Add changelog for 1.21.4 (#28812)

Backport #28816 by @JakobDev

This is a little bugfix. Inline code is usually rendered in issue
titles, but it is missing in the activity tab.

Before:
![Screenshot 2024-01-16 at 14-20-51
Test](https://github.com/go-gitea/gitea/assets/15185051/383370f3-0fb2-49de-81cc-014e5cf86727)
After:

![grafik](https://github.com/go-gitea/gitea/assets/15185051/83eaf973-ce9a-44ce-beea-2db49fc8bd73)

Co-authored-by: JakobDev <jakobdev@gmx.de>

.changelog.yml

@@ -13,46 +13,42 @@ groups:
   -
     name: BREAKING
     labels:
-      - kind/breaking
+      - pr/breaking
   -
     name: SECURITY
     labels:
-      - kind/security
+      - topic/security
   -
     name: FEATURES
     labels:
-      - kind/feature
+      - type/feature
   -
     name: API
     labels:
-      - kind/api
+      - modifies/api
   -
     name: ENHANCEMENTS
     labels:
-      - kind/enhancement
-      - kind/refactor
-      - kind/ui
+      - type/enhancement
+      - type/refactoring
+      - topic/ui
   -
     name: BUGFIXES
     labels:
-      - kind/bug
+      - type/bug
   -
     name: TESTING
     labels:
-      - kind/testing
-  -
-    name: TRANSLATION
-    labels:
-      - kind/translation
+      - type/testing
   -
     name: BUILD
     labels:
-      - kind/build
-      - kind/lint
+      - topic/build
+      - topic/code-linting
   -
     name: DOCS
     labels:
-      - kind/docs
+      - type/docs
   -
     name: MISC
     default: true

.github/labeler.yml

@@ -1,35 +1,36 @@
-kind/docs:
+modifies/docs:
   - "**/*.md"
   - "docs/**"
 
-kind/ui:
+modifies/frontend:
   - "web_src/**/*"
+
+modifies/templates:
   - all: ["templates/**", "!templates/swagger/v1_json.tmpl"]
 
-kind/api:
-  - "templates/swagger/v1_json.tmpl"
+modifies/api:
   - "routers/api/**"
+  - "templates/swagger/v1_json.tmpl"
 
-kind/build:
+modifies/cli:
+  - "cmd/**"
+
+modifies/translation:
+  - "options/locale/*.ini"
+
+modifies/migrations:
+  - "models/migrations/**/*"
+
+modifies/internal:
   - "Makefile"
   - "Dockerfile"
   - "Dockerfile.rootless"
   - "docker/**"
   - "webpack.config.js"
-
-theme/package-registry:
-  - "modules/packages/**"
-  - "services/packages/**"
-  - "routers/api/packages/**"
-  - "routers/web/shared/packages/**"
-
-kind/cli:
-  - "cmd/**"
-
-kind/lint:
   - ".eslintrc.yaml"
   - ".golangci.yml"
   - ".markdownlint.yaml"
   - ".spectral.yaml"
   - ".stylelintrc.yaml"
   - ".yamllint.yaml"
+  - ".github/**"

.github/workflows/release-tag-rc.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Get cleaned branch name
         id: clean_name
         run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
+          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
           echo "Cleaned name is ${REF_NAME}"
           echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
       - name: configure aws
@@ -56,6 +56,10 @@ jobs:
       - name: upload binaries to s3
         run: |
           aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
+      - name: Install GH CLI
+        uses: dev-hanz-ops/install-gh-cli-action@v0.1.0
+        with:
+          gh-cli-version: 2.39.1
       - name: create github release
         run: |
           gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/*
@@ -74,6 +78,8 @@ jobs:
         id: meta
         with:
           images: gitea/gitea
+          flavor: |
+            latest=false
           # 1.2.3-rc0
           tags: |
             type=semver,pattern={{version}}
@@ -105,6 +111,7 @@ jobs:
           images: gitea/gitea
           # each tag below will have the suffix of -rootless
           flavor: |
+            latest=false
             suffix=-rootless
           # 1.2.3-rc0
           tags: |

.github/workflows/release-tag-version.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Get cleaned branch name
         id: clean_name
         run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
+          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
           echo "Cleaned name is ${REF_NAME}"
           echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
       - name: configure aws
@@ -58,9 +58,13 @@ jobs:
       - name: upload binaries to s3
         run: |
           aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
+      - name: Install GH CLI
+        uses: dev-hanz-ops/install-gh-cli-action@v0.1.0
+        with:
+          gh-cli-version: 2.39.1
       - name: create github release
         run: |
-          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/*
+          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/*
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
   docker-rootful:
@@ -82,7 +86,6 @@ jobs:
           # 1.2
           # 1.2.3
           tags: |
-            type=raw,value=latest
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{version}}
@@ -114,14 +117,13 @@ jobs:
           images: gitea/gitea
           # each tag below will have the suffix of -rootless
           flavor: |
-            suffix=-rootless
+            suffix=-rootless,onlatest=true
           # this will generate tags in the following format (with -rootless suffix added):
           # latest
           # 1
           # 1.2
           # 1.2.3
           tags: |
-            type=raw,value=latest
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{version}}

CHANGELOG.md

@@ -4,6 +4,602 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.com).
 
+## [1.21.4](https://github.com/go-gitea/gitea/releases/tag/1.21.4) - 2024-01-16
+
+* SECURITY
+  * Update github.com/cloudflare/circl (#28789) (#28790)
+  * Require token for GET subscription endpoint (#28765) (#28768)
+* BUGFIXES
+  * Use refname:strip-2 instead of refname:short when syncing tags (#28797) (#28811)
+  * Fix links in issue card (#28806) (#28807)
+  * Fix nil pointer panic when exec some gitea cli command (#28791) (#28795)
+  * Require token for GET subscription endpoint (#28765) (#28778)
+  * Fix button size in "attached header right" (#28770) (#28774)
+  * Fix `convert.ToTeams` on empty input (#28426) (#28767)
+  * Hide code related setting options in repository when code unit is disabled (#28631) (#28749)
+  * Fix incorrect URL for "Reference in New Issue" (#28716) (#28723)
+  * Fix panic when parsing empty pgsql host (#28708) (#28709)
+  * Upgrade xorm to new version which supported update join for all supported databases (#28590) (#28668)
+  * Fix alpine package files are not rebuilt (#28638) (#28665)
+  * Avoid cycle-redirecting user/login page (#28636) (#28658)
+  * Fix empty ref for cron workflow runs (#28640) (#28647)
+  * Remove unnecessary syncbranchToDB with tests (#28624) (#28629)
+  * Use known issue IID to generate new PR index number when migrating from GitLab (#28616) (#28618)
+  * Fix flex container width (#28603) (#28605)
+  * Fix the scroll behavior for emoji/mention list (#28597) (#28601)
+  * Fix wrong due date rendering in issue list page (#28588) (#28591)
+  * Fix `status_check_contexts` matching bug (#28582) (#28589)
+  * Fix 500 error of searching commits (#28576) (#28579)
+  * Use information from previous blame parts (#28572) (#28577)
+  * Update mermaid for 1.21 (#28571)
+  * Fix 405 method not allowed CORS / OIDC (#28583) (#28586) (#28587) (#28611)
+  * Fix `GetCommitStatuses` (#28787) (#28804)
+  * Forbid removing the last admin user (#28337) (#28793)
+  * Fix schedule tasks bugs (#28691) (#28780)
+  * Fix issue dependencies (#27736) (#28776)
+  * Fix system webhooks API bug (#28531) (#28666)
+  * Fix when private user following user, private user will not be counted in his own view (#28037) (#28792)
+  * Render code block in activity tab (#28816) (#28818)
+* ENHANCEMENTS
+  * Rework markup link rendering (#26745) (#28803)
+  * Modernize merge button (#28140) (#28786)
+  * Speed up loading the dashboard on mysql/mariadb (#28546) (#28784)
+  * Assign pull request to project during creation (#28227) (#28775)
+  * Show description as tooltip instead of title for labels (#28754) (#28766)
+  * Make template `DateTime` show proper tooltip (#28677) (#28683)
+  * Switch destination directory for apt signing keys (#28639) (#28642)
+  * Include heap pprof in diagnosis report to help debugging memory leaks (#28596) (#28599)
+* DOCS
+  * Suggest to use Type=simple for systemd service (#28717) (#28722)
+  * Extend description for ARTIFACT_RETENTION_DAYS (#28626) (#28630)
+* MISC
+  * Add -F to commit search to treat keywords as strings (#28744) (#28748)
+  * Add download attribute to release attachments (#28739) (#28740)
+  * Concatenate error in `checkIfPRContentChanged` (#28731) (#28737)
+  * Improve 1.21 document for Database Preparation (#28643) (#28644)
+
+## [1.21.3](https://github.com/go-gitea/gitea/releases/tag/1.21.3) - 2023-12-21
+
+* SECURITY
+  * Update golang.org/x/crypto (#28519)
+* API
+  * chore(api): support ignore password if login source type is LDAP for creating user API (#28491) (#28525)
+  * Add endpoint for not implemented Docker auth (#28457) (#28462)
+* ENHANCEMENTS
+  * Add option to disable ambiguous unicode characters detection (#28454) (#28499)
+  * Refactor SSH clone URL generation code (#28421) (#28480)
+  * Polyfill SubmitEvent for PaleMoon (#28441) (#28478)
+* BUGFIXES
+  * Fix the issue ref rendering for wiki (#28556) (#28559)
+  * Fix duplicate ID when deleting repo (#28520) (#28528)
+  * Only check online runner when detecting matching runners in workflows (#28286) (#28512)
+  * Initalize stroage for orphaned repository doctor (#28487) (#28490)
+  * Fix possible nil pointer access (#28428) (#28440)
+  * Don't show unnecessary citation JS error on UI (#28433) (#28437)
+* DOCS
+  * Update actions document about comparsion as Github Actions (#28560) (#28564)
+  * Fix documents for "custom/public/assets/" (#28465) (#28467)
+* MISC
+  * Fix inperformant query on retrifing review from database. (#28552) (#28562)
+  * Improve the prompt for "ssh-keygen sign" (#28509) (#28510)
+  * Update docs for DISABLE_QUERY_AUTH_TOKEN (#28485) (#28488)
+  * Fix Chinese translation of config cheat sheet[API] (#28472) (#28473)
+  * Retry SSH key verification with additional CRLF if it failed (#28392) (#28464)
+
+## [1.21.2](https://github.com/go-gitea/gitea/releases/tag/1.21.2) - 2023-12-12
+
+* SECURITY
+  * Rebuild with recently released golang version
+  * Fix missing check (#28406) (#28411)
+  * Do some missing checks (#28423) (#28432)
+* BUGFIXES
+  * Fix margin in server signed signature verification view (#28379) (#28381)
+  * Fix object does not exist error when checking citation file (#28314) (#28369)
+  * Use `filepath` instead of `path` to create SQLite3 database file (#28374) (#28378)
+  * Fix the runs will not be displayed bug when the main branch have no workflows but other branches have (#28359) (#28365)
+  * Handle repository.size column being NULL in migration v263 (#28336) (#28363)
+  * Convert git commit summary to valid UTF8. (#28356) (#28358)
+  * Fix migration panic due to an empty review comment diff (#28334) (#28362)
+  * Add `HEAD` support for rpm repo files (#28309) (#28360)
+  * Fix RPM/Debian signature key creation (#28352) (#28353)
+  * Keep profile tab when clicking on Language (#28320) (#28331)
+  * Fix missing issue search index update when changing status (#28325) (#28330)
+  * Fix wrong link in `protect_branch_name_pattern_desc` (#28313) (#28315)
+  * Read `previous` info from git blame (#28306) (#28310)
+  * Ignore "non-existing" errors when getDirectorySize calculates the size (#28276) (#28285)
+  * Use appSubUrl for OAuth2 callback URL tip (#28266) (#28275)
+  * Meilisearch: require all query terms to be matched (#28293) (#28296)
+  * Fix required error for token name (#28267) (#28284)
+  * Fix issue will be detected as pull request when checking `First-time contributor` (#28237) (#28271)
+  * Use full width for project boards (#28225) (#28245)
+  * Increase "version" when update the setting value to a same value as before (#28243) (#28244)
+  * Also sync DB branches on push if necessary (#28361) (#28403)
+  * Make gogit Repository.GetBranchNames consistent (#28348) (#28386)
+  * Recover from panic in cron task (#28409) (#28425)
+  * Deprecate query string auth tokens (#28390) (#28430)
+* ENHANCEMENTS
+  * Improve doctor cli behavior (#28422) (#28424)
+  * Fix margin in server signed signature verification view (#28379) (#28381)
+  * Refactor template empty checks (#28351) (#28354)
+  * Read `previous` info from git blame (#28306) (#28310)
+  * Use full width for project boards (#28225) (#28245)
+  * Enable system users search via the API (#28013) (#28018)
+
+## [1.21.1](https://github.com/go-gitea/gitea/releases/tag/1.21.1) - 2023-11-26
+
+* SECURITY
+  * Fix comment permissions (#28213) (#28216)
+* BUGFIXES
+  * Fix delete-orphaned-repos (#28200) (#28202)
+  * Make CORS work for oauth2 handlers (#28184) (#28185)
+  * Fix missing buttons (#28179) (#28181)
+  * Fix no ActionTaskOutput table waring (#28149) (#28152)
+  * Fix empty action run title (#28113) (#28148)
+  * Use "is-loading" to avoid duplicate form submit for code comment (#28143) (#28147)
+  * Fix Matrix and MSTeams nil dereference (#28089) (#28105)
+  * Fix incorrect pgsql conn builder behavior (#28085) (#28098)
+  * Fix system config cache expiration timing (#28072) (#28090)
+  * Restricted users only see repos in orgs which their team was assigned to (#28025) (#28051)
+* API
+  * Fix permissions for Token DELETE endpoint to match GET and POST (#27610) (#28099)
+* ENHANCEMENTS
+  * Do not display search box when there's no packages yet (#28146) (#28159)
+  * Add missing `packages.cleanup.success` (#28129) (#28132)
+* DOCS
+  * Docs: Replace deprecated IS_TLS_ENABLED mailer setting in email setup (#28205) (#28208)
+  * Fix the description about the default setting for action in quick start document (#28160) (#28168)
+  * Add guide page to actions when there's no workflows (#28145) (#28153)
+* MISC
+  * Use full width for PR comparison (#28182) (#28186)
+
+## [1.21.0](https://github.com/go-gitea/gitea/releases/tag/v1.21.0) - 2023-11-14
+
+* BREAKING
+  * Restrict certificate type for builtin SSH server (#26789)
+  * Refactor to use urfave/cli/v2 (#25959)
+  * Move public asset files to the proper directory (#25907)
+  * Remove commit status running and warning to align GitHub (#25839) (partially reverted: Restore warning commit status (#27504) (#27529))
+  * Remove "CHARSET" config option for MySQL, always use "utf8mb4" (#25413)
+  * Set SSH_AUTHORIZED_KEYS_BACKUP to false (#25412)
+* FEATURES
+  * User details page (#26713)
+  * Chore(actions): support cron schedule task (#26655)
+  * Support rebuilding issue indexer manually (#26546)
+  * Allow to archive labels (#26478)
+  * Add disable workflow feature (#26413)
+  * Support `.git-blame-ignore-revs` file (#26395)
+  * Pre-register OAuth2 applications for git credential helpers (#26291)
+  * Add `Retry` button when creating a mirror-repo fails (#26228)
+  * Artifacts retention and auto clean up (#26131)
+  * Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" (#25974)
+  * Implement auto-cancellation of concurrent jobs if the event is push (#25716)
+  * Newly pushed branches hints on repository home page (#25715)
+  * Display branch commit status (#25608)
+  * Add direct serving of package content (#25543)
+  * Add commits dropdown in PR files view and allow commit by commit review (#25528)
+  * Allow package cleanup from admin page (#25307)
+  * Batch delete issue and improve tippy opts (#25253)
+  * Show branches and tags that contain a commit (#25180)
+  * Add actor and status dropdowns to run list (#25118)
+  * Allow Organisations to have a E-Mail (#25082)
+  * Add codeowners feature (#24910)
+  * Actions Artifacts support uploading multiple files and directories (#24874)
+  * Support configuration variables on Gitea Actions (#24724)
+  * Support downloading raw task logs (#24451)
+* API
+  * Unify two factor check (#27915) (#27929)
+  * Fix package webhook (#27839) (#27855)
+  * Fix/upload artifact error windows (#27802) (#27840)
+  * Fix bad method call when deleting user secrets via API (#27829) (#27831)
+  * Do not force creation of _cargo-index repo on publish (#27266) (#27765)
+  * Delete repos of org when purge delete user (#27273) (#27728)
+  * Fix org team endpoint (#27721) (#27727)
+  * Api: GetPullRequestCommits: return file list (#27483) (#27539)
+  * Don't let API add 2 exclusive labels from same scope (#27433) (#27460)
+  * Redefine the meaning of column is_active to make Actions Registration Token generation easier (#27143) (#27304)
+  * Fix PushEvent NullPointerException jenkinsci/github-plugin (#27203) (#27251)
+  * Fix organization field being null in POST /orgs/{orgid}/teams (#27150) (#27163)
+  * Allow empty Conan files (#27092)
+  * Fix token endpoints ignore specified account (#27080)
+  * Reduce usage of `db.DefaultContext` (#27073) (#27083) (#27089) (#27103) (#27262) (#27265) (#27347) (#26076)
+  * Make SSPI auth mockable (#27036)
+  * Extract auth middleware from service (#27028)
+  * Add `RemoteAddress` to mirrors (#26952)
+  * Feat(API): add routes and functions for managing user's secrets (#26909)
+  * Feat(API): add secret deletion functionality for repository (#26808)
+  * Feat(API): add route and implementation for creating/updating repository secret (#26766)
+  * Add Upload URL to release API (#26663)
+  * Feat(API): update and delete secret for managing organization secrets (#26660)
+  * Feat: implement organization secret creation API (#26566)
+  * Add API route to list org secrets (#26485)
+  * Set commit id when ref used explicitly (#26447)
+  * PATCH branch-protection updates check list even when checks are disabled (#26351)
+  * Add file status for API "Get a single commit from a repository" (#16205) (#25831)
+  * Add API for changing Avatars (#25369)
+* BUGFIXES
+  * Fix viewing wiki commit on empty repo (#28040) (#28044)
+  * Enable system users for comment.LoadPoster (#28014) (#28032)
+  * Fixed duplicate attachments on dump on windows (#28019) (#28031)
+  * Fix wrong xorm Delete usage(backport for 1.21) (#28002)
+  * Add word-break to repo description in home page (#27924) (#27957)
+  * Fix rendering assignee changed comments without assignee (#27927) (#27952)
+  * Add word break to release title (#27942) (#27947)
+  * Fix JS NPE when viewing specific range of PR commits (#27912) (#27923)
+  * Show correct commit sha when viewing single commit diff (#27916) (#27921)
+  * Fix 500 when deleting a dismissed review (#27903) (#27910)
+  * Fix DownloadFunc when migrating releases (#27887) (#27890)
+  * Fix http protocol auth (#27875) (#27876)
+  * Refactor postgres connection string building (#27723) (#27869)
+  * Close all hashed buffers (#27787) (#27790)
+  * Fix label render containing invalid HTML (#27752) (#27762)
+  * Fix duplicate project board when hitting `enter` key (#27746) (#27751)
+  * Fix `link-action` redirect network error (#27734) (#27749)
+  * Fix sticky diff header background (#27697) (#27712)
+  * Always delete existing scheduled action tasks (#27662) (#27688)
+  * Support allowed hosts for webhook to work with proxy (#27655) (#27675)
+  * Fix poster is not loaded in get default merge message (#27657) (#27666)
+  * Improve dropdown button alignment and fix hover bug (#27632) (#27637)
+  * Improve retrying index issues (#27554) (#27634)
+  * Fix 404 when deleting Docker package with an internal version (#27615) (#27630)
+  * Backport manually for a tmpl issue in v1.21 (#27612)
+  * Don't show Link to TOTP if not set up (#27585) (#27588)
+  * Fix data-race bug when accessing task.LastRun (#27584) (#27586)
+  * Fix attachment download bug (#27486) (#27571)
+  * Respect SSH.KeygenPath option when calculating ssh key fingerprints (#27536) (#27551)
+  * Improve dropdown's behavior when there is a search input in menu (#27526) (#27534)
+  * Fix panic in storageHandler (#27446) (#27479)
+  * When comparing with an non-exist repository, return 404 but 500 (#27437) (#27442)
+  * Fix pr template (#27436) (#27440)
+  * Fix git 2.11 error when checking IsEmpty (#27393) (#27397)
+  * Allow get release download files and lfs files with oauth2 token format (#26430) (#27379)
+  * Fix missing ctx for GetRepoLink in dashboard (#27372) (#27375)
+  * Absolute positioned checkboxes  overlay floated elements (#26870) (#27366)
+  * Introduce fixes and more rigorous tests for 'Show on a map' feature (#26803) (#27365)
+  * Fix repo count in org action settings (#27245) (#27353)
+  * Add logs for data broken of comment review (#27326) (#27345)
+  * Fix the approval count of PR when there is no protection branch rule (#27272) (#27343)
+  * Fix Bug in Issue Config when only contact links are set (#26521) (#27334)
+  * Improve issue history dialog and make poster can delete their own history (#27323) (#27327)
+  * Fix orphan check for deleted branch (#27310) (#27321)
+  * Fix protected branch icon location (#26576) (#27317)
+  * Fix yaml test (#27297) (#27303)
+  * Fix some animation bugs (#27287) (#27294)
+  * Fix incorrect change from #27231 (#27275) (#27282)
+  * Add missing public user visibility in user details page (#27246) (#27250)
+  * Fix EOL handling in web editor (#27141) (#27234)
+  * Fix issues on action runners page (#27226) (#27233)
+  * Quote table `release` in sql queries (#27205) (#27218)
+  * Fix release URL in webhooks (#27182) (#27185)
+  * Fix review request number and add more tests (#27104) (#27168)
+  * Fix the variable regexp pattern on web page (#27161) (#27164)
+  * Fix: treat tab "overview" as "repositories" in user profiles without readme (#27124)
+  * Fix NPE when editing OAuth2 applications (#27078)
+  * Fix the incorrect route path in the user edit page. (#27007)
+  * Fix the secret regexp pattern on web page (#26910)
+  * Allow users with write permissions for issues to add attachments with API (#26837)
+  * Make "link-action" backend code respond correct JSON content (#26680)
+  * Use line-height: normal by default (#26635)
+  * Fix NPM packages name validation (#26595)
+  * Rewrite the DiffFileTreeItem and fix misalignment (#26565)
+  * Return empty when searching issues with no repos (#26545)
+  * Explain SearchOptions and fix ToSearchOptions (#26542)
+  * Add missing triggers to update issue indexer (#26539)
+  * Handle base64 decoding correctly to avoid panic (#26483)
+  * Avoiding accessing undefined mentionValues (#26461)
+  * Fix incorrect redirection in new issue using references (#26440)
+  * Fix the bug when getting files changed for `pull_request_target` event (#26320)
+  * Remove IsWarning in  tmpl (#26120)
+  * Fix loading `LFS_JWT_SECRET` from wrong section (#26109)
+  * Fixing redirection issue for logged-in users (#26105)
+  * Improve "gitea doctor" sub-command and fix "help" commands (#26072)
+  * Fix the truncate and alignment problem for some admin tables (#26042)
+  * Update minimum password length requirements (#25946)
+  * Do not "guess" the file encoding/BOM when using API to upload files (#25828)
+  * Restructure issue list template, styles (#25750)
+  * Fix `ref` for workflows triggered by `pull_request_target` (#25743)
+  * Fix issues indexer document mapping (#25619)
+  * Use JSON response for "user/logout" (#25522)
+  * Fix migrate page layout on mobile (#25507)
+  * Link to existing PR when trying to open a new PR on the same branches (#25494)
+  * Do not publish docker release images on `-dev` tags (#25471)
+  * Support `pull_request_target` event (#25229)
+  * Modify the content format of the Feishu webhook (#25106)
+* ENHANCEMENTS
+  * Render email addresses as such if followed by punctuation (#27987) (#27992)
+  * Show error toast when file size exceeds the limits (#27985) (#27986)
+  * Fix citation error when the file size is larger than 1024 bytes (#27958) (#27965)
+  * Remove action runners on user deletion (#27902) (#27908)
+  * Remove set tabindex on view issue (#27892) (#27896)
+  * Reduce margin/padding on flex-list items and divider (#27872) (#27874)
+  * Change katex limits (#27823) (#27868)
+  * Clean up template locale usage (#27856) (#27857)
+  * Add dedicated class for empty placeholders (#27788) (#27792)
+  * Add gap between diff boxes (#27776) (#27781)
+  * Fix incorrect "tab" parameter for repo search sub-template (#27755) (#27764)
+  * Enable followCursor for language stats bar (#27713) (#27739)
+  * Improve diff tree spacing (#27714) (#27719)
+  * Feed UI Improvements (#27356) (#27717)
+  * Improve feed icons and feed merge text color (#27498) (#27716)
+  * [FIX] resolve confusing colors in languages stats by insert a gap (#27704) (#27715)
+  * Add doctor dbconsistency fix to delete repos with no owner (#27290) (#27693)
+  * Fix required checkboxes in issue forms (#27592) (#27692)
+  * Hide archived labels by default from the suggestions when assigning labels for an issue (#27451) (#27661)
+  * Cleanup repo details icons/labels (#27644) (#27654)
+  * Keep filter when showing unfiltered results on explore page (#27192) (#27589)
+  * Show manual cron run's last time (#27544) (#27577)
+  * Revert "Fix pr template (#27436)" (#27567)
+  * Increase queue length (#27555) (#27562)
+  * Avoid run change title process when the title is same (#27467) (#27558)
+  * Remove max-width and add hide text overflow (#27359) (#27550)
+  * Add hover background to wiki list page (#27507) (#27521)
+  * Fix mermaid flowchart margin issue (#27503) (#27516)
+  * Refactor system setting (#27000) (#27452)
+  * Fix  missing `ctx`  in new_form.tmpl  (#27434) (#27438)
+  * Add Index to `action.user_id` (#27403) (#27425)
+  * Don't use subselect in `DeleteIssuesByRepoID` (#27332) (#27408)
+  * Add support for HEAD ref in /src/branch and /src/commit routes (#27384) (#27407)
+  * Make Actions tasks/jobs timeouts configurable by the user (#27400) (#27402)
+  * Hide archived labels when filtering by labels on the issue list (#27115) (#27381)
+  * Highlight user details link (#26998) (#27376)
+  * Add protected branch name description (#27257) (#27351)
+  * Improve tree not found page (#26570) (#27346)
+  * Add Index to `comment.dependent_issue_id` (#27325) (#27340)
+  * Improve branch list UI (#27319) (#27324)
+  * Fix divider in subscription page (#27298) (#27301)
+  * Add missed return to actions view fetch (#27289) (#27293)
+  * Backport ctx locale refactoring manually (#27231) (#27259) (#27260)
+  * Disable `Test Delivery` and `Replay` webhook buttons when webhook is inactive (#27211) (#27253)
+  * Use mask-based fade-out effect for `.new-menu` (#27181) (#27243)
+  * Cleanup locale function usage (#27227) (#27240)
+  * Fix z-index on markdown completion (#27237) (#27239)
+  * Fix Fomantic UI dropdown icon bug when there is a search input in menu (#27225) (#27228)
+  * Allow copying issue comment link on archived repos and when not logged in (#27193) (#27210)
+  * Fix: text decorator on issue sidebar menu label (#27206) (#27209)
+  * Fix dropdown icon position (#27175) (#27177)
+  * Add index to `issue_user.issue_id` (#27154) (#27158)
+  * Increase auth provider icon size on login page (#27122)
+  * Remove a `gt-float-right` and some unnecessary helpers (#27110)
+  * Change green buttons to primary color (#27099)
+  * Use db.WithTx for AddTeamMember to avoid ctx abuse (#27095)
+  * Use `print` instead of `printf` (#27093)
+  * Remove the useless function `GetUserIssueStats` and move relevant tests to `indexer_test.go` (#27067)
+  * Search branches (#27055)
+  * Display all user types and org types on admin management UI (#27050)
+  * Ui correction in mobile view nav bar left aligned items. (#27046)
+  * Chroma color tweaks (#26978)
+  * Move some functions to service layer (#26969)
+  * Improve "language stats" UI (#26968)
+  * Replace `util.SliceXxx`  with `slices.Xxx` (#26958)
+  * Refactor dashboard/feed.tmpl (#26956)
+  * Move repository deletion to service layer (#26948)
+  * Fix the missing repo count (#26942)
+  * Improve hint when uploading a too large avatar (#26935)
+  * Extract common code to new template (#26933)
+  * Move createrepository from module to service layer (#26927)
+  * Move notification interface to services layer (#26915)
+  * Move feed notification service layer (#26908)
+  * Move ui notification to service layer (#26907)
+  * Move indexer notification to service layer (#26906)
+  * Move mail notification logic to service layer (#26905)
+  * Extract common code to new template (#26903)
+  * Show queue's active worker number (#26896)
+  * Fix media description render for orgmode (#26895)
+  * Remove CSS `has` selector and improve various styles (#26891)
+  * Relocate the `RSS user feed` button (#26882)
+  * Refactor "shortsha" (#26877)
+  * Refactor `og:description` to limit the max length (#26876)
+  * Move web/api context related testing function into a separate package (#26859)
+  * Redable error on S3 storage connection failure (#26856)
+  * Improve opengraph previews (#26851)
+  * Add more descriptive error on forgot password page (#26848)
+  * Show always repo count in header (#26842)
+  * Remove "TODO" tasks from CSS file (#26835)
+  * Render code blocks in repo description (#26830)
+  * Minor dashboard tweaks, fix flex-list margins (#26829)
+  * Remove polluted `.ui.right` (#26825)
+  * Display archived labels specially when listing labels (#26820)
+  * Remove polluted ".ui.left" style (#26809)
+  * Make it posible to customize nav text color via css var (#26807)
+  * Refactor lfs requests (#26783)
+  * Improve flex list item padding (#26779)
+  * Remove fomantic `text` module (#26777)
+  * Remove fomantic `item` module (#26775)
+  * Remove redundant nil check in `WalkGitLog` (#26773)
+  * Reduce some allocations in type conversion (#26772)
+  * Refactor some CSS styles and simplify code (#26771)
+  * Unify `border-radius` behavior (#26770)
+  * Improve modal dialog UI (#26764)
+  * Allow "latest" to be used in release vTag when downloading file (#26748)
+  * Adding hint `Archived` to archive label. (#26741)
+  * Move `modules/mirror` to `services` (#26737)
+  * Add "dir=auto" for input/textarea elements by default (#26735)
+  * Add auth-required to config.json for Cargo http registry (#26729)
+  * Simplify helper CSS classes and avoid abuse (#26728)
+  * Make web context initialize correctly for different cases (#26726)
+  * Focus editor on "Write" tab click (#26714)
+  * Remove incorrect CSS helper classes (#26712)
+  * Fix review bar misalignment (#26711)
+  * Add reverseproxy auth for API back with default disabled (#26703)
+  * Add default label in branch select list (#26697)
+  * Improve Image Diff UI (#26696)
+  * Fixed text overflow in dropdown menu (#26694)
+  * [Refactor] getIssueStatsChunk to move inner function into own one (#26671)
+  * Remove fomantic loader module (#26670)
+  * Add `member`, `collaborator`, `contributor`, and `first-time contributor` roles and tooltips (#26658)
+  * Improve some flex layouts (#26649)
+  * Improve the branch selector tab UI (#26631)
+  * Improve show role (#26621)
+  * Remove avatarHTML from template helpers (#26598)
+  * Allow text selection in actions step header (#26588)
+  * Improve translation of milestone filters (#26569)
+  * Add optimistic lock to ActionRun table (#26563)
+  * Update team invitation email link (#26550)
+  * Differentiate better between user settings and admin settings (#26538)
+  * Check disabled workflow when rerun jobs (#26535)
+  * Improve deadline icon location in milestone list page (#26532)
+  * Improve repo sub menu (#26531)
+  * Fix the display of org level badges (#26504)
+  * Rename `Sync2` -> `Sync` (#26479)
+  * Fix stderr usages (#26477)
+  * Remove fomantic transition module (#26469)
+  * Refactor tests (#26464)
+  * Refactor project templates (#26448)
+  * Fall back to esbuild for css minify (#26445)
+  * Always show usernames in reaction tooltips (#26444)
+  * Use correct pull request commit link instead of a generic commit link (#26434)
+  * Refactor "editorconfig" (#26391)
+  * Make `user-content-* ` consistent with github (#26388)
+  * Remove unnecessary template helper repoAvatar (#26387)
+  * Remove unnecessary template helper DisableGravatar (#26386)
+  * Use template context function for avatar rendering (#26385)
+  * Rename code_langauge.go to code_language.go (#26377)
+  * Use more `IssueList` instead of `[]*Issue` (#26369)
+  * Do not highlight `#number` in documents (#26365)
+  * Fix display problems of members and teams unit (#26363)
+  * Fix 404 error when remove self from an organization (#26362)
+  * Improve CLI and messages (#26341)
+  * Refactor backend SVG package and add tests (#26335)
+  * Add link to job details and tooltip to commit status in repo list in dashboard (#26326)
+  * Use yellow if an approved review is stale (#26312)
+  * Remove commit load branches and tags in wiki repo (#26304)
+  * Add highlight to selected repos in milestone dashboard (#26300)
+  * Delete `issue_service.CreateComment` (#26298)
+  * Do not show Profile README when repository is private (#26295)
+  * Tweak actions menu (#26278)
+  * Start using template context function (#26254)
+  * Use calendar icon for `Joined on...` in profiles (#26215)
+  * Add 'Show on a map' button to Location in profile, fix layout (#26214)
+  * Render plaintext task list items for markdown files (#26186)
+  * Add tooltip to describe LFS table column and color `delete LFS file` button red (#26181)
+  * Release attachments duplicated check (#26176)
+  * De-emphasize issue sidebar buttons (#26171)
+  * Fixing the align of commit stats in commit_page template. (#26161)
+  * Allow editing push mirrors after creation (#26151)
+  * Move web JSON functions to web context and simplify code (#26132)
+  * Refactor improve NoBetterThan (#26126)
+  * Improve clickable area in repo action view page (#26115)
+  * Add context parameter to some database functions (#26055)
+  * Docusaurus-ify (#26051)
+  * Improve text for empty issue/pr description (#26047)
+  * Categorize admin settings sidebar panel (#26030)
+  * Remove redundant "RouteMethods" method (#26024)
+  * Refactor and enhance issue indexer to support both searching, filtering and paging (#26012)
+  * Add a link to OpenID Issuer URL in WebFinger response (#26000)
+  * Fix UI for release tag page / wiki page / subscription page (#25948)
+  * Support copy protected branch from template repository (#25889)
+  * Improve display of Labels/Projects/Assignees sort options (#25886)
+  * Fix margin on the new/edit project page. (#25885)
+  * Show image size on view page (#25884)
+  * Remove ref name in PR commits page (#25876)
+  * Allow the use of alternative net.Listener implementations by downstreams (#25855)
+  * Refactor "Content" for file uploading (#25851)
+  * Add error info if no user can fork the repo (#25820)
+  * Show edit title button on commits tab of PR, too (#25791)
+  * Introduce `flex-list` & `flex-item` elements for Gitea UI (#25790)
+  * Don't stack PR tab menu on small screens (#25789)
+  * Repository Archived text title center align (#25767)
+  * Make route middleware/handler mockable (#25766)
+  * Move issue filters to shared template (#25729)
+  * Use frontend fetch for branch dropdown component (#25719)
+  * Add open/closed field support for issue index (#25708)
+  * Some less naked returns (#25682)
+  * Fix inconsistent user profile layout across tabs (#25625)
+  * Get latest commit statuses from database instead of git data on dashboard for repositories (#25605)
+  * Adding  branch-name copy  to clipboard branches screen. (#25596)
+  * Update emoji set to Unicode 15 (#25595)
+  * Move some files under repo/setting (#25585)
+  * Add custom ansi colors and CSS variables for them (#25546)
+  * Add log line anchor for action logs (#25532)
+  * Use flex instead of float for sort button and search input (#25519)
+  * Update octicons and use `octicon-file-directory-symlink` (#25453)
+  * Add toasts to UI (#25449)
+  * Fine tune project board label colors and modal content background (#25419)
+  * Import additional secrets via file uri (#25408)
+  * Switch to ansi_up for ansi rendering in actions (#25401)
+  * Store and use seconds for timeline time comments (#25392)
+  * Support displaying diff stats in PR tab bar (#25387)
+  * Use fetch form action for lock/unlock/pin/unpin on sidebar (#25380)
+  * Refactor: TotalTimes return seconds (#25370)
+  * Navbar styling rework (#25343)
+  * Introduce shared template for search inputs (#25338)
+  * Only show 'Manage Account Links' when necessary (#25311)
+  * Improve 'Privacy' section in profile settings (#25309)
+  * Substitute variables in path names of template repos too (#25294)
+  * Fix tags line no margin see #25255 (#25280)
+  * Use fetch to send requests to create issues/comments (#25258)
+  * Change form actions to fetch for submit review box (#25219)
+  * Improve AJAX link and modal confirm dialog (#25210)
+  * Reduce unnecessary DB queries for Actions tasks (#25199)
+  * Disable `Create column` button while the column name is empty (#25192)
+  * Refactor indexer (#25174)
+  * Adjust style for action run list (align icons, adjust padding) (#25170)
+  * Remove duplicated functions when deleting a branch (#25128)
+  * Make confusable character warning less jarring (#25069)
+  * Highlight viewed files differently in the PR filetree (#24956)
+  * Support changing labels of Actions runner without re-registration (#24806)
+  * Fix duplicate Reviewed-by trailers (#24796)
+  * Resolve issue with sort icons on admin/users and admin/runners (#24360)
+  * Split lfs size from repository size (#22900)
+  * Sync branches into databases (#22743)
+  * Disable run user change in installation page (#22499)
+  * Add merge files files to GetCommitFileStatus (#20515)
+  * Show OpenID Connect and OAuth on signup page (#20242)
+* SECURITY
+  * Dont leak private users via extensions (#28023) (#28029)
+  * Expanded minimum RSA Keylength to 3072 (#26604)
+* TESTING
+  * Add user secrets API integration tests (#27832) (#27852)
+  * Add tests for db indexer in indexer_test.go (#27087)
+  * Speed up TestEventSourceManagerRun (#26262)
+  * Add unit test for user renaming (#26261)
+  * Add some Wiki unit tests (#26260)
+  * Improve unit test for caching (#26185)
+  * Add unit test for `HashAvatar` (#25662)
+* TRANSLATION
+  * Backport translations to v1.21 (#27899)
+  * Fix issues in translation file (#27699) (#27737)
+  * Add locale for deleted head branch (#26296)
+  * Improve multiple strings in en-US locale (#26213)
+  * Fix broken translations for package documantion (#25742)
+  * Correct translation wrong format (#25643)
+* BUILD
+  * Dockerfile small refactor (#27757) (#27826)
+  * Fix build errors on BSD (in BSDMakefile) (#27594) (#27608)
+  * Fully replace drone with actions (#27556) (#27575)
+  * Enable markdownlint `no-duplicate-header` (#27500) (#27506)
+  * Enable production source maps for index.js, fix CSS sourcemaps (#27291) (#27295)
+  * Update snap package (#27021)
+  * Bump go to 1.21 (#26608)
+  * Bump xgo to go-1.21.x and node to 20 in release-version (#26589)
+  * Add template linting via djlint (#25212)
+* DOCS
+  * Change default size of issue/pr attachments and repo file (#27946) (#28017)
+  * Remove `known issue` section in Gitea Actions Doc (#27930) (#27938)
+  * Remove outdated paragraphs when comparing Gitea Actions to GitHub Actions (#27119)
+  * Update brew installation documentation since gitea moved to brew core package (#27070)
+  * Actions are no longer experimental, so enable them by default (#27054)
+  * Add a documentation note for Windows Service (#26938)
+  * Add sparse url in cargo package guide (#26937)
+  * Update nginx recommendations (#26924)
+  * Update backup instructions to align with archive structure (#26902)
+  * Expanding documentation in queue.go (#26889)
+  * Update info regarding internet connection for build (#26776)
+  * Docs: template variables (#26547)
+  * Update index doc (#26455)
+  * Update zh-cn documentation (#26406)
+  * Fix typos and grammer problems for actions documentation (#26328)
+  * Update documentation for 1.21 actions (#26317)
+  * Doc update swagger doc for POST /orgs/{org}/teams (#26155)
+  * Doc sync authentication.md to zh-cn (#26117)
+  * Doc guide the user to create the appropriate level runner (#26091)
+  * Make organization redirect warning more clear (#26077)
+  * Update blog links (#25843)
+  * Fix default value for LocalURL (#25426)
+  * Update `from-source.zh-cn.md` & `from-source.en-us.md` - Cross Compile Using Zig (#25194)
+* MISC
+  * Replace deprecated `elliptic.Marshal` (#26800)
+  * Add elapsed time on debug for slow git commands (#25642)
+
 ## [1.20.5](https://github.com/go-gitea/gitea/releases/tag/v1.20.5) - 2023-10-03
 
 * ENHANCEMENTS
@@ -455,7 +1051,6 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
   * Add option to search for users is active join a team (#24093)
   * Add PDF rendering via PDFObject (#24086)
   * Refactor web route (#24080)
-  * Make more functions use ctx instead of db.DefaultContext (#24068)
   * Make HTML template functions support context (#24056)
   * Refactor rename user and rename organization (#24052)
   * Localize milestone related time strings (#24051)

Dockerfile

@@ -1,4 +1,4 @@
-#Build stage
+# Build stage
 FROM docker.io/library/golang:1.21-alpine3.18 AS build-env
 
 ARG GOPROXY
@@ -9,20 +9,38 @@ ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS "bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
 
-#Build deps
-RUN apk --no-cache add build-base git nodejs npm
+# Build deps
+RUN apk --no-cache add \
+    build-base \
+    git \
+    nodejs \
+    npm \
+    && rm -rf /var/cache/apk/*
 
-#Setup repo
+# Setup repo
 COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 
-#Checkout version if set
+# Checkout version if set
 RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
  && make clean-all build
 
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go
 
+# Copy local files
+COPY docker/root /tmp/local
+
+# Set permissions
+RUN chmod 755 /tmp/local/usr/bin/entrypoint \
+              /tmp/local/usr/local/bin/gitea \
+              /tmp/local/etc/s6/gitea/* \
+              /tmp/local/etc/s6/openssh/* \
+              /tmp/local/etc/s6/.s6-svscan/* \
+              /go/src/code.gitea.io/gitea/gitea \
+              /go/src/code.gitea.io/gitea/environment-to-ini
+RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
+
 FROM docker.io/library/alpine:3.18
 LABEL maintainer="maintainers@gitea.io"
 
@@ -39,7 +57,8 @@ RUN apk --no-cache add \
     s6 \
     sqlite \
     su-exec \
-    gnupg
+    gnupg \
+    && rm -rf /var/cache/apk/*
 
 RUN addgroup \
     -S -g 1000 \
@@ -61,10 +80,7 @@ VOLUME ["/data"]
 ENTRYPOINT ["/usr/bin/entrypoint"]
 CMD ["/bin/s6-svscan", "/etc/s6"]
 
-COPY docker/root /
+COPY --from=build-env /tmp/local /
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
-RUN chmod 755 /usr/bin/entrypoint /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
-RUN chmod 755 /etc/s6/gitea/* /etc/s6/openssh/* /etc/s6/.s6-svscan/*
-RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh

Dockerfile.rootless

@@ -1,4 +1,4 @@
-#Build stage
+# Build stage
 FROM docker.io/library/golang:1.21-alpine3.18 AS build-env
 
 ARG GOPROXY
@@ -10,19 +10,35 @@ ENV TAGS "bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
 
 #Build deps
-RUN apk --no-cache add build-base git nodejs npm
+RUN apk --no-cache add \
+    build-base \
+    git \
+    nodejs \
+    npm \
+    && rm -rf /var/cache/apk/*
 
-#Setup repo
+# Setup repo
 COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 
-#Checkout version if set
+# Checkout version if set
 RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
  && make clean-all build
 
 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go
 
+# Copy local files
+COPY docker/rootless /tmp/local
+
+# Set permissions
+RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
+              /tmp/local/usr/local/bin/docker-setup.sh \
+              /tmp/local/usr/local/bin/gitea \
+              /go/src/code.gitea.io/gitea/gitea \
+              /go/src/code.gitea.io/gitea/environment-to-ini
+RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
+
 FROM docker.io/library/alpine:3.18
 LABEL maintainer="maintainers@gitea.io"
 
@@ -35,7 +51,8 @@ RUN apk --no-cache add \
     gettext \
     git \
     curl \
-    gnupg
+    gnupg \
+    && rm -rf /var/cache/apk/*
 
 RUN addgroup \
     -S -g 1000 \
@@ -51,21 +68,19 @@ RUN addgroup \
 RUN mkdir -p /var/lib/gitea /etc/gitea
 RUN chown git:git /var/lib/gitea /etc/gitea
 
-COPY docker/rootless /
+COPY --from=build-env /tmp/local /
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
-RUN chmod 755 /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-setup.sh /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
-RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh
 
-#git:git
+# git:git
 USER 1000:1000
 ENV GITEA_WORK_DIR /var/lib/gitea
 ENV GITEA_CUSTOM /var/lib/gitea/custom
 ENV GITEA_TEMP /tmp/gitea
 ENV TMPDIR /tmp/gitea
 
-#TODO add to docs the ability to define the ini to load (useful to test and revert a config)
+# TODO add to docs the ability to define the ini to load (useful to test and revert a config)
 ENV GITEA_APP_INI /etc/gitea/app.ini
 ENV HOME "/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]
@@ -73,4 +88,3 @@ WORKDIR /var/lib/gitea
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
 CMD []
-

Makefile

@@ -922,7 +922,7 @@ node_modules: package-lock.json
 	@touch node_modules
 
 .venv: poetry.lock
-	poetry install
+	poetry install --no-root
 	@touch .venv
 
 .PHONY: update

cmd/doctor.go

@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/migrations"
 	migrate_base "code.gitea.io/gitea/models/migrations/base"
+	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/doctor"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -22,6 +23,19 @@ import (
 	"xorm.io/xorm"
 )
 
+// CmdDoctor represents the available doctor sub-command.
+var CmdDoctor = &cli.Command{
+	Name:        "doctor",
+	Usage:       "Diagnose and optionally fix problems",
+	Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
+
+	Subcommands: []*cli.Command{
+		cmdDoctorCheck,
+		cmdRecreateTable,
+		cmdDoctorConvert,
+	},
+}
+
 var cmdDoctorCheck = &cli.Command{
 	Name:        "check",
 	Usage:       "Diagnose and optionally fix problems",
@@ -60,19 +74,6 @@ var cmdDoctorCheck = &cli.Command{
 	},
 }
 
-// CmdDoctor represents the available doctor sub-command.
-var CmdDoctor = &cli.Command{
-	Name:        "doctor",
-	Usage:       "Diagnose and optionally fix problems",
-	Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
-
-	Subcommands: []*cli.Command{
-		cmdDoctorCheck,
-		cmdRecreateTable,
-		cmdDoctorConvert,
-	},
-}
-
 var cmdRecreateTable = &cli.Command{
 	Name:      "recreate-table",
 	Usage:     "Recreate tables from XORM definitions and copy the data.",
@@ -177,6 +178,7 @@ func runDoctorCheck(ctx *cli.Context) error {
 	if ctx.IsSet("list") {
 		w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
 		_, _ = w.Write([]byte("Default\tName\tTitle\n"))
+		doctor.SortChecks(doctor.Checks)
 		for _, check := range doctor.Checks {
 			if check.IsDefault {
 				_, _ = w.Write([]byte{'*'})
@@ -192,26 +194,20 @@ func runDoctorCheck(ctx *cli.Context) error {
 
 	var checks []*doctor.Check
 	if ctx.Bool("all") {
-		checks = doctor.Checks
+		checks = make([]*doctor.Check, len(doctor.Checks))
+		copy(checks, doctor.Checks)
 	} else if ctx.IsSet("run") {
 		addDefault := ctx.Bool("default")
-		names := ctx.StringSlice("run")
-		for i, name := range names {
-			names[i] = strings.ToLower(strings.TrimSpace(name))
-		}
-
+		runNamesSet := container.SetOf(ctx.StringSlice("run")...)
 		for _, check := range doctor.Checks {
-			if addDefault && check.IsDefault {
+			if (addDefault && check.IsDefault) || runNamesSet.Contains(check.Name) {
 				checks = append(checks, check)
-				continue
-			}
-			for _, name := range names {
-				if name == check.Name {
-					checks = append(checks, check)
-					break
-				}
+				runNamesSet.Remove(check.Name)
 			}
 		}
+		if len(runNamesSet) > 0 {
+			return fmt.Errorf("unknown checks: %q", strings.Join(runNamesSet.Values(), ","))
+		}
 	} else {
 		for _, check := range doctor.Checks {
 			if check.IsDefault {
@@ -219,6 +215,5 @@ func runDoctorCheck(ctx *cli.Context) error {
 			}
 		}
 	}
-
 	return doctor.RunChecks(stdCtx, colorize, ctx.Bool("fix"), checks)
 }

cmd/doctor_test.go

@@ -0,0 +1,33 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"context"
+	"testing"
+
+	"code.gitea.io/gitea/modules/doctor"
+	"code.gitea.io/gitea/modules/log"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/cli/v2"
+)
+
+func TestDoctorRun(t *testing.T) {
+	doctor.Register(&doctor.Check{
+		Title: "Test Check",
+		Name:  "test-check",
+		Run:   func(ctx context.Context, logger log.Logger, autofix bool) error { return nil },
+
+		SkipDatabaseInitialization: true,
+	})
+	app := cli.NewApp()
+	app.Commands = []*cli.Command{cmdDoctorCheck}
+	err := app.Run([]string{"./gitea", "check", "--run", "test-check"})
+	assert.NoError(t, err)
+	err = app.Run([]string{"./gitea", "check", "--run", "no-such"})
+	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
+	err = app.Run([]string{"./gitea", "check", "--run", "test-check,no-such"})
+	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
+}

cmd/dump.go

@@ -452,7 +452,7 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 		return err
 	}
 	for _, file := range files {
-		currentAbsPath := path.Join(absPath, file.Name())
+		currentAbsPath := filepath.Join(absPath, file.Name())
 		currentInsidePath := path.Join(insidePath, file.Name())
 		if file.IsDir() {
 			if !util.SliceContainsString(excludeAbsPath, currentAbsPath) {

contrib/environment-to-ini/environment-to-ini.go

@@ -47,24 +47,28 @@ func main() {
 	on the configuration cheat sheet.`
 	app.Flags = []cli.Flag{
 		&cli.StringFlag{
-			Name:  "custom-path, C",
-			Value: setting.CustomPath,
-			Usage: "Custom path file path",
+			Name:    "custom-path",
+			Aliases: []string{"C"},
+			Value:   setting.CustomPath,
+			Usage:   "Custom path file path",
 		},
 		&cli.StringFlag{
-			Name:  "config, c",
-			Value: setting.CustomConf,
-			Usage: "Custom configuration file path",
+			Name:    "config",
+			Aliases: []string{"c"},
+			Value:   setting.CustomConf,
+			Usage:   "Custom configuration file path",
 		},
 		&cli.StringFlag{
-			Name:  "work-path, w",
-			Value: setting.AppWorkPath,
-			Usage: "Set the gitea working path",
+			Name:    "work-path",
+			Aliases: []string{"w"},
+			Value:   setting.AppWorkPath,
+			Usage:   "Set the gitea working path",
 		},
 		&cli.StringFlag{
-			Name:  "out, o",
-			Value: "",
-			Usage: "Destination file to write to",
+			Name:    "out",
+			Aliases: []string{"o"},
+			Value:   "",
+			Usage:   "Destination file to write to",
 		},
 	}
 	app.Action = runEnvironmentToIni

contrib/systemd/gitea.service

@@ -52,7 +52,7 @@ After=network.target
 # Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
 # LimitNOFILE=524288:524288
 RestartSec=2s
-Type=notify
+Type=simple
 User=git
 Group=git
 WorkingDirectory=/var/lib/gitea/
@@ -62,7 +62,6 @@ WorkingDirectory=/var/lib/gitea/
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
 Restart=always
 Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
-WatchdogSec=30s
 # If you install Git to directory prefix other than default PATH (which happens
 # for example if you install other versions of Git side-to-side with
 # distribution version), uncomment below line and add that prefix to PATH

custom/conf/app.example.ini

@@ -491,6 +491,11 @@ INTERNAL_TOKEN=
 ;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
 ;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
 ;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
+;;
+;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
+;; stemming from cached/logged plain-text API tokens.
+;; In future releases, this will become the default behavior
+;DISABLE_QUERY_AUTH_TOKEN = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1014,8 +1019,8 @@ LEVEL = Info
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES =
 ;;
-;; Max size of each file in megabytes. Defaults to 3MB
-;FILE_MAX_SIZE = 3
+;; Max size of each file in megabytes. Defaults to 50MB
+;FILE_MAX_SIZE = 50 
 ;;
 ;; Max number of files per upload. Defaults to 5
 ;MAX_FILES = 5
@@ -1151,15 +1156,9 @@ LEVEL = Info
 ;; enable cors headers (disabled by default)
 ;ENABLED = false
 ;;
-;; scheme of allowed requests
-;SCHEME = http
-;;
-;; list of requesting domains that are allowed
+;; list of requesting origins that are allowed, eg: "https://*.example.com"
 ;ALLOW_DOMAIN = *
 ;;
-;; allow subdomains of headers listed above to request
-;ALLOW_SUBDOMAIN = false
-;;
 ;; list of methods allowed to request
 ;METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
 ;;
@@ -1205,6 +1204,9 @@ LEVEL = Info
 ;; Max size of files to be displayed (default is 8MiB)
 ;MAX_DISPLAY_FILE_SIZE = 8388608
 ;;
+;; Detect ambiguous unicode characters in file contents and show warnings on the UI
+;AMBIGUOUS_UNICODE_DETECTION = true
+;;
 ;; Whether the email of the user should be shown in the Explore Users page
 ;SHOW_USER_EMAIL = true
 ;;
@@ -1219,6 +1221,9 @@ LEVEL = Info
 ;; For custom reactions, add a tightly cropped square image to public/assets/img/emoji/reaction_name.png
 ;REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes
 ;;
+;; Change the number of users that are displayed in reactions tooltip (triggered by mouse hover).
+;REACTION_MAX_USER_NUM = 10
+;;
 ;; Additional Emojis not defined in the utf8 standard
 ;; By default we support gitea (:gitea:), to add more copy them to public/assets/img/emoji/emoji_name.png and add it to this config.
 ;; Dont mistake it for Reactions.
@@ -1812,8 +1817,8 @@ LEVEL = Info
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES = .csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
 ;;
-;; Max size of each file. Defaults to 4MB
-;MAX_SIZE = 4
+;; Max size of each file. Defaults to 2048MB
+;MAX_SIZE = 2048
 ;;
 ;; Max number of files per upload. Defaults to 5
 ;MAX_FILES = 5
@@ -2566,7 +2571,7 @@ LEVEL = Info
 ;;
 ;; Default platform to get action plugins, `github` for `https://github.com`, `self` for the current Gitea instance.
 ;DEFAULT_ACTIONS_URL = github
-;; Default artifact retention time in days, default is 90 days
+;; Default artifact retention time in days. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step.
 ;ARTIFACT_RETENTION_DAYS = 90
 ;; Timeout to stop the task which have running status, but haven't been updated for a long time
 ;ZOMBIE_TASK_TIMEOUT = 10m

docker/root/usr/bin/entrypoint

@@ -7,7 +7,7 @@ if [ ! -x /bin/sh ]; then
 fi
 
 if [ "${USER}" != "git" ]; then
-    # rename user
+    # Rename user
     sed -i -e "s/^git\:/${USER}\:/g" /etc/passwd
 fi
 
@@ -19,13 +19,13 @@ if [ -z "${USER_UID}" ]; then
   USER_UID="`id -u ${USER}`"
 fi
 
-## Change GID for USER?
+# Change GID for USER?
 if [ -n "${USER_GID}" ] && [ "${USER_GID}" != "`id -g ${USER}`" ]; then
     sed -i -e "s/^${USER}:\([^:]*\):[0-9]*/${USER}:\1:${USER_GID}/" /etc/group
     sed -i -e "s/^${USER}:\([^:]*\):\([0-9]*\):[0-9]*/${USER}:\1:\2:${USER_GID}/" /etc/passwd
 fi
 
-## Change UID for USER?
+# Change UID for USER?
 if [ -n "${USER_UID}" ] && [ "${USER_UID}" != "`id -u ${USER}`" ]; then
     sed -i -e "s/^${USER}:\([^:]*\):[0-9]*:\([0-9]*\)/${USER}:\1:${USER_UID}:\2/" /etc/passwd
 fi

docs/content/administration/adding-legal-pages.en-us.md

@@ -19,10 +19,10 @@ Some jurisdictions (such as EU), requires certain legal pages (e.g. Privacy Poli
 
 ## Getting Pages
 
-Gitea source code ships with sample pages, available in `contrib/legal` directory. Copy them to `custom/public/`. For example, to add Privacy Policy:
+Gitea source code ships with sample pages, available in `contrib/legal` directory. Copy them to `custom/public/assets/`. For example, to add Privacy Policy:
 
 ```
-wget -O /path/to/custom/public/privacy.html https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/legal/privacy.html.sample
+wget -O /path/to/custom/public/assets/privacy.html https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/legal/privacy.html.sample
 ```
 
 Now you need to edit the page to meet your requirements. In particular you must change the email addresses, web addresses and references to "Your Gitea Instance" to match your situation.

docs/content/administration/adding-legal-pages.zh-cn.md

@@ -19,10 +19,10 @@ menu:
 
 ## 获取页面
 
-Gitea 源代码附带了示例页面，位于 `contrib/legal` 目录中。将它们复制到 `custom/public/` 目录下。例如，如果要添加隐私政策：
+Gitea 源代码附带了示例页面，位于 `contrib/legal` 目录中。将它们复制到 `custom/public/assets/` 目录下。例如，如果要添加隐私政策：
 
 ```
-wget -O /path/to/custom/public/privacy.html https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/legal/privacy.html.sample
+wget -O /path/to/custom/public/assets/privacy.html https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/legal/privacy.html.sample
 ```
 
 现在，你需要编辑该页面以满足你的需求。特别是，你必须更改电子邮件地址、网址以及与 "Your Gitea Instance" 相关的引用，以匹配你的情况。

docs/content/administration/config-cheat-sheet.en-us.md

@@ -146,7 +146,7 @@ In addition, there is _`StaticRootPath`_ which can be set as a built-in at build
 - `ENABLED`: **true**: Whether repository file uploads are enabled
 - `TEMP_PATH`: **data/tmp/uploads**: Path for uploads (content gets deleted on Gitea restart)
 - `ALLOWED_TYPES`: **_empty_**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
-- `FILE_MAX_SIZE`: **3**: Max size of each file in megabytes.
+- `FILE_MAX_SIZE`: **50**: Max size of each file in megabytes.
 - `MAX_FILES`: **5**: Max number of files per upload
 
 ### Repository - Release (`repository.release`)
@@ -196,9 +196,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 ## CORS (`cors`)
 
 - `ENABLED`: **false**: enable cors headers (disabled by default)
-- `SCHEME`: **http**: scheme of allowed requests
-- `ALLOW_DOMAIN`: **\***: list of requesting domains that are allowed
-- `ALLOW_SUBDOMAIN`: **false**: allow subdomains of headers listed above to request
+- `ALLOW_DOMAIN`: **\***: list of requesting origins that are allowed, eg: "https://*.example.com"
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
@@ -220,9 +218,11 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `THEMES`:  **auto,gitea,arc-green**: All available themes. Allow users select personalized themes.
   regardless of the value of `DEFAULT_THEME`.
 - `MAX_DISPLAY_FILE_SIZE`: **8388608**: Max size of files to be displayed (default is 8MiB)
+- `AMBIGUOUS_UNICODE_DETECTION`: **true**: Detect ambiguous unicode characters in file contents and show warnings on the UI
 - `REACTIONS`: All available reactions users can choose on issues/prs and comments
     Values can be emoji alias (:smile:) or a unicode emoji.
     For custom reactions, add a tightly cropped square image to public/assets/img/emoji/reaction_name.png
+- `REACTION_MAX_USER_NUM`: **10**: Change the number of users that are displayed in reactions tooltip (triggered by mouse hover).
 - `CUSTOM_EMOJIS`: **gitea, codeberg, gitlab, git, github, gogs**: Additional Emojis not defined in the utf8 standard.
     By default, we support Gitea (:gitea:), to add more copy them to public/assets/img/emoji/emoji_name.png and
     add it to this config.
@@ -340,7 +340,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `SSH_AUTHORIZED_PRINCIPALS_ALLOW`: **off** or **username, email**: \[off, username, email, anything\]: Specify the principals values that users are allowed to use as principal. When set to `anything` no checks are done on the principal string. When set to `off` authorized principal are not allowed to be set.
 - `SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE`: **false/true**: Gitea will create a authorized_principals file by default when it is not using the internal ssh server and `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
 - `SSH_AUTHORIZED_PRINCIPALS_BACKUP`: **false/true**: Enable SSH Authorized Principals Backup when rewriting all keys, default is true if `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
-- `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}**: Set the template for the command to passed on authorized keys. Possible keys are: AppPath, AppWorkPath, CustomConf, CustomPath, Key - where Key is a `models/asymkey.PublicKey` and the others are strings which are shellquoted.
+- `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **`{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}`**: Set the template for the command to passed on authorized keys. Possible keys are: AppPath, AppWorkPath, CustomConf, CustomPath, Key - where Key is a `models/asymkey.PublicKey` and the others are strings which are shellquoted.
 - `SSH_SERVER_CIPHERS`: **chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com**: For the built-in SSH server, choose the ciphers to support for SSH connections, for system SSH this setting has no effect.
 - `SSH_SERVER_KEY_EXCHANGES`: **curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1**: For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, for system SSH this setting has no effect.
 - `SSH_SERVER_MACS`: **hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1**: For the built-in SSH server, choose the MACs to support for SSH connections, for system SSH this setting has no effect
@@ -423,7 +423,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 ## Database (`database`)
 
 - `DB_TYPE`: **mysql**: The database type in use \[mysql, postgres, mssql, sqlite3\].
-- `HOST`: **127.0.0.1:3306**: Database host address and port or absolute path for unix socket \[mysql, postgres\] (ex: /var/run/mysqld/mysqld.sock).
+- `HOST`: **127.0.0.1:3306**: Database host address and port or absolute path for unix socket \[mysql, postgres[^1]\] (ex: /var/run/mysqld/mysqld.sock).
 - `NAME`: **gitea**: Database name.
 - `USER`: **root**: Database username.
 - `PASSWD`: **_empty_**: Database user password. Use \`your password\` or """your password""" for quoting if you use special characters in the password.
@@ -454,6 +454,8 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `CONN_MAX_LIFETIME` **0 or 3s**: Sets the maximum amount of time a DB connection may be reused - default is 0, meaning there is no limit (except on MySQL where it is 3s - see #6804 & #7071).
 - `AUTO_MIGRATION` **true**: Whether execute database models migrations automatically.
 
+[^1]: It may be necessary to specify a hostport even when listening on a unix socket, as the port is part of the socket name. see [#24552](https://github.com/go-gitea/gitea/issues/24552#issuecomment-1681649367) for additional details.
+
 Please see #8540 & #8273 for further discussion of the appropriate values for `MAX_OPEN_CONNS`, `MAX_IDLE_CONNS` & `CONN_MAX_LIFETIME` and their
 relation to port exhaustion.
 
@@ -568,6 +570,7 @@ And the following unique queues:
   - off - do not check password complexity
 - `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed.
 - `SUCCESSFUL_TOKENS_CACHE_SIZE`: **20**: Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
+- `DISABLE_QUERY_AUTH_TOKEN`: **false**: Reject API tokens sent in URL query string (Accept Header-based API tokens only). This setting will default to `true` in Gitea 1.23 and be deprecated in Gitea 1.24.
 
 ## Camo (`camo`)
 
@@ -819,7 +822,7 @@ Default templates for project boards:
 
 - `ENABLED`: **true**: Whether issue and pull request attachments are enabled.
 - `ALLOWED_TYPES`: **.csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
-- `MAX_SIZE`: **4**: Maximum size (MB).
+- `MAX_SIZE`: **2048**: Maximum size (MB).
 - `MAX_FILES`: **5**: Maximum number of attachments that can be uploaded at once.
 - `STORAGE_TYPE`: **local**: Storage type for attachments, `local` for local disk or `minio` for s3 compatible object storage service, default is `local` or other name defined with `[storage.xxx]`
 - `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
@@ -1388,7 +1391,7 @@ PROXY_HOSTS = *.github.com
 - `DEFAULT_ACTIONS_URL`: **github**: Default platform to get action plugins, `github` for `https://github.com`, `self` for the current Gitea instance.
 - `STORAGE_TYPE`: **local**: Storage type for actions logs, `local` for local disk or `minio` for s3 compatible object storage service, default is `local` or other name defined with `[storage.xxx]`
 - `MINIO_BASE_PATH`: **actions_log/**: Minio base path on the bucket only available when STORAGE_TYPE is `minio`
-- `ARTIFACT_RETENTION_DAYS`: **90**: Number of days to keep artifacts. Set to 0 to disable artifact retention. Default is 90 days if not set.
+- `ARTIFACT_RETENTION_DAYS`: **90**: Default number of days to keep artifacts. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step.
 - `ZOMBIE_TASK_TIMEOUT`: **10m**: Timeout to stop the task which have running status, but haven't been updated for a long time
 - `ENDLESS_TASK_TIMEOUT`: **3h**: Timeout to stop the tasks which have running status and continuous updates, but don't end for a long time
 - `ABANDONED_JOB_TIMEOUT`: **24h**: Timeout to cancel the jobs which have waiting status, but haven't been picked by a runner for a long time
@@ -1401,7 +1404,7 @@ Please note that using `self` is not recommended for most cases, as it could mak
 Additionally, it requires you to mirror all the actions you need to your Gitea instance, which may not be worth it.
 Therefore, please use `self` only if you understand what you are doing.
 
-In earlier versions (<= 1.19), `DEFAULT_ACTIONS_URL` cound be set to any custom URLs like `https://gitea.com` or `http://your-git-server,https://gitea.com`, and the default value was `https://gitea.com`.
+In earlier versions (`<= 1.19`), `DEFAULT_ACTIONS_URL` cound be set to any custom URLs like `https://gitea.com` or `http://your-git-server,https://gitea.com`, and the default value was `https://gitea.com`.
 However, later updates removed those options, and now the only options are `github` and `self`, with the default value being `github`.
 However, if you want to use actions from other git server, you can use a complete URL in `uses` field, it's supported by Gitea (but not GitHub).
 Like `uses: https://gitea.com/actions/checkout@v3` or `uses: http://your-git-server/actions/checkout@v3`.

docs/content/administration/config-cheat-sheet.zh-cn.md

@@ -145,7 +145,7 @@ menu:
 - `ENABLED`: **true**: 是否启用仓库文件上传。
 - `TEMP_PATH`: **data/tmp/uploads**: 文件上传的临时保存路径(在Gitea重启的时候该目录会被清空)。
 - `ALLOWED_TYPES`: **_empty_**: 以逗号分割的列表，代表支持上传的文件类型。(`.zip`), mime类型 (`text/plain`) or 通配符类型 (`image/*`, `audio/*`, `video/*`). 为空或者 `*/*`代表允许所有类型文件。
-- `FILE_MAX_SIZE`: **3**: 每个文件的最大大小(MB)。
+- `FILE_MAX_SIZE`: **50**: 每个文件的最大大小(MB)。
 - `MAX_FILES`: **5**: 每次上传的最大文件数。
 
 ### 仓库 - 版本发布 (`repository.release`)
@@ -195,9 +195,7 @@ menu:
 ## 跨域 (`cors`)
 
 - `ENABLED`: **false**: 启用 CORS 头部（默认禁用）
-- `SCHEME`: **http**: 允许请求的协议
 - `ALLOW_DOMAIN`: **\***: 允许请求的域名列表
-- `ALLOW_SUBDOMAIN`: **false**: 允许上述列出的头部的子域名发出请求。
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: 允许发起的请求方式列表
 - `MAX_AGE`: **10m**: 缓存响应的最大时间
 - `ALLOW_CREDENTIALS`: **false**: 允许带有凭据的请求
@@ -335,7 +333,7 @@ menu:
 - `SSH_AUTHORIZED_PRINCIPALS_ALLOW`: **off** 或 **username, email**：\[off, username, email, anything\]：指定允许用户用作 principal 的值。当设置为 `anything` 时，对 principal 字符串不执行任何检查。当设置为 `off` 时，不允许设置授权的 principal。
 - `SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE`: **false/true**：当 Gitea 不使用内置 SSH 服务器且 `SSH_AUTHORIZED_PRINCIPALS_ALLOW` 不为 `off` 时，默认情况下 Gitea 会创建一个 authorized_principals 文件。
 - `SSH_AUTHORIZED_PRINCIPALS_BACKUP`: **false/true**：在重写所有密钥时启用 SSH 授权 principal 备份，默认值为 true（如果 `SSH_AUTHORIZED_PRINCIPALS_ALLOW` 不为 `off`）。
-- `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}**：设置用于传递授权密钥的命令模板。可能的密钥是：AppPath、AppWorkPath、CustomConf、CustomPath、Key，其中 Key 是 `models/asymkey.PublicKey`，其他是 shellquoted 字符串。
+- `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **`{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}`**：设置用于传递授权密钥的命令模板。可能的密钥是：AppPath、AppWorkPath、CustomConf、CustomPath、Key，其中 Key 是 `models/asymkey.PublicKey`，其他是 shellquoted 字符串。
 - `SSH_SERVER_CIPHERS`: **chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com**：对于内置的 SSH 服务器，选择支持的 SSH 连接的加密方法，对于系统 SSH，此设置无效。
 - `SSH_SERVER_KEY_EXCHANGES`: **curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1**：对于内置 SSH 服务器，选择支持的 SSH 连接的密钥交换算法，对于系统 SSH，此设置无效。
 - `SSH_SERVER_MACS`: **hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1**：对于内置 SSH 服务器，选择支持的 SSH 连接的 MAC 算法，对于系统 SSH，此设置无效。
@@ -784,7 +782,7 @@ Gitea 创建以下非唯一队列：
 
 - `ENABLED`: **true**: 是否允许用户上传附件。
 - `ALLOWED_TYPES`: **.csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip**: 允许的文件扩展名（`.zip`）、mime 类型（`text/plain`）或通配符类型（`image/*`、`audio/*`、`video/*`）的逗号分隔列表。空值或 `*/*` 允许所有类型。
-- `MAX_SIZE`: **4**: 附件的最大限制（MB）。
+- `MAX_SIZE`: **2048**: 附件的最大限制（MB）。
 - `MAX_FILES`: **5**: 一次最多上传的附件数量。
 - `STORAGE_TYPE`: **local**: 附件的存储类型，`local` 表示本地磁盘，`minio` 表示兼容 S3 的对象存储服务，如果未设置将使用默认值 `local` 或其他在 `[storage.xxx]` 中定义的名称。
 - `SERVE_DIRECT`: **false**: 允许存储驱动器重定向到经过身份验证的 URL 以直接提供文件。目前，只支持 Minio/S3 通过签名 URL 提供支持，local 不会执行任何操作。
@@ -1040,10 +1038,11 @@ Gitea 创建以下非唯一队列：
 
 ## API (`api`)
 
-- `ENABLE_SWAGGER`: **true**: 是否启用swagger路由 (`/api/swagger`, `/api/v1/swagger`, …)。
-- `MAX_RESPONSE_ITEMS`: **50**: 单个页面的最大 Feed.
-- `ENABLE_OPENID_SIGNIN`: **false**: 允许使用OpenID登录，当设置为`true`时可以通过 `/user/login` 页面进行OpenID登录。
-- `DISABLE_REGISTRATION`: **false**: 关闭用户注册。
+- `ENABLE_SWAGGER`: **true**: 启用API文档接口 (`/api/swagger`, `/api/v1/swagger`, …). True or false。
+- `MAX_RESPONSE_ITEMS`: **50**: API分页的最大单页项目数。
+- `DEFAULT_PAGING_NUM`: **30**: API分页的默认分页数。
+- `DEFAULT_GIT_TREES_PER_PAGE`: **1000**: Git trees API的默认单页项目数。
+- `DEFAULT_MAX_BLOB_SIZE`: **10485760** (10MiB): blobs API的默认最大文件大小。
 
 ## OAuth2 (`oauth2`)
 
@@ -1344,7 +1343,7 @@ PROXY_HOSTS = *.github.com
 此外，它要求您将所有所需的操作镜像到您的 Gitea 实例，这可能不值得。
 因此，请仅在您了解自己在做什么的情况下使用 `self`。
 
-在早期版本（<= 1.19）中，`DEFAULT_ACTIONS_URL` 可以设置为任何自定义 URL，例如 `https://gitea.com` 或 `http://your-git-server,https://gitea.com`，默认值为 `https://gitea.com`。
+在早期版本（`<= 1.19`）中，`DEFAULT_ACTIONS_URL` 可以设置为任何自定义 URL，例如 `https://gitea.com` 或 `http://your-git-server,https://gitea.com`，默认值为 `https://gitea.com`。
 然而，后来的更新删除了这些选项，现在唯一的选项是 `github` 和 `self`，默认值为 `github`。
 但是，如果您想要使用其他 Git 服务器中的操作，您可以在 `uses` 字段中使用完整的 URL，Gitea 支持此功能（GitHub 不支持）。
 例如 `uses: https://gitea.com/actions/checkout@v3` 或 `uses: http://your-git-server/actions/checkout@v3`。

docs/content/administration/customizing-gitea.zh-cn.md

@@ -42,11 +42,11 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板
 
 将自定义的公共文件（比如页面和图片）作为 webroot 放在 `custom/public/` 中来让 Gitea 提供这些自定义内容（符号链接将被追踪）。
 
-举例说明：`image.png` 存放在 `custom/public/`中，那么它可以通过链接 http://gitea.domain.tld/assets/image.png 访问。
+举例说明：`image.png` 存放在 `custom/public/assets/`中，那么它可以通过链接 http://gitea.domain.tld/assets/image.png 访问。
 
 ## 修改默认头像
 
-替换以下目录中的 png 图片： `custom/public/img/avatar\_default.png`
+替换以下目录中的 png 图片： `custom/public/assets/img/avatar\_default.png`
 
 ## 自定义 Gitea 页面
 

docs/content/administration/email-setup.en-us.md

@@ -61,7 +61,7 @@ Please note: authentication is only supported when the SMTP server communication
 
 - STARTTLS (also known as Opportunistic TLS) via port 587. Initial connection is done over cleartext, but then be upgraded over TLS if the server supports it.
 - SMTPS connection (SMTP over TLS) via the default port 465. Connection to the server use TLS from the beginning.
-- Forced SMTPS connection with `IS_TLS_ENABLED=true`. (These are both known as Implicit TLS.)
+- Forced SMTPS connection with `PROTOCOL=smtps`. (These are both known as Implicit TLS.)
 This is due to protections imposed by the Go internal libraries against STRIPTLS attacks.
 
 Note that Implicit TLS is recommended by [RFC8314](https://tools.ietf.org/html/rfc8314#section-3) since 2018.

docs/content/administration/email-setup.zh-cn.md

@@ -55,13 +55,13 @@ PASSWD         = `password`
 
 要发送测试邮件以验证设置，请转到 Gitea > 站点管理 > 配置 > SMTP 邮件配置。
 
-有关所有选项的完整列表，请查看[配置速查表](doc/administration/config-cheat-sheet.zh-cn.md)。
+有关所有选项的完整列表，请查看[配置速查表](administration/config-cheat-sheet.md)。
 
 请注意：只有在使用 TLS 或 `HOST=localhost` 加密 SMTP 服务器通信时才支持身份验证。TLS 加密可以通过以下方式进行：
 
 - 通过端口 587 的 STARTTLS（也称为 Opportunistic TLS）。初始连接是明文的，但如果服务器支持，则可以升级为 TLS。
 - 通过默认端口 465 的 SMTPS 连接。连接到服务器从一开始就使用 TLS。
-- 使用 `IS_TLS_ENABLED=true` 进行强制的 SMTPS 连接。（这两种方式都被称为 Implicit TLS）
+- 使用 `PROTOCOL=smtps` 进行强制的 SMTPS 连接。（这两种方式都被称为 Implicit TLS）
 这是由于 Go 内部库对 STRIPTLS 攻击的保护机制。
 
 请注意，自2018年起，[RFC8314](https://tools.ietf.org/html/rfc8314#section-3) 推荐使用 Implicit TLS。

docs/content/administration/external-renderers.zh-cn.md

@@ -194,7 +194,7 @@ ALLOW_DATA_URI_IMAGES = true
 }
 ```
 
-将您的样式表添加到自定义目录中，例如 `custom/public/css/my-style-XXXXX.css`，并使用自定义的头文件 `custom/templates/custom/header.tmpl` 进行导入：
+将您的样式表添加到自定义目录中，例如 `custom/public/assets/css/my-style-XXXXX.css`，并使用自定义的头文件 `custom/templates/custom/header.tmpl` 进行导入：
 
 ```html
 <link rel="stylesheet" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />

docs/content/administration/https-support.zh-cn.md

@@ -33,7 +33,7 @@ CERT_FILE = cert.pem
 KEY_FILE  = key.pem
 ```
 
-请注意，如果您的证书由第三方证书颁发机构签名（即不是自签名的），则 cert.pem 应包含证书链。服务器证书必须是 cert.pem 中的第一个条目，后跟中介（如果有）。不必包含根证书，因为连接客户端必须已经拥有根证书才能建立信任关系。要了解有关配置值的更多信息，请查看 [配置备忘单](../config-cheat-sheet#server-server)。
+请注意，如果您的证书由第三方证书颁发机构签名（即不是自签名的），则 cert.pem 应包含证书链。服务器证书必须是 cert.pem 中的第一个条目，后跟中介（如果有）。不必包含根证书，因为连接客户端必须已经拥有根证书才能建立信任关系。要了解有关配置值的更多信息，请查看 [配置备忘单](administration/config-cheat-sheet#server-server)。
 
 对于“CERT_FILE”或“KEY_FILE”字段，当文件路径是相对路径时，文件路径相对于“GITEA_CUSTOM”环境变量。它也可以是绝对路径。
 

docs/content/contributing/guidelines-frontend.en-us.md

@@ -48,11 +48,12 @@ We recommend [Google HTML/CSS Style Guide](https://google.github.io/styleguide/h
 10. Avoid mixing different events in one event listener, prefer to use individual event listeners for every event.
 11. Custom event names are recommended to use `ce-` prefix.
 12. Gitea's tailwind-style CSS classes use `gt-` prefix (`gt-relative`), while Gitea's own private framework-level CSS classes use `g-` prefix (`g-modal-confirm`).
+13. Avoid inline scripts & styles as much as possible, it's recommended to put JS code into JS files and use CSS classes. If inline scripts & styles are unavoidable, explain the reason why it can't be avoided.
 
 ### Accessibility / ARIA
 
 In history, Gitea heavily uses Fomantic UI which is not an accessibility-friendly framework.
-Gitea uses some patches to make Fomantic UI more accessible (see the `aria.js` and `aria.md`),
+Gitea uses some patches to make Fomantic UI more accessible (see `aria.md` and related JS files),
 but there are still many problems which need a lot of work and time to fix.
 
 ### Framework Usage

docs/content/development/api-usage.en-us.md

@@ -19,10 +19,7 @@ menu:
 
 ## Enabling/configuring API access
 
-By default, `ENABLE_SWAGGER` is true, and
-`MAX_RESPONSE_ITEMS` is set to 50. See [Config Cheat
-Sheet](administration/config-cheat-sheet.md) for more
-information.
+By default, `ENABLE_SWAGGER` is true, and `MAX_RESPONSE_ITEMS` is set to 50. See [Config Cheat Sheet](administration/config-cheat-sheet.md) for more information.
 
 ## Authentication
 

docs/content/development/api-usage.zh-cn.md

@@ -19,8 +19,7 @@ menu:
 
 ## 开启/配置 API 访问
 
-通常情况下， `ENABLE_SWAGGER` 默认开启并且参数 `MAX_RESPONSE_ITEMS` 默认为 50。您可以从 [Config Cheat
-Sheet](administration/config-cheat-sheet.md) 中获取更多配置相关信息。
+通常情况下， `ENABLE_SWAGGER` 默认开启并且参数 `MAX_RESPONSE_ITEMS` 默认为 50。您可以从 [Config Cheat Sheet](administration/config-cheat-sheet.md) 中获取更多配置相关信息。
 
 ## 通过 API 认证
 

docs/content/help/faq.en-us.md

@@ -138,9 +138,9 @@ All Gitea instances have the built-in API and there is no way to disable it comp
 You can, however, disable showing its documentation by setting `ENABLE_SWAGGER` to `false` in the `api` section of your `app.ini`.
 For more information, refer to Gitea's [API docs](development/api-usage.md).
 
-You can see the latest API (for example) on <https://try.gitea.io/api/swagger>.
+You can see the latest API (for example) on https://try.gitea.io/api/swagger
 
-You can also see an example of the `swagger.json` file at <https://try.gitea.io/swagger.v1.json>.
+You can also see an example of the `swagger.json` file at https://try.gitea.io/swagger.v1.json
 
 ## Adjusting your server for public/private use
 

docs/content/help/faq.zh-cn.md

@@ -142,9 +142,9 @@ Gitea不提供内置的Pages服务器。您需要一个专用的域名来提供
 但是，您可以在app.ini的api部分将ENABLE_SWAGGER设置为false，以禁用其文档显示。
 有关更多信息，请参阅Gitea的[API文档](development/api-usage.md)。
 
-您可以在上查看最新的API（例如）<https://try.gitea.io/api/swagger>。
+您可以在上查看最新的API（例如）https://try.gitea.io/api/swagger
 
-您还可以在上查看`swagger.json`文件的示例 <https://try.gitea.io/swagger.v1.json>。
+您还可以在上查看`swagger.json`文件的示例 https://try.gitea.io/swagger.v1.json
 
 ## 调整服务器用于公共/私有使用
 
@@ -190,7 +190,7 @@ Gitea 目前支持三个官方主题，分别是 `gitea`（亮色）、`arc-gree
 
 假设我们的主题是 `arc-blue`（这是一个真实的主题，可以在[此问题](https://github.com/go-gitea/gitea/issues/6011)中找到）
 
-将`.css`文件命名为`theme-arc-blue.css`并将其添加到`custom/public/css`文件夹中
+将`.css`文件命名为`theme-arc-blue.css`并将其添加到`custom/public/assets/css`文件夹中
 
 通过将`arc-blue`添加到`app.ini`中的`THEMES`列表中，允许用户使用该主题
 

docs/content/installation/database-preparation.en-us.md

@@ -17,7 +17,9 @@ menu:
 
 # Database Preparation
 
-You need a database to use Gitea. Gitea supports PostgreSQL (>=10), MySQL (>=5.7), MariaDB, SQLite, and MSSQL (>=2008R2 SP3). This page will guide into preparing database. Only PostgreSQL and MySQL will be covered here since those database engines are widely-used in production. If you plan to use SQLite, you can ignore this chapter.
+You need a database to use Gitea. Gitea supports PostgreSQL (>= 12), MySQL (>= 8.0), MariaDB (>= 10.4), SQLite (builtin), and MSSQL (>= 2012 SP4). This page will guide into preparing database. Only PostgreSQL and MySQL will be covered here since those database engines are widely-used in production. If you plan to use SQLite, you can ignore this chapter.
+
+If you use an unsupported database version, please [get in touch](/help/support) with us for information on our Extended Support Contracts. We can provide testing and support for older databases and integrate those fixes into the Gitea codebase.
 
 Database instance can be on same machine as Gitea (local database setup), or on different machine (remote database).
 

docs/content/installation/from-binary.zh-cn.md

@@ -117,7 +117,7 @@ chmod 770 /etc/gitea
 - 使用 `gitea generate secret` 创建 `SECRET_KEY` 和 `INTERNAL_TOKEN`
 - 提供所有必要的密钥
 
-详情参考 [命令行文档](/zh-cn/command-line/) 中有关 `gitea generate secret` 的内容。
+详情参考 [命令行文档](administration/command-line.md) 中有关 `gitea generate secret` 的内容。
 
 ### 配置 Gitea 工作路径
 
@@ -209,6 +209,6 @@ remote: ./hooks/pre-receive.d/gitea: line 2: [...]: No such file or directory
 
 如果您没有使用 Gitea 内置的 SSH 服务器，您还需要通过在管理选项中运行任务 `Update the '.ssh/authorized_keys' file with Gitea SSH keys.` 来重新编写授权密钥文件。
 
-> 更多经验总结，请参考英文版 [Troubleshooting](/en-us/install-from-binary/#troubleshooting)
+> 更多经验总结，请参考英文版 [Troubleshooting](https://docs.gitea.com/installation/install-from-binary#troubleshooting)
 
 如果从本页中没有找到你需要的内容，请访问 [帮助页面](help/support.md)

docs/content/installation/from-source.zh-cn.md

@@ -64,7 +64,7 @@ git checkout v@version@  # or git checkout pr-xyz
 
 - `go` @minGoVersion@ 或更高版本，请参阅 [这里](https://golang.org/dl/)
 - `node` @minNodeVersion@ 或更高版本，并且安装 `npm`, 请参阅 [这里](https://nodejs.org/zh-cn/download/)
-- `make`, 请参阅 [这里](/zh-cn/hacking-on-gitea/)
+- `make`, 请参阅 [这里](development/hacking-on-gitea.md)
 
 为了尽可能简化编译过程，提供了各种 [make任务](https://github.com/go-gitea/gitea/blob/main/Makefile)。
 

docs/content/usage/actions/act-runner.en-us.md

@@ -114,6 +114,12 @@ If you cannot see the settings page, please make sure that you have the right pe
 
 The format of the registration token is a random string `D0gvfu2iHfUjNqCYVljVyRV14fISpJxxxxxxxxxx`.
 
+A registration token can also be obtained from the gitea [command-line interface](administration/command-line.md#actions-generate-runner-token):
+
+```
+gitea --config /etc/gitea/app.ini actions generate-runner-token
+```
+
 ### Register the runner
 
 The act runner can be registered by running the following command:
@@ -262,6 +268,40 @@ The runner will fetch jobs from the Gitea instance and run them automatically.
 
 Since act runner is still in development, it is recommended to check the latest version and upgrade it regularly.
 
+## Systemd service
+
+It is also possible to run act-runner as a [systemd](https://en.wikipedia.org/wiki/Systemd) service. Create an unprivileged `act_runner` user on your system, and the following file in `/etc/systemd/system/act_runner.service`. The paths in `ExecStart` and `WorkingDirectory` may need to be adjusted depending on where you installed the `act_runner` binary, its configuration file, and the home directory of the `act_runner` user.
+
+```ini
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User=act_runner
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Then:
+
+```bash
+# load the new systemd unit file
+sudo systemctl daemon-reload
+# start the service and enable it at boot
+sudo systemctl enable act_runner --now
+```
+
+If using Docker, the `act_runner` user should also be added to the `docker` group before starting the service. Keep in mind that this effectively gives `act_runner` root access to the system [[1]](https://docs.docker.com/engine/security/#docker-daemon-attack-surface).
+
 ## Configuration variable
 
 You can create configuration variables on the user, organization and repository level.

docs/content/usage/actions/act-runner.zh-cn.md

@@ -113,6 +113,8 @@ Runner级别决定了从哪里获取注册令牌。
 
 注册令牌的格式是一个随机字符串 `D0gvfu2iHfUjNqCYVljVyRV14fISpJxxxxxxxxxx`。
 
+注册令牌也可以通过 Gitea 的 [命令行](administration/command-line.md#actions-generate-runner-token) 获得:
+
 ### 注册Runner
 
 可以通过运行以下命令来注册Act Runner：

docs/content/usage/actions/comparison.en-us.md

@@ -29,6 +29,10 @@ Like `uses: https://github.com/actions/checkout@v3` or `uses: http://your_gitea.
 Gitea Actions supports writing actions in Go.
 See [Creating Go Actions](https://blog.gitea.com/creating-go-actions/).
 
+### Support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly on schedule
+
+Github Actions doesn't support that. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
+
 ## Unsupported workflows syntax
 
 ### `concurrency`
@@ -110,14 +114,18 @@ It's ignored by Gitea Actions now.
 
 Pre and Post steps don't have their own section in the job log user interface.
 
+### Services steps
+
+Services steps don't have their own section in the job log user interface.
+
 ## Different behavior
 
 ### Downloading actions
 
 Previously (Pre 1.21.0), `[actions].DEFAULT_ACTIONS_URL` defaulted to `https://gitea.com`.
 We have since restricted this option to only allow two values (`github` and `self`).
-When set to `github`, the new default, Gitea will download non-fully-qualified actions from <https://github.com>.
-For example, if you use `uses: actions/checkout@v3`, it will download the checkout repository from <https://github.com/actions/checkout.git>.
+When set to `github`, the new default, Gitea will download non-fully-qualified actions from `https://github.com`.
+For example, if you use `uses: actions/checkout@v3`, it will download the checkout repository from `https://github.com/actions/checkout.git`.
 
 If you want to download an action from another git hoster, you can use an absolute URL, e.g. `uses: https://gitea.com/actions/checkout@v3`.
 
@@ -130,34 +138,3 @@ More details about the `[actions].DEFAULT_ACTIONS_URL` configuration can be foun
 
 Context availability is not checked, so you can use the env context on more places.
 See [Context availability](https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability).
-
-## Known issues
-
-### `docker/build-push-action@v4`
-
-See [act_runner#119](https://gitea.com/gitea/act_runner/issues/119#issuecomment-738294).
-
-`ACTIONS_RUNTIME_TOKEN` is a random string in Gitea Actions, not a JWT.
-But the `docker/build-push-action@v4` tries to parse the token as JWT and doesn't handle the error, so the job fails.
-
-There are two workarounds:
-
-Set the `ACTIONS_RUNTIME_TOKEN` to empty manually, like:
-
-``` yml
-- name: Build and push
-  uses: docker/build-push-action@v4
-  env:
-    ACTIONS_RUNTIME_TOKEN: ''
-  with:
-...
-```
-
-The bug has been fixed in a newer [commit](https://gitea.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba?style=split&whitespace=show-all#diff-1af9a5bdf96ddff3a2f3427ed520b7005e9564ad), but it has not been released. So you could use the latest version by specifying the branch name, like:
-
-``` yml
-- name: Build and push
-  uses: docker/build-push-action@master
-  with:
-...
-```

docs/content/usage/actions/comparison.zh-cn.md

@@ -29,6 +29,10 @@ Gitea Actions支持通过URL绝对路径定义actions，这意味着您可以使
 Gitea Actions支持使用Go编写Actions。
 请参阅[创建Go Actions](https://blog.gitea.com/creating-go-actions/)。
 
+### 支持非标准的调度语法 @yearly, @monthly, @weekly, @daily, @hourly
+
+Github Actions 不支持这些语法，详见： https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
+
 ## 不支持的工作流语法
 
 ### `concurrency`
@@ -116,6 +120,10 @@ Gitea Actions目前不支持此功能。
 
 预处理和后处理步骤在Job日志用户界面中没有自己的用户界面。
 
+### 服务步骤
+
+服务步骤在Job日志用户界面中没有自己的用户界面。
+
 ## 不一样的行为
 
 ### 下载Actions
@@ -132,34 +140,3 @@ Gitea Actions目前不支持此功能。
 
 不检查上下文可用性，因此您可以在更多地方使用env上下文。
 请参阅[上下文可用性](https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability)。
-
-## 已知问题
-
-### `docker/build-push-action@v4`
-
-请参阅[act_runner#119](https://gitea.com/gitea/act_runner/issues/119#issuecomment-738294)。
-
-`ACTIONS_RUNTIME_TOKEN`在Gitea Actions中是一个随机字符串，而不是JWT。
-但是`DOCKER/BUILD-PUSH-ACTION@V4尝试将令牌解析为JWT，并且不处理错误，因此Job失败。
-
-有两种解决方法：
-
-手动将`ACTIONS_RUNTIME_TOKEN`设置为空字符串，例如：
-
-``` yml
-- name: Build and push
-  uses: docker/build-push-action@v4
-  env:
-    ACTIONS_RUNTIME_TOKEN: ''
-  with:
-...
-```
-
-该问题已在较新的[提交](https://gitea.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba?style=split&whitespace=show-all#diff-1af9a5bdf96ddff3a2f3427ed520b7005e9564ad)中修复，但尚未发布。因此，您可以通过指定分支名称来使用最新版本，例如：
-
-``` yml
-- name: Build and push
-  uses: docker/build-push-action@master
-  with:
-...
-```

docs/content/usage/actions/quickstart.en-us.md

@@ -23,7 +23,7 @@ First of all, you need a Gitea instance.
 You can follow the [documentation](installation/from-package.md) to set up a new instance or upgrade your existing one.
 It doesn't matter how you install or run Gitea, as long as its version is 1.19.0 or higher.
 
-Actions are disabled by default, so you need to add the following to the configuration file to enable it:
+Since 1.21.0, Actions are enabled by default. If you are using versions before 1.21.0, you need to add the following to the configuration file to enable it:
 
 ```ini
 [actions]

docs/content/usage/actions/quickstart.zh-cn.md

@@ -23,7 +23,7 @@ menu:
 您可以按照[文档](installation/from-package.md) 来设置一个新实例或升级现有实例。
 无论您如何安装或运行Gitea，只要版本号是1.19.0或更高即可。
 
-默认情况下，Actions是禁用的，因此您需要将以下内容添加到配置文件中以启用它：
+从1.21.0开始，默认情况下，Actions是启用的。如果您正在使用1.21.0之前的版本，您需要将以下内容添加到配置文件中以启用它：
 
 ```ini
 [actions]

docs/content/usage/authentication.en-us.md

@@ -198,7 +198,7 @@ administrative user.
     field is set to `mail.com`, then Gitea will expect the `user email` field
     for an authenticated GIT instance to be `gituser@mail.com`.[^2]
 
-**Note**: PAM support is added via [build-time flags](installation/install-from-source.md#build),
+**Note**: PAM support is added via [build-time flags](installation/from-source.md#build),
 and the official binaries provided do not have this enabled.  PAM requires that
 the necessary libpam dynamic library be available and the necessary PAM
 development headers be accessible to the compiler.

docs/content/usage/authentication.zh-cn.md

@@ -162,7 +162,7 @@ PAM提供了一种机制，通过对用户进行PAM认证来自动将其添加
     - PAM电子邮件域:用户认证时要附加的电子邮件后缀。例如，如果登录系统期望一个名为gituse的用户，
   并且将此字段设置为mail.com，那么Gitea在验证一个GIT实例的用户时将期望user emai字段为gituser@mail.com[^2]。
 
-**Note**: PAM 支持通过[build-time flags](installation/install-from-source.md#build)添加,
+**Note**: PAM 支持通过[build-time flags](installation/from-source.md#build)添加,
 而官方提供的二进制文件通常不会默认启用此功能。PAM需要确保系统上有必要的libpam动态库，并且编译器可以访问必要的PAM开发头文件。
 
 [^1]: 例如，在Debian "Bullseye"上使用标准Linux登录，可以使用`common-session-noninteractive`。这个值对于其他版本的Debian，

docs/content/usage/packages/debian.en-us.md

@@ -27,7 +27,7 @@ The following examples use `apt`.
 To register the Debian registry add the url to the list of known apt sources:
 
 ```shell
-echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
+echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
 ```
 
 | Placeholder    | Description |
@@ -39,13 +39,13 @@ echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} {
 If the registry is private, provide credentials in the url. You can use a password or a [personal access token](development/api-usage.md#authentication):
 
 ```shell
-echo "deb https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
+echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
 ```
 
 The Debian registry files are signed with a PGP key which must be known to apt:
 
 ```shell
-sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/trusted.gpg.d/gitea-{owner}.asc
+sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/keyrings/gitea-{owner}.asc
 ```
 
 Afterwards update the local package index:

docs/content/usage/packages/debian.zh-cn.md

@@ -27,7 +27,7 @@ menu:
 要注册 Debian 注册表，请将 URL 添加到已知 `apt` 源列表中：
 
 ```shell
-echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
+echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
 ```
 
 | 占位符         | 描述           |
@@ -39,13 +39,13 @@ echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} {
 如果注册表是私有的，请在 URL 中提供凭据。您可以使用密码或[个人访问令牌](development/api-usage.md#通过-api-认证)：
 
 ```shell
-echo "deb https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
+echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list
 ```
 
 Debian 注册表文件使用 PGP 密钥进行签名，`apt` 必须知道该密钥：
 
 ```shell
-sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/trusted.gpg.d/gitea-{owner}.asc
+sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/keyrings/gitea-{owner}.asc
 ```
 
 然后更新本地软件包索引：

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/PuerkitoBio/goquery v1.8.1
-	github.com/alecthomas/chroma/v2 v2.9.1
+	github.com/alecthomas/chroma/v2 v2.10.0
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
 	github.com/blevesearch/bleve/v2 v2.3.10
 	github.com/bufbuild/connect-go v1.10.0
@@ -106,12 +106,12 @@ require (
 	github.com/yuin/goldmark v1.5.6
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	github.com/yuin/goldmark-meta v1.1.0
-	golang.org/x/crypto v0.14.0
+	golang.org/x/crypto v0.17.0
 	golang.org/x/image v0.13.0
 	golang.org/x/net v0.17.0
 	golang.org/x/oauth2 v0.13.0
-	golang.org/x/sys v0.13.0
-	golang.org/x/text v0.13.0
+	golang.org/x/sys v0.15.0
+	golang.org/x/text v0.14.0
 	golang.org/x/tools v0.14.0
 	google.golang.org/grpc v1.58.3
 	google.golang.org/protobuf v1.31.0
@@ -121,7 +121,7 @@ require (
 	mvdan.cc/xurls/v2 v2.5.0
 	strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251
 	xorm.io/builder v0.3.13
-	xorm.io/xorm v1.3.4-0.20231017094142-dbe499091a7e
+	xorm.io/xorm v1.3.6
 )
 
 require (
@@ -165,7 +165,7 @@ require (
 	github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/couchbase/go-couchbase v0.1.1 // indirect
 	github.com/couchbase/gomemcached v0.2.1 // indirect
 	github.com/couchbase/goutils v0.1.2 // indirect

go.sum

@@ -118,8 +118,8 @@ github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ
 github.com/alecthomas/assert/v2 v2.2.1 h1:XivOgYcduV98QCahG8T5XTezV5bylXe+lBxLG2K2ink=
 github.com/alecthomas/assert/v2 v2.2.1/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
-github.com/alecthomas/chroma/v2 v2.9.1 h1:0O3lTQh9FxazJ4BYE/MOi/vDGuHn7B+6Bu902N2UZvU=
-github.com/alecthomas/chroma/v2 v2.9.1/go.mod h1:4TQu7gdfuPjSh76j78ietmqh9LiurGF0EpseFXdKMBw=
+github.com/alecthomas/chroma/v2 v2.10.0 h1:T2iQOCCt4pRmRMfL55gTodMtc7cU0y7lc1Jb8/mK/64=
+github.com/alecthomas/chroma/v2 v2.10.0/go.mod h1:4TQu7gdfuPjSh76j78ietmqh9LiurGF0EpseFXdKMBw=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
 github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk=
 github.com/alecthomas/repr v0.2.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
@@ -227,8 +227,9 @@ github.com/chzyer/readline v1.5.0/go.mod h1:x22KAscuvRqlLoK9CsoYsmxoXZMMFVyOl86c
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v0.0.0-20210722231415-061457976a23/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -1152,8 +1153,8 @@ golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2Uz
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1348,8 +1349,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1360,8 +1361,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1376,8 +1377,9 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1648,5 +1650,5 @@ strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:
 xorm.io/builder v0.3.11-0.20220531020008-1bd24a7dc978/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
 xorm.io/builder v0.3.13 h1:a3jmiVVL19psGeXx8GIurTp7p0IIgqeDmwhcR6BAOAo=
 xorm.io/builder v0.3.13/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
-xorm.io/xorm v1.3.4-0.20231017094142-dbe499091a7e h1:oL+ktEW+iSrCXU6IauJ9csZFATEmawkhsq/MAoHTdwo=
-xorm.io/xorm v1.3.4-0.20231017094142-dbe499091a7e/go.mod h1:qFJGFoVYbbIdnz2vaL5OxSQ2raleMpyRRalnq3n9OJo=
+xorm.io/xorm v1.3.6 h1:hfpWHkDIWWqUi8FRF2H2M9O8lO3Ov47rwFcS9gPzPkU=
+xorm.io/xorm v1.3.6/go.mod h1:qFJGFoVYbbIdnz2vaL5OxSQ2raleMpyRRalnq3n9OJo=

models/actions/run.go

@@ -168,13 +168,14 @@ func updateRepoRunsNumbers(ctx context.Context, repo *repo_model.Repository) err
 }
 
 // CancelRunningJobs cancels all running and waiting jobs associated with a specific workflow.
-func CancelRunningJobs(ctx context.Context, repoID int64, ref, workflowID string) error {
+func CancelRunningJobs(ctx context.Context, repoID int64, ref, workflowID string, event webhook_module.HookEventType) error {
 	// Find all runs in the specified repository, reference, and workflow with statuses 'Running' or 'Waiting'.
 	runs, total, err := FindRuns(ctx, FindRunOptions{
-		RepoID:     repoID,
-		Ref:        ref,
-		WorkflowID: workflowID,
-		Status:     []Status{StatusRunning, StatusWaiting},
+		RepoID:       repoID,
+		Ref:          ref,
+		WorkflowID:   workflowID,
+		TriggerEvent: event,
+		Status:       []Status{StatusRunning, StatusWaiting},
 	})
 	if err != nil {
 		return err

models/actions/run_list.go

@@ -10,6 +10,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/container"
+	webhook_module "code.gitea.io/gitea/modules/webhook"
 
 	"xorm.io/builder"
 )
@@ -71,6 +72,7 @@ type FindRunOptions struct {
 	WorkflowID    string
 	Ref           string // the commit/tag/… that caused this workflow
 	TriggerUserID int64
+	TriggerEvent  webhook_module.HookEventType
 	Approved      bool // not util.OptionalBool, it works only when it's true
 	Status        []Status
 }
@@ -98,6 +100,9 @@ func (opts FindRunOptions) toConds() builder.Cond {
 	if opts.Ref != "" {
 		cond = cond.And(builder.Eq{"ref": opts.Ref})
 	}
+	if opts.TriggerEvent != "" {
+		cond = cond.And(builder.Eq{"trigger_event": opts.TriggerEvent})
+	}
 	return cond
 }
 

models/actions/runner.go

@@ -51,6 +51,11 @@ type ActionRunner struct {
 	Deleted timeutil.TimeStamp `xorm:"deleted"`
 }
 
+const (
+	RunnerOfflineTime = time.Minute
+	RunnerIdleTime    = 10 * time.Second
+)
+
 // BelongsToOwnerName before calling, should guarantee that all attributes are loaded
 func (r *ActionRunner) BelongsToOwnerName() string {
 	if r.RepoID != 0 {
@@ -76,11 +81,12 @@ func (r *ActionRunner) BelongsToOwnerType() types.OwnerType {
 	return types.OwnerTypeSystemGlobal
 }
 
+// if the logic here changed, you should also modify FindRunnerOptions.ToCond
 func (r *ActionRunner) Status() runnerv1.RunnerStatus {
-	if time.Since(r.LastOnline.AsTime()) > time.Minute {
+	if time.Since(r.LastOnline.AsTime()) > RunnerOfflineTime {
 		return runnerv1.RunnerStatus_RUNNER_STATUS_OFFLINE
 	}
-	if time.Since(r.LastActive.AsTime()) > 10*time.Second {
+	if time.Since(r.LastActive.AsTime()) > RunnerIdleTime {
 		return runnerv1.RunnerStatus_RUNNER_STATUS_IDLE
 	}
 	return runnerv1.RunnerStatus_RUNNER_STATUS_ACTIVE
@@ -153,6 +159,7 @@ type FindRunnerOptions struct {
 	OwnerID       int64
 	Sort          string
 	Filter        string
+	IsOnline      util.OptionalBool
 	WithAvailable bool // not only runners belong to, but also runners can be used
 }
 
@@ -178,6 +185,12 @@ func (opts FindRunnerOptions) toCond() builder.Cond {
 	if opts.Filter != "" {
 		cond = cond.And(builder.Like{"name", opts.Filter})
 	}
+
+	if opts.IsOnline.IsTrue() {
+		cond = cond.And(builder.Gt{"last_online": time.Now().Add(-RunnerOfflineTime).Unix()})
+	} else if opts.IsOnline.IsFalse() {
+		cond = cond.And(builder.Lte{"last_online": time.Now().Add(-RunnerOfflineTime).Unix()})
+	}
 	return cond
 }
 
@@ -266,3 +279,27 @@ func CreateRunner(ctx context.Context, t *ActionRunner) error {
 	_, err := db.GetEngine(ctx).Insert(t)
 	return err
 }
+
+func CountRunnersWithoutBelongingOwner(ctx context.Context) (int64, error) {
+	// Only affect action runners were a owner ID is set, as actions runners
+	// could also be created on a repository.
+	return db.GetEngine(ctx).Table("action_runner").
+		Join("LEFT", "user", "`action_runner`.owner_id = `user`.id").
+		Where("`action_runner`.owner_id != ?", 0).
+		And(builder.IsNull{"`user`.id"}).
+		Count(new(ActionRunner))
+}
+
+func FixRunnersWithoutBelongingOwner(ctx context.Context) (int64, error) {
+	subQuery := builder.Select("`action_runner`.id").
+		From("`action_runner`").
+		Join("LEFT", "user", "`action_runner`.owner_id = `user`.id").
+		Where(builder.Neq{"`action_runner`.owner_id": 0}).
+		And(builder.IsNull{"`user`.id"})
+	b := builder.Delete(builder.In("id", subQuery)).From("`action_runner`")
+	res, err := db.GetEngine(ctx).Exec(b)
+	if err != nil {
+		return 0, err
+	}
+	return res.RowsAffected()
+}

models/actions/schedule.go

@@ -5,6 +5,7 @@ package actions
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"code.gitea.io/gitea/models/db"
@@ -118,3 +119,22 @@ func DeleteScheduleTaskByRepo(ctx context.Context, id int64) error {
 
 	return committer.Commit()
 }
+
+func CleanRepoScheduleTasks(ctx context.Context, repo *repo_model.Repository) error {
+	// If actions disabled when there is schedule task, this will remove the outdated schedule tasks
+	// There is no other place we can do this because the app.ini will be changed manually
+	if err := DeleteScheduleTaskByRepo(ctx, repo.ID); err != nil {
+		return fmt.Errorf("DeleteCronTaskByRepo: %v", err)
+	}
+	// cancel running cron jobs of this repository and delete old schedules
+	if err := CancelRunningJobs(
+		ctx,
+		repo.ID,
+		repo.DefaultBranch,
+		"",
+		webhook_module.HookEventSchedule,
+	); err != nil {
+		return fmt.Errorf("CancelRunningJobs: %v", err)
+	}
+	return nil
+}

models/actions/task_output.go

@@ -20,6 +20,10 @@ type ActionTaskOutput struct {
 	OutputValue string `xorm:"MEDIUMTEXT"`
 }
 
+func init() {
+	db.RegisterModel(new(ActionTaskOutput))
+}
+
 // FindTaskOutputByTaskID returns the outputs of the task.
 func FindTaskOutputByTaskID(ctx context.Context, taskID int64) ([]*ActionTaskOutput, error) {
 	var outputs []*ActionTaskOutput

models/activities/action.go

@@ -446,9 +446,12 @@ func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, int64, err
 		return nil, 0, err
 	}
 
-	sess := db.GetEngine(ctx).Where(cond).
-		Select("`action`.*"). // this line will avoid select other joined table's columns
-		Join("INNER", "repository", "`repository`.id = `action`.repo_id")
+	sess := db.GetEngine(ctx).Where(cond)
+	if setting.Database.Type.IsMySQL() {
+		sess = sess.IndexHint("USE", "JOIN", "IDX_action_c_u_d")
+	}
+	sess = sess.Select("`action`.*"). // this line will avoid select other joined table's columns
+						Join("INNER", "repository", "`repository`.id = `action`.repo_id")
 
 	opts.SetDefaultValues()
 	sess = db.SetSessionPagination(sess, &opts)

models/asymkey/gpg_key.go

@@ -92,10 +92,9 @@ func CountUserGPGKeys(ctx context.Context, userID int64) (int64, error) {
 	return db.GetEngine(ctx).Where("owner_id=? AND primary_key_id=''", userID).Count(&GPGKey{})
 }
 
-// GetGPGKeyByID returns public key by given ID.
-func GetGPGKeyByID(ctx context.Context, keyID int64) (*GPGKey, error) {
+func GetGPGKeyForUserByID(ctx context.Context, ownerID, keyID int64) (*GPGKey, error) {
 	key := new(GPGKey)
-	has, err := db.GetEngine(ctx).ID(keyID).Get(key)
+	has, err := db.GetEngine(ctx).Where("id=? AND owner_id=?", keyID, ownerID).Get(key)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -225,7 +224,7 @@ func deleteGPGKey(ctx context.Context, keyID string) (int64, error) {
 
 // DeleteGPGKey deletes GPG key information in database.
 func DeleteGPGKey(ctx context.Context, doer *user_model.User, id int64) (err error) {
-	key, err := GetGPGKeyByID(ctx, id)
+	key, err := GetGPGKeyForUserByID(ctx, doer.ID, id)
 	if err != nil {
 		if IsErrGPGKeyNotExist(err) {
 			return nil
@@ -233,11 +232,6 @@ func DeleteGPGKey(ctx context.Context, doer *user_model.User, id int64) (err err
 		return fmt.Errorf("GetPublicKeyByID: %w", err)
 	}
 
-	// Check if user has access to delete this key.
-	if !doer.IsAdmin && doer.ID != key.OwnerID {
-		return ErrGPGKeyAccessDenied{doer.ID, key.ID}
-	}
-
 	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return err

models/asymkey/ssh_key_verify.go

@@ -29,10 +29,15 @@ func VerifySSHKey(ownerID int64, fingerprint, token, signature string) (string,
 		return "", ErrKeyNotExist{}
 	}
 
-	if err := sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea"); err != nil {
-		log.Error("Unable to validate token signature. Error: %v", err)
-		return "", ErrSSHInvalidTokenSignature{
-			Fingerprint: key.Fingerprint,
+	err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea")
+	if err != nil {
+		// edge case for Windows based shells that will add CR LF if piped to ssh-keygen command
+		// see https://github.com/PowerShell/PowerShell/issues/5974
+		if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), "gitea") != nil {
+			log.Error("Unable to validate token signature. Error: %v", err)
+			return "", ErrSSHInvalidTokenSignature{
+				Fingerprint: key.Fingerprint,
+			}
 		}
 	}
 

models/auth/source.go

@@ -232,7 +232,7 @@ func CreateSource(source *Source) error {
 	err = registerableSource.RegisterSource()
 	if err != nil {
 		// remove the AuthSource in case of errors while registering configuration
-		if _, err := db.GetEngine(db.DefaultContext).Delete(source); err != nil {
+		if _, err := db.GetEngine(db.DefaultContext).ID(source.ID).Delete(new(Source)); err != nil {
 			log.Error("CreateSource: Error while wrapOpenIDConnectInitializeError: %v", err)
 		}
 	}
@@ -275,9 +275,6 @@ func ActiveSources(tp Type) ([]*Source, error) {
 // IsSSPIEnabled returns true if there is at least one activated login
 // source of type LoginSSPI
 func IsSSPIEnabled() bool {
-	if !db.HasEngine {
-		return false
-	}
 	sources, err := ActiveSources(SSPI)
 	if err != nil {
 		log.Error("ActiveSources: %v", err)

models/db/context.go

@@ -178,6 +178,15 @@ func GetByBean(ctx context.Context, bean any) (bool, error) {
 	return GetEngine(ctx).Get(bean)
 }
 
+func Exist[T any](ctx context.Context, cond builder.Cond) (bool, error) {
+	if !cond.IsValid() {
+		return false, ErrConditionRequired{}
+	}
+
+	var bean T
+	return GetEngine(ctx).Where(cond).NoAutoCondition().Exist(&bean)
+}
+
 // DeleteByBean deletes all records according non-empty fields of the bean as conditions.
 func DeleteByBean(ctx context.Context, bean any) (int64, error) {
 	return GetEngine(ctx).Delete(bean)

models/db/engine.go

@@ -27,9 +27,6 @@ var (
 	x         *xorm.Engine
 	tables    []any
 	initFuncs []func() error
-
-	// HasEngine specifies if we have a xorm.Engine
-	HasEngine bool
 )
 
 // Engine represents a xorm engine or session.

models/db/error.go

@@ -72,3 +72,21 @@ func (err ErrNotExist) Error() string {
 func (err ErrNotExist) Unwrap() error {
 	return util.ErrNotExist
 }
+
+// ErrConditionRequired represents an error which require condition.
+type ErrConditionRequired struct{}
+
+// IsErrConditionRequired checks if an error is an ErrConditionRequired
+func IsErrConditionRequired(err error) bool {
+	_, ok := err.(ErrConditionRequired)
+	return ok
+}
+
+func (err ErrConditionRequired) Error() string {
+	return "condition is required"
+}
+
+// Unwrap unwraps this as a ErrNotExist err
+func (err ErrConditionRequired) Unwrap() error {
+	return util.ErrInvalidArgument
+}

models/error.go

@@ -57,6 +57,21 @@ func (err ErrUserOwnPackages) Error() string {
 	return fmt.Sprintf("user still has ownership of packages [uid: %d]", err.UID)
 }
 
+// ErrDeleteLastAdminUser represents a "DeleteLastAdminUser" kind of error.
+type ErrDeleteLastAdminUser struct {
+	UID int64
+}
+
+// IsErrDeleteLastAdminUser checks if an error is a ErrDeleteLastAdminUser.
+func IsErrDeleteLastAdminUser(err error) bool {
+	_, ok := err.(ErrDeleteLastAdminUser)
+	return ok
+}
+
+func (err ErrDeleteLastAdminUser) Error() string {
+	return fmt.Sprintf("can not delete the last admin user [uid: %d]", err.UID)
+}
+
 // ErrNoPendingRepoTransfer is an error type for repositories without a pending
 // transfer request
 type ErrNoPendingRepoTransfer struct {

models/fixtures/comment.yml

@@ -66,3 +66,12 @@
   tree_path: "README.md"
   created_unix: 946684812
   invalidated: true
+
+-
+  id: 8
+  type: 0 # comment
+  poster_id: 2
+  issue_id: 4 # in repo_id 2
+  content: "comment in private pository"
+  created_unix: 946684811
+  updated_unix: 946684811

models/fixtures/issue.yml

@@ -61,7 +61,7 @@
   priority: 0
   is_closed: true
   is_pull: false
-  num_comments: 0
+  num_comments: 1
   created_unix: 946684830
   updated_unix: 978307200
   is_locked: false

models/git/branch.go

@@ -205,10 +205,9 @@ func DeleteBranches(ctx context.Context, repoID, doerID int64, branchIDs []int64
 	})
 }
 
-// UpdateBranch updates the branch information in the database. If the branch exist, it will update latest commit of this branch information
-// If it doest not exist, insert a new record into database
-func UpdateBranch(ctx context.Context, repoID, pusherID int64, branchName string, commit *git.Commit) error {
-	cnt, err := db.GetEngine(ctx).Where("repo_id=? AND name=?", repoID, branchName).
+// UpdateBranch updates the branch information in the database.
+func UpdateBranch(ctx context.Context, repoID, pusherID int64, branchName string, commit *git.Commit) (int64, error) {
+	return db.GetEngine(ctx).Where("repo_id=? AND name=?", repoID, branchName).
 		Cols("commit_id, commit_message, pusher_id, commit_time, is_deleted, updated_unix").
 		Update(&Branch{
 			CommitID:      commit.ID.String(),
@@ -217,21 +216,6 @@ func UpdateBranch(ctx context.Context, repoID, pusherID int64, branchName string
 			CommitTime:    timeutil.TimeStamp(commit.Committer.When.Unix()),
 			IsDeleted:     false,
 		})
-	if err != nil {
-		return err
-	}
-	if cnt > 0 {
-		return nil
-	}
-
-	return db.Insert(ctx, &Branch{
-		RepoID:        repoID,
-		Name:          branchName,
-		CommitID:      commit.ID.String(),
-		CommitMessage: commit.Summary(),
-		PusherID:      pusherID,
-		CommitTime:    timeutil.TimeStamp(commit.Committer.When.Unix()),
-	})
 }
 
 // AddDeletedBranch adds a deleted branch to the database
@@ -299,7 +283,7 @@ func FindRenamedBranch(ctx context.Context, repoID int64, from string) (branch *
 }
 
 // RenameBranch rename a branch
-func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to string, gitAction func(isDefault bool) error) (err error) {
+func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to string, gitAction func(ctx context.Context, isDefault bool) error) (err error) {
 	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return err
@@ -308,6 +292,17 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to str
 
 	sess := db.GetEngine(ctx)
 
+	var branch Branch
+	exist, err := db.GetEngine(ctx).Where("repo_id=? AND name=?", repo.ID, from).Get(&branch)
+	if err != nil {
+		return err
+	} else if !exist || branch.IsDeleted {
+		return ErrBranchNotExist{
+			RepoID:     repo.ID,
+			BranchName: from,
+		}
+	}
+
 	// 1. update branch in database
 	if n, err := sess.Where("repo_id=? AND name=?", repo.ID, from).Update(&Branch{
 		Name: to,
@@ -363,7 +358,7 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to str
 	}
 
 	// 5. do git action
-	if err = gitAction(isDefault); err != nil {
+	if err = gitAction(ctx, isDefault); err != nil {
 		return err
 	}
 

models/git/branch_list.go

@@ -73,7 +73,7 @@ type FindBranchOptions struct {
 	Keyword            string
 }
 
-func (opts *FindBranchOptions) Cond() builder.Cond {
+func (opts FindBranchOptions) ToConds() builder.Cond {
 	cond := builder.NewCond()
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
@@ -92,7 +92,7 @@ func (opts *FindBranchOptions) Cond() builder.Cond {
 }
 
 func CountBranches(ctx context.Context, opts FindBranchOptions) (int64, error) {
-	return db.GetEngine(ctx).Where(opts.Cond()).Count(&Branch{})
+	return db.GetEngine(ctx).Where(opts.ToConds()).Count(&Branch{})
 }
 
 func orderByBranches(sess *xorm.Session, opts FindBranchOptions) *xorm.Session {
@@ -108,7 +108,7 @@ func orderByBranches(sess *xorm.Session, opts FindBranchOptions) *xorm.Session {
 }
 
 func FindBranches(ctx context.Context, opts FindBranchOptions) (BranchList, error) {
-	sess := db.GetEngine(ctx).Where(opts.Cond())
+	sess := db.GetEngine(ctx).Where(opts.ToConds())
 	if opts.PageSize > 0 && !opts.IsListAll() {
 		sess = db.SetSessionPagination(sess, &opts.ListOptions)
 	}
@@ -119,7 +119,7 @@ func FindBranches(ctx context.Context, opts FindBranchOptions) (BranchList, erro
 }
 
 func FindBranchNames(ctx context.Context, opts FindBranchOptions) ([]string, error) {
-	sess := db.GetEngine(ctx).Select("name").Where(opts.Cond())
+	sess := db.GetEngine(ctx).Select("name").Where(opts.ToConds())
 	if opts.PageSize > 0 && !opts.IsListAll() {
 		sess = db.SetSessionPagination(sess, &opts.ListOptions)
 	}

models/git/branch_test.go

@@ -4,6 +4,7 @@
 package git_test
 
 import (
+	"context"
 	"testing"
 
 	"code.gitea.io/gitea/models/db"
@@ -37,7 +38,7 @@ func TestAddDeletedBranch(t *testing.T) {
 		},
 	}
 
-	err := git_model.UpdateBranch(db.DefaultContext, repo.ID, secondBranch.PusherID, secondBranch.Name, commit)
+	_, err := git_model.UpdateBranch(db.DefaultContext, repo.ID, secondBranch.PusherID, secondBranch.Name, commit)
 	assert.NoError(t, err)
 }
 
@@ -133,7 +134,7 @@ func TestRenameBranch(t *testing.T) {
 	}, git_model.WhitelistOptions{}))
 	assert.NoError(t, committer.Commit())
 
-	assert.NoError(t, git_model.RenameBranch(db.DefaultContext, repo1, "master", "main", func(isDefault bool) error {
+	assert.NoError(t, git_model.RenameBranch(db.DefaultContext, repo1, "master", "main", func(ctx context.Context, isDefault bool) error {
 		_isDefault = isDefault
 		return nil
 	}))

models/git/commit_status.go

@@ -25,7 +25,6 @@ import (
 	"code.gitea.io/gitea/modules/translation"
 
 	"xorm.io/builder"
-	"xorm.io/xorm"
 )
 
 // CommitStatus holds a single Status of a single Commit
@@ -220,60 +219,58 @@ func CalcCommitStatus(statuses []*CommitStatus) *CommitStatus {
 // CommitStatusOptions holds the options for query commit statuses
 type CommitStatusOptions struct {
 	db.ListOptions
+	RepoID   int64
+	SHA      string
 	State    string
 	SortType string
 }
 
-// GetCommitStatuses returns all statuses for a given commit.
-func GetCommitStatuses(ctx context.Context, repo *repo_model.Repository, sha string, opts *CommitStatusOptions) ([]*CommitStatus, int64, error) {
-	if opts.Page <= 0 {
-		opts.Page = 1
-	}
-	if opts.PageSize <= 0 {
-		opts.Page = setting.ItemsPerPage
+func (opts *CommitStatusOptions) ToConds() builder.Cond {
+	var cond builder.Cond = builder.Eq{
+		"repo_id": opts.RepoID,
+		"sha":     opts.SHA,
 	}
 
-	countSession := listCommitStatusesStatement(ctx, repo, sha, opts)
-	countSession = db.SetSessionPagination(countSession, opts)
-	maxResults, err := countSession.OrderBy("1").Count(new(CommitStatus))
-	if err != nil {
-		log.Error("Count PRs: %v", err)
-		return nil, maxResults, err
-	}
-
-	statuses := make([]*CommitStatus, 0, opts.PageSize)
-	findSession := listCommitStatusesStatement(ctx, repo, sha, opts)
-	findSession = db.SetSessionPagination(findSession, opts)
-	sortCommitStatusesSession(findSession, opts.SortType)
-	return statuses, maxResults, findSession.Find(&statuses)
-}
-
-func listCommitStatusesStatement(ctx context.Context, repo *repo_model.Repository, sha string, opts *CommitStatusOptions) *xorm.Session {
-	sess := db.GetEngine(ctx).Where("repo_id = ?", repo.ID).And("sha = ?", sha)
 	switch opts.State {
 	case "pending", "success", "error", "failure", "warning":
-		sess.And("state = ?", opts.State)
+		cond = cond.And(builder.Eq{
+			"state": opts.State,
+		})
 	}
-	return sess
+
+	return cond
 }
 
-func sortCommitStatusesSession(sess *xorm.Session, sortType string) {
-	switch sortType {
+func (opts *CommitStatusOptions) ToOrders() string {
+	switch opts.SortType {
 	case "oldest":
-		sess.Asc("created_unix")
+		return "created_unix ASC"
 	case "recentupdate":
-		sess.Desc("updated_unix")
+		return "updated_unix DESC"
 	case "leastupdate":
-		sess.Asc("updated_unix")
+		return "updated_unix ASC"
 	case "leastindex":
-		sess.Desc("index")
+		return "`index` DESC"
 	case "highestindex":
-		sess.Asc("index")
+		return "`index` ASC"
 	default:
-		sess.Desc("created_unix")
+		return "created_unix DESC"
 	}
 }
 
+// GetCommitStatuses returns all statuses for a given commit.
+func GetCommitStatuses(ctx context.Context, opts *CommitStatusOptions) ([]*CommitStatus, int64, error) {
+	sess := db.GetEngine(ctx).
+		Where(opts.ToConds()).
+		OrderBy(opts.ToOrders())
+
+	db.SetSessionPagination(sess, opts)
+
+	statuses := make([]*CommitStatus, 0, opts.PageSize)
+	count, err := sess.FindAndCount(&statuses)
+	return statuses, count, err
+}
+
 // CommitStatusIndex represents a table for commit status index
 type CommitStatusIndex struct {
 	ID       int64

models/git/commit_status_test.go

@@ -22,7 +22,11 @@ func TestGetCommitStatuses(t *testing.T) {
 
 	sha1 := "1234123412341234123412341234123412341234"
 
-	statuses, maxResults, err := git_model.GetCommitStatuses(db.DefaultContext, repo1, sha1, &git_model.CommitStatusOptions{ListOptions: db.ListOptions{Page: 1, PageSize: 50}})
+	statuses, maxResults, err := git_model.GetCommitStatuses(db.DefaultContext, &git_model.CommitStatusOptions{
+		ListOptions: db.ListOptions{Page: 1, PageSize: 50},
+		RepoID:      repo1.ID,
+		SHA:         sha1,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, int(maxResults), 5)
 	assert.Len(t, statuses, 5)
@@ -46,4 +50,13 @@ func TestGetCommitStatuses(t *testing.T) {
 	assert.Equal(t, "deploy/awesomeness", statuses[4].Context)
 	assert.Equal(t, structs.CommitStatusError, statuses[4].State)
 	assert.Equal(t, "https://try.gitea.io/api/v1/repos/user2/repo1/statuses/1234123412341234123412341234123412341234", statuses[4].APIURL(db.DefaultContext))
+
+	statuses, maxResults, err = git_model.GetCommitStatuses(db.DefaultContext, &git_model.CommitStatusOptions{
+		ListOptions: db.ListOptions{Page: 2, PageSize: 50},
+		RepoID:      repo1.ID,
+		SHA:         sha1,
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, int(maxResults), 5)
+	assert.Empty(t, statuses)
 }

models/issues/comment.go

@@ -342,7 +342,7 @@ func (c *Comment) AfterLoad(session *xorm.Session) {
 
 // LoadPoster loads comment poster
 func (c *Comment) LoadPoster(ctx context.Context) (err error) {
-	if c.PosterID <= 0 || c.Poster != nil {
+	if c.Poster != nil {
 		return nil
 	}
 
@@ -1016,6 +1016,7 @@ type FindCommentsOptions struct {
 	Type        CommentType
 	IssueIDs    []int64
 	Invalidated util.OptionalBool
+	IsPull      util.OptionalBool
 }
 
 // ToConds implements FindOptions interface
@@ -1050,6 +1051,9 @@ func (opts *FindCommentsOptions) ToConds() builder.Cond {
 	if !opts.Invalidated.IsNone() {
 		cond = cond.And(builder.Eq{"comment.invalidated": opts.Invalidated.IsTrue()})
 	}
+	if opts.IsPull != util.OptionalBoolNone {
+		cond = cond.And(builder.Eq{"issue.is_pull": opts.IsPull.IsTrue()})
+	}
 	return cond
 }
 
@@ -1057,7 +1061,7 @@ func (opts *FindCommentsOptions) ToConds() builder.Cond {
 func FindComments(ctx context.Context, opts *FindCommentsOptions) (CommentList, error) {
 	comments := make([]*Comment, 0, 10)
 	sess := db.GetEngine(ctx).Where(opts.ToConds())
-	if opts.RepoID > 0 {
+	if opts.RepoID > 0 || opts.IsPull != util.OptionalBoolNone {
 		sess.Join("INNER", "issue", "issue.id = comment.issue_id")
 	}
 
@@ -1149,14 +1153,9 @@ func DeleteComment(ctx context.Context, comment *Comment) error {
 // UpdateCommentsMigrationsByType updates comments' migrations information via given git service type and original id and poster id
 func UpdateCommentsMigrationsByType(ctx context.Context, tp structs.GitServiceType, originalAuthorID string, posterID int64) error {
 	_, err := db.GetEngine(ctx).Table("comment").
-		Where(builder.In("issue_id",
-			builder.Select("issue.id").
-				From("issue").
-				InnerJoin("repository", "issue.repo_id = repository.id").
-				Where(builder.Eq{
-					"repository.original_service_type": tp,
-				}),
-		)).
+		Join("INNER", "issue", "issue.id = comment.issue_id").
+		Join("INNER", "repository", "issue.repo_id = repository.id").
+		Where("repository.original_service_type = ?", tp).
 		And("comment.original_author_id = ?", originalAuthorID).
 		Update(map[string]any{
 			"poster_id":          posterID,

models/issues/comment_code.go

@@ -109,9 +109,11 @@ func findCodeComments(ctx context.Context, opts FindCommentsOptions, issue *Issu
 
 		var err error
 		if comment.RenderedContent, err = markdown.RenderString(&markup.RenderContext{
-			Ctx:       ctx,
-			URLPrefix: issue.Repo.Link(),
-			Metas:     issue.Repo.ComposeMetas(),
+			Ctx: ctx,
+			Links: markup.Links{
+				Base: issue.Repo.Link(),
+			},
+			Metas: issue.Repo.ComposeMetas(),
 		}, comment.Content); err != nil {
 			return nil, err
 		}

models/issues/content_history.go

@@ -218,9 +218,9 @@ func GetIssueContentHistoryByID(dbCtx context.Context, id int64) (*ContentHistor
 }
 
 // GetIssueContentHistoryAndPrev get a history and the previous non-deleted history (to compare)
-func GetIssueContentHistoryAndPrev(dbCtx context.Context, id int64) (history, prevHistory *ContentHistory, err error) {
+func GetIssueContentHistoryAndPrev(dbCtx context.Context, issueID, id int64) (history, prevHistory *ContentHistory, err error) {
 	history = &ContentHistory{}
-	has, err := db.GetEngine(dbCtx).ID(id).Get(history)
+	has, err := db.GetEngine(dbCtx).Where("id=? AND issue_id=?", id, issueID).Get(history)
 	if err != nil {
 		log.Error("failed to get issue content history %v. err=%v", id, err)
 		return nil, nil, err

models/issues/content_history_test.go

@@ -58,13 +58,13 @@ func TestContentHistory(t *testing.T) {
 	hasHistory2, _ := issues_model.HasIssueContentHistory(dbCtx, 10, 1)
 	assert.False(t, hasHistory2)
 
-	h6, h6Prev, _ := issues_model.GetIssueContentHistoryAndPrev(dbCtx, 6)
+	h6, h6Prev, _ := issues_model.GetIssueContentHistoryAndPrev(dbCtx, 10, 6)
 	assert.EqualValues(t, 6, h6.ID)
 	assert.EqualValues(t, 5, h6Prev.ID)
 
 	// soft-delete
 	_ = issues_model.SoftDeleteIssueContentHistory(dbCtx, 5)
-	h6, h6Prev, _ = issues_model.GetIssueContentHistoryAndPrev(dbCtx, 6)
+	h6, h6Prev, _ = issues_model.GetIssueContentHistoryAndPrev(dbCtx, 10, 6)
 	assert.EqualValues(t, 6, h6.ID)
 	assert.EqualValues(t, 4, h6Prev.ID)
 

models/issues/review.go

@@ -461,8 +461,10 @@ func SubmitReview(ctx context.Context, doer *user_model.User, issue *Issue, revi
 func GetReviewByIssueIDAndUserID(ctx context.Context, issueID, userID int64) (*Review, error) {
 	review := new(Review)
 
-	has, err := db.GetEngine(ctx).SQL("SELECT * FROM review WHERE id IN (SELECT max(id) as id FROM review WHERE issue_id = ? AND reviewer_id = ? AND original_author_id = 0 AND type in (?, ?, ?))",
-		issueID, userID, ReviewTypeApprove, ReviewTypeReject, ReviewTypeRequest).
+	has, err := db.GetEngine(ctx).Where(
+		builder.In("type", ReviewTypeApprove, ReviewTypeReject, ReviewTypeRequest).
+			And(builder.Eq{"issue_id": issueID, "reviewer_id": userID, "original_author_id": 0})).
+		Desc("id").
 		Get(review)
 	if err != nil {
 		return nil, err
@@ -476,13 +478,13 @@ func GetReviewByIssueIDAndUserID(ctx context.Context, issueID, userID int64) (*R
 }
 
 // GetTeamReviewerByIssueIDAndTeamID get the latest review request of reviewer team for a pull request
-func GetTeamReviewerByIssueIDAndTeamID(ctx context.Context, issueID, teamID int64) (review *Review, err error) {
-	review = new(Review)
+func GetTeamReviewerByIssueIDAndTeamID(ctx context.Context, issueID, teamID int64) (*Review, error) {
+	review := new(Review)
 
-	var has bool
-	if has, err = db.GetEngine(ctx).SQL("SELECT * FROM review WHERE id IN (SELECT max(id) as id FROM review WHERE issue_id = ? AND reviewer_team_id = ?)",
-		issueID, teamID).
-		Get(review); err != nil {
+	has, err := db.GetEngine(ctx).Where(builder.Eq{"issue_id": issueID, "reviewer_team_id": teamID}).
+		Desc("id").
+		Get(review)
+	if err != nil {
 		return nil, err
 	}
 
@@ -898,6 +900,16 @@ func DeleteReview(ctx context.Context, r *Review) error {
 		return err
 	}
 
+	opts = FindCommentsOptions{
+		Type:     CommentTypeDismissReview,
+		IssueID:  r.IssueID,
+		ReviewID: r.ID,
+	}
+
+	if _, err := sess.Where(opts.ToConds()).Delete(new(Comment)); err != nil {
+		return err
+	}
+
 	if _, err := sess.ID(r.ID).Delete(new(Review)); err != nil {
 		return err
 	}

models/issues/review_test.go

@@ -8,6 +8,7 @@ import (
 
 	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 
@@ -258,3 +259,32 @@ func TestDeleteReview(t *testing.T) {
 	assert.NoError(t, err)
 	assert.True(t, review1.Official)
 }
+
+func TestDeleteDismissedReview(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
+	review, err := issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Content:  "reject",
+		Type:     issues_model.ReviewTypeReject,
+		Official: false,
+		Issue:    issue,
+		Reviewer: user,
+	})
+	assert.NoError(t, err)
+	assert.NoError(t, issues_model.DismissReview(db.DefaultContext, review, true))
+	comment, err := issues_model.CreateComment(db.DefaultContext, &issues_model.CreateCommentOptions{
+		Type:     issues_model.CommentTypeDismissReview,
+		Doer:     user,
+		Repo:     repo,
+		Issue:    issue,
+		ReviewID: review.ID,
+		Content:  "dismiss",
+	})
+	assert.NoError(t, err)
+	unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID})
+	assert.NoError(t, issues_model.DeleteReview(db.DefaultContext, review))
+	unittest.AssertNotExistsBean(t, &issues_model.Comment{ID: comment.ID})
+}

models/migrations/v1_21/v263.go

@@ -32,7 +32,12 @@ func AddGitSizeAndLFSSizeToRepositoryTable(x *xorm.Engine) error {
 		return err
 	}
 
-	_, err = sess.Exec(`UPDATE repository SET git_size = size - lfs_size`)
+	_, err = sess.Exec(`UPDATE repository SET size = 0 WHERE size IS NULL`)
+	if err != nil {
+		return err
+	}
+
+	_, err = sess.Exec(`UPDATE repository SET git_size = size - lfs_size WHERE size > lfs_size`)
 	if err != nil {
 		return err
 	}

models/project/project.go

@@ -311,6 +311,18 @@ func GetProjectByID(ctx context.Context, id int64) (*Project, error) {
 	return p, nil
 }
 
+// GetProjectForRepoByID returns the projects in a repository
+func GetProjectForRepoByID(ctx context.Context, repoID, id int64) (*Project, error) {
+	p := new(Project)
+	has, err := db.GetEngine(ctx).Where("id=? AND repo_id=?", id, repoID).Get(p)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrProjectNotExist{ID: id}
+	}
+	return p, nil
+}
+
 // UpdateProject updates project properties
 func UpdateProject(ctx context.Context, p *Project) error {
 	if !IsCardTypeValid(p.CardType) {

models/repo/release.go

@@ -207,6 +207,21 @@ func GetReleaseByID(ctx context.Context, id int64) (*Release, error) {
 	return rel, nil
 }
 
+// GetReleaseForRepoByID returns release with given ID.
+func GetReleaseForRepoByID(ctx context.Context, repoID, id int64) (*Release, error) {
+	rel := new(Release)
+	has, err := db.GetEngine(ctx).
+		Where("id=? AND repo_id=?", id, repoID).
+		Get(rel)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrReleaseNotExist{id, ""}
+	}
+
+	return rel, nil
+}
+
 // FindReleasesOptions describes the conditions to Find releases
 type FindReleasesOptions struct {
 	db.ListOptions

models/repo/repo.go

@@ -47,6 +47,14 @@ func (err ErrUserDoesNotHaveAccessToRepo) Unwrap() error {
 	return util.ErrPermissionDenied
 }
 
+type ErrRepoIsArchived struct {
+	Repo *Repository
+}
+
+func (err ErrRepoIsArchived) Error() string {
+	return fmt.Sprintf("%s is archived", err.Repo.LogString())
+}
+
 var (
 	reservedRepoNames    = []string{".", "..", "-"}
 	reservedRepoPatterns = []string{"*.git", "*.wiki", "*.rss", "*.atom"}
@@ -570,8 +578,7 @@ func (repo *Repository) CanEnableEditor() bool {
 // DescriptionHTML does special handles to description and return HTML string.
 func (repo *Repository) DescriptionHTML(ctx context.Context) template.HTML {
 	desc, err := markup.RenderDescriptionHTML(&markup.RenderContext{
-		Ctx:       ctx,
-		URLPrefix: repo.HTMLURL(),
+		Ctx: ctx,
 		// Don't use Metas to speedup requests
 	}, repo.Description)
 	if err != nil {
@@ -594,25 +601,23 @@ func ComposeHTTPSCloneURL(owner, repo string) string {
 
 func ComposeSSHCloneURL(ownerName, repoName string) string {
 	sshUser := setting.SSH.User
-
-	// if we have a ipv6 literal we need to put brackets around it
-	// for the git cloning to work.
 	sshDomain := setting.SSH.Domain
-	ip := net.ParseIP(setting.SSH.Domain)
-	if ip != nil && ip.To4() == nil {
-		sshDomain = "[" + setting.SSH.Domain + "]"
+
+	// non-standard port, it must use full URI
+	if setting.SSH.Port != 22 {
+		sshHost := net.JoinHostPort(sshDomain, strconv.Itoa(setting.SSH.Port))
+		return fmt.Sprintf("ssh://%s@%s/%s/%s.git", sshUser, sshHost, url.PathEscape(ownerName), url.PathEscape(repoName))
 	}
 
-	if setting.SSH.Port != 22 {
-		return fmt.Sprintf("ssh://%s@%s/%s/%s.git", sshUser,
-			net.JoinHostPort(setting.SSH.Domain, strconv.Itoa(setting.SSH.Port)),
-			url.PathEscape(ownerName),
-			url.PathEscape(repoName))
+	// for standard port, it can use a shorter URI (without the port)
+	sshHost := sshDomain
+	if ip := net.ParseIP(sshHost); ip != nil && ip.To4() == nil {
+		sshHost = "[" + sshHost + "]" // for IPv6 address, wrap it with brackets
 	}
 	if setting.Repository.UseCompatSSHURI {
-		return fmt.Sprintf("ssh://%s@%s/%s/%s.git", sshUser, sshDomain, url.PathEscape(ownerName), url.PathEscape(repoName))
+		return fmt.Sprintf("ssh://%s@%s/%s/%s.git", sshUser, sshHost, url.PathEscape(ownerName), url.PathEscape(repoName))
 	}
-	return fmt.Sprintf("%s@%s:%s/%s.git", sshUser, sshDomain, url.PathEscape(ownerName), url.PathEscape(repoName))
+	return fmt.Sprintf("%s@%s:%s/%s.git", sshUser, sshHost, url.PathEscape(ownerName), url.PathEscape(repoName))
 }
 
 func (repo *Repository) cloneLink(isWiki bool) *CloneLink {
@@ -654,6 +659,14 @@ func (repo *Repository) GetTrustModel() TrustModelType {
 	return trustModel
 }
 
+// MustNotBeArchived returns ErrRepoIsArchived if the repo is archived
+func (repo *Repository) MustNotBeArchived() error {
+	if repo.IsArchived {
+		return ErrRepoIsArchived{Repo: repo}
+	}
+	return nil
+}
+
 // __________                           .__  __
 // \______   \ ____ ______   ____  _____|__|/  |_  ___________ ___.__.
 //  |       _// __ \\____ \ /  _ \/  ___/  \   __\/  _ \_  __ <   |  |

models/repo/repo_list.go

@@ -652,12 +652,12 @@ func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) bu
 				userOrgTeamUnitRepoCond("`repository`.id", user.ID, unitType),
 			)
 		}
-		cond = cond.Or(
-			// 4. Repositories that we directly own
-			builder.Eq{"`repository`.owner_id": user.ID},
+		// 4. Repositories that we directly own
+		cond = cond.Or(builder.Eq{"`repository`.owner_id": user.ID})
+		if !user.IsRestricted {
 			// 5. Be able to see all public repos in private organizations that we are an org_user of
-			userOrgPublicRepoCond(user.ID),
-		)
+			cond = cond.Or(userOrgPublicRepoCond(user.ID))
+		}
 	}
 
 	return cond
@@ -716,7 +716,7 @@ func FindUserCodeAccessibleOwnerRepoIDs(ctx context.Context, ownerID int64, user
 }
 
 // GetUserRepositories returns a list of repositories of given user.
-func GetUserRepositories(opts *SearchRepoOptions) (RepositoryList, int64, error) {
+func GetUserRepositories(ctx context.Context, opts *SearchRepoOptions) (RepositoryList, int64, error) {
 	if len(opts.OrderBy) == 0 {
 		opts.OrderBy = "updated_unix DESC"
 	}
@@ -734,7 +734,7 @@ func GetUserRepositories(opts *SearchRepoOptions) (RepositoryList, int64, error)
 		cond = cond.And(builder.In("lower_name", opts.LowerNames))
 	}
 
-	sess := db.GetEngine(db.DefaultContext)
+	sess := db.GetEngine(ctx)
 
 	count, err := sess.Where(cond).Count(new(Repository))
 	if err != nil {

models/repo/repo_test.go

@@ -12,6 +12,8 @@ import (
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/markup"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/modules/util"
 
 	"github.com/stretchr/testify/assert"
@@ -186,3 +188,32 @@ func TestGetRepositoryByURL(t *testing.T) {
 		test(t, "try.gitea.io:user2/repo2.git")
 	})
 }
+
+func TestComposeSSHCloneURL(t *testing.T) {
+	defer test.MockVariableValue(&setting.SSH, setting.SSH)()
+	defer test.MockVariableValue(&setting.Repository, setting.Repository)()
+
+	setting.SSH.User = "git"
+
+	// test SSH_DOMAIN
+	setting.SSH.Domain = "domain"
+	setting.SSH.Port = 22
+	setting.Repository.UseCompatSSHURI = false
+	assert.Equal(t, "git@domain:user/repo.git", repo_model.ComposeSSHCloneURL("user", "repo"))
+	setting.Repository.UseCompatSSHURI = true
+	assert.Equal(t, "ssh://git@domain/user/repo.git", repo_model.ComposeSSHCloneURL("user", "repo"))
+	// test SSH_DOMAIN while use non-standard SSH port
+	setting.SSH.Port = 123
+	setting.Repository.UseCompatSSHURI = false
+	assert.Equal(t, "ssh://git@domain:123/user/repo.git", repo_model.ComposeSSHCloneURL("user", "repo"))
+	setting.Repository.UseCompatSSHURI = true
+	assert.Equal(t, "ssh://git@domain:123/user/repo.git", repo_model.ComposeSSHCloneURL("user", "repo"))
+
+	// test IPv6 SSH_DOMAIN
+	setting.Repository.UseCompatSSHURI = false
+	setting.SSH.Domain = "::1"
+	setting.SSH.Port = 22
+	assert.Equal(t, "git@[::1]:user/repo.git", repo_model.ComposeSSHCloneURL("user", "repo"))
+	setting.SSH.Port = 123
+	assert.Equal(t, "ssh://git@[::1]:123/user/repo.git", repo_model.ComposeSSHCloneURL("user", "repo"))
+}

models/repo/repo_unit.go

@@ -283,29 +283,3 @@ func UpdateRepoUnit(unit *RepoUnit) error {
 	_, err := db.GetEngine(db.DefaultContext).ID(unit.ID).Update(unit)
 	return err
 }
-
-// UpdateRepositoryUnits updates a repository's units
-func UpdateRepositoryUnits(repo *Repository, units []RepoUnit, deleteUnitTypes []unit.Type) (err error) {
-	ctx, committer, err := db.TxContext(db.DefaultContext)
-	if err != nil {
-		return err
-	}
-	defer committer.Close()
-
-	// Delete existing settings of units before adding again
-	for _, u := range units {
-		deleteUnitTypes = append(deleteUnitTypes, u.Type)
-	}
-
-	if _, err = db.GetEngine(ctx).Where("repo_id = ?", repo.ID).In("type", deleteUnitTypes).Delete(new(RepoUnit)); err != nil {
-		return err
-	}
-
-	if len(units) > 0 {
-		if err = db.Insert(ctx, units); err != nil {
-			return err
-		}
-	}
-
-	return committer.Commit()
-}

models/system/setting.go

@@ -81,7 +81,7 @@ func SetSettings(ctx context.Context, settings map[string]string) error {
 			return err
 		}
 		for k, v := range settings {
-			res, err := e.Exec("UPDATE system_setting SET setting_value=? WHERE setting_key=?", v, k)
+			res, err := e.Exec("UPDATE system_setting SET version=version+1, setting_value=? WHERE setting_key=?", v, k)
 			if err != nil {
 				return err
 			}
@@ -115,24 +115,26 @@ func (d *dbConfigCachedGetter) GetValue(ctx context.Context, key string) (v stri
 
 func (d *dbConfigCachedGetter) GetRevision(ctx context.Context) int {
 	d.mu.RLock()
-	defer d.mu.RUnlock()
-	if time.Since(d.cacheTime) < time.Second {
-		return d.revision
+	cachedDuration := time.Since(d.cacheTime)
+	cachedRevision := d.revision
+	d.mu.RUnlock()
+
+	if cachedDuration < time.Second {
+		return cachedRevision
 	}
+
+	d.mu.Lock()
+	defer d.mu.Unlock()
 	if GetRevision(ctx) != d.revision {
-		d.mu.RUnlock()
-		d.mu.Lock()
 		rev, set, err := GetAllSettings(ctx)
 		if err != nil {
 			log.Error("Unable to get all settings: %v", err)
 		} else {
-			d.cacheTime = time.Now()
 			d.revision = rev
 			d.settings = set
 		}
-		d.mu.Unlock()
-		d.mu.RLock()
 	}
+	d.cacheTime = time.Now()
 	return d.revision
 }
 

models/system/setting_test.go

@@ -39,4 +39,16 @@ func TestSettings(t *testing.T) {
 	assert.EqualValues(t, 3, rev)
 	assert.Len(t, settings, 2)
 	assert.EqualValues(t, "false", settings[keyName])
+
+	// setting the same value should not trigger DuplicateKey error, and the "version" should be increased
+	setting := &system.Setting{SettingKey: keyName}
+	_, err = db.GetByBean(db.DefaultContext, setting)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 2, setting.Version)
+	err = system.SetSettings(db.DefaultContext, map[string]string{keyName: "false"})
+	assert.NoError(t, err)
+	setting = &system.Setting{SettingKey: keyName}
+	_, err = db.GetByBean(db.DefaultContext, setting)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 3, setting.Version)
 }

models/user/user.go

@@ -705,9 +705,18 @@ func CreateUser(ctx context.Context, u *User, overwriteDefault ...*CreateUserOve
 	return committer.Commit()
 }
 
+// IsLastAdminUser check whether user is the last admin
+func IsLastAdminUser(ctx context.Context, user *User) bool {
+	if user.IsAdmin && CountUsers(ctx, &CountUserFilter{IsAdmin: util.OptionalBoolTrue}) <= 1 {
+		return true
+	}
+	return false
+}
+
 // CountUserFilter represent optional filters for CountUsers
 type CountUserFilter struct {
 	LastLoginSince *int64
+	IsAdmin        util.OptionalBool
 }
 
 // CountUsers returns number of users.
@@ -716,13 +725,25 @@ func CountUsers(ctx context.Context, opts *CountUserFilter) int64 {
 }
 
 func countUsers(ctx context.Context, opts *CountUserFilter) int64 {
-	sess := db.GetEngine(ctx).Where(builder.Eq{"type": "0"})
+	sess := db.GetEngine(ctx)
+	cond := builder.NewCond()
+	cond = cond.And(builder.Eq{"type": UserTypeIndividual})
 
-	if opts != nil && opts.LastLoginSince != nil {
-		sess = sess.Where(builder.Gte{"last_login_unix": *opts.LastLoginSince})
+	if opts != nil {
+		if opts.LastLoginSince != nil {
+			cond = cond.And(builder.Gte{"last_login_unix": *opts.LastLoginSince})
+		}
+
+		if !opts.IsAdmin.IsNone() {
+			cond = cond.And(builder.Eq{"is_admin": opts.IsAdmin.IsTrue()})
+		}
+	}
+
+	count, err := sess.Where(cond).Count(new(User))
+	if err != nil {
+		log.Error("user.countUsers: %v", err)
 	}
 
-	count, _ := sess.Count(new(User))
 	return count
 }
 
@@ -1205,6 +1226,8 @@ func isUserVisibleToViewerCond(viewer *User) builder.Cond {
 	return builder.Neq{
 		"`user`.visibility": structs.VisibleTypePrivate,
 	}.Or(
+		// viewer self
+		builder.Eq{"`user`.id": viewer.ID},
 		// viewer's following
 		builder.In("`user`.id",
 			builder.

models/user/user_system.go

@@ -36,6 +36,7 @@ func NewReplaceUser(name string) *User {
 }
 
 const (
+	GhostUserID     = -1
 	ActionsUserID   = -2
 	ActionsUserName = "gitea-actions"
 	ActionsFullName = "Gitea Actions"

models/webhook/webhook.go

@@ -392,39 +392,40 @@ func CreateWebhooks(ctx context.Context, ws []*Webhook) error {
 	return db.Insert(ctx, ws)
 }
 
-// getWebhook uses argument bean as query condition,
-// ID must be specified and do not assign unnecessary fields.
-func getWebhook(bean *Webhook) (*Webhook, error) {
-	has, err := db.GetEngine(db.DefaultContext).Get(bean)
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(ctx context.Context, id int64) (*Webhook, error) {
+	bean := new(Webhook)
+	has, err := db.GetEngine(ctx).ID(id).Get(bean)
 	if err != nil {
 		return nil, err
 	} else if !has {
-		return nil, ErrWebhookNotExist{ID: bean.ID}
+		return nil, ErrWebhookNotExist{ID: id}
 	}
 	return bean, nil
 }
 
-// GetWebhookByID returns webhook of repository by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
-	return getWebhook(&Webhook{
-		ID: id,
-	})
-}
-
 // GetWebhookByRepoID returns webhook of repository by given ID.
-func GetWebhookByRepoID(repoID, id int64) (*Webhook, error) {
-	return getWebhook(&Webhook{
-		ID:     id,
-		RepoID: repoID,
-	})
+func GetWebhookByRepoID(ctx context.Context, repoID, id int64) (*Webhook, error) {
+	webhook := new(Webhook)
+	has, err := db.GetEngine(ctx).Where("id=? AND repo_id=?", id, repoID).Get(webhook)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrWebhookNotExist{ID: id}
+	}
+	return webhook, nil
 }
 
 // GetWebhookByOwnerID returns webhook of a user or organization by given ID.
-func GetWebhookByOwnerID(ownerID, id int64) (*Webhook, error) {
-	return getWebhook(&Webhook{
-		ID:      id,
-		OwnerID: ownerID,
-	})
+func GetWebhookByOwnerID(ctx context.Context, ownerID, id int64) (*Webhook, error) {
+	webhook := new(Webhook)
+	has, err := db.GetEngine(ctx).Where("id=? AND owner_id=?", id, ownerID).Get(webhook)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrWebhookNotExist{ID: id}
+	}
+	return webhook, nil
 }
 
 // ListWebhookOptions are options to filter webhooks on ListWebhooksByOpts
@@ -482,20 +483,20 @@ func UpdateWebhookLastStatus(w *Webhook) error {
 	return err
 }
 
-// deleteWebhook uses argument bean as query condition,
+// DeleteWebhookByID uses argument bean as query condition,
 // ID must be specified and do not assign unnecessary fields.
-func deleteWebhook(bean *Webhook) (err error) {
-	ctx, committer, err := db.TxContext(db.DefaultContext)
+func DeleteWebhookByID(ctx context.Context, id int64) (err error) {
+	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return err
 	}
 	defer committer.Close()
 
-	if count, err := db.DeleteByBean(ctx, bean); err != nil {
+	if count, err := db.DeleteByID(ctx, id, new(Webhook)); err != nil {
 		return err
 	} else if count == 0 {
-		return ErrWebhookNotExist{ID: bean.ID}
-	} else if _, err = db.DeleteByBean(ctx, &HookTask{HookID: bean.ID}); err != nil {
+		return ErrWebhookNotExist{ID: id}
+	} else if _, err = db.DeleteByBean(ctx, &HookTask{HookID: id}); err != nil {
 		return err
 	}
 
@@ -503,17 +504,17 @@ func deleteWebhook(bean *Webhook) (err error) {
 }
 
 // DeleteWebhookByRepoID deletes webhook of repository by given ID.
-func DeleteWebhookByRepoID(repoID, id int64) error {
-	return deleteWebhook(&Webhook{
-		ID:     id,
-		RepoID: repoID,
-	})
+func DeleteWebhookByRepoID(ctx context.Context, repoID, id int64) error {
+	if _, err := GetWebhookByRepoID(ctx, repoID, id); err != nil {
+		return err
+	}
+	return DeleteWebhookByID(ctx, id)
 }
 
 // DeleteWebhookByOwnerID deletes webhook of a user or organization by given ID.
-func DeleteWebhookByOwnerID(ownerID, id int64) error {
-	return deleteWebhook(&Webhook{
-		ID:      id,
-		OwnerID: ownerID,
-	})
+func DeleteWebhookByOwnerID(ctx context.Context, ownerID, id int64) error {
+	if _, err := GetWebhookByOwnerID(ctx, ownerID, id); err != nil {
+		return err
+	}
+	return DeleteWebhookByID(ctx, id)
 }

models/webhook/webhook_test.go

@@ -101,22 +101,22 @@ func TestCreateWebhook(t *testing.T) {
 
 func TestGetWebhookByRepoID(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
-	hook, err := GetWebhookByRepoID(1, 1)
+	hook, err := GetWebhookByRepoID(db.DefaultContext, 1, 1)
 	assert.NoError(t, err)
 	assert.Equal(t, int64(1), hook.ID)
 
-	_, err = GetWebhookByRepoID(unittest.NonexistentID, unittest.NonexistentID)
+	_, err = GetWebhookByRepoID(db.DefaultContext, unittest.NonexistentID, unittest.NonexistentID)
 	assert.Error(t, err)
 	assert.True(t, IsErrWebhookNotExist(err))
 }
 
 func TestGetWebhookByOwnerID(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
-	hook, err := GetWebhookByOwnerID(3, 3)
+	hook, err := GetWebhookByOwnerID(db.DefaultContext, 3, 3)
 	assert.NoError(t, err)
 	assert.Equal(t, int64(3), hook.ID)
 
-	_, err = GetWebhookByOwnerID(unittest.NonexistentID, unittest.NonexistentID)
+	_, err = GetWebhookByOwnerID(db.DefaultContext, unittest.NonexistentID, unittest.NonexistentID)
 	assert.Error(t, err)
 	assert.True(t, IsErrWebhookNotExist(err))
 }
@@ -174,10 +174,10 @@ func TestUpdateWebhook(t *testing.T) {
 func TestDeleteWebhookByRepoID(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	unittest.AssertExistsAndLoadBean(t, &Webhook{ID: 2, RepoID: 1})
-	assert.NoError(t, DeleteWebhookByRepoID(1, 2))
+	assert.NoError(t, DeleteWebhookByRepoID(db.DefaultContext, 1, 2))
 	unittest.AssertNotExistsBean(t, &Webhook{ID: 2, RepoID: 1})
 
-	err := DeleteWebhookByRepoID(unittest.NonexistentID, unittest.NonexistentID)
+	err := DeleteWebhookByRepoID(db.DefaultContext, unittest.NonexistentID, unittest.NonexistentID)
 	assert.Error(t, err)
 	assert.True(t, IsErrWebhookNotExist(err))
 }
@@ -185,10 +185,10 @@ func TestDeleteWebhookByRepoID(t *testing.T) {
 func TestDeleteWebhookByOwnerID(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	unittest.AssertExistsAndLoadBean(t, &Webhook{ID: 3, OwnerID: 3})
-	assert.NoError(t, DeleteWebhookByOwnerID(3, 3))
+	assert.NoError(t, DeleteWebhookByOwnerID(db.DefaultContext, 3, 3))
 	unittest.AssertNotExistsBean(t, &Webhook{ID: 3, OwnerID: 3})
 
-	err := DeleteWebhookByOwnerID(unittest.NonexistentID, unittest.NonexistentID)
+	err := DeleteWebhookByOwnerID(db.DefaultContext, unittest.NonexistentID, unittest.NonexistentID)
 	assert.Error(t, err)
 	assert.True(t, IsErrWebhookNotExist(err))
 }

modules/actions/github.go

@@ -22,6 +22,7 @@ const (
 	GithubEventRelease                  = "release"
 	GithubEventPullRequestComment       = "pull_request_comment"
 	GithubEventGollum                   = "gollum"
+	GithubEventSchedule                 = "schedule"
 )
 
 // canGithubEventMatch check if the input Github event can match any Gitea event.
@@ -69,6 +70,9 @@ func canGithubEventMatch(eventName string, triggedEvent webhook_module.HookEvent
 			return false
 		}
 
+	case GithubEventSchedule:
+		return triggedEvent == webhook_module.HookEventSchedule
+
 	default:
 		return eventName == string(triggedEvent)
 	}

modules/actions/workflows.go

@@ -22,7 +22,7 @@ import (
 
 type DetectedWorkflow struct {
 	EntryName    string
-	TriggerEvent string
+	TriggerEvent *jobparser.Event
 	Content      []byte
 }
 
@@ -100,6 +100,7 @@ func DetectWorkflows(
 	commit *git.Commit,
 	triggedEvent webhook_module.HookEventType,
 	payload api.Payloader,
+	detectSchedule bool,
 ) ([]*DetectedWorkflow, []*DetectedWorkflow, error) {
 	entries, err := ListWorkflows(commit)
 	if err != nil {
@@ -114,6 +115,7 @@ func DetectWorkflows(
 			return nil, nil, err
 		}
 
+		// one workflow may have multiple events
 		events, err := GetEventsFromContent(content)
 		if err != nil {
 			log.Warn("ignore invalid workflow %q: %v", entry.Name(), err)
@@ -122,17 +124,18 @@ func DetectWorkflows(
 		for _, evt := range events {
 			log.Trace("detect workflow %q for event %#v matching %q", entry.Name(), evt, triggedEvent)
 			if evt.IsSchedule() {
-				dwf := &DetectedWorkflow{
-					EntryName:    entry.Name(),
-					TriggerEvent: evt.Name,
-					Content:      content,
+				if detectSchedule {
+					dwf := &DetectedWorkflow{
+						EntryName:    entry.Name(),
+						TriggerEvent: evt,
+						Content:      content,
+					}
+					schedules = append(schedules, dwf)
 				}
-				schedules = append(schedules, dwf)
-			}
-			if detectMatched(gitRepo, commit, triggedEvent, payload, evt) {
+			} else if detectMatched(gitRepo, commit, triggedEvent, payload, evt) {
 				dwf := &DetectedWorkflow{
 					EntryName:    entry.Name(),
-					TriggerEvent: evt.Name,
+					TriggerEvent: evt,
 					Content:      content,
 				}
 				workflows = append(workflows, dwf)
@@ -153,7 +156,8 @@ func detectMatched(gitRepo *git.Repository, commit *git.Commit, triggedEvent web
 		webhook_module.HookEventCreate,
 		webhook_module.HookEventDelete,
 		webhook_module.HookEventFork,
-		webhook_module.HookEventWiki:
+		webhook_module.HookEventWiki,
+		webhook_module.HookEventSchedule:
 		if len(evt.Acts()) != 0 {
 			log.Warn("Ignore unsupported %s event arguments %v", triggedEvent, evt.Acts())
 		}

modules/actions/workflows_test.go

@@ -118,6 +118,13 @@ func TestDetectMatched(t *testing.T) {
 			yamlOn:       "on: gollum",
 			expected:     true,
 		},
+		{
+			desc:         "HookEventSchedue(schedule) matches GithubEventSchedule(schedule)",
+			triggedEvent: webhook_module.HookEventSchedule,
+			payload:      nil,
+			yamlOn:       "on: schedule",
+			expected:     true,
+		},
 	}
 
 	for _, tc := range testCases {

modules/charset/escape.go

@@ -8,11 +8,12 @@
 package charset
 
 import (
-	"bufio"
+	"html/template"
 	"io"
 	"strings"
 
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/translation"
 )
 
@@ -20,20 +21,18 @@ import (
 const RuneNBSP = 0xa0
 
 // EscapeControlHTML escapes the unicode control sequences in a provided html document
-func EscapeControlHTML(text string, locale translation.Locale, allowed ...rune) (escaped *EscapeStatus, output string) {
+func EscapeControlHTML(html template.HTML, locale translation.Locale, allowed ...rune) (escaped *EscapeStatus, output template.HTML) {
 	sb := &strings.Builder{}
-	outputStream := &HTMLStreamerWriter{Writer: sb}
-	streamer := NewEscapeStreamer(locale, outputStream, allowed...).(*escapeStreamer)
-
-	if err := StreamHTML(strings.NewReader(text), streamer); err != nil {
-		streamer.escaped.HasError = true
-		log.Error("Error whilst escaping: %v", err)
-	}
-	return streamer.escaped, sb.String()
+	escaped, _ = EscapeControlReader(strings.NewReader(string(html)), sb, locale, allowed...) // err has been handled in EscapeControlReader
+	return escaped, template.HTML(sb.String())
 }
 
-// EscapeControlReaders escapes the unicode control sequences in a provided reader of HTML content and writer in a locale and returns the findings as an EscapeStatus and the escaped []byte
+// EscapeControlReader escapes the unicode control sequences in a provided reader of HTML content and writer in a locale and returns the findings as an EscapeStatus
 func EscapeControlReader(reader io.Reader, writer io.Writer, locale translation.Locale, allowed ...rune) (escaped *EscapeStatus, err error) {
+	if !setting.UI.AmbiguousUnicodeDetection {
+		_, err = io.Copy(writer, reader)
+		return &EscapeStatus{}, err
+	}
 	outputStream := &HTMLStreamerWriter{Writer: writer}
 	streamer := NewEscapeStreamer(locale, outputStream, allowed...).(*escapeStreamer)
 
@@ -43,41 +42,3 @@ func EscapeControlReader(reader io.Reader, writer io.Writer, locale translation.
 	}
 	return streamer.escaped, err
 }
-
-// EscapeControlStringReader escapes the unicode control sequences in a provided reader of string content and writer in a locale and returns the findings as an EscapeStatus and the escaped []byte. HTML line breaks are not inserted after every newline by this method.
-func EscapeControlStringReader(reader io.Reader, writer io.Writer, locale translation.Locale, allowed ...rune) (escaped *EscapeStatus, err error) {
-	bufRd := bufio.NewReader(reader)
-	outputStream := &HTMLStreamerWriter{Writer: writer}
-	streamer := NewEscapeStreamer(locale, outputStream, allowed...).(*escapeStreamer)
-
-	for {
-		line, rdErr := bufRd.ReadString('\n')
-		if len(line) > 0 {
-			if err := streamer.Text(line); err != nil {
-				streamer.escaped.HasError = true
-				log.Error("Error whilst escaping: %v", err)
-				return streamer.escaped, err
-			}
-		}
-		if rdErr != nil {
-			if rdErr != io.EOF {
-				err = rdErr
-			}
-			break
-		}
-	}
-	return streamer.escaped, err
-}
-
-// EscapeControlString escapes the unicode control sequences in a provided string and returns the findings as an EscapeStatus and the escaped string
-func EscapeControlString(text string, locale translation.Locale, allowed ...rune) (escaped *EscapeStatus, output string) {
-	sb := &strings.Builder{}
-	outputStream := &HTMLStreamerWriter{Writer: sb}
-	streamer := NewEscapeStreamer(locale, outputStream, allowed...).(*escapeStreamer)
-
-	if err := streamer.Text(text); err != nil {
-		streamer.escaped.HasError = true
-		log.Error("Error whilst escaping: %v", err)
-	}
-	return streamer.escaped, sb.String()
-}

modules/charset/escape_stream.go

@@ -64,7 +64,7 @@ func (e *escapeStreamer) Text(data string) error {
 			until, next = nextIdxs[0]+pos, nextIdxs[1]+pos
 		}
 
-		// from pos until until we know that the runes are not \r\t\n or even ' '
+		// from pos until we know that the runes are not \r\t\n or even ' '
 		runes := make([]rune, 0, next-until)
 		positions := make([]int, 0, next-until+1)
 

modules/charset/escape_test.go

@@ -4,11 +4,14 @@
 package charset
 
 import (
-	"reflect"
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/modules/translation"
+
+	"github.com/stretchr/testify/assert"
 )
 
 type escapeControlTest struct {
@@ -132,22 +135,8 @@ then resh (ר), and finally heh (ה) (which should appear leftmost).`,
 	},
 }
 
-func TestEscapeControlString(t *testing.T) {
-	for _, tt := range escapeControlTests {
-		t.Run(tt.name, func(t *testing.T) {
-			status, result := EscapeControlString(tt.text, &translation.MockLocale{})
-			if !reflect.DeepEqual(*status, tt.status) {
-				t.Errorf("EscapeControlString() status = %v, wanted= %v", status, tt.status)
-			}
-			if result != tt.result {
-				t.Errorf("EscapeControlString()\nresult= %v,\nwanted= %v", result, tt.result)
-			}
-		})
-	}
-}
-
 func TestEscapeControlReader(t *testing.T) {
-	// lets add some control characters to the tests
+	// add some control characters to the tests
 	tests := make([]escapeControlTest, 0, len(escapeControlTests)*3)
 	copy(tests, escapeControlTests)
 
@@ -169,29 +158,20 @@ func TestEscapeControlReader(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			input := strings.NewReader(tt.text)
 			output := &strings.Builder{}
-			status, err := EscapeControlReader(input, output, &translation.MockLocale{})
-			result := output.String()
-			if err != nil {
-				t.Errorf("EscapeControlReader(): err = %v", err)
-			}
-
-			if !reflect.DeepEqual(*status, tt.status) {
-				t.Errorf("EscapeControlReader() status = %v, wanted= %v", status, tt.status)
-			}
-			if result != tt.result {
-				t.Errorf("EscapeControlReader()\nresult= %v,\nwanted= %v", result, tt.result)
-			}
+			status, err := EscapeControlReader(strings.NewReader(tt.text), output, &translation.MockLocale{})
+			assert.NoError(t, err)
+			assert.Equal(t, tt.status, *status)
+			assert.Equal(t, tt.result, output.String())
 		})
 	}
 }
 
-func TestEscapeControlReader_panic(t *testing.T) {
-	bs := make([]byte, 0, 20479)
-	bs = append(bs, 'A')
-	for i := 0; i < 6826; i++ {
-		bs = append(bs, []byte("—")...)
-	}
-	_, _ = EscapeControlString(string(bs), &translation.MockLocale{})
+func TestSettingAmbiguousUnicodeDetection(t *testing.T) {
+	defer test.MockVariableValue(&setting.UI.AmbiguousUnicodeDetection, true)()
+	_, out := EscapeControlHTML("a test", &translation.MockLocale{})
+	assert.EqualValues(t, `a<span class="escaped-code-point" data-escaped="[U+00A0]"><span class="char"> </span></span>test`, out)
+	setting.UI.AmbiguousUnicodeDetection = false
+	_, out = EscapeControlHTML("a test", &translation.MockLocale{})
+	assert.EqualValues(t, `a test`, out)
 }

modules/context/api.go

@@ -11,7 +11,6 @@ import (
 	"net/url"
 	"strings"
 
-	"code.gitea.io/gitea/models/auth"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
@@ -205,32 +204,6 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }
 
-// CheckForOTP validates OTP
-func (ctx *APIContext) CheckForOTP() {
-	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
-		return // Skip 2FA
-	}
-
-	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
-	twofa, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID)
-	if err != nil {
-		if auth.IsErrTwoFactorNotEnrolled(err) {
-			return // No 2FA enrollment for this user
-		}
-		ctx.Error(http.StatusInternalServerError, "GetTwoFactorByUID", err)
-		return
-	}
-	ok, err := twofa.ValidateTOTP(otpHeader)
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err)
-		return
-	}
-	if !ok {
-		ctx.Error(http.StatusUnauthorized, "", nil)
-		return
-	}
-}
-
 // APIContexter returns apicontext as middleware
 func APIContexter() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {

modules/context/context.go

@@ -157,7 +157,6 @@ func Contexter() func(next http.Handler) http.Handler {
 			ctx.Data["Context"] = ctx // TODO: use "ctx" in template and remove this
 			ctx.Data["CurrentURL"] = setting.AppSubURL + req.URL.RequestURI()
 			ctx.Data["Link"] = ctx.Link
-			ctx.Data["locale"] = ctx.Locale
 
 			// PageData is passed by reference, and it will be rendered to `window.config.pageData` in `head.tmpl` for JavaScript modules
 			ctx.PageData = map[string]any{}

modules/context/repo.go

@@ -560,6 +560,7 @@ func RepoAssignment(ctx *Context) context.CancelFunc {
 	ctx.Data["CanWriteCode"] = ctx.Repo.CanWrite(unit_model.TypeCode)
 	ctx.Data["CanWriteIssues"] = ctx.Repo.CanWrite(unit_model.TypeIssues)
 	ctx.Data["CanWritePulls"] = ctx.Repo.CanWrite(unit_model.TypePullRequests)
+	ctx.Data["CanWriteActions"] = ctx.Repo.CanWrite(unit_model.TypeActions)
 
 	canSignedUserFork, err := repo_module.CanUserForkRepo(ctx, ctx.Doer, ctx.Repo.Repository)
 	if err != nil {

modules/doctor/dbconsistency.go

@@ -6,6 +6,7 @@ package doctor
 import (
 	"context"
 
+	actions_model "code.gitea.io/gitea/models/actions"
 	activities_model "code.gitea.io/gitea/models/activities"
 	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
@@ -151,6 +152,12 @@ func checkDBConsistency(ctx context.Context, logger log.Logger, autofix bool) er
 			Fixer:        activities_model.FixActionCreatedUnixString,
 			FixedMessage: "Set to zero",
 		},
+		{
+			Name:         "Action Runners without existing owner",
+			Counter:      actions_model.CountRunnersWithoutBelongingOwner,
+			Fixer:        actions_model.FixRunnersWithoutBelongingOwner,
+			FixedMessage: "Removed",
+		},
 	}
 
 	// TODO: function to recalc all counters

modules/doctor/doctor.go

@@ -79,6 +79,7 @@ var Checks []*Check
 
 // RunChecks runs the doctor checks for the provided list
 func RunChecks(ctx context.Context, colorize, autofix bool, checks []*Check) error {
+	SortChecks(checks)
 	// the checks output logs by a special logger, they do not use the default logger
 	logger := log.BaseLoggerToGeneralLogger(&doctorCheckLogger{colorize: colorize})
 	loggerStep := log.BaseLoggerToGeneralLogger(&doctorCheckStepLogger{colorize: colorize})
@@ -104,20 +105,23 @@ func RunChecks(ctx context.Context, colorize, autofix bool, checks []*Check) err
 			logger.Info("OK")
 		}
 	}
-	logger.Info("\nAll done.")
+	logger.Info("\nAll done (checks: %d).", len(checks))
 	return nil
 }
 
 // Register registers a command with the list
 func Register(command *Check) {
 	Checks = append(Checks, command)
-	sort.SliceStable(Checks, func(i, j int) bool {
-		if Checks[i].Priority == Checks[j].Priority {
-			return Checks[i].Name < Checks[j].Name
+}
+
+func SortChecks(checks []*Check) {
+	sort.SliceStable(checks, func(i, j int) bool {
+		if checks[i].Priority == checks[j].Priority {
+			return checks[i].Name < checks[j].Name
 		}
-		if Checks[i].Priority == 0 {
+		if checks[i].Priority == 0 {
 			return false
 		}
-		return Checks[i].Priority < Checks[j].Priority
+		return checks[i].Priority < checks[j].Priority
 	})
 }

modules/doctor/repository.go

@@ -0,0 +1,75 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package doctor
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/storage"
+	repo_service "code.gitea.io/gitea/services/repository"
+
+	"xorm.io/builder"
+)
+
+func handleDeleteOrphanedRepos(ctx context.Context, logger log.Logger, autofix bool) error {
+	test := &consistencyCheck{
+		Name:         "Repos with no existing owner",
+		Counter:      countOrphanedRepos,
+		Fixer:        deleteOrphanedRepos,
+		FixedMessage: "Deleted all content related to orphaned repos",
+	}
+	return test.Run(ctx, logger, autofix)
+}
+
+// countOrphanedRepos count repository where user of owner_id do not exist
+func countOrphanedRepos(ctx context.Context) (int64, error) {
+	return db.CountOrphanedObjects(ctx, "repository", "user", "repository.owner_id=`user`.id")
+}
+
+// deleteOrphanedRepos delete repository where user of owner_id do not exist
+func deleteOrphanedRepos(ctx context.Context) (int64, error) {
+	if err := storage.Init(); err != nil {
+		return 0, err
+	}
+
+	batchSize := db.MaxBatchInsertSize("repository")
+	e := db.GetEngine(ctx)
+	var deleted int64
+	adminUser := &user_model.User{IsAdmin: true}
+
+	for {
+		var ids []int64
+		if err := e.Table("`repository`").
+			Join("LEFT", "`user`", "repository.owner_id=`user`.id").
+			Where(builder.IsNull{"`user`.id"}).
+			Select("`repository`.id").Limit(batchSize).Find(&ids); err != nil {
+			return deleted, err
+		}
+
+		// if we don't get ids we have deleted them all
+		if len(ids) == 0 {
+			return deleted, nil
+		}
+
+		for _, id := range ids {
+			if err := repo_service.DeleteRepositoryDirectly(ctx, adminUser, 0, id, true); err != nil {
+				return deleted, err
+			}
+			deleted++
+		}
+	}
+}
+
+func init() {
+	Register(&Check{
+		Title:     "Deleted all content related to orphaned repos",
+		Name:      "delete-orphaned-repos",
+		IsDefault: false,
+		Run:       handleDeleteOrphanedRepos,
+		Priority:  4,
+	})
+}

modules/git/blame.go

@@ -11,6 +11,7 @@ import (
 	"io"
 	"os"
 	"regexp"
+	"strings"
 
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/util"
@@ -18,8 +19,10 @@ import (
 
 // BlamePart represents block of blame - continuous lines with one sha
 type BlamePart struct {
-	Sha   string
-	Lines []string
+	Sha          string
+	Lines        []string
+	PreviousSha  string
+	PreviousPath string
 }
 
 // BlameReader returns part of file blame one by one
@@ -43,30 +46,38 @@ func (r *BlameReader) NextPart() (*BlamePart, error) {
 	var blamePart *BlamePart
 
 	if r.lastSha != nil {
-		blamePart = &BlamePart{*r.lastSha, make([]string, 0)}
+		blamePart = &BlamePart{
+			Sha:   *r.lastSha,
+			Lines: make([]string, 0),
+		}
 	}
 
-	var line []byte
+	var lineBytes []byte
 	var isPrefix bool
 	var err error
 
 	for err != io.EOF {
-		line, isPrefix, err = r.bufferedReader.ReadLine()
+		lineBytes, isPrefix, err = r.bufferedReader.ReadLine()
 		if err != nil && err != io.EOF {
 			return blamePart, err
 		}
 
-		if len(line) == 0 {
+		if len(lineBytes) == 0 {
 			// isPrefix will be false
 			continue
 		}
 
-		lines := shaLineRegex.FindSubmatch(line)
+		line := string(lineBytes)
+
+		lines := shaLineRegex.FindStringSubmatch(line)
 		if lines != nil {
-			sha1 := string(lines[1])
+			sha1 := lines[1]
 
 			if blamePart == nil {
-				blamePart = &BlamePart{sha1, make([]string, 0)}
+				blamePart = &BlamePart{
+					Sha:   sha1,
+					Lines: make([]string, 0),
+				}
 			}
 
 			if blamePart.Sha != sha1 {
@@ -81,9 +92,11 @@ func (r *BlameReader) NextPart() (*BlamePart, error) {
 				return blamePart, nil
 			}
 		} else if line[0] == '\t' {
-			code := line[1:]
-
-			blamePart.Lines = append(blamePart.Lines, string(code))
+			blamePart.Lines = append(blamePart.Lines, line[1:])
+		} else if strings.HasPrefix(line, "previous ") {
+			parts := strings.SplitN(line[len("previous "):], " ", 2)
+			blamePart.PreviousSha = parts[0]
+			blamePart.PreviousPath = parts[1]
 		}
 
 		// need to munch to end of line...

modules/git/blame_test.go

@@ -24,15 +24,17 @@ func TestReadingBlameOutput(t *testing.T) {
 
 		parts := []*BlamePart{
 			{
-				"72866af952e98d02a73003501836074b286a78f6",
-				[]string{
+				Sha: "72866af952e98d02a73003501836074b286a78f6",
+				Lines: []string{
 					"# test_repo",
 					"Test repository for testing migration from github to gitea",
 				},
 			},
 			{
-				"f32b0a9dfd09a60f616f29158f772cedd89942d2",
-				[]string{"", "Do not make any changes to this repo it is used for unit testing"},
+				Sha:          "f32b0a9dfd09a60f616f29158f772cedd89942d2",
+				Lines:        []string{"", "Do not make any changes to this repo it is used for unit testing"},
+				PreviousSha:  "72866af952e98d02a73003501836074b286a78f6",
+				PreviousPath: "README.md",
 			},
 		}
 
@@ -64,16 +66,18 @@ func TestReadingBlameOutput(t *testing.T) {
 
 		full := []*BlamePart{
 			{
-				"af7486bd54cfc39eea97207ca666aa69c9d6df93",
-				[]string{"line", "line"},
+				Sha:   "af7486bd54cfc39eea97207ca666aa69c9d6df93",
+				Lines: []string{"line", "line"},
 			},
 			{
-				"45fb6cbc12f970b04eacd5cd4165edd11c8d7376",
-				[]string{"changed line"},
+				Sha:          "45fb6cbc12f970b04eacd5cd4165edd11c8d7376",
+				Lines:        []string{"changed line"},
+				PreviousSha:  "af7486bd54cfc39eea97207ca666aa69c9d6df93",
+				PreviousPath: "blame.txt",
 			},
 			{
-				"af7486bd54cfc39eea97207ca666aa69c9d6df93",
-				[]string{"line", "line", ""},
+				Sha:   "af7486bd54cfc39eea97207ca666aa69c9d6df93",
+				Lines: []string{"line", "line", ""},
 			},
 		}
 
@@ -89,8 +93,8 @@ func TestReadingBlameOutput(t *testing.T) {
 				Bypass:         false,
 				Parts: []*BlamePart{
 					{
-						"af7486bd54cfc39eea97207ca666aa69c9d6df93",
-						[]string{"line", "line", "changed line", "line", "line", ""},
+						Sha:   "af7486bd54cfc39eea97207ca666aa69c9d6df93",
+						Lines: []string{"line", "line", "changed line", "line", "line", ""},
 					},
 				},
 			},

modules/git/command.go

@@ -14,7 +14,6 @@ import (
 	"os/exec"
 	"strings"
 	"time"
-	"unsafe"
 
 	"code.gitea.io/gitea/modules/git/internal" //nolint:depguard // only this file can use the internal type CmdArg, other files and packages should use AddXxx functions
 	"code.gitea.io/gitea/modules/log"
@@ -389,15 +388,11 @@ func (r *runStdError) IsExitCode(code int) bool {
 	return false
 }
 
-func bytesToString(b []byte) string {
-	return *(*string)(unsafe.Pointer(&b)) // that's what Golang's strings.Builder.String() does (go/src/strings/builder.go)
-}
-
 // RunStdString runs the command with options and returns stdout/stderr as string. and store stderr to returned error (err combined with stderr).
 func (c *Command) RunStdString(opts *RunOpts) (stdout, stderr string, runErr RunStdError) {
 	stdoutBytes, stderrBytes, err := c.RunStdBytes(opts)
-	stdout = bytesToString(stdoutBytes)
-	stderr = bytesToString(stderrBytes)
+	stdout = util.UnsafeBytesToString(stdoutBytes)
+	stderr = util.UnsafeBytesToString(stderrBytes)
 	if err != nil {
 		return stdout, stderr, &runStdError{err: err, stderr: stderr}
 	}
@@ -432,7 +427,7 @@ func (c *Command) RunStdBytes(opts *RunOpts) (stdout, stderr []byte, runErr RunS
 	err := c.Run(newOpts)
 	stderr = stderrBuf.Bytes()
 	if err != nil {
-		return nil, stderr, &runStdError{err: err, stderr: bytesToString(stderr)}
+		return nil, stderr, &runStdError{err: err, stderr: util.UnsafeBytesToString(stderr)}
 	}
 	// even if there is no err, there could still be some stderr output
 	return stdoutBuf.Bytes(), stderr, nil

modules/git/commit.go

@@ -43,8 +43,9 @@ func (c *Commit) Message() string {
 }
 
 // Summary returns first line of commit message.
+// The string is forced to be valid UTF8
 func (c *Commit) Summary() string {
-	return strings.Split(strings.TrimSpace(c.CommitMessage), "\n")[0]
+	return strings.ToValidUTF8(strings.Split(strings.TrimSpace(c.CommitMessage), "\n")[0], "?")
 }
 
 // ParentID returns oid of n-th parent (0-based index).

modules/git/foreachref/format_test.go

@@ -49,9 +49,9 @@ func TestFormat_Flag(t *testing.T) {
 		{
 			name: "multiple fields",
 
-			givenFormat: foreachref.NewFormat("refname:short", "objecttype", "objectname"),
+			givenFormat: foreachref.NewFormat("refname:lstrip=2", "objecttype", "objectname"),
 
-			wantFlag: "refname:short %(refname:short)%00objecttype %(objecttype)%00objectname %(objectname)%00%00",
+			wantFlag: "refname:lstrip=2 %(refname:lstrip=2)%00objecttype %(objecttype)%00objectname %(objectname)%00%00",
 		},
 	}