mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-13 15:14:00 +00:00
6a7e232f1e2eaab820ab9c371ebef0bfe491e1a5
20971 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
puni9869
|
6a7e232f1e |
chore(deps): Update go to 1.26.4 and bump go dependencies (#38023)
New go version addressed multiple vulns as below. <img width="1217" height="818" alt="image" src="https://github.com/user-attachments/assets/f1738003-8b19-4fac-a200-6903d93f48ad" /> Dependencies affected: ``` gitea.com/gitea/runner - v1.0.6 → v1.0.8 gitea.dev/sdk - v1.0.1 → v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/azcore - v1.20.0 → v1.22.0 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob - v1.6.3 → v1.7.0 github.com/alecthomas/chroma/v2 - v2.25.0 → v2.26.1 github.com/aws/aws-sdk-go-v2/credentials - v1.19.17 → v1.19.24 github.com/aws/aws-sdk-go-v2/service/codecommit - v1.33.14 → v1.34.4 github.com/dlclark/regexp2/v2 - v2.1.0 → v2.2.1 github.com/getkin/kin-openapi - v0.139.0 → v0.140.0 github.com/google/pprof - v0.0.0-20260507013755-92041b743c96 → v0.0.0-20260604005048-7023385849c0 github.com/jhillyerd/enmime/v2 - v2.4.0 → v2.4.1 github.com/mattn/go-sqlite3 - v1.14.44 → v1.14.45 github.com/meilisearch/meilisearch-go - v0.36.2 → v0.36.3 github.com/microsoft/go-mssqldb - v1.9.7 → v1.10.0 github.com/redis/go-redis/v9 - v9.19.0 → v9.20.0 github.com/urfave/cli/v3 - v3.9.0 → v3.9.1 gitlab.com/gitlab-org/api/client-go/v2 - v2.34.0 → v2.38.0 go.yaml.in/yaml/v4 - v4.0.0-rc.3 → v4.0.0-rc.5 golang.org/x/crypto - v0.52.0 → v0.53.0 golang.org/x/image - v0.41.0 → v0.42.0 golang.org/x/net - v0.55.0 → v0.56.0 golang.org/x/sync - v0.20.0 → v0.21.0 golang.org/x/sys - v0.45.0 → v0.46.0 golang.org/x/text - v0.37.0 → v0.38.0 golang.org/x/tools - v0.44.0 → v0.45.0 gopkg.in/ini.v1 - v1.67.2 → v1.67.3 modernc.org/sqlite - v1.50.1 → v1.52.0 ``` --------- Signed-off-by: puni9869 <80308335+puni9869@users.noreply.github.com> Co-authored-by: Nicolas <bircni@icloud.com> |
||
|
wxiaoguang
|
d3d092f65d |
chore: fix git commit "rev-list" (#38069)
Fix the copied & pasted messy code, fix #38067 Now, "limit=-1" means "no limit" |
||
|
bircni
|
5a24438698 |
chore: various trivial fixes (#38070)
Follow-up to #37987, addressing the unresolved review comments on the org members search form. And fix more trivial problems together (see the commit titles) --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bn-zr
|
fefb6f3219 |
feat(api): Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs (#37196)
- Add GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs
endpoint, matching the
https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2026-03-10#list-workflow-runs-for-a-workflow
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: bircni <bircni@icloud.com>
|
||
|
wxiaoguang
|
250a38abb5 | chore: migrate unescaped-html-literal eslint rule to our repo and fix more cases (#38072) | ||
|
silverwind
|
360f34d7fa |
ci: bound seeded Go cache size and speed up disk cleanup (#38048)
Reduces the CI cache growth and disk pressure behind the flaky `No space left on device` failures in https://github.com/go-gitea/gitea/issues/37974. **`go-cache`** — the cache-seeder saved with a `restore-keys` prefix fallback, so every `go.sum` change restored the previous cache and re-saved the union; old module versions and stale build objects accumulated (~3 GB → ~7 GB) and overflowed disk on smaller runners. Drop `restore-keys` from the seeder **save** branches so each `go.sum` seeds a clean, size-bounded cache. PR runs keep `restore-keys` for warm-start fallback. **`free-disk-space`** — delete the unused preinstalled toolchains in parallel (~86 s → ~54 s) and log `df -h /` before/after. Measured during review: the hosted `ubuntu-latest` fleet is heterogeneous — most runners have ~89 GB free on `/` (a full pgsql integration shard peaks at ~17 GB used), but a minority arrive nearly full and fail mid cache-restore. The toolchain deletion is the headroom that keeps those runners green, so it stays; the cache bound shrinks the footprint for every runner. Authored with assistance from Claude (Opus 4.8). --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: bircni <bircni@icloud.com> |
||
|
bircni
|
bc2fbe77b1 |
refactor(actions): read runner capabilities from proto field (#38068)
[actions-proto-go v0.6.0](https://gitea.com/gitea/actions-proto-go) adds a `capabilities` field to `RegisterRequest` and `DeclareRequest`. This lets a runner advertise the transitional `cancelling` capability directly in the proto message instead of through the out-of-band mechanism we used while the proto bump was pending. This PR: - Bumps `gitea.dev/actions-proto-go` to `v0.6.0`. - Drops the forward-compat `capabilityGetter` type-assertion shim and the `runnerRequestHasCancellingCapability` helper, reading `GetCapabilities()` directly (now part of the `declareRequest` interface). - Removes the "capability state unknown → preserve existing value" branch. ## Why the behaviour change is correct The shim and the `(hasSupport, known)` two-value return only existed because the old proto had no `capabilities` field, so we couldn't tell "runner doesn't support it" from "we can't see the field." With v0.6.0 the field is always present. Since proto3 repeated fields have no presence, "no capabilities sent" now unambiguously means the runner does not advertise the capability, so a runner that omits `cancelling` is correctly recorded as `HasCancellingSupport = false`. There is no regression: prior to this bump Gitea was on `v0.5.0`, where the type assertion always failed and `HasCancellingSupport` was therefore never set from requests — so no runner relied on the preserved-unknown path. ## Compatibility The change is wire-compatible in both directions of version skew, because the new field uses a previously unused field number (8 on `RegisterRequest`, 3 on `DeclareRequest`) and the transport uses the binary protobuf codec: - **Old runner → new Gitea:** the runner omits the field; it decodes to an empty capability list. Registration/declaration succeed; the runner simply doesn't get the cancelling feature. - **New runner → old Gitea:** the runner sends the field; the old server's generated code doesn't know the field number and silently ignores it. Registration/declaration succeed. The feature only activates once both server and runner are on `v0.6.0`. |
||
|
wxiaoguang
|
442f5e7d06 | chore: fine tune pull request merge box and commit status item (#38060) | ||
|
metsw24-max
|
988f0ea54a |
fix: validate gem name in rubygems parseMetadataFile (#38061)
The registry writes the stored gem name straight into its line-based
compact index, both the shared `/versions` listing (one `GEMNAME
versions md5` line per gem) and the per-package `info/{name}` file. The
parser only rejected an empty name or one containing a slash, so a
`.gem` whose gemspec `name` carries a newline was accepted and persisted
as the package name, letting an authenticated uploader forge extra lines
in the shared index and so spoof additional gem names, versions and
checksums to clients. The name is now checked against the upstream
RubyGems name pattern in the parser, which is the layer that already
validates the version.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
|
||
|
Eugenio Paolantonio
|
fa89785d33 |
feat(api): add Link header in ListForks (#38052)
Fixes #38051. Disclosure: writing of the integration test was AI assisted. --------- Signed-off-by: Eugenio Paolantonio <eugenio.paolantonio@suse.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
silverwind
|
19d1e1d334 |
test: enable WAL for sqlite integration tests (#37861)
Enable `SQLITE_JOURNAL_MODE = WAL` for the sqlite integration test config. With modernc as the default driver, concurrent writers serialize on SQLite's single write lock and the tail of the queue can exceed the 20s busy timeout under CI load. WAL drains the queue fast enough to stay inside the timeout (removes rollback's fsync-per-commit and reader-vs-commit blocking) and covers all sqlite integration tests in one change. --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
bircni
|
920b3f8cb6 | fix(hostmatcher): block reserved IP ranges from external/private filters (#38039) | ||
|
wxiaoguang
|
4ba0a545f2 |
chore: js html (#38056)
remove unnecessary "eslint-disable-line" rules |
||
|
wxiaoguang
|
a51781527b |
fix: commit display name (#38057)
fix #38054 |
||
|
metsw24-max
|
7134c1f845 |
fix: bound debian ParseControlFile to a single control stanza (#38044)
**Packages-index stanza injection via Debian control file** A `.deb` whose `control` file appends extra paragraphs after a blank line was still accepted, and `ParseControlFile` stored the whole multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into the generated `Packages` index, so the embedded blank line splits it into separate stanzas and an uploader can smuggle a package entry with an attacker-chosen `Filename` into the shared index. A binary control file only holds one stanza, so parsing now stops at the blank line that terminates it; well-formed packages are unaffected and the new subtest covers the trailing-stanza case. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
7b4a1a1a11 | fix(lfs): require Code-unit access for cross-repo LFS object reuse (#38006) | ||
|
bircni
|
63df886ba8 |
fix(actions): keep distinct commit statuses for workflows sharing a name (#37834)
## Summary Two Gitea Actions workflow files that share the same `name:` and same job name produced identical commit-status `Context` strings. Because `GetLatestCommitStatus` groups by `context_hash` (derived from `Context`), only one row was shown on the PR page — see #35699. GitHub displays both rows even though they look identical. This change does the same: the displayed `Context` is unchanged, but `ContextHash` now mixes in the workflow file path so the two statuses remain distinct in the dedupe query. ## Notes - Workflows that omit `name:` now use the workflow file name in the `Context` (e.g. `ci.yaml / build (push)`) instead of an empty `/ build (push)`. This changes the `Context` string for unnamed workflows, so any required-status-check rule that referenced the old string must be updated after upgrade. - For statuses created before this change (hashed from `Context` alone), `createCommitStatus` reuses that legacy hash when a matching row is still present, so in-flight pending statuses are superseded rather than orphaned on upgrade. Fixes #35699 --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> |
||
|
Giteabot
|
5fe77ad309 |
fix(deps): update go dependencies (#37967)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.5` → `v1.0.6` |  |  | | [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.16` → `v1.19.17` |  |  | | [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.138.0` → `v0.139.0` |  |  | | [github.com/go-chi/chi/v5](https://redirect.github.com/go-chi/chi) | `v5.2.5` → `v5.3.0` |  |  | | [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.3` → `v0.17.4` |  |  | | [github.com/minio/minio-go/v7](https://redirect.github.com/minio/minio-go) | `v7.1.0` → `v7.2.0` |  |  | | [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.30.0` → `v2.34.0` |  |  | --- ### Release Notes <details> <summary>gitea/runner (gitea.com/gitea/runner)</summary> ### [`v1.0.6`](https://gitea.com/gitea/runner/releases/tag/v1.0.6) [Compare Source](https://gitea.com/gitea/runner/compare/v1.0.5...v1.0.6) #### Changelog - fix(deps): update module github.com/opencontainers/selinux to v1.15.0 ([#​990](https://redirect.github.com/gitea/runner/issues/990)) - chore: pin Docker base images to explicit versions ([#​992](https://redirect.github.com/gitea/runner/issues/992)) - chore(deps): update actions/setup-node action to v6 ([#​991](https://redirect.github.com/gitea/runner/issues/991)) - test: make TestRunEvent integration suite runnable locally ([#​987](https://redirect.github.com/gitea/runner/issues/987)) - ci: add PR title linting against Conventional Commits ([#​988](https://redirect.github.com/gitea/runner/issues/988)) - fix: clean up job network and container when container start fails ([#​986](https://redirect.github.com/gitea/runner/issues/986)) </details> <details> <summary>getkin/kin-openapi (github.com/getkin/kin-openapi)</summary> ### [`v0.139.0`](https://redirect.github.com/getkin/kin-openapi/releases/tag/v0.139.0) [Compare Source](https://redirect.github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0) #### What's Changed - feat(openapi3): batch-convert long-tail RequiredFieldError sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1170](https://redirect.github.com/getkin/kin-openapi/pull/1170) - feat(openapi3): typed validation error clusters (combined: [#​1171](https://redirect.github.com/getkin/kin-openapi/issues/1171)-[#​1179](https://redirect.github.com/getkin/kin-openapi/issues/1179)) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1180](https://redirect.github.com/getkin/kin-openapi/pull/1180) - openapi3gen: skip component export for anonymous types by [@​0-don](https://redirect.github.com/0-don) in [#​1163](https://redirect.github.com/getkin/kin-openapi/pull/1163) - feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable DisableTimestamps by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1181](https://redirect.github.com/getkin/kin-openapi/pull/1181) - openapi3: typed context errors for Validate() wrapper chain by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1183](https://redirect.github.com/getkin/kin-openapi/pull/1183) - openapi3: track Origin on the document root (T) by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1184](https://redirect.github.com/getkin/kin-openapi/pull/1184) - openapi3: tests flakiness corrected by [@​fenollp](https://redirect.github.com/fenollp) in [#​1159](https://redirect.github.com/getkin/kin-openapi/pull/1159) - openapi3: aggregate independent validation errors via EnableMultiError by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1185](https://redirect.github.com/getkin/kin-openapi/pull/1185) - openapi3: fix validation of duplicated path templates by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1189](https://redirect.github.com/getkin/kin-openapi/pull/1189) - openapi3: type the remaining bare-error validation sites by [@​reuvenharrison](https://redirect.github.com/reuvenharrison) in [#​1187](https://redirect.github.com/getkin/kin-openapi/pull/1187) **Full Changelog**: <https://github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0> </details> <details> <summary>go-chi/chi (github.com/go-chi/chi/v5)</summary> ### [`v5.3.0`](https://redirect.github.com/go-chi/chi/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/go-chi/chi/compare/v5.2.5...v5.3.0) #### What's Changed - Use strings.ReplaceAll where applicable by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1046](https://redirect.github.com/go-chi/chi/pull/1046) - Propagate inline middlewares across mounted subrouters by [@​LukasJenicek](https://redirect.github.com/LukasJenicek) in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - add go 1.26 to ci by [@​pkieltyka](https://redirect.github.com/pkieltyka) in [#​1052](https://redirect.github.com/go-chi/chi/pull/1052) - Remove last uses of io/ioutil by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1054](https://redirect.github.com/go-chi/chi/pull/1054) - Simplify chi.walk with slices.Concat by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1053](https://redirect.github.com/go-chi/chi/pull/1053) - Apply the stringscutprefix modernizer by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1051](https://redirect.github.com/go-chi/chi/pull/1051) - Bump minimum Go to 1.23, always use request.Pattern by [@​JRaspass](https://redirect.github.com/JRaspass) in [#​1048](https://redirect.github.com/go-chi/chi/pull/1048) - middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by [@​alliasgher](https://redirect.github.com/alliasgher) in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - Fix typo in Route doc comment by [@​gouwazi](https://redirect.github.com/gouwazi) in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - fix: set Request.Pattern from RoutePattern() by [@​leno23](https://redirect.github.com/leno23) in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) - feat: middleware.ClientIP, a replacement for middleware.RealIP by [@​VojtechVitek](https://redirect.github.com/VojtechVitek) in [#​967](https://redirect.github.com/go-chi/chi/pull/967) #### New Contributors - [@​LukasJenicek](https://redirect.github.com/LukasJenicek) made their first contribution in [#​1049](https://redirect.github.com/go-chi/chi/pull/1049) - [@​alliasgher](https://redirect.github.com/alliasgher) made their first contribution in [#​1085](https://redirect.github.com/go-chi/chi/pull/1085) - [@​gouwazi](https://redirect.github.com/gouwazi) made their first contribution in [#​1073](https://redirect.github.com/go-chi/chi/pull/1073) - [@​leno23](https://redirect.github.com/leno23) made their first contribution in [#​1097](https://redirect.github.com/go-chi/chi/pull/1097) #### SECURITY: middleware.ClientIP, a replacement for middleware.RealIP [@​VojtechVitek](https://redirect.github.com/VojtechVitek) submitted PR [#​967](https://redirect.github.com/go-chi/chi/issues/967), which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories: - [GHSA-9g5q-2w5x-hmxf](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-9g5q-2w5x-hmxf) — IP spoofing via XFF in `RemoteAddr` resolution (convto) - [GHSA-rjr7-jggh-pgcp](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp) — RealIP allows IP spoofing via unvalidated XFF (rezmoss) - [GHSA-3fxj-6jh8-hvhx](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-3fxj-6jh8-hvhx) — IP spoofing in `middleware.RealIP` (Saku0512, Critical / 9.3) It also addresses issues outlined at: - [#​708](https://redirect.github.com/go-chi/chi/issues/708) - <https://adam-p.ca/blog/2022/03/x-forwarded-for/> - [#​711](https://redirect.github.com/go-chi/chi/issues/711) - [#​453](https://redirect.github.com/go-chi/chi/issues/453) - [#​908](https://redirect.github.com/go-chi/chi/pull/908) `middleware.RealIP` is deprecated in this PR with pointers to the new API. The deprecation only adds a `// Deprecated:` doc comment; the function keeps working for backward compatibility. ##### Why a new middleware (not "fix RealIP in place") `RealIP` has two unfixable design choices: it mutates `r.RemoteAddr`, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per [adam-p's "The perils of the 'real' client IP"](https://adam-p.ca/blog/2022/03/x-forwarded-for/) (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly. ##### The new API Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors: ```go // One of the four. There is no safe default — pick exactly one. func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler func ClientIPFromRemoteAddr(h http.Handler) http.Handler // Read the result. func GetClientIP(ctx context.Context) string // for logs, rate-limit keys func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work ``` #### Example usage: ```go // Pick a single ClientIP middleware based on your deployment // Cloudflare. r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP")) // Nginx with ngx_http_realip_module. r.Use(middleware.ClientIPFromHeader("X-Real-IP")) // Apache with mod_remoteip. r.Use(middleware.ClientIPFromHeader("X-Client-IP")) // AWS CloudFront, or any proxy fleet with known CIDRs. r.Use(middleware.ClientIPFromXFF( "13.32.0.0/15", // CloudFront IPv4 "52.46.0.0/18", // CloudFront IPv4 "2600:9000::/28", // CloudFront IPv6 )) // Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools, // ephemeral containers, dynamic CDN edges). r.Use(middleware.ClientIPFromXFFTrustedProxies(2)) // Server directly on the public internet, no proxy in front. r.Use(middleware.ClientIPFromRemoteAddr) ``` And in your handler or downstream middleware: ```go clientIP := middleware.GetClientIP(r.Context()) // log it, use it as a rate-limit key, etc. ``` *** Thanks to [@​adam-p](https://redirect.github.com/adam-p), [@​c2h5oh](https://redirect.github.com/c2h5oh), [@​rezmoss](https://redirect.github.com/rezmoss), [@​Saku0512](https://redirect.github.com/Saku0512), [@​convto](https://redirect.github.com/convto), [@​Dirbaio](https://redirect.github.com/Dirbaio), [@​jawnsy](https://redirect.github.com/jawnsy), [@​lrstanley](https://redirect.github.com/lrstanley), [@​mfridman](https://redirect.github.com/mfridman), [@​n33pm](https://redirect.github.com/n33pm), [@​pkieltyka](https://redirect.github.com/pkieltyka) for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR. **Full Changelog**: <https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0> </details> <details> <summary>go-webauthn/webauthn (github.com/go-webauthn/webauthn)</summary> ### [`v0.17.4`](https://redirect.github.com/go-webauthn/webauthn/blob/HEAD/CHANGELOG.md#v0174-2026-05-22) [Compare Source](https://redirect.github.com/go-webauthn/webauthn/compare/v0.17.3...v0.17.4) ##### Dependency Updates This release just contains updates to dependencies. </details> <details> <summary>minio/minio-go (github.com/minio/minio-go/v7)</summary> ### [`v7.2.0`](https://redirect.github.com/minio/minio-go/releases/tag/v7.2.0) [Compare Source](https://redirect.github.com/minio/minio-go/compare/v7.1.0...v7.2.0) #### What's Changed - Use go tool for ci-lint check by [@​klauspost](https://redirect.github.com/klauspost) in [#​2229](https://redirect.github.com/minio/minio-go/pull/2229) - Rename github.com/go-ini/ini to gopkg.in/ini.v1 by [@​ramondeklein](https://redirect.github.com/ramondeklein) in [#​2232](https://redirect.github.com/minio/minio-go/pull/2232) - Add RDMA / NVIDIA GPU Direct Storage support by [@​harshavardhana](https://redirect.github.com/harshavardhana) in [#​2233](https://redirect.github.com/minio/minio-go/pull/2233) **Full Changelog**: <https://github.com/minio/minio-go/compare/v7.1.0...v7.2.0> </details> <details> <summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary> ### [`v2.34.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.34.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) #### 2.34.0 ##### 🚀 Features - Extend DeploymentDeployablePipeline with web_url ([!2902](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2902)) by [Jan Berge Sommerdahl](https://gitlab.com/sommerdahl) ##### 🔄 Other Changes - chore(deps): update docker docker tag to v29.5.1 ([!2903](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2903)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.34.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) (2026-05-27) ### [`v2.33.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.33.0) [Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) #### 2.33.0 ##### 🚀 Features - feat(work-items): add ListWorkItemTypes to WorkItemsService ([!2864](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2864)) by [Emmanuel 326](https://gitlab.com/Emmanuel326) ##### 🔄 Other Changes - chore(deps): update module cel.dev/expr to v0.25.2 ([!2881](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2881)) by [GitLab Dependency Bot](https://gitlab.com/gitlab-dependency-update-bot) ### [2.33.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) (2026-05-27) ##### Features * **work-items:** add ListWorkItemTypes to WorkItemsService ([e71cb99]( |
||
|
Giteabot
|
a91c88428b |
chore(deps): update dependency happy-dom to v20.10.1 (#38043)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.9.0` → `20.10.1`](https://renovatebot.com/diffs/npm/happy-dom/20.9.0/20.10.1) |  |  | --- ### Release Notes <details> <summary>capricorn86/happy-dom (happy-dom)</summary> ### [`v20.10.1`](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.10.0...v20.10.1) ### [`v20.10.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.10.0) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.9.0...v20.10.0) ##### 🎨 Features - Adds support for setting a canvas adapter for handling the canvas rendering using the browser setting [canvasAdapter](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds new package [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) - By **[@​RAprogramm](https://redirect.github.com/RAprogramm)** and **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - [@​happy-dom/node-canvas-adapter](https://redirect.github.com/capricorn86/happy-dom/tree/master/packages/%40happy-dom/node-canvas-adapter) is a pluggable canvas adapter for Happy DOM using [node-canvas](https://redirect.github.com/Automattic/node-canvas). - Adds support for loading image files when enabling the browser setting [enableImageFileLoading](https://redirect.github.com/capricorn86/happy-dom/wiki/IOptionalBrowserSettings) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for loading image data URLs - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageData](https://developer.mozilla.org/en-US/docs/Web/API/ImageData) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [ImageBitmap](https://developer.mozilla.org/en-US/docs/Web/API/ImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) - Adds support for [Window.createImageBitmap()](https://developer.mozilla.org/en-US/docs/Web/API/Window/createImageBitmap) - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​241](https://redirect.github.com/capricorn86/happy-dom/issues/241) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
Lunny Xiao
|
49a0d19fa3 |
feat(api): Add assignees APIs (#37330)
Follow https://docs.github.com/en/enterprise-server@3.20/rest/issues/assignees?apiVersion=2022-11-28 Fix #33576 And it also fixed some possible dead-lock problem. --------- Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Zettat123 <zettat123@gmail.com> |
||
|
Lunny Xiao
|
611dfc9496 | fix: Fix some wrong code and follow 37347 (#37987) | ||
|
bircni
|
72c1e4c621 | docs: update community governance document (#38038) | ||
|
Giteabot
|
60abea17a2 |
chore(deps): update module github.com/go-swagger/go-swagger to v0.34.0 (#38028)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-swagger/go-swagger](https://redirect.github.com/go-swagger/go-swagger) | `v0.33.2` → `v0.34.0` |  |  | --- ### Release Notes <details> <summary>go-swagger/go-swagger (github.com/go-swagger/go-swagger)</summary> ### [`v0.34.0`](https://redirect.github.com/go-swagger/go-swagger/releases/tag/v0.34.0) [Compare Source](https://redirect.github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0) go-swagger release 0.34.0 *** Released on 2026 May 29 ##### [0.34.0](https://redirect.github.com/go-swagger/go-swagger/tree/v0.34.0) - 2026-05-28 Major refactoring. Focus on improving runtime (e.g.generated client) and codescan (e.g. generated spec). **Full Changelog**: <https://github.com/go-swagger/go-swagger/compare/v0.33.2...v0.34.0> 42 commits in this release. *** ##### <!-- 00 -->Implemented enhancements - feat(client): added method to configure client-side custom producers/consumers by [@​fredbi](https://redirect.github.com/fredbi) in [#​3351](https://redirect.github.com/go-swagger/go-swagger/pull/3351) [...]( |
||
|
bircni
|
699fe2ef43 |
fix(actions)!: require merged PR to bypass fork PR approval gate (#38010)
`ifNeedApproval` in `services/actions/notifier_helper.go` decided whether a fork PR's workflow run had to wait for maintainer approval. The bypass clause counted any prior `approved_by > 0` run for `(repo_id, trigger_user_id)`, so the very first Approve-and-run click on a contributor's fork PR permanently trusted that user for every future fork PR in the same repository — including PRs whose only change is the workflow YAML itself. Approving a workflow *run* is not the same as merging *code*. This change aligns the gate with GitHub Actions' first-time-contributor model: trust is granted only after the user has had a pull request merged in the repo. ## Behavior change - **Before**: one approval = permanent trust for that user in that repo. - **After**: every fork PR is gated until the contributor has at least one merged PR in the repo. Existing already-approved runs and merged PRs continue to work; only the trust criterion for *future* fork PRs changes. Maintainers who rely on the implicit "approve once" trust will see the approval banner reappear until they merge a PR from that contributor. |
||
|
Giteabot
|
ee9f31e9c9 |
chore(deps): update dependency @eslint/json to v2 (#38030)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@eslint/json](https://redirect.github.com/eslint/json) | [`1.2.0` → `2.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjson/1.2.0/2.0.0) |  |  | --- ### Release Notes <details> <summary>eslint/json (@​eslint/json)</summary> ### [`v2.0.0`](https://redirect.github.com/eslint/json/blob/HEAD/CHANGELOG.md#200-2026-05-28) [Compare Source]( |
||
|
bircni
|
3b1e75764e |
feat(actions): add job summaries (GITHUB_STEP_SUMMARY) (#37500)
- Add GitHub-style Actions **job summaries** support
(`GITHUB_STEP_SUMMARY` / `workflow/SUMMARY.md`) and render them on the
run Summary view.
- Store uploaded summaries internally in the DB (not as downloadable
artifacts).
- Add runtime-token endpoint for runners to upload summaries:
- `PUT
/api/actions_pipeline/_apis/pipelines/workflows/{run_id}/jobs/{job_id}/summary`
- Advertise support to runners via `RunnerService.Declare` response
header:
- `X-Gitea-Actions-Capabilities: job-summary`
- Devtest: extend `/devtest/repo-action-view/...` to include mock
`jobSummaries` for previewing UI rendering.
## Compatibility
- New Gitea + old runner: no summary upload → UI shows nothing (no
behavior change)
- New runner + old Gitea: capability not advertised → runner skips
upload (no behavior change)
## Screenshot:
<img width="2017" height="729"
src="https://github.com/user-attachments/assets/31f8b945-50c4-40e1-9f40-382901a53013"
/>
Fixes #23721
PR on gitea-runner https://gitea.com/gitea/runner/pulls/917
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
|
||
|
bircni
|
b1c088e9cf |
enhance(actions): Make Summary UI more beautiful with more infos (#37824)
## Summary - Redesign the Actions run summary header to follow GitHub Actions layout: trigger info on the left, Status / Total duration / Artifacts columns inline on the right - Expose trigger user avatar, pull request link, and PR head branch info from the run view API - Update the workflow graph header to show the workflow filename (linked to the run workflow file) and `on: <event>`, while keeping the jobs/dependencies/success stats line - Remove the redundant commit/workflow metadata row below the run title; that information now lives in the summary bar New: <img width="1564" height="639" src="https://github.com/user-attachments/assets/e6bc1623-c5fc-4e97-abc9-fde7f3c6aef9" /> Old: <img width="2038" height="1038" src="https://github.com/user-attachments/assets/0857f19a-8d3a-4da2-82fd-e9ebeb200062" /> Replaces https://github.com/go-gitea/gitea/pull/36721 --------- Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Giteabot
|
e01af366e2 |
fix(deps): update npm dependencies (#38035)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @​codemirror/autocomplete | [`6.20.2` → `6.20.3`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.2/6.20.3) |  |  | | [eslint-plugin-vue](https://eslint.vuejs.org) ([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) | [`10.9.1` → `10.9.2`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.1/10.9.2) |  |  | --- ### Release Notes <details> <summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary> ### [`v10.9.2`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1092) [Compare Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.1...v10.9.2) ##### Patch Changes - Fixed [`vue/custom-event-name-casing`](https://eslint.vuejs.org/rules/custom-event-name-casing.html) to check segments of colon-separated event names like `update:foo-bar` ([#​3079](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3079)) - Fixed [`vue/one-component-per-file`](https://eslint.vuejs.org/rules/one-component-per-file.html) to not report functions not imported from Vue ([#​3063](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3063)) - Fixed [`vue/prefer-import-from-vue`](https://eslint.vuejs.org/rules/prefer-import-from-vue.html) to not report imports/exports of names that are not re-exported by `vue` ([#​3081](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3081)) - Fixed [`vue/return-in-computed-property`](https://eslint.vuejs.org/rules/return-in-computed-property.html) and [`vue/require-render-return`](https://eslint.vuejs.org/rules/require-render-return.html) to not report exhaustive switch statements when TypeScript type information is available ([#​3067](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3067)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
TheFox0x7
|
d76a974b24 |
feat(ssh): auto generate additional ssh keys (#33974)
adds capabilities for gitea to generate ecdsa and ed25519 keys by default adds cli for built-in ssh key generation helpers closes: https://github.com/go-gitea/gitea/issues/33783 --------- Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Nico Schlömer
|
ade76fe838 |
enhance: allow MathML core elements (#38034)
Fixes #36352. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
54916f708e |
feat: Add avatar stacks (#37594)
Parse `Co-authored-by:` trailers from commit messages and surface contributors as an avatar stack across the commit page, commits list, PR commits tab, latest-commit row, blame, graph, and dashboard feed. - Up to 10 visible 20px avatars, GitHub-style overlap (6px first stride, 4px between subsequent), `+N` chip for the rest. - Label: 1 → name; 2 → `<a> and <b>`; 3+ → `<N> people` opens a Tippy popup with all participants. - Names and avatars link to the repo's commits-by-author search; fall back to profile or `mailto:`. - Trailer parsing uses `net/mail.ParseAddress`, scans only the trailing paragraph, filters out the commit's own author/committer. - Drops the non-standard `Co-committed-by:` emission on squash merge and web edits. Devtest: `/devtest/coauthor-avatars`. Fixes #25521 ---- <img width="353" height="277" alt="image" src="https://github.com/user-attachments/assets/72092ceb-97ca-4b09-9557-0b72d3c5458e" /> <img width="533" height="328" src="https://github.com/user-attachments/assets/11d0c8f8-8b3f-4f2e-9993-879f1c06bcc5" /> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Giteabot
|
2a84831400 |
chore(deps): update astral-sh/setup-uv action to v8.2.0 (#38036)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) | action | minor | `v8.1.0` → `v8.2.0` | --- ### Release Notes <details> <summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary> ### [`v8.2.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.2.0): 🌈 New inputs `quiet` and `download-from-astral-mirror` [Compare Source](https://redirect.github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0) #### Changes This release brings two new inputs and a few bug fixes. ##### New inputs Lets talk about the new inputs first. ##### quiet Pretty simple. It turns of all `info` loggings. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise" > \[!NOTE]\ > Warnings and errors are always logged. ##### download-from-astral-mirror In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting `download-from-astral-mirror: false` allows you to do that. ##### Bugfixes When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token. All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults. We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down. #### 🐛 Bug fixes - fix: report unexpected cache save failures [@​eifinger](https://redirect.github.com/eifinger) ([#​896](https://redirect.github.com/astral-sh/setup-uv/issues/896)) - fix: report unexpected setup failures [@​eifinger](https://redirect.github.com/eifinger) ([#​895](https://redirect.github.com/astral-sh/setup-uv/issues/895)) - fix: add timeout to fetch to prevent silent hangs [@​eifinger-bot](https://redirect.github.com/eifinger-bot) ([#​883](https://redirect.github.com/astral-sh/setup-uv/issues/883)) - Limit GitHub tokens to github.com download URLs [@​zsol](https://redirect.github.com/zsol) ([#​878](https://redirect.github.com/astral-sh/setup-uv/issues/878)) - increase libuv-workaround timeout to 100ms [@​eifinger](https://redirect.github.com/eifinger) ([#​880](https://redirect.github.com/astral-sh/setup-uv/issues/880)) #### 🚀 Enhancements - Add quiet input to suppress info-level log output [@​eifinger](https://redirect.github.com/eifinger) ([#​898](https://redirect.github.com/astral-sh/setup-uv/issues/898)) - feat: add `download-from-astral-mirror` input [@​eifinger](https://redirect.github.com/eifinger) ([#​897](https://redirect.github.com/astral-sh/setup-uv/issues/897)) #### 🧰 Maintenance - docs: update dependabot rollup biome guidance [@​eifinger](https://redirect.github.com/eifinger) ([#​902](https://redirect.github.com/astral-sh/setup-uv/issues/902)) - chore: update known checksums for 0.11.18 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​899](https://redirect.github.com/astral-sh/setup-uv/issues/899)) - chore: update known checksums for 0.11.17 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​892](https://redirect.github.com/astral-sh/setup-uv/issues/892)) - chore: update known checksums for 0.11.16 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​889](https://redirect.github.com/astral-sh/setup-uv/issues/889)) - chore: update known checksums for 0.11.15 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​885](https://redirect.github.com/astral-sh/setup-uv/issues/885)) - chore: update known checksums for 0.11.14 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​879](https://redirect.github.com/astral-sh/setup-uv/issues/879)) - chore: update known checksums for 0.11.13 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​877](https://redirect.github.com/astral-sh/setup-uv/issues/877)) - chore: update known checksums for 0.11.12 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​876](https://redirect.github.com/astral-sh/setup-uv/issues/876)) - chore: update known checksums for 0.11.11 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​873](https://redirect.github.com/astral-sh/setup-uv/issues/873)) - chore: update known checksums for 0.11.9/0.11.10 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​871](https://redirect.github.com/astral-sh/setup-uv/issues/871)) - chore: update known checksums for 0.11.8 @​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#​867](https://redirect.github.com/astral-sh/setup-uv/issues/867)) - Bump setup-uv references to v8.1.0 SHA in docs [@​eifinger](https://redirect.github.com/eifinger) ([#​862](https://redirect.github.com/astral-sh/setup-uv/issues/862)) - Add update-docs.yml workflow [@​eifinger](https://redirect.github.com/eifinger) ([#​861](https://redirect.github.com/astral-sh/setup-uv/issues/861)) #### ⬆️ Dependency updates - chore(deps): roll up dependabot updates [@​eifinger](https://redirect.github.com/eifinger) ([#​903](https://redirect.github.com/astral-sh/setup-uv/issues/903)) - chore(deps): roll up dependabot updates [@​eifinger](https://redirect.github.com/eifinger) ([#​901](https://redirect.github.com/astral-sh/setup-uv/issues/901)) - chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​900](https://redirect.github.com/astral-sh/setup-uv/issues/900)) - chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​842](https://redirect.github.com/astral-sh/setup-uv/issues/842)) - chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​893](https://redirect.github.com/astral-sh/setup-uv/issues/893)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​891](https://redirect.github.com/astral-sh/setup-uv/issues/891)) - chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​884](https://redirect.github.com/astral-sh/setup-uv/issues/884)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​888](https://redirect.github.com/astral-sh/setup-uv/issues/888)) - chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​881](https://redirect.github.com/astral-sh/setup-uv/issues/881)) - chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​875](https://redirect.github.com/astral-sh/setup-uv/issues/875)) - chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​866](https://redirect.github.com/astral-sh/setup-uv/issues/866)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​864](https://redirect.github.com/astral-sh/setup-uv/issues/864)) - chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#​863](https://redirect.github.com/astral-sh/setup-uv/issues/863)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> |
||
|
wxiaoguang
|
136f7d18aa |
fix: api error message (#38031)
Fix various abuses and mistakes |
||
|
Zettat123
|
60f66a9bfd |
enhance(actions): improve reusable workflow uses handling and cancellation (#37991)
Follow up #37478 ## Changes 1. #37478 doesn't support absolute URL in `uses`. This PR provides partial support for URL-style reusable workflow references. A reusable workflow can now be referenced by an absolute URL, as long as it points to the local Gitea instance: ```yaml jobs: call: uses: https://your-gitea.example.com/OWNER/REPO/.gitea/workflows/ci.yaml@v1 ``` 2. Show an error message in the UI for invalid `uses`. <img width="1600" alt="image" src="https://github.com/user-attachments/assets/21b34e61-bf10-4af1-b9fd-4ee4e9fde049" /> 3. Fix reusable caller cancellation issue. A reusable caller's status is aggregated from its children, so cancellation should processes a caller's descendants deepest-first. --------- Signed-off-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: bircni <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io> |
||
|
Giteabot
|
1e9ea9c8f5 |
fix(deps): update npm dependencies (#38029)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.27.0` → `19.28.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.27.0/19.28.0) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.60.0` → `8.60.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.60.0/8.60.1) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.18` → `1.6.19`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.18/1.6.19) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.4.0` → `10.4.1`](https://renovatebot.com/diffs/npm/eslint/10.4.0/10.4.1) |  |  | | [eslint-import-resolver-typescript](https://redirect.github.com/import-js/eslint-import-resolver-typescript) | [`4.4.4` → `4.4.5`](https://renovatebot.com/diffs/npm/eslint-import-resolver-typescript/4.4.4/4.4.5) |  |  | | [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/) ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css)) | [`3.1.0` → `3.1.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.1.0/3.1.1) |  |  | | [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.1` → `4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.4.0` → `11.5.1`](https://renovatebot.com/diffs/npm/pnpm/11.4.0/11.5.1) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.8` → `3.0.9`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.8/3.0.9) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.60.0` → `8.60.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.60.0/8.60.1) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.17.2` → `17.17.3`](https://renovatebot.com/diffs/npm/updates/17.17.2/17.17.3) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.14` → `8.0.16`](https://renovatebot.com/diffs/npm/vite/8.0.14/8.0.16) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.7` → `4.1.8`](https://renovatebot.com/diffs/npm/vitest/4.1.7/4.1.8) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.3.2` → `3.3.3`](https://renovatebot.com/diffs/npm/vue-tsc/3.3.2/3.3.3) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@​primer/octicons)</summary> ### [`v19.28.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19280) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.27.0...v19.28.0) ##### Minor Changes - [#​1208](https://redirect.github.com/primer/octicons/pull/1208) [`eddab3ff`]( |
||
|
Giteabot
|
6dcae57b54 | chore(deps): update action dependencies (#38027) | ||
|
bircni
|
1c289df6eb |
enhance: Adjust Workflow Graph styling (#37497)
- Fix workflow dependency graph overflow by making the graph container scrollable (no more clipped DAGs; addresses #37493). - Improve Actions job list readability by keeping durations fixed-width/right-aligned so long times don’t squeeze job names. - Make workflow graph layout more intuitive by vertically centering shorter columns to reduce misleading “looks like it depends on” alignments (addresses #37395). ### Screenshot <img width="966" height="439" src="https://github.com/user-attachments/assets/c180c5a2-4f56-4287-bcaa-f2735ba72949" /> <img width="949" height="559" src="https://github.com/user-attachments/assets/a383511d-a962-4920-b792-69f556847eff" /> Fixes #37493 Fixes #37395 --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
ea35af1b68 |
fix: bound CODEOWNERS regex match time (#38011)
User-supplied CODEOWNERS patterns were compiled without a match timeout, so a crafted pattern (e.g. (a+)+) against a crafted file path could backtrack for tens of seconds inside the PR creation transaction and exhaust the database connection pool. Set MatchTimeout on each compiled rule; the caller already treats match errors as non-matches. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
wxiaoguang
|
e2fbfc8730 |
fix: various dropdown problems (#38020)
1. remove legacy onResponseKeepSelectedItem, refactor the code to
dropdown.js
2. make dropdown correctly handle "single selection + remote query + filter"
* fix #38018
3. fix incorrect "transition" class usage for the dropdown dividers
|
||
|
wxiaoguang
|
9bbea90bfe | fix: pgsql lint (#38022) | ||
|
Copilot
|
5fe4f962e8 |
refactor(api): clarify APIError message usage and fix legacy lint error (#38012)
Avoid unclear & fragile "any" tricks, fix various abuses Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
c43eb7c33a |
fix(auth): do not auto-reactivate disabled users on OAuth2 callback (#38009)
The OAuth2 sign-in callback unconditionally set IsActive=true on the local user row whenever the IdP authenticated them, silently undoing an administrator's "Disable Account" action and granting the user a fresh session in the same response. Treat the local IsActive flag as an authoritative admin override: inactive users get a session and are routed through the existing activate / prohibit-login pages by verifyAuthWithOptions, matching the local-credentials sign-in path. Adds an integration regression test that disables a linked local user and asserts the row stays IsActive=false after a full OIDC callback. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
bircni
|
42513398c0 |
fix(lfs): reject unknown SSH LFS sub-verbs to prevent auth bypass (#38008)
An authenticated SSH user could pass a malformed sub-verb (e.g. `git-lfs-authenticate <repo> badverb`) so getAccessMode falls through to AccessModeNone (0). The permission check in routers/private/serv.go then evaluates `userMode < 0` which is always false, granting a valid LFS JWT for any private repository. The HTTP LFS handler only validates the Op claim on writes, so the token works for downloads. Validate the sub-verb in runServ before calling getAccessMode and fail fast for anything other than upload/download. |
||
|
Sandro
|
743bbaa9c2 |
fix: refactor git error handling and make archive streaming handle non-existing commit id (#38007)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
||
|
wxiaoguang
|
e88650cfcf |
chore: fix various layout problems (#37983)
Fix various misaligments, fix space between list item bar items, remove deadcode (milestone dashboard) |
||
|
bircni
|
4088d7e241 | fix(ui): keep actions run title intact when subject contains an issue ref (#38005) | ||
|
bircni
|
3659b5acc2 |
ci(workflows): add AgentScan workflow to flag possible AI-assisted PRs (#37962)
This PR adds an automated AgentScan workflow to help detect and handle pull requests that appear to be created or authored primarily by automated agents. - If a PR is classified as `automation` or community-flagged, the workflow: - Adds the `possible bot` label, - Posts a policy comment linking to the repository AI Contribution Policy (`CONTRIBUTING.md#ai-contribution-policy`) and listing required disclosures and checks, - Optionally closes the PR if classification indicates an automated/unwelcome submission. |
||
|
bircni
|
aa63d1583d |
fix(actions): return 404 when job log blob is missing (#38003)
- When the `action_task` row exists but the underlying dbfs/storage blob is gone, `OpenLogs` returns a wrapped `os.ErrNotExist` which surfaces as a 500 on the job logs endpoints. - Translate it to the same `util.NewNotExistErrorf` shape already used for unknown job ids / expired logs, so both the API (`/api/v1/repos/.../actions/jobs/<id>/logs`) and the web download handler return a clean 404 instead. Fixes #37990. |
||
|
GiteaBot
|
7a26d5a2ae | [skip ci] Updated translations via Crowdin | ||
|
wxiaoguang
|
dac41a124f |
fix!: raise git required version to 2.13 (#37996)
format `lstrip=2` is only supported in git >= 2.13 https://git-scm.com/docs/git-for-each-ref/2.13.7 ref: #37994 Co-authored-by: Giteabot <teabot@gitea.io> |
