diff --git a/CHANGELOG.md b/CHANGELOG.md index c811e6bc043..77274af31c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,274 @@ This changelog goes through the changes that have been made in each release without substantial changes to our git log; to see the highlights of what has been added to each release, please refer to the [blog](https://blog.gitea.com). +## [1.27.0-rc0](https://github.com/go-gitea/gitea/releases/tag/v1.27.0-rc0) - 2026-06-28 + +* BREAKING + * Feat(actions)!: improve support for reusable workflows (#37478) + * Use Content-Security-Policy: script nonce (#37232) + +* SECURITY + * Fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (#37786) + * Fix(oauth): restrict introspection to the token's client (#38042) + * Fix(api): don't expose private org membership via public_members (#38145) + * Fix(actions): deny fork-PR cross-repo access via collaborative owner (#38214) + * Fix(migrations): prevent path traversal in repository restore (#38215) + +* FEATURES + * Feat(actions): add workflow status badge modal (#38196) + * Feat(actions): support owner-level and global scoped workflows (#38154) + * Feat(api): support ref suffixes in compare (#38148) + * Feat(actions): implement `jobs..continue-on-error` (#38100) + * Feat(actions): show run status on browser tab favicon (#38071) + * Feat(api): add token introspection and self-deletion endpoint (#37995) + * Feat(api): add q parameter to list branches API for server-side filtering (#37982) + * Feat(repo): split repository creation limit into user and org scopes (#37872) + * Feat(actions): bulk delete, disable and enable runners in admin UI (#37869) + * Feat(actions): List workflows that were executed once but got removed from the default branch (#37835) + * Feat(org): add team visibility so org members can discover teams (#37680) + * Feat: add raw diff/patch endpoint for repository comparisons (#37632) + * Feat: Add avatar stacks (#37594) + * Feat(actions): add job summaries (GITHUB_STEP_SUMMARY) (#37500) + * Feat(web): Add Jupyter Notebook (.ipynb) Rendering Support (#37433) + * Support for Custom URI Schemes in OAuth2 Redirect URIs (#37356) + * Feat(orgs): Add search bar for organization members tab page (#37347) + * Feat(api): Add assignees APIs (#37330) + * Feat(api): Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs (#37196) + * Serve OpenAPI 3.0 spec at /openapi.v1.json (#37038) + * Add project column picker to issue and pull request sidebar (#37037) + * Allow multiple projects per issue and pull requests (#36784) + * Feat(ui): add "follow rename" to file commit history list (#34994) + * Feat(ssh): auto generate additional ssh keys (#33974) + +* ENHANCEMENTS + * Enhance: allow builtin default git config options to be overridden (#38172) + * Enhance: allow MathML core elements (#38034) + * Enhance(markup): improve issue title rendering (#37908) + * Enhance(actions): set descriptive browser tab title on run view (#37870) + * Enhance: Migrate remaining gopkg.in/yaml.v3 usages to go.yaml.in/yaml/v4 (#37866) + * Enhance(actions): show workflow name from YAML instead of filename (#37833) + * Feat(actions): add before/after to PR synchronize event payload (#37827) + * Enhance(actions): add branch filters to run list (#37826) + * Enhance(actions): Make Summary UI more beautiful with more infos (#37824) + * Feat: add copy button to action step header, improve other copy buttons (#37744) + * Fix(icon): use repo-forked icon to display forks count (#37731) + * Feat(api): add sort and order query parameters to job list endpoints (#37672) + * Feat(api): add last_sync to repository API (#37566) + * Enhance: Adjust Workflow Graph styling (#37497) + * Improve code editor text selection and clean up lint enablement (#37474) + * Add mirror auth updates to repo edit API and settings (#37468) + * Replace `olivere/elastic` with REST API client, add OpenSearch support (#37411) + * Feat: Add default PR branch update style setting (#37410) + * Fix inconsistent disabled styling on logged-out repo header buttons (#37406) + * Allow fast-forward-only merge when signed commits are required (#37335) + * Enhance styling in actions page (#37323) + * Fix: improve actions status icons and texts (#37206) + * Make Markdown fenced code block work with more syntaxes (#37154) + * Fix: Sort action run jobs by JobID and Name with matrix examples (#37046) + * Add API endpoint to reply to pull request review comments (#36683) + +* PERFORMANCE + * Perf(web): sort the action_run query by a repo-scoped index when possible (#38155) + * Perf: Various performance regression fixes (#38078) + * Perf: extend action `c_u` index to include `created_unix` for faster dashboard feeds (#38076) + * Batch-load related data in actions run, job, and task API endpoints (#37032) + +* BUGFIXES + * Fix: update npm dependencies, fix misc issues (#38257) + * Fix(api): respect since/until when counting commits for X-Total-Count (#38204) + * Fix: codemirror regressions (#38248) + * Fix(api): support HEAD requests on all API GET endpoints (#38245) + * Fix(actions): Cleanup workflow status badge code (#38241) + * Fix(web): Correctly align the "disabled" label on larger workflow names (#38240) + * Fix(actions): don't swallow HTML entities into linkified URLs (#38239) + * Fix(packages): accept npm "repository" and "bin" in string form (#38236) + * Fix(actions): fix 500 error when canceling a canceling task (#38223) + * Fix(deps): update module golang.org/x/image to v0.43.0 [security] (#38219) + * Fix(mssql): convert legacy DATETIME columns to DATETIME2 (#38216) + * Fix(api): deny private org member enumeration via /members (#38213) + * Fix(actions): ensure all waiting jobs get runners in large workflows (#38200) + * Fix(deps): update go dependencies (#38194) + * Fix(deps): update npm dependencies (#38193) + * Fix(cli): default must-change-password to false for bot users (#38175) + * Fix(actions): show run index in run view and fix summary graph height (#38165) + * Fix: csp (#38162) + * Fix(deps): update npm dependencies (#38123) + * Fix(mssql): expand legacy issue and comment long-text columns (#38120) + * Fix(packages): validate debian distribution and component names (#38116) + * Fix(packages): validate module version in goproxy ParsePackage (#38104) + * Fix(deps): update dependency esbuild to v0.28.1 [security] (#38097) + * Fix: git push hook post receive (#38089) + * Fix(ui): prevent commit status popup overflowing its row (#38081) + * Fix: validate gem name in rubygems parseMetadataFile (#38061) + * Fix: commit display name (#38057) + * Fix: csp regressions (#38047) + * Fix: api error message (#38031) + * Fix(deps): update npm dependencies (#38029) + * Fix: pgsql lint (#38022) + * Fix(indexer): fix assignee filters in issue search (#38021) + * Fix: various dropdown problems (#38020) + * Fix: refactor git error handling and make archive streaming handle non-existing commit id (#38007) + * Fix: raise git required version to 2.13 (#37996) + * Fix: remove "no-transfrom" from the cache-control header (#37985) + * Fix(deps): update module github.com/google/go-github/v87 to v88 (#37971) + * Fix: use committer time where ever possible as default (#37969) + * Fix(deps): update npm dependencies, remove nolyfill (#37968) + * Fix(deps): update go dependencies (#37967) + * Fix(pull): preserve squash message trailers and additional commit messages (#37954) + * Fix(deps): update module golang.org/x/image to v0.41.0 [security] (#37904) + * Fix: support ##[command] log prefix in action run UI (#37882) + * Fix(deps): update module github.com/google/go-github/v86 to v87 (#37845) + * Fix(deps): update npm dependencies (#37844) + * Fix(deps): update go dependencies (#37841) + * Fix(frontend): resolve Vite assets by manifest source path (#37836) + * Fix(locales): Replace hardcoded strings (#37788) + * Fix(packages): render markdown links relative to linked repo (#37676) + * Fix: persist mirror repository metadata (#37519) + * Fix cmd tests by mocking builtin paths (#37369) + * Add `form-fetch-action` to some forms, fix "fetch action" resp bug (#37305) + * Feat: execute post run cleanup when workflow is cancelled (#37275) + * Fix `relative-time` error and improve global error handler (#37241) + * Refactor flash message and remove SanitizeHTML template func (#37179) + +* TESTING + * Test: speed up two tests (#37905) + * Test: Fix random failure test (#37887) + * Test: fix flaky `issue-comment` close test (#37880) + * Test: enable WAL for sqlite integration tests (#37861) + * Test: fix flaky `TestResourceIndex` and reduce its runtime (#37847) + * Test: run `TestAPIRepoMigrate` offline via a local clone source (#37817) + * Ci: shard tests and reduce redundant work (#37618) + * Test(e2e): run playwright via container (#37300) + * Remove external service dependencies in migration tests (#36866) + +* BUILD + * Fix(actions): authenticate snapcraft before nightly remote build (#38252) + * Ci: cap Elasticsearch heap in db-tests (#37816) + * Build(snap): publish nightly version to snapcraft via actions (#37814) + * Ci: split pgsql shards into plain jobs, dedupe setup actions (#37802) + * Ci: narrow files-changed frontend filter (#37749) + * Ci: add `zizmor` to `lint-actions` (#37720) + * Chore: clean up "contrib" dir (#37690) + * Fix: snap build (main branch) (#37685) + * Ci: Also lint json5 files (#37659) + * Feat(editor): broaden language detection in web code editor (#37619) + * Build: update pnpm to v11 (#37591) + * Refactor(deps): migrate from `nektos/act` fork to `gitea/runner` (#37557) + * Refactor: lint bare `fill`/`stroke` colors, add vars for git graph color series (#37543) + * Update go js py dependencies (#37525) + * Ci: lint PR titles with commitlint (#37498) + * Chore: upgrade Go version in devcontainer image to 1.26 (#37374) + * Update GitHub Actions to latest major versions (#37313) + * Update go js dependencies (#37312) + * Fail vite build on rolldown warnings via NODE_ENV=test (#37270) + * Remove htmx (#37224) + * Replace custom Go formatter with `golangci-lint fmt` (#37194) + * Refactor htmx and fetch-action related code (#37186) + * Integrate renovate bot for all dependency updates (#37050) + * Build(sign): move to sigstore (#38250) + +* DOCS + * Docs: update changelog for 1.26.3 & 1.26.4 (#38178) + * Docs: fix duplicated word in foreachref doc comment (#38161) + * Docs: Clarify criteria for becoming a merger (#38113) + * Docs: Publish TOC Election Result 2026 (#38111) + * Docs: mark openapi3 as autogenerated in attributes (#37963) + * Docs: add development setup guide (#37960) + +* MISC + * Revert(sign): restore gpg (#38251) + * Refactor: replace legacy `delete-button` with `link-action` (#38143) + * Refactor(actions): read runner capabilities from proto field (#38068) + * Refactor(api): clarify APIError message usage and fix legacy lint error (#38012) + * Refactor: Use db.Get[] instead of db.GetEngine(ctx).Get(bean) to avoid zero value fetching wrong database record (#37977) + * Fix(deps): update go dependencies (#37851) + * Ci: Fix sync PR labels from the conventional-commit title (#37784) (#37825) + * Ci: tweak `files-changed`, add `free-disk-space` (#37819) + * Fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (#37806) + * Test(e2e): add comment, release, star, PR and fork tests (#37800) + * Chore: simplify issue and pull request templates (#37799) + * Chore: Update giteabot to fix failure when backport (#37789) + * Fix(api): handle partial failures in push mirror synchronization gracefully (#37782) + * Fix(deps): update module gitlab.com/gitlab-org/api/client-go/v2 to v2.26.0 (#37771) + * Ci: split giteabot workflow (#37770) + * Fix(deps): update npm dependencies (#37768) + * Refactor(waitgroup): replace Add/Done goroutines with WaitGroup.Go (#37764) + * Fix(deps): update module google.golang.org/grpc to v1.81.1 (#37762) + * Ci: fix cache-related issues (#37761) + * Chore: fix tests (#37760) + * Fix(deps): update module github.com/google/go-github/v85 to v86 (#37754) + * Fix(deps): update npm dependencies (#37753) + * Fix(deps): update go dependencies (#37752) + * Chore(deps): update action dependencies (#37751) + * Fix(markup): wrap indented code blocks for the code-copy button (#37748) + * Chore(db): introduce db.Session and db.EngineMigration interfaces (#37746) + * Feat(web): also display PR counts in repo list (#37739) + * Refactor(glob): use strings.Builder for regexp compilation (#37730) + * Chore(doctor): remove four obsolete doctor check implementations (#37728) + * Refactor(org): simplify owner-team org repo creation logic (#37727) + * Refactor: move `workflowpattern` into `modules/actions` (#37717) + * Chore: clean up tests (#37715) + * Style: misc UI fixes (#37691) + * Ci: add shellcheck linter (#37682) + * Fix: catch and fix more lint problems (#37674) + * Fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662) + * Fix(deps): update npm dependencies (#37647) + * Ci(renovate): update Go import paths on major bumps (#37641) + * Fix(deps): update go dependencies (major) (#37639) + * Chore(deps): update action dependencies (major) (#37638) + * Fix(deps): update module code.gitea.io/sdk/gitea to v0.25.0 (#37637) + * Fix(deps): update npm dependencies (#37636) + * Refactor(log): replace log.Critical with log.Error (#37624) + * Build(deps): bump fast-uri from 3.1.0 to 3.1.2 (#37616) + * Feat(oauth): Support AWS Cognito OAuth2 provider (#37607) + * Chore(deps): update action dependencies (#37603) + * Ci: allow `chore` type in PR title lint (#37575) + * Refactor: only reset a database table when the table's data was changed (#37573) + * Ci: increase renovate frequency and fix RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS (#37565) + * Refactor: use modernc sqlite driver as default (#37562) + * Docs: fix 4 typos in CHANGELOG.md (#37549) + * Fix(deps): update go dependencies (#37541) + * Chore(deps): update action dependencies (#37540) + * Refactor pull request view (6) (#37522) + * Fix: redirect early CLI console logger to stderr (#37507) + * Refactor "flex-list" to "flex-divided-list" (#37505) + * Refactor compare diff/pull page (1) (#37481) + * Refactor pull request view (4) (#37451) + * Update 1.26.1 changelog in main (#37442) + * Refactor: use named `Permission` field in `Repository` struct instead of anonymous embedding (#37441) + * Refactor: serve site manifest via `/assets/site-manifest.json` endpoint (#37405) + * Remove IsValidExternalURL/IsAPIURL and use IsValidURL at call sites (#37364) + * Update `Block a user` form (#37359) + * Move review request functions to a standalone file (#37358) + * Feat(security): set X-Content-Type-Options: nosniff by default (#37354) + * Enable strict TypeScript, add `errorMessage` helper (#37292) + * Refactor frontend `tw-justify-between` layouts to `flex-left-right` (#37291) + * Update Nix flake (#37284) + * Fix Repository transferring page (#37277) + * Remove `SubmitEvent` polyfill (#37276) + * Remove dead code identified by `deadcode` tool (#37271) + * Upgrade go-git to v5.18.0 (#37268) + * Don't add useless labels which will bother changelog generation (#37267) + * Move heatmap to first-party code (#37262) + * Tests/integration: simplify code (#37249) + * Add pagination and search box to org teams list (#37245) + * Remove error returns from crypto random helpers and callers (#37240) + * Add `ExternalIDClaim` option for OAuth2 OIDC auth source (#37229) + * Refactor: simplify ParseCatFileTreeLine and catBatchParseTreeEntries (#37210) + * Refactor "htmx" to "fetch action" (#37208) + * Update go js py dependencies (#37204) + * Add comment for the design of "user activity time" (#37195) + * Remove outdated RunUser logic (#37180) + * Models/fixtures: add "DO NOT add more test data" comment to all yml fixture files (#37150) + * Update javascript dependencies (#37142) + * Update go dependencies (#37141) + * Frontport changelog of v1.26.0-rc0 (#37138) + * Introduce `ActionRunAttempt` to represent each execution of a run (#37119) + * Workflow Artifact Info Hover (#37100) + * Extend issue context popup beyond markdown content (#36908) + * Add bulk repository deletion for organizations (#36763) + * Feat: Add bypass allowlist for branch protection (#36514) + ## [1.26.4](https://github.com/go-gitea/gitea/releases/tag/1.26.4) - 2026-06-21 * SECURITY