Add changelog for v1.16.2 (#18840 )

Add changelog for v1.16.2 Co-authored-by: 6543 <6543@obermui.de>
Fix ldap user sync missed email in email_address table (#18786 ) (#18876 )
2025-11-05 18:32:41 +09:00 · 2022-02-24 20:03:08 +01:00 · 2022-02-24 19:07:52 +01:00 · 2022-02-24 16:59:50 +08:00 · 2022-02-24 09:22:46 +08:00 · 2022-02-22 18:04:57 -05:00
90 changed files with 1254 additions and 500 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -13,12 +13,25 @@ trigger:
    - tag
    - pull_request

+volumes:
+  - name: deps
+    temp: {}
+
 steps:
  - name: deps-frontend
-    pull: always
    image: node:16
+    pull: always
    commands:
-      - make node_modules
+      - make deps-frontend
+
+  - name: deps-backend
+    image: golang:1.17
+    pull: always
+    commands:
+      - make deps-backend
+    volumes:
+      - name: deps
+        path: /go

  - name: lint-frontend
    image: node:16
@@ -27,17 +40,17 @@ steps:
    depends_on: [deps-frontend]

  - name: lint-backend
-    pull: always
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
+    pull: always
    commands:
      - make lint-backend
    environment:
      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
      GOSUMDB: sum.golang.org
      TAGS: bindata sqlite sqlite_unlock_notify
+    depends_on: [deps-backend]

  - name: lint-backend-windows
-    pull: always
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    commands:
      - make golangci-lint vet
@@ -47,9 +60,9 @@ steps:
      TAGS: bindata sqlite sqlite_unlock_notify
      GOOS: windows
      GOARCH: amd64
+    depends_on: [deps-backend]

  - name: lint-backend-gogit
-    pull: always
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    commands:
      - make lint-backend
@@ -57,6 +70,7 @@ steps:
      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
      GOSUMDB: sum.golang.org
      TAGS: bindata gogit sqlite sqlite_unlock_notify
+    depends_on: [deps-backend]

  - name: checks-frontend
    image: node:16
@@ -65,11 +79,13 @@ steps:
    depends_on: [deps-frontend]

  - name: checks-backend
-    pull: always
    image: golang:1.17
    commands:
      - make checks-backend
-    depends_on: [lint-backend]
+    depends_on: [deps-backend]
+    volumes:
+      - name: deps
+        path: /go

  - name: test-frontend
    image: node:16
@@ -84,14 +100,17 @@ steps:
    depends_on: [test-frontend]

  - name: build-backend-no-gcc
-    pull: always
    image: golang:1.16 # this step is kept as the lowest version of golang that we support
+    pull: always
    environment:
      GO111MODULE: on
      GOPROXY: https://goproxy.cn
    commands:
      - go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
-    depends_on: [checks-backend]
+    depends_on: [deps-backend, checks-backend]
+    volumes:
+      - name: deps
+        path: /go

  - name: build-backend-arm64
    image: golang:1.17
@@ -104,7 +123,10 @@ steps:
    commands:
      - make backend # test cross compile
      - rm ./gitea # clean
-    depends_on: [checks-backend]
+    depends_on: [deps-backend, checks-backend]
+    volumes:
+      - name: deps
+        path: /go

  - name: build-backend-windows
    image: golang:1.17
@@ -116,7 +138,10 @@ steps:
      TAGS: bindata gogit
    commands:
      - go build -o gitea_windows
-    depends_on: [checks-backend]
+    depends_on: [deps-backend, checks-backend]
+    volumes:
+      - name: deps
+        path: /go

  - name: build-backend-386
    image: golang:1.17
@@ -127,7 +152,10 @@ steps:
      GOARCH: 386
    commands:
      - go build -o gitea_linux_386 # test if compatible with 32 bit
-    depends_on: [checks-backend]
+    depends_on: [deps-backend, checks-backend]
+    volumes:
+      - name: deps
+        path: /go

 ---
 kind: pipeline
@@ -147,21 +175,28 @@ trigger:
    - tag
    - pull_request

+volumes:
+  - name: deps
+    temp: {}
+
 services:
  - name: mysql
    image: mysql:5.7
+    pull: always
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: yes
      MYSQL_DATABASE: test

  - name: mysql8
    image: mysql:8
+    pull: always
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: yes
      MYSQL_DATABASE: testgitea

  - name: mssql
    image: mcr.microsoft.com/mssql/server:latest
+    pull: always
    environment:
      ACCEPT_EULA: Y
      MSSQL_PID: Standard
@@ -169,14 +204,17 @@ services:

  - name: ldap
    image: gitea/test-openldap:latest
+    pull: always

  - name: elasticsearch
+    image: elasticsearch:7.5.0
+    pull: always
    environment:
      discovery.type: single-node
-    image: elasticsearch:7.5.0

  - name: minio
    image: minio/minio:RELEASE.2021-03-12T00-00-47Z
+    pull: always
    commands:
    - minio server /data
    environment:
@@ -186,6 +224,7 @@ services:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force
    when:
@@ -193,19 +232,28 @@ steps:
        exclude:
          - pull_request

-  - name: tag-pre-condition
+  - name: deps-backend
+    image: golang:1.17
    pull: always
+    commands:
+      - make deps-backend
+    volumes:
+      - name: deps
+        path: /go
+
+  - name: tag-pre-condition
    image: drone/git
+    pull: always
    commands:
      - git update-ref refs/heads/tag_test ${DRONE_COMMIT_SHA}

  - name: prepare-test-env
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
+    pull: always
    commands:
      - ./build/test-env-prepare.sh

  - name: build
-    pull: always
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    user: gitea
    commands:
@@ -215,8 +263,10 @@ steps:
      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
      GOSUMDB: sum.golang.org
      TAGS: bindata sqlite sqlite_unlock_notify
-    depends_on:
-      - prepare-test-env
+    depends_on: [deps-backend, prepare-test-env]
+    volumes:
+      - name: deps
+        path: /go

  - name: unit-test
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
@@ -229,9 +279,12 @@ steps:
      RACE_ENABLED: true
      GITHUB_READ_TOKEN:
        from_secret: github_read_token
+    depends_on: [deps-backend, prepare-test-env]
+    volumes:
+      - name: deps
+        path: /go

  - name: unit-test-gogit
-    pull: always
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    user: gitea
    commands:
@@ -242,6 +295,10 @@ steps:
      RACE_ENABLED: true
      GITHUB_READ_TOKEN:
        from_secret: github_read_token
+    depends_on: [deps-backend, prepare-test-env]
+    volumes:
+      - name: deps
+        path: /go

  - name: test-mysql
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
@@ -255,8 +312,10 @@ steps:
      TEST_LDAP: 1
      USE_REPO_TEST_DIR: 1
      TEST_INDEXER_CODE_ES_URL: "http://elastic:changeme@elasticsearch:9200"
-    depends_on:
-      - build
+    depends_on: [build]
+    volumes:
+      - name: deps
+        path: /go

  - name: test-mysql8
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
@@ -269,8 +328,10 @@ steps:
      RACE_ENABLED: true
      TEST_LDAP: 1
      USE_REPO_TEST_DIR: 1
-    depends_on:
-      - build
+    depends_on: [build]
+    volumes:
+      - name: deps
+        path: /go

  - name: test-mssql
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
@@ -283,8 +344,10 @@ steps:
      RACE_ENABLED: true
      TEST_LDAP: 1
      USE_REPO_TEST_DIR: 1
-    depends_on:
-      - build
+    depends_on: [build]
+    volumes:
+      - name: deps
+        path: /go

  - name: generate-coverage
    image: golang:1.17
@@ -293,9 +356,7 @@ steps:
    environment:
      GOPROXY: https://goproxy.cn
      TAGS: bindata
-    depends_on:
-      - unit-test
-      - test-mysql
+    depends_on: [unit-test, test-mysql]
    when:
      branch:
        - main
@@ -304,15 +365,14 @@ steps:
        - pull_request

  - name: coverage-codecov
+    image: woodpeckerci/plugin-codecov:next-alpine
    pull: always
-    image: plugins/codecov
    settings:
      files:
        - coverage.all
      token:
        from_secret: codecov_token
-    depends_on:
-      - generate-coverage
+    depends_on: [generate-coverage]
    when:
      branch:
        - main
@@ -337,6 +397,10 @@ trigger:
    - tag
    - pull_request

+volumes:
+  - name: deps
+    temp: {}
+
 services:
  - name: pgsql
    pull: default
@@ -352,6 +416,7 @@ services:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force
    when:
@@ -359,13 +424,22 @@ steps:
        exclude:
          - pull_request

+  - name: deps-backend
+    image: golang:1.17
+    pull: always
+    commands:
+      - make deps-backend
+    volumes:
+      - name: deps
+        path: /go
+
  - name: prepare-test-env
    image: gitea/test_env:linux-arm64  # https://gitea.com/gitea/test-env
+    pull: always
    commands:
      - ./build/test-env-prepare.sh

  - name: build
-    pull: always
    image: gitea/test_env:linux-arm64  # https://gitea.com/gitea/test-env
    user: gitea
    commands:
@@ -375,8 +449,10 @@ steps:
      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
      GOSUMDB: sum.golang.org
      TAGS: bindata gogit sqlite sqlite_unlock_notify
-    depends_on:
-      - prepare-test-env
+    depends_on: [deps-backend, prepare-test-env]
+    volumes:
+      - name: deps
+        path: /go

  - name: test-sqlite
    image: gitea/test_env:linux-arm64  # https://gitea.com/gitea/test-env
@@ -389,8 +465,10 @@ steps:
      RACE_ENABLED: true
      TEST_TAGS: gogit sqlite sqlite_unlock_notify
      USE_REPO_TEST_DIR: 1
-    depends_on:
-      - build
+    depends_on: [build]
+    volumes:
+      - name: deps
+        path: /go

  - name: test-pgsql
    image: gitea/test_env:linux-arm64  # https://gitea.com/gitea/test-env
@@ -404,8 +482,10 @@ steps:
      TEST_TAGS: gogit
      TEST_LDAP: 1
      USE_REPO_TEST_DIR: 1
-    depends_on:
-      - build
+    depends_on: [build]
+    volumes:
+      - name: deps
+        path: /go

 ---
 kind: pipeline
@@ -425,8 +505,8 @@ trigger:

 steps:
  - name: download
-    pull: always
    image: jonasfranz/crowdin
+    pull: always
    settings:
      download: true
      export_dir: options/locale/
@@ -437,14 +517,14 @@ steps:
        from_secret: crowdin_key

  - name: update
-    pull: default
    image: alpine:3.13
+    pull: always
    commands:
      - ./build/update-locales.sh

  - name: push
-    pull: always
    image: appleboy/drone-git-push
+    pull: always
    settings:
      author_email: "teabot@gitea.io"
      author_name: GiteaBot
@@ -457,8 +537,8 @@ steps:
        from_secret: git_push_ssh_key

  - name: upload_translations
-    pull: always
    image: jonasfranz/crowdin
+    pull: always
    settings:
      files:
        locale_en-US.ini: options/locale/locale_en-US.ini
@@ -488,12 +568,13 @@ trigger:
 steps:
  - name: download
    image: golang:1.17
+    pull: always
    commands:
      - timeout -s ABRT 40m make generate-license generate-gitignore

  - name: push
-    pull: always
    image: appleboy/drone-git-push
+    pull: always
    settings:
      author_email: "teabot@gitea.io"
      author_name: GiteaBot
@@ -529,15 +610,35 @@ depends_on:
  - testing-amd64
  - testing-arm64

+volumes:
+  - name: deps
+    temp: {}
+
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

-  - name: static
+  - name: deps-frontend
+    image: node:16
    pull: always
+    commands:
+      - make deps-frontend
+
+  - name: deps-backend
+    image: golang:1.17
+    pull: always
+    commands:
+      - make deps-backend
+    volumes:
+      - name: deps
+        path: /go
+
+  - name: static
    image: techknowlogick/xgo:go-1.17.x
+    pull: always
    commands:
      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get install -y nodejs
      - export PATH=$PATH:$GOPATH/bin
@@ -545,10 +646,13 @@ steps:
    environment:
      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
      TAGS: bindata sqlite sqlite_unlock_notify
+    volumes:
+      - name: deps
+        path: /go

  - name: gpg-sign
-    pull: always
    image: plugins/gpgsign:1
+    pull: always
    settings:
      detach_sign: true
      excludes:
@@ -562,8 +666,8 @@ steps:
        from_secret: gpgsign_passphrase

  - name: release-branch
-    pull: always
    image: woodpeckerci/plugin-s3:latest
+    pull: always
    settings:
      acl: public-read
      bucket: gitea-artifacts
@@ -624,16 +728,35 @@ depends_on:
  - testing-arm64
  - testing-amd64

+volumes:
+  - name: deps
+    temp: {}
+
 steps:
  - name: fetch-tags
-    pull: default
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

-  - name: static
+  - name: deps-frontend
+    image: node:16
    pull: always
+    commands:
+      - make deps-frontend
+
+  - name: deps-backend
+    image: golang:1.17
+    pull: always
+    commands:
+      - make deps-backend
+    volumes:
+      - name: deps
+        path: /go
+
+  - name: static
    image: techknowlogick/xgo:go-1.17.x
+    pull: always
    commands:
      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get install -y nodejs
      - export PATH=$PATH:$GOPATH/bin
@@ -641,10 +764,14 @@ steps:
    environment:
      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
      TAGS: bindata sqlite sqlite_unlock_notify
+    depends_on: [fetch-tags]
+    volumes:
+      - name: deps
+        path: /go

  - name: gpg-sign
-    pull: always
    image: plugins/gpgsign:1
+    pull: always
    settings:
      detach_sign: true
      excludes:
@@ -656,10 +783,11 @@ steps:
        from_secret: gpgsign_key
      GPGSIGN_PASSPHRASE:
        from_secret: gpgsign_passphrase
+    depends_on: [static]

  - name: release-tag
-    pull: always
    image: woodpeckerci/plugin-s3:latest
+    pull: always
    settings:
      acl: public-read
      bucket: gitea-artifacts
@@ -673,16 +801,18 @@ steps:
        from_secret: aws_access_key_id
      AWS_SECRET_ACCESS_KEY:
        from_secret: aws_secret_access_key
+    depends_on: [gpg-sign]

  - name: github
-    pull: always
    image: plugins/github-release:1
+    pull: always
    settings:
      files:
        - "dist/release/*"
    environment:
      GITHUB_TOKEN:
        from_secret: github_token
+    depends_on: [gpg-sign]

 ---
 kind: pipeline
@@ -704,16 +834,16 @@ trigger:

 steps:
  - name: build-docs
-    pull: always
    image: plugins/hugo:latest
+    pull: always
    commands:
      - apk add --no-cache make bash curl
      - cd docs
      - make trans-copy clean build

  - name: publish-docs
-    pull: always
    image: techknowlogick/drone-netlify:latest
+    pull: always
    settings:
      path: docs/public/
      site_id: d2260bae-7861-4c02-8646-8f6440b12672
@@ -749,12 +879,13 @@ trigger:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

  - name: publish
-    pull: always
    image: techknowlogick/drone-docker:latest
+    pull: always
    settings:
      auto_tag: true
      auto_tag_suffix: linux-amd64
@@ -811,12 +942,13 @@ trigger:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

  - name: publish
-    pull: always
    image: techknowlogick/drone-docker:latest
+    pull: always
    settings:
      auto_tag: false
      tags: dev-linux-amd64
@@ -872,12 +1004,13 @@ trigger:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

  - name: publish
-    pull: always
    image: techknowlogick/drone-docker:latest
+    pull: always
    settings:
      auto_tag: false
      tags: ${DRONE_BRANCH##release/v}-dev-linux-amd64
@@ -929,8 +1062,8 @@ trigger:

 steps:
  - name: dryrun
-    pull: always
    image: techknowlogick/drone-docker:latest
+    pull: always
    settings:
      dry_run: true
      repo: gitea/gitea
@@ -967,12 +1100,13 @@ trigger:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

  - name: publish
-    pull: always
    image: techknowlogick/drone-docker:latest
+    pull: always
    settings:
      auto_tag: true
      auto_tag_suffix: linux-arm64
@@ -1029,12 +1163,13 @@ trigger:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

  - name: publish
-    pull: always
    image: techknowlogick/drone-docker:latest
+    pull: always
    settings:
      auto_tag: false
      tags: dev-linux-arm64
@@ -1090,12 +1225,13 @@ trigger:
 steps:
  - name: fetch-tags
    image: docker:git
+    pull: always
    commands:
      - git fetch --tags --force

  - name: publish
-    pull: always
    image: techknowlogick/drone-docker:latest
+    pull: always
    settings:
      auto_tag: false
      tags: ${DRONE_BRANCH##release/v}-dev-linux-arm64
@@ -1140,8 +1276,8 @@ platform:

 steps:
  - name: manifest-rootless
-    pull: always
    image: plugins/manifest
+    pull: always
    settings:
      auto_tag: true
      ignore_missing: true
@@ -1186,6 +1322,7 @@ steps:
  - name: manifest-rootless
    pull: always
    image: plugins/manifest
+    pull: always
    settings:
      auto_tag: false
      ignore_missing: true
@@ -1260,8 +1397,8 @@ depends_on:

 steps:
  - name: discord
-    pull: always
    image: appleboy/drone-discord:1.2.4
+    pull: always
    settings:
      message: "{{#success build.status}} ✅  Build #{{build.number}} of `{{repo.name}}` succeeded.\n\n📝 Commit by {{commit.author}} on `{{commit.branch}}`:\n``` {{commit.message}} ```\n\n🌐 {{ build.link }} {{else}} ❌  Build #{{build.number}} of `{{repo.name}}` failed.\n\n📝 Commit by {{commit.author}} on `{{commit.branch}}`:\n``` {{commit.message}} ```\n\n🌐 {{ build.link }} {{/success}}\n"
      webhook_id:
--- a/.gitignore
+++ b/.gitignore
@@ -36,6 +36,8 @@ _testmain.go
 coverage.all
 cpu.out

+/modules/migration/bindata.go
+/modules/migration/bindata.go.hash
 /modules/options/bindata.go
 /modules/options/bindata.go.hash
 /modules/public/bindata.go
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -23,6 +23,10 @@ linters:

 run:
  timeout: 3m
+  skip-dirs:
+    - node_modules
+    - public
+    - web_src

 linters-settings:
  gocritic:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,54 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).

+## [1.16.2](https://github.com/go-gitea/gitea/releases/tag/v1.16.2) - 2022-02-24
+
+* ENHANCEMENTS
+  * Show fullname on issue edits and gpg/ssh signing info (#18828)
+  * Immediately Hammer if second kill is sent (#18823) (#18826)
+  * Allow mermaid render error to wrap (#18791)
+* BUGFIXES
+  * Fix ldap user sync missed email in email_address table (#18786) (#18876) 
+  * Update assignees check to include any writing team and change org sidebar (#18680) (#18873)
+  * Don't report signal: killed errors in serviceRPC (#18850) (#18865)
+  * Fix bug where certain LDAP settings were reverted (#18859)
+  * Update go-org to 1.6.0 (#18824) (#18839)
+  * Fix login with email for ldap users (#18800) (#18836)
+  * Fix bug for get user by email (#18834)
+  * Fix panic in EscapeReader (#18820) (#18821)
+  * Fix ldap loginname (#18789) (#18804)
+  * Remove redundant call to UpdateRepoStats during migration (#18591) (#18794)
+  * In disk_channel queues synchronously push to disk on shutdown (#18415) (#18788)
+  * Fix template bug of LFS lock (#18784) (#18787)
+  * Attempt to fix the webauthn migration again - part 3 (#18770) (#18771)
+  * Send mail to issue/pr assignee/reviewer also when OnMention is set (#18707) (#18765)
+  * Fix a broken link in commits_list_small.tmpl (#18763) (#18764)
+  * Increase the size of the webauthn_credential credential_id field (#18739) (#18756)
+  * Prevent dangling GetAttribute calls (#18754) (#18755)
+  * Fix isempty detection of git repository (#18746) (#18750)
+  * Fix source code line highlighting on external tracker (#18729) (#18740)
+  * Prevent double encoding of branch names in delete branch (#18714) (#18738)
+  * Always set PullRequestWorkInProgressPrefixes in PrepareViewPullInfo (#18713) (#18737)
+  * Fix forked repositories missed tags (#18719) (#18735)
+  * Fix release typo (#18728) (#18731)
+  * Separate the details links of commit-statuses in headers (#18661) (#18730)
+  * Update object repo with the migrated repository (#18684) (#18726)
+  * Fix bug for version update hint (#18701) (#18705)
+  * Fix issue with docker-rootless shimming script (#18690) (#18699)
+  * Let `MinUnitAccessMode` return correct perm (#18675) (#18689)
+  * Prevent security failure due to bad APP_ID (#18678) (#18682)
+  * Restart zero worker if there is still work to do (#18658) (#18672)
+  * If rendering has failed due to a net.OpError stop rendering (#18642) (#18645)
+* TESTING
+  * Ensure git tag tests and others create test repos in tmpdir (#18447) (#18767)
+* BUILD
+  * Reduce CI go module downloads, add make targets (#18708, #18475, #18443) (#18741)
+* MISC
+  * Put buttons back in org dashboard (#18817) (#18825)
+  * Various Mermaid improvements (#18776) (#18780)
+  * C preprocessor colors improvement (#18671) (#18696)
+  * Fix the missing i18n key for update checker (#18646) (#18665)
+
 ## [1.16.1](https://github.com/go-gitea/gitea/releases/tag/v1.16.1) - 2022-02-06

 * SECURITY
--- a/18
+++ b/18
@@ -166,6 +166,9 @@ help:
 	@echo " - watch-backend                    watch backend files and continuously rebuild"
 	@echo " - clean                            delete backend and integration files"
 	@echo " - clean-all                        delete backend, frontend and integration files"
+	@echo " - deps                             install dependencies"
+	@echo " - deps-frontend                    install frontend dependencies"
+	@echo " - deps-backend                     install backend dependencies"
 	@echo " - lint                             lint everything"
 	@echo " - lint-frontend                    lint frontend files"
 	@echo " - lint-backend                     lint backend files"
@@ -396,6 +399,11 @@ test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.sqlite.test
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test

+.PHONY: test-sqlite-migration\#%
+test-sqlite-migration\#%:  migrations.sqlite.test migrations.individual.sqlite.test generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test -test.run $(subst .,/,$*)
+
+
 generate-ini-mysql:
 	sed -e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \
 		-e 's|{{TEST_MYSQL_DBNAME}}|${TEST_MYSQL_DBNAME}|g' \
@@ -656,6 +664,16 @@ docs:
 	fi
 	cd docs; make trans-copy clean build-offline;

+.PHONY: deps
+deps: deps-frontend deps-backend
+
+.PHONY: deps-frontend
+deps-frontend: node_modules
+
+.PHONY: deps-backend
+deps-backend:
+	$(GO) mod download
+
 node_modules: package-lock.json
 	npm install --no-save
 	@touch node_modules
--- a/contrib/fhs-compliant-script/gitea
+++ b/contrib/fhs-compliant-script/gitea
@@ -33,10 +33,8 @@ for i in "$@"; do
 done

 if [ -z "$APP_INI_SET" ]; then
-	CONF_ARG="-c \"$APP_INI\""
+	CONF_ARG=("-c" "${GITEA_APP_INI:-$APP_INI}")
 fi

 # Provide FHS compliant defaults
-GITEA_WORK_DIR="${GITEA_WORK_DIR:-$WORK_DIR}" exec -a "$0" "$GITEA" $CONF_ARG "$@"
-
-
+GITEA_WORK_DIR="${GITEA_WORK_DIR:-$WORK_DIR}" exec -a "$0" "$GITEA" "${CONF_ARG[@]}"  "$@"
--- a/docker/rootless/usr/local/bin/gitea
+++ b/docker/rootless/usr/local/bin/gitea
@@ -32,11 +32,9 @@ for i in "$@"; do
 done

 if [ -z "$APP_INI_SET" ]; then
-	CONF_ARG="-c \"${GITEA_APP_INI:-$APP_INI}\""
+	CONF_ARG=("-c" "${GITEA_APP_INI:-$APP_INI}")
 fi


 # Provide docker defaults
-GITEA_WORK_DIR="${GITEA_WORK_DIR:-$WORK_DIR}" exec -a "$0" "$GITEA" $CONF_ARG "$@"
-
-
+GITEA_WORK_DIR="${GITEA_WORK_DIR:-$WORK_DIR}" exec -a "$0" "$GITEA" "${CONF_ARG[@]}" "$@"
--- a/go.mod
+++ b/go.mod
@@ -85,7 +85,7 @@ require (
 	github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450 // indirect
 	github.com/msteinert/pam v0.0.0-20201130170657-e61372126161
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646
-	github.com/niklasfasching/go-org v1.5.0
+	github.com/niklasfasching/go-org v1.6.0
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/oliamb/cutter v0.2.2
 	github.com/olivere/elastic/v7 v7.0.25
@@ -122,9 +122,9 @@ require (
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.19.0 // indirect
 	golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871
-	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
 	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
-	golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1
+	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e
 	golang.org/x/text v0.3.7
 	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6 // indirect
 	golang.org/x/tools v0.1.0
--- a/go.sum
+++ b/go.sum
@@ -202,6 +202,7 @@ github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chaseadamsio/goorgeous v2.0.0+incompatible/go.mod h1:6QaC0vFoKWYDth94dHFNgRT2YkT5FHdQp/Yx15aAAi0=
 github.com/chi-middleware/proxy v1.1.1 h1:4HaXUp8o2+bhHr1OhVy+VjN0+L7/07JDcn6v7YrTjrQ=
 github.com/chi-middleware/proxy v1.1.1/go.mod h1:jQwMEJct2tz9VmtCELxvnXoMfa+SOdikvbVJVHv/M+0=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -912,8 +913,8 @@ github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OS
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/niklasfasching/go-org v1.5.0 h1:V8IwoSPm/d61bceyWFxxnQLtlvNT+CjiYIhtZLdnMF0=
-github.com/niklasfasching/go-org v1.5.0/go.mod h1:sSb8ylwnAG+h8MGFDB3R1D5bxf8wA08REfhjShg3kjA=
+github.com/niklasfasching/go-org v1.6.0 h1:NCWpmDDNjHNsrei6VmnYXzOiyZUxV8LVU19REGQ8dKA=
+github.com/niklasfasching/go-org v1.6.0/go.mod h1:gSHyFcAbr2thIpfljLsP/BB8uwAMyooq6ydIrUDdOCs=
 github.com/nwaples/rardecode v1.1.0 h1:vSxaY8vQhOcVr4mm5e8XllHWTiM4JF507A0Katqw7MQ=
 github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
 github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
@@ -1032,8 +1033,9 @@ github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
-github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
+github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -1353,8 +1355,9 @@ golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5o
 golang.org/x/net v0.0.0-20210331060903-cb1fcc7394e5/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1460,11 +1463,13 @@ golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1 h1:kwrAHlwJ0DUBZwQ238v+Uod/3eZ8B2K5rYsUHBQvzmI=
 golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
--- a/integrations/mssql.ini.tmpl
+++ b/integrations/mssql.ini.tmpl
@@ -83,7 +83,7 @@ PROVIDER_CONFIG = integrations/gitea-integration-mssql/data/sessions

 [log]
 MODE                 = test,file
-ROOT_PATH            = mssql-log
+ROOT_PATH            = {{REPO_TEST_DIR}}mssql-log
 ROUTER               = ,
 XORM                 = file
 ENABLE_SSH_LOG       = true
--- a/integrations/mysql.ini.tmpl
+++ b/integrations/mysql.ini.tmpl
@@ -101,7 +101,7 @@ PROVIDER_CONFIG = integrations/gitea-integration-mysql/data/sessions

 [log]
 MODE                 = test,file
-ROOT_PATH            = mysql-log
+ROOT_PATH            = {{REPO_TEST_DIR}}mysql-log
 ROUTER               = ,
 XORM                 = file
 ENABLE_SSH_LOG       = true
--- a/integrations/mysql8.ini.tmpl
+++ b/integrations/mysql8.ini.tmpl
@@ -80,7 +80,7 @@ PROVIDER_CONFIG = integrations/gitea-integration-mysql8/data/sessions

 [log]
 MODE                 = test,file
-ROOT_PATH            = mysql8-log
+ROOT_PATH            = {{REPO_TEST_DIR}}mysql8-log
 ROUTER               = ,
 XORM                 = file
 ENABLE_SSH_LOG       = true
--- a/integrations/pgsql.ini.tmpl
+++ b/integrations/pgsql.ini.tmpl
@@ -84,7 +84,7 @@ PROVIDER_CONFIG = integrations/gitea-integration-pgsql/data/sessions

 [log]
 MODE                 = test,file
-ROOT_PATH            = pgsql-log
+ROOT_PATH            = {{REPO_TEST_DIR}}pgsql-log
 ROUTER               = ,
 XORM                 = file
 ENABLE_SSH_LOG       = true
--- a/integrations/signin_test.go
+++ b/integrations/signin_test.go
@@ -51,8 +51,6 @@ func TestSignin(t *testing.T) {
 		{username: "wrongUsername", password: "password", message: i18n.Tr("en", "form.username_password_incorrect")},
 		{username: "user15", password: "wrongPassword", message: i18n.Tr("en", "form.username_password_incorrect")},
 		{username: "user1@example.com", password: "wrongPassword", message: i18n.Tr("en", "form.username_password_incorrect")},
-		// test for duplicate email
-		{username: "user2@example.com", password: "password", message: i18n.Tr("en", "form.email_been_used")},
 	}

 	for _, s := range samples {
--- a/integrations/sqlite.ini.tmpl
+++ b/integrations/sqlite.ini.tmpl
@@ -79,7 +79,7 @@ PROVIDER_CONFIG = integrations/gitea-integration-sqlite/data/sessions

 [log]
 MODE                 = test,file
-ROOT_PATH            = sqlite-log
+ROOT_PATH            = {{REPO_TEST_DIR}}sqlite-log
 ROUTER               = ,
 XORM                 = file
 ENABLE_SSH_LOG       = true
--- a/models/auth/webauthn.go
+++ b/models/auth/webauthn.go
@@ -43,7 +43,7 @@ type WebAuthnCredential struct {
 	Name            string
 	LowerName       string `xorm:"unique(s)"`
 	UserID          int64  `xorm:"INDEX unique(s)"`
-	CredentialID    string `xorm:"INDEX"`
+	CredentialID    string `xorm:"INDEX VARCHAR(410)"`
 	PublicKey       []byte
 	AttestationType string
 	AAGUID          []byte
--- a/models/issues/content_history.go
+++ b/models/issues/content_history.go
@@ -137,6 +137,7 @@ func QueryIssueContentHistoryEditedCountMap(dbCtx context.Context, issueID int64
 type IssueContentListItem struct {
 	UserID         int64
 	UserName       string
+	UserFullName   string
 	UserAvatarLink string

 	HistoryID      int64
@@ -148,7 +149,7 @@ type IssueContentListItem struct {
 // FetchIssueContentHistoryList fetch list
 func FetchIssueContentHistoryList(dbCtx context.Context, issueID, commentID int64) ([]*IssueContentListItem, error) {
 	res := make([]*IssueContentListItem, 0)
-	err := db.GetEngine(dbCtx).Select("u.id as user_id, u.name as user_name,"+
+	err := db.GetEngine(dbCtx).Select("u.id as user_id, u.name as user_name, u.full_name as user_full_name,"+
 		"h.id as history_id, h.edited_unix, h.is_first_created, h.is_deleted").
 		Table([]string{"issue_content_history", "h"}).
 		Join("LEFT", []string{"user", "u"}, "h.poster_id = u.id").
--- a/models/issues/content_history_test.go
+++ b/models/issues/content_history_test.go
@@ -43,8 +43,9 @@ func TestContentHistory(t *testing.T) {
 		when the refactor of models are done, this test will be possible to be run then with a real `User` model.
 	*/
 	type User struct {
-		ID   int64
-		Name string
+		ID       int64
+		Name     string
+		FullName string
 	}
 	_ = dbEngine.Sync2(&User{})

--- a/models/migrate.go
+++ b/models/migrate.go
@@ -52,10 +52,6 @@ func InsertIssues(issues ...*Issue) error {
 			return err
 		}
 	}
-	err = UpdateRepoStats(ctx, issues[0].RepoID)
-	if err != nil {
-		return err
-	}
 	return committer.Commit()
 }

@@ -147,11 +143,6 @@ func InsertPullRequests(prs ...*PullRequest) error {
 			return err
 		}
 	}
-
-	err = UpdateRepoStats(ctx, prs[0].Issue.RepoID)
-	if err != nil {
-		return err
-	}
 	return committer.Commit()
 }

--- a/models/migrate_test.go
+++ b/models/migrate_test.go
@@ -32,8 +32,9 @@ func TestMigrate_InsertMilestones(t *testing.T) {
 	unittest.CheckConsistencyFor(t, &Milestone{})
 }

-func assertCreateIssues(t *testing.T, reponame string, isPull bool) {
+func assertCreateIssues(t *testing.T, isPull bool) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
+	reponame := "repo1"
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: reponame}).(*repo_model.Repository)
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID}).(*user_model.User)
 	label := unittest.AssertExistsAndLoadBean(t, &Label{ID: 1}).(*Label)
@@ -63,38 +64,14 @@ func assertCreateIssues(t *testing.T, reponame string, isPull bool) {

 	i := unittest.AssertExistsAndLoadBean(t, &Issue{Title: title}).(*Issue)
 	unittest.AssertExistsAndLoadBean(t, &Reaction{Type: "heart", UserID: owner.ID, IssueID: i.ID})
-
-	labelModified := unittest.AssertExistsAndLoadBean(t, &Label{ID: 1}).(*Label)
-	assert.EqualValues(t, label.NumIssues+1, labelModified.NumIssues)
-	assert.EqualValues(t, label.NumClosedIssues+1, labelModified.NumClosedIssues)
-
-	milestoneModified := unittest.AssertExistsAndLoadBean(t, &Milestone{ID: milestone.ID}).(*Milestone)
-	assert.EqualValues(t, milestone.NumIssues+1, milestoneModified.NumIssues)
-	assert.EqualValues(t, milestone.NumClosedIssues+1, milestoneModified.NumClosedIssues)
 }

 func TestMigrate_CreateIssuesIsPullFalse(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-	reponame := "repo1"
-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: reponame}).(*repo_model.Repository)
-
-	assertCreateIssues(t, reponame, false)
-
-	repoModified := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repo.ID}).(*repo_model.Repository)
-	assert.EqualValues(t, repo.NumIssues+1, repoModified.NumIssues)
-	assert.EqualValues(t, repo.NumClosedIssues+1, repoModified.NumClosedIssues)
+	assertCreateIssues(t, false)
 }

 func TestMigrate_CreateIssuesIsPullTrue(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-	reponame := "repo1"
-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: reponame}).(*repo_model.Repository)
-
-	assertCreateIssues(t, reponame, true)
-
-	repoModified := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repo.ID}).(*repo_model.Repository)
-	assert.EqualValues(t, repo.NumPulls+1, repoModified.NumPulls)
-	assert.EqualValues(t, repo.NumClosedPulls+1, repoModified.NumClosedPulls)
+	assertCreateIssues(t, true)
 }

 func TestMigrate_InsertIssueComments(t *testing.T) {
--- a/models/migrations/fixtures/Test_remigrateU2FCredentials/expected_webauthn_credential.yml
+++ b/models/migrations/fixtures/Test_remigrateU2FCredentials/expected_webauthn_credential.yml
@@ -0,0 +1,12 @@
+-
+  id: 1
+  credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG="
+-
+  id: 2
+  credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG="
+-
+  id: 3
+  credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG="
+-
+  id: 4
+  credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG="
--- a/models/migrations/fixtures/Test_remigrateU2FCredentials/u2f_registration.yml
+++ b/models/migrations/fixtures/Test_remigrateU2FCredentials/u2f_registration.yml
@@ -0,0 +1,21 @@
+-
+  id: 1
+  name: "u2fkey-correctly-migrated"
+  user_id: 1
+  raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841
+  counter: 0
+- id: 2
+  name: "u2fkey-incorrectly-migrated"
+  user_id: 1
+  raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841
+  counter: 0
+- id: 3
+  name: "u2fkey-deleted"
+  user_id: 1
+  raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841
+  counter: 0
+- id: 4
+  name: "u2fkey-wrong-user-id"
+  user_id: 2
+  raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841
+  counter: 0
--- a/models/migrations/fixtures/Test_remigrateU2FCredentials/webauthn_credential.yml
+++ b/models/migrations/fixtures/Test_remigrateU2FCredentials/webauthn_credential.yml
@@ -0,0 +1,30 @@
+-
+  id: 1
+  lower_name: "u2fkey-correctly-migrated"
+  name: "u2fkey-correctly-migrated"
+  user_id: 1
+  credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG="
+  public_key: 0x040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf2
+  attestation_type: 'fido-u2f'
+  sign_count: 1
+  clone_warning: false
+-
+  id: 2
+  lower_name: "u2fkey-incorrectly-migrated"
+  name: "u2fkey-incorrectly-migrated"
+  user_id: 1
+  credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8A"
+  public_key: 0x040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf2
+  attestation_type: 'fido-u2f'
+  sign_count: 1
+  clone_warning: false
+-
+  id: 4
+  lower_name: "u2fkey-wrong-user-id"
+  name: "u2fkey-wrong-user-id"
+  user_id: 1
+  credential_id: "THIS SHOULD CHANGE"
+  public_key: 0x040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf2
+  attestation_type: 'fido-u2f'
+  sign_count: 1
+  clone_warning: false
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -367,9 +367,13 @@ var migrations = []Migration{
 	// v206 -> v207
 	NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
 	// v207 -> v208
-	NewMigration("Add webauthn table and migrate u2f data to webauthn", addWebAuthnCred),
+	NewMigration("Add webauthn table and migrate u2f data to webauthn - NO-OPED", addWebAuthnCred),
 	// v208 -> v209
-	NewMigration("Use base32.HexEncoding instead of base64 encoding for cred ID as it is case insensitive", useBase32HexForCredIDInWebAuthnCredential),
+	NewMigration("Use base32.HexEncoding instead of base64 encoding for cred ID as it is case insensitive - NO-OPED", useBase32HexForCredIDInWebAuthnCredential),
+	// v209 -> v210
+	NewMigration("Increase WebAuthentication CredentialID size to 410 - NO-OPED", increaseCredentialIDTo410),
+	// v210 -> v211
+	NewMigration("v208 was completely broken - remigrate", remigrateU2FCredentials),
 }

 // GetCurrentDBVersion returns the current db version
@@ -450,9 +454,12 @@ Please try upgrading to a lower version first (suggested v1.6.4), then upgrade t

 	// Downgrading Gitea's database version not supported
 	if int(v-minDBVersion) > len(migrations) {
-		msg := fmt.Sprintf("Downgrading database version from '%d' to '%d' is not supported and may result in loss of data integrity.\nIf you really know what you're doing, execute `UPDATE version SET version=%d WHERE id=1;`\n",
-			v, minDBVersion+len(migrations), minDBVersion+len(migrations))
-		fmt.Fprint(os.Stderr, msg)
+		msg := fmt.Sprintf("Your database (migration version: %d) is for a newer Gita, you can not use the newer database for this old Gitea release (%d).", v, minDBVersion+len(migrations))
+		msg += "\nGitea will exit to keep your database safe and unchanged. Please use the correct Gitea release, do not change the migration version manually (incorrect manual operation may lose data)."
+		if !setting.IsProd {
+			msg += fmt.Sprintf("\nIf you are in development and really know what you're doing, you can force changing the migration version by executing: UPDATE version SET version=%d WHERE id=1;", minDBVersion+len(migrations))
+		}
+		_, _ = fmt.Fprintln(os.Stderr, msg)
 		log.Fatal(msg)
 		return nil
 	}
--- a/models/migrations/v207.go
+++ b/models/migrations/v207.go
@@ -5,87 +5,11 @@
 package migrations

 import (
-	"crypto/elliptic"
-	"encoding/base64"
-	"strings"
-
-	"code.gitea.io/gitea/modules/timeutil"
-
-	"github.com/tstranex/u2f"
 	"xorm.io/xorm"
 )

 func addWebAuthnCred(x *xorm.Engine) error {
-
-	// Create webauthnCredential table
-	type webauthnCredential struct {
-		ID              int64 `xorm:"pk autoincr"`
-		Name            string
-		LowerName       string `xorm:"unique(s)"`
-		UserID          int64  `xorm:"INDEX unique(s)"`
-		CredentialID    string `xorm:"INDEX"`
-		PublicKey       []byte
-		AttestationType string
-		AAGUID          []byte
-		SignCount       uint32 `xorm:"BIGINT"`
-		CloneWarning    bool
-		CreatedUnix     timeutil.TimeStamp `xorm:"INDEX created"`
-		UpdatedUnix     timeutil.TimeStamp `xorm:"INDEX updated"`
-	}
-	if err := x.Sync2(&webauthnCredential{}); err != nil {
-		return err
-	}
-
-	// Now migrate the old u2f registrations to the new format
-	type u2fRegistration struct {
-		ID          int64 `xorm:"pk autoincr"`
-		Name        string
-		UserID      int64 `xorm:"INDEX"`
-		Raw         []byte
-		Counter     uint32             `xorm:"BIGINT"`
-		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
-		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
-	}
-
-	var start int
-	regs := make([]*u2fRegistration, 0, 50)
-	for {
-		err := x.OrderBy("id").Limit(50, start).Find(&regs)
-		if err != nil {
-			return err
-		}
-
-		for _, reg := range regs {
-			parsed := new(u2f.Registration)
-			err = parsed.UnmarshalBinary(reg.Raw)
-			if err != nil {
-				continue
-			}
-
-			c := &webauthnCredential{
-				ID:              reg.ID,
-				Name:            reg.Name,
-				LowerName:       strings.ToLower(reg.Name),
-				UserID:          reg.UserID,
-				CredentialID:    base64.RawStdEncoding.EncodeToString(parsed.KeyHandle),
-				PublicKey:       elliptic.Marshal(elliptic.P256(), parsed.PubKey.X, parsed.PubKey.Y),
-				AttestationType: "fido-u2f",
-				AAGUID:          []byte{},
-				SignCount:       reg.Counter,
-			}
-
-			_, err := x.Insert(c)
-			if err != nil {
-				return err
-			}
-		}
-
-		if len(regs) < 50 {
-			break
-		}
-		start += 50
-		regs = regs[:0]
-	}
+	// NO-OP Don't migrate here - let v210 do this.

 	return nil
 }
--- a/models/migrations/v208.go
+++ b/models/migrations/v208.go
@@ -5,47 +5,10 @@
 package migrations

 import (
-	"encoding/base32"
-	"encoding/base64"
-
 	"xorm.io/xorm"
 )

 func useBase32HexForCredIDInWebAuthnCredential(x *xorm.Engine) error {
-
-	// Create webauthnCredential table
-	type webauthnCredential struct {
-		ID           int64  `xorm:"pk autoincr"`
-		CredentialID string `xorm:"INDEX"`
-	}
-	if err := x.Sync2(&webauthnCredential{}); err != nil {
-		return err
-	}
-
-	var start int
-	regs := make([]*webauthnCredential, 0, 50)
-	for {
-		err := x.OrderBy("id").Limit(50, start).Find(&regs)
-		if err != nil {
-			return err
-		}
-
-		for _, reg := range regs {
-			credID, _ := base64.RawStdEncoding.DecodeString(reg.CredentialID)
-			reg.CredentialID = base32.HexEncoding.EncodeToString(credID)
-
-			_, err := x.Update(reg)
-			if err != nil {
-				return err
-			}
-		}
-
-		if len(regs) < 50 {
-			break
-		}
-		start += 50
-		regs = regs[:0]
-	}
-
+	// noop
 	return nil
 }
--- a/models/migrations/v209.go
+++ b/models/migrations/v209.go
@@ -0,0 +1,17 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"xorm.io/xorm"
+)
+
+func increaseCredentialIDTo410(x *xorm.Engine) error {
+	// no-op
+	// V208 is badly broken
+	// So now we have to no-op again.
+
+	return nil
+}
--- a/models/migrations/v210.go
+++ b/models/migrations/v210.go
@@ -0,0 +1,172 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"crypto/elliptic"
+	"encoding/base32"
+	"fmt"
+	"strings"
+
+	"code.gitea.io/gitea/modules/timeutil"
+	"github.com/tstranex/u2f"
+
+	"xorm.io/xorm"
+	"xorm.io/xorm/schemas"
+)
+
+// v208 migration was completely broken
+func remigrateU2FCredentials(x *xorm.Engine) error {
+	// Create webauthnCredential table
+	type webauthnCredential struct {
+		ID              int64 `xorm:"pk autoincr"`
+		Name            string
+		LowerName       string `xorm:"unique(s)"`
+		UserID          int64  `xorm:"INDEX unique(s)"`
+		CredentialID    string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety
+		PublicKey       []byte
+		AttestationType string
+		AAGUID          []byte
+		SignCount       uint32 `xorm:"BIGINT"`
+		CloneWarning    bool
+		CreatedUnix     timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix     timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+	if err := x.Sync2(&webauthnCredential{}); err != nil {
+		return err
+	}
+
+	switch x.Dialect().URI().DBType {
+	case schemas.MYSQL:
+		_, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN credential_id VARCHAR(410)")
+		if err != nil {
+			return err
+		}
+	case schemas.ORACLE:
+		_, err := x.Exec("ALTER TABLE webauthn_credential MODIFY credential_id VARCHAR(410)")
+		if err != nil {
+			return err
+		}
+	case schemas.MSSQL:
+		// This column has an index on it. I could write all of the code to attempt to change the index OR
+		// I could just use recreate table.
+		sess := x.NewSession()
+		if err := sess.Begin(); err != nil {
+			_ = sess.Close()
+			return err
+		}
+
+		if err := recreateTable(sess, new(webauthnCredential)); err != nil {
+			_ = sess.Close()
+			return err
+		}
+		if err := sess.Commit(); err != nil {
+			_ = sess.Close()
+			return err
+		}
+		if err := sess.Close(); err != nil {
+			return err
+		}
+	case schemas.POSTGRES:
+		_, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN credential_id TYPE VARCHAR(410)")
+		if err != nil {
+			return err
+		}
+	default:
+		// SQLite doesn't support ALTER COLUMN, and it already makes String _TEXT_ by default so no migration needed
+		// nor is there any need to re-migrate
+	}
+
+	exist, err := x.IsTableExist("u2f_registration")
+	if err != nil {
+		return err
+	}
+	if !exist {
+		return nil
+	}
+
+	// Now migrate the old u2f registrations to the new format
+	type u2fRegistration struct {
+		ID          int64 `xorm:"pk autoincr"`
+		Name        string
+		UserID      int64 `xorm:"INDEX"`
+		Raw         []byte
+		Counter     uint32             `xorm:"BIGINT"`
+		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+
+	var start int
+	regs := make([]*u2fRegistration, 0, 50)
+	for {
+		err := x.OrderBy("id").Limit(50, start).Find(&regs)
+		if err != nil {
+			return err
+		}
+
+		err = func() error {
+			sess := x.NewSession()
+			defer sess.Close()
+			if err := sess.Begin(); err != nil {
+				return fmt.Errorf("unable to allow start session. Error: %w", err)
+			}
+			if x.Dialect().URI().DBType == schemas.MSSQL {
+				if _, err := sess.Exec("SET IDENTITY_INSERT `webauthn_credential` ON"); err != nil {
+					return fmt.Errorf("unable to allow identity insert on webauthn_credential. Error: %w", err)
+				}
+			}
+			for _, reg := range regs {
+				parsed := new(u2f.Registration)
+				err = parsed.UnmarshalBinary(reg.Raw)
+				if err != nil {
+					continue
+				}
+				remigrated := &webauthnCredential{
+					ID:              reg.ID,
+					Name:            reg.Name,
+					LowerName:       strings.ToLower(reg.Name),
+					UserID:          reg.UserID,
+					CredentialID:    base32.HexEncoding.EncodeToString(parsed.KeyHandle),
+					PublicKey:       elliptic.Marshal(elliptic.P256(), parsed.PubKey.X, parsed.PubKey.Y),
+					AttestationType: "fido-u2f",
+					AAGUID:          []byte{},
+					SignCount:       reg.Counter,
+					UpdatedUnix:     reg.UpdatedUnix,
+					CreatedUnix:     reg.CreatedUnix,
+				}
+
+				has, err := sess.ID(reg.ID).Where("id = ?", reg.ID).Get(new(webauthnCredential))
+				if err != nil {
+					return fmt.Errorf("unable to get webauthn_credential[%d]. Error: %w", reg.ID, err)
+				}
+				if !has {
+					_, err = sess.Insert(remigrated)
+					if err != nil {
+						return fmt.Errorf("unable to (re)insert webauthn_credential[%d]. Error: %w", reg.ID, err)
+					}
+
+					continue
+				}
+
+				_, err = sess.ID(remigrated.ID).AllCols().Update(remigrated)
+				if err != nil {
+					return fmt.Errorf("unable to update webauthn_credential[%d]. Error: %w", reg.ID, err)
+				}
+			}
+			return sess.Commit()
+		}()
+		if err != nil {
+			return err
+		}
+
+		if len(regs) < 50 {
+			break
+		}
+		start += 50
+		regs = regs[:0]
+	}
+
+	return nil
+}
--- a/models/migrations/v210_test.go
+++ b/models/migrations/v210_test.go
@@ -0,0 +1,74 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/modules/timeutil"
+	"github.com/stretchr/testify/assert"
+	"xorm.io/xorm/schemas"
+)
+
+func Test_remigrateU2FCredentials(t *testing.T) {
+	// Create webauthnCredential table
+	type WebauthnCredential struct {
+		ID              int64 `xorm:"pk autoincr"`
+		Name            string
+		LowerName       string `xorm:"unique(s)"`
+		UserID          int64  `xorm:"INDEX unique(s)"`
+		CredentialID    string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety
+		PublicKey       []byte
+		AttestationType string
+		SignCount       uint32 `xorm:"BIGINT"`
+		CloneWarning    bool
+	}
+
+	// Now migrate the old u2f registrations to the new format
+	type U2fRegistration struct {
+		ID          int64 `xorm:"pk autoincr"`
+		Name        string
+		UserID      int64 `xorm:"INDEX"`
+		Raw         []byte
+		Counter     uint32             `xorm:"BIGINT"`
+		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+
+	type ExpectedWebauthnCredential struct {
+		ID           int64  `xorm:"pk autoincr"`
+		CredentialID string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety
+	}
+
+	// Prepare and load the testing database
+	x, deferable := prepareTestEnv(t, 0, new(WebauthnCredential), new(U2fRegistration), new(ExpectedWebauthnCredential))
+	if x == nil || t.Failed() {
+		defer deferable()
+		return
+	}
+	defer deferable()
+
+	if x.Dialect().URI().DBType == schemas.SQLITE {
+		return
+	}
+
+	// Run the migration
+	if err := remigrateU2FCredentials(x); err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
+	expected := []ExpectedWebauthnCredential{}
+	if err := x.Table("expected_webauthn_credential").Asc("id").Find(&expected); !assert.NoError(t, err) {
+		return
+	}
+
+	got := []ExpectedWebauthnCredential{}
+	if err := x.Table("webauthn_credential").Select("id, credential_id").Asc("id").Find(&got); !assert.NoError(t, err) {
+		return
+	}
+
+	assert.EqualValues(t, expected, got)
+}
--- a/models/repo.go
+++ b/models/repo.go
@@ -150,27 +150,56 @@ func getRepoAssignees(ctx context.Context, repo *repo_model.Repository) (_ []*us
 	}

 	e := db.GetEngine(ctx)
-	accesses := make([]*Access, 0, 10)
-	if err = e.
+	userIDs := make([]int64, 0, 10)
+	if err = e.Table("access").
 		Where("repo_id = ? AND mode >= ?", repo.ID, perm.AccessModeWrite).
-		Find(&accesses); err != nil {
+		Select("id").
+		Find(&userIDs); err != nil {
 		return nil, err
 	}

+	additionalUserIDs := make([]int64, 0, 10)
+	if err = e.Table("team_user").
+		Join("INNER", "team_repo", "`team_repo`.team_id = `team_user`.team_id").
+		Join("INNER", "team_unit", "`team_unit`.team_id = `team_user`.team_id").
+		Where("`team_repo`.repo_id = ? AND `team_unit`.access_mode >= ?", repo.ID, perm.AccessModeWrite).
+		Distinct("`team_user`.uid").
+		Select("`team_user`.uid").
+		Find(&additionalUserIDs); err != nil {
+		return nil, err
+	}
+
+	uidMap := map[int64]bool{}
+	i := 0
+	for _, uid := range userIDs {
+		if uidMap[uid] {
+			continue
+		}
+		uidMap[uid] = true
+		userIDs[i] = uid
+		i++
+	}
+	userIDs = userIDs[:i]
+	userIDs = append(userIDs, additionalUserIDs...)
+
+	for _, uid := range additionalUserIDs {
+		if uidMap[uid] {
+			continue
+		}
+		userIDs[i] = uid
+		i++
+	}
+	userIDs = userIDs[:i]
+
 	// Leave a seat for owner itself to append later, but if owner is an organization
 	// and just waste 1 unit is cheaper than re-allocate memory once.
-	users := make([]*user_model.User, 0, len(accesses)+1)
-	if len(accesses) > 0 {
-		userIDs := make([]int64, len(accesses))
-		for i := 0; i < len(accesses); i++ {
-			userIDs[i] = accesses[i].UserID
-		}
-
+	users := make([]*user_model.User, 0, len(userIDs)+1)
+	if len(userIDs) > 0 {
 		if err = e.In("id", userIDs).Find(&users); err != nil {
 			return nil, err
 		}
 	}
-	if !repo.Owner.IsOrganization() {
+	if !repo.Owner.IsOrganization() && !uidMap[repo.OwnerID] {
 		users = append(users, repo.Owner)
 	}

--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -328,7 +328,12 @@ func AllUnitKeyNames() []string {
 // MinUnitAccessMode returns the minial permission of the permission map
 func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
 	res := perm.AccessModeNone
-	for _, mode := range unitsMap {
+	for t, mode := range unitsMap {
+		// Don't allow `TypeExternal{Tracker,Wiki}` to influence this as they can only be set to READ perms.
+		if t == TypeExternalTracker || t == TypeExternalWiki {
+			continue
+		}
+
 		// get the minial permission great than AccessModeNone except all are AccessModeNone
 		if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
 			res = mode
--- a/models/user/user.go
+++ b/models/user/user.go
@@ -827,8 +827,9 @@ func validateUser(u *User) error {
 	return ValidateEmail(u.Email)
 }

-func updateUser(ctx context.Context, u *User, changePrimaryEmail bool) error {
-	if err := validateUser(u); err != nil {
+func updateUser(ctx context.Context, u *User, changePrimaryEmail bool, cols ...string) error {
+	err := validateUser(u)
+	if err != nil {
 		return err
 	}

@@ -860,15 +861,35 @@ func updateUser(ctx context.Context, u *User, changePrimaryEmail bool) error {
 		}); err != nil {
 			return err
 		}
+	} else { // check if primary email in email_address table
+		primaryEmailExist, err := e.Where("uid=? AND is_primary=?", u.ID, true).Exist(&EmailAddress{})
+		if err != nil {
+			return err
+		}
+
+		if !primaryEmailExist {
+			if _, err = e.Insert(&EmailAddress{
+				Email:       u.Email,
+				UID:         u.ID,
+				IsActivated: true,
+				IsPrimary:   true,
+			}); err != nil {
+				return err
+			}
+		}
 	}

-	_, err := e.ID(u.ID).AllCols().Update(u)
+	if len(cols) == 0 {
+		_, err = e.ID(u.ID).AllCols().Update(u)
+	} else {
+		_, err = e.ID(u.ID).Cols(cols...).Update(u)
+	}
 	return err
 }

 // UpdateUser updates user's information.
-func UpdateUser(u *User, emailChanged bool) error {
-	return updateUser(db.DefaultContext, u, emailChanged)
+func UpdateUser(u *User, emailChanged bool, cols ...string) error {
+	return updateUser(db.DefaultContext, u, emailChanged, cols...)
 }

 // UpdateUserCols update user according special columns
@@ -1104,19 +1125,9 @@ func GetUserByEmailContext(ctx context.Context, email string) (*User, error) {
 	}

 	email = strings.ToLower(email)
-	// First try to find the user by primary email
-	user := &User{Email: email}
-	has, err := db.GetEngine(ctx).Get(user)
-	if err != nil {
-		return nil, err
-	}
-	if has {
-		return user, nil
-	}
-
 	// Otherwise, check in alternative list for activated email addresses
-	emailAddress := &EmailAddress{Email: email, IsActivated: true}
-	has, err = db.GetEngine(ctx).Get(emailAddress)
+	emailAddress := &EmailAddress{LowerEmail: email, IsActivated: true}
+	has, err := db.GetEngine(ctx).Get(emailAddress)
 	if err != nil {
 		return nil, err
 	}
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
@@ -235,6 +235,20 @@ func TestCreateUserInvalidEmail(t *testing.T) {
 	assert.True(t, IsErrEmailInvalid(err))
 }

+func TestCreateUserEmailAlreadyUsed(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+
+	// add new user with user2's email
+	user.Name = "testuser"
+	user.LowerName = strings.ToLower(user.Name)
+	user.ID = 0
+	err := CreateUser(user)
+	assert.Error(t, err)
+	assert.True(t, IsErrEmailAlreadyUsed(err))
+}
+
 func TestGetUserIDsByNames(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

--- a/modules/charset/escape.go
+++ b/modules/charset/escape.go
@@ -74,6 +74,7 @@ readingloop:
 	for err == nil {
 		n, err = text.Read(buf[readStart:])
 		bs := buf[:n+readStart]
+		n = len(bs)
 		i := 0

 		for i < len(bs) {
--- a/modules/charset/escape_test.go
+++ b/modules/charset/escape_test.go
@@ -200,3 +200,12 @@ func TestEscapeControlReader(t *testing.T) {
 		})
 	}
 }
+
+func TestEscapeControlReader_panic(t *testing.T) {
+	bs := make([]byte, 0, 20479)
+	bs = append(bs, 'A')
+	for i := 0; i < 6826; i++ {
+		bs = append(bs, []byte("—")...)
+	}
+	_, _ = EscapeControlBytes(bs)
+}
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -9,9 +9,11 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"html"
 	"html/template"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"path"
@@ -264,6 +266,12 @@ func (ctx *Context) ServerError(logMsg string, logErr error) {
 func (ctx *Context) serverErrorInternal(logMsg string, logErr error) {
 	if logErr != nil {
 		log.ErrorWithSkip(2, "%s: %v", logMsg, logErr)
+		if errors.Is(logErr, &net.OpError{}) {
+			// This is an error within the underlying connection
+			// and further rendering will not work so just return
+			return
+		}
+
 		if !setting.IsProd {
 			ctx.Data["ErrorMsg"] = logErr
 		}
--- a/modules/git/commit_info_test.go
+++ b/modules/git/commit_info_test.go
@@ -16,20 +16,25 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-const testReposDir = "tests/repos/"
-const benchmarkReposDir = "benchmark/repos/"
+const (
+	testReposDir = "tests/repos/"
+)

-func cloneRepo(url, dir, name string) (string, error) {
-	repoDir := filepath.Join(dir, name)
-	if _, err := os.Stat(repoDir); err == nil {
-		return repoDir, nil
+func cloneRepo(url, name string) (string, error) {
+	repoDir, err := os.MkdirTemp("", name)
+	if err != nil {
+		return "", err
 	}
-	return repoDir, Clone(url, repoDir, CloneRepoOptions{
+	if err := Clone(url, repoDir, CloneRepoOptions{
 		Mirror:  false,
 		Bare:    false,
 		Quiet:   true,
 		Timeout: 5 * time.Minute,
-	})
+	}); err != nil {
+		_ = util.RemoveAll(repoDir)
+		return "", err
+	}
+	return repoDir, nil
 }

 func testGetCommitsInfo(t *testing.T, repo1 *Repository) {
@@ -59,20 +64,35 @@ func testGetCommitsInfo(t *testing.T, repo1 *Repository) {
 	}
 	for _, testCase := range testCases {
 		commit, err := repo1.GetCommit(testCase.CommitID)
-		assert.NoError(t, err)
+		if err != nil {
+			assert.NoError(t, err, "Unable to get commit: %s from testcase due to error: %v", testCase.CommitID, err)
+			// no point trying to do anything else for this test.
+			continue
+		}
 		assert.NotNil(t, commit)
 		assert.NotNil(t, commit.Tree)
 		assert.NotNil(t, commit.Tree.repo)

 		tree, err := commit.Tree.SubTree(testCase.Path)
+		if err != nil {
+			assert.NoError(t, err, "Unable to get subtree: %s of commit: %s from testcase due to error: %v", testCase.Path, testCase.CommitID, err)
+			// no point trying to do anything else for this test.
+			continue
+		}
+
 		assert.NotNil(t, tree, "tree is nil for testCase CommitID %s in Path %s", testCase.CommitID, testCase.Path)
 		assert.NotNil(t, tree.repo, "repo is nil for testCase CommitID %s in Path %s", testCase.CommitID, testCase.Path)

-		assert.NoError(t, err)
 		entries, err := tree.ListEntries()
-		assert.NoError(t, err)
-		commitsInfo, treeCommit, err := entries.GetCommitsInfo(context.Background(), commit, testCase.Path, nil)
-		assert.NoError(t, err)
+		if err != nil {
+			assert.NoError(t, err, "Unable to get entries of subtree: %s in commit: %s from testcase due to error: %v", testCase.Path, testCase.CommitID, err)
+			// no point trying to do anything else for this test.
+			continue
+		}
+
+		// FIXME: Context.TODO() - if graceful has started we should use its Shutdown context otherwise use install signals in TestMain.
+		commitsInfo, treeCommit, err := entries.GetCommitsInfo(context.TODO(), commit, testCase.Path, nil)
+		assert.NoError(t, err, "Unable to get commit information for entries of subtree: %s in commit: %s from testcase due to error: %v", testCase.Path, testCase.CommitID, err)
 		if err != nil {
 			t.FailNow()
 		}
@@ -98,40 +118,52 @@ func TestEntries_GetCommitsInfo(t *testing.T) {

 	testGetCommitsInfo(t, bareRepo1)

-	clonedPath, err := cloneRepo(bareRepo1Path, testReposDir, "repo1_TestEntries_GetCommitsInfo")
-	assert.NoError(t, err)
+	clonedPath, err := cloneRepo(bareRepo1Path, "repo1_TestEntries_GetCommitsInfo")
+	if err != nil {
+		assert.NoError(t, err)
+	}
 	defer util.RemoveAll(clonedPath)
 	clonedRepo1, err := OpenRepository(clonedPath)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+	}
 	defer clonedRepo1.Close()

 	testGetCommitsInfo(t, clonedRepo1)
 }

 func BenchmarkEntries_GetCommitsInfo(b *testing.B) {
-	benchmarks := []struct {
+	type benchmarkType struct {
 		url  string
 		name string
-	}{
+	}
+
+	benchmarks := []benchmarkType{
 		{url: "https://github.com/go-gitea/gitea.git", name: "gitea"},
 		{url: "https://github.com/ethantkoenig/manyfiles.git", name: "manyfiles"},
 		{url: "https://github.com/moby/moby.git", name: "moby"},
 		{url: "https://github.com/golang/go.git", name: "go"},
 		{url: "https://github.com/torvalds/linux.git", name: "linux"},
 	}
-	for _, benchmark := range benchmarks {
+
+	doBenchmark := func(benchmark benchmarkType) {
 		var commit *Commit
 		var entries Entries
 		var repo *Repository
-		if repoPath, err := cloneRepo(benchmark.url, benchmarkReposDir, benchmark.name); err != nil {
+		repoPath, err := cloneRepo(benchmark.url, benchmark.name)
+		if err != nil {
 			b.Fatal(err)
-		} else if repo, err = OpenRepository(repoPath); err != nil {
+		}
+		defer util.RemoveAll(repoPath)
+
+		if repo, err = OpenRepository(repoPath); err != nil {
 			b.Fatal(err)
-		} else if commit, err = repo.GetBranchCommit("master"); err != nil {
-			repo.Close()
+		}
+		defer repo.Close()
+
+		if commit, err = repo.GetBranchCommit("master"); err != nil {
 			b.Fatal(err)
 		} else if entries, err = commit.Tree.ListEntries(); err != nil {
-			repo.Close()
 			b.Fatal(err)
 		}
 		entries.Sort()
@@ -144,6 +176,9 @@ func BenchmarkEntries_GetCommitsInfo(b *testing.B) {
 				}
 			}
 		})
-		repo.Close()
+	}
+
+	for _, benchmark := range benchmarks {
+		doBenchmark(benchmark)
 	}
 }
--- a/modules/git/repo.go
+++ b/modules/git/repo.go
@@ -80,20 +80,19 @@ func InitRepository(repoPath string, bare bool) error {
 // IsEmpty Check if repository is empty.
 func (repo *Repository) IsEmpty() (bool, error) {
 	var errbuf, output strings.Builder
-	if err := NewCommandContext(repo.Ctx, "rev-list", "--all", "--count", "--max-count=1").RunWithContext(&RunContext{
+	if err := NewCommandContext(repo.Ctx, "show-ref", "--head", "^HEAD$").RunWithContext(&RunContext{
 		Timeout: -1,
 		Dir:     repo.Path,
 		Stdout:  &output,
 		Stderr:  &errbuf,
 	}); err != nil {
+		if err.Error() == "exit status 1" && errbuf.String() == "" {
+			return true, nil
+		}
 		return true, fmt.Errorf("check empty: %v - %s", err, errbuf.String())
 	}

-	c, err := strconv.Atoi(strings.TrimSpace(output.String()))
-	if err != nil {
-		return true, fmt.Errorf("check empty: convert %s to count failed: %v", output.String(), err)
-	}
-	return c == 0, nil
+	return strings.TrimSpace(output.String()) == "", nil
 }

 // CloneRepoOptions options when clone a repository
--- a/modules/git/repo_attribute.go
+++ b/modules/git/repo_attribute.go
@@ -87,7 +87,7 @@ func (repo *Repository) CheckAttribute(opts CheckAttributeOpts) (map[string]map[
 		return nil, fmt.Errorf("wrong number of fields in return from check-attr")
 	}

-	var name2attribute2info = make(map[string]map[string]string)
+	name2attribute2info := make(map[string]map[string]string)

 	for i := 0; i < (len(fields) / 3); i++ {
 		filename := string(fields[3*i])
@@ -179,17 +179,21 @@ func (c *CheckAttributeReader) Init(ctx context.Context) error {
 // Run run cmd
 func (c *CheckAttributeReader) Run() error {
 	defer func() {
-		_ = c.Close()
+		_ = c.stdinReader.Close()
+		_ = c.stdOut.Close()
 	}()
 	stdErr := new(bytes.Buffer)
 	err := c.cmd.RunInDirTimeoutEnvFullPipelineFunc(c.env, -1, c.Repo.Path, c.stdOut, stdErr, c.stdinReader, func(_ context.Context, _ context.CancelFunc) error {
-		close(c.running)
+		select {
+		case <-c.running:
+		default:
+			close(c.running)
+		}
 		return nil
 	})
 	if err != nil && c.ctx.Err() != nil && err.Error() != "signal: killed" {
 		return fmt.Errorf("failed to run attr-check. Error: %w\nStderr: %s", err, stdErr.String())
 	}
-
 	return nil
 }

@@ -229,10 +233,8 @@ func (c *CheckAttributeReader) CheckPath(path string) (rs map[string]string, err

 // Close close pip after use
 func (c *CheckAttributeReader) Close() error {
-	err := c.stdinWriter.Close()
-	_ = c.stdinReader.Close()
-	_ = c.stdOut.Close()
 	c.cancel()
+	err := c.stdinWriter.Close()
 	select {
 	case <-c.running:
 	default:
--- a/modules/git/repo_compare_test.go
+++ b/modules/git/repo_compare_test.go
@@ -17,17 +17,33 @@ import (

 func TestGetFormatPatch(t *testing.T) {
 	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")
-	clonedPath, err := cloneRepo(bareRepo1Path, testReposDir, "repo1_TestGetFormatPatch")
+	clonedPath, err := cloneRepo(bareRepo1Path, "repo1_TestGetFormatPatch")
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer util.RemoveAll(clonedPath)
-	assert.NoError(t, err)
+
 	repo, err := OpenRepository(clonedPath)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer repo.Close()
-	assert.NoError(t, err)
+
 	rd := &bytes.Buffer{}
 	err = repo.GetPatch("8d92fc95^", "8d92fc95", rd)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
 	patchb, err := io.ReadAll(rd)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
 	patch := string(patchb)
 	assert.Regexp(t, "^From 8d92fc95", patch)
 	assert.Contains(t, patch, "Subject: [PATCH] Add file2.txt")
@@ -37,17 +53,25 @@ func TestReadPatch(t *testing.T) {
 	// Ensure we can read the patch files
 	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")
 	repo, err := OpenRepository(bareRepo1Path)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer repo.Close()
-	assert.NoError(t, err)
 	// This patch doesn't exist
 	noFile, err := repo.ReadPatchCommit(0)
 	assert.Error(t, err)
+
 	// This patch is an empty one (sometimes it's a 404)
 	noCommit, err := repo.ReadPatchCommit(1)
 	assert.Error(t, err)
+
 	// This patch is legit and should return a commit
 	oldCommit, err := repo.ReadPatchCommit(2)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}

 	assert.Empty(t, noFile)
 	assert.Empty(t, noCommit)
@@ -58,23 +82,45 @@ func TestReadPatch(t *testing.T) {
 func TestReadWritePullHead(t *testing.T) {
 	// Ensure we can write SHA1 head corresponding to PR and open them
 	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")
-	repo, err := OpenRepository(bareRepo1Path)
-	assert.NoError(t, err)
+
+	// As we are writing we should clone the repository first
+	clonedPath, err := cloneRepo(bareRepo1Path, "TestReadWritePullHead")
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+	defer util.RemoveAll(clonedPath)
+
+	repo, err := OpenRepository(clonedPath)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer repo.Close()
+
 	// Try to open non-existing Pull
 	_, err = repo.GetRefCommitID(PullPrefix + "0/head")
 	assert.Error(t, err)
+
 	// Write a fake sha1 with only 40 zeros
 	newCommit := "feaf4ba6bc635fec442f46ddd4512416ec43c2c2"
 	err = repo.SetReference(PullPrefix+"1/head", newCommit)
-	assert.NoError(t, err)
-	// Remove file after the test
-	defer func() {
-		_ = repo.RemoveReference(PullPrefix + "1/head")
-	}()
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
 	// Read the file created
 	headContents, err := repo.GetRefCommitID(PullPrefix + "1/head")
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
 	assert.Len(t, string(headContents), 40)
 	assert.True(t, string(headContents) == newCommit)
+
+	// Remove file after the test
+	err = repo.RemoveReference(PullPrefix + "1/head")
+	assert.NoError(t, err)
 }
--- a/modules/git/repo_language_stats_nogogit.go
+++ b/modules/git/repo_language_stats_nogogit.go
@@ -88,7 +88,10 @@ func (repo *Repository) GetLanguageStats(commitID string) (map[string]int64, err
 					}
 				}()
 			}
-			defer cancel()
+			defer func() {
+				_ = checker.Close()
+				cancel()
+			}()
 		}
 	}

--- a/modules/git/repo_tag_test.go
+++ b/modules/git/repo_tag_test.go
@@ -16,11 +16,17 @@ import (
 func TestRepository_GetTags(t *testing.T) {
 	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")
 	bareRepo1, err := OpenRepository(bareRepo1Path)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer bareRepo1.Close()

 	tags, total, err := bareRepo1.GetTagInfos(0, 0)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	assert.Len(t, tags, 1)
 	assert.Equal(t, len(tags), total)
 	assert.EqualValues(t, "test", tags[0].Name)
@@ -31,40 +37,75 @@ func TestRepository_GetTags(t *testing.T) {
 func TestRepository_GetTag(t *testing.T) {
 	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")

-	clonedPath, err := cloneRepo(bareRepo1Path, testReposDir, "repo1_TestRepository_GetTag")
-	assert.NoError(t, err)
+	clonedPath, err := cloneRepo(bareRepo1Path, "TestRepository_GetTag")
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer util.RemoveAll(clonedPath)

 	bareRepo1, err := OpenRepository(clonedPath)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer bareRepo1.Close()

+	// LIGHTWEIGHT TAGS
 	lTagCommitID := "6fbd69e9823458e6c4a2fc5c0f6bc022b2f2acd1"
 	lTagName := "lightweightTag"
-	bareRepo1.CreateTag(lTagName, lTagCommitID)

-	aTagCommitID := "8006ff9adbf0cb94da7dad9e537e53817f9fa5c0"
-	aTagName := "annotatedTag"
-	aTagMessage := "my annotated message \n - test two line"
-	bareRepo1.CreateAnnotatedTag(aTagName, aTagMessage, aTagCommitID)
-	aTagID, _ := bareRepo1.GetTagID(aTagName)
+	// Create the lightweight tag
+	err = bareRepo1.CreateTag(lTagName, lTagCommitID)
+	if err != nil {
+		assert.NoError(t, err, "Unable to create the lightweight tag: %s for ID: %s. Error: %v", lTagName, lTagCommitID, err)
+		return
+	}

+	// and try to get the Tag for lightweight tag
 	lTag, err := bareRepo1.GetTag(lTagName)
-	assert.NoError(t, err)
-	assert.NotNil(t, lTag)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	if lTag == nil {
+		assert.NotNil(t, lTag)
 		assert.FailNow(t, "nil lTag: %s", lTagName)
+		return
 	}
 	assert.EqualValues(t, lTagName, lTag.Name)
 	assert.EqualValues(t, lTagCommitID, lTag.ID.String())
 	assert.EqualValues(t, lTagCommitID, lTag.Object.String())
 	assert.EqualValues(t, "commit", lTag.Type)

+	// ANNOTATED TAGS
+	aTagCommitID := "8006ff9adbf0cb94da7dad9e537e53817f9fa5c0"
+	aTagName := "annotatedTag"
+	aTagMessage := "my annotated message \n - test two line"
+
+	// Create the annotated tag
+	err = bareRepo1.CreateAnnotatedTag(aTagName, aTagMessage, aTagCommitID)
+	if err != nil {
+		assert.NoError(t, err, "Unable to create the annotated tag: %s for ID: %s. Error: %v", aTagName, aTagCommitID, err)
+		return
+	}
+
+	// Now try to get the tag for the annotated Tag
+	aTagID, err := bareRepo1.GetTagID(aTagName)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+
 	aTag, err := bareRepo1.GetTag(aTagName)
-	assert.NoError(t, err)
-	assert.NotNil(t, aTag)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	if aTag == nil {
+		assert.NotNil(t, aTag)
 		assert.FailNow(t, "nil aTag: %s", aTagName)
+		return
 	}
 	assert.EqualValues(t, aTagName, aTag.Name)
 	assert.EqualValues(t, aTagID, aTag.ID.String())
@@ -72,26 +113,47 @@ func TestRepository_GetTag(t *testing.T) {
 	assert.EqualValues(t, aTagCommitID, aTag.Object.String())
 	assert.EqualValues(t, "tag", aTag.Type)

+	// RELEASE TAGS
+
 	rTagCommitID := "8006ff9adbf0cb94da7dad9e537e53817f9fa5c0"
 	rTagName := "release/" + lTagName
-	bareRepo1.CreateTag(rTagName, rTagCommitID)
+
+	err = bareRepo1.CreateTag(rTagName, rTagCommitID)
+	if err != nil {
+		assert.NoError(t, err, "Unable to create the  tag: %s for ID: %s. Error: %v", rTagName, rTagCommitID, err)
+		return
+	}
+
 	rTagID, err := bareRepo1.GetTagID(rTagName)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	assert.EqualValues(t, rTagCommitID, rTagID)
+
 	oTagID, err := bareRepo1.GetTagID(lTagName)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	assert.EqualValues(t, lTagCommitID, oTagID)
 }

 func TestRepository_GetAnnotatedTag(t *testing.T) {
 	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")

-	clonedPath, err := cloneRepo(bareRepo1Path, testReposDir, "repo1_TestRepository_GetTag")
-	assert.NoError(t, err)
+	clonedPath, err := cloneRepo(bareRepo1Path, "TestRepository_GetAnnotatedTag")
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer util.RemoveAll(clonedPath)

 	bareRepo1, err := OpenRepository(clonedPath)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	defer bareRepo1.Close()

 	lTagCommitID := "6fbd69e9823458e6c4a2fc5c0f6bc022b2f2acd1"
@@ -106,7 +168,10 @@ func TestRepository_GetAnnotatedTag(t *testing.T) {

 	// Try an annotated tag
 	tag, err := bareRepo1.GetAnnotatedTag(aTagID)
-	assert.NoError(t, err)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
 	assert.NotNil(t, tag)
 	assert.EqualValues(t, aTagName, tag.Name)
 	assert.EqualValues(t, aTagID, tag.ID.String())
--- a/modules/graceful/manager.go
+++ b/modules/graceful/manager.go
@@ -192,6 +192,7 @@ func (g *Manager) RunAtHammer(hammer func()) {
 }
 func (g *Manager) doShutdown() {
 	if !g.setStateTransition(stateRunning, stateShuttingDown) {
+		g.DoImmediateHammer()
 		return
 	}
 	g.lock.Lock()
--- a/modules/graceful/manager_unix.go
+++ b/modules/graceful/manager_unix.go
@@ -168,8 +168,12 @@ func (g *Manager) DoGracefulRestart() {
 	if setting.GracefulRestartable {
 		log.Info("PID: %d. Forking...", os.Getpid())
 		err := g.doFork()
-		if err != nil && err.Error() != "another process already forked. Ignoring this one" {
-			log.Error("Error whilst forking from PID: %d : %v", os.Getpid(), err)
+		if err != nil {
+			if err.Error() == "another process already forked. Ignoring this one" {
+				g.DoImmediateHammer()
+			} else {
+				log.Error("Error whilst forking from PID: %d : %v", os.Getpid(), err)
+			}
 		}
 	} else {
 		log.Info("PID: %d. Not set restartable. Shutting down...", os.Getpid())
--- a/modules/notification/mail/mail.go
+++ b/modules/notification/mail/mail.go
@@ -115,7 +115,7 @@ func (m *mailNotifier) NotifyPullRequestCodeComment(pr *models.PullRequest, comm

 func (m *mailNotifier) NotifyIssueChangeAssignee(doer *user_model.User, issue *models.Issue, assignee *user_model.User, removed bool, comment *models.Comment) {
 	// mail only sent to added assignees and not self-assignee
-	if !removed && doer.ID != assignee.ID && assignee.EmailNotifications() == user_model.EmailNotificationsEnabled {
+	if !removed && doer.ID != assignee.ID && (assignee.EmailNotifications() == user_model.EmailNotificationsEnabled || assignee.EmailNotifications() == user_model.EmailNotificationsOnMention) {
 		ct := fmt.Sprintf("Assigned #%d.", issue.Index)
 		if err := mailer.SendIssueAssignedMail(issue, doer, ct, comment, []*user_model.User{assignee}); err != nil {
 			log.Error("Error in SendIssueAssignedMail for issue[%d] to assignee[%d]: %v", issue.ID, assignee.ID, err)
@@ -124,7 +124,7 @@ func (m *mailNotifier) NotifyIssueChangeAssignee(doer *user_model.User, issue *m
 }

 func (m *mailNotifier) NotifyPullReviewRequest(doer *user_model.User, issue *models.Issue, reviewer *user_model.User, isRequest bool, comment *models.Comment) {
-	if isRequest && doer.ID != reviewer.ID && reviewer.EmailNotifications() == user_model.EmailNotificationsEnabled {
+	if isRequest && doer.ID != reviewer.ID && (reviewer.EmailNotifications() == user_model.EmailNotificationsEnabled || reviewer.EmailNotifications() == user_model.EmailNotificationsOnMention) {
 		ct := fmt.Sprintf("Requested to review %s.", issue.HTMLURL())
 		if err := mailer.SendIssueAssignedMail(issue, doer, ct, comment, []*user_model.User{reviewer}); err != nil {
 			log.Error("Error in SendIssueAssignedMail for issue[%d] to reviewer[%d]: %v", issue.ID, reviewer.ID, err)
--- a/modules/queue/queue_bytefifo.go
+++ b/modules/queue/queue_bytefifo.go
@@ -195,9 +195,11 @@ loop:
 	}
 }

-var errQueueEmpty = fmt.Errorf("empty queue")
-var errEmptyBytes = fmt.Errorf("empty bytes")
-var errUnmarshal = fmt.Errorf("failed to unmarshal")
+var (
+	errQueueEmpty = fmt.Errorf("empty queue")
+	errEmptyBytes = fmt.Errorf("empty bytes")
+	errUnmarshal  = fmt.Errorf("failed to unmarshal")
+)

 func (q *ByteFIFOQueue) doPop() error {
 	q.lock.Lock()
--- a/modules/queue/queue_disk_channel.go
+++ b/modules/queue/queue_disk_channel.go
@@ -251,8 +251,8 @@ func (q *PersistableChannelQueue) Shutdown() {
 	q.channelQueue.Wait()
 	q.internal.(*LevelQueue).Wait()
 	// Redirect all remaining data in the chan to the internal channel
-	close(q.channelQueue.dataChan)
 	log.Trace("PersistableChannelQueue: %s Redirecting remaining data", q.delayedStarter.name)
+	close(q.channelQueue.dataChan)
 	for data := range q.channelQueue.dataChan {
 		_ = q.internal.Push(data)
 		atomic.AddInt64(&q.channelQueue.numInQueue, -1)
--- a/modules/queue/queue_disk_channel_test.go
+++ b/modules/queue/queue_disk_channel_test.go
@@ -188,5 +188,4 @@ func TestPersistableChannelQueue(t *testing.T) {
 	for _, callback := range callbacks {
 		callback()
 	}
-
 }
--- a/modules/queue/unique_queue_disk_channel.go
+++ b/modules/queue/unique_queue_disk_channel.go
@@ -238,13 +238,12 @@ func (q *PersistableChannelUniqueQueue) Shutdown() {
 	q.channelQueue.Wait()
 	q.internal.(*LevelUniqueQueue).Wait()
 	// Redirect all remaining data in the chan to the internal channel
-	go func() {
-		log.Trace("PersistableChannelUniqueQueue: %s Redirecting remaining data", q.delayedStarter.name)
-		for data := range q.channelQueue.dataChan {
-			_ = q.internal.Push(data)
-		}
-		log.Trace("PersistableChannelUniqueQueue: %s Done Redirecting remaining data", q.delayedStarter.name)
-	}()
+	close(q.channelQueue.dataChan)
+	log.Trace("PersistableChannelUniqueQueue: %s Redirecting remaining data", q.delayedStarter.name)
+	for data := range q.channelQueue.dataChan {
+		_ = q.internal.Push(data)
+	}
+	log.Trace("PersistableChannelUniqueQueue: %s Done Redirecting remaining data", q.delayedStarter.name)

 	log.Debug("PersistableChannelUniqueQueue: %s Shutdown", q.delayedStarter.name)
 }
--- a/modules/queue/workerpool.go
+++ b/modules/queue/workerpool.go
@@ -87,6 +87,20 @@ func (p *WorkerPool) Push(data Data) {
 	}
 }

+// HasNoWorkerScaling will return true if the queue has no workers, and has no worker boosting
+func (p *WorkerPool) HasNoWorkerScaling() bool {
+	p.lock.Lock()
+	defer p.lock.Unlock()
+	return p.hasNoWorkerScaling()
+}
+
+func (p *WorkerPool) hasNoWorkerScaling() bool {
+	return p.numberOfWorkers == 0 && (p.boostTimeout == 0 || p.boostWorkers == 0 || p.maxNumberOfWorkers == 0)
+}
+
+// zeroBoost will add a temporary boost worker for a no worker queue
+// p.lock must be locked at the start of this function BUT it will be unlocked by the end of this function
+// (This is because addWorkers has to be called whilst unlocked)
 func (p *WorkerPool) zeroBoost() {
 	ctx, cancel := context.WithTimeout(p.baseCtx, p.boostTimeout)
 	mq := GetManager().GetManagedQueue(p.qid)
@@ -277,6 +291,21 @@ func (p *WorkerPool) addWorkers(ctx context.Context, cancel context.CancelFunc,
 				p.cond.Broadcast()
 				cancel()
 			}
+
+			select {
+			case <-p.baseCtx.Done():
+				// Don't warn if the baseCtx is shutdown
+			default:
+				if p.hasNoWorkerScaling() {
+					log.Warn(
+						"Queue: %d is configured to be non-scaling and has no workers - this configuration is likely incorrect.", p.qid)
+				} else if p.numberOfWorkers == 0 && atomic.LoadInt64(&p.numInQueue) > 0 {
+					// OK there are no workers but... there's still work to be done -> Reboost
+					p.zeroBoost()
+					// p.lock will be unlocked by zeroBoost
+					return
+				}
+			}
 			p.lock.Unlock()
 		}()
 	}
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -1022,8 +1022,13 @@ func loadFromConf(allowEmpty bool, extraConfig string) {
 		UI.CustomEmojisMap[emoji] = ":" + emoji + ":"
 	}

-	sec = Cfg.Section("U2F")
-	U2F.AppID = sec.Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
+	// FIXME: DEPRECATED to be removed in v1.18.0
+	U2F.AppID = strings.TrimSuffix(AppURL, "/")
+	if Cfg.Section("U2F").HasKey("APP_ID") {
+		U2F.AppID = Cfg.Section("U2F").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
+	} else if Cfg.Section("u2f").HasKey("APP_ID") {
+		U2F.AppID = Cfg.Section("u2f").Key("APP_ID").MustString(strings.TrimSuffix(AppURL, "/"))
+	}
 }

 func parseAuthorizedPrincipalsAllow(values []string) ([]string, bool) {
@@ -1162,7 +1167,6 @@ func MakeManifestData(appName, appURL, absoluteAssetURL string) []byte {
 			},
 		},
 	})
-
 	if err != nil {
 		log.Error("unable to marshal manifest JSON. Error: %v", err)
 		return make([]byte, 0)
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2334,6 +2334,7 @@ first_page = First
 last_page = Last
 total = Total: %d

+dashboard.new_version_hint = Gitea %s is now available, you are running %s. Check the <a target="_blank" rel="noreferrer" href="https://blog.gitea.io">blog</a> for more details.
 dashboard.statistic = Summary
 dashboard.operations = Maintenance Operations
 dashboard.system_status = System Status
@@ -2407,6 +2408,7 @@ dashboard.last_gc_pause = Last GC Pause
 dashboard.gc_times = GC Times
 dashboard.delete_old_actions = Delete all old actions from database
 dashboard.delete_old_actions.started = Delete all old actions from database started.
+dashboard.update_checker = Update checker

 users.user_manage_panel = User Account Management
 users.new_account = Create User Account
--- a/options/locale/locale_zh-CN.ini
+++ b/options/locale/locale_zh-CN.ini
@@ -673,8 +673,8 @@ last_used=上次使用在
 no_activity=没有最近活动
 can_read_info=读取
 can_write_info=写入
-key_state_desc=7 天内使用过该密钥 
-token_state_desc=7 天内使用过该密钥 
+key_state_desc=7 天内使用过该密钥
+token_state_desc=7 天内使用过该密钥
 principal_state_desc=7 天内使用过该规则
 show_openid=在个人信息上显示
 hide_openid=在个人信息上隐藏
@@ -855,7 +855,7 @@ watchers=关注者
 stargazers=称赞者
 forks=派生仓库
 pick_reaction=选择你的表情
-reactions_more=再加载 %d 
+reactions_more=再加载 %d
 unit_disabled=站点管理员已禁用此仓库单元。
 language_other=其它
 adopt_search=输入用户名以搜索未被收录的仓库... (留空以查找全部)
@@ -2334,6 +2334,7 @@ first_page=首页
 last_page=末页
 total=总计：%d

+dashboard.new_version_hint = Gitea %s 可以更新了，您正在运行 %s。请检查 <a target="_blank" rel="noreferrer" href="https://blog.gitea.io">博客</a> 查看更多详情。
 dashboard.statistic=摘要
 dashboard.operations=维护操作
 dashboard.system_status=系统状态
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,7 +23,7 @@
        "less": "4.1.2",
        "less-loader": "10.2.0",
        "license-checker-webpack-plugin": "0.2.1",
-        "mermaid": "8.13.10",
+        "mermaid": "8.14.0",
        "mini-css-extract-plugin": "2.5.2",
        "monaco-editor": "0.31.1",
        "monaco-editor-webpack-plugin": "7.0.1",
@@ -3435,9 +3435,9 @@
      }
    },
    "node_modules/dompurify": {
-      "version": "2.3.4",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.4.tgz",
-      "integrity": "sha512-6BVcgOAVFXjI0JTjEvZy901Rghm+7fDQOrNIcxB4+gdhj6Kwp6T9VBhBY/AbagKHJocRkDYGd6wvI+p4/10xtQ=="
+      "version": "2.3.5",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.5.tgz",
+      "integrity": "sha512-kD+f8qEaa42+mjdOpKeztu9Mfx5bv9gVLO6K9jRx4uGvh6Wv06Srn4jr1wPNY2OOUGGSKHNFN+A8MA3v0E0QAQ=="
    },
    "node_modules/domutils": {
      "version": "2.8.0",
@@ -6797,15 +6797,15 @@
      }
    },
    "node_modules/mermaid": {
-      "version": "8.13.10",
-      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-8.13.10.tgz",
-      "integrity": "sha512-2ANep359uML87+wiYaWSu83eg9Qc0xCLnNJdCh100m4v0orS3fp8SScsZLcDSElRGHi+1zuVJsEEVEWH05+COQ==",
+      "version": "8.14.0",
+      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-8.14.0.tgz",
+      "integrity": "sha512-ITSHjwVaby1Li738sxhF48sLTxcNyUAoWfoqyztL1f7J6JOLpHOuQPNLBb6lxGPUA0u7xP9IRULgvod0dKu35A==",
      "dependencies": {
        "@braintree/sanitize-url": "^3.1.0",
        "d3": "^7.0.0",
        "dagre": "^0.8.5",
        "dagre-d3": "^0.6.4",
-        "dompurify": "2.3.4",
+        "dompurify": "2.3.5",
        "graphlib": "^2.1.8",
        "khroma": "^1.4.1",
        "moment-mini": "^2.24.0",
@@ -12547,9 +12547,9 @@
      }
    },
    "dompurify": {
-      "version": "2.3.4",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.4.tgz",
-      "integrity": "sha512-6BVcgOAVFXjI0JTjEvZy901Rghm+7fDQOrNIcxB4+gdhj6Kwp6T9VBhBY/AbagKHJocRkDYGd6wvI+p4/10xtQ=="
+      "version": "2.3.5",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.5.tgz",
+      "integrity": "sha512-kD+f8qEaa42+mjdOpKeztu9Mfx5bv9gVLO6K9jRx4uGvh6Wv06Srn4jr1wPNY2OOUGGSKHNFN+A8MA3v0E0QAQ=="
    },
    "domutils": {
      "version": "2.8.0",
@@ -15033,15 +15033,15 @@
      "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg=="
    },
    "mermaid": {
-      "version": "8.13.10",
-      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-8.13.10.tgz",
-      "integrity": "sha512-2ANep359uML87+wiYaWSu83eg9Qc0xCLnNJdCh100m4v0orS3fp8SScsZLcDSElRGHi+1zuVJsEEVEWH05+COQ==",
+      "version": "8.14.0",
+      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-8.14.0.tgz",
+      "integrity": "sha512-ITSHjwVaby1Li738sxhF48sLTxcNyUAoWfoqyztL1f7J6JOLpHOuQPNLBb6lxGPUA0u7xP9IRULgvod0dKu35A==",
      "requires": {
        "@braintree/sanitize-url": "^3.1.0",
        "d3": "^7.0.0",
        "dagre": "^0.8.5",
        "dagre-d3": "^0.6.4",
-        "dompurify": "2.3.4",
+        "dompurify": "2.3.5",
        "graphlib": "^2.1.8",
        "khroma": "^1.4.1",
        "moment-mini": "^2.24.0",
--- a/package.json
+++ b/package.json
@@ -23,7 +23,7 @@
    "less": "4.1.2",
    "less-loader": "10.2.0",
    "license-checker-webpack-plugin": "0.2.1",
-    "mermaid": "8.13.10",
+    "mermaid": "8.14.0",
    "mini-css-extract-plugin": "2.5.2",
    "monaco-editor": "0.31.1",
    "monaco-editor-webpack-plugin": "7.0.1",
--- a/routers/api/v1/repo/migrate.go
+++ b/routers/api/v1/repo/migrate.go
@@ -203,7 +203,7 @@ func Migrate(ctx *context.APIContext) {
 		}
 	}()

-	if _, err = migrations.MigrateRepository(graceful.GetManager().HammerContext(), ctx.User, repoOwner.Name, opts, nil); err != nil {
+	if repo, err = migrations.MigrateRepository(graceful.GetManager().HammerContext(), ctx.User, repoOwner.Name, opts, nil); err != nil {
 		handleMigrateError(ctx, repoOwner, remoteAddr, err)
 		return
 	}
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -311,6 +311,7 @@ func TeamMembers(ctx *context.Context) {
 		ctx.ServerError("GetMembers", err)
 		return
 	}
+	ctx.Data["Units"] = unit_model.Units
 	ctx.HTML(http.StatusOK, tplTeamMembers)
 }

@@ -323,6 +324,7 @@ func TeamRepositories(ctx *context.Context) {
 		ctx.ServerError("GetRepositories", err)
 		return
 	}
+	ctx.Data["Units"] = unit_model.Units
 	ctx.HTML(http.StatusOK, tplTeamRepositories)
 }

--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -103,7 +103,7 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 	}

 	isWiki := false
-	var unitType = unit.TypeCode
+	unitType := unit.TypeCode
 	var wikiRepoName string
 	if strings.HasSuffix(reponame, ".wiki") {
 		isWiki = true
@@ -456,7 +456,6 @@ func serviceRPC(h serviceHandler, service string) {
 		if err := h.r.Body.Close(); err != nil {
 			log.Error("serviceRPC: Close: %v", err)
 		}
-
 	}()

 	if !hasAccess(service, h, true) {
@@ -467,7 +466,7 @@ func serviceRPC(h serviceHandler, service string) {
 	h.w.Header().Set("Content-Type", fmt.Sprintf("application/x-git-%s-result", service))

 	var err error
-	var reqBody = h.r.Body
+	reqBody := h.r.Body

 	// Handle GZIP.
 	if h.r.Header.Get("Content-Encoding") == "gzip" {
@@ -502,7 +501,9 @@ func serviceRPC(h serviceHandler, service string) {
 	cmd.Stderr = &stderr

 	if err := cmd.Run(); err != nil {
-		log.Error("Fail to serve RPC(%s) in %s: %v - %s", service, h.dir, err, stderr.String())
+		if err.Error() != "signal: killed" {
+			log.Error("Fail to serve RPC(%s) in %s: %v - %s", service, h.dir, err, stderr.String())
+		}
 		return
 	}
 }
--- a/routers/web/repo/issue_content_history.go
+++ b/routers/web/repo/issue_content_history.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"html"
 	"net/http"
+	"strings"

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
@@ -16,6 +17,7 @@ import (
 	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"

 	"github.com/sergi/go-diff/diffmatchpatch"
@@ -68,9 +70,15 @@ func GetContentHistoryList(ctx *context.Context) {
 			actionText = i18n.Tr(lang, "repo.issues.content_history.edited")
 		}
 		timeSinceText := timeutil.TimeSinceUnix(item.EditedUnix, lang)
+
+		username := item.UserName
+		if setting.UI.DefaultShowFullName && strings.TrimSpace(item.UserFullName) != "" {
+			username = strings.TrimSpace(item.UserFullName)
+		}
+
 		results = append(results, map[string]interface{}{
 			"name": fmt.Sprintf("<img class='ui avatar image' src='%s'><strong>%s</strong> %s %s",
-				html.EscapeString(item.UserAvatarLink), html.EscapeString(item.UserName), actionText, timeSinceText),
+				html.EscapeString(item.UserAvatarLink), html.EscapeString(username), actionText, timeSinceText),
 			"value": item.HistoryID,
 		})
 	}
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -392,6 +392,8 @@ func PrepareMergedViewPullInfo(ctx *context.Context, issue *models.Issue) *git.C

 // PrepareViewPullInfo show meta information for a pull request preview page
 func PrepareViewPullInfo(ctx *context.Context, issue *models.Issue) *git.CompareInfo {
+	ctx.Data["PullRequestWorkInProgressPrefixes"] = setting.Repository.PullRequest.WorkInProgressPrefixes
+
 	repo := ctx.Repo.Repository
 	pull := issue.PullRequest

@@ -575,8 +577,6 @@ func PrepareViewPullInfo(ctx *context.Context, issue *models.Issue) *git.Compare
 		ctx.Data["IsNothingToCompare"] = true
 	}

-	ctx.Data["PullRequestWorkInProgressPrefixes"] = setting.Repository.PullRequest.WorkInProgressPrefixes
-
 	if pull.IsWorkInProgress() {
 		ctx.Data["IsPullWorkInProgress"] = true
 		ctx.Data["WorkInProgressPrefix"] = pull.GetWorkInProgressPrefix()
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@@ -465,6 +465,7 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
 			return
 		}
 		ctx.Data["LFSLockOwner"] = u.DisplayName()
+		ctx.Data["LFSLockOwnerHomeLink"] = u.HomeLink()
 		ctx.Data["LFSLockHint"] = ctx.Tr("repo.editor.this_file_locked")
 	}

--- a/services/auth/signin.go
+++ b/services/auth/signin.go
@@ -24,17 +24,18 @@ import (
 func UserSignIn(username, password string) (*user_model.User, *auth.Source, error) {
 	var user *user_model.User
 	if strings.Contains(username, "@") {
-		user = &user_model.User{Email: strings.ToLower(strings.TrimSpace(username))}
+		emailAddress := user_model.EmailAddress{LowerEmail: strings.ToLower(strings.TrimSpace(username))}
 		// check same email
-		cnt, err := db.Count(user)
+		has, err := db.GetEngine(db.DefaultContext).Where("is_activated=?", true).Get(&emailAddress)
 		if err != nil {
 			return nil, nil, err
 		}
-		if cnt > 1 {
-			return nil, nil, user_model.ErrEmailAlreadyUsed{
+		if !has {
+			return nil, nil, user_model.ErrEmailAddressNotExist{
 				Email: user.Email,
 			}
 		}
+		user = &user_model.User{ID: emailAddress.UID}
 	} else {
 		trimmedUsername := strings.TrimSpace(username)
 		if len(trimmedUsername) == 0 {
@@ -64,7 +65,7 @@ func UserSignIn(username, password string) (*user_model.User, *auth.Source, erro
 			return nil, nil, smtp.ErrUnsupportedLoginType
 		}

-		user, err := authenticator.Authenticate(user, username, password)
+		user, err := authenticator.Authenticate(user, user.LoginName, password)
 		if err != nil {
 			return nil, nil, err
 		}
--- a/services/auth/source/ldap/source_authenticate.go
+++ b/services/auth/source/ldap/source_authenticate.go
@@ -19,10 +19,14 @@ import (
 // Authenticate queries if login/password is valid against the LDAP directory pool,
 // and create a local user if success when enabled.
 func (source *Source) Authenticate(user *user_model.User, userName, password string) (*user_model.User, error) {
-	sr := source.SearchEntry(userName, password, source.authSource.Type == auth.DLDAP)
+	loginName := userName
+	if user != nil {
+		loginName = user.LoginName
+	}
+	sr := source.SearchEntry(loginName, password, source.authSource.Type == auth.DLDAP)
 	if sr == nil {
 		// User not in LDAP, do nothing
-		return nil, user_model.ErrUserNotExist{Name: userName}
+		return nil, user_model.ErrUserNotExist{Name: loginName}
 	}

 	isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
--- a/services/auth/source/ldap/source_sync.go
+++ b/services/auth/source/ldap/source_sync.go
@@ -143,6 +143,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 				log.Trace("SyncExternalUsers[%s]: Updating user %s", source.authSource.Name, usr.Name)

 				usr.FullName = fullName
+				emailChanged := usr.Email != su.Mail
 				usr.Email = su.Mail
 				// Change existing admin flag only if AdminFilter option is set
 				if len(source.AdminFilter) > 0 {
@@ -154,7 +155,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 				}
 				usr.IsActive = true

-				err = user_model.UpdateUserCols(db.DefaultContext, usr, "full_name", "email", "is_admin", "is_restricted", "is_active")
+				err = user_model.UpdateUser(usr, emailChanged, "full_name", "email", "is_admin", "is_restricted", "is_active")
 				if err != nil {
 					log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.authSource.Name, usr.Name, err)
 				}
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -190,9 +190,11 @@ var (
 	codeTagSuffix     = []byte(`</span>`)
 )

-var unfinishedtagRegex = regexp.MustCompile(`<[^>]*$`)
-var trailingSpanRegex = regexp.MustCompile(`<span\s*[[:alpha:]="]*?[>]?$`)
-var entityRegex = regexp.MustCompile(`&[#]*?[0-9[:alpha:]]*$`)
+var (
+	unfinishedtagRegex = regexp.MustCompile(`<[^>]*$`)
+	trailingSpanRegex  = regexp.MustCompile(`<span\s*[[:alpha:]="]*?[>]?$`)
+	entityRegex        = regexp.MustCompile(`&[#]*?[0-9[:alpha:]]*$`)
+)

 // shouldWriteInline represents combinations where we manually write inline changes
 func shouldWriteInline(diff diffmatchpatch.Diff, lineType DiffLineType) bool {
@@ -206,7 +208,6 @@ func shouldWriteInline(diff diffmatchpatch.Diff, lineType DiffLineType) bool {
 }

 func fixupBrokenSpans(diffs []diffmatchpatch.Diff) []diffmatchpatch.Diff {
-
 	// Create a new array to store our fixed up blocks
 	fixedup := make([]diffmatchpatch.Diff, 0, len(diffs))

@@ -658,10 +659,10 @@ func (diffFile *DiffFile) GetTailSection(gitRepo *git.Repository, leftCommitID,
 			LastRightIdx: lastLine.RightIdx,
 			LeftIdx:      leftLineCount,
 			RightIdx:     rightLineCount,
-		}}
+		},
+	}
 	tailSection := &DiffSection{FileName: diffFile.Name, Lines: []*DiffLine{tailDiffLine}}
 	return tailSection
-
 }

 func getCommitFileLineCount(commit *git.Commit, filePath string) int {
@@ -942,8 +943,8 @@ parsingLoop:
 	// TODO: There are numerous issues with this:
 	// - we might want to consider detecting encoding while parsing but...
 	// - we're likely to fail to get the correct encoding here anyway as we won't have enough information
-	var diffLineTypeBuffers = make(map[DiffLineType]*bytes.Buffer, 3)
-	var diffLineTypeDecoders = make(map[DiffLineType]*encoding.Decoder, 3)
+	diffLineTypeBuffers := make(map[DiffLineType]*bytes.Buffer, 3)
+	diffLineTypeDecoders := make(map[DiffLineType]*encoding.Decoder, 3)
 	diffLineTypeBuffers[DiffLinePlain] = new(bytes.Buffer)
 	diffLineTypeBuffers[DiffLineAdd] = new(bytes.Buffer)
 	diffLineTypeBuffers[DiffLineDel] = new(bytes.Buffer)
@@ -1420,6 +1421,7 @@ func GetDiff(gitRepo *git.Repository, opts *DiffOptions, files ...string) (*Diff
 				}()
 			}
 			defer func() {
+				_ = checker.Close()
 				cancel()
 			}()
 		}
@@ -1539,7 +1541,8 @@ func GetWhitespaceFlag(whiteSpaceBehavior string) string {
 		"ignore-all":    "-w",
 		"ignore-change": "-b",
 		"ignore-eol":    "--ignore-space-at-eol",
-		"":              ""}
+		"":              "",
+	}

 	return whitespaceFlags[whiteSpaceBehavior]
 }
--- a/services/mirror/mirror.go
+++ b/services/mirror/mirror.go
@@ -59,11 +59,13 @@ func Update(ctx context.Context, pullLimit, pushLimit int) error {

 	handler := func(idx int, bean interface{}, limit int) error {
 		var item SyncRequest
+		var repo *repo_model.Repository
 		if m, ok := bean.(*repo_model.Mirror); ok {
 			if m.Repo == nil {
 				log.Error("Disconnected mirror found: %d", m.ID)
 				return nil
 			}
+			repo = m.Repo
 			item = SyncRequest{
 				Type:   PullMirrorType,
 				RepoID: m.RepoID,
@@ -73,6 +75,7 @@ func Update(ctx context.Context, pullLimit, pushLimit int) error {
 				log.Error("Disconnected push-mirror found: %d", m.ID)
 				return nil
 			}
+			repo = m.Repo
 			item = SyncRequest{
 				Type:   PushMirrorType,
 				RepoID: m.RepoID,
@@ -89,17 +92,16 @@ func Update(ctx context.Context, pullLimit, pushLimit int) error {
 		default:
 		}

-		// Check if this request is already in the queue
-		has, err := mirrorQueue.Has(&item)
-		if err != nil {
-			return err
-		}
-		if has {
-			return nil
-		}
-
 		// Push to the Queue
 		if err := mirrorQueue.Push(&item); err != nil {
+			if err == queue.ErrAlreadyInQueue {
+				if item.Type == PushMirrorType {
+					log.Trace("PushMirrors for %-v already queued for sync", repo)
+				} else {
+					log.Trace("PullMirrors for %-v already queued for sync", repo)
+				}
+				return nil
+			}
 			return err
 		}

@@ -110,23 +112,29 @@ func Update(ctx context.Context, pullLimit, pushLimit int) error {
 		return nil
 	}

+	pullMirrorsRequested := 0
 	if pullLimit != 0 {
+		requested = 0
 		if err := repo_model.MirrorsIterate(func(idx int, bean interface{}) error {
 			return handler(idx, bean, pullLimit)
 		}); err != nil && err != errLimit {
 			log.Error("MirrorsIterate: %v", err)
 			return err
 		}
+		pullMirrorsRequested, requested = requested, 0
 	}
+	pushMirrorsRequested := 0
 	if pushLimit != 0 {
+		requested = 0
 		if err := repo_model.PushMirrorsIterate(func(idx int, bean interface{}) error {
 			return handler(idx, bean, pushLimit)
 		}); err != nil && err != errLimit {
 			log.Error("PushMirrorsIterate: %v", err)
 			return err
 		}
+		pushMirrorsRequested, requested = requested, 0
 	}
-	log.Trace("Finished: Update")
+	log.Trace("Finished: Update: %d pull mirrors and %d push mirrors queued", pullMirrorsRequested, pushMirrorsRequested)
 	return nil
 }

--- a/services/repository/fork.go
+++ b/services/repository/fork.go
@@ -143,7 +143,17 @@ func ForkRepository(doer, owner *user_model.User, opts ForkRepoOptions) (_ *repo
 		log.Error("Failed to update size for repository: %v", err)
 	}
 	if err := repo_model.CopyLanguageStat(opts.BaseRepo, repo); err != nil {
-		log.Error("Copy language stat from oldRepo failed")
+		log.Error("Copy language stat from oldRepo failed: %v", err)
+	}
+
+	gitRepo, err := git.OpenRepositoryCtx(git.DefaultContext, repo.RepoPath())
+	if err != nil {
+		log.Error("Open created git repository failed: %v", err)
+	} else {
+		defer gitRepo.Close()
+		if err := repo_module.SyncReleasesWithTags(repo, gitRepo); err != nil {
+			log.Error("Sync releases from git tags failed: %v", err)
+		}
 	}

 	notification.NotifyForkRepository(doer, opts.BaseRepo, repo)
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -27,7 +27,7 @@
 					<div class="inline required field {{if .Err_SecurityProtocol}}error{{end}}">
 						<label>{{.i18n.Tr "admin.auths.security_protocol"}}</label>
 						<div class="ui selection security-protocol dropdown">
-							<input type="hidden" id="security_protocol" name="security_protocol" value="{{$cfg.SecurityProtocol}}">
+							<input type="hidden" id="security_protocol" name="security_protocol" value="{{$cfg.SecurityProtocol.Int}}">
 							<div class="text">{{$cfg.SecurityProtocolName}}</div>
 							{{svg "octicon-triangle-down" 14 "dropdown icon"}}
 							<div class="menu">
--- a/templates/admin/dashboard.tmpl
+++ b/templates/admin/dashboard.tmpl
@@ -5,7 +5,7 @@
 		{{template "base/alert" .}}
 		{{if .NeedUpdate}}
 			<div class="ui negative message flash-error">
-				<p>"Gitea {{.RemoteVersion | Str2html}} is now available, you are running {{.AppVer | Str2html}}. Check the <a href="https://blog.gitea.io">blog</a> for more details.</p>
+				<p>{{.i18n.Tr "admin.dashboard.new_version_hint" (.RemoteVersion | Str2html) (AppVer | Str2html)}}</p>
 			</div>
 		{{end}}
 		<h4 class="ui top attached header">
--- a/templates/mail/issue/assigned.tmpl
+++ b/templates/mail/issue/assigned.tmpl
@@ -9,7 +9,7 @@
 </head>

 {{$repo_url := printf "<a href='%s'>%s</a>" (Escape .Issue.Repo.HTMLURL) (Escape .Issue.Repo.FullName)}}
-{{$link := printf "<a href='%s'>#%d</a>" (Escape .Link) (Escape .Issue.Index)}}
+{{$link := printf "<a href='%s'>#%d</a>" (Escape .Link) .Issue.Index}}
 <body>
 	<p>
 		{{if .IsPull}}
--- a/templates/org/home.tmpl
+++ b/templates/org/home.tmpl
@@ -29,6 +29,15 @@
 			</div>

 			<div class="ui five wide column">
+				{{if .CanCreateOrgRepo}}
+					<div class="center aligned">
+						<a class="ui green button" href="{{AppSubUrl}}/repo/create?org={{.Org.ID}}">{{.i18n.Tr "new_repo"}}</a>
+						{{if not .DisableNewPullMirrors}}
+							<a class="ui green button" href="{{AppSubUrl}}/repo/migrate?org={{.Org.ID}}&mirror=1">{{.i18n.Tr "new_migrate"}}</a>
+						{{end}}
+					</div>
+					<div class="ui divider"></div>
+				{{end}}
 				<h4 class="ui top attached header df">
 					<strong class="f1">{{.i18n.Tr "org.people"}}</strong>
 					{{if .IsOrganizationMember}}
--- a/templates/org/team/sidebar.tmpl
+++ b/templates/org/team/sidebar.tmpl
@@ -25,31 +25,55 @@
 				<span class="text grey italic">{{.i18n.Tr "org.teams.no_desc"}}</span>
 			{{end}}
 		</div>
-
-		<div class="item">
-			{{if eq .Team.LowerName "owners"}}
+		{{if eq .Team.LowerName "owners"}}
+			<div class="item">
 				{{.i18n.Tr "org.teams.owners_permission_desc" | Str2html}}
-			{{else if (eq .Team.AccessMode 1)}}
-				{{if .Team.IncludesAllRepositories}}
-					{{.i18n.Tr "org.teams.all_repositories_read_permission_desc" | Str2html}}
+			</div>
+		{{else}}
+			<div class="item">
+				<h3>{{.i18n.Tr "org.team_access_desc"}}</h3>
+				<ul>
+					{{if .Team.IncludesAllRepositories}}
+						<li>{{.i18n.Tr "org.teams.all_repositories" | Str2html}}
+					{{else}}
+						<li>{{.i18n.Tr "org.teams.specific_repositories" | Str2html}}
+					{{end}}
+					{{if .Team.CanCreateOrgRepo}}
+						<li>{{.i18n.Tr "org.teams.can_create_org_repo"}}
+					{{end}}
+				</ul>
+				{{if (eq .Team.AccessMode 2)}}
+					<h3>{{.i18n.Tr "org.settings.permission"}}</h3>
+					{{.i18n.Tr "org.teams.write_permission_desc"}}
+				{{else if (eq .Team.AccessMode 3)}}
+					<h3>{{.i18n.Tr "org.settings.permission"}}</h3>
+					{{.i18n.Tr "org.teams.admin_permission_desc"}}
 				{{else}}
-					{{.i18n.Tr "org.teams.read_permission_desc" | Str2html}}
+					<table class="ui table">
+						<thead>
+							<tr>
+								<th>{{.i18n.Tr "units.unit"}}</th>
+								<th>{{.i18n.Tr "org.team_permission_desc"}}</th>
+							</tr>
+						</thead>
+						<tbody>
+							{{range $t, $unit := $.Units}}
+								{{if and (lt $unit.MaxPerm 2) (not $unit.Type.UnitGlobalDisabled)}}
+									<tr>
+										<td><strong>{{$.i18n.Tr $unit.NameKey}}</strong></td>
+										<td>{{if eq ($.Team.UnitAccessMode $unit.Type) 0 -}}
+										{{$.i18n.Tr "org.teams.none_access"}}
+										{{- else if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1) -}}
+										{{$.i18n.Tr "org.teams.read_access"}}
+										{{- else if eq ($.Team.UnitAccessMode $unit.Type) 2 -}}
+										{{$.i18n.Tr "org.teams.write_access"}}
+										{{- end}}</td>
+									</tr>
+								{{end}}
+							{{end}}
+						</tbody>
+					</table>
 				{{end}}
-			{{else if (eq .Team.AccessMode 2)}}
-				{{if .Team.IncludesAllRepositories}}
-					{{.i18n.Tr "org.teams.all_repositories_write_permission_desc" | Str2html}}
-				{{else}}
-					{{.i18n.Tr "org.teams.write_permission_desc" | Str2html}}
-				{{end}}
-			{{else if (eq .Team.AccessMode 3)}}
-				{{if .Team.IncludesAllRepositories}}
-					{{.i18n.Tr "org.teams.all_repositories_admin_permission_desc" | Str2html}}
-				{{else}}
-					{{.i18n.Tr "org.teams.admin_permission_desc" | Str2html}}
-				{{end}}
-			{{end}}
-			{{if .Team.CanCreateOrgRepo}}
-				<br><br>{{.i18n.Tr "org.teams.create_repo_permission_desc" | Str2html}}
 			{{end}}
 		</div>
 	</div>
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -121,9 +121,9 @@
 										{{end}}
 										{{if and $.IsWriter (not $.IsMirror) (not $.Repository.IsArchived) (not .IsProtected)}}
 											{{if .IsDeleted}}
-												<a class="ui basic jump button icon tooltip undo-button" href data-url="{{$.Link}}/restore?branch_id={{.DeletedBranch.ID}}&name={{PathEscapeSegments .DeletedBranch.Name}}" data-content="{{$.i18n.Tr "repo.branch.restore" (.Name)}}" data-position="top right"><span class="text blue">{{svg "octicon-reply"}}</span></a>
+												<a class="ui basic jump button icon tooltip undo-button" href data-url="{{$.Link}}/restore?branch_id={{.DeletedBranch.ID}}&name={{.DeletedBranch.Name}}" data-content="{{$.i18n.Tr "repo.branch.restore" (.Name)}}" data-position="top right"><span class="text blue">{{svg "octicon-reply"}}</span></a>
 											{{else}}
-												<a class="ui basic jump button icon tooltip delete-button delete-branch-button" href data-url="{{$.Link}}/delete?name={{PathEscapeSegments .Name}}" data-content="{{$.i18n.Tr "repo.branch.delete" (.Name)}}" data-position="top right" data-name="{{.Name}}">
+												<a class="ui basic jump button icon tooltip delete-button delete-branch-button" href data-url="{{$.Link}}/delete?name={{.Name}}" data-content="{{$.i18n.Tr "repo.branch.delete" (.Name)}}" data-position="top right" data-name="{{.Name}}">
 													{{svg "octicon-trash"}}
 												</a>
 											{{end}}
--- a/templates/repo/commit_page.tmpl
+++ b/templates/repo/commit_page.tmpl
@@ -93,12 +93,12 @@
 								<span class="ui text mr-3">{{.i18n.Tr "repo.commits.signed_by_untrusted_user_unmatched"}}:</span>
 							{{end}}
 							{{avatar .Verification.SigningUser 28}}
-							<a href="{{.Verification.SigningUser.HomeLink}}"><strong>{{.Verification.SigningUser.Name}}</strong></a>
+							<a href="{{.Verification.SigningUser.HomeLink}}"><strong>{{.Verification.SigningUser.GetDisplayName}}</strong></a>
 						{{else}}
 							<span title="{{.i18n.Tr "gpg.default_key"}}">{{svg "gitea-lock-cog"}}</span>
 							<span class="ui text">{{.i18n.Tr "repo.commits.signed_by"}}:</span>
 							{{avatarByEmail .Verification.SigningEmail "" 28}}
-							<strong>{{.Verification.SigningUser.Name}}</strong>
+							<strong>{{.Verification.SigningUser.GetDisplayName}}</strong>
 						{{end}}
 					{{else}}
 						{{svg "gitea-unlock" 16 "mr-3"}}
--- a/templates/repo/commit_statuses.tmpl
+++ b/templates/repo/commit_statuses.tmpl
@@ -2,11 +2,11 @@
 <div class="ui popup very wide fixed basic commit-statuses">
 	<div class="ui relaxed list divided">
 		{{range .Statuses}}
-			<div class="ui item singular-status">
+			<div class="ui item singular-status df">
 				<span>{{template "repo/commit_status" .}}</span>
-				<span class="ui">{{.Context}} <span class="text grey">{{.Description}}</span></span>
+				<span class="ui f1">{{.Context}} <span class="text grey">{{.Description}}</span></span>
 				{{if .TargetURL}}
-					<div class="ui right"><a href="{{.TargetURL}}" target="_blank" rel="noopener noreferrer">{{$.root.i18n.Tr "repo.pulls.status_checks_details"}}</a></div>
+					<div class="ui"><a href="{{.TargetURL}}" target="_blank" rel="noopener noreferrer">{{$.root.i18n.Tr "repo.pulls.status_checks_details"}}</a></div>
 				{{end}}
 			</div>
 		{{end}}
--- a/templates/repo/commits_list_small.tmpl
+++ b/templates/repo/commits_list_small.tmpl
@@ -6,7 +6,7 @@
 	<div class="singular-commit" id="{{$tag}}">
 		<span class="badge badge-commit">{{svg "octicon-git-commit"}}</span>
 		{{if .User}}
-			<a href="{.User.HomeLink}}">
+			<a href="{{.User.HomeLink}}">
 				{{avatar .User}}
 			</a>
 		{{else}}
--- a/templates/repo/release/list.tmpl
+++ b/templates/repo/release/list.tmpl
@@ -40,7 +40,7 @@
 										<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}ZIP</a>
 										<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}TAR.GZ</a>
 										{{if (and $.CanCreateRelease $release.IsTag)}}
-											<a class="mr-3" href="{{$.RepoLink}}/releases/new?tag={{.TagName | PathEscapeSegments}}">{{svg "octicon-tag" 16 "mr-2"}}{{$.i18n.Tr "repo.release.new_release"}}</a>
+											<a class="mr-3" href="{{$.RepoLink}}/releases/new?tag={{.TagName}}">{{svg "octicon-tag" 16 "mr-2"}}{{$.i18n.Tr "repo.release.new_release"}}</a>
 										{{end}}
 										{{if (and ($.Permission.CanWrite $.UnitTypeCode) $release.IsTag)}}
 											<a class="ui red delete-button mr-3" data-url="{{$.RepoLink}}/tags/delete" data-id="{{.ID}}">
--- a/templates/repo/view_file.tmpl
+++ b/templates/repo/view_file.tmpl
@@ -24,7 +24,7 @@
 					{{if .LFSLock}}
 						<div class="file-info-entry ui tooltip" data-content="{{.LFSLockHint}}">
 							{{svg "octicon-lock" 16 "mr-2"}}
-							<a href="{{.LFSLock.Owner.HomeLink}}">{{.LFSLockOwner}}</a>
+							<a href="{{.LFSLockOwnerHomeLink}}">{{.LFSLockOwner}}</a>
 						</div>
 					{{end}}
 				</div>
--- a/templates/user/dashboard/feeds.tmpl
+++ b/templates/user/dashboard/feeds.tmpl
@@ -73,7 +73,7 @@
 							{{$.i18n.Tr "action.comment_pull" ((printf "%s/pulls/%s" .GetRepoLink $index) |Escape) $index (.ShortRepoPath|Escape) | Str2html}}
 						{{else if eq .GetOpType 24}}
 							{{ $linkText := .Content | RenderEmoji }}
-							{{$.i18n.Tr "action.publish_release" (.GetRepoLink|Escape) ((printf "%s/release/tag/%s" .GetRepoLink .GetTag)|Escape) (.ShortRepoPath|Escape) $linkText | Str2html}}
+							{{$.i18n.Tr "action.publish_release" (.GetRepoLink|Escape) ((printf "%s/releases/tag/%s" .GetRepoLink .GetTag)|Escape) (.ShortRepoPath|Escape) $linkText | Str2html}}
 						{{else if eq .GetOpType 25}}
 							{{ $index := index .GetIssueInfos 0}}
 							{{ $reviewer := index .GetIssueInfos 1}}
--- a/web_src/js/features/repo-code.js
+++ b/web_src/js/features/repo-code.js
@@ -15,11 +15,14 @@ function selectRange($list, $select, $from) {
  const $issue = $('a.ref-in-new-issue');
  const $copyPermalink = $('a.copy-line-permalink');

-  if ($issue.length === 0 || $copyPermalink.length === 0) {
+  if ($copyPermalink.length === 0) {
    return;
  }

-  const updateIssueHref = function(anchor) {
+  const updateIssueHref = function (anchor) {
+    if ($issue.length === 0) {
+      return;
+    }
    let href = $issue.attr('href');
    href = `${href.replace(/%23L\d+$|%23L\d+-L\d+$/, '')}%23${anchor}`;
    $issue.attr('href', href);
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -24,6 +24,19 @@ export function initUserAuthWebAuthn() {
        .then((credential) => {
          verifyAssertion(credential);
        }).catch((err) => {
+          // Try again... without the appid
+          if (makeAssertionOptions.publicKey.extensions && makeAssertionOptions.publicKey.extensions.appid) {
+            delete makeAssertionOptions.publicKey.extensions['appid'];
+            navigator.credentials.get({
+              publicKey: makeAssertionOptions.publicKey
+            })
+              .then((credential) => {
+                verifyAssertion(credential);
+              }).catch((err) => {
+                webAuthnError('general', err.message);
+              });
+            return;
+          }
          webAuthnError('general', err.message);
        });
    }).fail(() => {
--- a/web_src/js/markup/mermaid.js
+++ b/web_src/js/markup/mermaid.js
@@ -1,5 +1,11 @@
+import {isDarkTheme} from '../utils.js';
 const {mermaidMaxSourceCharacters} = window.config;

+const iframeCss = `
+  body {margin: 0; padding: 0}
+  #mermaid {display: block; margin: 0 auto}
+`;
+
 function displayError(el, err) {
  el.closest('pre').classList.remove('is-loading');
  const errorNode = document.createElement('div');
@@ -15,26 +21,22 @@ export async function renderMermaid() {
  const {default: mermaid} = await import(/* webpackChunkName: "mermaid" */'mermaid');

  mermaid.initialize({
-    mermaid: {
-      startOnLoad: false,
-    },
-    flowchart: {
-      useMaxWidth: true,
-      htmlLabels: false,
-    },
-    theme: 'neutral',
+    startOnLoad: false,
+    theme: isDarkTheme() ? 'dark' : 'neutral',
    securityLevel: 'strict',
  });

  for (const el of els) {
-    if (mermaidMaxSourceCharacters >= 0 && el.textContent.length > mermaidMaxSourceCharacters) {
-      displayError(el, new Error(`Mermaid source of ${el.textContent.length} characters exceeds the maximum allowed length of ${mermaidMaxSourceCharacters}.`));
+    const source = el.textContent;
+
+    if (mermaidMaxSourceCharacters >= 0 && source.length > mermaidMaxSourceCharacters) {
+      displayError(el, new Error(`Mermaid source of ${source.length} characters exceeds the maximum allowed length of ${mermaidMaxSourceCharacters}.`));
      continue;
    }

    let valid;
    try {
-      valid = mermaid.parse(el.textContent);
+      valid = mermaid.parse(source);
    } catch (err) {
      displayError(el, err);
    }
@@ -45,10 +47,17 @@ export async function renderMermaid() {
    }

    try {
-      mermaid.init(undefined, el, (id) => {
-        const svg = document.getElementById(id);
-        svg.classList.add('mermaid-chart');
-        svg.closest('pre').replaceWith(svg);
+      // can't use bindFunctions here because we can't cross the iframe boundary. This
+      // means js-based interactions won't work but they aren't intended to work either
+      mermaid.mermaidAPI.render('mermaid', source, (svgStr) => {
+        const heightStr = (svgStr.match(/height="(.+?)"/) || [])[1];
+        if (!heightStr) return displayError(el, new Error('Could not determine chart height'));
+        const iframe = document.createElement('iframe');
+        iframe.classList.add('markup-render');
+        iframe.sandbox = 'allow-scripts';
+        iframe.style.height = `${Math.ceil(parseFloat(heightStr))}px`;
+        iframe.srcdoc = `<html><head><style>${iframeCss}</style></head><body>${svgStr}</body></html>`;
+        el.closest('pre').replaceWith(iframe);
      });
    } catch (err) {
      displayError(el, err);
--- a/web_src/less/_base.less
+++ b/web_src/less/_base.less
@@ -6,6 +6,7 @@
  /* other variables */
  --border-radius: .28571429rem;
  --opacity-disabled: .55;
+  --height-loading: 12rem;
  --color-primary: #4183c4;
  --color-primary-dark-1: #3876b3;
  --color-primary-dark-2: #31699f;
--- a/web_src/less/animations.less
+++ b/web_src/less/animations.less
@@ -30,7 +30,7 @@

 .markup pre.is-loading,
 .editor-loading.is-loading {
-  height: 12rem;
+  height: var(--height-loading);
 }

@keyframes fadein {
--- a/web_src/less/chroma/dark.less
+++ b/web_src/less/chroma/dark.less
@@ -54,7 +54,7 @@
 .chroma .c1 { color: #6a737d; } /* CommentSingle */
 .chroma .cs { color: #637d; } /* CommentSpecial */
 .chroma .cp { color: #fc6; } /* CommentPreproc */
-.chroma .cpf { color: #fc6; } /* CommentPreprocFile */
+.chroma .cpf { color: #03dfff; } /* CommentPreprocFile */
 .chroma .gd { color: #fff; background-color: #5f3737; } /* GenericDeleted */
 .chroma .ge { color: #ef5; } /* GenericEmph */
 .chroma .gr { color: #f33; } /* GenericError */
--- a/web_src/less/chroma/light.less
+++ b/web_src/less/chroma/light.less
@@ -53,8 +53,8 @@
 .chroma .cm { color: #999988; } /* CommentMultiline */
 .chroma .c1 { color: #6a737d; } /* CommentSingle */
 .chroma .cs { color: #999999; } /* CommentSpecial */
-.chroma .cp { color: #999999; } /* CommentPreproc */
-.chroma .cpf { color: #999999; } /* CommentPreprocFile */
+.chroma .cp { color: #109295; } /* CommentPreproc */
+.chroma .cpf { color: #4c4dbc; } /* CommentPreprocFile */
 .chroma .gd { color: #000000; background-color: #ffdddd; } /* GenericDeleted */
 .chroma .ge { color: #000000; } /* GenericEmph */
 .chroma .gr { color: #aa0000; } /* GenericError */
--- a/web_src/less/index.less
+++ b/web_src/less/index.less
@@ -10,7 +10,6 @@
@import "./features/codeeditor.less";
@import "./features/projects.less";
@import "./markup/content.less";
-@import "./markup/mermaid.less";
@import "./markup/codecopy.less";
@import "./code/linebutton.less";

--- a/web_src/less/markup/content.less
+++ b/web_src/less/markup/content.less
@@ -536,13 +536,21 @@
  }
 }

+.markup-render {
+  display: block;
+  border: none;
+  width: 100%;
+  height: var(--height-loading); // actual height is set in JS after loading
+  overflow: hidden;
+}
+
 .markup-block-error {
  margin-bottom: 0 !important;
  border-bottom-left-radius: 0 !important;
  border-bottom-right-radius: 0 !important;
  box-shadow: none !important;
  font-size: 85% !important;
-  white-space: pre !important;
+  white-space: pre-wrap !important;
  padding: .5rem 1rem !important;
  text-align: left !important;
 }
--- a/web_src/less/markup/mermaid.less
+++ b/web_src/less/markup/mermaid.less
@@ -1,13 +0,0 @@
-.mermaid-chart {
-  display: flex;
-  justify-content: center;
-  align-items: center;
-  padding: 1rem;
-  margin: 1rem auto;
-  height: auto;
-}
-
-/* mermaid's errorRenderer seems to unavoidably spew stuff into <body>, hide it */
-body > div[id*="mermaid-"] {
-  display: none !important;
-}
--- a/web_src/less/themes/theme-arc-green.less
+++ b/web_src/less/themes/theme-arc-green.less
@@ -455,10 +455,6 @@ img[src$="/img/matrix.svg"] {
  filter: invert(80%);
 }

-.mermaid-chart {
-  filter: invert(84%) hue-rotate(180deg);
-}
-
 .is-loading::after {
  border-color: #4a4c58 #4a4c58 #d7d7da #d7d7da;
 }
Author	SHA1	Message	Date
Lunny Xiao	8ebf0e68ec	Add changelog for v1.16.2 (#18840 ) Add changelog for v1.16.2 Co-authored-by: 6543 <6543@obermui.de>	2022-02-24 20:03:08 +01:00
Lunny Xiao	3685cc7660	Fix ldap user sync missed email in email_address table (#18786 ) (#18876 ) * Fix ldap user sync missed email in email_address table (#18786)	2022-02-24 19:07:52 +01:00
zeripath	9d9ccdbe43	Don't report signal: killed errors in serviceRPC (#18850 ) (#18865 ) Backport #18850 Fix #18849 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2022-02-24 16:59:50 +08:00
zeripath	81b29d6263	Update assignees check to include any writing team and change org sidebar (#18680 ) (#18873 ) Backport #18680 Following the merging of #17811 teams can now have differing write and readonly permissions, however the assignee list will not include teams which have mixed perms. Further the org sidebar is no longer helpful as it can't describe these mixed permissions situations. Fix #18572 Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-24 09:22:46 +08:00
Lunny Xiao	6591f87b28	Fix login with email for ldap users (#18800 ) (#18836 ) `authenticator.Authenticate` has assume the login name is not an email, but `username` maybe an email. So when we find the user via email address, we should use `user.LoginName` instead of `username` which is an email address. Co-authored-by: techknowlogick <techknowlogick@gitea.io>	2022-02-22 18:04:57 -05:00
Lunny Xiao	efc78c18c1	Fix ldap edit bug (#18859 )	2022-02-22 17:31:29 -05:00
Lunny Xiao	f5a3c0dd6c	Fix ldap loginname (#18789 ) (#18804 ) * Use email_address table to check user's email when login with email adress * Update services/auth/signin.go * Fix test * Fix test * Fix logging in with ldap username != loginname * Fix if user does not exist yet * Make more clear this is loginName * Fix formatting Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Johan Van de Wauw <johan@gisky.be> Co-authored-by: zeripath <art27@cantab.net>	2022-02-22 14:33:06 +01:00
zeripath	382101ecc7	In disk_channel queues synchronously push to disk on shutdown (#18415 ) (#18788 ) Partial Backport of #18415 Instead of using an asynchronous goroutine to push to disk on shutdown just close the datachan and immediately push to the disk. Prevents messages of incompletely flushed queues. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2022-02-22 20:08:35 +08:00
Lunny Xiao	86c3481eff	Fix bug for get user by email (#18834 ) Backport #18833 Fix #18830	2022-02-21 18:34:22 +00:00
zeripath	039eb66c8c	Update go-org to 1.6.0 (#18824 ) (#18839 ) Backport #18824 Fix #14074 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2022-02-21 22:21:43 +08:00
Wim	36148ed083	Show fullname on issue edits and gpg/ssh signing info (#18828 ) Co-authored-by: zeripath <art27@cantab.net>	2022-02-20 21:47:17 +00:00
Lunny Xiao	db4c7dcf15	Put buttons back in org dashboard (#18817 ) (#18825 ) Backport #18817 Fix #18523	2022-02-20 19:51:01 +00:00
zeripath	bec566282e	Immediately Hammer if second kill is sent (#18823 ) (#18826 ) Backport #18823 Currently Gitea will wait for HammerTime or nice shutdown if kill -1 or kill -2 is sent. We should just immediately hammer if there is a second kill. Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-20 01:37:52 +08:00
zeripath	fa9be55018	Fix panic in EscapeReader (#18820 ) (#18821 ) Backport #18820 There is a potential panic due to a mistaken resetting of the length parameter when multibyte characters go over a read boundary. Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-19 23:34:32 +08:00
singuliere	458239b46d	remove redundant call to UpdateRepoStats during migration (#18591 ) (#18794 ) There is no need to call UpdateRepoStats in the InsertIssues and InsertPullRequests function. They are only called during migration by the CreateIssues and CreateReviews methods of the gitea uploader. The UpdateRepoStats function will be called by the Finish method of the gitea uploader after all reviews and issues are inserted. Calling it before is therefore redundant and the associated SQL requests are not cheap. The statistics tests done after inserting an issue or a pull request are also removed. They predate the implementation of UpdateRepoStats, back when the calculation of the statistics was an integral part of the migration function. The UpdateRepoStats is now tested independantly and these tests are no longer necessary. Signed-off-by: singuliere <singuliere@autistici.org> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2022-02-17 17:57:05 +00:00
silverwind	ae85ee1c6f	Allow mermaid render error to wrap (#18791 )	2022-02-17 15:42:29 +08:00
zeripath	08d5a836ef	Attempt to fix the webauthn migration again - part 3 (#18770 ) (#18771 ) Backport #18770 v208.go is seriously broken as it misses an ID() check. We need to no-op and remigrate all of the u2f keys. See #18756 Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-16 21:15:49 +00:00
Lunny Xiao	ad789542b8	Fix template bug of LFS lock (#18784 ) (#18787 ) Backport #18784 Fix #18782	2022-02-16 17:16:04 +00:00
silverwind	1f7802db97	Various Mermaid improvements (#18776 ) (#18780 ) * Various Mermaid improvments - Render into iframe for improved security - Use built-in dark theme instead of color inversion - Remove flexbox attributes, resulting in more consistent size rendering - Update API usage and update to latest version * restart ci * misc tweaks * remove unneccesary declaration * make it work without allow-same-origin, add loading=lazy * remove loading attribute, does not seem to work * rename variable * skip roundtrip to DOM for rendering * don't guess chart height * update comment to make it clear it's intentional * tweak * replace deprecated 'scrolling' property * remove unused css file Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2022-02-16 17:26:53 +08:00
zeripath	c876124efe	Ensure git tag tests and others create test repos in tmpdir (#18447 ) (#18767 ) Backport #18447 * Ensure git tag tests and other create test repos in tmpdir There are a few places where tests appear to reuse testing repos which causes random CI failures. This PR simply changes these tests to ensure that cloning always happens into new temporary directories. Fix #18444 * Change log root for integration tests to use the REPO_TEST_DIR There is a potential race in the drone integration tests whereby test-mysql etc will start writing to log files causing make test-check fail. Fix #18077 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>	2022-02-15 19:16:38 +08:00
zeripath	3a78ac4b32	Increase the size of the webauthn_credential credential_id field (#18739 ) (#18756 ) * Increase the size of the webauthn_credential credential_id field (#18739) Backport #18739 Unfortunately credentialIDs in u2f are 255 bytes long which with base32 encoding becomes 408 bytes. The default size of a xorm string field is only a VARCHAR(255) This problem is not apparent on SQLite because strings get mapped to TEXT there. Fix #18727 Signed-off-by: Andrew Thornton <art27@cantab.net> * Ignore the migrate if u2f_registration is not exist (#18760) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2022-02-14 21:08:49 +00:00
zeripath	7ebc3da7cb	Prevent dangling GetAttribute calls (#18754 ) (#18755 ) * Prevent dangling GetAttribute calls It appears possible that there could be a hang due to unread data from the repo-attribute command pipes. This PR simply closes these during the defer. Signed-off-by: Andrew Thornton <art27@cantab.net> * move close into the defer Signed-off-by: Andrew Thornton <art27@cantab.net> * lets try again Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-14 15:27:55 -05:00
zeripath	2e36ba0a00	Send mail to issue/pr assignee/reviewer also when OnMention is set (#18707 ) (#18765 ) Backport #18707 Addresses #17892, where emails notifications are not sent to assignees (issue and PR) and reviewers (PR) when they have the email setting Only email on mention enabled. From the user experience perspective, when a user gets a issue/PR assigned or a PR review request, he/she would expect to be implicitly mentioned since the assignment or request is personal and targeting a single person only. Thus I see #17892 as a bug. Could we therefore mark this ticket as such? The changed code just explicitly checks for the EmailNotificationsOnMention setting beside the existing EmailNotificationsEnabled check. Too rude? @lunny mentioned a mock mail server for tests, is there something ready. How could I make use of it? See #12774 (comment) Fix #17892 Co-authored-by: flozzone <flozzone@gmail.com>	2022-02-14 21:13:41 +08:00
wxiaoguang	69a158dcc2	Fix a broken link in `commits_list_small.tmpl` (#18764 )	2022-02-14 12:03:51 +00:00
Lunny Xiao	913d6f3ff3	Fix isempty detection of git repository (#18746 ) (#18750 ) * Fix isempty detection of git repository * Fix IsEmpty check	2022-02-14 00:33:35 +08:00
zeripath	044cb09ae8	Prevent double encoding of branch names in delete branch (#18714 ) (#18738 ) Backport #18714 * Prevent double encoding of branch names in delete branch There is a double encoding issue in branch template whereby the branch name ends up double encoded. Fix #18709 Signed-off-by: Andrew Thornton <art27@cantab.net> * and tag name Signed-off-by: Andrew Thornton <art27@cantab.net> * And fix #18704 Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-12 15:17:45 +00:00
Lunny Xiao	9da8e478dd	Fix forked repositories missed tags (#18719 ) (#18735 ) * Fix forked repositories missed tags * Add missed close * Use ctx Co-authored-by: 6543 <6543@obermui.de>	2022-02-12 13:48:38 +00:00
zeripath	c8f3672a88	Always set PullRequestWorkInProgressPrefixes in PrepareViewPullInfo (#18713 ) (#18737 ) Backport #18713 Move setting PullRequestWorkInProgressPrefixes to the start of PrepareViewPullInfo. Fix #18706 Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-12 12:55:34 +00:00
Jimmy Praet	edf85b820d	Fix source code line highlighting (#18729 ) (#18740 ) Backport #18729 When the issues repo unit is disabled, or an external issue tracker is used, there is no "a.ref-in-new-issue". Fixes #18721 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2022-02-12 12:24:49 +00:00
silverwind	c04a4afac1	Reduce CI go module downloads, add make targets (#18708 , #18475 , #18443 ) (#18741 ) Backport #18708 Backport #18475 Backport #18443 The CI currently downloads all go modules in each pipeline step because go modules reside outside the project directory. Fix this by introducing a volume for the `/go` directory [1] so modules are only downloaded once per pipeline using a new `deps-backend` make target. For completeness, I also included new `deps` and `deps-frontend` targets and the frontend one is also triggered explicitly on CI where needed. [1] https://docs.drone.io/pipeline/kubernetes/examples/language/golang/#dependencies * Also backports #18475 and #18443 so that is was able to merge cleanly. Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io>	2022-02-12 10:43:08 +00:00
zeripath	65ad6362d7	Separate the details links of commit-statuses in headers (#18661 ) (#18730 ) Backport #18661	2022-02-12 11:40:55 +08:00
Lunny Xiao	f9a0ae1dd4	Fix release typo (#18728 ) (#18731 )	2022-02-11 20:15:34 -05:00
wxiaoguang	fb26b01688	Update object repo with the migrated repository (#18684 ) (#18726 ) When migrating a repository (from GitHub) using the API (POST `repos/migrate`), the Code Indexer is not updated. Searching in the user interface will not return any results. When migrating the same repository using +/New Migration in the web interface, the search index is updated and searching works as expected. Caused by the fact that object `repo` is never updated with the migrated repo so `setting.Indexer.RepoIndexerEnabled && !repo.IsEmpty` in `modules/notification/indexer/indexer.go:NotifyMigrateRepository` always evaluates to `false`. Tested with gitea:1.16.1, MariaDB:10, Breve in `Run Mode: Dev`. Co-authored-by: Hugo Hoitink <10838836+hoitih@users.noreply.github.com>	2022-02-11 17:23:41 +01:00
Lunny Xiao	63628fdf1c	Fix bug for version update hint (#18701 ) (#18705 ) * Fix bug for version update hint (#18701) * Add translation for zh-CN Co-authored-by: silverwind <me@silverwind.io>	2022-02-10 18:35:24 +00:00
zeripath	2e317d3f6e	Prevent security failure due to bad APP_ID (#18678 ) (#18682 ) Backport #18678 WebAuthn may cause a security exception if the provided APP_ID is not allowed for the current origin. Therefore we should reattempt authentication without the appid extension. Also we should allow [u2f] as-well as [U2F] sections. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2022-02-10 16:17:44 +01:00
zeripath	ce69882180	Fix issue with docker-rootless shimming script (#18690 ) (#18699 ) Backport #18690 There is a problem with the current shimming script in that it will double quote the provided GITEA_APP_INI due to a mistake in the bash. Here we change this to use a bash array. Fix https://gitea.com/gitea/helm-chart/issues/287 Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-10 19:37:53 +08:00
silverwind	649abeda40	C preprocessor colors improvement (#18671 ) (#18696 ) * C preprocessor colors improvement Fixes #18670 * Update web_src/less/chroma/light.less Co-authored-by: KN4CK3R <admin@oldschoolhack.me> * typo missing semi * add color for #include filenames Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Bruno Raoult <braoult@users.noreply.github.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2022-02-10 10:12:03 +08:00
Gusted	4cfd62cddf	Let return correct perm (#18675 ) (#18689 ) Backport of #18675	2022-02-09 20:19:48 +00:00
zeripath	38fc6c75f3	Restart zero worker if there is still work to do (#18658 ) (#18672 ) * Restart zero worker if there is still work to do (#18658) Backport #18658 It is possible for the zero worker to timeout before all the work is finished. This may mean that work may take a long time to complete because a worker will only be induced on repushing. Also ensure that requested count is reset after pulls and push mirror sync requests and add some more trace logging to the queue push. Fix #18607 Signed-off-by: Andrew Thornton <art27@cantab.net> * Update modules/queue/workerpool.go	2022-02-08 23:28:21 +02:00
wxiaoguang	8671602ba9	Backport: fix the missing i18n key for update checker (#18646 ) (#18665 )	2022-02-08 11:03:47 +02:00
wxiaoguang	3d08e3a08c	No longer show the db-downgrade SQL in production (#18654 )	2022-02-07 15:07:11 +01:00
zeripath	d4a075d738	If rendering has failed due to a net.OpError stop rendering (#18642 ) (#18645 ) Backport #18642 When a net.OpError occurs during rendering the underlying connection is essentially dead and therefore attempting to render further data will only cause further errors. Therefore in serverErrorInternal detect if the passed in error is an OpError and if so do not attempt any further rendering. Fix #18629 Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-02-07 09:25:05 +08:00