Commit Graph

21103 Commits

Author SHA1 Message Date
Giteabot
35413d5b65 chore(deps): update dependency djlint to v1.40.0 (#38341) 2026-07-06 15:56:31 +02:00
Zettat123
e797a27d4e fix(actions): release claimed task if context is cancelled during FetchTask (#38343)
When a runner's `FetchTask` request context is cancelled after the job
is claimed but before the task reaches the runner (e.g. request
timeout), the job was left referencing a running task no runner ever
executes, so it stayed unpickable.

Fix: Check the context after assembling the task and release the task so
the job returns to waiting status for another runner.
2026-07-06 06:38:44 +02:00
GiteaBot
4b15260277 [skip ci] Updated translations via Crowdin 2026-07-06 01:02:23 +00:00
GiteaBot
18fdc77130 [skip ci] Updated translations via Crowdin 2026-07-05 01:02:27 +00:00
Zettat123
2c2691b969 test: compare key file contents instead of FileInfo in TestInitKeys (#38330)
`TestInitKeys` verified whether a host key file was regenerated by
comparing `os.FileInfo` before and after a `InitDefaultHostKeys` call.
On systems where the OS clock / filesystem timestamp granularity is
coarse, both writes land in the same tick and get an identical mtime.
The resulting `FileInfo` is then byte-for-byte equal even though the key
was actually regenerated, so `assert.NotEqual` fails.

Since a regenerated key always produces different random bytes,
comparing the content can reliably detect regeneration.
2026-07-04 22:30:12 +02:00
wxiaoguang
08d4abbb46 docs: describe duties of mergers prior to merging a PR (#38308)
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Signed-off-by: delvh <dev.lh@web.de>
Co-authored-by: delvh <dev.lh@web.de>
2026-07-04 21:00:22 +02:00
Lunny Xiao
e4ef995f2a fix(release): validate web attachment renames against allowed types (#38314)
This fixes the web release edit flow so renamed release attachments are
validated against `[repository.release] ALLOWED_TYPES`.

Previously, the API attachment edit endpoint already enforced release
attachment type restrictions, but the web release edit form passed
`attachment-edit-*` values into `release_service.UpdateRelease`, which
updated attachment names directly without validating the new filename
against `setting.Repository.Release.AllowedTypes`.

As a result, a user with repository write access could rename an
existing release attachment to a disallowed extension through the web
UI.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-07-04 15:02:17 +02:00
GiteaBot
7fdfb8d642 [skip ci] Updated translations via Crowdin 2026-07-04 00:56:26 +00:00
bircni
d4c4142123 fix(actions): make runner list pagination order deterministic (#38313)
The runner-listing API endpoints (`admin`, `org`, `user`, `repo`, and
`shared`) return runners in a non-deterministic order across pages. When
paging through runners, some runners from page 1 could reappear on page
2 (and others get skipped entirely).

The cause is in `FindRunnerOptions.ToOrders()`. Most sort modes order by
a **non-unique** column only:

- default / `online` / `offline` → `last_online`
- `alphabetically` / `reversealphabetically` → `name`

When multiple runners tie on the sort key (e.g. every offline runner
shares `last_online = 0`, or two runners have the same name), the
database is free to return the tied rows in any order between separate
queries. Combined with `LIMIT`/`OFFSET` pagination, this means the same
runner can land on more than one page.

## Fix

Append the unique primary key `id` as a stable tiebreaker to each
non-unique sort order:

The `newest`/`oldest` modes already sort by the unique `id`, so they are
left unchanged.
2026-07-03 20:35:47 +00:00
bircni
f7fd510224 fix(release): gate draft release attachments on web download endpoints (#38318)
Draft-release access control was enforced only on the API release
endpoints (`/api/v1/repos/{owner}/{repo}/releases/...`) but not on the
UUID-based web attachment endpoints (`/attachments/{uuid}`,
`/{owner}/{repo}/attachments/{uuid}`,
`/{owner}/{repo}/releases/attachments/{uuid}`).

Anyone who obtained an attachment UUID — including unauthenticated
callers — could download files belonging to a hidden draft release,
since `ServeAttachment` only checked repo-level read permission and
never the release's draft state.
2026-07-03 20:07:37 +02:00
silverwind
38a5824753 ci(snap): build snaps natively instead of on launchpad (#38312)
The nightly snap build fails with `snapcraft remote-build`'s
`BadRequest()`: it force-pushes Gitea's full history to a fresh
Launchpad repo each run and creates the recipe before Launchpad has
indexed the `main` ref. The race is unwinnable at Gitea's repo size, and
Canonical does not support `remote-build` in CI.

Build locally on native amd64 + arm64 runners with
`snapcore/action-build` + `snapcore/action-publish` instead — no
Launchpad, no race. Drops the `LAUNCHPAD_CREDENTIALS` secret (publishing
keeps `SNAPCRAFT_STORE_CREDENTIALS`); the `snap/` recipe is unchanged,
so the same snaps ship to `latest/edge`.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-07-03 07:22:27 +00:00
silverwind
e8d2c493bb chore: update eslint-plugin-unicorn to v70 (#38310)
Bumps to https://github.com/sindresorhus/eslint-plugin-unicorn/releases/tag/v70.0.0,
enable all new rules, no violations.

---------

Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com>
2026-07-02 14:09:37 -07:00
Shudhanshu Singh
b09920a537 feat(webhook): support Telegram Bot API 10.1 Rich Messages (#38298)
Upgrades Gitea's Telegram webhook integration to support Telegram Bot
API 10.1 (June 2026 release). This enables Gitea webhooks to take
advantage of rich formatted messages (tables, nested blocks, collapsible
details, etc.) by routing them through the /sendRichMessage endpoint
with the new rich_message payload structure.

Old `/sendMessage` webhook URLs are written to `/sendRichMessage`
at runtime to prevent the need for database migrations

Fixes https://github.com/go-gitea/gitea/issues/38118

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-07-02 15:14:48 +00:00
silverwind
c6184ed184 chore(snap): drop armhf build (#38311)
Launchpad no longer builds `core24` snaps for `armhf`. Since `snapcraft
remote-build` submits a single request for all platforms, the `armhf`
rejection fails with `snapcraft internal error: BadRequest()` and takes
the `amd64` and `arm64` builds down with it, so nothing gets published.

Dropping 32-bit ARM from `snap/snapcraft.yaml` and the workflow's
`--build-for` restores nightly snap publishing for the remaining
architectures.
2026-07-02 13:55:45 +02:00
Shudhanshu Singh
8909958055 fix(actions): prevent chevron overlap with log text when timestamps are enabled (#38227)
### Description
This PR resolves a UI alignment bug in the Gitea Actions log viewer
where the expand/collapse disclosure chevron overlaps with the log text
(specifically the timestamp) when timestamps are enabled.

### Cause
When log timestamps are enabled, the timestamp element
(`.log-time-stamp`) is rendered as the first element next to the line
number. Because it only had a default `10px` left margin, it positioned
itself exactly where the group's expand/collapse chevron is located,
causing them to overlap.

### Solution
Updated the CSS styles in `web_src/js/components/ActionRunJobView.vue`
to dynamically apply the `21px` margin to whichever element is the first
visible element after the line number:
- If the timestamp is visible, it gets the `21px` margin to clear the
chevron, and the subsequent log message gets a `10px` margin.
- If the timestamp is hidden, the log message receives the `21px`
margin.

### Before / After
**Before:**
<img width="853" height="348" alt="actions_log_before"
src="https://github.com/user-attachments/assets/d09a752e-18cb-4fe3-b749-4979cbe45240"
/>


**After:**
<img width="862" height="511" alt="actions_log_after"
src="https://github.com/user-attachments/assets/63063f05-8cd6-4986-a993-ed12f28625c8"
/>

Fixes #38222.

---------

Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: silverwind <me@silverwind.io>
2026-07-02 05:20:25 +00:00
silverwind
638e4bce09 chore: upgrade go-swagger to v0.35.0 and enforce zero swagger warnings (#38299)
Updates `go-swagger` to v0.35.0 and makes swagger generation and
validation warning-free, with the build now failing on any warning
(`go-swagger` itself exits `0` on warnings).

- Generation passes `--enable-allof-compounding` (keeps `$ref` fields
bare, no spec change) and `--skip-enum-desc` (drops the enum description
that duplicates `x-go-enum-desc` and was the only source of `allOf`
noise in the OpenAPI 3.0 output).
- Fixed warnings at the source: dropped `swagger:strfmt` where it
conflicts with `required: true` (`required` kept, `time.Time` still maps
to `date-time`), fixed a malformed `units_map` example, moved the
`parameterBodies` injection hack to `swagger:parameters`, and removed
unused responses.

Fixes: https://github.com/go-gitea/gitea/issues/12508

---------

Co-authored-by: bircni <bircni@icloud.com>
2026-07-01 21:07:34 +00:00
puni9869
a031454586 fix: Improve since/until when counting commits for X-Total-Count (#38243)
Follow up for https://github.com/go-gitea/gitea/pull/38204.

---------

Signed-off-by: puni9869 <80308335+puni9869@users.noreply.github.com>
2026-07-01 20:43:46 +00:00
silverwind
c52a07dcfe chore: remove eslint-plugin-array-func (#38294)
The rules from `eslint-plugin-array-func` are redundant with
`eslint-plugin-unicorn`:

- `from-map` → `unicorn/prefer-array-from-map`
- `no-unnecessary-this-arg` → `unicorn/no-array-method-this-argument`
- `prefer-flat` / `prefer-flat-map` → `unicorn/prefer-array-flat` /
`unicorn/prefer-array-flat-map` (already disabled here)

The two remaining rules (`avoid-reverse`, `prefer-array-from`) are niche
and not worth carrying an extra dependency for.

Co-authored-by: bircni <bircni@icloud.com>
2026-07-01 20:16:42 +00:00
bircni
b6ef881a9f docs: Welcome Zettat to TOC (#38303) 2026-07-01 20:07:44 +00:00
Kausthubh J Rao
6240d8bf89 fix(workflows): branch protection status checks fail when workflow uses on: paths filter (#38237) 2026-07-01 21:47:47 +02:00
silverwind
9cb2719fab chore: update node.js to v26 (#38285)
- bump ci, flake and `@types/node` to node 26
- regenerate flake.lock which is needed for that package
- refactor workflow to use shared composite action
2026-07-01 16:28:36 +02:00
silverwind
e8654c7e06 refactor: replace vue-bar-graph dependency with inlined SVG chart (#38292)
Inlines the small SVG bar graph into `RepoActivityTopAuthors.vue` (its
only consumer) and drops the `vue-bar-graph` npm dependency.

- Bars render at static height (dropped the grow animation).
- Theme-aware axis color instead of a hardcoded `#555555`.
- Removed the dangling `role="img"`/`aria-labelledby` on the `<svg>`.
- Reserve the chart height so the page does not shift when the component
mounts.

<img width="416" height="110" alt="Screenshot 2026-07-01 at 11 15 25"
src="https://github.com/user-attachments/assets/b2db4d0c-20f1-4345-9951-32a908abfaba"
/>
<img width="419" height="110" alt="Screenshot 2026-07-01 at 11 15 35"
src="https://github.com/user-attachments/assets/853305a5-575f-4a26-ba3b-12fc51081324"
/>

fyi @lafriks

---------

Signed-off-by: silverwind <me@silverwind.io>
2026-07-01 11:17:23 +00:00
Zettat123
67a6bd7fc0 feat(auth): add disable-2fa command (#38275)
This PR adds the `gitea admin user disable-2fa` command to disable 2FA
for a user

When the only admin in the instance loses their 2FA credentials, this
command can be used to disable 2FA, allowing them to log in and reset
it.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2026-07-01 12:33:16 +02:00
Aidan Fahey
77e221ffaf fix(oauth2): persist linkAccountData during auto-link 2FA flow (#38274)
Fixes HTTP 500 when OIDC auto account linking (`ACCOUNT_LINKING=auto`)
requires local 2FA. `oauth2LinkAccount` set `linkAccount` in the session
before redirecting to 2FA but did not persist `linkAccountData`, so
`TwoFactorPost` failed with `not in LinkAccount session`. The manual
linking flow already stored both, this aligns auto-link with that
behavior.

Closes #38171

---------

Co-authored-by: bircni <bircni@icloud.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-07-01 10:03:38 +00:00
bircni
458c11bd68 fix(actions): allow Actions bot to push to protected branches (#38284)
Fixes #38278

## Problem

When branch protection matches the branch an Actions workflow pushes to,
the runner's `git push` is rejected — even though the workflow token has
`contents: write` and the same push performed with a PAT (write access)
succeeds. Disabling protection or changing the pattern so it no longer
matches makes the push work.

## Root cause

In `preReceiveBranch` (`routers/private/hook_pre_receive.go`), the "can
the doer push to this protected branch" check resolves the pusher with
`user_model.GetUserByID(ctx, ctx.opts.UserID)`. For an Actions push the
user ID is `-2` (the virtual `ActionsUserID`), which has no database
row, so the lookup fails. Even past that, `CanUserPush` →
`HasAccessUnit`/whitelist membership cannot evaluate a virtual user and
returns `false`. As a result the Actions bot was rejected on every
matching protected branch, despite the earlier `assertCanWriteRef`
already confirming the token's code-write via
`GetActionsUserRepoPermission`.

This was inconsistent: a PAT with identical write access passed the
exact same check.

## Fix

Evaluate the Actions bot against its already-computed token permission
instead of a user lookup, mirroring the existing
`IsUserMergeWhitelisted` pattern:

- Add `CanActionsUserPush` / `CanActionsUserForcePush` on
`ProtectedBranch`, which take the precomputed `access_model.Permission`.
- Allow the push when push is enabled, **no** push whitelist is
enforced, and the token has code-write.
- Keep the bot blocked when a whitelist is enforced — it cannot be added
to one, so it must use a pull request. This preserves the whitelist as a
real security boundary.

Force-push, signed-commit and protected-file-path checks are untouched.

---------

Signed-off-by: bircni <bircni@icloud.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-07-01 09:19:47 +00:00
GiteaBot
3d2bbd25ec [skip ci] Updated translations via Crowdin 2026-07-01 01:19:35 +00:00
Avinash Thakur
7745720292 feat: extend <video> tag allowed attributes (#38279)
autoplay is useless nowadays without "muted" as browsers won't autoplay
unmuted videos.
Similarly, other attributes are also commonly used and harmless to keep.

<!--
Before submitting:
- Target the `main` branch; release branches are for backports only.
- Use a Conventional Commits title, e.g. `fix(repo): handle empty branch
names`.
- Read the contributing guidelines:
https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md
- Documentation changes go to https://gitea.com/gitea/docs

Describe your change below and link any issue it fixes.
-->

---------

Signed-off-by: Avinash Thakur <19588421+80avin@users.noreply.github.com>
2026-06-30 20:31:13 +00:00
bircni
d46d0540d0 fix(actions): include all aggregable run statuses in status filter (#38280)
The **Status** filter dropdown on the repository Actions run list does
not let you filter for **Blocked** runs (nor **Cancelled** or
**Skipped**). These statuses are missing from the dropdown even though a
run can legitimately end up in any of them.

A run's status is computed by `aggregateJobStatus`, which can return
`Blocked`, `Cancelled` and `Skipped`. Because the filter dropdown only
offered Success, Failure, Waiting, Running and Cancelling, runs in those
other states existed but were impossible to filter for.
2026-06-30 19:59:30 +00:00
techknowlogick
e449018730 non-shallow clone for snapcraft
Signed-off-by: techknowlogick <techknowlogick@gitea.com>
2026-06-30 18:35:29 +02:00
Vinod-OAI
e1cdb71845 fix(archiver): use serializable repo-archive queue payload (#38273)
After upgrading from 1.25.x to 1.26.x, `repo-archive` workers can fail
to unmarshal queued items:

```
Failed to unmarshal item from queue "repo-archive":
json: unable to unmarshal into Go convert.Conversion within "/Repo/Units/0/Config":
cannot derive concrete type for nil interface with finite type set
```

`ArchiveRequest` started embedding `*repo_model.Repository` in 1.26,
which does not round-trip through the JSON queue.

This change stores a minimal `archiveQueueItem` (`RepoID`, `Type`,
`CommitID`, `Paths`) in `repo-archive` and loads the repository in the
worker. `UnmarshalJSON` accepts legacy payloads that used `RepoID` or
embedded `Repo.id`.

Fixes #38272

<!--
Before submitting:
- Target the `main` branch; release branches are for backports only.
- Use a Conventional Commits title, e.g. `fix(repo): handle empty branch
names`.
- Read the contributing guidelines:
https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md
- Documentation changes go to https://gitea.com/gitea/docs

Describe your change below and link any issue it fixes.
-->

---------

Co-authored-by: bircni <bircni@icloud.com>
2026-06-30 14:42:05 +00:00
silverwind
a64131e22d chore: update eslint plugins and config (#38264)
1. Bump all eslint dependencies, enable some of the new unicorn rules
2. Remove `eslint-plugin-de-morgan`, it sometimes causes readability
issues
3. Disable some of the unicorn rules that are known to produce
false-positives
4. Remove obsolete type cast
5. Fix one violation of
https://github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/prefer-dom-node-replace-children.md

---------

Signed-off-by: silverwind <me@silverwind.io>
2026-06-30 13:53:29 +00:00
GiteaBot
0f0a38c1b9 [skip ci] Updated translations via Crowdin 2026-06-30 01:13:52 +00:00
silverwind
535f791166 ci: regenerate codemirror languages on renovate npm updates (#38267)
Adds `make generate-codemirror-languages` to the npm group's
`postUpgradeTasks` in `renovate.json5`, so renovate regenerates
`assets/codemirror-languages.json` whenever `@codemirror/language-data`
(or any npm dep) updates — mirroring the existing `make svg` handling.

Also reformats the `fileFilters` arrays multi-line and regenerates the
asset to pick up current upstream linguist languages.
2026-06-29 22:59:08 +00:00
Lunny Xiao
b34a09be38 build: fix snapcraft release (#38260)
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
2026-06-29 14:35:26 -07:00
Giteabot
6f2e328c85 chore(deps): update dependency js-yaml to v5 (#38262)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.2.0` →
`5.1.0`](https://renovatebot.com/diffs/npm/js-yaml/4.2.0/5.1.0) |
![age](https://developer.mend.io/api/mc/badges/age/npm/js-yaml/5.1.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/js-yaml/4.2.0/5.1.0?slim=true)
|

---

### Release Notes

<details>
<summary>nodeca/js-yaml (js-yaml)</summary>

###
[`v5.1.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#510---2026-06-23)

[Compare
Source](https://redirect.github.com/nodeca/js-yaml/compare/5.0.0...5.1.0)

##### Added

- Collection tags can finalize an incrementally populated carrier into a
  different result value.

##### Changed

- \[breaking] `quoteStyle` now selects the preferred quote style; use
the
  restored `forceQuotes` option to force quoting non-key strings.

###
[`v5.0.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#500---2026-06-20)

[Compare
Source](https://redirect.github.com/nodeca/js-yaml/compare/4.3.0...5.0.0)

##### Added

- Added named exports for schemas, tags, parser events and AST
utilities.
- Reworked `JSON_SCHEMA` and `CORE_SCHEMA` with spec-compliant scalar
resolution
  rules, and added `YAML11_SCHEMA`.
- Added `realMapTag` for lossless mappings with non-string and complex
keys.
Object-based mappings now reject complex keys instead of stringifying
them.
- Added `dump()` `transform` option for changing the generated AST
before
  rendering.
- Added `dump()` options `seqInlineFirst`, `flowBracketPadding`,
`flowSkipCommaSpace`, `flowSkipColonSpace`, `quoteFlowKeys`,
`quoteStyle` and
  `tagBeforeAnchor`.
- Added formal data layers (events and AST) for modular data pipelines.
  - Added low-level parser (to events), presenter and visitor APIs.
- Added the [YAML Test
Suite](https://redirect.github.com/yaml/yaml-test-suite) to the
  test set.

##### Changed

- See the [migration guide](docs/migrate_v4_to_v5.md) for upgrade notes.
- Rewritten in TypeScript and reorganized the public API around flat
named
  exports.
- Reduced the set of exported schemas:
  - YAML 1.2 schemas: `CORE_SCHEMA` (loader default), `JSON_SCHEMA`,
    `FAILSAFE_SCHEMA`.
- `YAML11_SCHEMA`, a combination of all YAML 1.1 tags (YAML 1.1 does not
    specify a schema, only "types").
- `load`/`dump` default behaviour is now specified exactly via schemas:
  - `load` uses `CORE_SCHEMA`, without `!!merge` by default.
- `dump` uses `YAML11_SCHEMA` + `CORE_SCHEMA` for the quoting check, to
    guarantee backward compatibility by default.
- `!!set` is now loaded as a JavaScript `Set`.
- Replaced the `Type` API with a tags API. Similar, but more precise and
  simpler. See examples for details. Tags can be defined via
`defineScalarTag()`, `defineSequenceTag()` and `defineMappingTag()`, or
as a
  spread + override of an existing tag.
- Renamed `Schema.extend()` to `Schema.withTags()`.
- Expanded YAML 1.2 conformance and improved handling of directives,
document
  markers, block keys, multiline scalars, tag syntax and other things.
- `load()` now throws on empty input instead of returning `undefined`.
- Moved browser builds to the `js-yaml/browser` export.
- Deprecated the `loadAll` signature with an iterator (still works, but
is a
  candidate for removal).

##### Removed

- Removed deprecated `safeLoad()`, `safeLoadAll()` and `safeDump()`
exports.
- Removed `DEFAULT_SCHEMA` and the nested `types` export.
- Removed loader options `onWarning`, `legacy` and `listener`.
- Removed dumper options `styles`, `replacer`, `noCompatMode`,
`condenseFlow`,
`quotingType` and `forceQuotes`. Renamed `noArrayIndent` to
`seqNoIndent`.
Formatting and representation are now configured through presenter
options,
  schemas and tag definitions. See migration guide on how to replace.
- Removed support for importing internal files from `lib/`.

###
[`v4.3.0`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#430-3150---2026-06-27)

[Compare
Source](https://redirect.github.com/nodeca/js-yaml/compare/4.2.0...4.3.0)

##### Security

- Backported `maxTotalMergeKeys` option.

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

---------

Co-authored-by: silverwind <me@silverwind.io>
2026-06-29 17:22:21 +00:00
Giteabot
55983320ed chore(deps): update actions/cache action to v6 (#38261)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/cache](https://redirect.github.com/actions/cache) | action |
major | `v5.0.5` → `v6.1.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/37531) for more information.

---

### Release Notes

<details>
<summary>actions/cache (actions/cache)</summary>

###
[`v6.1.0`](https://redirect.github.com/actions/cache/releases/tag/v6.1.0)

[Compare
Source](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.1.0)

##### What's Changed

- Bump
[@&#8203;actions/cache](https://redirect.github.com/actions/cache) to
v6.1.0 - handle read-only cache access by
[@&#8203;jasongin](https://redirect.github.com/jasongin) in
[#&#8203;1768](https://redirect.github.com/actions/cache/pull/1768)

**Full Changelog**:
<https://github.com/actions/cache/compare/v6...v6.1.0>

###
[`v6`](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.0.0)

[Compare
Source](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.0.0)

###
[`v6.0.0`](https://redirect.github.com/actions/cache/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/actions/cache/compare/v5.1.0...v6.0.0)

##### What's Changed

- Update packages, migrate to ESM by
[@&#8203;Samirat](https://redirect.github.com/Samirat) in
[#&#8203;1760](https://redirect.github.com/actions/cache/pull/1760)

**Full Changelog**:
<https://github.com/actions/cache/compare/v5...v6.0.0>

###
[`v5.1.0`](https://redirect.github.com/actions/cache/releases/tag/v5.1.0)

[Compare
Source](https://redirect.github.com/actions/cache/compare/v5.0.5...v5.1.0)

##### What's Changed

- Bump
[@&#8203;actions/cache](https://redirect.github.com/actions/cache) to
v5.1.0 - handle read-only cache access by
[@&#8203;jasongin](https://redirect.github.com/jasongin) in
[#&#8203;1775](https://redirect.github.com/actions/cache/pull/1775)

**Full Changelog**:
<https://github.com/actions/cache/compare/v5...v5.1.0>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
2026-06-29 17:00:15 +00:00
Giteabot
6ae42ca9c4 fix(deps): update module gitlab.com/gitlab-org/api/client-go/v2 to v2.42.0 (#38266)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go)
| `v2.40.1` → `v2.42.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/gitlab.com%2fgitlab-org%2fapi%2fclient-go%2fv2/v2.42.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/gitlab.com%2fgitlab-org%2fapi%2fclient-go%2fv2/v2.40.1/v2.42.0?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/37531) for more information.

---

### Release Notes

<details>
<summary>gitlab-org/api/client-go
(gitlab.com/gitlab-org/api/client-go/v2)</summary>

###
[`v2.42.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.42.0)

[Compare
Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.41.0...v2.42.0)

#### 2.42.0

##### 🚀 Features

- Add missing fields to project level jira integration
([!2925](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2925))
by [Heidi Berry](https://gitlab.com/heidi.berry)

###
[2.42.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.41.0...v2.42.0)
(2026-06-24)

###
[`v2.41.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.41.0)

[Compare
Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.40.1...v2.41.0)

#### 2.41.0

##### 🚀 Features

- Add missing attributes and endpoints to group
([!2905](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2905))
by [Jimmy Spagnola](https://gitlab.com/jspagnola)

##### 🔄 Other Changes

- chore(deps): update docker docker tag to v29.5.3
([!2924](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2924))
by [GitLab Dependency
Bot](https://gitlab.com/gitlab-dependency-update-bot)

###
[2.41.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.40.1...v2.41.0)
(2026-06-23)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
v1.28.0-dev
2026-06-29 18:09:25 +02:00
Giteabot
5e5f5f3116 fix(deps): update go dependencies (#38194)
Update go deps and fix discovered issues

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-06-29 15:10:47 +00:00
wxiaoguang
4ce63a1d57 chore: various UI problems (#38263)
1. fix dirty "list" styles for "githooks" and "webhooks"
2. fix git hook edit page layout
3. fix codemirror editor styles
4. fix incorrect "ui attached header" width
2026-06-29 13:06:25 +00:00
Giteabot
07b18467c0 fix: update npm dependencies, fix misc issues (#38257)
Update all npm dependencies and fix discovered issues.

Co-authored-by: bircni <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-06-29 12:59:14 +02:00
Giteabot
e68ee61879 chore(deps): update action dependencies (#38258)
This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v6.4.0` → `v6.5.0` | |
| [go-gitea/giteabot](https://redirect.github.com/go-gitea/giteabot) |
action | patch | `v1.0.3` → `v1.0.4` | |
| redis | service | digest | `a505f8b` → `c904002` |  |
|
[renovatebot/github-action](https://redirect.github.com/renovatebot/github-action)
| action | patch | `v46.1.15` → `v46.1.16` | `v46.1.17` |

---

### Release Notes

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v6.5.0`](https://redirect.github.com/actions/setup-go/releases/tag/v6.5.0)

[Compare
Source](https://redirect.github.com/actions/setup-go/compare/v6.4.0...v6.5.0)

##### What's Changed

##### Dependency update

- Upgrade actions dependencies by
[@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) with
[@&#8203;Copilot](https://redirect.github.com/Copilot) in
[#&#8203;744](https://redirect.github.com/actions/setup-go/pull/744)
- Upgrade [@&#8203;types/node](https://redirect.github.com/types/node)
and typescript-eslint dependencies to resolve npm audit findings by
[@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti)
in [#&#8203;755](https://redirect.github.com/actions/setup-go/pull/755)
- Upgrade
[@&#8203;actions/cache](https://redirect.github.com/actions/cache) to
5.1.0, log cache write denied by
[@&#8203;jasongin](https://redirect.github.com/jasongin) in
[#&#8203;758](https://redirect.github.com/actions/setup-go/pull/758)
- Upgrade version to 6.5.0 in package.json and package-lock.json by
[@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti)
in [#&#8203;762](https://redirect.github.com/actions/setup-go/pull/762)

##### New Contributors

- [@&#8203;priyagupta108](https://redirect.github.com/priyagupta108)
with [@&#8203;Copilot](https://redirect.github.com/Copilot) made their
first contribution in
[#&#8203;744](https://redirect.github.com/actions/setup-go/pull/744)
- [@&#8203;jasongin](https://redirect.github.com/jasongin) made their
first contribution in
[#&#8203;758](https://redirect.github.com/actions/setup-go/pull/758)

**Full Changelog**:
<https://github.com/actions/setup-go/compare/v6...v6.5.0>

</details>

<details>
<summary>go-gitea/giteabot (go-gitea/giteabot)</summary>

###
[`v1.0.4`](https://redirect.github.com/go-gitea/giteabot/releases/tag/v1.0.4)

[Compare
Source](https://redirect.github.com/go-gitea/giteabot/compare/v1.0.3...v1.0.4)

##### What's Changed

- Keep lgtm status up to date on fork and backport PRs by
[@&#8203;silverwind](https://redirect.github.com/silverwind) in
[#&#8203;9](https://redirect.github.com/go-gitea/giteabot/pull/9)

**Full Changelog**:
<https://github.com/go-gitea/giteabot/compare/v1.0.3...v1.0.4>

</details>

<details>
<summary>renovatebot/github-action (renovatebot/github-action)</summary>

###
[`v46.1.16`](https://redirect.github.com/renovatebot/github-action/releases/tag/v46.1.16)

[Compare
Source](https://redirect.github.com/renovatebot/github-action/compare/v46.1.15...v46.1.16)

##### Documentation

- update references to renovatebot/github-action to v46.1.15
([0013591](00135917fd))

##### Miscellaneous Chores

- **deps:** update dependency
[@&#8203;types/node](https://redirect.github.com/types/node) to v24.13.0
([358d0a4](358d0a480c))
- **deps:** update dependency
[@&#8203;types/node](https://redirect.github.com/types/node) to v24.13.1
([783fe90](783fe90b5a))
- **deps:** update dependency
[@&#8203;types/node](https://redirect.github.com/types/node) to v24.13.2
([74b1acf](74b1acf271))
- **deps:** update dependency
[@&#8203;types/node](https://redirect.github.com/types/node) to v24.13.2
([#&#8203;1049](https://redirect.github.com/renovatebot/github-action/issues/1049))
([23dcba0](23dcba0a91))
- **deps:** update dependency esbuild to v0.28.1 \[security]
([#&#8203;1041](https://redirect.github.com/renovatebot/github-action/issues/1041))
([54012bd](54012bd29e))
- **deps:** update dependency lint-staged to v17
([#&#8203;1051](https://redirect.github.com/renovatebot/github-action/issues/1051))
([6a9f6dc](6a9f6dc5be))
- **deps:** update dependency npm-run-all2 to v9
([#&#8203;1052](https://redirect.github.com/renovatebot/github-action/issues/1052))
([8757a4e](8757a4e574))
- **deps:** update dependency npm-run-all2 to v9.0.2
([2c2c4e5](2c2c4e5c89))
- **deps:** update linters to v8.60.1
([d40e1b7](d40e1b7d86))
- **deps:** update linters to v8.61.0
([#&#8203;1043](https://redirect.github.com/renovatebot/github-action/issues/1043))
([1e06192](1e061929c4))
- **deps:** update node.js to v24.17.0
([#&#8203;1050](https://redirect.github.com/renovatebot/github-action/issues/1050))
([2cf33bc](2cf33bc523))
- **deps:** update pnpm to v10.34.2
([#&#8203;1048](https://redirect.github.com/renovatebot/github-action/issues/1048))
([63ebb9d](63ebb9d84b))
- **deps:** update pnpm to v10.34.3
([#&#8203;1054](https://redirect.github.com/renovatebot/github-action/issues/1054))
([cd3436d](cd3436d028))
- **deps:** update pnpm/action-setup action to v6
([#&#8203;1053](https://redirect.github.com/renovatebot/github-action/issues/1053))
([77e5805](77e58054f1))
- **deps:** update prettier packages to v3.8.4
([#&#8203;1045](https://redirect.github.com/renovatebot/github-action/issues/1045))
([d688888](d688888385))
- **deps:** update semantic-release monorepo to v25.0.4
([#&#8203;1046](https://redirect.github.com/renovatebot/github-action/issues/1046))
([d2dacc8](d2dacc8995))
- **deps:** update semantic-release monorepo to v25.0.5
([#&#8203;1047](https://redirect.github.com/renovatebot/github-action/issues/1047))
([d91f80c](d91f80c864))

##### Build System

- **deps:** lock file maintenance
([26f827f](26f827fdc5))

##### Continuous Integration

- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.214.6
([f3fd163](f3fd163431))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.216.1
([8cf15ee](8cf15ee083))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.216.2
([29c9f31](29c9f31e4a))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.216.4
([400f75c](400f75cbdb))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.217.0
([2aea29e](2aea29ebc0))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.217.1
([268f254](268f254301))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.218.0
([ebcc800](ebcc800ccd))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.219.0
([a61593e](a61593e15c))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.220.0
([#&#8203;1037](https://redirect.github.com/renovatebot/github-action/issues/1037))
([0d198c1](0d198c1f3c))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.222.0
([46f2bd6](46f2bd6ed2))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.222.1
([90deabf](90deabf853))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.224.0
([22d7b5c](22d7b5c57a))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.224.1
([39a2ba1](39a2ba1236))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.225.0
([c2f08ab](c2f08ab1a1))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.226.1
([75a5340](75a5340ae6))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.227.0
([da1079a](da1079ac41))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.227.1
([26a0ce7](26a0ce7c73))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.228.0
([9dd450f](9dd450fe09))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.228.1
([066bf0a](066bf0aa94))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.229.0
([edd7e4f](edd7e4f83e))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.229.1
([64e44a4](64e44a4239))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.229.2
([dce4d1b](dce4d1b6ba))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.230.0
([30fd043](30fd04394d))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.230.1
([425d313](425d313d98))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.0
([ae939aa](ae939aab83))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.1
([cac502d](cac502de33))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.2
([242a56f](242a56f27d))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.231.3
([3b66329](3b66329052))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.232.0
([c0502ab](c0502aba63))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.232.1
([d46a7eb](d46a7ebfc5))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.1
([b476f30](b476f3002f))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.2
([bc50ad1](bc50ad1e38))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.3
([908f92d](908f92dbc4))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.233.4
([a48bc32](a48bc32b6b))
- **deps:** update ghcr.io/renovatebot/renovate docker tag to v43.234.0
([c929092](c929092dcc))
- **deps:** update ghcr.io/zizmorcore/zizmor docker tag to v1.26.1
([#&#8203;1055](https://redirect.github.com/renovatebot/github-action/issues/1055))
([c878bfb](c878bfb543))
- **deps:** update zizmorcore/zizmor-action action to v0.5.7
([996e7bc](996e7bc847))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
2026-06-29 08:30:14 +00:00
metsw24-max
0c67849e68 fix(packages): validate debian distribution and component names (#38116)
**Newline injection into the Debian Release and Packages indices**

The `distribution` and `component` come straight from the request path
and are written line by line into the generated `Release` and `Packages`
files (the `Suite`/`Codename`/`Components` lines and the `Filename:
pool/<distribution>/<component>/...` line), but `UploadPackageFile` only
checked they were non-empty. `ctx.PathParam` url-decodes the segment, so
an encoded newline such as `main%0AInjected-Field: x` is accepted,
stored and then re-emitted for that distribution, which lets an
authenticated uploader forge extra fields in the index apt consumes.
Restricted both values to a conservative name pattern in the handler,
since that is the layer that accepts them; this should also keep the
pool paths well formed.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-06-29 06:50:22 +00:00
Giteabot
762c674bc5 chore(deps): update python dependencies (#38256)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [djlint](https://redirect.github.com/djlint/djLint) | `==1.39.2` →
`==1.39.4` |
![age](https://developer.mend.io/api/mc/badges/age/pypi/djlint/1.39.4?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/djlint/1.39.2/1.39.4?slim=true)
|
| [zizmor](https://docs.zizmor.sh)
([source](https://redirect.github.com/zizmorcore/zizmor)) | `==1.25.2` →
`==1.26.1` |
![age](https://developer.mend.io/api/mc/badges/age/pypi/zizmor/1.26.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/zizmor/1.25.2/1.26.1?slim=true)
|

---

### Release Notes

<details>
<summary>djlint/djLint (djlint)</summary>

###
[`v1.39.4`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1394---2026-06-24)

[Compare
Source](https://redirect.github.com/djlint/djLint/compare/v1.39.3...v1.39.4)

##### Fix

- Fix crashes in mypyc-compiled wheels.

###
[`v1.39.3`](https://redirect.github.com/djlint/djLint/blob/HEAD/CHANGELOG.md#1393---2026-06-23)

[Compare
Source](https://redirect.github.com/djlint/djLint/compare/v1.39.2...v1.39.3)

##### Fix

- Use Click instead of tqdm for progress output, send progress to
stderr, respect `--quiet`, and honor `NO_COLOR`. Remove direct
`colorama` and `tqdm` dependencies now that Click handles CLI colors and
progress.
- Avoid false H025 reports after self-closing tags in Django templates.
- Avoid false H025 reports for multiline Go template attributes.
- Keep Django child-template reformatting idempotent when inline control
blocks also appear inside HTML attributes.
- Respect whitespace-control dashes when applying `blank_line_after_tag`
and `blank_line_before_tag`.

</details>

<details>
<summary>zizmorcore/zizmor (zizmor)</summary>

###
[`v1.26.1`](https://redirect.github.com/zizmorcore/zizmor/releases/tag/v1.26.1)

[Compare
Source](https://redirect.github.com/zizmorcore/zizmor/compare/v1.26.0...v1.26.1)

This is a small corrective release for
[1.26.0](https://docs.zizmor.sh/release-notes/#&#8203;1260).

###
[`v1.26.0`](https://redirect.github.com/zizmorcore/zizmor/releases/tag/v1.26.0)

[Compare
Source](https://redirect.github.com/zizmorcore/zizmor/compare/v1.25.2...v1.26.0)

#### New Features
🌈[🔗](https://docs.zizmor.sh/release-notes/#new-features)

- New audit:
[typosquat-uses](https://docs.zizmor.sh/audits/#typosquat-uses) detects
uses: clauses that reference likely typoed actions
([#&#8203;1985](https://redirect.github.com/zizmorcore/zizmor/issues/1985))

Many thanks to [@&#8203;andrew](https://redirect.github.com/andrew) for
proposing and implementing this improvement!

- New audit:
[unsound-ternary](https://docs.zizmor.sh/audits/#unsound-ternary)
detects pseudo-ternary expressions that don't evaluate as expected
([#&#8203;2085](https://redirect.github.com/zizmorcore/zizmor/issues/2085))

Many thanks to [@&#8203;terror](https://redirect.github.com/terror) for
proposing and implementing this improvement!

- New audit:
[adhoc-packages](https://docs.zizmor.sh/audits/#adhoc-packages) detects
run: steps that install packages in an ad-hoc manner
([#&#8203;2061](https://redirect.github.com/zizmorcore/zizmor/issues/2061))

Many thanks to
[@&#8203;connorshea](https://redirect.github.com/connorshea) for
proposing and implementing this improvement!

#### Enhancements
🌱[🔗](https://docs.zizmor.sh/release-notes/#enhancements)

- The [cache-poisoning](https://docs.zizmor.sh/audits/#cache-poisoning)
audit now detects additional cache disablement heuristics
([#&#8203;2053](https://redirect.github.com/zizmorcore/zizmor/issues/2053))

- The
[known-vulnerable-actions](https://docs.zizmor.sh/audits/#known-vulnerable-actions)
audit is now configurable. See [the configuration
documentation](https://docs.zizmor.sh/audits/#known-vulnerable-actions-configuration)
for details
([#&#8203;2084](https://redirect.github.com/zizmorcore/zizmor/issues/2084))

- The
[excessive-permissions](https://docs.zizmor.sh/audits/#excessive-permissions)
audit is now aware of the code-quality permission
([#&#8203;2088](https://redirect.github.com/zizmorcore/zizmor/issues/2088))

- The [unpinned-uses](https://docs.zizmor.sh/audits/#unpinned-uses)
audit's auto-fix now uses the fully qualified version tag (e.g. #
v6.0.2) when fixing a major-version ref (e.g.
[@&#8203;v6](https://redirect.github.com/v6))
([#&#8203;2127](https://redirect.github.com/zizmorcore/zizmor/issues/2127))

#### Performance Improvements
🚄[🔗](https://docs.zizmor.sh/release-notes/#performance-improvements)

- Most online audits are significantly faster, thanks to more precise
retry handling
([#&#8203;2036](https://redirect.github.com/zizmorcore/zizmor/issues/2036))
  Bug Fixes 🐛[🔗](https://docs.zizmor.sh/release-notes/#bug-fixes)

- Fixed a bug where zizmor's LSP would not recognize dependabot.yaml
files in its default configuration
([#&#8203;2026](https://redirect.github.com/zizmorcore/zizmor/issues/2026))

Many thanks to [@&#8203;fionn](https://redirect.github.com/fionn) for
implementing this fix!

- Fixed a bug where
[ref-version-mismatch](https://docs.zizmor.sh/audits/#ref-version-mismatch)
would fail to fully match some version comments
([#&#8203;2040](https://redirect.github.com/zizmorcore/zizmor/issues/2040))

- Fixed a bug where
[dependabot-cooldown](https://docs.zizmor.sh/audits/#dependabot-cooldown)
would fail to honor the user's configured days when performing autofixes
([#&#8203;2055](https://redirect.github.com/zizmorcore/zizmor/issues/2055))

- Steps and jobs gated by statically-false if: conditions (e.g. if:
false, if: ${{ false }}) are now skipped during auditing, since they
cannot execute
([#&#8203;2059](https://redirect.github.com/zizmorcore/zizmor/issues/2059),
[#&#8203;2069](https://redirect.github.com/zizmorcore/zizmor/issues/2069))

- Fixed a bug where
[ref-version-mismatch](https://docs.zizmor.sh/audits/#ref-version-mismatch)
would fail to identify some valid version comments
([#&#8203;2073](https://redirect.github.com/zizmorcore/zizmor/issues/2073))

- Fixed a bug where
[unpinned-images](https://docs.zizmor.sh/audits/#unpinned-images) would
incorrectly flag empty matrix expansions as unpinned container image
references
([#&#8203;2102](https://redirect.github.com/zizmorcore/zizmor/issues/2102))

- Fixed a bug where
[unpinned-images](https://docs.zizmor.sh/audits/#unpinned-images) would
incorrectly flag some matrix expansions as unpinned
([#&#8203;2098](https://redirect.github.com/zizmorcore/zizmor/issues/2098))

- The SARIF (--format=sarif) and GitHub Annotations (--format=github)
output formats now provide more correct/useful paths, particularly when
the user provides a relative path as input to zizmor rather than zizmor
.
([#&#8203;1748](https://redirect.github.com/zizmorcore/zizmor/issues/1748),
[#&#8203;2095](https://redirect.github.com/zizmorcore/zizmor/issues/2095))

#### Changes ⚠️[🔗](https://docs.zizmor.sh/release-notes/#changes)

- The [impostor-commit](https://docs.zizmor.sh/audits/#impostor-commit)
audit no longer suggests auto-fixes, to avoid incorrectly minimizing the
amount of manual remediation work needed
([#&#8203;2054](https://redirect.github.com/zizmorcore/zizmor/issues/2054))

- The JSON and SARIF outputs no longer contain a misleading prefix key
([#&#8203;2095](https://redirect.github.com/zizmorcore/zizmor/issues/2095))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
2026-06-29 08:24:18 +02:00
wxiaoguang
8ff71a5e52 fix: flex divided list item shrink (#38255)
don't make the items shrink since they are used as list items.

fix #38220
2026-06-29 06:01:12 +00:00
GiteaBot
8343c47bd1 [skip ci] Updated translations via Crowdin 2026-06-29 01:20:03 +00:00
Copilot
c6b2394585 fix(actions): authenticate snapcraft before nightly remote build (#38252)
The `release-nightly-snapcraft` workflow’s `build-and-publish` job was
failing because `snapcraft remote-build` fell back to interactive
Launchpad authorization in CI. This change makes authentication explicit
and non-interactive before the remote build step.

- **Workflow change**
  - Add an `Authenticate snapcraft` step before `Remote build`.
- Run `snapcraft login --with` using the existing
`SNAPCRAFT_STORE_CREDENTIALS` secret.
  - Pin that step to `shell: bash` to support process substitution.

- **Why this fixes the failure**
  - Prevents CI from entering browser-based Launchpad auth flow.
  - Ensures `remote-build` runs with preloaded credentials.

```yaml
- name: Authenticate snapcraft
  shell: bash
  env:
    SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
  run: snapcraft login --with <(printf '%s' "$SNAPCRAFT_STORE_CREDENTIALS")
```

---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-28 15:36:28 -07:00
TheFox0x7
4f41ad7b91 revert(sign): restore gpg (#38251)
partially revert sigstore signing to avoid causing breaking change for v1.27
2026-06-28 20:44:26 +00:00
Augusto Xavier
4812e35486 fix(api): respect since/until when counting commits for X-Total-Count (#38204)
The repository commits API (`GET /repos/{owner}/{repo}/commits`) accepts
`since` and `until` query parameters and filters the returned page of
commits by commit date. However, the `X-Total-Count` and `X-Total`
response headers reported the *unfiltered* total number of commits, so
the advertised total could be far larger than the number of commits
actually returned for the requested date range. With a range that
matches no commits, the page is correctly empty while the headers still
claim the full repository total.

## Root cause

`gitrepo.CommitsCount` declared `Since` and `Until` options and the API
handler populated them, but the function never appended
`--since`/`--until` to the underlying `git rev-list --count` invocation.
The date filters were silently dropped, so the count always reflected
the entire revision history.

## Fix

Pass the `Since`/`Until` options through to `git rev-list`, mirroring
the existing commit-listing path (`commitsByRangeWithTime`). The
reported total now matches the filtered range used to build the page.

## Testing

Added `TestCommitsCountWithSinceUntil` in
`modules/gitrepo/commit_test.go`, a table-driven unit test against the
`repo1_bare` fixture covering `since`, `until`, and a bounded
`since`+`until` range. It fails on the pre-fix code (every case returns
the full count of 3) and passes after the change. Existing
`CommitsCount` tests remain green.

## Notes

- No new settings, no default changes; this corrects an incorrect header
value and is backward compatible. Clients that depend on `since`/`until`
already filter the returned commits, and the headers now agree with that
filtering.

Fixes #35886.

---

*AI-assistance disclosure:* this change was developed with the
assistance of Claude Code (Claude Opus 4.8). I have reviewed and
understand the change and take responsibility for it.
2026-06-28 19:58:25 +00:00
TheFox0x7
98c61942aa build(sign): move to sigstore (#38250)
drops signing with gpg in favor of sigstore based artifact signing
2026-06-28 19:18:12 +00:00
bircni
cc1df1976b fix: codemirror regressions (#38248) 2026-06-28 20:29:34 +02:00