Some minor refactors, disable one obsolete lint rule, fix another. The
tribute type issue is not fully fixed and I'm pretty sure it must be an
error in their types.
* Fix#35252
* Fix#35999
* Improve diff rendering, don't add unnecessary "added"/"removed" tags for a full-line change
* Also fix a "space trimming" bug in #36539 and add tests
* Use chroma "SQL" lexer instead of "MySQL" to workaround a bug (35999)
The "Show more files" button replaces `#diff-incomplete` with newly
loaded diff file boxes.
The inserted HTML may contain htmx attributes, but they are not
processed after insertion.
### Solution
Wrap the incomplete diff placeholder with a temporary wrapper so we can
call `htmx.process()` on the newly inserted content.
After processing, unwrap the wrapper to keep the DOM structure
unchanged.
### Testing
- Open a large PR diff page where `Diff.IsIncomplete` is true
- Click "Show more files"
- Verify newly loaded file boxes behave correctly (htmx-related features
work as expected)
<img width="927" height="278" alt="image"
src="https://github.com/user-attachments/assets/54f2b4f2-c0e1-483c-9e26-79a2838e98ee"
/>
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
1. handle non-release git verions (not semver)
2. fix rubygems version "0" handling (only ">=" can be omitted)
3. lazy compile the regexp to improve performance
4. make test data maintainable, use origin source code instead of compressed binary
* Implicitly handle Actions Task Token for Nuget Api Keys
* Support same tokens as Basic Auth in Nuget Api Key Header
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes #36532
Refined the Enter key trigger logic in the repository filter to prevent
actions during IME composition.
By checking the e.isComposing property, the filter now correctly
distinguishes between "confirming an IME candidate" and "submitting the
search." This prevents premature search triggers when users press Enter
to select Chinese/Japanese characters.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes: https://github.com/go-gitea/gitea/issues/34769
This allows the user to opt-in to using `elk` layouts using either YAML
frontmatter or `%%{ init` directives inside the markup code block. The
default layout is not changed.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This adds a per-repository default PR base branch and wires it through
PR entry points. It updates compare links and recently pushed branch
prompts to respect the configured base branch, and prevents auto-merge
cleanup from deleting the configured base branch on same-repo PRs.
## Behavior changes
- New PR compare links on repo home/issue list and branch list honor the
configured default PR base branch.
- The "recently pushed new branches" prompt now compares against the
configured base branch.
- Auto-merge branch cleanup skips deleting the configured base branch
(same-repo PRs only).
---------
Signed-off-by: Louis <116039387+tototomate123@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
The issues filter dropdown always rendered the label scope divider and
header, even when .ExclusiveLabelScopes was empty.
This PR wraps the label scope section with a conditional so the
divider/header and scope entries are only displayed when scopes exist.
Before
The dropdown showed a divider and “Label” header even when there were no
exclusive label scopes available.
<img width="521" height="569" alt="image"
src="https://github.com/user-attachments/assets/9766df6b-c11b-46f3-aabc-9fa5f4ca767d"
/>
After
The label scope section is hidden entirely when .ExclusiveLabelScopes is
empty, keeping the dropdown clean and consistent.
<img width="329" height="485" alt="image"
src="https://github.com/user-attachments/assets/e9586e57-2be5-43ea-8a13-9b87c951be6f"
/>
Notes
UI-only change, no behavior change to filtering logic.
Hides `::add-matcher::`, `##[add-matcher]` and `::remove-matcher` in job
step logs. These are used to configure regex matchers to detect lines
that should trigger annotation comments on the UI, currently unsupported
by Gitea and these have no relevance to the user.
---------
Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Fix#28479
When scrolling inside the editor and the editor has already reached the
end of its scroll area, the browser does not continue scrolling. This is
inconvenient because users must move the cursor out of the editor to
scroll the page further.
This PR enables automatic switching between the editor’s scroll and the
browser’s scroll, allowing seamless continuous scrolling.
- Update all JS deps
- Enable a few more stylelint stylistic rules and fix issues
- Remove knip, it raised another false-positive, this tool is not worth
it when you have to babysit it like that
- Exclude @eslint/json from updating as it requires unreleased eslint 10
([ref](https://github.com/eslint/json/issues/207))
- Update labeler config for new eslint filenames
- Adjust `make help` output
- Add type checking in `stylelint.config.ts`
`smtp.mydomain.test` is a real domain that resolves to something and
which is being connected to while running tests. Instead, use
[.test](https://en.wikipedia.org/wiki/.test) which is guaranteed to
never be registered on the internet, so all connections to it will fail
with NXDOMAIN dns error.
Fix#36483
In git log/rev-list, the "..." syntax represents the symmetric
difference between two references, which is different from the meaning
of "..." in git diff (where it implies diffing from the merge base).
For listing PR commits, we must use `merge-base..head` to include only
the commits introduced by the head branch. Otherwise, commits newly
pushed to the base branch would also be included, which is incorrect.
## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for
the Gitea project.
## Changes
### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`
This is a minor toolchain version bump that ensures the project uses the
latest patch release of Go 1.25.
## Security Improvements
While this PR primarily addresses the toolchain update, the project
maintains a strong security posture through:
### Current Security Measures
```log
Vulnerability #1: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: archive/zip@go1.25.5
Fixed in: archive/zip@go1.25.6
Example traces found:
#1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open
Vulnerability #2: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.25.5
Fixed in: net/url@go1.25.6
Example traces found:
#1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery
#2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query
Vulnerability #3: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: crypto/tls@go1.25.5
Fixed in: crypto/tls@go1.25.6
Example traces found:
#1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake
#2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
#4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
#5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
#6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
#7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```
## Breaking Changes
None expected. This is a minor toolchain patch update.
Followup to
59f812bc1c,
enforce using our localStorage wrapper in eslint.
Also did a few tweaks in the eslint config, like removing the incomplete
list of globals, this is a non-issue with typescript.
---------
Signed-off-by: silverwind <me@silverwind.io>
In Git 2.38, the `merge-tree` command introduced the `--write-tree`
option, which works directly on bare repositories. In Git 2.40, a new parameter `--merge-base` introduced so we require Git 2.40 to use the merge tree feature.
This option produces the merged tree object ID, allowing us to perform
diffs between commits without creating a temporary repository. By
avoiding the overhead of setting up and tearing down temporary repos,
this approach delivers a notable performance improvement.
It also fixes a possible situation that conflict files might be empty
but it's a conflict status according to
https://git-scm.com/docs/git-merge-tree#_mistakes_to_avoid
Replace #35542
---------
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
