agentboard/project-api-pr37518 #1
Assignees
killingdruid
Clear assignees
killingdruid
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: killingdruid/gitea#1
Reference in New Issue
Block a user
Delete Branch "agentboard/project-api-pr37518"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Please check the following:
mainbranch, pull requests on release branches are only allowed for backports.---.DeleteCollaborationtransaction behaviour (#28886) 8e9b6817bcMigrateRepositoryfor the actions notifier (#28920) 071b7b2a03/from relative links (#28932) 01acd1eea3## Purpose This is a refactor toward building an abstraction over managing git repositories. Afterwards, it does not matter anymore if they are stored on the local disk or somewhere remote. ## What this PR changes We used `git.OpenRepository` everywhere previously. Now, we should split them into two distinct functions: Firstly, there are temporary repositories which do not change: ```go git.OpenRepository(ctx, diskPath) ``` Gitea managed repositories having a record in the database in the `repository` table are moved into the new package `gitrepo`: ```go gitrepo.OpenRepository(ctx, repo_model.Repo) ``` Why is `repo_model.Repository` the second parameter instead of file path? Because then we can easily adapt our repository storage strategy. The repositories can be stored locally, however, they could just as well be stored on a remote server. ## Further changes in other PRs - A Git Command wrapper on package `gitrepo` could be created. i.e. `NewCommand(ctx, repo_model.Repository, commands...)`. `git.RunOpts{Dir: repo.RepoPath()}`, the directory should be empty before invoking this method and it can be filled in the function only. #28940 - Remove the `RepoPath()`/`WikiPath()` functions to reduce the possibility of mistakes. --------- Co-authored-by: delvh <dev.lh@web.de>ENABLEsetting (#28951) d9b3849454db.Find(AndCount)(#28978) 27d4c11ec3SubscribeandFollow(#28908) 3e8414179ces2020browsers (#28977) a062725758must-change-passwordcli parameter (#27626) 9bea276055WatchorStar(#29001) 6992ef98fcOutgoing new release e-mail notifications were missing links to the actual release. An example from Codeberg.org e-mail: <a href=3D"">View it on Codeberg.org</a>.<br/> This PR adds `"Link"` context property pointing to the release on the web interface. The change was tested using `[mailer] PROTOCOL=dummy`. Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>lint-spell(#29106) 9c39f8515ffast-forward-only(#28954) 47b5965862View at this point in historyfor every commit (#29122) b85e4a64faKeyID. (#29167) 155269fa58- Refactor the system status list into its own template - Change the backend to return only the system status if htmx initiated the request - `hx-get="{{$.Link}}/system_status`: reuse the backend handler - `hx-swap="innerHTML"`: replace the `<div>`'s innerHTML (essentially the new template) - `hx-trigger="every 5s"`: call every 5 seconds - `hx-indicator=".divider"`: the `is-loading` class shouldn't be added to the div during the request, so set it on an element it has no effect on - Render "Since Last GC Time" with `<relative-time>`, so we send a timestamp # Auto-update in action GIF  --------- Signed-off-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: silverwind <me@silverwind.io>keyssettings (#29194) 7132a0ba75initCompLabelEditnot being called (#29198) 2d8756a960eslint-plugin-githuband fix issues (#29201) 26b17537e6no-trailing-punctuationandno-blanks-blockquote(#29214) b96fbb567cforpointing to anameinstead ofidin webhook settings (#29209) 0157db84b1initUserAuthLinkAccountViewfrom "link account" page (#29217) 3da2c63354ctx.Doerwhen reset password (#29289) 22b8de85ddgit cat-filesession. (#29298) f74c869221git cat-file(#29297) d6811baf88* use `setup(ctx, c.Bool("debug"))` like all other callers * `setting.RunMode = "dev"` is a no-op. * `if _, err := os.Stat(setting.RepoRootPath); err != nil` could be simplifiedissue_commentworkflow trigger event (#29277) a4fe1cdf38util.OptionalBooltooptional.Option[bool](#29329) 7fbdb60fc1linguist-detectableandlinguist-documentation(#29267) 2a278b996fAdds a new API `/repos/{owner}/{repo}/commits/{sha}/pull` that allows you to get the merged PR associated to a commit. --------- Co-authored-by: 6543 <6543@obermui.de>readpermission of pull requests can be assigned too (#27263) 98ab9445d1copybutton event handler (#29379) 736c98be5cio.Closerguidelines (#29387) ad0a34b492crypto/sha256(#29386) f79c9e817anoarchpackages into other architectures index (#29137) 1c6858543cThis will get tailwindcss working on a basic level. It provides only the utility classes, e.g. no tailwind base which we don't need because we have our own CSS reset. Without the base, we also do not have their CSS variables so a small amount of features do not work and I removed the generated classes for them. ***Note for future developers: This currently uses a `tw-` prefix, so we use it like `tw-p-3`.*** <details> <summary>Currently added CSS, all false-positives</summary> ``` .\!visible{ visibility: visible !important } .visible{ visibility: visible } .invisible{ visibility: hidden } .collapse{ visibility: collapse } .static{ position: static } .\!fixed{ position: fixed !important } .absolute{ position: absolute } .relative{ position: relative } .sticky{ position: sticky } .left-10{ left: 2.5rem } .isolate{ isolation: isolate } .float-right{ float: right } .float-left{ float: left } .mr-2{ margin-right: 0.5rem } .mr-3{ margin-right: 0.75rem } .\!block{ display: block !important } .block{ display: block } .inline-block{ display: inline-block } .inline{ display: inline } .flex{ display: flex } .inline-flex{ display: inline-flex } .\!table{ display: table !important } .inline-table{ display: inline-table } .table-caption{ display: table-caption } .table-cell{ display: table-cell } .table-column{ display: table-column } .table-column-group{ display: table-column-group } .table-footer-group{ display: table-footer-group } .table-header-group{ display: table-header-group } .table-row-group{ display: table-row-group } .table-row{ display: table-row } .flow-root{ display: flow-root } .inline-grid{ display: inline-grid } .contents{ display: contents } .list-item{ display: list-item } .\!hidden{ display: none !important } .hidden{ display: none } .flex-shrink{ flex-shrink: 1 } .shrink{ flex-shrink: 1 } .flex-grow{ flex-grow: 1 } .grow{ flex-grow: 1 } .border-collapse{ border-collapse: collapse } .select-all{ user-select: all } .resize{ resize: both } .flex-wrap{ flex-wrap: wrap } .overflow-visible{ overflow: visible } .rounded{ border-radius: 0.25rem } .border{ border-width: 1px } .text-justify{ text-align: justify } .uppercase{ text-transform: uppercase } .lowercase{ text-transform: lowercase } .capitalize{ text-transform: capitalize } .italic{ font-style: italic } .text-red{ color: var(--color-red) } .text-shadow{ color: var(--color-shadow) } .underline{ text-decoration-line: underline } .overline{ text-decoration-line: overline } .line-through{ text-decoration-line: line-through } .outline{ outline-style: solid } .ease-in{ transition-timing-function: cubic-bezier(0.4, 0, 1, 1) } .ease-in-out{ transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1) } .ease-out{ transition-timing-function: cubic-bezier(0, 0, 0.2, 1) } ``` </details> --------- Co-authored-by: Giteabot <teabot@gitea.io>!important(#29437) e55926ebfeDEFAULT_ACTIONS_URL(#29442) 6ed74a3fc7gt-[wh]-helper classes (#29423) 9a8c90ee18ifisalways()(#29464) d0fe6ea4e1processWindowErrorEvent(#29407) 6d9b7253a2AppSubURL(#29459) a6fd0176deThis PR touches the most interesting part of the "template refactoring". 1. Unclear variable type. Especially for "web/feed/convert.go": sometimes it uses text, sometimes it uses HTML. 2. Assign text content to "RenderedContent" field, for example: ` project.RenderedContent = project.Description` in web/org/projects.go 3. Assign rendered content to text field, for example: `r.Note = rendered content` in web/repo/release.go 4. (possible) Incorrectly calling `{{Str2html .PackageDescriptor.Metadata.ReleaseNotes}}` in package/content/nuget.tmpl, I guess the name Str2html misleads developers to use it to "render string to html", but it only sanitizes. if ReleaseNotes really contains HTML, then this is not a problem.skippedif job is skipped (#29489) cee08f6347__debug_bin*which is generated by vscode when debugging (#29524) 6841e58d1fBefore this change, if we had more than 200 entries being deferred in loading, the entire table would get replaced thus losing any event listeners attached to the elements within the table, such as the elipsis button and commit list with tippy. With this change we remove the previous javascript code that replaced the table and use htmx to replace the table. htmx attributes added: - `hx-indicator="tr.notready td.message span"`: attach the loading spinner to the files whose last commit is still being loaded - `hx-trigger="load"` trigger the request-replace behavior as soon as possible - `hx-swap="morph"`: use the idiomorph morphing algorithm, this is the thing that makes it so the elipsis button event listener is kept during the replacement, fixing the bug because we don't actually replace the table, only modifying it - `hx-post="{{.LastCommitLoaderURL}}"`: make a post request to this url to get the table with all of the commit information As part of this change I removed the handling of partial replacement in the case we have less than 200 "not ready" files. The first reason is that I couldn't make htmx replace only a subset of returned elements, the second reason is that we have a cache implemented in the backend already so the only cost added is that we query the cache a few times (which is sure to be populated due to the initial request), and the last reason is that since the last refactor of this functionality that removed jQuery we don't properly send the "not ready" entries as the backend expects `FormData` with `f[]` and we send a JSON with `f` so we always query for all rows anyway. # Before  # After  --------- Signed-off-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>Add new option: `visible`: witch can hide a specific field of the form or the created content afterwards It is a string array witch can contain `form` and `content`. If only `form` is present, it wont show up in the created issue afterwards and the other way around. By default it sets both except for markdown As they are optional and github don't have any similar thing, it is non breaking and also do not conflict with it. With this you can: - define "post issue creation" elements like a TODO list to track an issue state - make sure to have a checkbox that reminds the user to check for a thing but dont have it in the created issue afterwards - define markdown for the created issue (was the downside of using yaml instead of md in the past) - ... ## Demo ```yaml name: New Contribution description: External Contributor creating a pull body: - type: checkboxes id: extern-todo visible: [form] attributes: label: Contribution Guidelines options: - label: I checked there exist no similar feature to be extended required: true - label: I did read the CONTRIBUTION.MD required: true - type: checkboxes id: intern-todo visible: [content] attributes: label: Maintainer Check-List options: - label: Does this pull follow the KISS principe - label: Checked if internal bord was notifyed # .... ``` [Demo Video](https://cloud.obermui.de/s/tm34fSAbJp9qw9z/download/vid-20240220-152751.mkv) --- *Sponsored by Kithara Software GmbH* --------- Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: delvh <dev.lh@web.de>gt-classes withtw-(#29570) a2e90014eccss-variables-parserdependency (#29571) d769b664de1. Use "star/unstart", but not `{{if}}un{{}}star{{}}` (the same to "watch/unwatch") 2. Use "not-mobile" for hiding the elements on mobilegt-withtw-, update frontend docs (#29595) 7e8c1c5ba1DetectAndHandleSchedules(#29606) 3f3335ae51locale_en-US.ini(#29608) c481dba52c# Preview Tab - Removed the jQuery AJAX call and replaced with our fetch wrapper - Tested the preview tab functionality and it works as before # Diff Tab - Removed the jQuery AJAX call and replaced with htmx - Tested the diff tab functionality and it works as before ## htmx Attributes - `hx-post="{{.RepoLink}}..."`: make a POST request to the endpoint - `hx-indicator=".tab[data-tab='diff']"`: attach the loading indicator to the tab body - `hx-target=".tab[data-tab='diff']"`: target the tab body for swapping with the response - `hx-swap="innerHTML"`: swap the target's inner HTML - `hx-include="#edit_area"`: include the value of the textarea (content) in the request body - `hx-vals='{"context":"{{.BranchLink}}"}'`: include the context in the request body - `hx-params="context,content"`: include only these keys in the request body # Demo using `fetch` and `htmx` instead of jQuery AJAX  --------- Signed-off-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: silverwind <me@silverwind.io><br />in alert block (#29650) b5c418f271namelinks (#29679) baeb251174<gitea-absolute-date>(#29725) 857243bed7make generate-swaggerin go 1.22 (#29780) bbef5fc5c3repo-issue.jsfile (#29776) 0679e60c77<overflow-menu>, rename webcomponents (#29400) 256a1eeb9aTemporal.PlainDatefor absolute dates (#29804) 0d3ec8e2adforattribute not pointing to the ID of the color picker (#29813) 3b6e57273ahtmxto v1.9.11 (#29821) c00633971atime-sinceclass (#29826) 3f1e4896b6When read the code: `pager.AddParam(ctx, "search", "search")`, the question always comes: What is it doing? Where is the value from? Why "search" / "search" ? Now it is clear: `pager.AddParamIfExist("search", ctx.Data["search"])`$prefix (#29839) 3cd64949ae.propand fix related issues (#29832) 21fe512aac.suppressedlink class (#29847) ffeaf2d0bd.cssand refactor all usage (#29852) fa100618c4.attrfrom the issue author dropdown (#29915) 55a8f4510a.attrfrom the quick pull request button text (#29916) 4cfda02419.attrfrom the image diff (#29917) cb98e27992.attrfrom the archive download and compare page branch selector (#29918) dd043854ee.attrfrom the user search box (#29919) adc61c5d71.page-content(#29922) 8cad44f410<overflow-menu>items (#29831) 99d7ef5091routers/private/testsfrom air (#29949) 3ee39db34e.loadingclass (#29920) d6fed9ab88.attrfrom the project page (#30004) 5c91d7920f.attrfrom the commit graph (#30006) d4ac1bd26e.attrfrom the branch/tag selector (#30010) bc92478575.secondary-navand handle.page-contentspacing universally (#29982) 3ccda41a53.attrfrom the image diff again (#30022) d0d7b4b6d1.attrfrom the repository settings (#30018) 26dbca7411.attrfrom the diff page (#30021) 74c1378dfb.attrfrom the common global functions (#30023) 900dd79d8agaphelpers to tailwind (#30034) 90a4f9a49eThis will conclude the refactor of 1:1 class replacements to tailwind, except `gt-hidden`. Commands ran: ```bash perl -p -i -e 's#gt-(p|m)([lrtbxy])?-0#tw-$1$2-0#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-1#tw-$1$2-0.5#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-2#tw-$1$2-1#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-3#tw-$1$2-2#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-4#tw-$1$2-4#g' {web_src/js,templates,routers,services}/**/* perl -p -i -e 's#gt-(p|m)([lrtbxy])?-5#tw-$1$2-8#g' {web_src/js,templates,routers,services}/**/* ```isand fix issues (#30016) 0a2f973de9gt-hiddentotw-hidden(#30046) ec3d467f15.attrfrom the repository topic bar (#30050) 314cd1ec98.attrfrom the label edit exclusive checkbox (#30053) a7d0c5de4c.attrfrom the ComboMarkdownEditor (#30051) 428e05662f.attrfrom the reaction selector (#30052) 2e31a2800eTxContext(#30061) c6c4d66004.length === 0patterns in JS (#30045) 8fe26fb314.attrfrom the code line range selection (#30077) a9a5734185space-before-function-paren(#30078) bcb151c220fixBrokenRepoUnits16961(#30068) 08aec2c20astorage-archives(#30094) 9cf0f0bb04.attrfrom the common issue page functions (#30083) e0b018706fshowElemandhideElem(#30110) a1f11e2e33.attrfrom the code comments (#30112) 5687aca4fc.attrfrom the Fomantic modal cancel buttons (#30113) f47e00d9d3.attrfrom the common admin functions (#30115) a190f68f1b.attrfrom the Fomantic dropdowns (#30114) 0922ce8191.attr(#30116) 34acd8e376Now, the chars `=:;()[]{}~!@#$%^ &` are possible as well Fixes #30134 --------- Co-authored-by: KN4CK3R <admin@oldschoolhack.me>max( id )tomax( index )for latest commit statuses (#30076) 7443a10fc3@github/relative-time-elementto v4.4.0 (#30154) eca4c48534DEFAULT_SHOW_FULL_NAME=falsehas no effect in commit list and commit graph page (#30096) 6103623596Variables(#29520) 62b073e6f3stylelint-value-no-unknown-custom-propertiesand convert stylelint config to js (#30117) f31a88d3cbactiveandselectedin the issue author dropdown (#30207) f8fbaaf26fmodifies/frontendfrom labeler (#30198) f691721714repo-issue.jsfile (#30192) ef5892d988/options/licenseand/options/gitignoreto.ignore(#30219) 934fa46f76[other].SHOW_FOOTER_POWERED_BYsetting to hidePowered by(#30253) 609a627a44golang.org/x/netto v0.24.0 (#30283) 95504045ccocticon-eyeon watch button (#30288) 9c1f4dae2e`log.Xxx("%v")` is not ideal, this PR adds necessary context messages. Remove some unnecessary logs. Co-authored-by: Giteabot <teabot@gitea.io>--page-spacingvariable, fix admin dashboard notice (#30302) 019857a701Failed to change the default wiki branchif repo has no wiki when saving repo settings (#30329) 7d66b9ea65Many places have the following logic: ```go func (jobs ActionJobList) GetRunIDs() []int64 { ids := make(container.Set[int64], len(jobs)) for _, j := range jobs { if j.RunID == 0 { continue } ids.Add(j.RunID) } return ids.Values() } ``` this introduces a `container.FilterMapUnique` function, which reduces the code above to: ```go func (jobs ActionJobList) GetRunIDs() []int64 { return container.FilterMapUnique(jobs, func(j *ActionRunJob) (int64, bool) { return j.RunID, j.RunID != 0 }) } ```issue editcode fromrepo-legacy.jsinto its own file (#30419) 26ee66327f/public/assets/img/webpackto ignore files again (#30451) 68271834d6interface{}toanyreplacement tomake fmt, exclude*.pb.go(#30461) c77e8140bcflex-containerfor dashboard layout (#30214) 044cc169e7login_namein API response JSON when creating user (#30511) cf9061f44apreferred_usernameas username source for OIDC (#30454) 6ba0c371c2go generateandgo veton all packages (#30529) 8e12ef911asetup-nodeaction (#30577) acfe29fc2bmodules/web/middlewareinmodules/session(#30584) 61457cdf6brevivelinter rules (#30608) 74f0c84fa4- Add endpoint to list repository action secrets in API routes - Implement `ListActionsSecrets` function to retrieve action secrets from the database - Update Swagger documentation to include the new `/repos/{owner}/{repo}/actions/secrets` endpoint - Add `actions` package import and define new routes for actions, secrets, variables, and runners in `api.go`. - Refactor action-related API functions into `Action` struct methods in `org/action.go` and `repo/action.go`. - Remove `actionAPI` struct and related functions, replacing them with `NewAction()` calls. - Rename `variables.go` to `action.go` in `org` directory. - Delete `runners.go` and `secrets.go` in both `org` and `repo` directories, consolidating their content into `action.go`. - Update copyright year and add new imports in `org/action.go`. - Implement `API` interface in `services/actions/interface.go` for action-related methods. - Remove individual action-related functions and replace them with methods on the `Action` struct in `repo/action.go`. --------- Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com> Signed-off-by: appleboy <appleboy.tw@gmail.com>misspellings.csv(#30573) 9b2536b78fservices/mirror(#30724) 4ae6b1a553math/randfunctions (#30733) 7b8e418da1ProtonMail/go-cryptoforopengpgin tests (#30736) 8b8b48ef5fgithub.com/google/go-githubto v61 (#30738) b2013be910Documentation building has encountered a problem like below. This is because MDX syntax doesn't allow `{customPath}`, we have to use \`{customPath}\` ``` Error: Can't render static file for pathname "/next/administration/config-cheat-sheet" at generateStaticFile (/workspace/gitea/gitea-docusaurus/node_modules/@docusaurus/core/lib/ssg.js:119:15) at runNextTicks (node:internal/process/task_queues:60:5) at process.processImmediate (node:internal/timers:449:9) at async /workspace/gitea/gitea-docusaurus/node_modules/p-map/index.js:57:22 { [cause]: ReferenceError: CustomPath is not defined at _createMdxContent (server.bundle.js:4406:106) at MDXContent (server.bundle.js:10745:8) at Uc (server.bundle.js:264171:44) at Xc (server.bundle.js:264173:253) at Z (server.bundle.js:264179:89) at Yc (server.bundle.js:264182:98) at $c (server.bundle.js:264181:140) at Z (server.bundle.js:264179:345) at Xc (server.bundle.js:264177:231) at Z (server.bundle.js:264179:89) ```redis-clusteras possible cache/session adapter in docs (#30794) f135cb7c94TestPassword(#30716) 9235442ba5break-wordin CSS (#30934) 5556782ebeinsetshorthand (#30939) 3c2406a2f3declaration-block-no-redundant-longhand-properties(#30950) 46b7004f05labelfix correct input id (#30987) 2611249511tqdmdependency (#30996) a73e3c6a69access_deniederror when an OAuth2 request is denied (#30974) f1d9f18d96defaultattribute of the issue template dropdown field (#31045) 7ab0988af1View Filebutton link if branch deleted on pull request files pages (#31063) 47e715a70f--border-radius-circleto--border-radius-full(#30936) 2ced31e81djobs.<job_id>.if(#31070) 31a0c4dfb4ctx.ServerError(#31130) b6f15c7948ProxyPreserveHostin Apache httpd doc (#31143) c93cbc991eIDOrderDescfor listing Actions task and always order byid DESC(#31150) 572fa55fbctw-helpers to tailwind plugin (#31184) 8c68c5e436@github/relative-time-elementto v4.4.1 (#31232) 433963e52cgt-word-breakwithtw-break-anywhere(#31183) 138e946c3dlint-go-gopls(#30729) 816222243amholt/archiver(#31267) 6a3c487d07golang.org/x/net(#31260) 24dace8f76MAX_ROWSoption for CSV rendering (#30268) f7125ab61aReviewed-on/Reviewed-bylines for custom merge messages (#31211) da4bbc4247ConfirmModal(#31283) 291a00dc57.text()(#30506) a2304cb163querySelectorover alternative DOM methods (#31280) 507fbf4c3cIifexactly matchif(#31322) 4bf848a06bunparamlinter (#31277) fc2d75f86d+menu flashing on page load (#31281) 21ba5ca03bexplorer.go(#31348) fede3cbadagorilla/feeds(#31400) 9c8092807aeslint-plugin-jquery(#31402) 17baf1af10airverbosity (#31417) 1c15452687golang.org/x/imageto v0.18.0 (#31541) b270b30aebYEAR,MONTH,MONTH_ENGLISH,DAYvariables for template repos (#31584) 7bb3835811no-jquery/no-class-state(#31639) 3a7454df7aword-break: break-all(#31637) 0c1127a2fbdetectWebAuthnSupportonly on sign-in page (#31676) bbd14769cdusernameto OIDC introspection response (#31688) ecc8f2b047detectWebAuthnSupportonly if necessary (#31691) cabcca3d81pull_request_targetevent for commit status (#31703) 4b376a0ed9Basic(#31706) e1cf760d2fno-jquery/no-parse-html-literaland fix violation (#31684) aa36989bd0go-installindeps-toolsin parallel (#31711) 5f526d7d3dregisterActionsCleanuptoinitActionsTasks(#31721) f989f46438TAGStoTEST_TAGSand fix bugs found with gogit (#31791) de2787a493IsObjectExistwith gogit (#31790) f4d3120f9ddocs-update-neededfor PRs that modifyapp.example.ini(#31810) fb271d1e6aLOG_COMPRESSIONin ini (#31809) 42841aab59AutodetectManualMergewas not enabled (#31805) 9633f336c8:focus-visiblestyle to buttons (#31799) 63c5ac6cdbhtmxto2.0.2(#31847) 951f02ff1cDSA is considered inherently insecure and is already disabled/removed in OpenSSH 9.8. Therefore "dsa-1024" tescases are failing. ``` --- FAIL: Test_calcFingerprint (0.02s) --- FAIL: Test_calcFingerprint/dsa-1024 (0.00s) --- FAIL: Test_calcFingerprint/dsa-1024/SSHKeygen (0.00s) ssh_key_test.go:196: Error Trace: /src/gitea/models/asymkey/ssh_key_test.go:196 Error: Received unexpected error: Unable to verify key content [result: /tmp/gitea_keytest1239408114 is not a public key file. ] Test: Test_calcFingerprint/dsa-1024/SSHKeygen ssh_key_test.go:197: Error Trace: /src/gitea/models/asymkey/ssh_key_test.go:197 Error: Not equal: expected: "SHA256:fSIHQlpKMDsGPVAXI8BPYfRp+e2sfvSt1sMrPsFiXrc" actual : "" Diff: --- Expected +++ Actual @@ -1 +1 @@ -SHA256:fSIHQlpKMDsGPVAXI8BPYfRp+e2sfvSt1sMrPsFiXrc + Test: Test_calcFingerprint/dsa-1024/SSHKeygen FAIL ``` Fix #31624overview(#31373) 39d2fdefafweb_src/js/globals.d.ts(#31943) e5e40787dcstateparams is set when editing issue/PR by API (#31880) eba6bfbe15cacheContextLifetimeto reduce false reports (#32011) a323a82ec4/repos/{owner}/{repo}/pulls/{index}/filesendpoint not populatingprevious_filename(#32017) 7c6edf1ba0due_dateis nil when editing issues (#32035) 3a51c37672git push --tags --force(#32040) 269c630923tabindexes on login page (#31689) aa9faf8250/tokensapi (#32085) 08adbc468fSet up Jobwhen first step is skipped (#32120) 6fa962f409GetCSRFdoesn't return an empty token (#32130) 13283873e9This PR fixes javascript errors when an anonymous user visits the migration page. It also makes task view checking more restrictive. The router moved from `/user/task/{id}/status` to `/username/reponame/-/migrate/status` because it's a migrate status. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>show statswork when only one file changed (#32244) c4b2808b89owner/repo/pullshandlers use "PR reader" permission (#32254) 5242e520c4gh-access-tokenflag into backport script (#32283) 2b8ff419a7DISABLE_ORGANIZATIONS_PAGEandDISABLE_CODE_PAGEsettings for explore pages and fix an issue related to user search (#32288) 9206fbb55fmissing signature keyerror when pulling Docker images withSERVE_DIRECTenabled (#32365) 0690cb076b1. clarify the "filepath" could(should) contain "{ref}" 2. remove unclear RepoRefLegacy and RepoRefAny, use RepoRefUnknown to guess 3. by the way, avoid using AppURLThis PR improves the accuracy of Gitea's code search. Currently, Gitea does not consider statements such as `onsole.log("hello")` as hits when the user searches for `log`. The culprit is how both ES and Bleve are tokenizing the file contents (in both cases, `console.log` is a whole token). In ES' case, we changed the tokenizer to [simple_pattern_split](https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-simplepatternsplit-tokenizer.html#:~:text=The%20simple_pattern_split%20tokenizer%20uses%20a,the%20tokenization%20is%20generally%20faster.). In such a case, tokens are words formed by digits and letters. In Bleve's case, it employs a [letter](https://blevesearch.com/docs/Tokenizers/) tokenizer. Resolves #32220 --------- Signed-off-by: Bruno Sofiato <bruno.sofiato@gmail.com>DEFAULT_MIRROR_REPO_UNITSandDEFAULT_TEMPLATE_REPO_UNITSoptions (#32416) b1f42a0cddPublicOnlyfor org membership only once (#32234) 43c252dfeagithub.com/meilisearch/meilisearch-go(#32484) cad313e64frecentupdatesorting bugs (#32505) a0c0cb3a2c/userinfo, aligning to OpenID Core specification (#32578) 56bff7ae23GetRefCommitID(#32705) 5dda9510f4::group::support (#32713) f7f68e4cc01. add backend support for filtering "poster" and "assignee" * due to the limits, there is no frontend support at the moment 2. rewrite TS code without jquery, now there are 14 jQuery files left:##[group](#32770) 1b069dc94amoduletonodenext(#32757) d061f6b70ais_archivedoption for issue indexer (#32735) d43620e7bceslint-plugin-import-x(#32790) ee45950dabtsc(#32840) c8ea41b049attestation-manifestand use short sha256 instead of full sha256 (#32851) 276f43330cDumpTables(#32930) 1c9b022c4dstrictFunctionTypes(#32911) c0e80dbe261. do not use `{{/* */}}` to remove spaces, use `{{- -}}` 2. fix "blob_excerpt" endpoint, remove the legacy fragile code: have tested commit diff and wiki diffSeek(#32974) abaeae0b9cCloseIssueandReopenIssueinstead ofChangeStatus(#32467) 5feb1a6bffshow moreorganizations icon in user's profile (#32986) 7bb7ba1b5b-s -wldflags for release artifacts (#33041) 232867cff6- Add `IssueChangeTitle` method to handle issue title changes - Add `notifyIssueChangeWithTitleOrContent` method to generalize notification handling for issue title or content changes action file as below: ```yaml name: Semantic Pull Request on: pull_request_target: types: [edited] ``` --------- Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>/etc/gitconfig(#33076) e709cc76daProject-URLmetadata field to get a PyPI package's homepage URL (#33089) 188e0ee8e4git remotesubcommands for git version >=2.30.0 (#33129) 0d7d2ed39dToGitServiceType(#33146) e1772395291. "blob" is not a "ref", it shouldn't (and not unable to) be handled by `RepoRefByType` 2. the `/blob/{sha}` handle should use the path param "sha" directlyvue-tsc(#33248) 98d7e04767The template should be `repo/migrate/{service type}` But input element `service` is not in the form. Related: #33081 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>routerstoservices(#33280) d0962ce3danoImplicitThis(#33250) 4b21a6c792noImplicitAny(#33322) c7f4ca2653GetCommitBranchStartbug (#33298) a9577e0808@github/text-expander-elementto 2.9.0 (#33435) dc7ddaee2a@github/text-expander-element, adapt type imports (#33449) 05e9063013This adds an endpoint (`/orgs/{org}/rename`) to rename organizations. I've modeled the endpoint using the rename user endpoint -- `/admin/users/{username}/rename` -- as base. It is the 1st time I wrote a new API endpoint (I've tried to follow the rename users endpoint code while writing it). So feel free to ping me if there is something wrong or missing. Resolves #32995 --------- Signed-off-by: Bruno Sofiato <bruno.sofiato@gmail.com> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>vertical-align(#33477) 50873c1925timetzdatabuild tag to binary releases (#33463) 7e596bd7a9pickTask(#33543) 06f1065636@vitest/eslint-plugin(#33573) bcd1317d17* download endpoint has to use 302 redirect * fake blob download used if direct download not possible * downloading v3 artifacts not possible New repo apis based on GitHub Rest V3 - GET /runs/{run}/artifacts (Cannot use run index of url due to not being unique) - GET /artifacts - GET + DELETE /artifacts/{artifact_id} - GET /artifacts/{artifact_id}/zip - (GET /artifacts/{artifact_id}/zip/raw this is a workaround for a http 302 assertion in actions/toolkit) - api docs removed this is protected by a signed url like the internal artifacts api and no longer usable with any token or swagger - returns http 401 if the signature is invalid - or change the artifact id - or expired after 1 hour Closes #33353 Closes #32124 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>@typescript-eslint/no-use-before-define(#33715) b35a9da14cgit diff-treeforDiffFileTreeon diff pages (#33514) aba96f65cdmake tidy(#33747) 6e475dc7e01. Rewrite `dirauto.ts` to `observer.ts`. * We have been using MutationObserver for long time, it's proven that it is quite performant. * Now we extend its ability to handle more "init" works. 2. Use `observeAddedElement` to init all non-custom "dropdown". 3. Use `data-global-click` to handle click events from dynamically loaded elements. * By this new approach, the old fragile selector-based (`.comment-reaction-button`) mechanism is removed. 4. By the way, remove unused `.diff-box` selector, it was abused and never really used. A lot of FIXMEs in "repo-diff.ts" are completely fixed, newly loaded contents could work as expected.vetas part ofgo test(#33662) 43c8d85f191. Add some "render-content" classes to "markup" elements when the content is rendered 2. Use correct "markup" wrapper for "preview" (but not set that class on the tab) 3. Remove incorrect "markup" class from LFS file view, because there is no markup content * "edit-diff" is also removed because it does nothing 5. Use "initPdfViewer" for PDF viewer 6. Remove incorrect "content" class from milestone markup 7. Init all ".markup" elements by new init framework --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>go.modandgo.sumin.editorconfig(#33960) d1a755e5b7check-attrcommand on Windows OS. (#34035) a7594969b6last_committer_dateandlast_author_datefor file contents API (#32921) 45c45934aapull_requestactions trigger (#34106) f94ee4fd3coverflow-wrap: anywhereto replaceword-break: break-all(#34126) a62ed19da6This pull request adds a GitHub-compatible API endpoint to lock and unlock an issue. The following routes exist now: - `PUT /api/v1/repos/{owner}/{repo}/issues/{id}/lock` to lock an issue - `DELETE /api/v1/repos/{owner}/{repo}/issues/{id}/lock` to unlock an issue Fixes #33677 Fixes #20012 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>Adds an API POST endpoint under `/repos/{owner}/{repo}/file-contents` which receives a list of paths and returns a list of the contents of these files. This API endpoint will be helpful for applications like headless CMS (reference: https://github.com/sveltia/sveltia-cms/issues/198) which need to retrieve a large number of files by reducing the amount of needed API calls. Close #33495 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>--page-space-bottomat 64px (#30692) 27ff5e2e84In the Gitea GUI, the user can see the time that _AccessTokens_ and _PublicKeys_ were last used. This information is not returned by the _/users/{username}/tokens_ and _/user/keys_ endpoints in the API. This PR adds the missing data. The time of last usage for for _tokens_ & _keys_ seem to be stored in the _Updated_ field of the structs internally. For consistency, I have used the name _updated_at_ for the new field returned by the _API_. However, for the _API_ user, I don't think that name reflects the data returned, as I believe it is the time of last usage. I propose that we use the name _last_used_at_ instead. Let's hear reviewers opinion on that. * PublicKey 1. _last_used_at_: string($date-time) * AccessToken 1. _created_at_: string($date-time) (for parity with public keys) 2. _last_used_at_: string($date-time) Fix #34313@github/relative-time-elementto v4.4.6 (#34352) 3446f14ba0@github/relative-time-elementto v4.4.7 (#34384) 6bd8fe5353This PR adds the label _state_ to the metric _gitea_users_. With the change, _gitea_users_ would be reported like this: ``` ... # HELP gitea_users Number of Users # TYPE gitea_users gauge gitea_users{state="active"} 20 gitea_users{state="inactive"} 10 ... ``` The metrics above would be from a Gitea instance with 30 user accounts. 20 of the accounts are active and 10 of the accounts are not active. Resolve #34325The "autofocus" was abused or misbehaved: 1. When users visit a page but they are not going to change a field, then the field shouldn't get "autofocus" * the "auth" / "user" page: in most cases, users do not want to change the names * see also the GitHub's "settings" page behavior. 2. There shouldn't be duplicate "autofocus" inputs in most cases, only the first one focuses 3. When a panel is shown, the "autofocus" should get focus * "add ssh key" panel This PR fixes all these problems and by the way remove duplicate "isElemHidden" function.@github/relative-time-elementto v4.4.8 (#34413) 2ecd73d2e5last changedof a repository (#34388) 780e92ea99--color-logofor text that should match logo color (#34639) 7fa5a88831gopls modernizeon codebase (#34751) 1f35435b81doer(#34545) 08c634b7b7gopls modernizeformatting (#34771) 46a1d52235goplsto v0.19.0, addmake fix(#34772) b18c047d62shallowRefinstead ofrefin.vuefiles where possible (#34813) 181db69e0cuint8-to-base64, remove type stub (#34844) 04783f548dlabels-listrendering (#34846) 1e50cec0b3login/login-name/usernamedisambiguation to affected endpoint parameters and response/request models (#34901) f74a13610dequalFoldand fix issues (#34952) 95a935aca0actions/workflows. (#35009) bb0c84e8c3topic/code-linting(#35020) 1e86b7dad0poetrywithuv(#35084) 7413e8583duv runwith--frozen(#35097) 639ac0026cissue-title-buttonswithlist-header(#35018) 13b9659952setup-pythonwithsetup-uv(#35116) 3531e9dbfdownerandparentfields clarification to docs (#35023) c10c4203eeupdate repoAPI (#35140) de570b7ddehas_codeto repository REST API (#35214) ef613ee760similar to how we can enable/disable repos or issues on a repo add the code unit as option to it. affects ``` PATCH /repos/{owner}/{repo} ``` --- *Sponsored by Kithara Software GmbH*report*options (#35236) c4c1a4bd18The new trace log looks like ``` http start=2025-08-14 15:03:04 duration=0.6978s http.route=/ http.func start=2025-08-14 15:03:04 duration=0.6978s func=common.ForwardedHeadersHandler.ForwardedHeaders http.func start=2025-08-14 15:03:04 duration=0.6978s func=routing.(*requestRecordsManager).handler-fm http.func start=2025-08-14 15:03:04 duration=0.6978s func=gzhttp.NewWrapper http.func start=2025-08-14 15:03:04 duration=0.6975s func=session.Sessioner http.func start=2025-08-14 15:03:04 duration=0.6973s func=context.Contexter ```pubkeyshould allow all public keys, not just GPG (#35357) da5ce5c8e7bitnamiimages tobitnamilegacyon CI (#35402) ca6c0dee2eDefault behaviour rejected all rows (Records) with more or fewer columns (Fields) than the first row, preventing them from parsing at all and silently hiding them. While RFC4180 section 2.4 says each line _should_ contain the same number of fields, enforcing this on the viewer is unhelpful. This pull request disables that validation, allowing the viewer to render lines with fewer columns than the maximum number within the file. As it's a simple HTML table, this works without additional changes (i.e. no need to manually determine the maximum number of columns), but the default appearance of rows with fewer columns may be undesirable to some people, especially when using CSS that has `td {border-right: none}`. <img width="1408" height="156" alt="Screenshot without cell right borders" src="https://github.com/user-attachments/assets/d4c19bbc-3fd2-4fd1-83a6-1125e953e95b" /> <img width="1397" height="158" alt="Screenshot with cell right borders" src="https://github.com/user-attachments/assets/86aaafcb-d7e8-4228-99a8-7527c823a07c" /> Fixes #16559, #30358. Unfortunately, retaining empty lines is less trivial, so the line numbers on the leftmost column will still not match the source file whenever those are present, though a future PR could address that./.pnpm-storeto .gitignore (#35414) 998b6b8889@resvg/resvg-wasmforgenerate-images(#35415) 89b4be057bgitea dump(#35467) 7a474d1c95inputscontext when parsing workflows (#35590) cdc0733047concurrencysyntax (#32751) 40f71bcd4cactions/labelerto v6 (#35681) 5bf7cf788dThis PR moves "no online runner" warning to the runs list. A job's `runs-on` may contain expressions like `runs-on: [self-hosted, "${{ inputs.chosen-os }}"]` so the value of `runs-on` may be different in each run. We cannot check it through the workflow file. <details> <summary>Screenshots</summary> Before: <img width="960" alt="3d2a91746271d8b1f12c8f7d20eba550" src="https://github.com/user-attachments/assets/7a972c50-db97-49d2-b12b-c1a439732a11" /> After: <img width="960" alt="image" src="https://github.com/user-attachments/assets/fc076e0e-bd08-4afe-99b9-c0eb0fd2c7e7" /> </details> This PR also splits `prepareWorkflowDispatchTemplate` function into 2 functions: - `prepareWorkflowTemplate` get and check all of the workflows - `prepareWorkflowDispatchTemplate` only prepare workflow dispatch config for `workflow_dispatch` workflows. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>codeformatfolder to tools (#35758) 91839ca01avue/require-typed-refeslint rule (#35764) fe25997157strictNullChecks-related issues (#35795) 37208fef7eflake-utils(#35675) 2be51d0b27fixMake targets (#35868) 84d7496b9d.ui .sha.label(#35864) 23a37b4b77gitea-vetto usego tool(#35878) b2feeddf42Permission & protection check: - Fix Delete Release permission check - Fix Update Pull Request with rebase branch protection check - Fix Issue Dependency permission check - Fix Delete Comment History ID check Information leaking: - Show unified message for non-existing user and invalid password - Fix #35984 - Don't expose release draft to non-writer users. - Make API returns signature's email address instead of the user profile's. Auth & Login: - Avoid GCM OAuth2 attempt when OAuth2 is disabled - Fix #35510 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>pull_request.pathsbeing triggered incorrectly by rebase (#36045) f4e38e6367lint-go-goplswith additionalgovetlinters (#36028) b54af8811estrictNullChecks(#35843) 46d7adefe0styleattribute (#36133) 4cbcb91b7bactions/checkoutto v6 (#36136) 87b855bd15files-changedjobs (#36142) 3e57ba5b36FileTreeItemtype (#36137) ac8308b5cb1. Full file highlighting (fix the legacy todo "we should instead highlight the whole file at once") * Fix #24383 2. Correctly covert file content encoding 3. Remove dead code, split large for-loop into small functions/blocks to make code maintainablebodycloselinter (#36168) 84b74d7c3emodifies/dependencieslabel to dependabot (#36206) e06040efd8CrossOriginProtection(#36183) 42d294941c--batch-commandapproach (#35775) e226720cffhas_codein repository api (#36338) 040fc93046import.meta.envand clean up types and eslint (#36362) 4a9ac53862node-checkandgo-check, support node prerelease versions (#36382) 5f91c51fa5kniplinter (#36442) 12a81d38c1knip, misc tweaks (#36499) 7292ae1ed5docker-dryrun(#36379) 9d96039027@ts-expect-error(#36513) 7883f6dde9add-matcherandremove-matcherfrom actions job logs (#36520) fca94bcdd7elklayout support to mermaid (#36486) 49e6d5f6d6.commit-sign-badgechildren (#36570) c17280149feditContextto avoid bugs with lost focus (#36585) 514f322dcf## Problem `GET /api/v1/repos/{owner}/{repo}/actions/runs/{runId}/jobs` was always returning `steps: null` for each job. ## Cause In `convert.ToActionWorkflowJob`, when the job had a `TaskID` we loaded the task with `db.GetByID` but never loaded `task.Steps`. `ActionTask.Steps` is not stored in the task row (`xorm:"-"`); it comes from `action_task_step` and is only filled by `task.LoadAttributes()` / `GetTaskStepsByTaskID()`. So the conversion loop over `task.Steps` always saw nil and produced no steps in the API response. ## Solution After resolving the task (by ID when the caller passes `nil`), we now load its steps with `GetTaskStepsByTaskID(ctx, task.ID)` and set `task.Steps` before building the API steps slice. No other behavior is changed. ## Testing - New integration test `TestAPIListWorkflowRunJobsReturnsSteps`: calls the runs/{runId}/jobs endpoint, inserts a task step for a fixture job, and asserts that the response includes non-null, non-empty `steps` with the expected step data. - `make test-sqlite#TestAPIListWorkflowRunJobsReturnsSteps` passes with this fix. --------- Co-authored-by: Manav <mdave0905@gmail.com>localStorage(#36623) 26bb175d69nilnillinter for new code (#36591) a0160694b9relative-timeto render absolute dates (#36238) cfc60b2142TestActionsCollaborativeOwner(#36657) 72ab59efdbgoogle/go-licenseswith custom generation (#36575) b9d323c3d8actions.WORKFLOW_DIRSsetting (#36619) 147bdfce0dsecurity-checkinformational only (#36681) 87f7291909tinycolor2withcolord(#36673) 91dc737a35X_FRAME_OPTIONSsetting fromcorstosecuritysection (#30256) 5f8e19fcefno-contentmessage not rendering after comment edit (#36733) 2e00b2f0bbneveroption toPUBLIC_URL_DETECTIONconfiguration (#36785) 5b8c8e724fdry-runandnightlycontainer builds (#36738) 08254cf126In manual merge detected changes, the pushing user should be the de-facto author of the merge, not the committer. For ff-only merges, the author (PR owner) often have nothing to do with the merger. Similarly, even if a merge commit exists, it does not indicate that the merge commit author is the merger. This is especially true if the merge commit is a ff-only merge on a given branch. If pusher is for some reason unavailable, we fall back to the old method of using committer or owning organization as the author. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>This PR adds official REST API endpoints to rerun Gitea Actions workflow runs and individual jobs: * POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/rerun * POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/jobs/{job_id}/rerun It reuses the existing rerun behavior from the web UI and exposes it through stable API routes. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io>The `PATCH /api/v1/repos/{owner}/{repo}` endpoint silently ignores pull request config fields (like `default_delete_branch_after_merge`, `allow_squash_merge`, etc.) unless `has_pull_requests: true` is also included in the request body. This is because the entire PR unit config block was gated behind `if opts.HasPullRequests != nil`. This PR restructures the logic so that PR config options are applied whenever the pull request unit already exists on the repo, without requiring `has_pull_requests` to be explicitly set. A new unit is only created when `has_pull_requests: true` is explicitly sent. Fixes https://github.com/go-gitea/gitea/issues/36466 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io>mentionValuesasynchronously (#36739) 130e34994futil.URLJoinand replace all callers with direct path concatenation (#36867) 80c57ec126refreshViewedFilesSummary(#36868) a52617b816ListUnadoptedRepositories(#36884) 2601f50026searchandmodalCSS to first-party modules (#36869) 89cd3737bcWhen opening a Actions run without a job in the path (`/actions/runs/{run}`), show a run summary. --------- Signed-off-by: Nicolas <bircni@icloud.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>DEFAULT_DELETE_BRANCH_AFTER_MERGEsetting (#36917) ef88cdb7e7inputborder hover effect (#36870) 788200de9fcmd/to use constructor functions. (#36962) 435123fe65Pass `ServeHeaderOptions` by value instead of pointer across all call sites — no nil-check semantics are needed and the struct is small enough that copying is fine. ## Changes - **`services/context/base.go`**: `SetServeHeaders` and `ServeContent` accept `ServeHeaderOptions` (value, not pointer); internal unsafe pointer cast replaced with a clean type conversion - **`routers/api/packages/helper/helper.go`**: `ServePackageFile` variadic changed from `...*context.ServeHeaderOptions` to `...context.ServeHeaderOptions`; internal variable is now a value type - **All call sites** (13 files): `&context.ServeHeaderOptions{...}` → `context.ServeHeaderOptions{...}` Before/after at the definition level: ```go // Before func (b *Base) SetServeHeaders(opt *ServeHeaderOptions) { ... } func (b *Base) ServeContent(r io.ReadSeeker, opts *ServeHeaderOptions) { ... } func ServePackageFile(..., forceOpts ...*context.ServeHeaderOptions) { ... } // After func (b *Base) SetServeHeaders(opts ServeHeaderOptions) { ... } func (b *Base) ServeContent(r io.ReadSeeker, opts ServeHeaderOptions) { ... } func ServePackageFile(..., forceOpts ...context.ServeHeaderOptions) { ... } ``` --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>workflow_runnotifications when updating jobs from multiple runs (#36997) 8fdd6d1235- Add `content_version` field to Issue and PullRequest API responses - Accept optional `content_version` in `PATCH /repos/{owner}/{repo}/issues/{index}` and `PATCH /repos/{owner}/{repo}/pulls/{index}` — returns 409 Conflict when stale, succeeds silently when omitted (backward compatible) - Pre-check `content_version` before any mutations to prevent partial writes (e.g. title updated but body rejected) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>golang.org/x/imageto v0.38.0 (#37054) b20b0ed372go-gitto v5.17.2 (#37060) 0df3213766webpackChunkNamecomments from codeeditor (#37062) 47a0d88056workflow_run(#37088) f70f2c76cb1. `origin-url` was introduced in the past when there was no good framework support to detect current host url * It is not needed anymore * Removing it makes the code clearer 2. Separate template helper functions for different templates (web page/mail) 3. The "AppURL" info is removed from admin config page: it doesn't really help. * We already have various app url checks at many placessetup-uvto v8.0.0 (#37101) 3c17daf615rollup-plugin-licensewithrolldown-license-plugin(#37130) 04fb6f1c0b//nolint:depguard(#37162) 681c4074e5TestCatFileBatch/QueryTerminatedtest (#37159) 09c2677b21ExternalIDClaimoption for OAuth2 OIDC auth source (#37229) b1bfca39f1dropzonewith@deltablot/dropzone(#37237) 2bfaa33347golangci-lint fmt(#37194) a9108ab6aaSubmitEventpolyfill (#37276) 0824610e39tw-justify-betweenlayouts toflex-left-right(#37291) 30be22f30ferrorMessagehelper (#37292) f6960096f3deadcodetool (#37271) aba87285f0form-fetch-actionto some forms, fix "fetch action" resp bug (#37305) ca44b5fca8## Problem Workflow-level concurrency groups were evaluated — and jobs were parsed — before the run was persisted, so `run.ID` was `0` and `github.run_id` in the expression context resolved to an empty string. Expressions like: ```yaml concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true ``` collapsed to `<workflow>-` on every push event (`head_ref` is empty on push), so `cancel-in-progress` cancelled in-progress runs across **unrelated branches**, not just the current one. Reproduced on a 1.26 instance: - push to `master` → `ci` run starts - push to `feature-branch` → the `master` run gets cancelled GitHub Actions' documented semantic: on push events `github.run_id` is unique per run, so the group is unique → no cancellation; on PR events `github.head_ref` is the source branch → cancellation is per-PR. ## Fix Insert the run **before** parsing jobs or evaluating workflow-level concurrency, so `run.ID` is populated in time for every expression that reads `github.run_id` — not just the concurrency group, but also `run-name`, job names, and `runs-on`. `jobparser.Parse` now runs inside the `InsertRun` transaction, after `db.Insert(ctx, run)`. Workflow-level concurrency evaluation runs next and only mutates `run` in memory. All concurrency-derived fields (`raw_concurrency`, `concurrency_group`, `concurrency_cancel`) plus `status` and `title` are persisted in a single final `UpdateRun` at end-of-transaction — one `INSERT` + one `UPDATE` per run in both the concurrency and non-concurrency paths (matches pre-branch parity, one fewer `UpdateRepoRunsNumbers` `COUNT` than the interim state). `GenerateGiteaContext` now sets `run_id` from `run.ID` unconditionally; every caller passes a persisted run. **Verification**: tested end-to-end on a 1.26 deployment. Before the patch, two successive `ci` pushes (one to master, one to a feature branch) cross-cancelled each other. After the patch, the same pushes — in both orders (master→branch, branch→master) — run to completion simultaneously across 15+ runs with zero cancellations. **Regression tests** in `services/actions/context_test.go`: - `TestEvaluateRunConcurrency_RunIDFallback` — unit check that `EvaluateRunConcurrencyFillModel` resolves `github.run_id` from `run.ID`. - `TestPrepareRunAndInsert_ExpressionsSeeRunID` — full-flow check: calls `PrepareRunAndInsert` with `${{ github.run_id }}` in both `run-name` and the concurrency group, then asserts the persisted `Title`, `ConcurrencyGroup`, and `RawConcurrency` contain / survive the run's ID. Re-ordering `db.Insert` relative to either parse or concurrency eval fails this test. ## Relation to #37119 [#37119](https://github.com/go-gitea/gitea/pull/37119) also moves concurrency evaluation into `InsertRun` but keeps it **before** `db.Insert`, then tries to populate `run_id` only when `run.ID > 0` — which is still `0` at that call site, so the cross-branch leak would survive that PR as written. This PR fixes the ordering so that `run.ID` is actually populated at eval time, and broadens it to cover parse-time expression interpolation too. Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>relative-timeerror and improve global error handler (#37241) caff989f34Fail the vite build on any rolldown warnings when `NODE_ENV=test` is set. This gate is set on the CI `make frontend` steps (compliance and e2e workflows) and on the local `make test-e2e` target, so warnings fail the build both in CI and when running e2e tests locally. Regular `make frontend` / production builds are unaffected. Example output: ``` [plugin test-warning-injector] first synthetic warning [plugin test-warning-injector] second synthetic warning transforming...✗ Build failed in 14ms error during build: Build failed with 1 error: [plugin fail-on-warnings] Error: 2 warnings present at PluginContextImpl.buildEnd (vite.config.ts:50:13) ... ``` --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com>Learn more about blocking a user(#37355) f52b6f3315This PR simplifies URL validation by removing `IsValidExternalURL` and `IsAPIURL` from `modules/validation/helpers.go` and switching repository settings/API callers to `IsValidURL`. It also aligns tracker-format validation and tests with the new helper surface. - **Validation helpers** - Removed `IsValidExternalURL` and `IsAPIURL`. - Updated `IsValidExternalTrackerURLFormat` to depend on `IsValidURL`. - **Caller updates** - Replaced `validation.IsValidExternalURL(...)` with `validation.IsValidURL(...)` in: - `routers/web/repo/setting/setting.go` - `routers/api/v1/repo/repo.go` - **Tests** - Removed tests dedicated to `IsValidExternalURL`. - Updated tracker-format test expectations to match `IsValidURL`-based behavior. ```go // before if !validation.IsValidExternalURL(form.ExternalTrackerURL) { ... } // after if !validation.IsValidURL(form.ExternalTrackerURL) { ... } ``` Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>Block a userform (#37359) 4695110d5fActionRunAttemptto represent each execution of a run (#37119) 899ede1d55This PR introduces a new `ActionRunAttempt` model and makes Actions execution attempt-scoped. **Main Changes** - Each workflow run trigger generates a new `ActionRunAttempt`. The triggered jobs are then associated with this new `ActionRunAttempt` record. - Each rerun now creates: - a new `ActionRunAttempt` record for the workflow run - a full new set of `ActionRunJob` records for the new `ActionRunAttempt` - For jobs that need to be rerun, the new job records are created as runnable jobs in the new attempt. - For jobs that do not need to be rerun, new job records are still created in the new attempt, but they reuse the result of the previous attempt instead of executing again. - Introduce `rerunPlan` to manage each rerun and refactored rerun flow into a two-phase plan-based model: - `buildRerunPlan` - `execRerunPlan` - `RerunFailedWorkflowRun` and `RerunFailed` no longer directly derives all jobs that need to be rerun; this step is now handled by `buildRerunPlan`. - Converted artifacts from run-scoped to attempt-scoped: - uploads are now associated with `RunAttemptID` - listing, download, and deletion resolve against the current attempt - Added attempt-aware web Actions views: - the default run page shows the latest attempt (`/actions/runs/{run_id}`) - previous attempt pages show jobs and artifacts for that attempt (`/actions/runs/{run_id}/attempts/{attempt_num}`) - New APIs: - `/repos/{owner}/{repo}/actions/runs/{run}/attempts/{attempt}` - `/repos/{owner}/{repo}/actions/runs/{run}/attempts/{attempt}/jobs` - New configuration `MAX_RERUN_ATTEMPTS` - https://gitea.com/gitea/docs/pulls/383 **Compatibility** - Existing legacy runs use `LatestAttemptID = 0` and legacy jobs use `RunAttemptID = 0`. Therefore, these fields can be used to identify legacy runs and jobs and provide backward compatibility. - If a legacy run is rerun, an `ActionRunAttempt` with `attempt=1` will be created to represent the original execution. Then a new `ActionRunAttempt` with `attempt=2` will be created for the real rerun. - Existing artifact records are not backfilled; legacy artifacts continue to use `RunAttemptID = 0`. **Improvements** - It is now easier to inspect and download logs from previous attempts. - [`run_attempt`](https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context) semantics are now aligned with GitHub. - > A unique number for each attempt of a particular workflow run in a repository. This number begins at 1 for the workflow run's first attempt, and increments with each re-run. - Rerun behavior is now clearer and more explicit. - Instead of mutating the status of previous jobs in place, each rerun creates a new attempt with a full new set of job records. - Artifacts produced by different reruns can now be listed separately. Signed-off-by: Zettat123 <zettat123@gmail.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io>/assets/site-manifest.jsonendpoint (#37405) c5c9713ed4prioritycolor (#37417) 24b60f8ff9Permissionfield inRepositorystruct instead of anonymous embedding (#37441) 45b4fffae4Adds a dedicated endpoint for replying to pull request review comments, ``` POST /repos/{owner}/{repo}/pulls/{index}/comments/{id}/replies { "body": "..." } ``` The reply is threaded under the same review as the parent comment. Ref: https://gitea.com/gitea/gitea-mcp/issues/129 Fixes: https://github.com/go-gitea/gitea/issues/37419 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>## Summary This PR adds support for updating pull mirror authentication via the repository edit API and UI. It introduces new mirror authentication fields in _EditRepoOption_, updates the API logic to safely handle partial credential updates, and fixes the web settings flow so that the existing remote username is preserved when only the password is changed. ### What changed - added _auth_username_, _auth_password_, and _auth_token_ to EditRepoOption - updated the repository edit API to apply mirror auth changes via _updateMirror_ - preserved existing username/password when only part of the auth payload is provided - used oauth2 as the default username when _auth_token_ is provided - kept stored mirror URLs sanitized in DB and API responses - updated Swagger schema for the new API fields - added API integration tests for password-only and token-only updates - added a web settings test to ensure username preservation on partial updates ## Why Some use cases require automated synchronization of pull mirrors, for example in CI/CD pipelines or integrations with external systems. At the same time, many organizations enforce security policies that require periodic token rotation (e.g., monthly). Currently, mirror credentials can only be updated via the UI, which makes automation difficult. ## This change enables: - automated token rotation - avoiding manual updates via the UI - easier integration with secret management systems ## Testing - added integration coverage for mirror auth updates via _PATCH /api/v1/repos/{owner}/{repo}_ - added web settings tests for password-only updates preserving the existing username ## Result Ability to automate auth update <img width="2400" height="1245" alt="1" src="https://github.com/user-attachments/assets/67fd5cca-9cb3-4536-b0e2-4d09b8ebff0f" /> <img width="962" height="932" alt="image" src="https://github.com/user-attachments/assets/5d548f5d-aadf-4807-ba52-9c29df93a4cc" /> Generative AI was used to help with making this PR. ##olivere/elasticwith REST API client, add OpenSearch support (#37411) abcfa53040Drops `github.com/olivere/elastic/v7` (unmaintained) and replaces it with a small in-house wrapper that speaks the Elasticsearch REST API directly via `net/http`. The subset used by Gitea (`_cluster/health`, `_bulk`, `_doc`, `_delete_by_query`, `_refresh`, `_search`, `HEAD`/`PUT` index) is stable across the targeted servers, so no client library is needed. **Targets tested** - Elasticsearch 7, 8, 9 - OpenSearch 1, 2, 3 **Why not `go-elasticsearch`?** The official client enforces an `X-Elastic-Product` server-identity check that OpenSearch deliberately fails, which would force shipping a transport shim to defeat it. Going direct over `net/http` removes that fight along with several MB of transitive deps (`elastic-transport-go`, `go.opentelemetry.io/otel{,/metric,/trace}`, `auto/sdk`, `easyjson`, `intern`, `logr`, `stdr`). Replaces: #30755 Fixes: https://github.com/go-gitea/gitea/issues/30752 --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>When running `gitea dump` with output routed to stdout (--file -), deprecation warnings from loadAvatarsFrom were written to stdout, corrupting the archive stream. Root cause: PrepareConsoleLoggerLevel (called in app.Before) sets up a console logger via SetConsoleLogger, which used WriterConsoleOption{} defaulting Stderr to false (i.e. stdout). This logger is installed before the dump subcommand can redirect logging to stderr in runDump. Fix: use WriterConsoleOption{Stderr: true} in SetConsoleLogger so all early CLI diagnostic output goes to stderr from the start. This is correct for all subcommands — diagnostic/log output should never pollute stdout. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com>This adds a complete REST API implementation for managing repository project boards, including projects, columns, and adding issues to columns. API Endpoints: - GET /repos/{owner}/{repo}/projects - List projects - POST /repos/{owner}/{repo}/projects - Create project - GET /repos/{owner}/{repo}/projects/{id} - Get project - PATCH /repos/{owner}/{repo}/projects/{id} - Update project - DELETE /repos/{owner}/{repo}/projects/{id} - Delete project - GET /repos/{owner}/{repo}/projects/{id}/columns - List columns - POST /repos/{owner}/{repo}/projects/{id}/columns - Create column - PATCH /repos/{owner}/{repo}/projects/columns/{id} - Update column - DELETE /repos/{owner}/{repo}/projects/columns/{id} - Delete column - POST /repos/{owner}/{repo}/projects/columns/{id}/issues - Add issue Features: - Full Swagger/OpenAPI documentation - Proper permission checks - Pagination support for list endpoints - State filtering (open/closed/all) - Comprehensive error handling - Token-based authentication with scope validation - Archive repository protection New Files: - modules/structs/project.go: API data structures - routers/api/v1/repo/project.go: API handlers - routers/api/v1/swagger/project.go: Swagger responses - services/convert/project.go: Model converters - tests/integration/api_repo_project_test.go: Integration tests Modified Files: - models/project/issue.go: Added AddOrUpdateIssueToColumn function - routers/api/v1/api.go: Registered project API routes - routers/api/v1/swagger/options.go: Added project option types - templates/swagger/v1_json.tmpl: Regenerated swagger spec fix(api): remove duplicated permission checks in project handlers Route middleware reqRepoReader(unit.TypeProjects) wraps the entire /projects route group, and reqRepoWriter(unit.TypeProjects) is applied to each mutating route individually in api.go. These middleware run before any handler fires and already gate access correctly. The inline CanRead/CanWrite checks at the top of all 10 handlers were therefore unreachable dead code — removed from ListProjects, GetProject, CreateProject, EditProject, DeleteProject, ListProjectColumns, CreateProjectColumn, EditProjectColumn, DeleteProjectColumn, and AddIssueToProjectColumn. The now-unused "code.gitea.io/gitea/models/unit" import is also removed. Addresses review feedback on: https://github.com/go-gitea/gitea/pull/36008 Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> fix(api): replace AddOrUpdateIssueToColumn with IssueAssignOrRemoveProject The custom AddOrUpdateIssueToColumn function introduced by this PR was missing three things that the existing IssueAssignOrRemoveProject provides: 1. db.WithTx transaction wrapper — raw DB updates without a transaction can leave the database in a partial state on error. 2. CreateComment(CommentTypeProject) — assigning an issue to a project column via the UI creates a comment on the issue timeline. The API doing the same action silently was an inconsistency. 3. CanBeAccessedByOwnerRepo ownership check — IssueAssignOrRemoveProject validates that the issue is accessible within the repo/org context before mutating state. AddOrUpdateIssueToColumn is removed entirely. AddIssueToProjectColumn now delegates to issues_model.IssueAssignOrRemoveProject, which already has the issue object loaded earlier in the handler. Addresses review feedback on: https://github.com/go-gitea/gitea/pull/36008 Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> fix(api): remove unnecessary pagination from ListProjectColumns Project columns are few in number by design (typically 3-8 per board). The previous implementation fetched all columns from the DB then sliced the result in memory — adding complexity and a misleading Link header without any practical benefit. ListProjectColumns now returns all columns directly. The page/limit query parameters and associated swagger docs are removed. Addresses review feedback on: https://github.com/go-gitea/gitea/pull/36008 Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> fix(api): regenerate swagger spec after removing ListProjectColumns pagination Removes the page and limit parameters from the generated swagger spec for the ListProjectColumns endpoint, matching the handler change that dropped in-memory pagination. Co-authored-by: Claude <noreply@anthropic.com> test(api): remove pagination assertion from TestAPIListProjectColumns ListProjectColumns no longer supports pagination — it returns all columns directly. Remove the page/limit test case that expected 2 of 3 columns. Co-authored-by: Claude <noreply@anthropic.com> fix(api): implement proper pagination for ListProjectColumns Per contribution guidelines, list endpoints must support page/limit query params and set X-Total-Count header. - Add CountColumns and GetColumnsPaginated to project model (DB-level, not in-memory slicing) - ListProjectColumns uses utils.GetListOptions, calls paginated model functions, and sets X-Total-Count via ctx.SetTotalCountHeader - Restore page/limit swagger doc params on the endpoint - Regenerate swagger spec - Integration test covers: full list with X-Total-Count, page 1 of 2, page 2 of 2, and 404 for non-existent project Co-authored-by: Claude <noreply@anthropic.com>- Rename response timestamps to created_at / updated_at / closed_at - Replace is_closed bool with state ("open" / "closed") via api.StateType - Switch template_type / card_type / type to string enums with input validation - Embed creator User object on Project and ProjectColumn (batched lookup) - Add absolute html_url; drop relative url - Add POST /repos/.../projects/{id}/issues/{issue_id}/move with optional sorting - Validate column hex color and reject writes to closed projects - Document issue-only project scope in swagger - Push project-issue existence check into project_model.IsIssueInColumn - Add project_service.ErrIssueNotInProject sentinel for the move endpoint Co-Authored-By: Claude (Opus 4.7) <noreply@anthropic.com>View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.