	}
+	return runID, jobID, true
 }
 
 // CalcCommitStatus returns commit status state via some status, the commit statues should order by id desc

models/organization/org.go

@@ -429,6 +429,10 @@ func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User)
 		return true
 	}
 
+	if !setting.Service.RequireSignInViewStrict && orgOrUser.Visibility == structs.VisibleTypePublic {
+		return true
+	}
+
 	if (orgOrUser.Visibility == structs.VisibleTypePrivate || user.IsRestricted) && !OrgFromUser(orgOrUser).hasMemberWithUserID(ctx, user.ID) {
 		return false
 	}

models/organization/org_test.go

@@ -13,7 +13,9 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/test"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -382,6 +384,12 @@ func TestHasOrgVisibleTypePublic(t *testing.T) {
 	assert.True(t, test1) // owner of org
 	assert.True(t, test2) // user not a part of org
 	assert.True(t, test3) // logged out user
+
+	restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29, IsRestricted: true})
+	require.True(t, restrictedUser.IsRestricted)
+	assert.True(t, organization.HasOrgOrUserVisible(t.Context(), org.AsUser(), restrictedUser))
+	defer test.MockVariableValue(&setting.Service.RequireSignInViewStrict, true)()
+	assert.False(t, organization.HasOrgOrUserVisible(t.Context(), org.AsUser(), restrictedUser))
 }
 
 func TestHasOrgVisibleTypeLimited(t *testing.T) {

models/perm/access/access.go

@@ -13,6 +13,8 @@ import (
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
 
 	"xorm.io/builder"
 )
@@ -41,7 +43,12 @@ func accessLevel(ctx context.Context, user *user_model.User, repo *repo_model.Re
 		restricted = user.IsRestricted
 	}
 
-	if !restricted && !repo.IsPrivate {
+	if err := repo.LoadOwner(ctx); err != nil {
+		return mode, err
+	}
+
+	repoIsFullyPublic := !setting.Service.RequireSignInViewStrict && repo.Owner.Visibility == structs.VisibleTypePublic && !repo.IsPrivate
+	if (restricted && repoIsFullyPublic) || (!restricted && !repo.IsPrivate) {
 		mode = perm.AccessModeRead
 	}
 

models/perm/access/access_test.go

@@ -12,6 +12,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -51,7 +52,14 @@ func TestAccessLevel(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, perm_model.AccessModeNone, level)
 
-	// restricted user has no access to a public repo
+	// restricted user has default access to a public repo if no sign-in is required
+	setting.Service.RequireSignInViewStrict = false
+	level, err = access_model.AccessLevel(t.Context(), user29, repo1)
+	assert.NoError(t, err)
+	assert.Equal(t, perm_model.AccessModeRead, level)
+
+	// restricted user has no access to a public repo if sign-in is required
+	setting.Service.RequireSignInViewStrict = true
 	level, err = access_model.AccessLevel(t.Context(), user29, repo1)
 	assert.NoError(t, err)
 	assert.Equal(t, perm_model.AccessModeNone, level)

models/repo/repo_list.go

@@ -642,6 +642,17 @@ func SearchRepositoryIDsByCondition(ctx context.Context, cond builder.Cond) ([]i
 		Find(&repoIDs)
 }
 
+func userAllPublicRepoCond(cond builder.Cond, orgVisibilityLimit []structs.VisibleType) builder.Cond {
+	return cond.Or(builder.And(
+		builder.Eq{"`repository`.is_private": false},
+		// Aren't in a private organisation or limited organisation if we're not logged in
+		builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(
+			builder.And(
+				builder.Eq{"type": user_model.UserTypeOrganization},
+				builder.In("visibility", orgVisibilityLimit)),
+		))))
+}
+
 // AccessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible
 func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) builder.Cond {
 	cond := builder.NewCond()
@@ -651,15 +662,8 @@ func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) bu
 		if user == nil || user.ID <= 0 {
 			orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
 		}
-		// 1. Be able to see all non-private repositories that either:
-		cond = cond.Or(builder.And(
-			builder.Eq{"`repository`.is_private": false},
-			// 2. Aren't in an private organisation or limited organisation if we're not logged in
-			builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(
-				builder.And(
-					builder.Eq{"type": user_model.UserTypeOrganization},
-					builder.In("visibility", orgVisibilityLimit)),
-			))))
+		// 1. Be able to see all non-private repositories
+		cond = userAllPublicRepoCond(cond, orgVisibilityLimit)
 	}
 
 	if user != nil {
@@ -683,6 +687,9 @@ func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) bu
 		if !user.IsRestricted {
 			// 5. Be able to see all public repos in private organizations that we are an org_user of
 			cond = cond.Or(userOrgPublicRepoCond(user.ID))
+		} else if !setting.Service.RequireSignInViewStrict {
+			orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate, structs.VisibleTypeLimited}
+			cond = userAllPublicRepoCond(cond, orgVisibilityLimit)
 		}
 	}
 

models/repo/repo_list_test.go

@@ -10,9 +10,14 @@ import (
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/test"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func getTestCases() []struct {
@@ -182,7 +187,16 @@ func getTestCases() []struct {
 
 func TestSearchRepository(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
+	t.Run("SearchRepositoryPublic", testSearchRepositoryPublic)
+	t.Run("SearchRepositoryPublicRestricted", testSearchRepositoryRestricted)
+	t.Run("SearchRepositoryPrivate", testSearchRepositoryPrivate)
+	t.Run("SearchRepositoryNonExistingOwner", testSearchRepositoryNonExistingOwner)
+	t.Run("SearchRepositoryWithInDescription", testSearchRepositoryWithInDescription)
+	t.Run("SearchRepositoryNotInDescription", testSearchRepositoryNotInDescription)
+	t.Run("SearchRepositoryCases", testSearchRepositoryCases)
+}
 
+func testSearchRepositoryPublic(t *testing.T) {
 	// test search public repository on explore page
 	repos, count, err := repo_model.SearchRepositoryByName(t.Context(), repo_model.SearchRepoOptions{
 		ListOptions: db.ListOptions{
@@ -211,9 +225,54 @@ func TestSearchRepository(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, int64(2), count)
 	assert.Len(t, repos, 2)
+}
 
+func testSearchRepositoryRestricted(t *testing.T) {
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29, IsRestricted: true})
+
+	performSearch := func(t *testing.T, user *user_model.User) (publicRepoIDs []int64) {
+		repos, count, err := repo_model.SearchRepositoryByName(t.Context(), repo_model.SearchRepoOptions{
+			ListOptions: db.ListOptions{Page: 1, PageSize: 10000},
+			Actor:       user,
+		})
+		require.NoError(t, err)
+		assert.Len(t, repos, int(count))
+		for _, repo := range repos {
+			require.NoError(t, repo.LoadOwner(t.Context()))
+			if repo.Owner.Visibility == structs.VisibleTypePublic && !repo.IsPrivate {
+				publicRepoIDs = append(publicRepoIDs, repo.ID)
+			}
+		}
+		return publicRepoIDs
+	}
+
+	normalPublicRepoIDs := performSearch(t, user2)
+	require.Greater(t, len(normalPublicRepoIDs), 10) // quite a lot
+
+	t.Run("RestrictedUser-NoSignInRequirement", func(t *testing.T) {
+		// restricted user can also see public repositories if no "required sign-in"
+		repoIDs := performSearch(t, restrictedUser)
+		assert.ElementsMatch(t, normalPublicRepoIDs, repoIDs)
+	})
+
+	defer test.MockVariableValue(&setting.Service.RequireSignInViewStrict, true)()
+
+	t.Run("NormalUser-RequiredSignIn", func(t *testing.T) {
+		// normal user can still see all public repos, not affected by "required sign-in"
+		repoIDs := performSearch(t, user2)
+		assert.ElementsMatch(t, normalPublicRepoIDs, repoIDs)
+	})
+	t.Run("RestrictedUser-RequiredSignIn", func(t *testing.T) {
+		// restricted user can see only their own repo
+		repoIDs := performSearch(t, restrictedUser)
+		assert.Equal(t, []int64{4}, repoIDs)
+	})
+}
+
+func testSearchRepositoryPrivate(t *testing.T) {
 	// test search private repository on explore page
-	repos, count, err = repo_model.SearchRepositoryByName(t.Context(), repo_model.SearchRepoOptions{
+	repos, count, err := repo_model.SearchRepositoryByName(t.Context(), repo_model.SearchRepoOptions{
 		ListOptions: db.ListOptions{
 			Page:     1,
 			PageSize: 10,
@@ -242,16 +301,18 @@ func TestSearchRepository(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, int64(3), count)
 	assert.Len(t, repos, 3)
+}
 
-	// Test non existing owner
-	repos, count, err = repo_model.SearchRepositoryByName(t.Context(), repo_model.SearchRepoOptions{OwnerID: unittest.NonexistentID})
+func testSearchRepositoryNonExistingOwner(t *testing.T) {
+	repos, count, err := repo_model.SearchRepositoryByName(t.Context(), repo_model.SearchRepoOptions{OwnerID: unittest.NonexistentID})
 
 	assert.NoError(t, err)
 	assert.Empty(t, repos)
 	assert.Equal(t, int64(0), count)
+}
 
-	// Test search within description
-	repos, count, err = repo_model.SearchRepository(t.Context(), repo_model.SearchRepoOptions{
+func testSearchRepositoryWithInDescription(t *testing.T) {
+	repos, count, err := repo_model.SearchRepository(t.Context(), repo_model.SearchRepoOptions{
 		ListOptions: db.ListOptions{
 			Page:     1,
 			PageSize: 10,
@@ -266,9 +327,10 @@ func TestSearchRepository(t *testing.T) {
 		assert.Equal(t, "test_repo_14", repos[0].Name)
 	}
 	assert.Equal(t, int64(1), count)
+}
 
-	// Test NOT search within description
-	repos, count, err = repo_model.SearchRepository(t.Context(), repo_model.SearchRepoOptions{
+func testSearchRepositoryNotInDescription(t *testing.T) {
+	repos, count, err := repo_model.SearchRepository(t.Context(), repo_model.SearchRepoOptions{
 		ListOptions: db.ListOptions{
 			Page:     1,
 			PageSize: 10,
@@ -281,7 +343,9 @@ func TestSearchRepository(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Empty(t, repos)
 	assert.Equal(t, int64(0), count)
+}
 
+func testSearchRepositoryCases(t *testing.T) {
 	testCases := getTestCases()
 
 	for _, testCase := range testCases {

models/repo/upload.go

@@ -127,16 +127,9 @@ func DeleteUploads(ctx context.Context, uploads ...*Upload) (err error) {
 
 	for _, upload := range uploads {
 		localPath := upload.LocalPath()
-		isFile, err := util.IsFile(localPath)
-		if err != nil {
-			log.Error("Unable to check if %s is a file. Error: %v", localPath, err)
-		}
-		if !isFile {
-			continue
-		}
-
 		if err := util.Remove(localPath); err != nil {
-			return fmt.Errorf("remove upload: %w", err)
+			// just continue, don't fail the whole operation if a file is missing (removed by others)
+			log.Error("unable to remove upload file %s: %v", localPath, err)
 		}
 	}
 

modules/emoji/emoji.go

@@ -8,7 +8,9 @@ import (
 	"io"
 	"sort"
 	"strings"
-	"sync"
+	"sync/atomic"
+
+	"code.gitea.io/gitea/modules/setting"
 )
 
 // Gemoji is a set of emoji data.
@@ -23,74 +25,78 @@ type Emoji struct {
 	SkinTones      bool
 }
 
-var (
-	// codeMap provides a map of the emoji unicode code to its emoji data.
-	codeMap map[string]int
+type globalVarsStruct struct {
+	codeMap       map[string]int    // emoji unicode code to its emoji data.
+	aliasMap      map[string]int    // the alias to its emoji data.
+	emptyReplacer *strings.Replacer // string replacer for emoji codes, used for finding emoji positions.
+	codeReplacer  *strings.Replacer // string replacer for emoji codes.
+	aliasReplacer *strings.Replacer // string replacer for emoji aliases.
+}
 
-	// aliasMap provides a map of the alias to its emoji data.
-	aliasMap map[string]int
+var globalVarsStore atomic.Pointer[globalVarsStruct]
 
-	// emptyReplacer is the string replacer for emoji codes.
-	emptyReplacer *strings.Replacer
+func globalVars() *globalVarsStruct {
+	vars := globalVarsStore.Load()
+	if vars != nil {
+		return vars
+	}
+	// although there can be concurrent calls, the result should be the same, and there is no performance problem
+	vars = &globalVarsStruct{}
+	vars.codeMap = make(map[string]int, len(GemojiData))
+	vars.aliasMap = make(map[string]int, len(GemojiData))
 
-	// codeReplacer is the string replacer for emoji codes.
-	codeReplacer *strings.Replacer
+	// process emoji codes and aliases
+	codePairs := make([]string, 0)
+	emptyPairs := make([]string, 0)
+	aliasPairs := make([]string, 0)
 
-	// aliasReplacer is the string replacer for emoji aliases.
-	aliasReplacer *strings.Replacer
+	// sort from largest to small so we match combined emoji first
+	sort.Slice(GemojiData, func(i, j int) bool {
+		return len(GemojiData[i].Emoji) > len(GemojiData[j].Emoji)
+	})
 
-	once sync.Once
-)
-
-func loadMap() {
-	once.Do(func() {
-		// initialize
-		codeMap = make(map[string]int, len(GemojiData))
-		aliasMap = make(map[string]int, len(GemojiData))
-
-		// process emoji codes and aliases
-		codePairs := make([]string, 0)
-		emptyPairs := make([]string, 0)
-		aliasPairs := make([]string, 0)
-
-		// sort from largest to small so we match combined emoji first
-		sort.Slice(GemojiData, func(i, j int) bool {
-			return len(GemojiData[i].Emoji) > len(GemojiData[j].Emoji)
-		})
-
-		for i, e := range GemojiData {
-			if e.Emoji == "" || len(e.Aliases) == 0 {
-				continue
-			}
-
-			// setup codes
-			codeMap[e.Emoji] = i
-			codePairs = append(codePairs, e.Emoji, ":"+e.Aliases[0]+":")
-			emptyPairs = append(emptyPairs, e.Emoji, e.Emoji)
-
-			// setup aliases
-			for _, a := range e.Aliases {
-				if a == "" {
-					continue
-				}
-
-				aliasMap[a] = i
-				aliasPairs = append(aliasPairs, ":"+a+":", e.Emoji)
-			}
+	for idx, emoji := range GemojiData {
+		if emoji.Emoji == "" || len(emoji.Aliases) == 0 {
+			continue
 		}
 
-		// create replacers
-		emptyReplacer = strings.NewReplacer(emptyPairs...)
-		codeReplacer = strings.NewReplacer(codePairs...)
-		aliasReplacer = strings.NewReplacer(aliasPairs...)
-	})
+		// process aliases
+		firstAlias := ""
+		for _, alias := range emoji.Aliases {
+			if alias == "" {
+				continue
+			}
+			enabled := len(setting.UI.EnabledEmojisSet) == 0 || setting.UI.EnabledEmojisSet.Contains(alias)
+			if !enabled {
+				continue
+			}
+			if firstAlias == "" {
+				firstAlias = alias
+			}
+			vars.aliasMap[alias] = idx
+			aliasPairs = append(aliasPairs, ":"+alias+":", emoji.Emoji)
+		}
+
+		// process emoji code
+		if firstAlias != "" {
+			vars.codeMap[emoji.Emoji] = idx
+			codePairs = append(codePairs, emoji.Emoji, ":"+emoji.Aliases[0]+":")
+			emptyPairs = append(emptyPairs, emoji.Emoji, emoji.Emoji)
+		}
+	}
+
+	// create replacers
+	vars.emptyReplacer = strings.NewReplacer(emptyPairs...)
+	vars.codeReplacer = strings.NewReplacer(codePairs...)
+	vars.aliasReplacer = strings.NewReplacer(aliasPairs...)
+	globalVarsStore.Store(vars)
+	return vars
 }
 
 // FromCode retrieves the emoji data based on the provided unicode code (ie,
 // "\u2618" will return the Gemoji data for "shamrock").
 func FromCode(code string) *Emoji {
-	loadMap()
-	i, ok := codeMap[code]
+	i, ok := globalVars().codeMap[code]
 	if !ok {
 		return nil
 	}
@@ -102,12 +108,11 @@ func FromCode(code string) *Emoji {
 // "alias" or ":alias:" (ie, "shamrock" or ":shamrock:" will return the Gemoji
 // data for "shamrock").
 func FromAlias(alias string) *Emoji {
-	loadMap()
 	if strings.HasPrefix(alias, ":") && strings.HasSuffix(alias, ":") {
 		alias = alias[1 : len(alias)-1]
 	}
 
-	i, ok := aliasMap[alias]
+	i, ok := globalVars().aliasMap[alias]
 	if !ok {
 		return nil
 	}
@@ -119,15 +124,13 @@ func FromAlias(alias string) *Emoji {
 // alias (in the form of ":alias:") (ie, "\u2618" will be converted to
 // ":shamrock:").
 func ReplaceCodes(s string) string {
-	loadMap()
-	return codeReplacer.Replace(s)
+	return globalVars().codeReplacer.Replace(s)
 }
 
 // ReplaceAliases replaces all aliases of the form ":alias:" with its
 // corresponding unicode value.
 func ReplaceAliases(s string) string {
-	loadMap()
-	return aliasReplacer.Replace(s)
+	return globalVars().aliasReplacer.Replace(s)
 }
 
 type rememberSecondWriteWriter struct {
@@ -163,7 +166,6 @@ func (n *rememberSecondWriteWriter) WriteString(s string) (int, error) {
 
 // FindEmojiSubmatchIndex returns index pair of longest emoji in a string
 func FindEmojiSubmatchIndex(s string) []int {
-	loadMap()
 	secondWriteWriter := rememberSecondWriteWriter{}
 
 	// A faster and clean implementation would copy the trie tree formation in strings.NewReplacer but
@@ -175,7 +177,7 @@ func FindEmojiSubmatchIndex(s string) []int {
 	// Therefore we can simply take the index of the second write as our first emoji
 	//
 	// FIXME: just copy the trie implementation from strings.NewReplacer
-	_, _ = emptyReplacer.WriteString(&secondWriteWriter, s)
+	_, _ = globalVars().emptyReplacer.WriteString(&secondWriteWriter, s)
 
 	// if we wrote less than twice then we never "replaced"
 	if secondWriteWriter.writecount < 2 {

modules/emoji/emoji_test.go

@@ -7,14 +7,13 @@ package emoji
 import (
 	"testing"
 
+	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+
 	"github.com/stretchr/testify/assert"
 )
 
-func TestDumpInfo(t *testing.T) {
-	t.Logf("codes: %d", len(codeMap))
-	t.Logf("aliases: %d", len(aliasMap))
-}
-
 func TestLookup(t *testing.T) {
 	a := FromCode("\U0001f37a")
 	b := FromCode("🍺")
@@ -24,7 +23,6 @@ func TestLookup(t *testing.T) {
 	assert.Equal(t, a, b)
 	assert.Equal(t, b, c)
 	assert.Equal(t, c, d)
-	assert.Equal(t, a, d)
 
 	m := FromCode("\U0001f44d")
 	n := FromAlias(":thumbsup:")
@@ -32,7 +30,20 @@ func TestLookup(t *testing.T) {
 
 	assert.Equal(t, m, n)
 	assert.Equal(t, m, o)
-	assert.Equal(t, n, o)
+
+	defer test.MockVariableValue(&setting.UI.EnabledEmojisSet, container.SetOf("thumbsup"))()
+	defer globalVarsStore.Store(nil)
+	globalVarsStore.Store(nil)
+	a = FromCode("\U0001f37a")
+	c = FromAlias(":beer:")
+	m = FromCode("\U0001f44d")
+	n = FromAlias(":thumbsup:")
+	o = FromAlias("+1")
+	assert.Nil(t, a)
+	assert.Nil(t, c)
+	assert.NotNil(t, m)
+	assert.NotNil(t, n)
+	assert.Nil(t, o)
 }
 
 func TestReplacers(t *testing.T) {

modules/git/hook.go

@@ -47,30 +47,16 @@ func GetHook(repoPath, name string) (*Hook, error) {
 		name: name,
 		path: filepath.Join(repoPath, filepath.Join("hooks", name+".d", name)),
 	}
-	isFile, err := util.IsFile(h.path)
-	if err != nil {
-		return nil, err
-	}
-	if isFile {
-		data, err := os.ReadFile(h.path)
-		if err != nil {
-			return nil, err
-		}
+	if data, err := os.ReadFile(h.path); err == nil {
 		h.IsActive = true
 		h.Content = string(data)
 		return h, nil
+	} else if !os.IsNotExist(err) {
+		return nil, err
 	}
 
 	samplePath := filepath.Join(repoPath, "hooks", name+".sample")
-	isFile, err = util.IsFile(samplePath)
-	if err != nil {
-		return nil, err
-	}
-	if isFile {
-		data, err := os.ReadFile(samplePath)
-		if err != nil {
-			return nil, err
-		}
+	if data, err := os.ReadFile(samplePath); err == nil {
 		h.Sample = string(data)
 	}
 	return h, nil

modules/git/utils.go

@@ -6,7 +6,6 @@ package git
 import (
 	"crypto/sha1"
 	"encoding/hex"
-	"io"
 	"strconv"
 	"strings"
 	"sync"
@@ -68,32 +67,6 @@ func ParseBool(value string) (result, valid bool) {
 	return intValue != 0, true
 }
 
-// LimitedReaderCloser is a limited reader closer
-type LimitedReaderCloser struct {
-	R io.Reader
-	C io.Closer
-	N int64
-}
-
-// Read implements io.Reader
-func (l *LimitedReaderCloser) Read(p []byte) (n int, err error) {
-	if l.N <= 0 {
-		_ = l.C.Close()
-		return 0, io.EOF
-	}
-	if int64(len(p)) > l.N {
-		p = p[0:l.N]
-	}
-	n, err = l.R.Read(p)
-	l.N -= int64(n)
-	return n, err
-}
-
-// Close implements io.Closer
-func (l *LimitedReaderCloser) Close() error {
-	return l.C.Close()
-}
-
 func HashFilePathForWebUI(s string) string {
 	h := sha1.New()
 	_, _ = h.Write([]byte(s))

modules/markup/html_emoji.go

@@ -5,6 +5,7 @@ package markup
 
 import (
 	"strings"
+	"unicode"
 
 	"code.gitea.io/gitea/modules/emoji"
 	"code.gitea.io/gitea/modules/setting"
@@ -66,26 +67,31 @@ func emojiShortCodeProcessor(ctx *RenderContext, node *html.Node) {
 		}
 		m[0] += start
 		m[1] += start
-
 		start = m[1]
 
 		alias := node.Data[m[0]:m[1]]
-		alias = strings.ReplaceAll(alias, ":", "")
-		converted := emoji.FromAlias(alias)
-		if converted == nil {
-			// check if this is a custom reaction
-			if _, exist := setting.UI.CustomEmojisMap[alias]; exist {
-				replaceContent(node, m[0], m[1], createCustomEmoji(ctx, alias))
-				node = node.NextSibling.NextSibling
-				start = 0
-				continue
-			}
+
+		var nextChar byte
+		if m[1] < len(node.Data) {
+			nextChar = node.Data[m[1]]
+		}
+		if nextChar == ':' || unicode.IsLetter(rune(nextChar)) || unicode.IsDigit(rune(nextChar)) {
 			continue
 		}
 
-		replaceContent(node, m[0], m[1], createEmoji(ctx, converted.Emoji, converted.Description))
-		node = node.NextSibling.NextSibling
-		start = 0
+		alias = strings.Trim(alias, ":")
+		converted := emoji.FromAlias(alias)
+		if converted != nil {
+			// standard emoji
+			replaceContent(node, m[0], m[1], createEmoji(ctx, converted.Emoji, converted.Description))
+			node = node.NextSibling.NextSibling
+			start = 0 // restart searching start since node has changed
+		} else if _, exist := setting.UI.CustomEmojisMap[alias]; exist {
+			// custom reaction
+			replaceContent(node, m[0], m[1], createCustomEmoji(ctx, alias))
+			node = node.NextSibling.NextSibling
+			start = 0 // restart searching start since node has changed
+		}
 	}
 }
 

modules/markup/html_test.go

@@ -357,12 +357,9 @@ func TestRender_emoji(t *testing.T) {
 		`<p><span class="emoji" aria-label="smiling face with sunglasses">😎</span><span class="emoji" aria-label="zany face">🤪</span><span class="emoji" aria-label="locked with key">🔐</span><span class="emoji" aria-label="money-mouth face">🤑</span><span class="emoji" aria-label="red question mark">❓</span></p>`)
 
 	// should match nothing
-	test(
-		"2001:0db8:85a3:0000:0000:8a2e:0370:7334",
-		`<p>2001:0db8:85a3:0000:0000:8a2e:0370:7334</p>`)
-	test(
-		":not exist:",
-		`<p>:not exist:</p>`)
+	test(":100:200", `<p>:100:200</p>`)
+	test("std::thread::something", `<p>std::thread::something</p>`)
+	test(":not exist:", `<p>:not exist:</p>`)
 }
 
 func TestRender_ShortLinks(t *testing.T) {

modules/setting/attachment.go

@@ -16,9 +16,13 @@ var Attachment AttachmentSettingType
 func loadAttachmentFrom(rootCfg ConfigProvider) (err error) {
 	Attachment = AttachmentSettingType{
 		AllowedTypes: ".avif,.cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.webp,.xls,.xlsx,.zip",
-		MaxSize:      2048,
-		MaxFiles:     5,
-		Enabled:      true,
+
+		// FIXME: this size is used for both "issue attachment" and "release attachment"
+		// The design is not right, these two should be different settings
+		MaxSize: 2048,
+
+		MaxFiles: 5,
+		Enabled:  true,
 	}
 	sec, _ := rootCfg.GetSection("attachment")
 	if sec == nil {

modules/setting/config_provider.go

@@ -202,11 +202,11 @@ func NewConfigProviderFromFile(file string) (ConfigProvider, error) {
 	loadedFromEmpty := true
 
 	if file != "" {
-		isFile, err := util.IsFile(file)
+		isExist, err := util.IsExist(file)
 		if err != nil {
-			return nil, fmt.Errorf("unable to check if %q is a file. Error: %v", file, err)
+			return nil, fmt.Errorf("unable to check if %q exists: %v", file, err)
 		}
-		if isFile {
+		if isExist {
 			if err = cfg.Append(file); err != nil {
 				return nil, fmt.Errorf("failed to load config file %q: %v", file, err)
 			}

modules/setting/ui.go

@@ -33,6 +33,8 @@ var UI = struct {
 	ReactionsLookup         container.Set[string] `ini:"-"`
 	CustomEmojis            []string
 	CustomEmojisMap         map[string]string `ini:"-"`
+	EnabledEmojis           []string
+	EnabledEmojisSet        container.Set[string] `ini:"-"`
 	SearchRepoDescription   bool
 	OnlyShowRelevantRepos   bool
 	ExploreDefaultSort      string `ini:"EXPLORE_PAGING_DEFAULT_SORT"`
@@ -169,4 +171,5 @@ func loadUIFrom(rootCfg ConfigProvider) {
 	for _, emoji := range UI.CustomEmojis {
 		UI.CustomEmojisMap[emoji] = ":" + emoji + ":"
 	}
+	UI.EnabledEmojisSet = container.SetOf(UI.EnabledEmojis...)
 }

modules/util/error.go

@@ -16,6 +16,7 @@ var (
 	ErrPermissionDenied = errors.New("permission denied")       // also implies HTTP 403
 	ErrNotExist         = errors.New("resource does not exist") // also implies HTTP 404
 	ErrAlreadyExist     = errors.New("resource already exists") // also implies HTTP 409
+	ErrContentTooLarge  = errors.New("content exceeds limit")   // also implies HTTP 413
 
 	// ErrUnprocessableContent implies HTTP 422, the syntax of the request content is correct,
 	// but the server is unable to process the contained instructions

modules/util/path.go

@@ -115,15 +115,10 @@ func IsDir(dir string) (bool, error) {
 	return false, err
 }
 
-// IsFile returns true if given path is a file,
-// or returns false when it's a directory or does not exist.
-func IsFile(filePath string) (bool, error) {
-	f, err := os.Stat(filePath)
+func IsRegularFile(filePath string) (bool, error) {
+	f, err := os.Lstat(filePath)
 	if err == nil {
-		return !f.IsDir(), nil
-	}
-	if os.IsNotExist(err) {
-		return false, nil
+		return f.Mode().IsRegular(), nil
 	}
 	return false, err
 }

options/locale/locale_en-US.ini

@@ -1969,6 +1969,9 @@ pulls.status_checks_requested = Required
 pulls.status_checks_details = Details
 pulls.status_checks_hide_all = Hide all checks
 pulls.status_checks_show_all = Show all checks
+pulls.status_checks_approve_all = Approve all workflows
+pulls.status_checks_need_approvals = %d workflow awaiting approval
+pulls.status_checks_need_approvals_helper = The workflow will only run after approval from the repository maintainer.
 pulls.update_branch = Update branch by merge
 pulls.update_branch_rebase = Update branch by rebase
 pulls.update_branch_success = Branch update was successful
@@ -3890,6 +3893,7 @@ workflow.has_workflow_dispatch = This workflow has a workflow_dispatch event tri
 workflow.has_no_workflow_dispatch = Workflow '%s' has no workflow_dispatch event trigger.
 
 need_approval_desc = Need approval to run workflows for fork pull request.
+approve_all_success = All workflow runs are approved successfully.
 
 variables = Variables
 variables.management = Variables Management

routers/api/v1/repo/issue_attachment.go

@@ -4,6 +4,7 @@
 package repo
 
 import (
+	"errors"
 	"net/http"
 
 	issues_model "code.gitea.io/gitea/models/issues"
@@ -11,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	attachment_service "code.gitea.io/gitea/services/attachment"
 	"code.gitea.io/gitea/services/context"
@@ -154,6 +156,8 @@ func CreateIssueAttachment(ctx *context.APIContext) {
 	//     "$ref": "#/responses/error"
 	//   "404":
 	//     "$ref": "#/responses/error"
+	//   "413":
+	//     "$ref": "#/responses/error"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
 	//   "423":
@@ -181,7 +185,8 @@ func CreateIssueAttachment(ctx *context.APIContext) {
 		filename = query
 	}
 
-	attachment, err := attachment_service.UploadAttachment(ctx, file, setting.Attachment.AllowedTypes, header.Size, &repo_model.Attachment{
+	uploaderFile := attachment_service.NewLimitedUploaderKnownSize(file, header.Size)
+	attachment, err := attachment_service.UploadAttachmentGeneralSizeLimit(ctx, uploaderFile, setting.Attachment.AllowedTypes, &repo_model.Attachment{
 		Name:       filename,
 		UploaderID: ctx.Doer.ID,
 		RepoID:     ctx.Repo.Repository.ID,
@@ -190,6 +195,8 @@ func CreateIssueAttachment(ctx *context.APIContext) {
 	if err != nil {
 		if upload.IsErrFileTypeForbidden(err) {
 			ctx.APIError(http.StatusUnprocessableEntity, err)
+		} else if errors.Is(err, util.ErrContentTooLarge) {
+			ctx.APIError(http.StatusRequestEntityTooLarge, err)
 		} else {
 			ctx.APIErrorInternal(err)
 		}

routers/api/v1/repo/issue_comment_attachment.go

@@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	attachment_service "code.gitea.io/gitea/services/attachment"
 	"code.gitea.io/gitea/services/context"
@@ -161,6 +162,8 @@ func CreateIssueCommentAttachment(ctx *context.APIContext) {
 	//     "$ref": "#/responses/forbidden"
 	//   "404":
 	//     "$ref": "#/responses/error"
+	//   "413":
+	//     "$ref": "#/responses/error"
 	//   "422":
 	//     "$ref": "#/responses/validationError"
 	//   "423":
@@ -189,7 +192,8 @@ func CreateIssueCommentAttachment(ctx *context.APIContext) {
 		filename = query
 	}
 
-	attachment, err := attachment_service.UploadAttachment(ctx, file, setting.Attachment.AllowedTypes, header.Size, &repo_model.Attachment{
+	uploaderFile := attachment_service.NewLimitedUploaderKnownSize(file, header.Size)
+	attachment, err := attachment_service.UploadAttachmentGeneralSizeLimit(ctx, uploaderFile, setting.Attachment.AllowedTypes, &repo_model.Attachment{
 		Name:       filename,
 		UploaderID: ctx.Doer.ID,
 		RepoID:     ctx.Repo.Repository.ID,
@@ -199,6 +203,8 @@ func CreateIssueCommentAttachment(ctx *context.APIContext) {
 	if err != nil {
 		if upload.IsErrFileTypeForbidden(err) {
 			ctx.APIError(http.StatusUnprocessableEntity, err)
+		} else if errors.Is(err, util.ErrContentTooLarge) {
+			ctx.APIError(http.StatusRequestEntityTooLarge, err)
 		} else {
 			ctx.APIErrorInternal(err)
 		}

routers/api/v1/repo/release_attachment.go

@@ -4,7 +4,7 @@
 package repo
 
 import (
-	"io"
+	"errors"
 	"net/http"
 	"strings"
 
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	attachment_service "code.gitea.io/gitea/services/attachment"
 	"code.gitea.io/gitea/services/context"
@@ -191,6 +192,8 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
 	//     "$ref": "#/responses/error"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	//   "413":
+	//     "$ref": "#/responses/error"
 
 	// Check if attachments are enabled
 	if !setting.Attachment.Enabled {
@@ -205,10 +208,8 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
 	}
 
 	// Get uploaded file from request
-	var content io.ReadCloser
 	var filename string
-	var size int64 = -1
-
+	var uploaderFile *attachment_service.UploaderFile
 	if strings.HasPrefix(strings.ToLower(ctx.Req.Header.Get("Content-Type")), "multipart/form-data") {
 		file, header, err := ctx.Req.FormFile("attachment")
 		if err != nil {
@@ -217,15 +218,14 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
 		}
 		defer file.Close()
 
-		content = file
-		size = header.Size
 		filename = header.Filename
 		if name := ctx.FormString("name"); name != "" {
 			filename = name
 		}
+		uploaderFile = attachment_service.NewLimitedUploaderKnownSize(file, header.Size)
 	} else {
-		content = ctx.Req.Body
 		filename = ctx.FormString("name")
+		uploaderFile = attachment_service.NewLimitedUploaderMaxBytesReader(ctx.Req.Body, ctx.Resp)
 	}
 
 	if filename == "" {
@@ -234,7 +234,7 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
 	}
 
 	// Create a new attachment and save the file
-	attach, err := attachment_service.UploadAttachment(ctx, content, setting.Repository.Release.AllowedTypes, size, &repo_model.Attachment{
+	attach, err := attachment_service.UploadAttachmentGeneralSizeLimit(ctx, uploaderFile, setting.Repository.Release.AllowedTypes, &repo_model.Attachment{
 		Name:       filename,
 		UploaderID: ctx.Doer.ID,
 		RepoID:     ctx.Repo.Repository.ID,
@@ -245,6 +245,12 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
 			ctx.APIError(http.StatusBadRequest, err)
 			return
 		}
+
+		if errors.Is(err, util.ErrContentTooLarge) {
+			ctx.APIError(http.StatusRequestEntityTooLarge, err)
+			return
+		}
+
 		ctx.APIErrorInternal(err)
 		return
 	}

routers/private/key.go

@@ -45,7 +45,7 @@ func UpdatePublicKeyInRepo(ctx *context.PrivateContext) {
 	ctx.PlainText(http.StatusOK, "success")
 }
 
-// AuthorizedPublicKeyByContent searches content as prefix (leak e-mail part)
+// AuthorizedPublicKeyByContent searches content as prefix (without comment part)
 // and returns public key found.
 func AuthorizedPublicKeyByContent(ctx *context.PrivateContext) {
 	content := ctx.FormString("content")
@@ -57,5 +57,14 @@ func AuthorizedPublicKeyByContent(ctx *context.PrivateContext) {
 		})
 		return
 	}
-	ctx.PlainText(http.StatusOK, publicKey.AuthorizedString())
+
+	authorizedString, err := asymkey_model.AuthorizedStringForKey(publicKey)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, private.Response{
+			Err:     err.Error(),
+			UserMsg: "invalid public key",
+		})
+		return
+	}
+	ctx.PlainText(http.StatusOK, authorizedString)
 }

routers/web/repo/actions/view.go

@@ -606,33 +606,53 @@ func Cancel(ctx *context_module.Context) {
 func Approve(ctx *context_module.Context) {
 	runIndex := getRunIndex(ctx)
 
-	current, jobs := getRunJobs(ctx, runIndex, -1)
+	approveRuns(ctx, []int64{runIndex})
 	if ctx.Written() {
 		return
 	}
-	run := current.Run
-	doer := ctx.Doer
 
-	var updatedJobs []*actions_model.ActionRunJob
+	ctx.JSONOK()
+}
+
+func approveRuns(ctx *context_module.Context, runIndexes []int64) {
+	doer := ctx.Doer
+	repo := ctx.Repo.Repository
+
+	updatedJobs := make([]*actions_model.ActionRunJob, 0)
+	runMap := make(map[int64]*actions_model.ActionRun, len(runIndexes))
+	runJobs := make(map[int64][]*actions_model.ActionRunJob, len(runIndexes))
 
 	err := db.WithTx(ctx, func(ctx context.Context) (err error) {
-		run.NeedApproval = false
-		run.ApprovedBy = doer.ID
-		if err := actions_model.UpdateRun(ctx, run, "need_approval", "approved_by"); err != nil {
-			return err
-		}
-		for _, job := range jobs {
-			job.Status, err = actions_service.PrepareToStartJobWithConcurrency(ctx, job)
+		for _, runIndex := range runIndexes {
+			run, err := actions_model.GetRunByIndex(ctx, repo.ID, runIndex)
 			if err != nil {
 				return err
 			}
-			if job.Status == actions_model.StatusWaiting {
-				n, err := actions_model.UpdateRunJob(ctx, job, nil, "status")
+			runMap[run.ID] = run
+			run.Repo = repo
+			run.NeedApproval = false
+			run.ApprovedBy = doer.ID
+			if err := actions_model.UpdateRun(ctx, run, "need_approval", "approved_by"); err != nil {
+				return err
+			}
+			jobs, err := actions_model.GetRunJobsByRunID(ctx, run.ID)
+			if err != nil {
+				return err
+			}
+			runJobs[run.ID] = jobs
+			for _, job := range jobs {
+				job.Status, err = actions_service.PrepareToStartJobWithConcurrency(ctx, job)
 				if err != nil {
 					return err
 				}
-				if n > 0 {
-					updatedJobs = append(updatedJobs, job)
+				if job.Status == actions_model.StatusWaiting {
+					n, err := actions_model.UpdateRunJob(ctx, job, nil, "status")
+					if err != nil {
+						return err
+					}
+					if n > 0 {
+						updatedJobs = append(updatedJobs, job)
+					}
 				}
 			}
 		}
@@ -643,7 +663,9 @@ func Approve(ctx *context_module.Context) {
 		return
 	}
 
-	actions_service.CreateCommitStatusForRunJobs(ctx, current.Run, jobs...)
+	for runID, run := range runMap {
+		actions_service.CreateCommitStatusForRunJobs(ctx, run, runJobs[runID]...)
+	}
 
 	if len(updatedJobs) > 0 {
 		job := updatedJobs[0]
@@ -654,8 +676,6 @@ func Approve(ctx *context_module.Context) {
 		_ = job.LoadAttributes(ctx)
 		notify_service.WorkflowJobStatusUpdate(ctx, job.Run.Repo, job.Run.TriggerUser, job, nil)
 	}
-
-	ctx.JSONOK()
 }
 
 func Delete(ctx *context_module.Context) {
@@ -818,6 +838,42 @@ func ArtifactsDownloadView(ctx *context_module.Context) {
 	}
 }
 
+func ApproveAllChecks(ctx *context_module.Context) {
+	repo := ctx.Repo.Repository
+	commitID := ctx.FormString("commit_id")
+
+	commitStatuses, err := git_model.GetLatestCommitStatus(ctx, repo.ID, commitID, db.ListOptionsAll)
+	if err != nil {
+		ctx.ServerError("GetLatestCommitStatus", err)
+		return
+	}
+	runs, err := actions_service.GetRunsFromCommitStatuses(ctx, commitStatuses)
+	if err != nil {
+		ctx.ServerError("GetRunsFromCommitStatuses", err)
+		return
+	}
+
+	runIndexes := make([]int64, 0, len(runs))
+	for _, run := range runs {
+		if run.NeedApproval {
+			runIndexes = append(runIndexes, run.Index)
+		}
+	}
+
+	if len(runIndexes) == 0 {
+		ctx.JSONOK()
+		return
+	}
+
+	approveRuns(ctx, runIndexes)
+	if ctx.Written() {
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("actions.approve_all_success"))
+	ctx.JSONOK()
+}
+
 func DisableWorkflowFile(ctx *context_module.Context) {
 	disableOrEnableWorkflowFile(ctx, false)
 }

routers/web/repo/attachment.go

@@ -45,7 +45,8 @@ func uploadAttachment(ctx *context.Context, repoID int64, allowedTypes string) {
 	}
 	defer file.Close()
 
-	attach, err := attachment.UploadAttachment(ctx, file, allowedTypes, header.Size, &repo_model.Attachment{
+	uploaderFile := attachment.NewLimitedUploaderKnownSize(file, header.Size)
+	attach, err := attachment.UploadAttachmentGeneralSizeLimit(ctx, uploaderFile, allowedTypes, &repo_model.Attachment{
 		Name:       header.Filename,
 		UploaderID: ctx.Doer.ID,
 		RepoID:     repoID,

routers/web/repo/commit.go

@@ -276,20 +276,24 @@ func Diff(ctx *context.Context) {
 	userName := ctx.Repo.Owner.Name
 	repoName := ctx.Repo.Repository.Name
 	commitID := ctx.PathParam("sha")
-	var (
-		gitRepo *git.Repository
-		err     error
-	)
+
+	diffBlobExcerptData := &gitdiff.DiffBlobExcerptData{
+		BaseLink:      ctx.Repo.RepoLink + "/blob_excerpt",
+		DiffStyle:     ctx.FormString("style"),
+		AfterCommitID: commitID,
+	}
+	gitRepo := ctx.Repo.GitRepo
+	var gitRepoStore gitrepo.Repository = ctx.Repo.Repository
 
 	if ctx.Data["PageIsWiki"] != nil {
-		gitRepo, err = gitrepo.OpenRepository(ctx, ctx.Repo.Repository.WikiStorageRepo())
+		var err error
+		gitRepoStore = ctx.Repo.Repository.WikiStorageRepo()
+		gitRepo, err = gitrepo.RepositoryFromRequestContextOrOpen(ctx, gitRepoStore)
 		if err != nil {
 			ctx.ServerError("Repo.GitRepo.GetCommit", err)
 			return
 		}
-		defer gitRepo.Close()
-	} else {
-		gitRepo = ctx.Repo.GitRepo
+		diffBlobExcerptData.BaseLink = ctx.Repo.RepoLink + "/wiki/blob_excerpt"
 	}
 
 	commit, err := gitRepo.GetCommit(commitID)
@@ -324,7 +328,7 @@ func Diff(ctx *context.Context) {
 		ctx.NotFound(err)
 		return
 	}
-	diffShortStat, err := gitdiff.GetDiffShortStat(ctx, ctx.Repo.Repository, gitRepo, "", commitID)
+	diffShortStat, err := gitdiff.GetDiffShortStat(ctx, gitRepoStore, gitRepo, "", commitID)
 	if err != nil {
 		ctx.ServerError("GetDiffShortStat", err)
 		return
@@ -360,6 +364,7 @@ func Diff(ctx *context.Context) {
 	ctx.Data["Title"] = commit.Summary() + " · " + base.ShortSha(commitID)
 	ctx.Data["Commit"] = commit
 	ctx.Data["Diff"] = diff
+	ctx.Data["DiffBlobExcerptData"] = diffBlobExcerptData
 
 	if !fileOnly {
 		diffTree, err := gitdiff.GetDiffTree(ctx, gitRepo, false, parentCommitID, commitID)

routers/web/repo/compare.go

@@ -14,6 +14,7 @@ import (
 	"net/http"
 	"net/url"
 	"path/filepath"
+	"sort"
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
@@ -43,6 +44,7 @@ import (
 	"code.gitea.io/gitea/services/context/upload"
 	"code.gitea.io/gitea/services/gitdiff"
 	pull_service "code.gitea.io/gitea/services/pull"
+	user_service "code.gitea.io/gitea/services/user"
 )
 
 const (
@@ -638,6 +640,11 @@ func PrepareCompareDiff(
 	}
 	ctx.Data["DiffShortStat"] = diffShortStat
 	ctx.Data["Diff"] = diff
+	ctx.Data["DiffBlobExcerptData"] = &gitdiff.DiffBlobExcerptData{
+		BaseLink:      ci.HeadRepo.Link() + "/blob_excerpt",
+		DiffStyle:     ctx.FormString("style"),
+		AfterCommitID: headCommitID,
+	}
 	ctx.Data["DiffNotAvailable"] = diffShortStat.NumFiles == 0
 
 	if !fileOnly {
@@ -865,6 +872,28 @@ func CompareDiff(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplCompare)
 }
 
+// attachCommentsToLines attaches comments to their corresponding diff lines
+func attachCommentsToLines(section *gitdiff.DiffSection, lineComments map[int64][]*issues_model.Comment) {
+	for _, line := range section.Lines {
+		if comments, ok := lineComments[int64(line.LeftIdx*-1)]; ok {
+			line.Comments = append(line.Comments, comments...)
+		}
+		if comments, ok := lineComments[int64(line.RightIdx)]; ok {
+			line.Comments = append(line.Comments, comments...)
+		}
+		sort.SliceStable(line.Comments, func(i, j int) bool {
+			return line.Comments[i].CreatedUnix < line.Comments[j].CreatedUnix
+		})
+	}
+}
+
+// attachHiddenCommentIDs calculates and attaches hidden comment IDs to expand buttons
+func attachHiddenCommentIDs(section *gitdiff.DiffSection, lineComments map[int64][]*issues_model.Comment) {
+	for _, line := range section.Lines {
+		gitdiff.FillHiddenCommentIDsForDiffLine(line, lineComments)
+	}
+}
+
 // ExcerptBlob render blob excerpt contents
 func ExcerptBlob(ctx *context.Context) {
 	commitID := ctx.PathParam("sha")
@@ -874,19 +903,26 @@ func ExcerptBlob(ctx *context.Context) {
 	idxRight := ctx.FormInt("right")
 	leftHunkSize := ctx.FormInt("left_hunk_size")
 	rightHunkSize := ctx.FormInt("right_hunk_size")
-	anchor := ctx.FormString("anchor")
 	direction := ctx.FormString("direction")
 	filePath := ctx.FormString("path")
 	gitRepo := ctx.Repo.GitRepo
+
+	diffBlobExcerptData := &gitdiff.DiffBlobExcerptData{
+		BaseLink:      ctx.Repo.RepoLink + "/blob_excerpt",
+		DiffStyle:     ctx.FormString("style"),
+		AfterCommitID: commitID,
+	}
+
 	if ctx.Data["PageIsWiki"] == true {
 		var err error
-		gitRepo, err = gitrepo.OpenRepository(ctx, ctx.Repo.Repository.WikiStorageRepo())
+		gitRepo, err = gitrepo.RepositoryFromRequestContextOrOpen(ctx, ctx.Repo.Repository.WikiStorageRepo())
 		if err != nil {
 			ctx.ServerError("OpenRepository", err)
 			return
 		}
-		defer gitRepo.Close()
+		diffBlobExcerptData.BaseLink = ctx.Repo.RepoLink + "/wiki/blob_excerpt"
 	}
+
 	chunkSize := gitdiff.BlobExcerptChunkSize
 	commit, err := gitRepo.GetCommit(commitID)
 	if err != nil {
@@ -947,10 +983,43 @@ func ExcerptBlob(ctx *context.Context) {
 			section.Lines = append(section.Lines, lineSection)
 		}
 	}
+
+	diffBlobExcerptData.PullIssueIndex = ctx.FormInt64("pull_issue_index")
+	if diffBlobExcerptData.PullIssueIndex > 0 {
+		if !ctx.Repo.CanRead(unit.TypePullRequests) {
+			ctx.NotFound(nil)
+			return
+		}
+
+		issue, err := issues_model.GetIssueByIndex(ctx, ctx.Repo.Repository.ID, diffBlobExcerptData.PullIssueIndex)
+		if err != nil {
+			log.Error("GetIssueByIndex error: %v", err)
+		} else if issue.IsPull {
+			// FIXME: DIFF-CONVERSATION-DATA: the following data assignment is fragile
+			ctx.Data["Issue"] = issue
+			ctx.Data["CanBlockUser"] = func(blocker, blockee *user_model.User) bool {
+				return user_service.CanBlockUser(ctx, ctx.Doer, blocker, blockee)
+			}
+			// and "diff/comment_form.tmpl" (reply comment) needs them
+			ctx.Data["PageIsPullFiles"] = true
+			ctx.Data["AfterCommitID"] = diffBlobExcerptData.AfterCommitID
+
+			allComments, err := issues_model.FetchCodeComments(ctx, issue, ctx.Doer, ctx.FormBool("show_outdated"))
+			if err != nil {
+				log.Error("FetchCodeComments error: %v", err)
+			} else {
+				if lineComments, ok := allComments[filePath]; ok {
+					attachCommentsToLines(section, lineComments)
+					attachHiddenCommentIDs(section, lineComments)
+				}
+			}
+		}
+	}
+
 	ctx.Data["section"] = section
 	ctx.Data["FileNameHash"] = git.HashFilePathForWebUI(filePath)
-	ctx.Data["AfterCommitID"] = commitID
-	ctx.Data["Anchor"] = anchor
+	ctx.Data["DiffBlobExcerptData"] = diffBlobExcerptData
+
 	ctx.HTML(http.StatusOK, tplBlobExcerpt)
 }
 

routers/web/repo/compare_test.go

@@ -0,0 +1,40 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package repo
+
+import (
+	"testing"
+
+	issues_model "code.gitea.io/gitea/models/issues"
+	"code.gitea.io/gitea/services/gitdiff"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAttachCommentsToLines(t *testing.T) {
+	section := &gitdiff.DiffSection{
+		Lines: []*gitdiff.DiffLine{
+			{LeftIdx: 5, RightIdx: 10},
+			{LeftIdx: 6, RightIdx: 11},
+		},
+	}
+
+	lineComments := map[int64][]*issues_model.Comment{
+		-5: {{ID: 100, CreatedUnix: 1000}},                               // left side comment
+		10: {{ID: 200, CreatedUnix: 2000}},                               // right side comment
+		11: {{ID: 300, CreatedUnix: 1500}, {ID: 301, CreatedUnix: 2500}}, // multiple comments
+	}
+
+	attachCommentsToLines(section, lineComments)
+
+	// First line should have left and right comments
+	assert.Len(t, section.Lines[0].Comments, 2)
+	assert.Equal(t, int64(100), section.Lines[0].Comments[0].ID)
+	assert.Equal(t, int64(200), section.Lines[0].Comments[1].ID)
+
+	// Second line should have two comments, sorted by creation time
+	assert.Len(t, section.Lines[1].Comments, 2)
+	assert.Equal(t, int64(300), section.Lines[1].Comments[0].ID)
+	assert.Equal(t, int64(301), section.Lines[1].Comments[1].ID)
+}

routers/web/repo/editor_uploader.go

@@ -41,6 +41,8 @@ func UploadFileToServer(ctx *context.Context) {
 		return
 	}
 
+	// FIXME: need to check the file size according to setting.Repository.Upload.FileMaxSize
+
 	uploaded, err := repo_model.NewUpload(ctx, name, buf, file)
 	if err != nil {
 		ctx.ServerError("NewUpload", err)

routers/web/repo/issue_view.go

@@ -437,6 +437,9 @@ func ViewIssue(ctx *context.Context) {
 
 func ViewPullMergeBox(ctx *context.Context) {
 	issue := prepareIssueViewLoad(ctx)
+	if ctx.Written() {
+		return
+	}
 	if !issue.IsPull {
 		ctx.NotFound(nil)
 		return

routers/web/repo/pull.go

@@ -38,6 +38,7 @@ import (
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/utils"
 	shared_user "code.gitea.io/gitea/routers/web/shared/user"
+	actions_service "code.gitea.io/gitea/services/actions"
 	asymkey_service "code.gitea.io/gitea/services/asymkey"
 	"code.gitea.io/gitea/services/automerge"
 	"code.gitea.io/gitea/services/context"
@@ -311,6 +312,14 @@ func prepareMergedViewPullInfo(ctx *context.Context, issue *issues_model.Issue)
 	return compareInfo
 }
 
+type pullCommitStatusCheckData struct {
+	MissingRequiredChecks   []string          // list of missing required checks
+	IsContextRequired       func(string) bool // function to check whether a context is required
+	RequireApprovalRunCount int               // number of workflow runs that require approval
+	CanApprove              bool              // whether the user can approve workflow runs
+	ApproveLink             string            // link to approve all checks
+}
+
 // prepareViewPullInfo show meta information for a pull request preview page
 func prepareViewPullInfo(ctx *context.Context, issue *issues_model.Issue) *pull_service.CompareInfo {
 	ctx.Data["PullRequestWorkInProgressPrefixes"] = setting.Repository.PullRequest.WorkInProgressPrefixes
@@ -456,6 +465,11 @@ func prepareViewPullInfo(ctx *context.Context, issue *issues_model.Issue) *pull_
 		return nil
 	}
 
+	statusCheckData := &pullCommitStatusCheckData{
+		ApproveLink: fmt.Sprintf("%s/actions/approve-all-checks?commit_id=%s", repo.Link(), sha),
+	}
+	ctx.Data["StatusCheckData"] = statusCheckData
+
 	commitStatuses, err := git_model.GetLatestCommitStatus(ctx, repo.ID, sha, db.ListOptionsAll)
 	if err != nil {
 		ctx.ServerError("GetLatestCommitStatus", err)
@@ -465,6 +479,20 @@ func prepareViewPullInfo(ctx *context.Context, issue *issues_model.Issue) *pull_
 		git_model.CommitStatusesHideActionsURL(ctx, commitStatuses)
 	}
 
+	runs, err := actions_service.GetRunsFromCommitStatuses(ctx, commitStatuses)
+	if err != nil {
+		ctx.ServerError("GetRunsFromCommitStatuses", err)
+		return nil
+	}
+	for _, run := range runs {
+		if run.NeedApproval {
+			statusCheckData.RequireApprovalRunCount++
+		}
+	}
+	if statusCheckData.RequireApprovalRunCount > 0 {
+		statusCheckData.CanApprove = ctx.Repo.CanWrite(unit.TypeActions)
+	}
+
 	if len(commitStatuses) > 0 {
 		ctx.Data["LatestCommitStatuses"] = commitStatuses
 		ctx.Data["LatestCommitStatus"] = git_model.CalcCommitStatus(commitStatuses)
@@ -486,9 +514,9 @@ func prepareViewPullInfo(ctx *context.Context, issue *issues_model.Issue) *pull_
 				missingRequiredChecks = append(missingRequiredChecks, requiredContext)
 			}
 		}
-		ctx.Data["MissingRequiredChecks"] = missingRequiredChecks
+		statusCheckData.MissingRequiredChecks = missingRequiredChecks
 
-		ctx.Data["is_context_required"] = func(context string) bool {
+		statusCheckData.IsContextRequired = func(context string) bool {
 			for _, c := range pb.StatusCheckContexts {
 				if c == context {
 					return true
@@ -827,6 +855,12 @@ func viewPullFiles(ctx *context.Context, beforeCommitID, afterCommitID string) {
 	}
 
 	ctx.Data["Diff"] = diff
+	ctx.Data["DiffBlobExcerptData"] = &gitdiff.DiffBlobExcerptData{
+		BaseLink:       ctx.Repo.RepoLink + "/blob_excerpt",
+		PullIssueIndex: pull.Index,
+		DiffStyle:      ctx.FormString("style"),
+		AfterCommitID:  afterCommitID,
+	}
 	ctx.Data["DiffNotAvailable"] = diffShortStat.NumFiles == 0
 
 	if ctx.IsSigned && ctx.Doer != nil {

routers/web/web.go

@@ -1459,6 +1459,7 @@ func registerWebRoutes(m *web.Router) {
 		m.Post("/enable", reqRepoAdmin, actions.EnableWorkflowFile)
 		m.Post("/run", reqRepoActionsWriter, actions.Run)
 		m.Get("/workflow-dispatch-inputs", reqRepoActionsWriter, actions.WorkflowDispatchInputs)
+		m.Post("/approve-all-checks", reqRepoActionsWriter, actions.ApproveAllChecks)
 
 		m.Group("/runs/{run}", func() {
 			m.Combo("").

services/actions/commit_status.go

@@ -18,6 +18,7 @@ import (
 	actions_module "code.gitea.io/gitea/modules/actions"
 	"code.gitea.io/gitea/modules/commitstatus"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	commitstatus_service "code.gitea.io/gitea/services/repository/commitstatus"
 
@@ -52,6 +53,33 @@ func CreateCommitStatusForRunJobs(ctx context.Context, run *actions_model.Action
 	}
 }
 
+func GetRunsFromCommitStatuses(ctx context.Context, statuses []*git_model.CommitStatus) ([]*actions_model.ActionRun, error) {
+	runMap := make(map[int64]*actions_model.ActionRun)
+	for _, status := range statuses {
+		runIndex, _, ok := status.ParseGiteaActionsTargetURL(ctx)
+		if !ok {
+			continue
+		}
+		_, ok = runMap[runIndex]
+		if !ok {
+			run, err := actions_model.GetRunByIndex(ctx, status.RepoID, runIndex)
+			if err != nil {
+				if errors.Is(err, util.ErrNotExist) {
+					// the run may be deleted manually, just skip it
+					continue
+				}
+				return nil, fmt.Errorf("GetRunByIndex: %w", err)
+			}
+			runMap[runIndex] = run
+		}
+	}
+	runs := make([]*actions_model.ActionRun, 0, len(runMap))
+	for _, run := range runMap {
+		runs = append(runs, run)
+	}
+	return runs, nil
+}
+
 func getCommitStatusEventNameAndCommitID(run *actions_model.ActionRun) (event, commitID string, _ error) {
 	switch run.Event {
 	case webhook_module.HookEventPush:

services/asymkey/ssh_key_authorized_principals.go

@@ -25,10 +25,7 @@ import (
 // There is a dependence on the database within RewriteAllPrincipalKeys & RegeneratePrincipalKeys
 // The sshOpLocker is used from ssh_key_authorized_keys.go
 
-const (
-	authorizedPrincipalsFile = "authorized_principals"
-	tplCommentPrefix         = `# gitea public key`
-)
+const authorizedPrincipalsFile = "authorized_principals"
 
 // RewriteAllPrincipalKeys removes any authorized principal and rewrite all keys from database again.
 // Note: db.GetEngine(ctx).Iterate does not get latest data after insert/delete, so we have to call this function
@@ -90,10 +87,9 @@ func rewriteAllPrincipalKeys(ctx context.Context) error {
 	return util.Rename(tmpPath, fPath)
 }
 
-func regeneratePrincipalKeys(ctx context.Context, t io.StringWriter) error {
+func regeneratePrincipalKeys(ctx context.Context, t io.Writer) error {
 	if err := db.GetEngine(ctx).Where("type = ?", asymkey_model.KeyTypePrincipal).Iterate(new(asymkey_model.PublicKey), func(idx int, bean any) (err error) {
-		_, err = t.WriteString((bean.(*asymkey_model.PublicKey)).AuthorizedString())
-		return err
+		return asymkey_model.WriteAuthorizedStringForValidKey(bean.(*asymkey_model.PublicKey), t)
 	}); err != nil {
 		return err
 	}
@@ -114,11 +110,11 @@ func regeneratePrincipalKeys(ctx context.Context, t io.StringWriter) error {
 		scanner := bufio.NewScanner(f)
 		for scanner.Scan() {
 			line := scanner.Text()
-			if strings.HasPrefix(line, tplCommentPrefix) {
+			if strings.HasPrefix(line, asymkey_model.AuthorizedStringCommentPrefix) {
 				scanner.Scan()
 				continue
 			}
-			_, err = t.WriteString(line + "\n")
+			_, err = io.WriteString(t, line+"\n")
 			if err != nil {
 				return err
 			}

services/attachment/attachment.go

@@ -6,11 +6,14 @@ package attachment
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
+	"net/http"
 
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/context/upload"
@@ -28,27 +31,56 @@ func NewAttachment(ctx context.Context, attach *repo_model.Attachment, file io.R
 		attach.UUID = uuid.New().String()
 		size, err := storage.Attachments.Save(attach.RelativePath(), file, size)
 		if err != nil {
-			return fmt.Errorf("Create: %w", err)
+			return fmt.Errorf("Attachments.Save: %w", err)
 		}
 		attach.Size = size
-
 		return db.Insert(ctx, attach)
 	})
 
 	return attach, err
 }
 
-// UploadAttachment upload new attachment into storage and update database
-func UploadAttachment(ctx context.Context, file io.Reader, allowedTypes string, fileSize int64, attach *repo_model.Attachment) (*repo_model.Attachment, error) {
+type UploaderFile struct {
+	rd         io.ReadCloser
+	size       int64
+	respWriter http.ResponseWriter
+}
+
+func NewLimitedUploaderKnownSize(r io.Reader, size int64) *UploaderFile {
+	return &UploaderFile{rd: io.NopCloser(r), size: size}
+}
+
+func NewLimitedUploaderMaxBytesReader(r io.ReadCloser, w http.ResponseWriter) *UploaderFile {
+	return &UploaderFile{rd: r, size: -1, respWriter: w}
+}
+
+func UploadAttachmentGeneralSizeLimit(ctx context.Context, file *UploaderFile, allowedTypes string, attach *repo_model.Attachment) (*repo_model.Attachment, error) {
+	return uploadAttachment(ctx, file, allowedTypes, setting.Attachment.MaxSize<<20, attach)
+}
+
+func uploadAttachment(ctx context.Context, file *UploaderFile, allowedTypes string, maxFileSize int64, attach *repo_model.Attachment) (*repo_model.Attachment, error) {
+	src := file.rd
+	if file.size < 0 {
+		src = http.MaxBytesReader(file.respWriter, src, maxFileSize)
+	}
 	buf := make([]byte, 1024)
-	n, _ := util.ReadAtMost(file, buf)
+	n, _ := util.ReadAtMost(src, buf)
 	buf = buf[:n]
 
 	if err := upload.Verify(buf, attach.Name, allowedTypes); err != nil {
 		return nil, err
 	}
 
-	return NewAttachment(ctx, attach, io.MultiReader(bytes.NewReader(buf), file), fileSize)
+	if maxFileSize >= 0 && file.size > maxFileSize {
+		return nil, util.ErrorWrap(util.ErrContentTooLarge, "attachment exceeds limit %d", maxFileSize)
+	}
+
+	attach, err := NewAttachment(ctx, attach, io.MultiReader(bytes.NewReader(buf), src), file.size)
+	var maxBytesError *http.MaxBytesError
+	if errors.As(err, &maxBytesError) {
+		return nil, util.ErrorWrap(util.ErrContentTooLarge, "attachment exceeds limit %d", maxFileSize)
+	}
+	return attach, err
 }
 
 // UpdateAttachment updates an attachment, verifying that its name is among the allowed types.

services/automergequeue/automergequeue.go

@@ -5,6 +5,7 @@ package automergequeue
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	issues_model "code.gitea.io/gitea/models/issues"
@@ -17,7 +18,7 @@ var AutoMergeQueue *queue.WorkerPoolQueue[string]
 
 var AddToQueue = func(pr *issues_model.PullRequest, sha string) {
 	log.Trace("Adding pullID: %d to the pull requests patch checking queue with sha %s", pr.ID, sha)
-	if err := AutoMergeQueue.Push(fmt.Sprintf("%d_%s", pr.ID, sha)); err != nil {
+	if err := AutoMergeQueue.Push(fmt.Sprintf("%d_%s", pr.ID, sha)); err != nil && !errors.Is(err, queue.ErrAlreadyInQueue) {
 		log.Error("Error adding pullID: %d to the pull requests patch checking queue %v", pr.ID, err)
 	}
 }

services/context/api.go

@@ -229,8 +229,7 @@ func APIContexter() func(http.Handler) http.Handler {
 
 			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
 			if ctx.Req.Method == http.MethodPost && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
-				if err := ctx.Req.ParseMultipartForm(setting.Attachment.MaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
-					ctx.APIErrorInternal(err)
+				if !ctx.ParseMultipartForm() {
 					return
 				}
 			}

services/context/base.go

@@ -4,6 +4,7 @@
 package context
 
 import (
+	"errors"
 	"fmt"
 	"html/template"
 	"io"
@@ -42,6 +43,20 @@ type Base struct {
 	Locale translation.Locale
 }
 
+func (b *Base) ParseMultipartForm() bool {
+	err := b.Req.ParseMultipartForm(32 << 20)
+	if err != nil {
+		// TODO: all errors caused by client side should be ignored (connection closed).
+		if !errors.Is(err, io.EOF) && !errors.Is(err, io.ErrUnexpectedEOF) {
+			// Errors caused by server side (disk full) should be logged.
+			log.Error("Failed to parse request multipart form for %s: %v", b.Req.RequestURI, err)
+		}
+		b.HTTPError(http.StatusInternalServerError, "failed to parse request multipart form")
+		return false
+	}
+	return true
+}
+
 // AppendAccessControlExposeHeaders append headers by name to "Access-Control-Expose-Headers" header
 func (b *Base) AppendAccessControlExposeHeaders(names ...string) {
 	val := b.RespHeader().Get("Access-Control-Expose-Headers")

services/context/context.go

@@ -186,8 +186,7 @@ func Contexter() func(next http.Handler) http.Handler {
 
 			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
 			if ctx.Req.Method == http.MethodPost && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
-				if err := ctx.Req.ParseMultipartForm(setting.Attachment.MaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
-					ctx.ServerError("ParseMultipartForm", err)
+				if !ctx.ParseMultipartForm() {
 					return
 				}
 			}

services/doctor/authorizedkeys.go

@@ -20,8 +20,6 @@ import (
 	asymkey_service "code.gitea.io/gitea/services/asymkey"
 )
 
-const tplCommentPrefix = `# gitea public key`
-
 func checkAuthorizedKeys(ctx context.Context, logger log.Logger, autofix bool) error {
 	if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile {
 		return nil
@@ -47,7 +45,7 @@ func checkAuthorizedKeys(ctx context.Context, logger log.Logger, autofix bool) e
 	scanner := bufio.NewScanner(f)
 	for scanner.Scan() {
 		line := scanner.Text()
-		if strings.HasPrefix(line, tplCommentPrefix) {
+		if strings.HasPrefix(line, asymkey_model.AuthorizedStringCommentPrefix) {
 			continue
 		}
 		linesInAuthorizedKeys.Add(line)
@@ -67,7 +65,7 @@ func checkAuthorizedKeys(ctx context.Context, logger log.Logger, autofix bool) e
 	scanner = bufio.NewScanner(regenerated)
 	for scanner.Scan() {
 		line := scanner.Text()
-		if strings.HasPrefix(line, tplCommentPrefix) {
+		if strings.HasPrefix(line, asymkey_model.AuthorizedStringCommentPrefix) {
 			continue
 		}
 		if linesInAuthorizedKeys.Contains(line) {

services/gitdiff/gitdiff.go

@@ -22,19 +22,21 @@ import (
 	git_model "code.gitea.io/gitea/models/git"
 	issues_model "code.gitea.io/gitea/models/issues"
 	pull_model "code.gitea.io/gitea/models/pull"
-	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/analyze"
+	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/charset"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/git/attribute"
 	"code.gitea.io/gitea/modules/git/gitcmd"
 	"code.gitea.io/gitea/modules/gitrepo"
 	"code.gitea.io/gitea/modules/highlight"
+	"code.gitea.io/gitea/modules/htmlutil"
 	"code.gitea.io/gitea/modules/lfs"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/svg"
 	"code.gitea.io/gitea/modules/translation"
 	"code.gitea.io/gitea/modules/util"
 
@@ -67,18 +69,6 @@ const (
 	DiffFileCopy
 )
 
-// DiffLineExpandDirection represents the DiffLineSection expand direction
-type DiffLineExpandDirection uint8
-
-// DiffLineExpandDirection possible values.
-const (
-	DiffLineExpandNone DiffLineExpandDirection = iota + 1
-	DiffLineExpandSingle
-	DiffLineExpandUpDown
-	DiffLineExpandUp
-	DiffLineExpandDown
-)
-
 // DiffLine represents a line difference in a DiffSection.
 type DiffLine struct {
 	LeftIdx     int // line number, 1-based
@@ -99,6 +89,8 @@ type DiffLineSectionInfo struct {
 	RightIdx      int
 	LeftHunkSize  int
 	RightHunkSize int
+
+	HiddenCommentIDs []int64 // IDs of hidden comments in this section
 }
 
 // DiffHTMLOperation is the HTML version of diffmatchpatch.Diff
@@ -153,8 +145,7 @@ func (d *DiffLine) GetLineTypeMarker() string {
 	return ""
 }
 
-// GetBlobExcerptQuery builds query string to get blob excerpt
-func (d *DiffLine) GetBlobExcerptQuery() string {
+func (d *DiffLine) getBlobExcerptQuery() string {
 	query := fmt.Sprintf(
 		"last_left=%d&last_right=%d&"+
 			"left=%d&right=%d&"+
@@ -167,19 +158,88 @@ func (d *DiffLine) GetBlobExcerptQuery() string {
 	return query
 }
 
-// GetExpandDirection gets DiffLineExpandDirection
-func (d *DiffLine) GetExpandDirection() DiffLineExpandDirection {
+func (d *DiffLine) getExpandDirection() string {
 	if d.Type != DiffLineSection || d.SectionInfo == nil || d.SectionInfo.LeftIdx-d.SectionInfo.LastLeftIdx <= 1 || d.SectionInfo.RightIdx-d.SectionInfo.LastRightIdx <= 1 {
-		return DiffLineExpandNone
+		return ""
 	}
 	if d.SectionInfo.LastLeftIdx <= 0 && d.SectionInfo.LastRightIdx <= 0 {
-		return DiffLineExpandUp
+		return "up"
 	} else if d.SectionInfo.RightIdx-d.SectionInfo.LastRightIdx > BlobExcerptChunkSize && d.SectionInfo.RightHunkSize > 0 {
-		return DiffLineExpandUpDown
+		return "updown"
 	} else if d.SectionInfo.LeftHunkSize <= 0 && d.SectionInfo.RightHunkSize <= 0 {
-		return DiffLineExpandDown
+		return "down"
 	}
-	return DiffLineExpandSingle
+	return "single"
+}
+
+type DiffBlobExcerptData struct {
+	BaseLink       string
+	IsWikiRepo     bool
+	PullIssueIndex int64
+	DiffStyle      string
+	AfterCommitID  string
+}
+
+func (d *DiffLine) RenderBlobExcerptButtons(fileNameHash string, data *DiffBlobExcerptData) template.HTML {
+	dataHiddenCommentIDs := strings.Join(base.Int64sToStrings(d.SectionInfo.HiddenCommentIDs), ",")
+	anchor := fmt.Sprintf("diff-%sK%d", fileNameHash, d.SectionInfo.RightIdx)
+
+	makeButton := func(direction, svgName string) template.HTML {
+		style := util.IfZero(data.DiffStyle, "unified")
+		link := data.BaseLink + "/" + data.AfterCommitID + fmt.Sprintf("?style=%s&direction=%s&anchor=%s", url.QueryEscape(style), direction, url.QueryEscape(anchor)) + "&" + d.getBlobExcerptQuery()
+		if data.PullIssueIndex > 0 {
+			link += fmt.Sprintf("&pull_issue_index=%d", data.PullIssueIndex)
+		}
+		return htmlutil.HTMLFormat(
+			`<button class="code-expander-button" hx-target="closest tr" hx-get="%s" data-hidden-comment-ids=",%s,">%s</button>`,
+			link, dataHiddenCommentIDs, svg.RenderHTML(svgName),
+		)
+	}
+	var content template.HTML
+
+	if len(d.SectionInfo.HiddenCommentIDs) > 0 {
+		tooltip := fmt.Sprintf("%d hidden comment(s)", len(d.SectionInfo.HiddenCommentIDs))
+		content += htmlutil.HTMLFormat(`<span class="code-comment-more" data-tooltip-content="%s">%d</span>`, tooltip, len(d.SectionInfo.HiddenCommentIDs))
+	}
+
+	expandDirection := d.getExpandDirection()
+	if expandDirection == "up" || expandDirection == "updown" {
+		content += makeButton("up", "octicon-fold-up")
+	}
+	if expandDirection == "updown" || expandDirection == "down" {
+		content += makeButton("down", "octicon-fold-down")
+	}
+	if expandDirection == "single" {
+		content += makeButton("single", "octicon-fold")
+	}
+	return htmlutil.HTMLFormat(`<div class="code-expander-buttons" data-expand-direction="%s">%s</div>`, expandDirection, content)
+}
+
+// FillHiddenCommentIDsForDiffLine finds comment IDs that are in the hidden range of an expand button
+func FillHiddenCommentIDsForDiffLine(line *DiffLine, lineComments map[int64][]*issues_model.Comment) {
+	if line.Type != DiffLineSection {
+		return
+	}
+
+	var hiddenCommentIDs []int64
+	for commentLineNum, comments := range lineComments {
+		if commentLineNum < 0 {
+			// ATTENTION: BLOB-EXCERPT-COMMENT-RIGHT: skip left-side, unchanged lines always use "right (proposed)" side for comments
+			continue
+		}
+		lineNum := int(commentLineNum)
+		isEndOfFileExpansion := line.SectionInfo.RightHunkSize == 0
+		inRange := lineNum > line.SectionInfo.LastRightIdx &&
+			(isEndOfFileExpansion && lineNum <= line.SectionInfo.RightIdx ||
+				!isEndOfFileExpansion && lineNum < line.SectionInfo.RightIdx)
+
+		if inRange {
+			for _, comment := range comments {
+				hiddenCommentIDs = append(hiddenCommentIDs, comment.ID)
+			}
+		}
+	}
+	line.SectionInfo.HiddenCommentIDs = hiddenCommentIDs
 }
 
 func getDiffLineSectionInfo(treePath, line string, lastLeftIdx, lastRightIdx int) *DiffLineSectionInfo {
@@ -485,6 +545,8 @@ func (diff *Diff) LoadComments(ctx context.Context, issue *issues_model.Issue, c
 					sort.SliceStable(line.Comments, func(i, j int) bool {
 						return line.Comments[i].CreatedUnix < line.Comments[j].CreatedUnix
 					})
+					// Mark expand buttons that have comments in hidden lines
+					FillHiddenCommentIDsForDiffLine(line, lineCommits)
 				}
 			}
 		}
@@ -1281,7 +1343,7 @@ type DiffShortStat struct {
 	NumFiles, TotalAddition, TotalDeletion int
 }
 
-func GetDiffShortStat(ctx context.Context, repo *repo_model.Repository, gitRepo *git.Repository, beforeCommitID, afterCommitID string) (*DiffShortStat, error) {
+func GetDiffShortStat(ctx context.Context, repoStorage gitrepo.Repository, gitRepo *git.Repository, beforeCommitID, afterCommitID string) (*DiffShortStat, error) {
 	afterCommit, err := gitRepo.GetCommit(afterCommitID)
 	if err != nil {
 		return nil, err
@@ -1293,7 +1355,7 @@ func GetDiffShortStat(ctx context.Context, repo *repo_model.Repository, gitRepo
 	}
 
 	diff := &DiffShortStat{}
-	diff.NumFiles, diff.TotalAddition, diff.TotalDeletion, err = gitrepo.GetDiffShortStatByCmdArgs(ctx, repo, nil, actualBeforeCommitID.String(), afterCommitID)
+	diff.NumFiles, diff.TotalAddition, diff.TotalDeletion, err = gitrepo.GetDiffShortStatByCmdArgs(ctx, repoStorage, nil, actualBeforeCommitID.String(), afterCommitID)
 	if err != nil {
 		return nil, err
 	}
@@ -1386,6 +1448,75 @@ func CommentAsDiff(ctx context.Context, c *issues_model.Comment) (*Diff, error)
 	return diff, nil
 }
 
+// GeneratePatchForUnchangedLine creates a patch showing code context for an unchanged line
+func GeneratePatchForUnchangedLine(gitRepo *git.Repository, commitID, treePath string, line int64, contextLines int) (string, error) {
+	commit, err := gitRepo.GetCommit(commitID)
+	if err != nil {
+		return "", fmt.Errorf("GetCommit: %w", err)
+	}
+
+	entry, err := commit.GetTreeEntryByPath(treePath)
+	if err != nil {
+		return "", fmt.Errorf("GetTreeEntryByPath: %w", err)
+	}
+
+	blob := entry.Blob()
+	dataRc, err := blob.DataAsync()
+	if err != nil {
+		return "", fmt.Errorf("DataAsync: %w", err)
+	}
+	defer dataRc.Close()
+
+	return generatePatchForUnchangedLineFromReader(dataRc, treePath, line, contextLines)
+}
+
+// generatePatchForUnchangedLineFromReader is the testable core logic that generates a patch from a reader
+func generatePatchForUnchangedLineFromReader(reader io.Reader, treePath string, line int64, contextLines int) (string, error) {
+	// Calculate line range (commented line + lines above it)
+	commentLine := int(line)
+	if line < 0 {
+		commentLine = int(-line)
+	}
+	startLine := max(commentLine-contextLines, 1)
+	endLine := commentLine
+
+	// Read only the needed lines efficiently
+	scanner := bufio.NewScanner(reader)
+	currentLine := 0
+	var lines []string
+	for scanner.Scan() {
+		currentLine++
+		if currentLine >= startLine && currentLine <= endLine {
+			lines = append(lines, scanner.Text())
+		}
+		if currentLine > endLine {
+			break
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return "", fmt.Errorf("scanner error: %w", err)
+	}
+
+	if len(lines) == 0 {
+		return "", fmt.Errorf("no lines found in range %d-%d", startLine, endLine)
+	}
+
+	// Generate synthetic patch
+	var patchBuilder strings.Builder
+	patchBuilder.WriteString(fmt.Sprintf("diff --git a/%s b/%s\n", treePath, treePath))
+	patchBuilder.WriteString(fmt.Sprintf("--- a/%s\n", treePath))
+	patchBuilder.WriteString(fmt.Sprintf("+++ b/%s\n", treePath))
+	patchBuilder.WriteString(fmt.Sprintf("@@ -%d,%d +%d,%d @@\n", startLine, len(lines), startLine, len(lines)))
+
+	for _, lineContent := range lines {
+		patchBuilder.WriteString(" ")
+		patchBuilder.WriteString(lineContent)
+		patchBuilder.WriteString("\n")
+	}
+
+	return patchBuilder.String(), nil
+}
+
 // CommentMustAsDiff executes AsDiff and logs the error instead of returning
 func CommentMustAsDiff(ctx context.Context, c *issues_model.Comment) *Diff {
 	if c == nil {

services/gitdiff/gitdiff_test.go

@@ -640,3 +640,346 @@ func TestNoCrashes(t *testing.T) {
 		ParsePatch(t.Context(), setting.Git.MaxGitDiffLines, setting.Git.MaxGitDiffLineCharacters, setting.Git.MaxGitDiffFiles, strings.NewReader(testcase.gitdiff), "")
 	}
 }
+
+func TestGeneratePatchForUnchangedLineFromReader(t *testing.T) {
+	tests := []struct {
+		name         string
+		content      string
+		treePath     string
+		line         int64
+		contextLines int
+		want         string
+		wantErr      bool
+	}{
+		{
+			name:         "single line with context",
+			content:      "line1\nline2\nline3\nline4\nline5\n",
+			treePath:     "test.txt",
+			line:         3,
+			contextLines: 1,
+			want: `diff --git a/test.txt b/test.txt
+--- a/test.txt
++++ b/test.txt
+@@ -2,2 +2,2 @@
+ line2
+ line3
+`,
+		},
+		{
+			name:         "negative line number (left side)",
+			content:      "line1\nline2\nline3\nline4\nline5\n",
+			treePath:     "test.txt",
+			line:         -3,
+			contextLines: 1,
+			want: `diff --git a/test.txt b/test.txt
+--- a/test.txt
++++ b/test.txt
+@@ -2,2 +2,2 @@
+ line2
+ line3
+`,
+		},
+		{
+			name:         "line near start of file",
+			content:      "line1\nline2\nline3\n",
+			treePath:     "test.txt",
+			line:         2,
+			contextLines: 5,
+			want: `diff --git a/test.txt b/test.txt
+--- a/test.txt
++++ b/test.txt
+@@ -1,2 +1,2 @@
+ line1
+ line2
+`,
+		},
+		{
+			name:         "first line with context",
+			content:      "line1\nline2\nline3\n",
+			treePath:     "test.txt",
+			line:         1,
+			contextLines: 3,
+			want: `diff --git a/test.txt b/test.txt
+--- a/test.txt
++++ b/test.txt
+@@ -1,1 +1,1 @@
+ line1
+`,
+		},
+		{
+			name:         "zero context lines",
+			content:      "line1\nline2\nline3\n",
+			treePath:     "test.txt",
+			line:         2,
+			contextLines: 0,
+			want: `diff --git a/test.txt b/test.txt
+--- a/test.txt
++++ b/test.txt
+@@ -2,1 +2,1 @@
+ line2
+`,
+		},
+		{
+			name:         "multi-line context",
+			content:      "package main\n\nfunc main() {\n  fmt.Println(\"Hello\")\n}\n",
+			treePath:     "main.go",
+			line:         4,
+			contextLines: 2,
+			want: `diff --git a/main.go b/main.go
+--- a/main.go
++++ b/main.go
+@@ -2,3 +2,3 @@
+<SP>
+ func main() {
+   fmt.Println("Hello")
+`,
+		},
+		{
+			name:         "empty file",
+			content:      "",
+			treePath:     "empty.txt",
+			line:         1,
+			contextLines: 1,
+			wantErr:      true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reader := strings.NewReader(tt.content)
+			got, err := generatePatchForUnchangedLineFromReader(reader, tt.treePath, tt.line, tt.contextLines)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, strings.ReplaceAll(tt.want, "<SP>", " "), got)
+			}
+		})
+	}
+}
+
+func TestCalculateHiddenCommentIDsForLine(t *testing.T) {
+	tests := []struct {
+		name         string
+		line         *DiffLine
+		lineComments map[int64][]*issues_model.Comment
+		expected     []int64
+	}{
+		{
+			name: "comments in hidden range",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx: 10,
+					RightIdx:     20,
+				},
+			},
+			lineComments: map[int64][]*issues_model.Comment{
+				15: {{ID: 100}, {ID: 101}},
+				12: {{ID: 102}},
+			},
+			expected: []int64{100, 101, 102},
+		},
+		{
+			name: "comments outside hidden range",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx: 10,
+					RightIdx:     20,
+				},
+			},
+			lineComments: map[int64][]*issues_model.Comment{
+				5:  {{ID: 100}},
+				25: {{ID: 101}},
+			},
+			expected: nil,
+		},
+		{
+			name: "negative line numbers (left side)",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx: 10,
+					RightIdx:     20,
+				},
+			},
+			lineComments: map[int64][]*issues_model.Comment{
+				-15: {{ID: 100}}, // Left-side comment, should NOT be counted
+				15:  {{ID: 101}}, // Right-side comment, should be counted
+			},
+			expected: []int64{101}, // Only right-side comment
+		},
+		{
+			name: "boundary conditions - normal expansion (both boundaries exclusive)",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx:  10,
+					RightIdx:      20,
+					RightHunkSize: 5, // Normal case: next section has content
+				},
+			},
+			lineComments: map[int64][]*issues_model.Comment{
+				10: {{ID: 100}}, // at LastRightIdx (visible line), should NOT be included
+				20: {{ID: 101}}, // at RightIdx (visible line), should NOT be included
+				11: {{ID: 102}}, // just inside range, should be included
+				19: {{ID: 103}}, // just inside range, should be included
+			},
+			expected: []int64{102, 103},
+		},
+		{
+			name: "boundary conditions - end of file expansion (RightIdx inclusive)",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx:  54,
+					RightIdx:      70,
+					RightHunkSize: 0, // End of file: no more content after
+				},
+			},
+			lineComments: map[int64][]*issues_model.Comment{
+				54: {{ID: 54}}, // at LastRightIdx (visible line), should NOT be included
+				70: {{ID: 70}}, // at RightIdx (last hidden line), SHOULD be included
+				60: {{ID: 60}}, // inside range, should be included
+			},
+			expected: []int64{60, 70}, // Lines 60 and 70 are hidden
+		},
+		{
+			name: "real-world scenario - start of file with hunk",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx:  0,  // No previous visible section
+					RightIdx:      26, // Line 26 is first visible line of hunk
+					RightHunkSize: 9,  // Normal hunk with content
+				},
+			},
+			lineComments: map[int64][]*issues_model.Comment{
+				1:  {{ID: 1}},  // Line 1 is hidden
+				26: {{ID: 26}}, // Line 26 is visible (hunk start) - should NOT be hidden
+				10: {{ID: 10}}, // Line 10 is hidden
+				15: {{ID: 15}}, // Line 15 is hidden
+			},
+			expected: []int64{1, 10, 15}, // Lines 1, 10, 15 are hidden; line 26 is visible
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			FillHiddenCommentIDsForDiffLine(tt.line, tt.lineComments)
+			assert.ElementsMatch(t, tt.expected, tt.line.SectionInfo.HiddenCommentIDs)
+		})
+	}
+}
+
+func TestDiffLine_RenderBlobExcerptButtons(t *testing.T) {
+	tests := []struct {
+		name             string
+		line             *DiffLine
+		fileNameHash     string
+		data             *DiffBlobExcerptData
+		expectContains   []string
+		expectNotContain []string
+	}{
+		{
+			name: "expand up button with hidden comments",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx:     0,
+					RightIdx:         26,
+					LeftIdx:          26,
+					LastLeftIdx:      0,
+					LeftHunkSize:     0,
+					RightHunkSize:    0,
+					HiddenCommentIDs: []int64{100},
+				},
+			},
+			fileNameHash: "abc123",
+			data: &DiffBlobExcerptData{
+				BaseLink:      "/repo/blob_excerpt",
+				AfterCommitID: "commit123",
+				DiffStyle:     "unified",
+			},
+			expectContains: []string{
+				"octicon-fold-up",
+				"direction=up",
+				"code-comment-more",
+				"1 hidden comment(s)",
+			},
+		},
+		{
+			name: "expand up and down buttons with pull request",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx:     10,
+					RightIdx:         50,
+					LeftIdx:          10,
+					LastLeftIdx:      5,
+					LeftHunkSize:     5,
+					RightHunkSize:    5,
+					HiddenCommentIDs: []int64{200, 201},
+				},
+			},
+			fileNameHash: "def456",
+			data: &DiffBlobExcerptData{
+				BaseLink:       "/repo/blob_excerpt",
+				AfterCommitID:  "commit456",
+				DiffStyle:      "split",
+				PullIssueIndex: 42,
+			},
+			expectContains: []string{
+				"octicon-fold-down",
+				"octicon-fold-up",
+				"direction=down",
+				"direction=up",
+				`data-hidden-comment-ids=",200,201,"`, // use leading and trailing commas to ensure exact match by CSS selector `attr*=",id,"`
+				"pull_issue_index=42",
+				"2 hidden comment(s)",
+			},
+		},
+		{
+			name: "no hidden comments",
+			line: &DiffLine{
+				Type: DiffLineSection,
+				SectionInfo: &DiffLineSectionInfo{
+					LastRightIdx:     10,
+					RightIdx:         20,
+					LeftIdx:          10,
+					LastLeftIdx:      5,
+					LeftHunkSize:     5,
+					RightHunkSize:    5,
+					HiddenCommentIDs: nil,
+				},
+			},
+			fileNameHash: "ghi789",
+			data: &DiffBlobExcerptData{
+				BaseLink:      "/repo/blob_excerpt",
+				AfterCommitID: "commit789",
+			},
+			expectContains: []string{
+				"code-expander-button",
+			},
+			expectNotContain: []string{
+				"code-comment-more",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.line.RenderBlobExcerptButtons(tt.fileNameHash, tt.data)
+			resultStr := string(result)
+
+			for _, expected := range tt.expectContains {
+				assert.Contains(t, resultStr, expected, "Expected to contain: %s", expected)
+			}
+
+			for _, notExpected := range tt.expectNotContain {
+				assert.NotContains(t, resultStr, notExpected, "Expected NOT to contain: %s", notExpected)
+			}
+		})
+	}
+}

services/lfs/server.go

@@ -18,6 +18,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 
 	actions_model "code.gitea.io/gitea/models/actions"
 	auth_model "code.gitea.io/gitea/models/auth"
@@ -54,6 +55,33 @@ type Claims struct {
 	jwt.RegisteredClaims
 }
 
+type AuthTokenOptions struct {
+	Op     string
+	UserID int64
+	RepoID int64
+}
+
+func GetLFSAuthTokenWithBearer(opts AuthTokenOptions) (string, error) {
+	now := time.Now()
+	claims := Claims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(now.Add(setting.LFS.HTTPAuthExpiry)),
+			NotBefore: jwt.NewNumericDate(now),
+		},
+		RepoID: opts.RepoID,
+		Op:     opts.Op,
+		UserID: opts.UserID,
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+
+	// Sign and get the complete encoded token as a string using the secret
+	tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign LFS JWT token: %w", err)
+	}
+	return "Bearer " + tokenString, nil
+}
+
 // DownloadLink builds a URL to download the object.
 func (rc *requestContext) DownloadLink(p lfs_module.Pointer) string {
 	return setting.AppURL + path.Join(url.PathEscape(rc.User), url.PathEscape(rc.Repo+".git"), "info/lfs/objects", url.PathEscape(p.Oid))
@@ -559,9 +587,6 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 }
 
 func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repository, mode perm_model.AccessMode) (*user_model.User, error) {
-	if !strings.Contains(tokenSHA, ".") {
-		return nil, nil
-	}
 	token, err := jwt.ParseWithClaims(tokenSHA, &Claims{}, func(t *jwt.Token) (any, error) {
 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
@@ -569,7 +594,7 @@ func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repo
 		return setting.LFS.JWTSecretBytes, nil
 	})
 	if err != nil {
-		return nil, nil
+		return nil, errors.New("invalid token")
 	}
 
 	claims, claimsOk := token.Claims.(*Claims)

services/lfs/server_test.go

@@ -0,0 +1,51 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package lfs
+
+import (
+	"strings"
+	"testing"
+
+	perm_model "code.gitea.io/gitea/models/perm"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/services/contexttest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMain(m *testing.M) {
+	unittest.MainTest(m)
+}
+
+func TestAuthenticate(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+
+	token2, _ := GetLFSAuthTokenWithBearer(AuthTokenOptions{Op: "download", UserID: 2, RepoID: 1})
+	_, token2, _ = strings.Cut(token2, " ")
+	ctx, _ := contexttest.MockContext(t, "/")
+
+	t.Run("handleLFSToken", func(t *testing.T) {
+		u, err := handleLFSToken(ctx, "", repo1, perm_model.AccessModeRead)
+		require.Error(t, err)
+		assert.Nil(t, u)
+
+		u, err = handleLFSToken(ctx, "invalid", repo1, perm_model.AccessModeRead)
+		require.Error(t, err)
+		assert.Nil(t, u)
+
+		u, err = handleLFSToken(ctx, token2, repo1, perm_model.AccessModeRead)
+		require.NoError(t, err)
+		assert.EqualValues(t, 2, u.ID)
+	})
+
+	t.Run("authenticate", func(t *testing.T) {
+		const prefixBearer = "Bearer "
+		assert.False(t, authenticate(ctx, repo1, "", true, false))
+		assert.False(t, authenticate(ctx, repo1, prefixBearer+"invalid", true, false))
+		assert.True(t, authenticate(ctx, repo1, prefixBearer+token2, true, false))
+	})
+}

services/mailer/incoming/incoming_handler.go

@@ -6,6 +6,7 @@ package incoming
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 
 	issues_model "code.gitea.io/gitea/models/issues"
@@ -85,7 +86,9 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 	attachmentIDs := make([]string, 0, len(content.Attachments))
 	if setting.Attachment.Enabled {
 		for _, attachment := range content.Attachments {
-			a, err := attachment_service.UploadAttachment(ctx, bytes.NewReader(attachment.Content), setting.Attachment.AllowedTypes, int64(len(attachment.Content)), &repo_model.Attachment{
+			attachmentBuf := bytes.NewReader(attachment.Content)
+			uploaderFile := attachment_service.NewLimitedUploaderKnownSize(attachmentBuf, attachmentBuf.Size())
+			a, err := attachment_service.UploadAttachmentGeneralSizeLimit(ctx, uploaderFile, setting.Attachment.AllowedTypes, &repo_model.Attachment{
 				Name:       attachment.Name,
 				UploaderID: doer.ID,
 				RepoID:     issue.Repo.ID,
@@ -95,6 +98,11 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 					log.Info("Skipping disallowed attachment type: %s", attachment.Name)
 					continue
 				}
+				if errors.Is(err, util.ErrContentTooLarge) {
+					log.Info("Skipping attachment exceeding size limit: %s", attachment.Name)
+					continue
+				}
+
 				return err
 			}
 			attachmentIDs = append(attachmentIDs, a.UUID)

services/pull/review.go

@@ -22,6 +22,7 @@ import (
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/services/gitdiff"
 	notify_service "code.gitea.io/gitea/services/notify"
 )
 
@@ -283,6 +284,15 @@ func createCodeComment(ctx context.Context, doer *user_model.User, repo *repo_mo
 			log.Error("Error whilst generating patch: %v", err)
 			return nil, err
 		}
+
+		// If patch is still empty (unchanged line), generate code context
+		if patch == "" && commitID != "" {
+			patch, err = gitdiff.GeneratePatchForUnchangedLine(gitRepo, commitID, treePath, line, setting.UI.CodeCommentLines)
+			if err != nil {
+				// Log the error but don't fail comment creation
+				log.Debug("Unable to generate patch for unchanged line (file=%s, line=%d, commit=%s): %v", treePath, line, commitID, err)
+			}
+		}
 	}
 	return issues_model.CreateComment(ctx, &issues_model.CreateCommentOptions{
 		Type:        issues_model.CommentTypeCode,

services/repository/generate.go

@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	git_model "code.gitea.io/gitea/models/git"
@@ -40,29 +41,41 @@ type expansion struct {
 	Transformers []transformer
 }
 
-var defaultTransformers = []transformer{
-	{Name: "SNAKE", Transform: xstrings.ToSnakeCase},
-	{Name: "KEBAB", Transform: xstrings.ToKebabCase},
-	{Name: "CAMEL", Transform: xstrings.ToCamelCase},
-	{Name: "PASCAL", Transform: xstrings.ToPascalCase},
-	{Name: "LOWER", Transform: strings.ToLower},
-	{Name: "UPPER", Transform: strings.ToUpper},
-	{Name: "TITLE", Transform: util.ToTitleCase},
-}
+var globalVars = sync.OnceValue(func() (ret struct {
+	defaultTransformers    []transformer
+	fileNameSanitizeRegexp *regexp.Regexp
+},
+) {
+	ret.defaultTransformers = []transformer{
+		{Name: "SNAKE", Transform: xstrings.ToSnakeCase},
+		{Name: "KEBAB", Transform: xstrings.ToKebabCase},
+		{Name: "CAMEL", Transform: xstrings.ToCamelCase},
+		{Name: "PASCAL", Transform: xstrings.ToPascalCase},
+		{Name: "LOWER", Transform: strings.ToLower},
+		{Name: "UPPER", Transform: strings.ToUpper},
+		{Name: "TITLE", Transform: util.ToTitleCase},
+	}
 
-func generateExpansion(ctx context.Context, src string, templateRepo, generateRepo *repo_model.Repository, sanitizeFileName bool) string {
+	// invalid filename contents, based on https://github.com/sindresorhus/filename-reserved-regex
+	// "COM10" needs to be opened with UNC "\\.\COM10" on Windows, so itself is valid
+	ret.fileNameSanitizeRegexp = regexp.MustCompile(`(?i)[<>:"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
+	return ret
+})
+
+func generateExpansion(ctx context.Context, src string, templateRepo, generateRepo *repo_model.Repository) string {
+	transformers := globalVars().defaultTransformers
 	year, month, day := time.Now().Date()
 	expansions := []expansion{
 		{Name: "YEAR", Value: strconv.Itoa(year), Transformers: nil},
 		{Name: "MONTH", Value: fmt.Sprintf("%02d", int(month)), Transformers: nil},
-		{Name: "MONTH_ENGLISH", Value: month.String(), Transformers: defaultTransformers},
+		{Name: "MONTH_ENGLISH", Value: month.String(), Transformers: transformers},
 		{Name: "DAY", Value: fmt.Sprintf("%02d", day), Transformers: nil},
-		{Name: "REPO_NAME", Value: generateRepo.Name, Transformers: defaultTransformers},
-		{Name: "TEMPLATE_NAME", Value: templateRepo.Name, Transformers: defaultTransformers},
+		{Name: "REPO_NAME", Value: generateRepo.Name, Transformers: transformers},
+		{Name: "TEMPLATE_NAME", Value: templateRepo.Name, Transformers: transformers},
 		{Name: "REPO_DESCRIPTION", Value: generateRepo.Description, Transformers: nil},
 		{Name: "TEMPLATE_DESCRIPTION", Value: templateRepo.Description, Transformers: nil},
-		{Name: "REPO_OWNER", Value: generateRepo.OwnerName, Transformers: defaultTransformers},
-		{Name: "TEMPLATE_OWNER", Value: templateRepo.OwnerName, Transformers: defaultTransformers},
+		{Name: "REPO_OWNER", Value: generateRepo.OwnerName, Transformers: transformers},
+		{Name: "TEMPLATE_OWNER", Value: templateRepo.OwnerName, Transformers: transformers},
 		{Name: "REPO_LINK", Value: generateRepo.Link(), Transformers: nil},
 		{Name: "TEMPLATE_LINK", Value: templateRepo.Link(), Transformers: nil},
 		{Name: "REPO_HTTPS_URL", Value: generateRepo.CloneLinkGeneral(ctx).HTTPS, Transformers: nil},
@@ -80,32 +93,23 @@ func generateExpansion(ctx context.Context, src string, templateRepo, generateRe
 	}
 
 	return os.Expand(src, func(key string) string {
-		if expansion, ok := expansionMap[key]; ok {
-			if sanitizeFileName {
-				return fileNameSanitize(expansion)
-			}
-			return expansion
+		if val, ok := expansionMap[key]; ok {
+			return val
 		}
 		return key
 	})
 }
 
-// GiteaTemplate holds information about a .gitea/template file
-type GiteaTemplate struct {
-	Path    string
-	Content []byte
-
-	globs []glob.Glob
+// giteaTemplateFileMatcher holds information about a .gitea/template file
+type giteaTemplateFileMatcher struct {
+	LocalFullPath string
+	globs         []glob.Glob
 }
 
-// Globs parses the .gitea/template globs or returns them if they were already parsed
-func (gt *GiteaTemplate) Globs() []glob.Glob {
-	if gt.globs != nil {
-		return gt.globs
-	}
-
+func newGiteaTemplateFileMatcher(fullPath string, content []byte) *giteaTemplateFileMatcher {
+	gt := &giteaTemplateFileMatcher{LocalFullPath: fullPath}
 	gt.globs = make([]glob.Glob, 0)
-	scanner := bufio.NewScanner(bytes.NewReader(gt.Content))
+	scanner := bufio.NewScanner(bytes.NewReader(content))
 	for scanner.Scan() {
 		line := strings.TrimSpace(scanner.Text())
 		if line == "" || strings.HasPrefix(line, "#") {
@@ -113,73 +117,91 @@ func (gt *GiteaTemplate) Globs() []glob.Glob {
 		}
 		g, err := glob.Compile(line, '/')
 		if err != nil {
-			log.Info("Invalid glob expression '%s' (skipped): %v", line, err)
+			log.Debug("Invalid glob expression '%s' (skipped): %v", line, err)
 			continue
 		}
 		gt.globs = append(gt.globs, g)
 	}
-	return gt.globs
+	return gt
 }
 
-func readGiteaTemplateFile(tmpDir string) (*GiteaTemplate, error) {
-	gtPath := filepath.Join(tmpDir, ".gitea", "template")
-	if _, err := os.Stat(gtPath); os.IsNotExist(err) {
+func (gt *giteaTemplateFileMatcher) HasRules() bool {
+	return len(gt.globs) != 0
+}
+
+func (gt *giteaTemplateFileMatcher) Match(s string) bool {
+	for _, g := range gt.globs {
+		if g.Match(s) {
+			return true
+		}
+	}
+	return false
+}
+
+func readGiteaTemplateFile(tmpDir string) (*giteaTemplateFileMatcher, error) {
+	localPath := filepath.Join(tmpDir, ".gitea", "template")
+	if _, err := os.Stat(localPath); os.IsNotExist(err) {
 		return nil, nil
 	} else if err != nil {
 		return nil, err
 	}
 
-	content, err := os.ReadFile(gtPath)
+	content, err := os.ReadFile(localPath)
 	if err != nil {
 		return nil, err
 	}
 
-	return &GiteaTemplate{Path: gtPath, Content: content}, nil
+	return newGiteaTemplateFileMatcher(localPath, content), nil
 }
 
-func processGiteaTemplateFile(ctx context.Context, tmpDir string, templateRepo, generateRepo *repo_model.Repository, giteaTemplateFile *GiteaTemplate) error {
-	if err := util.Remove(giteaTemplateFile.Path); err != nil {
-		return fmt.Errorf("remove .giteatemplate: %w", err)
+func substGiteaTemplateFile(ctx context.Context, tmpDir, tmpDirSubPath string, templateRepo, generateRepo *repo_model.Repository) error {
+	tmpFullPath := filepath.Join(tmpDir, tmpDirSubPath)
+	if ok, err := util.IsRegularFile(tmpFullPath); !ok {
+		return err
 	}
-	if len(giteaTemplateFile.Globs()) == 0 {
+
+	content, err := os.ReadFile(tmpFullPath)
+	if err != nil {
+		return err
+	}
+	if err := util.Remove(tmpFullPath); err != nil {
+		return err
+	}
+
+	generatedContent := generateExpansion(ctx, string(content), templateRepo, generateRepo)
+	substSubPath := filepath.Clean(filePathSanitize(generateExpansion(ctx, tmpDirSubPath, templateRepo, generateRepo)))
+	newLocalPath := filepath.Join(tmpDir, substSubPath)
+	regular, err := util.IsRegularFile(newLocalPath)
+	if canWrite := regular || os.IsNotExist(err); !canWrite {
+		return nil
+	}
+	if err := os.MkdirAll(filepath.Dir(newLocalPath), 0o755); err != nil {
+		return err
+	}
+	return os.WriteFile(newLocalPath, []byte(generatedContent), 0o644)
+}
+
+func processGiteaTemplateFile(ctx context.Context, tmpDir string, templateRepo, generateRepo *repo_model.Repository, fileMatcher *giteaTemplateFileMatcher) error {
+	if err := util.Remove(fileMatcher.LocalFullPath); err != nil {
+		return fmt.Errorf("unable to remove .gitea/template: %w", err)
+	}
+	if !fileMatcher.HasRules() {
 		return nil // Avoid walking tree if there are no globs
 	}
-	tmpDirSlash := strings.TrimSuffix(filepath.ToSlash(tmpDir), "/") + "/"
-	return filepath.WalkDir(tmpDirSlash, func(path string, d os.DirEntry, walkErr error) error {
+
+	return filepath.WalkDir(tmpDir, func(fullPath string, d os.DirEntry, walkErr error) error {
 		if walkErr != nil {
 			return walkErr
 		}
-
 		if d.IsDir() {
 			return nil
 		}
-
-		base := strings.TrimPrefix(filepath.ToSlash(path), tmpDirSlash)
-		for _, g := range giteaTemplateFile.Globs() {
-			if g.Match(base) {
-				content, err := os.ReadFile(path)
-				if err != nil {
-					return err
-				}
-
-				generatedContent := []byte(generateExpansion(ctx, string(content), templateRepo, generateRepo, false))
-				if err := os.WriteFile(path, generatedContent, 0o644); err != nil {
-					return err
-				}
-
-				substPath := filepath.FromSlash(filepath.Join(tmpDirSlash, generateExpansion(ctx, base, templateRepo, generateRepo, true)))
-
-				// Create parent subdirectories if needed or continue silently if it exists
-				if err = os.MkdirAll(filepath.Dir(substPath), 0o755); err != nil {
-					return err
-				}
-
-				// Substitute filename variables
-				if err = os.Rename(path, substPath); err != nil {
-					return err
-				}
-				break
-			}
+		tmpDirSubPath, err := filepath.Rel(tmpDir, fullPath)
+		if err != nil {
+			return err
+		}
+		if fileMatcher.Match(filepath.ToSlash(tmpDirSubPath)) {
+			return substGiteaTemplateFile(ctx, tmpDir, tmpDirSubPath, templateRepo, generateRepo)
 		}
 		return nil
 	}) // end: WalkDir
@@ -219,13 +241,13 @@ func generateRepoCommit(ctx context.Context, repo, templateRepo, generateRepo *r
 	}
 
 	// Variable expansion
-	giteaTemplateFile, err := readGiteaTemplateFile(tmpDir)
+	fileMatcher, err := readGiteaTemplateFile(tmpDir)
 	if err != nil {
 		return fmt.Errorf("readGiteaTemplateFile: %w", err)
 	}
 
-	if giteaTemplateFile != nil {
-		err = processGiteaTemplateFile(ctx, tmpDir, templateRepo, generateRepo, giteaTemplateFile)
+	if fileMatcher != nil {
+		err = processGiteaTemplateFile(ctx, tmpDir, templateRepo, generateRepo, fileMatcher)
 		if err != nil {
 			return err
 		}
@@ -317,12 +339,17 @@ func (gro GenerateRepoOptions) IsValid() bool {
 		gro.IssueLabels || gro.ProtectedBranch // or other items as they are added
 }
 
-var fileNameSanitizeRegexp = regexp.MustCompile(`(?i)\.\.|[<>:\"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
-
-// Sanitize user input to valid OS filenames
-//
-//		Based on https://github.com/sindresorhus/filename-reserved-regex
-//	 Adds ".." to prevent directory traversal
-func fileNameSanitize(s string) string {
-	return strings.TrimSpace(fileNameSanitizeRegexp.ReplaceAllString(s, "_"))
+func filePathSanitize(s string) string {
+	fields := strings.Split(filepath.ToSlash(s), "/")
+	for i, field := range fields {
+		field = strings.TrimSpace(strings.TrimSpace(globalVars().fileNameSanitizeRegexp.ReplaceAllString(field, "_")))
+		if strings.HasPrefix(field, "..") {
+			field = "__" + field[2:]
+		}
+		if strings.EqualFold(field, ".git") {
+			field = "_" + field[1:]
+		}
+		fields[i] = field
+	}
+	return filepath.FromSlash(strings.Join(fields, "/"))
 }

services/repository/generate_test.go

@@ -4,13 +4,18 @@
 package repository
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
+	repo_model "code.gitea.io/gitea/models/repo"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-var giteaTemplate = []byte(`
+func TestGiteaTemplate(t *testing.T) {
+	giteaTemplate := []byte(`
 # Header
 
 # All .go files
@@ -23,48 +28,153 @@ text/*.txt
 **/modules/*
 `)
 
-func TestGiteaTemplate(t *testing.T) {
-	gt := GiteaTemplate{Content: giteaTemplate}
-	assert.Len(t, gt.Globs(), 3)
+	gt := newGiteaTemplateFileMatcher("", giteaTemplate)
+	assert.Len(t, gt.globs, 3)
 
 	tt := []struct {
 		Path  string
 		Match bool
 	}{
 		{Path: "main.go", Match: true},
-		{Path: "a/b/c/d/e.go", Match: true},
-		{Path: "main.txt", Match: false},
-		{Path: "a/b.txt", Match: false},
+		{Path: "sub/sub/foo.go", Match: true},
+
+		{Path: "a.txt", Match: false},
 		{Path: "text/a.txt", Match: true},
-		{Path: "text/b.txt", Match: true},
-		{Path: "text/c.json", Match: false},
+		{Path: "sub/text/a.txt", Match: false},
+		{Path: "text/a.json", Match: false},
+
 		{Path: "a/b/c/modules/README.md", Match: true},
 		{Path: "a/b/c/modules/d/README.md", Match: false},
 	}
 
 	for _, tc := range tt {
-		t.Run(tc.Path, func(t *testing.T) {
-			match := false
-			for _, g := range gt.Globs() {
-				if g.Match(tc.Path) {
-					match = true
-					break
-				}
-			}
-			assert.Equal(t, tc.Match, match)
-		})
+		assert.Equal(t, tc.Match, gt.Match(tc.Path), "path: %s", tc.Path)
 	}
 }
 
-func TestFileNameSanitize(t *testing.T) {
-	assert.Equal(t, "test_CON", fileNameSanitize("test_CON"))
-	assert.Equal(t, "test CON", fileNameSanitize("test CON "))
-	assert.Equal(t, "__traverse__", fileNameSanitize("../traverse/.."))
-	assert.Equal(t, "http___localhost_3003_user_test.git", fileNameSanitize("http://localhost:3003/user/test.git"))
-	assert.Equal(t, "_", fileNameSanitize("CON"))
-	assert.Equal(t, "_", fileNameSanitize("con"))
-	assert.Equal(t, "_", fileNameSanitize("\u0000"))
-	assert.Equal(t, "目标", fileNameSanitize("目标"))
+func TestFilePathSanitize(t *testing.T) {
+	assert.Equal(t, "test_CON", filePathSanitize("test_CON"))
+	assert.Equal(t, "test CON", filePathSanitize("test CON "))
+	assert.Equal(t, "__/traverse/__", filePathSanitize(".. /traverse/ .."))
+	assert.Equal(t, "./__/a/_git/b_", filePathSanitize("./../a/.git/ b: "))
+	assert.Equal(t, "_", filePathSanitize("CoN"))
+	assert.Equal(t, "_", filePathSanitize("LpT1"))
+	assert.Equal(t, "_", filePathSanitize("CoM1"))
+	assert.Equal(t, "_", filePathSanitize("\u0000"))
+	assert.Equal(t, "目标", filePathSanitize("目标"))
+	// unlike filepath.Clean, it only sanitizes, doesn't change the separator layout
+	assert.Equal(t, "", filePathSanitize("")) //nolint:testifylint // for easy reading
+	assert.Equal(t, ".", filePathSanitize("."))
+	assert.Equal(t, "/", filePathSanitize("/"))
+}
+
+func TestProcessGiteaTemplateFile(t *testing.T) {
+	tmpDir := filepath.Join(t.TempDir(), "gitea-template-test")
+
+	assertFileContent := func(path, expected string) {
+		data, err := os.ReadFile(filepath.Join(tmpDir, path))
+		if expected == "" {
+			assert.ErrorIs(t, err, os.ErrNotExist)
+			return
+		}
+		require.NoError(t, err)
+		assert.Equal(t, expected, string(data), "file content mismatch for %s", path)
+	}
+
+	assertSymLink := func(path, expected string) {
+		link, err := os.Readlink(filepath.Join(tmpDir, path))
+		if expected == "" {
+			assert.ErrorIs(t, err, os.ErrNotExist)
+			return
+		}
+		require.NoError(t, err)
+		assert.Equal(t, expected, link, "symlink target mismatch for %s", path)
+	}
+
+	require.NoError(t, os.MkdirAll(tmpDir+"/.gitea", 0o755))
+	require.NoError(t, os.WriteFile(tmpDir+"/.gitea/template", []byte("*\ninclude/**"), 0o644))
+	require.NoError(t, os.MkdirAll(tmpDir+"/sub", 0o755))
+	require.NoError(t, os.MkdirAll(tmpDir+"/include/foo/bar", 0o755))
+
+	require.NoError(t, os.WriteFile(tmpDir+"/sub/link-target", []byte("link target content from ${TEMPLATE_NAME}"), 0o644))
+	require.NoError(t, os.WriteFile(tmpDir+"/include/foo/bar/test.txt", []byte("include subdir ${TEMPLATE_NAME}"), 0o644))
+
+	// case-1
+	{
+		require.NoError(t, os.WriteFile(tmpDir+"/normal", []byte("normal content"), 0o644))
+		require.NoError(t, os.WriteFile(tmpDir+"/template", []byte("template from ${TEMPLATE_NAME}"), 0o644))
+	}
+
+	// case-2
+	{
+		require.NoError(t, os.Symlink(tmpDir+"/sub/link-target", tmpDir+"/link"))
+	}
+
+	// case-3
+	{
+		require.NoError(t, os.WriteFile(tmpDir+"/subst-${REPO_NAME}", []byte("dummy subst repo name"), 0o644))
+	}
+
+	// case-4
+	assertSubstTemplateName := func(normalContent, toLinkContent, fromLinkContent string) {
+		assertFileContent("subst-${TEMPLATE_NAME}-normal", normalContent)
+		assertFileContent("subst-${TEMPLATE_NAME}-to-link", toLinkContent)
+		assertFileContent("subst-${TEMPLATE_NAME}-from-link", fromLinkContent)
+	}
+	{
+		// will succeed
+		require.NoError(t, os.WriteFile(tmpDir+"/subst-${TEMPLATE_NAME}-normal", []byte("dummy subst template name normal"), 0o644))
+		// will skil if the path subst result is a link
+		require.NoError(t, os.WriteFile(tmpDir+"/subst-${TEMPLATE_NAME}-to-link", []byte("dummy subst template name to link"), 0o644))
+		require.NoError(t, os.Symlink(tmpDir+"/sub/link-target", tmpDir+"/subst-TemplateRepoName-to-link"))
+		// will be skipped since the source is a symlink
+		require.NoError(t, os.Symlink(tmpDir+"/sub/link-target", tmpDir+"/subst-${TEMPLATE_NAME}-from-link"))
+		// pre-check
+		assertSubstTemplateName("dummy subst template name normal", "dummy subst template name to link", "link target content from ${TEMPLATE_NAME}")
+	}
+
+	// process the template files
+	{
+		templateRepo := &repo_model.Repository{Name: "TemplateRepoName"}
+		generatedRepo := &repo_model.Repository{Name: "/../.gIt/name"}
+		fileMatcher, _ := readGiteaTemplateFile(tmpDir)
+		err := processGiteaTemplateFile(t.Context(), tmpDir, templateRepo, generatedRepo, fileMatcher)
+		require.NoError(t, err)
+		assertFileContent("include/foo/bar/test.txt", "include subdir TemplateRepoName")
+	}
+
+	// the lin target should never be modified, and since it is in a subdirectory, it is not affected by the template either
+	assertFileContent("sub/link-target", "link target content from ${TEMPLATE_NAME}")
+
+	// case-1
+	{
+		assertFileContent("no-such", "")
+		assertFileContent("normal", "normal content")
+		assertFileContent("template", "template from TemplateRepoName")
+	}
+
+	// case-2
+	{
+		// symlink with templates should be preserved (not read or write)
+		assertSymLink("link", tmpDir+"/sub/link-target")
+	}
+
+	// case-3
+	{
+		assertFileContent("subst-${REPO_NAME}", "")
+		assertFileContent("subst-/__/_gIt/name", "dummy subst repo name")
+	}
+
+	// case-4
+	{
+		// the paths with templates should have been removed, subst to a regular file, succeed, the link is preserved
+		assertSubstTemplateName("", "", "link target content from ${TEMPLATE_NAME}")
+		assertFileContent("subst-TemplateRepoName-normal", "dummy subst template name normal")
+		// subst to a link, skip, and the target is unchanged
+		assertSymLink("subst-TemplateRepoName-to-link", tmpDir+"/sub/link-target")
+		// subst from a link, skip, and the target is unchanged
+		assertSymLink("subst-${TEMPLATE_NAME}-from-link", tmpDir+"/sub/link-target")
+	}
 }
 
 func TestTransformers(t *testing.T) {
@@ -82,9 +192,9 @@ func TestTransformers(t *testing.T) {
 	}
 
 	input := "Abc_Def-XYZ"
-	assert.Len(t, defaultTransformers, len(cases))
+	assert.Len(t, globalVars().defaultTransformers, len(cases))
 	for i, c := range cases {
-		tf := defaultTransformers[i]
+		tf := globalVars().defaultTransformers[i]
 		require.Equal(t, c.name, tf.Name)
 		assert.Equal(t, c.expected, tf.Transform(input), "case %s", c.name)
 	}

templates/repo/diff/blob_excerpt.tmpl

@@ -1,28 +1,10 @@
-{{$blobExcerptLink := print $.RepoLink (Iif $.PageIsWiki "/wiki" "") "/blob_excerpt/" (PathEscape $.AfterCommitID) (QueryBuild "?" "anchor" $.Anchor)}}
+{{$diffBlobExcerptData := .DiffBlobExcerptData}}
+{{$canCreateComment := and ctx.RootData.SignedUserID $diffBlobExcerptData.PullIssueIndex}}
 {{if $.IsSplitStyle}}
 	{{range $k, $line := $.section.Lines}}
-	<tr class="{{.GetHTMLDiffLineType}}-code nl-{{$k}} ol-{{$k}} line-expanded">
+	<tr class="{{.GetHTMLDiffLineType}}-code nl-{{$k}} ol-{{$k}} line-expanded" data-line-type="{{.GetHTMLDiffLineType}}">
 		{{if eq .GetType 4}}
-			{{$expandDirection := $line.GetExpandDirection}}
-			<td class="lines-num lines-num-old" data-line-num="{{if $line.LeftIdx}}{{$line.LeftIdx}}{{end}}">
-				<div class="code-expander-buttons" data-expand-direction="{{$expandDirection}}">
-				{{if or (eq $expandDirection 3) (eq $expandDirection 5)}}
-					<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=split&direction=down">
-						{{svg "octicon-fold-down"}}
-					</button>
-				{{end}}
-				{{if or (eq $expandDirection 3) (eq $expandDirection 4)}}
-					<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=split&direction=up">
-						{{svg "octicon-fold-up"}}
-					</button>
-				{{end}}
-				{{if eq $expandDirection 2}}
-					<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=split">
-						{{svg "octicon-fold"}}
-					</button>
-				{{end}}
-				</div>
-			</td>
+			<td class="lines-num lines-num-old">{{$line.RenderBlobExcerptButtons $.FileNameHash $diffBlobExcerptData}}</td>
 			<td colspan="7" class="lines-code lines-code-old">
 				{{- $inlineDiff := $.section.GetComputedInlineDiffFor $line ctx.Locale -}}
 				{{- template "repo/diff/section_code" dict "diff" $inlineDiff -}}
@@ -33,6 +15,12 @@
 			<td class="lines-escape lines-escape-old">{{if and $line.LeftIdx $inlineDiff.EscapeStatus.Escaped}}<button class="toggle-escape-button btn interact-bg" title="{{template "repo/diff/escape_title" dict "diff" $inlineDiff}}"></button>{{end}}</td>
 			<td class="lines-type-marker lines-type-marker-old">{{if $line.LeftIdx}}<span class="tw-font-mono" data-type-marker=""></span>{{end}}</td>
 			<td class="lines-code lines-code-old">
+				{{/* ATTENTION: BLOB-EXCERPT-COMMENT-RIGHT: here it intentially use "right" side to comment, because the backend code depends on the assumption that the comment only happens on right side*/}}
+				{{- if and $canCreateComment $line.RightIdx -}}
+					<button type="button" aria-label="{{ctx.Locale.Tr "repo.diff.comment.add_line_comment"}}" class="ui primary button add-code-comment add-code-comment-right{{if (not $line.CanComment)}} tw-invisible{{end}}" data-side="right" data-idx="{{$line.RightIdx}}">
+						{{- svg "octicon-plus" -}}
+					</button>
+				{{- end -}}
 				{{- if $line.LeftIdx -}}
 					{{- template "repo/diff/section_code" dict "diff" $inlineDiff -}}
 				{{- else -}}
@@ -43,6 +31,11 @@
 			<td class="lines-escape lines-escape-new">{{if and $line.RightIdx $inlineDiff.EscapeStatus.Escaped}}<button class="toggle-escape-button btn interact-bg" title="{{template "repo/diff/escape_title" dict "diff" $inlineDiff}}"></button>{{end}}</td>
 			<td class="lines-type-marker lines-type-marker-new">{{if $line.RightIdx}}<span class="tw-font-mono" data-type-marker=""></span>{{end}}</td>
 			<td class="lines-code lines-code-new">
+				{{- if and $canCreateComment $line.RightIdx -}}
+					<button type="button" aria-label="{{ctx.Locale.Tr "repo.diff.comment.add_line_comment"}}" class="ui primary button add-code-comment add-code-comment-right{{if (not $line.CanComment)}} tw-invisible{{end}}" data-side="right" data-idx="{{$line.RightIdx}}">
+						{{- svg "octicon-plus" -}}
+					</button>
+				{{- end -}}
 				{{- if $line.RightIdx -}}
 					{{- template "repo/diff/section_code" dict "diff" $inlineDiff -}}
 				{{- else -}}
@@ -51,31 +44,26 @@
 			</td>
 		{{end}}
 	</tr>
+	{{if $line.Comments}}
+		<tr class="add-comment" data-line-type="{{.GetHTMLDiffLineType}}">
+			<td class="add-comment-left" colspan="4">
+				{{if eq $line.GetCommentSide "previous"}}
+					{{template "repo/diff/conversation" dict "." $ "comments" $line.Comments}}
+				{{end}}
+			</td>
+			<td class="add-comment-right" colspan="4">
+				{{if eq $line.GetCommentSide "proposed"}}
+					{{template "repo/diff/conversation" dict "." $ "comments" $line.Comments}}
+				{{end}}
+			</td>
+		</tr>
+	{{end}}
 	{{end}}
 {{else}}
 	{{range $k, $line := $.section.Lines}}
-	<tr class="{{.GetHTMLDiffLineType}}-code nl-{{$k}} ol-{{$k}} line-expanded">
+	<tr class="{{.GetHTMLDiffLineType}}-code nl-{{$k}} ol-{{$k}} line-expanded" data-line-type="{{.GetHTMLDiffLineType}}">
 		{{if eq .GetType 4}}
-			{{$expandDirection := $line.GetExpandDirection}}
-			<td colspan="2" class="lines-num">
-				<div class="code-expander-buttons" data-expand-direction="{{$expandDirection}}">
-					{{if or (eq $expandDirection 3) (eq $expandDirection 5)}}
-						<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=unified&direction=down">
-							{{svg "octicon-fold-down"}}
-						</button>
-					{{end}}
-					{{if or (eq $expandDirection 3) (eq $expandDirection 4)}}
-						<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=unified&direction=up">
-							{{svg "octicon-fold-up"}}
-						</button>
-					{{end}}
-					{{if eq $expandDirection 2}}
-						<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=unified">
-							{{svg "octicon-fold"}}
-						</button>
-					{{end}}
-				</div>
-			</td>
+			<td colspan="2" class="lines-num">{{$line.RenderBlobExcerptButtons $.FileNameHash $diffBlobExcerptData}}</td>
 		{{else}}
 			<td class="lines-num lines-num-old" data-line-num="{{if $line.LeftIdx}}{{$line.LeftIdx}}{{end}}"><span rel="{{if $line.LeftIdx}}diff-{{$.FileNameHash}}L{{$line.LeftIdx}}{{end}}"></span></td>
 			<td class="lines-num lines-num-new" data-line-num="{{if $line.RightIdx}}{{$line.RightIdx}}{{end}}"><span rel="{{if $line.RightIdx}}diff-{{$.FileNameHash}}R{{$line.RightIdx}}{{end}}"></span></td>
@@ -83,7 +71,21 @@
 		{{$inlineDiff := $.section.GetComputedInlineDiffFor $line ctx.Locale}}
 		<td class="lines-escape">{{if $inlineDiff.EscapeStatus.Escaped}}<button class="toggle-escape-button btn interact-bg" title="{{template "repo/diff/escape_title" dict "diff" $inlineDiff}}"></button>{{end}}</td>
 		<td class="lines-type-marker"><span class="tw-font-mono" data-type-marker="{{$line.GetLineTypeMarker}}"></span></td>
-		<td class="lines-code{{if (not $line.RightIdx)}} lines-code-old{{end}}"><code {{if $inlineDiff.EscapeStatus.Escaped}}class="code-inner has-escaped" title="{{template "repo/diff/escape_title" dict "diff" $inlineDiff}}"{{else}}class="code-inner"{{end}}>{{$inlineDiff.Content}}</code></td>
+		<td class="lines-code{{if (not $line.RightIdx)}} lines-code-old{{end}}">
+			{{- if and $canCreateComment -}}
+				<button type="button" aria-label="{{ctx.Locale.Tr "repo.diff.comment.add_line_comment"}}" class="ui primary button add-code-comment add-code-comment-{{if $line.RightIdx}}right{{else}}left{{end}}{{if (not $line.CanComment)}} tw-invisible{{end}}" data-side="{{if $line.RightIdx}}right{{else}}left{{end}}" data-idx="{{if $line.RightIdx}}{{$line.RightIdx}}{{else}}{{$line.LeftIdx}}{{end}}">
+					{{- svg "octicon-plus" -}}
+				</button>
+			{{- end -}}
+			<code {{if $inlineDiff.EscapeStatus.Escaped}}class="code-inner has-escaped" title="{{template "repo/diff/escape_title" dict "diff" $inlineDiff}}"{{else}}class="code-inner"{{end}}>{{$inlineDiff.Content}}</code>
+		</td>
 	</tr>
+	{{if $line.Comments}}
+		<tr class="add-comment" data-line-type="{{.GetHTMLDiffLineType}}">
+			<td class="add-comment-left add-comment-right" colspan="5">
+				{{template "repo/diff/conversation" dict "." $ "comments" $line.Comments}}
+			</td>
+		</tr>
+	{{end}}
 	{{end}}
 {{end}}

templates/repo/diff/section_split.tmpl

@@ -1,5 +1,5 @@
 {{$file := .file}}
-{{$blobExcerptLink := print (or ctx.RootData.CommitRepoLink ctx.RootData.RepoLink) (Iif $.root.PageIsWiki "/wiki" "") "/blob_excerpt/" (PathEscape $.root.AfterCommitID) "?"}}
+{{$diffBlobExcerptData := $.root.DiffBlobExcerptData}}
 <colgroup>
 	<col width="50">
 	<col width="10">
@@ -16,26 +16,8 @@
 		{{if or (ne .GetType 2) (not $hasmatch)}}
 			<tr class="{{.GetHTMLDiffLineType}}-code nl-{{$k}} ol-{{$k}}" data-line-type="{{.GetHTMLDiffLineType}}">
 				{{if eq .GetType 4}}
-					{{$expandDirection := $line.GetExpandDirection}}
-					<td class="lines-num lines-num-old">
-						<div class="code-expander-buttons" data-expand-direction="{{$expandDirection}}">
-						{{if or (eq $expandDirection 3) (eq $expandDirection 5)}}
-							<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=split&direction=down&&anchor=diff-{{$file.NameHash}}K{{$line.SectionInfo.RightIdx}}">
-								{{svg "octicon-fold-down"}}
-							</button>
-						{{end}}
-						{{if or (eq $expandDirection 3) (eq $expandDirection 4)}}
-							<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=split&direction=up&anchor=diff-{{$file.NameHash}}K{{$line.SectionInfo.RightIdx}}">
-								{{svg "octicon-fold-up"}}
-							</button>
-						{{end}}
-						{{if eq $expandDirection 2}}
-							<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=split&anchor=diff-{{$file.NameHash}}K{{$line.SectionInfo.RightIdx}}">
-								{{svg "octicon-fold"}}
-							</button>
-						{{end}}
-						</div>
-					</td>{{$inlineDiff := $section.GetComputedInlineDiffFor $line ctx.Locale}}
+					{{$inlineDiff := $section.GetComputedInlineDiffFor $line ctx.Locale}}
+					<td class="lines-num lines-num-old">{{$line.RenderBlobExcerptButtons $file.NameHash $diffBlobExcerptData}}</td>
 					<td class="lines-escape lines-escape-old">{{if $inlineDiff.EscapeStatus.Escaped}}<button class="toggle-escape-button btn interact-bg" title="{{template "repo/diff/escape_title" dict "diff" $inlineDiff}}"></button>{{end}}</td>
 					<td colspan="6" class="lines-code lines-code-old">{{template "repo/diff/section_code" dict "diff" $inlineDiff}}</td>
 				{{else if and (eq .GetType 3) $hasmatch}}{{/* DEL */}}

templates/repo/diff/section_unified.tmpl

@@ -1,7 +1,6 @@
 {{$file := .file}}
-{{$repoLink := or ctx.RootData.CommitRepoLink ctx.RootData.RepoLink}}
-{{$afterCommitID := or $.root.AfterCommitID "no-after-commit-id"}}{{/* this tmpl is also used by the PR Conversation page, so the "AfterCommitID" may not exist */}}
-{{$blobExcerptLink := print $repoLink (Iif $.root.PageIsWiki "/wiki" "") "/blob_excerpt/" (PathEscape $afterCommitID) "?"}}
+{{/* this tmpl is also used by the PR Conversation page, so the "AfterCommitID" and "DiffBlobExcerptData" may not exist */}}
+{{$diffBlobExcerptData := $.root.DiffBlobExcerptData}}
 <colgroup>
 	<col width="50">
 	<col width="50">
@@ -14,26 +13,7 @@
 		<tr class="{{.GetHTMLDiffLineType}}-code nl-{{$k}} ol-{{$k}}" data-line-type="{{.GetHTMLDiffLineType}}">
 			{{if eq .GetType 4}}
 				{{if $.root.AfterCommitID}}
-					{{$expandDirection := $line.GetExpandDirection}}
-					<td colspan="2" class="lines-num">
-						<div class="code-expander-buttons" data-expand-direction="{{$expandDirection}}">
-							{{if or (eq $expandDirection 3) (eq $expandDirection 5)}}
-								<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=unified&direction=down&anchor=diff-{{$file.NameHash}}K{{$line.SectionInfo.RightIdx}}">
-									{{svg "octicon-fold-down"}}
-								</button>
-							{{end}}
-							{{if or (eq $expandDirection 3) (eq $expandDirection 4)}}
-								<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=unified&direction=up&anchor=diff-{{$file.NameHash}}K{{$line.SectionInfo.RightIdx}}">
-									{{svg "octicon-fold-up"}}
-								</button>
-							{{end}}
-							{{if eq $expandDirection 2}}
-								<button class="code-expander-button" hx-target="closest tr" hx-get="{{$blobExcerptLink}}&{{$line.GetBlobExcerptQuery}}&style=unified&anchor=diff-{{$file.NameHash}}K{{$line.SectionInfo.RightIdx}}">
-									{{svg "octicon-fold"}}
-								</button>
-							{{end}}
-						</div>
-					</td>
+					<td colspan="2" class="lines-num">{{$line.RenderBlobExcerptButtons $file.NameHash $diffBlobExcerptData}}</td>
 				{{else}}
 					{{/* for code file preview page or comment diffs on pull comment pages, do not show the expansion arrows */}}
 					<td colspan="2" class="lines-num"></td>

templates/repo/issue/view_content/conversation.tmpl

@@ -1,3 +1,8 @@
+{{/* FIXME: DIFF-CONVERSATION-DATA: in the future this template should be refactor to avoid called by {{... "." $}}
+At the moment, two kinds of request handler call this template:
+* ExcerptBlob -> blob_excerpt.tmpl -> this
+* Other compare and diff pages -> ... -> {section_unified.tmpl|section_split.tmpl} -> this)
+The variables in "ctx.Data" are different in each case, making this template fragile, hard to read and maintain. */}}
 {{if len .comments}}
 	{{$comment := index .comments 0}}
 	{{$invalid := $comment.Invalidated}}

templates/repo/issue/view_content/pull_merge_box.tmpl

@@ -31,9 +31,8 @@
 		{{template "repo/pulls/status" (dict
 			"CommitStatus" .LatestCommitStatus
 			"CommitStatuses" .LatestCommitStatuses
-			"MissingRequiredChecks" .MissingRequiredChecks
 			"ShowHideChecks" true
-			"is_context_required" .is_context_required
+			"StatusCheckData" .StatusCheckData
 		)}}
 		</div>
 		{{end}}

templates/repo/pulls/status.tmpl

@@ -1,11 +1,10 @@
 {{/* Template Attributes:
 * CommitStatus: summary of all commit status state
 * CommitStatuses: all commit status elements
-* MissingRequiredChecks: commit check contexts that are required by branch protection but not present
 * ShowHideChecks: whether use a button to show/hide the checks
-* is_context_required: Used in pull request commit status check table
+* StatusCheckData: additional status check data, see backend pullCommitStatusCheckData struct
 */}}
-
+{{$statusCheckData := .StatusCheckData}}
 {{if .CommitStatus}}
 <div class="commit-status-panel">
 	<div class="ui top attached header commit-status-header">
@@ -33,25 +32,43 @@
 		{{end}}
 	</div>
 
+	{{if and $statusCheckData $statusCheckData.RequireApprovalRunCount}}
+		<div class="ui attached segment flex-text-block tw-justify-between" id="approve-status-checks">
+			<div>
+				<strong>
+					{{ctx.Locale.Tr "repo.pulls.status_checks_need_approvals" $statusCheckData.RequireApprovalRunCount}}
+				</strong>
+				<p>{{ctx.Locale.Tr "repo.pulls.status_checks_need_approvals_helper"}}</p>
+			</div>
+			{{if $statusCheckData.CanApprove}}
+				<button class="ui basic button link-action" data-url="{{$statusCheckData.ApproveLink}}">
+					{{ctx.Locale.Tr "repo.pulls.status_checks_approve_all"}}
+				</button>
+			{{end}}
+		</div>
+	{{end}}
+
 	<div class="commit-status-list">
 		{{range .CommitStatuses}}
 			<div class="commit-status-item">
 				{{template "repo/commit_status" .}}
 				<div class="status-context gt-ellipsis">{{.Context}} <span class="text light-2">{{.Description}}</span></div>
 				<div class="ui status-details">
-					{{if $.is_context_required}}
-						{{if (call $.is_context_required .Context)}}<div class="ui label">{{ctx.Locale.Tr "repo.pulls.status_checks_requested"}}</div>{{end}}
+					{{if and $statusCheckData $statusCheckData.IsContextRequired}}
+						{{if (call $statusCheckData.IsContextRequired .Context)}}<div class="ui label">{{ctx.Locale.Tr "repo.pulls.status_checks_requested"}}</div>{{end}}
 					{{end}}
 					<span>{{if .TargetURL}}<a href="{{.TargetURL}}">{{ctx.Locale.Tr "repo.pulls.status_checks_details"}}</a>{{end}}</span>
 				</div>
 			</div>
 		{{end}}
-		{{range .MissingRequiredChecks}}
-			<div class="commit-status-item">
-				{{svg "octicon-dot-fill" 18 "commit-status icon text yellow"}}
-				<div class="status-context gt-ellipsis">{{.}}</div>
-				<div class="ui label">{{ctx.Locale.Tr "repo.pulls.status_checks_requested"}}</div>
-			</div>
+		{{if $statusCheckData}}
+			{{range $statusCheckData.MissingRequiredChecks}}
+				<div class="commit-status-item">
+					{{svg "octicon-dot-fill" 18 "commit-status icon text yellow"}}
+					<div class="status-context gt-ellipsis">{{.}}</div>
+					<div class="ui label">{{ctx.Locale.Tr "repo.pulls.status_checks_requested"}}</div>
+				</div>
+			{{end}}
 		{{end}}
 	</div>
 </div>

templates/swagger/v1_json.tmpl

@@ -9569,6 +9569,9 @@
           "404": {
             "$ref": "#/responses/error"
           },
+          "413": {
+            "$ref": "#/responses/error"
+          },
           "422": {
             "$ref": "#/responses/validationError"
           },
@@ -10194,6 +10197,9 @@
           "404": {
             "$ref": "#/responses/error"
           },
+          "413": {
+            "$ref": "#/responses/error"
+          },
           "422": {
             "$ref": "#/responses/validationError"
           },
@@ -15510,6 +15516,9 @@
           },
           "404": {
             "$ref": "#/responses/notFound"
+          },
+          "413": {
+            "$ref": "#/responses/error"
           }
         }
       }

tests/integration/actions_approve_test.go

@@ -0,0 +1,146 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/url"
+	"testing"
+	"time"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	auth_model "code.gitea.io/gitea/models/auth"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestApproveAllRunsOnPullRequestPage(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		// user2 is the owner of the base repo
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		user2Session := loginUser(t, user2.Name)
+		user2Token := getTokenForLoggedInUser(t, user2Session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+		// user4 is the owner of the fork repo
+		user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+		user4Session := loginUser(t, user4.Name)
+		user4Token := getTokenForLoggedInUser(t, loginUser(t, user4.Name), auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+
+		apiBaseRepo := createActionsTestRepo(t, user2Token, "approve-all-runs", false)
+		baseRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiBaseRepo.ID})
+		user2APICtx := NewAPITestContext(t, baseRepo.OwnerName, baseRepo.Name, auth_model.AccessTokenScopeWriteRepository)
+		defer doAPIDeleteRepository(user2APICtx)(t)
+
+		runner := newMockRunner()
+		runner.registerAsRepoRunner(t, baseRepo.OwnerName, baseRepo.Name, "mock-runner", []string{"ubuntu-latest"}, false)
+
+		// init workflows
+		wf1TreePath := ".gitea/workflows/pull_1.yml"
+		wf1FileContent := `name: Pull 1
+on: pull_request
+jobs:
+  unit-test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo unit-test
+`
+		opts1 := getWorkflowCreateFileOptions(user2, baseRepo.DefaultBranch, "create %s"+wf1TreePath, wf1FileContent)
+		createWorkflowFile(t, user2Token, baseRepo.OwnerName, baseRepo.Name, wf1TreePath, opts1)
+		wf2TreePath := ".gitea/workflows/pull_2.yml"
+		wf2FileContent := `name: Pull 2
+on: pull_request
+jobs:
+  integration-test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo integration-test
+`
+		opts2 := getWorkflowCreateFileOptions(user2, baseRepo.DefaultBranch, "create %s"+wf2TreePath, wf2FileContent)
+		createWorkflowFile(t, user2Token, baseRepo.OwnerName, baseRepo.Name, wf2TreePath, opts2)
+
+		// user4 forks the repo
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/forks", baseRepo.OwnerName, baseRepo.Name),
+			&api.CreateForkOption{
+				Name: util.ToPointer("approve-all-runs-fork"),
+			}).AddTokenAuth(user4Token)
+		resp := MakeRequest(t, req, http.StatusAccepted)
+		var apiForkRepo api.Repository
+		DecodeJSON(t, resp, &apiForkRepo)
+		forkRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiForkRepo.ID})
+		user4APICtx := NewAPITestContext(t, user4.Name, forkRepo.Name, auth_model.AccessTokenScopeWriteRepository)
+		defer doAPIDeleteRepository(user4APICtx)(t)
+
+		// user4 creates a pull request from branch "bugfix/user4"
+		doAPICreateFile(user4APICtx, "user4-fix.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "bugfix/user4",
+				Message:       "create user4-fix.txt",
+				Author: api.Identity{
+					Name:  user4.Name,
+					Email: user4.Email,
+				},
+				Committer: api.Identity{
+					Name:  user4.Name,
+					Email: user4.Email,
+				},
+				Dates: api.CommitDateOptions{
+					Author:    time.Now(),
+					Committer: time.Now(),
+				},
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("user4-fix")),
+		})(t)
+		apiPull, err := doAPICreatePullRequest(user4APICtx, baseRepo.OwnerName, baseRepo.Name, baseRepo.DefaultBranch, user4.Name+":bugfix/user4")(t)
+		assert.NoError(t, err)
+
+		// check runs
+		run1 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, WorkflowID: "pull_1.yml"})
+		assert.True(t, run1.NeedApproval)
+		assert.Equal(t, actions_model.StatusBlocked, run1.Status)
+		run2 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, TriggerUserID: user4.ID, WorkflowID: "pull_2.yml"})
+		assert.True(t, run2.NeedApproval)
+		assert.Equal(t, actions_model.StatusBlocked, run2.Status)
+
+		// user4 cannot see the approve button
+		req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s/pulls/%d", baseRepo.OwnerName, baseRepo.Name, apiPull.Index))
+		resp = user4Session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		assert.Zero(t, htmlDoc.doc.Find("#approve-status-checks button.link-action").Length())
+
+		// user2 can see the approve button
+		req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s/pulls/%d", baseRepo.OwnerName, baseRepo.Name, apiPull.Index))
+		resp = user2Session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc = NewHTMLParser(t, resp.Body)
+		dataURL, exist := htmlDoc.doc.Find("#approve-status-checks button.link-action").Attr("data-url")
+		assert.True(t, exist)
+		assert.Equal(t,
+			fmt.Sprintf("%s/actions/approve-all-checks?commit_id=%s",
+				baseRepo.Link(), apiPull.Head.Sha),
+			dataURL,
+		)
+
+		// user2 approves all runs
+		req = NewRequestWithValues(t, "POST", dataURL,
+			map[string]string{
+				"_csrf": GetUserCSRFToken(t, user2Session),
+			})
+		user2Session.MakeRequest(t, req, http.StatusOK)
+
+		// check runs
+		run1 = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run1.ID})
+		assert.False(t, run1.NeedApproval)
+		assert.Equal(t, user2.ID, run1.ApprovedBy)
+		assert.Equal(t, actions_model.StatusWaiting, run1.Status)
+		run2 = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run2.ID})
+		assert.False(t, run2.NeedApproval)
+		assert.Equal(t, user2.ID, run2.ApprovedBy)
+		assert.Equal(t, actions_model.StatusWaiting, run2.Status)
+	})
+}

tests/integration/api_comment_attachment_test.go

@@ -6,7 +6,6 @@ package integration
 import (
 	"bytes"
 	"fmt"
-	"io"
 	"mime/multipart"
 	"net/http"
 	"testing"
@@ -95,15 +94,13 @@ func TestAPICreateCommentAttachment(t *testing.T) {
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
-	filename := "image.png"
-	buff := generateImg()
 	body := &bytes.Buffer{}
 
 	// Setup multi-part
 	writer := multipart.NewWriter(body)
-	part, err := writer.CreateFormFile("attachment", filename)
+	part, err := writer.CreateFormFile("attachment", "image.png")
 	assert.NoError(t, err)
-	_, err = io.Copy(part, &buff)
+	_, err = part.Write(testGeneratePngBytes())
 	assert.NoError(t, err)
 	err = writer.Close()
 	assert.NoError(t, err)

tests/integration/api_issue_attachment_test.go

@@ -6,7 +6,6 @@ package integration
 import (
 	"bytes"
 	"fmt"
-	"io"
 	"mime/multipart"
 	"net/http"
 	"testing"
@@ -72,15 +71,13 @@ func TestAPICreateIssueAttachment(t *testing.T) {
 	session := loginUser(t, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
-	filename := "image.png"
-	buff := generateImg()
 	body := &bytes.Buffer{}
 
 	// Setup multi-part
 	writer := multipart.NewWriter(body)
-	part, err := writer.CreateFormFile("attachment", filename)
+	part, err := writer.CreateFormFile("attachment", "image.png")
 	assert.NoError(t, err)
-	_, err = io.Copy(part, &buff)
+	_, err = part.Write(testGeneratePngBytes())
 	assert.NoError(t, err)
 	err = writer.Close()
 	assert.NoError(t, err)

tests/integration/api_releases_test.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"mime/multipart"
 	"net/http"
+	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
@@ -18,7 +19,9 @@ import (
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/gitrepo"
+	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -294,67 +297,70 @@ func TestAPIDeleteReleaseByTagName(t *testing.T) {
 
 func TestAPIUploadAssetRelease(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&setting.Attachment.MaxSize, 1)()
 
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 	session := loginUser(t, owner.LowerName)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	r := createNewReleaseUsingAPI(t, token, owner, repo, "release-tag", "", "Release Tag", "test")
+	bufImageBytes := testGeneratePngBytes()
+	bufLargeBytes := bytes.Repeat([]byte{' '}, 2*1024*1024)
 
-	filename := "image.png"
-	buff := generateImg()
-
-	assetURL := fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", owner.Name, repo.Name, r.ID)
+	release := createNewReleaseUsingAPI(t, token, owner, repo, "release-tag", "", "Release Tag", "test")
+	assetURL := fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", owner.Name, repo.Name, release.ID)
 
 	t.Run("multipart/form-data", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
+		const filename = "image.png"
 
-		body := &bytes.Buffer{}
+		performUpload := func(t *testing.T, uploadURL string, buf []byte, expectedStatus int) *httptest.ResponseRecorder {
+			body := &bytes.Buffer{}
+			writer := multipart.NewWriter(body)
+			part, err := writer.CreateFormFile("attachment", filename)
+			assert.NoError(t, err)
+			_, err = io.Copy(part, bytes.NewReader(bufImageBytes))
+			assert.NoError(t, err)
+			err = writer.Close()
+			assert.NoError(t, err)
 
-		writer := multipart.NewWriter(body)
-		part, err := writer.CreateFormFile("attachment", filename)
-		assert.NoError(t, err)
-		_, err = io.Copy(part, bytes.NewReader(buff.Bytes()))
-		assert.NoError(t, err)
-		err = writer.Close()
-		assert.NoError(t, err)
+			req := NewRequestWithBody(t, http.MethodPost, uploadURL, bytes.NewReader(body.Bytes())).
+				AddTokenAuth(token).
+				SetHeader("Content-Type", writer.FormDataContentType())
+			return MakeRequest(t, req, http.StatusCreated)
+		}
 
-		req := NewRequestWithBody(t, http.MethodPost, assetURL, bytes.NewReader(body.Bytes())).
-			AddTokenAuth(token).
-			SetHeader("Content-Type", writer.FormDataContentType())
-		resp := MakeRequest(t, req, http.StatusCreated)
+		performUpload(t, assetURL, bufLargeBytes, http.StatusRequestEntityTooLarge)
 
-		var attachment *api.Attachment
-		DecodeJSON(t, resp, &attachment)
-
-		assert.Equal(t, filename, attachment.Name)
-		assert.EqualValues(t, 104, attachment.Size)
-
-		req = NewRequestWithBody(t, http.MethodPost, assetURL+"?name=test-asset", bytes.NewReader(body.Bytes())).
-			AddTokenAuth(token).
-			SetHeader("Content-Type", writer.FormDataContentType())
-		resp = MakeRequest(t, req, http.StatusCreated)
-
-		var attachment2 *api.Attachment
-		DecodeJSON(t, resp, &attachment2)
-
-		assert.Equal(t, "test-asset", attachment2.Name)
-		assert.EqualValues(t, 104, attachment2.Size)
+		t.Run("UploadDefaultName", func(t *testing.T) {
+			resp := performUpload(t, assetURL, bufImageBytes, http.StatusCreated)
+			var attachment api.Attachment
+			DecodeJSON(t, resp, &attachment)
+			assert.Equal(t, filename, attachment.Name)
+			assert.EqualValues(t, 104, attachment.Size)
+		})
+		t.Run("UploadWithName", func(t *testing.T) {
+			resp := performUpload(t, assetURL+"?name=test-asset", bufImageBytes, http.StatusCreated)
+			var attachment api.Attachment
+			DecodeJSON(t, resp, &attachment)
+			assert.Equal(t, "test-asset", attachment.Name)
+			assert.EqualValues(t, 104, attachment.Size)
+		})
 	})
 
 	t.Run("application/octet-stream", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		req := NewRequestWithBody(t, http.MethodPost, assetURL, bytes.NewReader(buff.Bytes())).
-			AddTokenAuth(token)
+		req := NewRequestWithBody(t, http.MethodPost, assetURL, bytes.NewReader(bufImageBytes)).AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusBadRequest)
 
-		req = NewRequestWithBody(t, http.MethodPost, assetURL+"?name=stream.bin", bytes.NewReader(buff.Bytes())).
-			AddTokenAuth(token)
+		req = NewRequestWithBody(t, http.MethodPost, assetURL+"?name=stream.bin", bytes.NewReader(bufLargeBytes)).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusRequestEntityTooLarge)
+
+		req = NewRequestWithBody(t, http.MethodPost, assetURL+"?name=stream.bin", bytes.NewReader(bufImageBytes)).AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusCreated)
 
-		var attachment *api.Attachment
+		var attachment api.Attachment
 		DecodeJSON(t, resp, &attachment)
 
 		assert.Equal(t, "stream.bin", attachment.Name)

tests/integration/attachment_test.go

@@ -7,7 +7,6 @@ import (
 	"bytes"
 	"image"
 	"image/png"
-	"io"
 	"mime/multipart"
 	"net/http"
 	"strings"
@@ -21,22 +20,21 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func generateImg() bytes.Buffer {
-	// Generate image
+func testGeneratePngBytes() []byte {
 	myImage := image.NewRGBA(image.Rect(0, 0, 32, 32))
 	var buff bytes.Buffer
-	png.Encode(&buff, myImage)
-	return buff
+	_ = png.Encode(&buff, myImage)
+	return buff.Bytes()
 }
 
-func createAttachment(t *testing.T, session *TestSession, csrf, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
+func testCreateIssueAttachment(t *testing.T, session *TestSession, csrf, repoURL, filename string, content []byte, expectedStatus int) string {
 	body := &bytes.Buffer{}
 
 	// Setup multi-part
 	writer := multipart.NewWriter(body)
 	part, err := writer.CreateFormFile("file", filename)
 	assert.NoError(t, err)
-	_, err = io.Copy(part, &buff)
+	_, err = part.Write(content)
 	assert.NoError(t, err)
 	err = writer.Close()
 	assert.NoError(t, err)
@@ -57,14 +55,14 @@ func createAttachment(t *testing.T, session *TestSession, csrf, repoURL, filenam
 func TestCreateAnonymousAttachment(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	session := emptyTestSession(t)
-	createAttachment(t, session, GetAnonymousCSRFToken(t, session), "user2/repo1", "image.png", generateImg(), http.StatusSeeOther)
+	testCreateIssueAttachment(t, session, GetAnonymousCSRFToken(t, session), "user2/repo1", "image.png", testGeneratePngBytes(), http.StatusSeeOther)
 }
 
 func TestCreateIssueAttachment(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	const repoURL = "user2/repo1"
 	session := loginUser(t, "user2")
-	uuid := createAttachment(t, session, GetUserCSRFToken(t, session), repoURL, "image.png", generateImg(), http.StatusOK)
+	uuid := testCreateIssueAttachment(t, session, GetUserCSRFToken(t, session), repoURL, "image.png", testGeneratePngBytes(), http.StatusOK)
 
 	req := NewRequest(t, "GET", repoURL+"/issues/new")
 	resp := session.MakeRequest(t, req, http.StatusOK)

tests/integration/cmd_keys_test.go

@@ -30,7 +30,7 @@ func Test_CmdKeys(t *testing.T) {
 				"with_key",
 				[]string{"keys", "-e", "git", "-u", "git", "-t", "ssh-rsa", "-k", "AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM="},
 				false,
-				"# gitea public key\ncommand=\"" + setting.AppPath + " --config=" + util.ShellEscape(setting.CustomConf) + " serv key-1\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM= user2@localhost\n",
+				"# gitea public key\ncommand=\"" + setting.AppPath + " --config=" + util.ShellEscape(setting.CustomConf) + " serv key-1\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM= user-2\n",
 			},
 			{"invalid", []string{"keys", "--not-a-flag=git"}, true, "Incorrect Usage: flag provided but not defined: -not-a-flag\n\n"},
 		}

web_src/css/repo.css

@@ -532,6 +532,10 @@ td .commit-summary {
   color: var(--color-text-light);
 }
 
+.repository.view.issue .comment-list .timeline-item .comment-text-line .ui.label {
+  line-height: 1.5; /* label has background, so it can't use parent's line-height */
+}
+
 .repository.view.issue .comment-list .timeline-item .comment-text-line a {
   color: inherit;
 }
@@ -654,8 +658,8 @@ td .commit-summary {
 
 .repository.view.issue .comment-list .code-comment .comment-header {
   background: transparent;
-  border-bottom: 0 !important;
-  padding: 0 !important;
+  border-bottom: 0;
+  padding: 0;
 }
 
 .repository.view.issue .comment-list .code-comment .comment-content {
@@ -1311,6 +1315,10 @@ td .commit-summary {
   gap: 0.25em;
 }
 
+.comment-header.avatar-content-left-arrow::after {
+  border-right-color: var(--color-box-header);
+}
+
 .comment-header.arrow-top::before,
 .comment-header.arrow-top::after {
   transform: rotate(90deg);

web_src/css/review.css

@@ -115,6 +115,23 @@
   color: var(--color-text);
 }
 
+.code-expander-buttons {
+  position: relative;
+}
+
+.code-expander-buttons .code-comment-more {
+  position: absolute;
+  line-height: 12px;
+  padding: 2px 4px;
+  font-size: 10px;
+  background-color: var(--color-primary);
+  color: var(--color-primary-contrast);
+  border-radius: 8px !important;
+  left: -12px;
+  top: 6px;
+  text-align: center;
+}
+
 .code-expander-button {
   border: none;
   color: var(--color-text-light);
@@ -127,8 +144,8 @@
   flex: 1;
 }
 
-/* expand direction 3 is both ways with two buttons */
-.code-expander-buttons[data-expand-direction="3"] .code-expander-button {
+/* expand direction "updown" is both ways with two buttons */
+.code-expander-buttons[data-expand-direction="updown"] .code-expander-button {
   height: 18px;
 }
 

web_src/js/components/RepoActionView.vue

@@ -565,7 +565,7 @@ export default defineComponent({
           </div>
           <div class="job-info-header-right">
             <div class="ui top right pointing dropdown custom jump item" @click.stop="menuVisible = !menuVisible" @keyup.enter="menuVisible = !menuVisible">
-              <button class="btn gt-interact-bg tw-p-2">
+              <button class="ui button tw-px-3">
                 <SvgIcon name="octicon-gear" :size="18"/>
               </button>
               <div class="menu transition action-job-menu" :class="{visible: menuVisible}" v-if="menuVisible" v-cloak>
@@ -667,6 +667,7 @@ export default defineComponent({
 
 .action-commit-summary {
   display: flex;
+  align-items: center;
   flex-wrap: wrap;
   gap: 5px;
   margin-left: 28px;

web_src/js/components/RepoCodeFrequency.vue

@@ -148,7 +148,7 @@ const options: ChartOptions<'line'> = {
       {{ isLoading ? locale.loadingTitle : errorText ? locale.loadingTitleFailed: `Code frequency over the history of ${repoLink.slice(1)}` }}
     </div>
     <div class="tw-flex ui segment main-graph">
-      <div v-if="isLoading || errorText !== ''" class="gt-tc tw-m-auto">
+      <div v-if="isLoading || errorText !== ''" class="tw-m-auto">
         <div v-if="isLoading">
           <SvgIcon name="octicon-sync" class="tw-mr-2 circular-spin"/>
           {{ locale.loadingInfo }}

web_src/js/components/RepoContributors.vue

@@ -379,7 +379,7 @@ export default defineComponent({
       </div>
     </div>
     <div class="tw-flex ui segment main-graph">
-      <div v-if="isLoading || errorText !== ''" class="gt-tc tw-m-auto">
+      <div v-if="isLoading || errorText !== ''" class="tw-m-auto">
         <div v-if="isLoading">
           <SvgIcon name="octicon-sync" class="tw-mr-2 circular-spin"/>
           {{ locale.loadingInfo }}

web_src/js/components/RepoRecentCommits.vue

@@ -126,7 +126,7 @@ const options: ChartOptions<'bar'> = {
       {{ isLoading ? locale.loadingTitle : errorText ? locale.loadingTitleFailed: "Number of commits in the past year" }}
     </div>
     <div class="tw-flex ui segment main-graph">
-      <div v-if="isLoading || errorText !== ''" class="gt-tc tw-m-auto">
+      <div v-if="isLoading || errorText !== ''" class="tw-m-auto">
         <div v-if="isLoading">
           <SvgIcon name="octicon-sync" class="tw-mr-2 circular-spin"/>
           {{ locale.loadingInfo }}

web_src/js/features/repo-diff.ts

@@ -9,7 +9,7 @@ import {submitEventSubmitter, queryElemSiblings, hideElem, showElem, animateOnce
 import {POST, GET} from '../modules/fetch.ts';
 import {createTippy} from '../modules/tippy.ts';
 import {invertFileFolding} from './file-fold.ts';
-import {parseDom} from '../utils.ts';
+import {parseDom, sleep} from '../utils.ts';
 import {registerGlobalSelectorFunc} from '../modules/observer.ts';
 
 const {i18n} = window.config;
@@ -218,21 +218,46 @@ function initRepoDiffShowMore() {
   });
 }
 
-async function loadUntilFound() {
-  const hashTargetSelector = window.location.hash;
-  if (!hashTargetSelector.startsWith('#diff-') && !hashTargetSelector.startsWith('#issuecomment-')) {
-    return;
-  }
+async function onLocationHashChange() {
+  // try to scroll to the target element by the current hash
+  const currentHash = window.location.hash;
+  if (!currentHash.startsWith('#diff-') && !currentHash.startsWith('#issuecomment-')) return;
 
-  while (true) {
+  // avoid reentrance when we are changing the hash to scroll and trigger ":target" selection
+  const attrAutoScrollRunning = 'data-auto-scroll-running';
+  if (document.body.hasAttribute(attrAutoScrollRunning)) return;
+
+  const targetElementId = currentHash.substring(1);
+  while (currentHash === window.location.hash) {
     // use getElementById to avoid querySelector throws an error when the hash is invalid
     // eslint-disable-next-line unicorn/prefer-query-selector
-    const targetElement = document.getElementById(hashTargetSelector.substring(1));
+    const targetElement = document.getElementById(targetElementId);
     if (targetElement) {
+      // need to change hash to re-trigger ":target" CSS selector, let's manually scroll to it
       targetElement.scrollIntoView();
+      document.body.setAttribute(attrAutoScrollRunning, 'true');
+      window.location.hash = '';
+      window.location.hash = currentHash;
+      setTimeout(() => document.body.removeAttribute(attrAutoScrollRunning), 0);
       return;
     }
 
+    // If looking for a hidden comment, try to expand the section that contains it
+    const issueCommentPrefix = '#issuecomment-';
+    if (currentHash.startsWith(issueCommentPrefix)) {
+      const commentId = currentHash.substring(issueCommentPrefix.length);
+      const expandButton = document.querySelector<HTMLElement>(`.code-expander-button[data-hidden-comment-ids*=",${commentId},"]`);
+      if (expandButton) {
+        // avoid infinite loop, do not re-click the button if already clicked
+        const attrAutoLoadClicked = 'data-auto-load-clicked';
+        if (expandButton.hasAttribute(attrAutoLoadClicked)) return;
+        expandButton.setAttribute(attrAutoLoadClicked, 'true');
+        expandButton.click();
+        await sleep(500); // Wait for HTMX to load the content. FIXME: need to drop htmx in the future
+        continue; // Try again to find the element
+      }
+    }
+
     // the button will be refreshed after each "load more", so query it every time
     const showMoreButton = document.querySelector('#diff-show-more-files');
     if (!showMoreButton) {
@@ -246,8 +271,8 @@ async function loadUntilFound() {
 }
 
 function initRepoDiffHashChangeListener() {
-  window.addEventListener('hashchange', loadUntilFound);
-  loadUntilFound();
+  window.addEventListener('hashchange', onLocationHashChange);
+  onLocationHashChange();
 }
 
 export function initRepoDiffView() {