fix(pull): handle empty pull request files view to allow reviews (#37783 ) (#37785 )

Backport #37783 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
fix(markup): make RenderString never fail (#37779 ) (#37780 )
2026-05-20 12:01:07 +00:00 · 2026-05-19 18:45:18 +00:00 · 2026-05-19 18:08:11 +00:00 · 2026-05-19 15:38:51 +00:00 · 2026-05-19 17:06:09 +02:00 · 2026-05-19 09:53:45 +00:00
1765 changed files with 22216 additions and 63884 deletions
--- a/.changelog.yml
+++ b/.changelog.yml
@@ -37,7 +37,10 @@ groups:
    name: BUGFIXES
    labels:
      - type/bug
-
+  -
    name: API
    labels:
      - modifies/api
  -
    name: TESTING
    labels:
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
  "name": "Gitea DevContainer",
-  "image": "mcr.microsoft.com/devcontainers/go:1.26-trixie",
+  "image": "mcr.microsoft.com/devcontainers/go:1.25-trixie",
  "containerEnv": {
    // override "local" from packaged version
    "GOTOOLCHAIN": "auto"
--- a/.dockerignore
+++ b/.dockerignore
@@ -40,7 +40,9 @@ cpu.out
 *.log
 /gitea
 /gitea-vet
 /debug
 /integrations.test
 /bin
 /dist
@@ -52,6 +54,12 @@ cpu.out
 /indexers
 /log
 /tests/integration/gitea-integration-*
 /tests/integration/indexers-*
 /tests/e2e/gitea-e2e-*
 /tests/e2e/indexers-*
 /tests/e2e/reports
 /tests/e2e/test-artifacts
 /tests/e2e/test-snapshots
 /tests/*.ini
 /node_modules
 /yarn.lock
--- a/.editorconfig
+++ b/.editorconfig
@@ -18,7 +18,7 @@ indent_style = tab
 [templates/custom/*.tmpl]
 insert_final_newline = false
-[templates/swagger/*_json.tmpl]
+[templates/swagger/v1_json.tmpl]
 indent_style = space
 insert_final_newline = false
--- a/.github/actions/docker-dryrun/action.yml
+++ b/.github/actions/docker-dryrun/action.yml
@@ -1,29 +0,0 @@
 name: docker-dryrun
 description: Composite action that performs the container build steps for a single platform.
 inputs:
  platform:
    description: "The target platform: linux/amd64, linux/arm64, linux/riscv64."
    required: true
 runs:
  using: composite
  steps:
    - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
    - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
    - name: Build regular image
      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
      with:
        context: .
        platforms: ${{ inputs.platform }}
        push: false
        file: Dockerfile
        cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
    - name: Build rootless image
      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
      with:
        context: .
        platforms: ${{ inputs.platform }}
        push: false
        file: Dockerfile.rootless
        cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
--- a/.github/actions/go-cache/action.yml
+++ b/.github/actions/go-cache/action.yml
@@ -1,47 +0,0 @@
 name: go-caches
 description: Restore and save go module, build, and golangci-lint caches
 inputs:
  cache-name:
    description: Short identifier used in the per-caller build cache key
    required: true
  build-cache:
    description: Whether to include ~/.cache/go-build
    default: "true"
  build-cache-rotate:
    description: Whether to rotate the build cache key per run so Go's test result cache can accumulate across runs
    default: "false"
  lint-cache:
    description: Whether to include ~/.cache/golangci-lint
    default: "false"
 runs:
  using: composite
  steps:
    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ~/go/pkg/mod
        key: gomod-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('go.sum') }}
        restore-keys: gomod-${{ runner.os }}-${{ runner.arch }}
    - if: ${{ inputs.build-cache == 'true' && inputs.build-cache-rotate == 'true' }}
      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ~/.cache/go-build
        key: gobuild-${{ runner.os }}-${{ runner.arch }}-${{ inputs.cache-name }}-${{ hashFiles('go.sum') }}-${{ github.run_id }}
        restore-keys: |
          gobuild-${{ runner.os }}-${{ runner.arch }}-${{ inputs.cache-name }}-${{ hashFiles('go.sum') }}
          gobuild-${{ runner.os }}-${{ runner.arch }}-${{ inputs.cache-name }}
          gobuild-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('go.sum') }}
          gobuild-${{ runner.os }}-${{ runner.arch }}
    - if: ${{ inputs.build-cache == 'true' && inputs.build-cache-rotate != 'true' }}
      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ~/.cache/go-build
        key: gobuild-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('go.sum') }}
        restore-keys: gobuild-${{ runner.os }}-${{ runner.arch }}
    - if: ${{ inputs.lint-cache == 'true' }}
      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ~/.cache/golangci-lint
        key: golangci-${{ runner.os }}-${{ runner.arch }}-${{ inputs.cache-name }}-${{ hashFiles('go.sum', '.golangci.yml') }}
        restore-keys: golangci-${{ runner.os }}-${{ runner.arch }}-${{ inputs.cache-name }}
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
 version: 2
 updates:
  - package-ecosystem: github-actions
    labels: [modifies/dependencies]
    directory: /
    schedule:
      interval: daily
    cooldown:
      default-days: 5
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -1,3 +1,80 @@
 modifies/docs:
  - changed-files:
      - any-glob-to-any-file:
          - "**/*.md"
          - "docs/**"
 modifies/templates:
  - changed-files:
      - all-globs-to-any-file:
          - "templates/**"
          - "!templates/swagger/v1_json.tmpl"
 modifies/api:
  - changed-files:
      - any-glob-to-any-file:
          - "routers/api/**"
          - "templates/swagger/v1_json.tmpl"
 modifies/cli:
  - changed-files:
      - any-glob-to-any-file:
          - "cmd/**"
 modifies/translation:
  - changed-files:
      - any-glob-to-any-file:
          - "options/locale/*.ini"
 modifies/migrations:
  - changed-files:
      - any-glob-to-any-file:
          - "models/migrations/**"
 modifies/internal:
  - changed-files:
      - any-glob-to-any-file:
          - ".air.toml"
          - "Makefile"
          - "Dockerfile"
          - "Dockerfile.rootless"
          - ".dockerignore"
          - "docker/**"
          - ".editorconfig"
          - ".eslintrc.cjs"
          - ".golangci.yml"
          - ".markdownlint.yaml"
          - ".spectral.yaml"
          - "stylelint.config.*"
          - ".yamllint.yaml"
          - ".github/**"
          - ".gitea/**"
          - ".devcontainer/**"
          - "build/**"
          - "contrib/**"
 modifies/dependencies:
  - changed-files:
      - any-glob-to-any-file:
          - "package.json"
          - "pnpm-lock.yaml"
          - "pyproject.toml"
          - "uv.lock"
          - "go.mod"
          - "go.sum"
 modifies/go:
  - changed-files:
      - any-glob-to-any-file:
          - "**/*.go"
 modifies/frontend:
  - changed-files:
      - any-glob-to-any-file:
          - "*.js"
          - "*.ts"
          - "web_src/**"
 docs-update-needed:
  - changed-files:
      - any-glob-to-any-file:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,11 +1,10 @@
 <!-- start tips -->
 Please check the following:
 1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for backports.
-2. Use a Conventional Commits PR title, for example `fix(repo): handle empty branch names`.
+2. Make sure you have read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md .
-3. Make sure you have read contributing guidelines: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md .
+3. For documentations contribution, please go to https://gitea.com/gitea/docs
-4. For documentations contribution, please go to https://gitea.com/gitea/docs
+4. Describe what your pull request does and which issue you're targeting (if any).
-5. Describe what your pull request does and which issue you're targeting (if any).
+5. It is recommended to enable "Allow edits by maintainers", so maintainers can help more easily.
-6. It is recommended to enable "Allow edits by maintainers", so maintainers can help more easily.
+6. Your input here will be included in the commit message when this PR has been merged. If you don't want some content to be included, please separate them with a line like `---`.
-7. Your input here will be included in the commit message when this PR has been merged. If you don't want some content to be included, please separate them with a line like `---`.
+7. Delete all these tips before posting.
 8. Delete all these tips before posting.
 <!-- end tips -->
--- a/.github/workflows/cache-seeder.yml
+++ b/.github/workflows/cache-seeder.yml
@@ -1,71 +0,0 @@
 # Populates the go module, build, and golangci-lint caches under the default
 # branch's cache scope so that PR runs have a warm fallback to restore from.
 #
 # GitHub Actions caches are scoped per ref: a PR run can only write to its own
 # branch's scope, but can read from the base branch's scope as a fallback.
 # PRs therefore cannot seed main's scope themselves. Running the same cache
 # steps on push-to-main is the only opportunity to populate that fallback
 # scope so fresh PR branches start with a useful cache on first run.
 # A PR job's exact key lives in its own PR-scope (empty on first run, filled
 # by later runs of the same PR); on miss, actions/cache's restore-keys fall
 # back to prefix matches against entries this seeder saves in main's scope.
 name: cache-seeder
 on:
  push:
    branches:
      - main
    paths:
      - "go.sum"
      - ".golangci.yml"
      - ".github/actions/go-cache/action.yml"
      - ".github/workflows/cache-seeder.yml"
 concurrency:
  group: cache-seeder
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  gobuild:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: seed
      - run: make deps-backend
      - run: TAGS="bindata" make backend
      - run: TAGS="bindata gogit" GOEXPERIMENT="" make backend
  lint:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - { job: lint-backend, tags: "bindata", target: "lint-backend" }
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: ${{ matrix.job }}
          lint-cache: "true"
      - run: make deps-backend deps-tools
      - run: make ${{ matrix.target }}
        env:
          TAGS: ${{ matrix.tags }}
--- a/.github/workflows/cron-flake-updater.yml
+++ b/.github/workflows/cron-flake-updater.yml
@@ -0,0 +1,22 @@
 name: cron-flake-updater
 on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
 jobs:
  nix-flake-update:
    permissions:
      contents: write
      issues: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/update-flake-lock@main
        with:
          pr-title: "Update Nix flake"
          pr-labels: |
            dependencies
--- a/.github/workflows/cron-licenses.yml
+++ b/.github/workflows/cron-licenses.yml
@@ -12,15 +12,15 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
      - run: make generate-gitignore
        timeout-minutes: 40
      - name: push translations to repo
-        uses: appleboy/git-push-action@3b2c8661652360dbf1afe1b319a49dbb739c39f1 # v1.2.0
+        uses: appleboy/git-push-action@v1.2.0
        with:
          author_email: "teabot@gitea.io"
          author_name: GiteaBot
--- a/.github/workflows/cron-renovate.yml
+++ b/.github/workflows/cron-renovate.yml
@@ -1,32 +0,0 @@
 name: cron-renovate
 on:
  schedule:
    - cron: "23 * * * *" # hourly at :23
  workflow_dispatch:
 concurrency:
  group: cron-renovate
 env:
  RENOVATE_VERSION: 43.141.5 # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate
 permissions:
  contents: read
 jobs:
  cron-renovate:
    runs-on: ubuntu-latest
    if: github.repository == 'go-gitea/gitea' # prevent running on forks
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 # v46.1.14
        with:
          renovate-version: ${{ env.RENOVATE_VERSION }}
          configurationFile: renovate.json5
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          RENOVATE_BINARY_SOURCE: install # auto-install go/node toolchains needed by post-upgrade tasks.
          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^make (tidy|svg nolyfill)$"]'
          RENOVATE_REPOSITORIES: '["go-gitea/gitea"]'
--- a/.github/workflows/cron-translations.yml
+++ b/.github/workflows/cron-translations.yml
@@ -12,8 +12,8 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2
+      - uses: crowdin/github-action@v2
        with:
          upload_sources: true
          upload_translations: false
@@ -29,7 +29,7 @@ jobs:
      - name: update locales
        run: ./build/update-locales.sh
      - name: push translations to repo
-        uses: appleboy/git-push-action@3b2c8661652360dbf1afe1b319a49dbb739c39f1 # v1.2.0
+        uses: appleboy/git-push-action@v1.2.0
        with:
          author_email: "teabot@gitea.io"
          author_name: GiteaBot
--- a/.github/workflows/files-changed.yml
+++ b/.github/workflows/files-changed.yml
@@ -15,24 +15,19 @@ on:
        value: ${{ jobs.detect.outputs.templates }}
      docker:
        value: ${{ jobs.detect.outputs.docker }}
      dockerfile:
        value: ${{ jobs.detect.outputs.dockerfile }}
      swagger:
        value: ${{ jobs.detect.outputs.swagger }}
      yaml:
        value: ${{ jobs.detect.outputs.yaml }}
      json:
        value: ${{ jobs.detect.outputs.json }}
      e2e:
        value: ${{ jobs.detect.outputs.e2e }}
 permissions:
  contents: read
 jobs:
  detect:
    runs-on: ubuntu-latest
    timeout-minutes: 3
    permissions:
      contents: read
    outputs:
      backend: ${{ steps.changes.outputs.backend }}
      frontend: ${{ steps.changes.outputs.frontend }}
@@ -40,14 +35,12 @@ jobs:
      actions: ${{ steps.changes.outputs.actions }}
      templates: ${{ steps.changes.outputs.templates }}
      docker: ${{ steps.changes.outputs.docker }}
      dockerfile: ${{ steps.changes.outputs.dockerfile }}
      swagger: ${{ steps.changes.outputs.swagger }}
      yaml: ${{ steps.changes.outputs.yaml }}
      json: ${{ steps.changes.outputs.json }}
      e2e: ${{ steps.changes.outputs.e2e }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@v4
        id: changes
        with:
          filters: |
@@ -63,21 +56,23 @@ jobs:
              - "options/locale/locale_en-US.json"
            frontend:
              - "*.js"
              - "*.ts"
              - "web_src/**"
-              - "tools/generate-svg.ts"
+              - "tools/*.js"
              - "tools/*.ts"
              - "assets/emoji.json"
              - "package.json"
              - "pnpm-lock.yaml"
              - "pnpm-workspace.yaml"
              - "Makefile"
              - ".eslintrc.cjs"
              - ".npmrc"
            docs:
              - "**/*.md"
              - ".markdownlint.yaml"
              - "package.json"
              - "pnpm-lock.yaml"
              - "pnpm-workspace.yaml"
            actions:
              - ".github/workflows/*"
@@ -96,17 +91,12 @@ jobs:
              - "docker/**"
              - "Makefile"
            dockerfile:
              - "Dockerfile"
              - "Dockerfile.rootless"
            swagger:
              - "templates/swagger/v1_json.tmpl"
              - "templates/swagger/v1_input.json"
              - "Makefile"
              - "package.json"
              - "pnpm-lock.yaml"
              - "pnpm-workspace.yaml"
              - ".spectral.yaml"
            yaml:
@@ -117,9 +107,3 @@ jobs:
            json:
              - "**/*.json"
              - "**/*.json5"
            e2e:
              - "tests/e2e/**"
              - "tools/test-e2e.sh"
              - "playwright.config.ts"
--- a/.github/workflows/giteabot.yml
+++ b/.github/workflows/giteabot.yml
@@ -1,44 +0,0 @@
 name: giteabot
 on:
  push:
    branches:
      - main
  # pull_request_target gives this workflow access to GITEABOT_TOKEN on PRs from
  # forks, which the bot needs to write labels, statuses and comments. Safe here
  # because the job only runs a pinned action and never checks out PR HEAD.
  pull_request_target: # zizmor: ignore[dangerous-triggers]
    types:
      - opened
      - synchronize
      - labeled
      - unlabeled
      - closed
      - review_requested
      - review_request_removed
  pull_request_review:
    types:
      - submitted
      - edited
      - dismissed
  schedule:
    - cron: "15 3 * * *"
  workflow_dispatch:
 permissions:
  contents: read
 concurrency:
  group: ${{ format('{0}-{1}', github.workflow, (github.event_name == 'pull_request_target' || github.event_name == 'pull_request_review') && format('pr-{0}', github.event.pull_request.number) || 'maintenance') }}
  cancel-in-progress: false
 jobs:
  giteabot:
    if: github.repository == 'go-gitea/gitea'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: go-gitea/giteabot@8996d0b0e6c4ab066e3adcaf2c49b5d4cd15d7af # v1.0.1
        with:
          github_token: ${{ secrets.GITEABOT_TOKEN }}
          gitea_fork: giteabot/gitea
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@@ -7,79 +7,156 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
  lint-backend:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: lint-backend
          lint-cache: "true"
      - run: make deps-backend deps-tools
      - run: TAGS="bindata" make generate-go # lint-go also lints with "bindata" tags which requires "_bindata.go"
      - run: make lint-backend
        env:
          TAGS: bindata sqlite sqlite_unlock_notify
-  lint-on-demand:
+  lint-templates:
    if: needs.files-changed.outputs.templates == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: astral-sh/setup-uv@v8.0.0
-        with:
+      - run: uv python install 3.14
-          go-version-file: go.mod
+      - uses: pnpm/action-setup@v5
-          check-latest: true
+      - uses: actions/setup-node@v6
          cache: false
      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make deps-py
      - run: make deps-frontend
      - run: make lint-templates
  lint-yaml:
    if: needs.files-changed.outputs.yaml == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: astral-sh/setup-uv@v8.0.0
      - run: uv python install 3.14
      - run: make deps-py
      - run: make lint-yaml
  lint-json:
    if: needs.files-changed.outputs.json == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v5
      - uses: actions/setup-node@v5
        with:
          node-version: 24
      - run: make deps-frontend
      - run: make lint-json
  lint-swagger:
    if: needs.files-changed.outputs.swagger == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v5
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make deps-frontend
      - run: make lint-swagger
  lint-spell:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.templates == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
      - run: make lint-spell
-      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true' || needs.files-changed.outputs.actions == 'true'
+  lint-go-windows:
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
-          python-version: 3.14
+          go-version-file: go.mod
-      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
+          check-latest: true
-        run: make deps-py lint-templates lint-yaml
+      - run: make deps-backend deps-tools
      - run: make lint-go-windows lint-go-gitea-vet
        env:
          TAGS: bindata sqlite sqlite_unlock_notify
          GOOS: windows
          GOARCH: amd64
-      - if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.swagger == 'true' || needs.files-changed.outputs.json == 'true'
+  lint-go-gogit:
-        run: make deps-frontend lint-md lint-swagger lint-json
+    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
-
+    needs: files-changed
-      - if: needs.files-changed.outputs.actions == 'true'
+    runs-on: ubuntu-latest
-        run: make lint-actions
+    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
      - run: make deps-backend deps-tools
      - run: make lint-go
        env:
          TAGS: bindata gogit sqlite sqlite_unlock_notify
  checks-backend:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: checks-backend
          build-cache: "false"
      - run: make deps-backend deps-tools
      - run: make --always-make checks-backend # ensure the "go-licenses" make target runs
@@ -87,10 +164,12 @@ jobs:
    if: needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      - uses: pnpm/action-setup@v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: pnpm
@@ -105,21 +184,20 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
-          cache: false
+      # no frontend build here as backend should be able to build
-      - uses: ./.github/actions/go-cache
+      # even without any frontend files
-        with:
+      - run: make deps-backend
-          cache-name: compliance-backend
+      - run: go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
      - run: make deps-backend generate-go
      # no frontend build here as backend should be able to build, even without any frontend files
      # CGO is not used when cross-compile, so these steps also test if the code is compatible with CGO disabled
      - name: build-backend-arm64
-        run: go build -o gitea_linux_arm64
+        run: make backend # test cross compile
        env:
          GOOS: linux
          GOARCH: arm64
@@ -131,7 +209,38 @@ jobs:
          GOARCH: amd64
          TAGS: bindata gogit
      - name: build-backend-386
-        run: go build -o gitea_linux_386
+        run: go build -o gitea_linux_386 # test if compatible with 32 bit
        env:
          GOOS: linux
          GOARCH: 386
  docs:
    if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v5
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make deps-frontend
      - run: make lint-md
  actions:
    if: needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
      - run: make lint-actions
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -7,17 +7,18 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
  test-pgsql:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      pgsql:
        image: postgres:14
@@ -27,29 +28,25 @@ jobs:
        ports:
          - "5432:5432"
      ldap:
-        image: gitea/test-openldap:latest@sha256:4ac633b01d684e6b2a458cc0c8530c92f9b3702f6e040ce5f365607df34fbda0
+        image: gitea/test-openldap:latest
        ports:
          - "389:389"
          - "636:636"
      minio:
        # as github actions doesn't support "entrypoint", we need to use a non-official image
        # that has a custom entrypoint set to "minio server /data"
-        image: bitnamilegacy/minio:2025.7.23
+        image: bitnamilegacy/minio:2023.8.31
        env:
          MINIO_ROOT_USER: 123456
          MINIO_ROOT_PASSWORD: 12345678
        ports:
          - "9000:9000"
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: pgsql
      - name: Add hosts to /etc/hosts
        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 pgsql ldap minio" | sudo tee -a /etc/hosts'
      - run: make deps-backend
@@ -57,58 +54,53 @@ jobs:
        env:
          TAGS: bindata
      - name: run migration tests
-        run: GITEA_TEST_DATABASE=pgsql make test-migration
+        run: make test-pgsql-migration
      - name: run tests
-        run: GITEA_TEST_DATABASE=pgsql make test-integration
+        run: make test-pgsql
        timeout-minutes: 50
        env:
          # pgsql is chosen to be the unlucky one to run with the slow "race detector", it is about 60% slower.
          GOTEST_FLAGS: -race -timeout=40m
          TAGS: bindata gogit
          RACE_ENABLED: true
          TEST_TAGS: gogit
          TEST_LDAP: 1
  test-sqlite:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: sqlite
      - run: make deps-backend
-      - run: make backend
+      - run: GOEXPERIMENT='' make backend
        env:
-          TAGS: bindata gogit
+          TAGS: bindata gogit sqlite sqlite_unlock_notify
          GOEXPERIMENT:
      - name: run migration tests
-        run: GITEA_TEST_DATABASE=sqlite make test-migration
+        run: make test-sqlite-migration
        env:
          TAGS: bindata gogit
      - name: run tests
-        run: GITEA_TEST_DATABASE=sqlite make test-integration
+        run: GOEXPERIMENT='' make test-sqlite
        timeout-minutes: 50
        env:
-          # sqlite driver can contain large amount of Golang code, so don't use race detector for it, otherwise, extremely slow
+          TAGS: bindata gogit sqlite sqlite_unlock_notify
-          GOTEST_FLAGS: -timeout=40m
+          RACE_ENABLED: true
-          TAGS: bindata gogit
+          TEST_TAGS: gogit sqlite sqlite_unlock_notify
          GOEXPERIMENT:
  test-unit:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      elasticsearch:
-        image: docker.elastic.co/elasticsearch/elasticsearch:8.19.15
+        image: elasticsearch:7.5.0
        env:
          discovery.type: single-node
          xpack.security.enabled: false
        ports:
          - "9200:9200"
      meilisearch:
@@ -118,7 +110,7 @@ jobs:
        ports:
          - "7700:7700"
      redis:
-        image: redis:latest@sha256:94ea4f5ccdaa6b154df99a792986ecb3ffbb3fe7722a197220477f1f3e65f9fe
+        image: redis
        options: >- # wait until redis has started
          --health-cmd "redis-cli ping"
          --health-interval 5s
@@ -127,27 +119,22 @@ jobs:
        ports:
          - 6379:6379
      minio:
-        image: bitnamilegacy/minio:2025.7.23
+        image: bitnamilegacy/minio:2021.3.17
        env:
-          MINIO_ROOT_USER: 123456
+          MINIO_ACCESS_KEY: 123456
-          MINIO_ROOT_PASSWORD: 12345678
+          MINIO_SECRET_KEY: 12345678
        ports:
          - "9000:9000"
      devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583
-        image: mcr.microsoft.com/azure-storage/azurite:latest@sha256:dae2a5f96553962901304b94e72ef87e299d0825e4b679673bcc527a25076fe4
+        image: mcr.microsoft.com/azure-storage/azurite:latest
        ports:
          - 10000:10000
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: unit
          build-cache-rotate: "true"
      - name: Add hosts to /etc/hosts
        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 minio devstoreaccount1.azurite.local mysql elasticsearch meilisearch smtpimap" | sudo tee -a /etc/hosts'
      - run: make deps-backend
@@ -155,27 +142,28 @@ jobs:
        env:
          TAGS: bindata
      - name: unit-tests
-        run: make test-backend test-check
+        run: make unit-test-coverage test-check
        env:
          GOTEST_FLAGS: -race -timeout=20m
          TAGS: bindata
          RACE_ENABLED: true
          GITHUB_READ_TOKEN: ${{ secrets.GITHUB_READ_TOKEN }}
      - name: unit-tests-gogit
-        run: make test-backend test-check
+        run: GOEXPERIMENT='' make unit-test-coverage test-check
        env:
          GOTEST_FLAGS: -race -timeout=20m
          TAGS: bindata gogit
-          GOEXPERIMENT:
+          RACE_ENABLED: true
          GITHUB_READ_TOKEN: ${{ secrets.GITHUB_READ_TOKEN }}
  test-mysql:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      mysql:
        # the bitnami mysql image has more options than the official one, it's easier to customize
-        image: bitnamilegacy/mysql:8.4
+        image: bitnamilegacy/mysql:8.0
        env:
          ALLOW_EMPTY_PASSWORD: true
          MYSQL_DATABASE: testgitea
@@ -184,29 +172,24 @@ jobs:
        options: >-
          --mount type=tmpfs,destination=/bitnami/mysql/data
      elasticsearch:
-        image: docker.elastic.co/elasticsearch/elasticsearch:8.19.15
+        image: elasticsearch:7.5.0
        env:
          discovery.type: single-node
          xpack.security.enabled: false
        ports:
          - "9200:9200"
      smtpimap:
-        image: tabascoterrier/docker-imap-devel:latest@sha256:3fb7cf50b47693e7b80f6f74abea2def4d7386016931d61359864de8a0aba551
+        image: tabascoterrier/docker-imap-devel:latest
        ports:
          - "25:25"
          - "143:143"
          - "587:587"
          - "993:993"
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: mysql
      - name: Add hosts to /etc/hosts
        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap" | sudo tee -a /etc/hosts'
      - run: make deps-backend
@@ -214,17 +197,21 @@ jobs:
        env:
          TAGS: bindata
      - name: run migration tests
-        run: GITEA_TEST_DATABASE=mysql make test-migration
+        run: make test-mysql-migration
      - name: run tests
-        run: GITEA_TEST_DATABASE=mysql make test-integration
+        # run: make integration-test-coverage (at the moment, no coverage is really handled)
        run: make test-mysql
        env:
          TAGS: bindata
          RACE_ENABLED: true
          TEST_INDEXER_CODE_ES_URL: "http://elastic:changeme@elasticsearch:9200"
  test-mssql:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      mssql:
        image: mcr.microsoft.com/mssql/server:2019-latest
@@ -235,28 +222,24 @@ jobs:
        ports:
          - "1433:1433"
      devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583
-        image: mcr.microsoft.com/azure-storage/azurite:latest@sha256:dae2a5f96553962901304b94e72ef87e299d0825e4b679673bcc527a25076fe4
+        image: mcr.microsoft.com/azure-storage/azurite:latest
        ports:
          - 10000:10000
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: ./.github/actions/go-cache
        with:
          cache-name: mssql
      - name: Add hosts to /etc/hosts
        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mssql devstoreaccount1.azurite.local" | sudo tee -a /etc/hosts'
      - run: make deps-backend
      - run: make backend
        env:
          TAGS: bindata
-      - run: GITEA_TEST_DATABASE=mssql make test-migration
+      - run: make test-mssql-migration
      - name: run tests
-        run: GITEA_TEST_DATABASE=mssql make test-integration
+        run: make test-mssql
        timeout-minutes: 50
        env:
          TAGS: bindata
--- a/.github/workflows/pull-docker-dryrun.yml
+++ b/.github/workflows/pull-docker-dryrun.yml
@@ -7,41 +7,34 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
-  # QEMU-based build is slow (40-50 minutes), so run arm64 and riscv64 when dockerfile changes.
+  container:
  # Run amd64 when any docker-related files change, which is fast (4 minutes).
  container-amd64:
    if: needs.files-changed.outputs.docker == 'true'
-    needs: [files-changed]
+    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: ./.github/actions/docker-dryrun
+      - uses: docker/setup-qemu-action@v4
      - uses: docker/setup-buildx-action@v4
      - name: Build regular container image
        uses: docker/build-push-action@v7
        with:
-          platform: linux/amd64
+          context: .
-
+          platforms: linux/amd64,linux/arm64,linux/riscv64
-  container-arm64:
+          push: false
-    if: needs.files-changed.outputs.dockerfile == 'true'
+          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
-    needs: [files-changed]
+      - name: Build rootless container image
-    runs-on: ubuntu-latest
+        uses: docker/build-push-action@v7
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/docker-dryrun
        with:
-          platform: linux/arm64
+          context: .
-
+          push: false
-  container-riscv64:
+          platforms: linux/amd64,linux/arm64,linux/riscv64
-    if: needs.files-changed.outputs.dockerfile == 'true'
+          file: Dockerfile.rootless
-    needs: [files-changed]
+          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/docker-dryrun
        with:
          platform: linux/riscv64
--- a/.github/workflows/pull-e2e-tests.yml
+++ b/.github/workflows/pull-e2e-tests.yml
@@ -7,30 +7,26 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
  test-e2e:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.e2e == 'true'
+    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
-          cache: false
+      - uses: pnpm/action-setup@v5
-      - uses: ./.github/actions/go-cache
+      - uses: actions/setup-node@v6
        with:
          cache-name: e2e
          build-cache: "false"
      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: pnpm
@@ -38,13 +34,10 @@ jobs:
      - run: make deps-frontend
      - run: make frontend
      - run: make deps-backend
-      - run: make backend
+      - run: make gitea-e2e
        env:
          TAGS: bindata
      - run: make playwright
      - run: make test-e2e
        timeout-minutes: 10
        env:
          TAGS: bindata
          FORCE_COLOR: 1
          GITEA_TEST_E2E_DEBUG: 1
--- a/.github/workflows/pull-labeler.yml
+++ b/.github/workflows/pull-labeler.yml
@@ -15,6 +15,6 @@ jobs:
      contents: read
      pull-requests: write
    steps:
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@v6
        with:
          sync-labels: true
--- a/.github/workflows/pull-pr-title.yml
+++ b/.github/workflows/pull-pr-title.yml
@@ -1,31 +0,0 @@
 name: pr-title
 on:
  pull_request:
    types:
      - opened
      - edited
      - reopened
      - synchronize
      - ready_for_review
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  lint-pr-title:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
      - run: make lint-pr-title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -14,16 +14,16 @@ jobs:
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
-      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      - uses: pnpm/action-setup@v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: pnpm
@@ -32,42 +32,34 @@ jobs:
      # xgo build
      - run: make release
        env:
-          TAGS: bindata
+          TAGS: bindata sqlite sqlite_unlock_notify
      - name: import gpg key
        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        uses: crazy-max/ghaction-import-gpg@v7
        with:
          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
      - name: sign binaries
        env:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
-            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
+            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name
        id: clean_name
        env:
          REF: ${{ github.ref }}
        run: |
-          REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
+          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
          echo "Cleaned name is ${REF_NAME}"
          echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: upload binaries to s3
        env:
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
          BRANCH: ${{ steps.clean_name.outputs.branch }}
        run: |
-          aws s3 sync dist/release "s3://$AWS_S3_BUCKET/gitea/$BRANCH" --no-progress
+          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
  nightly-container:
    runs-on: namespace-profile-gitea-release-docker
@@ -75,20 +67,18 @@ jobs:
      contents: read
      packages: write # to publish to ghcr.io
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-qemu-action@v4
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-buildx-action@v4
      - name: Get cleaned branch name
        id: clean_name
        env:
          REF: ${{ github.ref }}
        run: |
-          REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
+          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
          echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
-      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      - uses: docker/metadata-action@v6
        id: meta
        with:
          images: |-
@@ -98,7 +88,7 @@ jobs:
            type=raw,value=${{ steps.clean_name.outputs.branch }}
          annotations: |
            org.opencontainers.image.authors="maintainers@gitea.io"
-      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      - uses: docker/metadata-action@v6
        id: meta_rootless
        with:
          images: |-
@@ -112,18 +102,18 @@ jobs:
          annotations: |
            org.opencontainers.image.authors="maintainers@gitea.io"
      - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GHCR using PAT
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: build regular docker image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/riscv64
@@ -133,7 +123,7 @@ jobs:
          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
          cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful,mode=max
      - name: build rootless docker image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/riscv64
--- a/.github/workflows/release-tag-rc.yml
+++ b/.github/workflows/release-tag-rc.yml
@@ -15,16 +15,16 @@ jobs:
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
-      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      - uses: pnpm/action-setup@v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: pnpm
@@ -33,52 +33,43 @@ jobs:
      # xgo build
      - run: make release
        env:
-          TAGS: bindata
+          TAGS: bindata sqlite sqlite_unlock_notify
      - name: import gpg key
        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        uses: crazy-max/ghaction-import-gpg@v7
        with:
          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
      - name: sign binaries
        env:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
-            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
+            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name
        id: clean_name
        env:
          REF: ${{ github.ref }}
        run: |
-          REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
+          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
          echo "Cleaned name is ${REF_NAME}"
          echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: upload binaries to s3
        env:
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
          BRANCH: ${{ steps.clean_name.outputs.branch }}
        run: |
-          aws s3 sync dist/release "s3://$AWS_S3_BUCKET/gitea/$BRANCH" --no-progress
+          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
      - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@af38ce09b1ec248aeb08eea2b16bbecea9e059f8 # v0.2.1
+        uses: dev-hanz-ops/install-gh-cli-action@v0.2.1
        with:
          gh-cli-version: 2.39.1
      - name: create github release
        run: |
          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/*
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          TAG: ${{ github.ref_name }}
        run: |
          gh release create "$TAG" --title "$TAG" --draft --notes-from-tag dist/release/*
  container:
    runs-on: namespace-profile-gitea-release-docker
@@ -86,13 +77,13 @@ jobs:
      contents: read
      packages: write # to publish to ghcr.io
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-qemu-action@v4
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-buildx-action@v4
-      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      - uses: docker/metadata-action@v6
        id: meta
        with:
          images: |-
@@ -105,7 +96,7 @@ jobs:
            type=semver,pattern={{version}}
          annotations: |
            org.opencontainers.image.authors="maintainers@gitea.io"
-      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      - uses: docker/metadata-action@v6
        id: meta_rootless
        with:
          images: |-
@@ -121,18 +112,18 @@ jobs:
          annotations: |
            org.opencontainers.image.authors="maintainers@gitea.io"
      - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GHCR using PAT
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: build regular container image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/riscv64
@@ -140,7 +131,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          annotations: ${{ steps.meta.outputs.annotations }}
      - name: build rootless container image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/riscv64
--- a/.github/workflows/release-tag-version.yml
+++ b/.github/workflows/release-tag-version.yml
@@ -18,16 +18,16 @@ jobs:
      contents: read
      packages: write # to publish to ghcr.io
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true
-      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      - uses: pnpm/action-setup@v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: pnpm
@@ -36,52 +36,43 @@ jobs:
      # xgo build
      - run: make release
        env:
-          TAGS: bindata
+          TAGS: bindata sqlite sqlite_unlock_notify
      - name: import gpg key
        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        uses: crazy-max/ghaction-import-gpg@v7
        with:
          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
      - name: sign binaries
        env:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
-            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
+            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name
        id: clean_name
        env:
          REF: ${{ github.ref }}
        run: |
-          REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
+          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
          echo "Cleaned name is ${REF_NAME}"
          echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: upload binaries to s3
        env:
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
          BRANCH: ${{ steps.clean_name.outputs.branch }}
        run: |
-          aws s3 sync dist/release "s3://$AWS_S3_BUCKET/gitea/$BRANCH" --no-progress
+          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
      - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@af38ce09b1ec248aeb08eea2b16bbecea9e059f8 # v0.2.1
+        uses: dev-hanz-ops/install-gh-cli-action@v0.2.1
        with:
          gh-cli-version: 2.39.1
      - name: create github release
        run: |
          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/*
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          TAG: ${{ github.ref_name }}
        run: |
          gh release create "$TAG" --title "$TAG" --notes-from-tag dist/release/*
  container:
    runs-on: namespace-profile-gitea-release-docker
@@ -89,13 +80,13 @@ jobs:
      contents: read
      packages: write # to publish to ghcr.io
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v6
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-qemu-action@v4
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-buildx-action@v4
-      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      - uses: docker/metadata-action@v6
        id: meta
        with:
          images: |-
@@ -112,7 +103,7 @@ jobs:
            type=semver,pattern={{major}}.{{minor}}
          annotations: |
            org.opencontainers.image.authors="maintainers@gitea.io"
-      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      - uses: docker/metadata-action@v6
        id: meta_rootless
        with:
          images: |-
@@ -133,18 +124,18 @@ jobs:
          annotations: |
            org.opencontainers.image.authors="maintainers@gitea.io"
      - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GHCR using PAT
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: build regular container image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/riscv64
@@ -152,7 +143,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          annotations: ${{ steps.meta.outputs.annotations }}
      - name: build rootless container image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/riscv64
--- a/.gitignore
+++ b/.gitignore
@@ -55,7 +55,10 @@ cpu.out
 *.log.*.gz
 /gitea
 /gitea-e2e
 /gitea-vet
 /debug
 /integrations.test
 /bin
 /dist
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -51,14 +51,6 @@ linters:
              desc: do not use the go-chi cache package, use gitea's cache system
            - pkg: github.com/pkg/errors
              desc: use builtin errors package instead
        migrations:
          files:
            - '**/models/migrations/**/*.go'
          deny:
            - pkg: code.gitea.io/gitea/models$
              desc: migrations must not depend on the models package
            - pkg: code.gitea.io/gitea/modules/structs
              desc: migrations must not depend on modules/structs (API structures change over time)
    nolintlint:
      allow-unused: false
      require-explanation: true
@@ -166,16 +158,9 @@ issues:
  max-same-issues: 0
 formatters:
  enable:
-    - gci
+    - gofmt
    - gofumpt
  settings:
    gci:
      custom-order: true
      sections:
        - standard
        - prefix(code.gitea.io/gitea)
        - blank
        - default
    gofumpt:
      extra-rules: true
  exclusions:
@@ -185,6 +170,9 @@ formatters:
      - .venv
      - public
      - web_src
      - third_party$
      - builtin$
      - examples$
 run:
  timeout: 10m
--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1,7 @@
 audit=false
 fund=false
 update-notifier=false
 save-exact=true
 auto-install-peers=true
 dedupe-peer-dependents=false
 enable-pre-post-scripts=true
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,18 +2,10 @@
 - Run `make fmt` to format `.go` files, and run `make lint-go` to lint them
 - Run `make lint-js` to lint `.ts` files
 - Run `make tidy` after any `go.mod` changes
 - Run single go tests with `go test -run '^TestName$' ./modulepath/`
 - Run single js test files with `pnpm exec vitest <path-filter>`
 - Run single playwright e2e test files with `GITEA_TEST_E2E_FLAGS='<filepath>' make test-e2e`
 - Add the current year into the copyright header of new `.go` files
 - Ensure no trailing whitespace in edited files
 - Use Conventional Commits format for commit messages and PR titles (for example `type(scope): subject`; place `!` immediately before the colon when the change is breaking)
 - Never force-push, amend, or squash unless asked. Use new commits and normal push for pull request updates
 - Preserve existing code comments, do not remove or rewrite comments that are still relevant
 - Keep comments short, prefer same-line, explain why, never narrate code
 - Prefer unit tests over integration tests when logic is testable in isolation
 - Aim for sub-2s local runtime for integration and e2e tests
 - In TypeScript, use `!` (non-null assertion) instead of `?.`/`??` when a value is known to always exist
 - For CSS layout, prefer `flex-*` helpers over per-child `tw-ml-*` / `tw-mr-*` margins; fall back to `tw-*` utilities when specificity requires `!important`
 - Include authorship attribution in issue and pull request comments
 - Add `Co-Authored-By` lines to all commits, indicating name and model used
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,7 +24,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Fix button layout shift when collapsing file tree in editor (#37363) #37375
  * Fix org team assignee/reviewer lookups for team member permissions (#37365) #37391
  * Fix repo init README EOL (#37388) #37399
-  * Fix: dump with default zip type produces uncompressed zip (#37401) #37402
+  * Fix: dump with default zip type produces uncompressed zip (#37401)#37402
 ## [1.26.0](https://github.com/go-gitea/gitea/releases/tag/v1.26.0) - 2026-04-17
@@ -1383,7 +1383,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Fix mCaptcha bug (#33659) (#33661)
  * Git graph: don't show detached commits (#33645) (#33650)
  * Use MatchPhraseQuery for bleve code search (#33628)
-  * Adjust appearance of commit status webhook (#33778) #33789
+  * Adjust appearence of commit status webhook (#33778) #33789
  * Upgrade golang net from 0.35.0 -> 0.36.0 (#33795) #33796
 ## [1.23.4](https://github.com/go-gitea/gitea/releases/tag/v1.23.4) - 2025-02-16
@@ -2114,7 +2114,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Optimize repo-list layout to enhance visual experience (#31272) (#31276)
  * fixed the dropdown menu for the top New button to expand to the left (#31273) (#31275)
  * Fix Activity Page Contributors dropdown (#31264) (#31269)
-  * fix: allow actions artifacts storage migration to complete successfully (#31251) (#31257)
+  * fix: allow actions artifacts storage migration to complete succesfully (#31251) (#31257)
  * Make blockquote attention recognize more syntaxes (#31240) (#31250)
  * Remove .segment from .project-column (#31204) (#31239)
  * Ignore FindRecentlyPushedNewBranches err (#31164) (#31171)
@@ -2298,7 +2298,7 @@ Key highlights of this release encompass significant changes categorized under `
  * Performance optimization for git push and check permissions for push options (#30104) (#30354)
 * BUGFIXES
  * Fix close file in the Upload func (#30262) (#30269)
-  * Fix inline math blocks can't be preceded/followed by alphanumerical characters (#30175) (#30250)
+  * Fix inline math blocks can't be preceeded/followed by alphanumerical characters (#30175) (#30250)
  * Fix missing 0 prefix of GPG key id (#30245) (#30247)
  * Include encoding in signature payload (#30174) (#30181)
  * Move from `max( id )` to `max( index )` for latest commit statuses (#30076) (#30155)
@@ -5590,7 +5590,7 @@ Key highlights of this release encompass significant changes categorized under `
  * Fix navbar on project view (#17749)
  * More pleasantly handle broken or missing git repositories (#17747)
  * Use `*PushUpdateOptions` as receiver (#17724)
-  * Remove unused `user` parameter (#17723)
+  * Remove unused `user` paramater (#17723)
  * Better builtin avatar generator (#17707)
  * Cleanup and use global style on popups (#17674)
  * Move user/org deletion to services (#17673)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,14 +1,5 @@
 # Contribution Guidelines
 This document explains how to contribute changes to the Gitea project. Topic-specific guides live in separate files so the essentials are easier to find.
 | Topic | Document |
 | :---- | :------- |
 | Backend (Go modules, API v1) | [docs/guideline-backend.md](docs/guideline-backend.md) |
 | Frontend (npm, UI guidelines) | [docs/guideline-frontend.md](docs/guideline-frontend.md) |
 | Maintainers, TOC, labels, merge queue, commit format for mergers | [docs/community-governance.md](docs/community-governance.md) |
 | Release cycle, backports, tagging releases | [docs/release-management.md](docs/release-management.md) |
 <details><summary>Table of Contents</summary>
 - [Contribution Guidelines](#contribution-guidelines)
@@ -20,6 +11,10 @@ This document explains how to contribute changes to the Gitea project. Topic-spe
    - [Discuss your design before the implementation](#discuss-your-design-before-the-implementation)
    - [Issue locking](#issue-locking)
  - [Building Gitea](#building-gitea)
  - [Dependencies](#dependencies)
    - [Backend](#backend)
    - [Frontend](#frontend)
  - [Design guideline](#design-guideline)
  - [Styleguide](#styleguide)
  - [Copyright](#copyright)
  - [Testing](#testing)
@@ -27,19 +22,47 @@ This document explains how to contribute changes to the Gitea project. Topic-spe
  - [Code review](#code-review)
    - [Pull request format](#pull-request-format)
    - [PR title and summary](#pr-title-and-summary)
    - [Milestone](#milestone)
    - [Labels](#labels)
    - [Breaking PRs](#breaking-prs)
      - [What is a breaking PR?](#what-is-a-breaking-pr)
      - [How to handle breaking PRs?](#how-to-handle-breaking-prs)
    - [Maintaining open PRs](#maintaining-open-prs)
-    - [Reviewing PRs](#reviewing-prs)
+    - [Getting PRs merged](#getting-prs-merged)
-      - [For PR authors](#for-pr-authors)
+    - [Final call](#final-call)
    - [Commit messages](#commit-messages)
      - [PR Co-authors](#pr-co-authors)
      - [PRs targeting `main`](#prs-targeting-main)
      - [Backport PRs](#backport-prs)
  - [Documentation](#documentation)
  - [API v1](#api-v1)
    - [GitHub API compatibility](#github-api-compatibility)
    - [Adding/Maintaining API routes](#addingmaintaining-api-routes)
    - [When to use what HTTP method](#when-to-use-what-http-method)
    - [Requirements for API routes](#requirements-for-api-routes)
  - [Backports and Frontports](#backports-and-frontports)
    - [What is backported?](#what-is-backported)
    - [How to backport?](#how-to-backport)
    - [Format of backport PRs](#format-of-backport-prs)
    - [Frontports](#frontports)
  - [Developer Certificate of Origin (DCO)](#developer-certificate-of-origin-dco)
  - [Release Cycle](#release-cycle)
  - [Maintainers](#maintainers)
  - [Technical Oversight Committee (TOC)](#technical-oversight-committee-toc)
    - [TOC election process](#toc-election-process)
    - [Current TOC members](#current-toc-members)
    - [Previous TOC/owners members](#previous-tocowners-members)
  - [Governance Compensation](#governance-compensation)
  - [TOC \& Working groups](#toc--working-groups)
  - [Roadmap](#roadmap)
  - [Versions](#versions)
  - [Releasing Gitea](#releasing-gitea)
 </details>
 ## Introduction
 This document explains how to contribute changes to the Gitea project. \
 It assumes you have followed the [installation instructions](https://docs.gitea.com/category/installation). \
 Sensitive security-related issues should be reported to [security@gitea.io](mailto:security@gitea.io).
@@ -108,6 +131,34 @@ If further discussion is needed, we encourage you to open a new issue instead an
 See the [development setup instructions](https://docs.gitea.com/development/hacking-on-gitea).
 ## Dependencies
 ### Backend
 Go dependencies are managed using [Go Modules](https://go.dev/cmd/go/#hdr-Module_maintenance). \
 You can find more details in the [go mod documentation](https://go.dev/ref/mod) and the [Go Modules Wiki](https://github.com/golang/go/wiki/Modules).
 Pull requests should only modify `go.mod` and `go.sum` where it is related to your change, be it a bugfix or a new feature. \
 Apart from that, these files should only be modified by Pull Requests whose only purpose is to update dependencies.
 The `go.mod`, `go.sum` update needs to be justified as part of the PR description,
 and must be verified by the reviewers and/or merger to always reference
 an existing upstream commit.
 ### Frontend
 For the frontend, we use [npm](https://www.npmjs.com/).
 The same restrictions apply for frontend dependencies as for backend dependencies, with the exceptions that the files for it are `package.json` and `package-lock.json`, and that new versions must always reference an existing version.
 ## Design guideline
 Depending on your change, please read the
 - [backend development guideline](https://docs.gitea.com/contributing/guidelines-backend)
 - [frontend development guideline](https://docs.gitea.com/contributing/guidelines-frontend)
 - [refactoring guideline](https://docs.gitea.com/contributing/guidelines-refactoring)
 ## Styleguide
 You should always run `make fmt` before committing to conform to Gitea's styleguide.
@@ -139,11 +190,11 @@ Here's how to run the test suite:
 - run tests (we suggest running them on Linux)
-| Command                                       | Action                                               |                                             |
+|  Command                                    | Action                                                   |                                             |
-|:----------------------------------------------|:-----------------------------------------------------| ------------------------------------------- |
+| :------------------------------------------ | :------------------------------------------------------- | ------------------------------------------- |
-| ``make test-backend[\#SpecificTestName]``     | run unit test(s)                                     |                                             |
+|``make test[\#SpecificTestName]``            |  run unit test(s)                                        |                                             |
-| ``make test-integration[\#SpecificTestName]`` | run [integration](tests/integration) test(s)         | [More details](tests/integration/README.md) |
+|``make test-sqlite[\#SpecificTestName]``     |  run [integration](tests/integration) test(s) for SQLite | [More details](tests/integration/README.md) |
-| ``make test-e2e``                             | run [end-to-end](tests/e2e) test(s) using Playwright |                                             |
+|``make test-e2e``                            |  run [end-to-end](tests/e2e) test(s) using Playwright    |                                             |
 - E2E test environment variables
@@ -151,7 +202,7 @@ Here's how to run the test suite:
 | :-------------------------------- | :---------------------------------------------------------- |
 | ``GITEA_TEST_E2E_DEBUG``          | When set, show Gitea server output                          |
 | ``GITEA_TEST_E2E_FLAGS``          | Additional flags passed to Playwright, for example ``--ui`` |
-| ``GITEA_TEST_E2E_TIMEOUT_FACTOR`` | Timeout multiplier (default: 4 on CI, 1 locally)            |
+| ``GITEA_TEST_E2E_TIMEOUT_FACTOR`` | Timeout multiplier (default: 3 on CI, 1 locally)            |
 ## Translation
@@ -165,8 +216,6 @@ The tool `go run build/backport-locale.go` can be used to backport locales from
 ## Code review
 How labels, milestones, and the merge queue work is documented in [docs/community-governance.md](docs/community-governance.md).
 ### Pull request format
 Please try to make your pull request easy to review for us. \
@@ -189,38 +238,6 @@ In the PR title, describe the problem you are fixing, not how you are fixing it.
 Use the first comment as a summary of your PR. \
 In the PR summary, you can describe exactly how you are fixing this problem.
 PR titles must follow the [Conventional Commits](https://www.conventionalcommits.org/) format, because PRs are squash-merged and the PR title becomes the resulting commit message:
 ```text
 type(scope)!: subject
 ```
 The scope in parentheses is optional. A `!` immediately before the colon marks a [breaking change](https://www.conventionalcommits.org/en/v1.0.0/#summary): either `type!:` or `type(scope)!:` (not `type!(scope):`).
 Use one of these types:
 - `build`: Changes affecting the build system, packaging, or external dependencies
 - `ci`: Changes to CI/CD configuration files and scripts
 - `chore`: Maintenance changes that do not affect production code or should not appear in the changelog
 - `docs`: Documentation-only changes
 - `feat`: A larger user-facing feature, improvement, or new functionality
 - `enhance`: Small or trivial user-facing improvements or UX polish (for example wording changes, color adjustments, spacing or padding tweaks, placeholders, small UI behavior improvements)
 - `fix`: A bug fix, UX correction, or security-related dependency update
 - `perf`: Performance improvements (speed, memory, scalability)
 - `refactor`: A code change that neither fixes a bug nor adds a feature
 - `revert`: Reverts a previous change
 - `style`: Formatting or style-only changes that do not affect code behavior (for example lint-driven edits)
 - `test`: Adding or correcting tests
 Examples:
 ```text
 fix(web): prevent avatar upload crash on empty file
 feat(api): add pagination to repo hooks list
 enhance(repo): improve diff toolbar spacing
 ci(workflows): lint PR titles in CI
 ```
 Keep this summary up-to-date as the PR evolves. \
 If your PR changes the UI, you must add **after** screenshots in the PR summary. \
 If you are not implementing a new feature, you should also post **before** screenshots for comparison.
@@ -233,10 +250,6 @@ Another requirement for merging PRs is that the PR is labeled correctly.\
 However, this is not your job as a contributor, but the job of the person merging your PR.\
 If you think that your PR was labeled incorrectly, or notice that it was merged without labels, please let us know.
 For pull requests that use a valid Conventional Commits title, CI automatically applies a matching `type/…` label when the title prefix is `feat`, `enhance`, `fix`, `docs`, or `test` (for example `enhance(web): …` receives `type/enhancement`).\
 That label is kept in sync with the PR title when the title is edited.\
 Other title prefixes do not get an automatic `type/…` label; the merger still assigns the correct labels (including `type/…` when needed) for changelog and backport decisions.
 If your PR closes some issues, you must note that in a way that both GitHub and Gitea understand, i.e. by appending a paragraph like
 ```text
@@ -247,6 +260,29 @@ Fixes/Closes/Resolves #<ISSUE_NR_Y>.
 to your summary. \
 Each issue that will be closed must stand on a separate line.
 ### Milestone
 A PR should only be assigned to a milestone if it will likely be merged into the given version. \
 As a rule of thumb, assume that a PR will stay open for an additional month for every 100 added lines. \
 PRs without a milestone may not be merged.
 ### Labels
 Almost all labels used inside Gitea can be classified as one of the following:
 - `modifies/…`: Determines which parts of the codebase are affected. These labels will be set through the CI.
 - `topic/…`:  Determines the conceptual component of Gitea that is affected, i.e. issues, projects, or authentication. At best, PRs should only target one component but there might be overlap. Must be set manually.
 - `type/…`: Determines the type of an issue or PR (feature, refactoring, docs, bug, …). If GitHub supported scoped labels, these labels would be exclusive, so you should set **exactly** one, not more or less (every PR should fall into one of the provided categories, and only one).
 - `issue/…` / `pr/…`: Labels that are specific to issues or PRs respectively and that are only necessary in a given context, i.e. `issue/not-a-bug` or `pr/need-2-approvals`
 Every PR should be labeled correctly with every label that applies.
 There are also some labels that will be managed automatically.\
 In particular, these are
 - the amount of pending required approvals
 - has all `backport`s or needs a manual backport
 ### Breaking PRs
 #### What is a breaking PR?
@@ -275,29 +311,165 @@ Breaking PRs will not be merged as long as not both of these requirements are me
 ### Maintaining open PRs
-Code review starts when you open a non-draft PR or move a draft out of draft state. After that, do not rebase or squash your branch; it makes new changes harder to review.
+The moment you create a non-draft PR or the moment you convert a draft PR to a non-draft PR is the moment code review starts for it. \
 Once that happens, do not rebase or squash your branch anymore as it makes it difficult to review the new changes. \
 Merge the base branch into your branch only when you really need to, i.e. because of conflicting changes in the mean time. \
 This reduces unnecessary CI runs. \
 Don't worry about merge commits messing up your commit history as every PR will be squash merged. \
 This means that all changes are joined into a single new commit whose message is as described below.
-Merge the base branch into yours only when you need to, for example because of conflicting changes elsewhere. That limits unnecessary CI runs.
+### Getting PRs merged
-Every PR is squash-merged, so merge commits on your branch do not matter for final history. The squash produces a single commit; mergers follow the [commit message format](docs/community-governance.md#commit-messages) in the governance guide.
+Changes to Gitea must be reviewed before they are accepted — no matter who
 makes the change, even if they are an owner or a maintainer. \
 The only exception are critical bugs that prevent Gitea from being compiled or started. \
 Specifically, we require two approvals from maintainers for every PR. \
 Once this criteria has been met, your PR receives the `lgtm/done` label. \
 From this point on, your only responsibility is to fix merge conflicts or respond to/implement requests by maintainers. \
 It is the responsibility of the maintainers from this point to get your PR merged.
-### Reviewing PRs
+If a PR has the `lgtm/done` label and there are no open discussions or merge conflicts anymore, any maintainer can add the `reviewed/wait-merge` label. \
 This label means that the PR is part of the merge queue and will be merged as soon as possible. \
 The merge queue will be cleared in the order of the list below:
-Maintainers are encouraged to review pull requests in areas where they have expertise or particular interest.
+<https://github.com/go-gitea/gitea/pulls?q=is%3Apr+label%3Areviewed%2Fwait-merge+sort%3Acreated-asc+is%3Aopen>
-#### For PR authors
+Gitea uses it's own tool, the <https://github.com/GiteaBot/gitea-backporter> to automate parts of the review process. \
 This tool does the things listed below automatically:
- **Response**: When answering reviewer questions, use real-world cases or examples and avoid speculation.
+- create a backport PR if needed once the initial PR was merged
- **Discussion**: A discussion is always welcome and should be used to clarify the changes and the intent of the PR.
+- remove the PR from the merge queue after the PR merged
- **Help**: If you need help with the PR or comments are unclear, ask for clarification.
+- keep the oldest branch in the merge queue up to date with merges
-Guidance for reviewers, the merge queue, and the squash commit message format is in [docs/community-governance.md](docs/community-governance.md).
+### Final call
 If a PR has been ignored for more than 7 days with no comments or reviews, and the author or any maintainer believes it will not survive a long wait (such as a refactoring PR), they can send "final call" to the TOC by mentioning them in a comment.
 After another 7 days, if there is still zero approval, this is considered a polite refusal, and the PR will be closed to avoid wasting further time. Therefore, the "final call" has a cost, and should be used cautiously.
 However, if there are no objections from maintainers, the PR can be merged with only one approval from the TOC (not the author).
 ### Commit messages
 Mergers are able and required to rewrite the PR title and summary (the first comment of a PR) so that it can produce an easily understandable commit message if necessary. \
 The final commit message should no longer contain any uncertainty such as `hopefully, <x> won't happen anymore`. Replace uncertainty with certainty.
 #### PR Co-authors
 A person counts as a PR co-author the moment they (co-)authored a commit that is not simply a `Merge base branch into branch` commit. \
 Mergers are required to remove such "false-positive" co-authors when writing the commit message. \
 The true co-authors must remain in the commit message.
 #### PRs targeting `main`
 The commit message of PRs targeting `main` is always
 ```bash
 $PR_TITLE ($PR_INDEX)
 $REWRITTEN_PR_SUMMARY
 ```
 #### Backport PRs
 The commit message of backport PRs is always
 ```bash
 $PR_TITLE ($INITIAL_PR_INDEX) ($BACKPORT_PR_INDEX)
 $REWRITTEN_PR_SUMMARY
 ```
 ## Documentation
 If you add a new feature or change an existing aspect of Gitea, the documentation for that feature must be created or updated in another PR at [https://gitea.com/gitea/docs](https://gitea.com/gitea/docs).
 **The docs directory on main repository will be removed at some time. We will have a yaml file to store configuration file's meta data. After that completed, configuration documentation should be in the main repository.**
 ## API v1
 The API is documented by [swagger](https://gitea.com/api/swagger) and is based on [the GitHub API](https://docs.github.com/en/rest).
 ### GitHub API compatibility
 Gitea's API should use the same endpoints and fields as the GitHub API as far as possible, unless there are good reasons to deviate. \
 If Gitea provides functionality that GitHub does not, a new endpoint can be created. \
 If information is provided by Gitea that is not provided by the GitHub API, a new field can be used that doesn't collide with any GitHub fields. \
 Updating an existing API should not remove existing fields unless there is a really good reason to do so. \
 The same applies to status responses. If you notice a problem, feel free to leave a comment in the code for future refactoring to API v2 (which is currently not planned).
 ### Adding/Maintaining API routes
 All expected results (errors, success, fail messages) must be documented ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L319-L327)). \
 All JSON input types must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L76-L91)) \
 and referenced in [routers/api/v1/swagger/options.go](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/options.go). \
 They can then be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L318). \
 All JSON responses must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L36-L68)) \
 and referenced in its category in [routers/api/v1/swagger/](routers/api/v1/swagger/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/issue.go#L11-L16)) \
 They can be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L277-L279).
 ### When to use what HTTP method
 In general, HTTP methods are chosen as follows:
 - **GET** endpoints return the requested object(s) and status **OK (200)**
 - **DELETE** endpoints return the status **No Content (204)** and no content either
 - **POST** endpoints are used to **create** new objects (e.g. a User) and return the status **Created (201)** and the created object
 - **PUT** endpoints are used to **add/assign** existing Objects (e.g. a user to a team) and return the status **No Content (204)** and no content either
 - **PATCH** endpoints are used to **edit/change** an existing object and return the changed object and the status **OK (200)**
 ### Requirements for API routes
 All parameters of endpoints changing/editing an object must be optional (except the ones to identify the object, which are required).
 Endpoints returning lists must
 - support pagination (`page` & `limit` options in query)
 - set `X-Total-Count` header via **SetTotalCountHeader** ([example](https://github.com/go-gitea/gitea/blob/7aae98cc5d4113f1e9918b7ee7dd09f67c189e3e/routers/api/v1/repo/issue.go#L444))
 ## Backports and Frontports
 ### What is backported?
 We backport PRs given the following circumstances:
 1. Feature freeze is active, but `<version>-rc0` has not been released yet. Here, we backport as much as possible. <!-- TODO: Is that our definition with the new backport bot? -->
 2. `rc0` has been released. Here, we only backport bug- and security-fixes, and small enhancements. Large PRs such as refactors are not backported anymore. <!-- TODO: Is that our definition with the new backport bot? -->
 3. We never backport new features.
 4. We never backport breaking changes except when
    1. The breaking change has no effect on the vast majority of users
    2. The component triggering the breaking change is marked as experimental
 ### How to backport?
 In the past, it was necessary to manually backport your PRs. \
 Now, that's not a requirement anymore as our [backport bot](https://github.com/GiteaBot) tries to create backports automatically once the PR is merged when the PR
 - does not have the label `backport/manual`
 - has the label `backport/<version>`
 The `backport/manual` label signifies either that you want to backport the change yourself, or that there were conflicts when backporting, thus you **must** do it yourself.
 ### Format of backport PRs
 The title of backport PRs should be
 ```
 <original PR title> (#<original pr number>)
 ```
 The first two lines of the summary of the backporting PR should be
 ```
 Backport #<original pr number>
 ```
 with the rest of the summary and labels matching the original PR.
 ### Frontports
 Frontports behave exactly as described above for backports.
 ## Developer Certificate of Origin (DCO)
 We consider the act of contributing to the code by submitting a Pull Request as the "Sign off" or agreement to the certifications and terms of the [DCO](DCO) and [MIT license](LICENSE). \
@@ -311,3 +483,148 @@ Signed-off-by: Joe Smith <joe.smith@email.com>
 If you set the `user.name` and `user.email` Git config options, you can add the line to the end of your commits automatically with `git commit -s`.
 We assume in good faith that the information you provide is legally binding.
 ## Release Cycle
 We adopted a release schedule to streamline the process of working on, finishing, and issuing releases. \
 The overall goal is to make a major release every three or four months, which breaks down into two or three months of general development followed by one month of testing and polishing known as the release freeze. \
 All the feature pull requests should be
 merged before feature freeze. All feature pull requests haven't been merged before this feature freeze will be moved to next milestone, please notice our feature freeze announcement on discord. And, during the frozen period, a corresponding
 release branch is open for fixes backported from main branch. Release candidates
 are made during this period for user testing to
 obtain a final version that is maintained in this branch.
 During a development cycle, we may also publish any necessary minor releases
 for the previous version. For example, if the latest, published release is
 v1.2, then minor changes for the previous release—e.g., v1.1.0 -> v1.1.1—are
 still possible.
 ## Maintainers
 To make sure every PR is checked, we have [maintainers](MAINTAINERS). \
 Every PR **must** be reviewed by at least two maintainers (or owners) before it can get merged. \
 For refactoring PRs after a week and documentation only PRs, the approval of only one maintainer is enough. \
 A maintainer should be a contributor of Gitea and contributed at least
 4 accepted PRs. A contributor should apply as a maintainer in the
 [Discord](https://discord.gg/Gitea) `#develop` channel. The team maintainers may invite the contributor. A maintainer
 should spend some time on code reviews. If a maintainer has no
 time to do that, they should apply to leave the maintainers team
 and we will give them the honor of being a member of the [advisors
 team](https://github.com/orgs/go-gitea/teams/advisors). Of course, if
 an advisor has time to code review, we will gladly welcome them back
 to the maintainers team. If a maintainer is inactive for more than 3
 months and forgets to leave the maintainers team, the owners may move
 him or her from the maintainers team to the advisors team.
 For security reasons, Maintainers should use 2FA for their accounts and
 if possible provide GPG signed commits.
 https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
 https://help.github.com/articles/signing-commits-with-gpg/
 Furthermore, any account with write access (like bots and TOC members) **must** use 2FA.
 https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
 ## Technical Oversight Committee (TOC)
 At the start of 2023, the `Owners` team was dissolved. Instead, the governance charter proposed a technical oversight committee (TOC) which expands the ownership team of the Gitea project from three elected positions to six positions. Three positions are elected as it has been over the past years, and the other three consist of appointed members from the Gitea company.
 https://blog.gitea.com/quarterly-23q1/
 ### TOC election process
 Any maintainer is eligible to be part of the community TOC if they are not associated with the Gitea company.
 A maintainer can either nominate themselves, or can be nominated by other maintainers to be a candidate for the TOC election.
 If you are nominated by someone else, you must first accept your nomination before the vote starts to be a candidate.
 The TOC is elected for one year, the TOC election happens yearly.
 After the announcement of the results of the TOC election, elected members have two weeks time to confirm or refuse the seat.
 If an elected member does not answer within this timeframe, they are automatically assumed to refuse the seat.
 Refusals result in the person with the next highest vote getting the same choice.
 As long as seats are empty in the TOC, members of the previous TOC can fill them until an elected member accepts the seat.
 If an elected member that accepts the seat does not have 2FA configured yet, they will be temporarily counted as `answer pending` until they manage to configure 2FA, thus leaving their seat empty for this duration.
 ### Current TOC members
 - 2024-01-01 ~ 2024-12-31
  - Company
    - [Jason Song](https://gitea.com/wolfogre) <i@wolfogre.com>
    - [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
    - [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.com>
  - Community
    - [6543](https://gitea.com/6543) <6543@obermui.de>
    - [delvh](https://gitea.com/delvh) <dev.lh@web.de>
    - [John Olheiser](https://gitea.com/jolheiser) <john.olheiser@gmail.com>
 ### Previous TOC/owners members
 Here's the history of the owners and the time they served:
 - [Lunny Xiao](https://gitea.com/lunny) - 2016, 2017, [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
 - [Kim Carlbäcker](https://github.com/bkcsoft) - 2016, 2017
 - [Thomas Boerger](https://gitea.com/tboerger) - 2016, 2017
 - [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) - [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801)
 - [Matti Ranta](https://gitea.com/techknowlogick) - [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
 - [Andrew Thornton](https://gitea.com/zeripath) - [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
 - [6543](https://gitea.com/6543) - 2023
 - [John Olheiser](https://gitea.com/jolheiser) - 2023
 - [Jason Song](https://gitea.com/wolfogre) - 2023
 ## Governance Compensation
 Each member of the community elected TOC will be granted $500 each month as compensation for their work.
 Furthermore, any community release manager for a specific release or LTS will be compensated $500 for the delivery of said release.
 These funds will come from community sources like the OpenCollective rather than directly from the company.
 Only non-company members are eligible for this compensation, and if a member of the community TOC takes the responsibility of release manager, they would only be compensated for their TOC duties.
 Gitea Ltd employees are not eligible to receive any funds from the OpenCollective unless it is reimbursement for a purchase made for the Gitea project itself.
 ## TOC & Working groups
 With Gitea covering many projects outside of the main repository, several groups will be created to help focus on specific areas instead of requiring maintainers to be a jack-of-all-trades. Maintainers are of course more than welcome to be part of multiple groups should they wish to contribute in multiple places.
 The currently proposed groups are:
 - **Core Group**: maintain the primary Gitea repository
 - **Integration Group**: maintain the Gitea ecosystem's related tools, including go-sdk/tea/changelog/bots etc.
 - **Documentation Group**: maintain related documents and repositories
 - **Translation Group**: coordinate with translators and maintain translations
 - **Security Group**: managed by TOC directly, members are decided by TOC, maintains security patches/responsible for security items
 ## Roadmap
 Each year a roadmap will be discussed with the entire Gitea maintainers team, and feedback will be solicited from various stakeholders.
 TOC members need to review the roadmap every year and work together on the direction of the project.
 When a vote is required for a proposal or other change, the vote of community elected TOC members count slightly more than the vote of company elected TOC members. With this approach, we both avoid ties and ensure that changes align with the mission statement and community opinion.
 You can visit our roadmap on the wiki.
 ## Versions
 Gitea has the `main` branch as a tip branch and has version branches
 such as `release/v1.19`. `release/v1.19` is a release branch and we will
 tag `v1.19.0` for binary download. If `v1.19.0` has bugs, we will accept
 pull requests on the `release/v1.19` branch and publish a `v1.19.1` tag,
 after bringing the bug fix also to the main branch.
 Since the `main` branch is a tip version, if you wish to use Gitea
 in production, please download the latest release tag version. All the
 branches will be protected via GitHub, all the PRs to every branch must
 be reviewed by two maintainers and must pass the automatic tests.
 ## Releasing Gitea
 - Let $vmaj, $vmin and $vpat be Major, Minor and Patch version numbers, $vpat should be rc1, rc2, 0, 1, ...... $vmaj.$vmin will be kept the same as milestones on github or gitea in future.
 - Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on Discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody is against it in about several hours.
 - If this is a big version first you have to create PR for changelog on branch `main` with PRs with label `changelog` and after it has been merged do following steps:
  - Create `-dev` tag as `git tag -s -F release.notes v$vmaj.$vmin.0-dev` and push the tag as `git push origin v$vmaj.$vmin.0-dev`.
  - When CI has finished building tag then you have to create a new branch named `release/v$vmaj.$vmin`
 - If it is bugfix version create PR for changelog on branch `release/v$vmaj.$vmin` and wait till it is reviewed and merged.
 - Add a tag as `git tag -s -F release.notes v$vmaj.$vmin.$`, release.notes file could be a temporary file to only include the changelog this version which you added to `CHANGELOG.md`.
 - And then push the tag as `git push origin v$vmaj.$vmin.$`. Drone CI will automatically create a release and upload all the compiled binary. (But currently it doesn't add the release notes automatically. Maybe we should fix that.)
 - If needed send a frontport PR for the changelog to branch `main` and update the version in `docs/config.yaml` to refer to the new version.
 - Send PR to [blog repository](https://gitea.com/gitea/blog) announcing the release.
 - Verify all release assets were correctly published through CI on dl.gitea.com and GitHub releases. Once ACKed:
  - bump the version of https://dl.gitea.com/gitea/version.json
  - merge the blog post PR
  - announce the release in discord `#announcements`
--- a/4
+++ b/4
@@ -3,7 +3,7 @@
 FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26-alpine3.23 AS frontend-build
 RUN apk --no-cache add build-base git nodejs pnpm
 WORKDIR /src
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY package.json pnpm-lock.yaml .npmrc ./
 RUN --mount=type=cache,target=/root/.local/share/pnpm/store pnpm install --frozen-lockfile
 COPY --exclude=.git/ . .
 RUN make frontend
@@ -12,7 +12,7 @@ RUN make frontend
 FROM docker.io/library/golang:1.26-alpine3.23 AS build-env
 ARG GITEA_VERSION
-ARG TAGS=""
+ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS="bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -3,7 +3,7 @@
 FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26-alpine3.23 AS frontend-build
 RUN apk --no-cache add build-base git nodejs pnpm
 WORKDIR /src
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY package.json pnpm-lock.yaml .npmrc ./
 RUN --mount=type=cache,target=/root/.local/share/pnpm/store pnpm install --frozen-lockfile
 COPY --exclude=.git/ . .
 RUN make frontend
@@ -12,7 +12,7 @@ RUN make frontend
 FROM docker.io/library/golang:1.26-alpine3.23 AS build-env
 ARG GITEA_VERSION
-ARG TAGS=""
+ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS="bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
--- a/388
+++ b/388
@@ -7,41 +7,33 @@ export GOEXPERIMENT ?= jsonv2
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 COMMA := ,
-XGO_VERSION := go-1.26.x
+XGO_VERSION := go-1.25.x
-AIR_PACKAGE ?= github.com/air-verse/air@v1.65.1 # renovate: datasource=go
+AIR_PACKAGE ?= github.com/air-verse/air@v1
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.6.1 # renovate: datasource=go
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2 # renovate: datasource=go
+GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
-MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.8.0 # renovate: datasource=go
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.2 # renovate: datasource=go
+MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.8.0
-XGO_PACKAGE ?= src.techknowlogick.com/xgo@v1.9.0 # renovate: datasource=go
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.1
-GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1.3.0 # renovate: datasource=go
+XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 # renovate: datasource=go
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1
 ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.11
 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 ifeq ($(HAS_GO), yes)
 	CGO_EXTRA_CFLAGS := -DSQLITE_MAX_VARIABLE_NUMBER=32766
 	CGO_CFLAGS ?= $(shell $(GO) env CGO_CFLAGS) $(CGO_EXTRA_CFLAGS)
 endif
 MAKE_EVIDENCE_DIR := .make_evidence
 # Use sqlite as default database if running tests, only do so for local tests, not in CI.
 # CI should explicitly set the database to avoid unexpected results.
 ifneq ($(findstring test-,$(MAKECMDGOALS)),)
 	ifeq ($(CI),)
 		GITEA_TEST_DATABASE ?= sqlite
 	endif
 endif
 TAGS ?=
 TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags
 CGO_ENABLED ?= 0
-ifneq (,$(findstring sqlite_mattn,$(TAGS))$(findstring pam,$(TAGS)))
+ifneq (,$(findstring sqlite,$(TAGS))$(findstring pam,$(TAGS)))
 	CGO_ENABLED = 1
 endif
@@ -58,16 +50,15 @@ else ifeq ($(patsubst Windows%,Windows,$(OS)),Windows)
 		IS_WINDOWS := yes
 	endif
 endif
 # GOFLAGS and EXTRA_GOFLAGS are for the 'go build' command only
 ifeq ($(IS_WINDOWS),yes)
 	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
 	EXECUTABLE_E2E ?= gitea-e2e.exe
 else
 	GOFLAGS := -v
 	EXECUTABLE ?= gitea
 	EXECUTABLE_E2E ?= gitea-e2e
 endif
 EXTRA_GOFLAGS ?=
 ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
 	SED_INPLACE := sed -i
@@ -75,8 +66,15 @@ else
 	SED_INPLACE := sed -i ''
 endif
-# GOTEST_FLAGS is for unit test and integration test
+EXTRA_GOFLAGS ?=
-GOTEST_FLAGS ?= -timeout 40m
+
 MAKE_EVIDENCE_DIR := .make_evidence
 GOTESTFLAGS ?=
 ifeq ($(RACE_ENABLED),true)
 	GOFLAGS += -race
 	GOTESTFLAGS += -race
 endif
 STORED_VERSION_FILE := VERSION
@@ -129,6 +127,12 @@ AIR_TMP_DIR := .air
 GO_LICENSE_FILE := assets/go-licenses.json
 TAGS ?=
 TAGS_SPLIT := $(subst $(COMMA), ,$(TAGS))
 TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags
 TEST_TAGS ?= $(TAGS_SPLIT) sqlite sqlite_unlock_notify
 TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR)
 GO_DIRS := build cmd models modules routers services tests tools
@@ -148,7 +152,6 @@ ESLINT_CONCURRENCY ?= 2
 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
 SWAGGER_SPEC_INPUT := templates/swagger/v1_input.json
 SWAGGER_EXCLUDE := code.gitea.io/sdk
 OPENAPI3_SPEC := templates/swagger/v1_openapi3_json.tmpl
 TEST_MYSQL_HOST ?= mysql:3306
 TEST_MYSQL_DBNAME ?= testgitea
@@ -161,19 +164,13 @@ TEST_PGSQL_PASSWORD ?= postgres
 TEST_PGSQL_SCHEMA ?= gtestschema
 TEST_MINIO_ENDPOINT ?= minio:9000
 TEST_MSSQL_HOST ?= mssql:1433
-TEST_MSSQL_DBNAME ?= testgitea
+TEST_MSSQL_DBNAME ?= gitea
 TEST_MSSQL_USERNAME ?= sa
 TEST_MSSQL_PASSWORD ?= MwantsaSecurePassword1
 # Include local Makefile
 # Makefile.local is listed in .gitignore
-ifneq ("$(wildcard Makefile.local)","")
+sinclude Makefile.local
 	include Makefile.local
 endif
 $(foreach v, $(filter TEST_%, $(.VARIABLES)), $(eval MAKEFILE_VARS+=$v=$($v)))
 $(foreach v, $(filter GITEA_TEST_%, $(.VARIABLES)), $(eval MAKEFILE_VARS+=$v=$($v)))
 export MAKEFILE_VARS
 .PHONY: all
 all: build
@@ -182,8 +179,15 @@ all: build
 help: Makefile ## print Makefile help information.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m[TARGETS] default target: build\033[0m\n\n\033[35mTargets:\033[0m\n"} /^[0-9A-Za-z._-]+:.*?##/ { printf "  \033[36m%-45s\033[0m %s\n", $$1, $$2 }' Makefile #$(MAKEFILE_LIST)
 	@printf "  \033[36m%-46s\033[0m %s\n" "test-e2e" "test end to end using playwright"
-	@printf "  \033[36m%-46s\033[0m %s\n" "test-backend[#TestSpecificName]" "run unit test (sqlite only)"
+	@printf "  \033[36m%-46s\033[0m %s\n" "test[#TestSpecificName]" "run unit test"
-	@printf "  \033[36m%-46s\033[0m %s\n" "test-integration[#TestSpecificName]" "run integration test for GITEA_TEST_DATABASE (sqlite, mysql, pgsql, mssql)"
+	@printf "  \033[36m%-46s\033[0m %s\n" "test-sqlite[#TestSpecificName]" "run integration test for sqlite"
 .PHONY: git-check
 git-check:
 	@if git lfs >/dev/null 2>&1 ; then : ; else \
 		echo "Gitea requires git with lfs support to run tests." ; \
 		exit 1; \
 	fi
 .PHONY: clean-all
 clean-all: clean ## delete backend, frontend and integration files
@@ -191,12 +195,18 @@ clean-all: clean ## delete backend, frontend and integration files
 .PHONY: clean
 clean: ## delete backend and integration files
-	rm -f $(EXECUTABLE) test-*.test tests/*.ini
+	rm -rf $(EXECUTABLE) $(EXECUTABLE_E2E) $(DIST) $(BINDATA_DEST_WILDCARD) \
-	rm -rf  $(DIST) $(BINDATA_DEST_WILDCARD) man tests/integration/gitea-integration-*
+		integrations*.test \
 		tests/integration/gitea-integration-* \
 		tests/integration/indexers-* \
 		tests/sqlite.ini tests/mysql.ini tests/pgsql.ini tests/mssql.ini man/ \
 		tests/e2e/gitea-e2e-*/ \
 		tests/e2e/indexers-*/ \
 		tests/e2e/reports/ tests/e2e/test-artifacts/ tests/e2e/test-snapshots/
 .PHONY: fmt
 fmt: ## format the Go and template code
-	$(GO) run $(GOLANGCI_LINT_PACKAGE) fmt
+	@GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run tools/code-batch-process.go gitea-fmt -w '{file-list}'
 	$(eval TEMPLATES := $(shell find templates -type f -name '*.tmpl'))
 	@# strip whitespace after '{{' or '(' and before '}}' or ')' unless there is only
 	@# whitespace before it
@@ -224,7 +234,7 @@ TAGS_PREREQ := $(TAGS_EVIDENCE)
 endif
 .PHONY: generate-swagger
-generate-swagger: $(SWAGGER_SPEC) $(OPENAPI3_SPEC) ## generate the swagger spec from code comments
+generate-swagger: $(SWAGGER_SPEC) ## generate the swagger spec from code comments
 $(SWAGGER_SPEC): $(GO_SOURCES) $(SWAGGER_SPEC_INPUT)
 	$(GO) run $(SWAGGER_PACKAGE) generate spec --exclude "$(SWAGGER_EXCLUDE)" --input "$(SWAGGER_SPEC_INPUT)" --output './$(SWAGGER_SPEC)'
@@ -246,21 +256,6 @@ swagger-validate: ## check if the swagger spec is valid
 	$(GO) run $(SWAGGER_PACKAGE) validate './$(SWAGGER_SPEC)'
 	@$(SED_INPLACE) -E -e 's|"basePath":( *)"/(.*)"|"basePath":\1"\2"|g' './$(SWAGGER_SPEC)' # remove the prefix slash from basePath
 .PHONY: generate-openapi3
 generate-openapi3: $(OPENAPI3_SPEC) ## generate the OpenAPI 3.0 spec from the Swagger 2.0 spec
 $(OPENAPI3_SPEC): $(SWAGGER_SPEC) build/generate-openapi.go $(wildcard build/openapi3gen/*.go)
 	$(GO) run build/generate-openapi.go
 .PHONY: openapi3-check
 openapi3-check: generate-openapi3
 	@diff=$$(git diff --color=always '$(OPENAPI3_SPEC)'); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make generate-openapi3' and commit the result:"; \
 		printf "%s" "$${diff}"; \
 		exit 1; \
 	fi
 .PHONY: checks
 checks: checks-frontend checks-backend ## run various consistency checks
@@ -268,10 +263,10 @@ checks: checks-frontend checks-backend ## run various consistency checks
 checks-frontend: lockfile-check svg-check ## check frontend files
 .PHONY: checks-backend
-checks-backend: tidy-check swagger-check openapi3-check fmt-check swagger-validate security-check ## check backend files
+checks-backend: tidy-check swagger-check fmt-check swagger-validate security-check ## check backend files
 .PHONY: lint
-lint: lint-frontend lint-backend lint-templates lint-swagger lint-spell lint-md lint-actions lint-json lint-yaml ## lint everything
+lint: lint-frontend lint-backend lint-spell ## lint everything
 .PHONY: lint-fix
 lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix ## lint everything and fix issues
@@ -283,10 +278,10 @@ lint-frontend: lint-js lint-css ## lint frontend files
 lint-frontend-fix: lint-js-fix lint-css-fix ## lint frontend files and fix issues
 .PHONY: lint-backend
-lint-backend: lint-go lint-editorconfig ## lint backend files
+lint-backend: lint-go lint-go-gitea-vet lint-editorconfig ## lint backend files
 .PHONY: lint-backend-fix
-lint-backend-fix: lint-go-fix lint-editorconfig ## lint backend files and fix issues
+lint-backend-fix: lint-go-fix lint-go-gitea-vet lint-editorconfig ## lint backend files and fix issues
 .PHONY: lint-js
 lint-js: node_modules ## lint js and ts files
@@ -318,10 +313,6 @@ lint-md: node_modules ## lint markdown files
 lint-md-fix: node_modules ## lint markdown files and fix issues
 	pnpm exec markdownlint --fix *.md
 .PHONY: lint-pr-title
 lint-pr-title: ## lint PR title against Conventional Commits (set PR_TITLE=...)
 	@node ./tools/lint-pr-title.ts
 .PHONY: lint-spell
 lint-spell: ## lint spelling
 	@git ls-files $(SPELLCHECK_FILES) | xargs go run $(MISSPELL_PACKAGE) -dict assets/misspellings.csv -error
@@ -332,11 +323,23 @@ lint-spell-fix: ## lint spelling and fix issues
 .PHONY: lint-go
 lint-go: ## lint go files
-	GO=$(GO) GOLANGCI_LINT_PACKAGE=$(GOLANGCI_LINT_PACKAGE) $(GO) run ./tools/lint-go-all.go
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run
 .PHONY: lint-go-fix
 lint-go-fix: ## lint go files and fix issues
-	GO=$(GO) GOLANGCI_LINT_PACKAGE=$(GOLANGCI_LINT_PACKAGE) $(GO) run ./tools/lint-go-all.go --fix
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --fix
 # workaround step for the lint-go-windows CI task because 'go run' can not
 # have distinct GOOS/GOARCH for its build and run steps
 .PHONY: lint-go-windows
 lint-go-windows:
 	@GOOS= GOARCH= $(GO) install $(GOLANGCI_LINT_PACKAGE)
 	golangci-lint run
 .PHONY: lint-go-gitea-vet
 lint-go-gitea-vet: ## lint go files with gitea-vet
 	@echo "Running gitea-vet..."
 	@$(GO) vet -vettool="$(shell GOOS= GOARCH= go tool -n gitea-vet)" ./...
 .PHONY: lint-editorconfig
 lint-editorconfig:
@@ -344,9 +347,8 @@ lint-editorconfig:
 	@$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) $(EDITORCONFIG_FILES)
 .PHONY: lint-actions
-lint-actions: .venv ## lint action workflow files
+lint-actions: ## lint action workflow files
-	@$(GO) run $(ACTIONLINT_PACKAGE)
+	$(GO) run $(ACTIONLINT_PACKAGE)
 	@uv run --frozen zizmor --quiet --min-confidence=medium .github
 .PHONY: lint-templates
 lint-templates: .venv node_modules ## lint template files
@@ -377,10 +379,13 @@ watch-frontend: node_modules ## start vite dev server for frontend
 watch-backend: ## watch backend files and continuously rebuild
 	GITEA_RUN_MODE=dev $(GO) run $(AIR_PACKAGE) -c .air.toml
 .PHONY: test
 test: test-frontend test-backend ## test everything
 .PHONY: test-backend
 test-backend: ## test backend files
-	@echo "Running go test with $(GOTEST_FLAGS) -tags '$(TAGS)'..."
+	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTEST_FLAGS) -tags='$(TAGS)' $(GO_TEST_PACKAGES)
+	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
 .PHONY: test-frontend
 test-frontend: node_modules ## test frontend files
@@ -398,10 +403,10 @@ test-check:
 		exit 1; \
 	fi
-.PHONY: test-backend\#%
+.PHONY: test\#%
-test-backend\#%:
+test\#%:
-	@echo "Running go test with -tags '$(TAGS)'..."
+	@echo "Running go test with -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTEST_FLAGS) -tags='$(TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
 .PHONY: coverage
 coverage:
@@ -411,8 +416,8 @@ coverage:
 .PHONY: unit-test-coverage
 unit-test-coverage:
-	@echo "Running unit-test-coverage $(GOTEST_FLAGS) -tags '$(TAGS)'..."
+	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTEST_FLAGS) -tags='$(TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+	@$(GO) test $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
 .PHONY: tidy
 tidy: ## run go mod tidy
@@ -439,41 +444,193 @@ go-licenses: $(GO_LICENSE_FILE) ## regenerate go licenses
 $(GO_LICENSE_FILE): go.mod go.sum
 	GO=$(GO) $(GO) run build/generate-go-licenses.go $(GO_LICENSE_FILE)
-.PHONY: test-integration
+generate-ini-sqlite:
-test-integration:
+	sed -e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-sqlite|g' \
-	@# Use a compiled binary: testlogger forwards gitea logs to t.Log, so `go test -v`
+		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
-	@# would flood output per passing test. testcache can't help these tests anyway —
+			tests/sqlite.ini.tmpl > tests/sqlite.ini
 	@# they mutate the work directory, so cache inputs change between runs.
 	$(GO) test $(GOTEST_FLAGS) -tags '$(TAGS)' -c code.gitea.io/gitea/tests/integration -o ./test-integration-$(GITEA_TEST_DATABASE).test
 	./test-integration-$(GITEA_TEST_DATABASE).test
-.PHONY: test-integration\#%
+.PHONY: test-sqlite
-test-integration\#%:
+test-sqlite: integrations.sqlite.test generate-ini-sqlite
-	$(GO) test $(GOTEST_FLAGS) -tags '$(TAGS)' -run $(subst .,/,$*) code.gitea.io/gitea/tests/integration
+	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.sqlite.test
-.PHONY: test-migration
+.PHONY: test-sqlite\#%
-test-migration: migrations.integration.test migrations.individual.test
+test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
 	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
-.PHONY: migrations.integration.test
+.PHONY: test-sqlite-migration
-migrations.integration.test:
+test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test
 	$(GO) test $(GOTEST_FLAGS) -tags '$(TAGS)' code.gitea.io/gitea/tests/integration/migration-test
-.PHONY: migrations.individual.test
+generate-ini-mysql:
-migrations.individual.test:
+	sed -e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \
-	@# tests of multiple packages use the same database, don't run in parallel
+		-e 's|{{TEST_MYSQL_DBNAME}}|${TEST_MYSQL_DBNAME}|g' \
-	$(GO) test $(GOTEST_FLAGS) -tags '$(TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+		-e 's|{{TEST_MYSQL_USERNAME}}|${TEST_MYSQL_USERNAME}|g' \
 		-e 's|{{TEST_MYSQL_PASSWORD}}|${TEST_MYSQL_PASSWORD}|g' \
 		-e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-mysql|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 			tests/mysql.ini.tmpl > tests/mysql.ini
-.PHONY: migrations.individual.test\#%
+.PHONY: test-mysql
-migrations.individual.test\#%:
+test-mysql: integrations.mysql.test generate-ini-mysql
-	$(GO) test $(GOTEST_FLAGS) -tags '$(TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_TEST_CONF=tests/mysql.ini ./integrations.mysql.test
 .PHONY: test-mysql\#%
 test-mysql\#%: integrations.mysql.test generate-ini-mysql
 	GITEA_TEST_CONF=tests/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
 .PHONY: test-mysql-migration
 test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test
 generate-ini-pgsql:
 	sed -e 's|{{TEST_PGSQL_HOST}}|${TEST_PGSQL_HOST}|g' \
 		-e 's|{{TEST_PGSQL_DBNAME}}|${TEST_PGSQL_DBNAME}|g' \
 		-e 's|{{TEST_PGSQL_USERNAME}}|${TEST_PGSQL_USERNAME}|g' \
 		-e 's|{{TEST_PGSQL_PASSWORD}}|${TEST_PGSQL_PASSWORD}|g' \
 		-e 's|{{TEST_PGSQL_SCHEMA}}|${TEST_PGSQL_SCHEMA}|g' \
 		-e 's|{{TEST_MINIO_ENDPOINT}}|${TEST_MINIO_ENDPOINT}|g' \
 		-e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-pgsql|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini
 .PHONY: test-pgsql
 test-pgsql: integrations.pgsql.test generate-ini-pgsql
 	GITEA_TEST_CONF=tests/pgsql.ini ./integrations.pgsql.test
 .PHONY: test-pgsql\#%
 test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
 	GITEA_TEST_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
 .PHONY: test-pgsql-migration
 test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test
 generate-ini-mssql:
 	sed -e 's|{{TEST_MSSQL_HOST}}|${TEST_MSSQL_HOST}|g' \
 		-e 's|{{TEST_MSSQL_DBNAME}}|${TEST_MSSQL_DBNAME}|g' \
 		-e 's|{{TEST_MSSQL_USERNAME}}|${TEST_MSSQL_USERNAME}|g' \
 		-e 's|{{TEST_MSSQL_PASSWORD}}|${TEST_MSSQL_PASSWORD}|g' \
 		-e 's|{{WORK_PATH}}|$(CURDIR)/tests/$(or $(TEST_TYPE),integration)/gitea-$(or $(TEST_TYPE),integration)-mssql|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 			tests/mssql.ini.tmpl > tests/mssql.ini
 .PHONY: test-mssql
 test-mssql: integrations.mssql.test generate-ini-mssql
 	GITEA_TEST_CONF=tests/mssql.ini ./integrations.mssql.test
 .PHONY: test-mssql\#%
 test-mssql\#%: integrations.mssql.test generate-ini-mssql
 	GITEA_TEST_CONF=tests/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)
 .PHONY: test-mssql-migration
 test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test
 .PHONY: playwright
 playwright: deps-frontend
-	@./tools/test-e2e.sh install
+	@# on GitHub Actions VMs, playwright's system deps are pre-installed
 	@pnpm exec playwright install $(if $(GITHUB_ACTIONS),,--with-deps) chromium firefox $(PLAYWRIGHT_FLAGS)
 .PHONY: test-e2e
-test-e2e: playwright frontend backend
+test-e2e: playwright $(EXECUTABLE_E2E)
-	@EXECUTABLE=$(EXECUTABLE) ./tools/test-e2e.sh run $(GITEA_TEST_E2E_FLAGS)
+	@EXECUTABLE=$(EXECUTABLE_E2E) ./tools/test-e2e.sh $(GITEA_TEST_E2E_FLAGS)
 .PHONY: bench-sqlite
 bench-sqlite: integrations.sqlite.test generate-ini-sqlite
 	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 .PHONY: bench-mysql
 bench-mysql: integrations.mysql.test generate-ini-mysql
 	GITEA_TEST_CONF=tests/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 .PHONY: bench-mssql
 bench-mssql: integrations.mssql.test generate-ini-mssql
 	GITEA_TEST_CONF=tests/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 .PHONY: bench-pgsql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
 	GITEA_TEST_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 .PHONY: integration-test-coverage
 integration-test-coverage: integrations.cover.test generate-ini-mysql
 	GITEA_TEST_CONF=tests/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
 .PHONY: integration-test-coverage-sqlite
 integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sqlite
 	GITEA_TEST_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
 integrations.mysql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test
 integrations.pgsql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test
 integrations.mssql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mssql.test
 integrations.sqlite.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'
 integrations.cover.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
 integrations.cover.sqlite.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
 	GITEA_TEST_CONF=tests/mysql.ini ./migrations.mysql.test
 .PHONY: migrations.pgsql.test
 migrations.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
 	GITEA_TEST_CONF=tests/pgsql.ini ./migrations.pgsql.test
 .PHONY: migrations.mssql.test
 migrations.mssql.test: $(GO_SOURCES) generate-ini-mssql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mssql.test
 	GITEA_TEST_CONF=tests/mssql.ini ./migrations.mssql.test
 .PHONY: migrations.sqlite.test
 migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
 	GITEA_TEST_CONF=tests/sqlite.ini ./migrations.sqlite.test
 .PHONY: migrations.individual.mysql.test
 migrations.individual.mysql.test: $(GO_SOURCES) generate-ini-mysql
 	GITEA_TEST_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_TEST_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 .PHONY: migrations.individual.pgsql.test
 migrations.individual.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
 	GITEA_TEST_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 .PHONY: migrations.individual.pgsql.test\#%
 migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
 	GITEA_TEST_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 .PHONY: migrations.individual.mssql.test
 migrations.individual.mssql.test: $(GO_SOURCES) generate-ini-mssql
 	GITEA_TEST_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 .PHONY: migrations.individual.mssql.test\#%
 migrations.individual.mssql.test\#%: $(GO_SOURCES) generate-ini-mssql
 	GITEA_TEST_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 .PHONY: migrations.individual.sqlite.test
 migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_TEST_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_TEST_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
 .PHONY: check
 check: test
 .PHONY: install $(TAGS_PREREQ)
 install: $(wildcard *.go)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'
 .PHONY: build
 build: frontend backend ## build everything
@@ -506,6 +663,9 @@ ifneq ($(and $(STATIC),$(findstring pam,$(TAGS))),)
 endif
 	CGO_ENABLED="$(CGO_ENABLED)" CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@
 $(EXECUTABLE_E2E): $(GO_SOURCES) $(FRONTEND_DEST)
 	CGO_ENABLED=1 $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TEST_TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@
 .PHONY: release
 release: frontend generate release-windows release-linux release-darwin release-freebsd release-copy release-compress vendor release-sources release-check
@@ -570,6 +730,7 @@ deps-backend: ## install backend dependencies
 deps-tools: ## install tool dependencies
 	$(GO) install $(AIR_PACKAGE) & \
 	$(GO) install $(EDITORCONFIG_CHECKER_PACKAGE) & \
 	$(GO) install $(GOFUMPT_PACKAGE) & \
 	$(GO) install $(GOLANGCI_LINT_PACKAGE) & \
 	$(GO) install $(GXZ_PACKAGE) & \
 	$(GO) install $(MISSPELL_PACKAGE) & \
@@ -600,13 +761,7 @@ update-js: node_modules ## update js dependencies
 	pnpm exec updates -u -f package.json
 	rm -rf node_modules pnpm-lock.yaml
 	pnpm install
 	@touch node_modules
 	$(MAKE) --no-print-directory nolyfill
 .PHONY: nolyfill
 nolyfill: node_modules ## apply nolyfill overrides to package.json and relock
 	pnpm exec nolyfill install
 	node tools/migrate-nolyfills.ts
 	pnpm install
 	@touch node_modules
@@ -661,10 +816,6 @@ generate-gitignore: ## update gitignore files
 generate-images: | node_modules ## generate images
 	cd tools && node generate-images.ts $(TAGS)
 .PHONY: generate-codemirror-languages
 generate-codemirror-languages: | node_modules ## generate codemirror languages
 	node tools/generate-codemirror-languages.ts
 .PHONY: generate-manpage
 generate-manpage: ## generate manpage
 	@[ -f gitea ] || make backend
@@ -673,6 +824,11 @@ generate-manpage: ## generate manpage
 	@gzip -9 man/man1/gitea.1 && echo man/man1/gitea.1.gz created
 	@#TODO A small script that formats config-cheat-sheet.en-us.md nicely for use as a config man page
 .PHONY: docker
 docker:
 	docker build --disable-content-trust=false -t $(DOCKER_REF) .
 # support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite sqlite_unlock_notify"  .
 # Disable parallel execution because it would break some targets that don't
 # specify exact dependencies like 'backend' which does currently not depend
 # on 'frontend' to enable Node.js-less builds from source tarballs.
--- a/README.md
+++ b/README.md
@@ -44,6 +44,10 @@ From the root of the source tree, run:
    TAGS="bindata" make build
 or if SQLite support is required:
    TAGS="bindata sqlite sqlite_unlock_notify" make build
 The `build` target is split into two sub-targets:
 - `make backend` which requires [Go Stable](https://go.dev/dl/), the required version is defined in [go.mod](/go.mod).
--- a/README.zh-cn.md
+++ b/README.zh-cn.md
@@ -38,6 +38,10 @@
    TAGS="bindata" make build
 如果需要 SQLite 支持：
    TAGS="bindata sqlite sqlite_unlock_notify" make build
 `build` 目标分为两个子目标：
 - `make backend` 需要 [Go Stable](https://go.dev/dl/)，所需版本在 [go.mod](/go.mod) 中定义。
--- a/README.zh-tw.md
+++ b/README.zh-tw.md
@@ -38,6 +38,10 @@
    TAGS="bindata" make build
 如果需要 SQLite 支援：
    TAGS="bindata sqlite sqlite_unlock_notify" make build
 `build` 目標分為兩個子目標：
 - `make backend` 需要 [Go Stable](https://go.dev/dl/)，所需版本在 [go.mod](/go.mod) 中定義。
--- a/assets/codemirror-languages.json
+++ b/assets/codemirror-languages.json
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build/generate-gitignores.go
+++ b/build/generate-gitignores.go
@@ -1,6 +1,3 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 //go:build ignore
 package main
--- a/build/generate-openapi.go
+++ b/build/generate-openapi.go
@@ -1,97 +0,0 @@
 // Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 // generate-openapi converts Gitea's Swagger 2.0 spec into an OpenAPI 3.0 spec.
 //
 // Gitea generates a Swagger 2.0 spec from code annotations (make generate-swagger).
 // This tool converts it to OAS3 so that SDK generators and tools that require
 // OAS3 (e.g. progenitor for Rust) can consume it directly. The conversion also
 // deduplicates inline enum definitions into named schema components, producing
 // cleaner SDK output with proper enum types instead of anonymous strings.
 //
 // Run: go run build/generate-openapi.go
 // Output: templates/swagger/v1_openapi3_json.tmpl
 //go:build ignore
 package main
 import (
 	"encoding/json"
 	"fmt"
 	"log"
 	"os"
 	"regexp"
 	"sort"
 	"strings"
 	"code.gitea.io/gitea/build/openapi3gen"
 	"github.com/getkin/kin-openapi/openapi3"
 )
 const (
 	swaggerSpecPath = "templates/swagger/v1_json.tmpl"
 	openapi3OutPath = "templates/swagger/v1_openapi3_json.tmpl"
 	appSubUrlVar = "{{.SwaggerAppSubUrl}}"
 	appVerVar    = "{{.SwaggerAppVer}}"
 	appSubUrlPlaceholder = "GITEA_APP_SUB_URL_PLACEHOLDER"
 	appVerPlaceholder    = "0.0.0-gitea-placeholder"
 )
 var (
 	appSubUrlRe = regexp.MustCompile(regexp.QuoteMeta(appSubUrlVar))
 	appVerRe    = regexp.MustCompile(regexp.QuoteMeta(appVerVar))
 	enumScanDirs = []string{
 		"modules/structs",
 		"modules/commitstatus",
 	}
 )
 func main() {
 	astEnumMap, err := openapi3gen.ScanSwaggerEnumTypes(enumScanDirs)
 	if err != nil {
 		log.Fatalf("scanning swagger:enum annotations: %v", err)
 	}
 	names := make([]string, 0, len(astEnumMap))
 	for _, n := range astEnumMap {
 		names = append(names, n)
 	}
 	sort.Strings(names)
 	fmt.Fprintf(os.Stderr, "discovered %d swagger:enum types: %s\n", len(names), strings.Join(names, ", "))
 	data, err := os.ReadFile(swaggerSpecPath)
 	if err != nil {
 		log.Fatalf("reading swagger spec: %v", err)
 	}
 	cleaned := appSubUrlRe.ReplaceAll(data, []byte(appSubUrlPlaceholder))
 	cleaned = appVerRe.ReplaceAll(cleaned, []byte(appVerPlaceholder))
 	oas3, err := openapi3gen.Convert(cleaned, astEnumMap)
 	if err != nil {
 		log.Fatalf("converting to openapi 3.0: %v", err)
 	}
 	oas3.Servers = openapi3.Servers{
 		{URL: appSubUrlPlaceholder + "/api/v1"},
 	}
 	out, err := json.MarshalIndent(oas3, "", "  ")
 	if err != nil {
 		log.Fatalf("marshaling openapi 3.0: %v", err)
 	}
 	result := strings.ReplaceAll(string(out), appSubUrlPlaceholder, appSubUrlVar)
 	result = strings.ReplaceAll(result, appVerPlaceholder, appVerVar)
 	result = strings.TrimSpace(result)
 	if err := os.WriteFile(openapi3OutPath, []byte(result), 0o644); err != nil {
 		log.Fatalf("writing openapi 3.0 spec: %v", err)
 	}
 	fmt.Printf("Generated %s\n", openapi3OutPath)
 }
--- a/build/openapi3gen/convert.go
+++ b/build/openapi3gen/convert.go
@@ -1,281 +0,0 @@
 // Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package openapi3gen
 import (
 	"fmt"
 	"regexp"
 	"strings"
 	"code.gitea.io/gitea/modules/json"
 	"github.com/getkin/kin-openapi/openapi2"
 	"github.com/getkin/kin-openapi/openapi2conv"
 	"github.com/getkin/kin-openapi/openapi3"
 )
 // rxDeprecated matches "deprecated" as a word at the start of a description
 // or preceded by whitespace/punctuation that indicates a leading marker (e.g.
 // "Deprecated: true", "deprecated (use X instead)"). Rejects negated phrases
 // like "not deprecated" or "previously deprecated, now supported".
 var rxDeprecated = regexp.MustCompile(`(?i)(?:^|[\n.;])\s*deprecated\b`)
 // Convert parses a Swagger 2.0 spec and returns an OAS3 spec, applying
 // Gitea-specific post-processing: file-schema fixups, URI formats,
 // deprecated flags, and shared-enum extraction.
 //
 // astEnumMap is a value-set-key → Go-type-name map (built by
 // ScanSwaggerEnumTypes). If a shared enum in the spec has no entry in the
 // map, Convert returns an error — no fallback naming.
 func Convert(swaggerJSON []byte, astEnumMap map[string]string) (*openapi3.T, error) {
 	var swagger2 openapi2.T
 	if err := json.Unmarshal(swaggerJSON, &swagger2); err != nil {
 		return nil, fmt.Errorf("parsing swagger 2.0: %w", err)
 	}
 	oas3, err := openapi2conv.ToV3(&swagger2)
 	if err != nil {
 		return nil, fmt.Errorf("converting to openapi 3.0: %w", err)
 	}
 	fixFileSchemas(oas3)
 	addURIFormats(oas3)
 	addDeprecatedFlags(oas3)
 	if err := extractSharedEnums(oas3, astEnumMap); err != nil {
 		return nil, err
 	}
 	return oas3, nil
 }
 func fixFileSchemas(doc *openapi3.T) {
 	for _, pathItem := range doc.Paths.Map() {
 		for _, op := range []*openapi3.Operation{
 			pathItem.Get, pathItem.Post, pathItem.Put, pathItem.Patch,
 			pathItem.Delete, pathItem.Head, pathItem.Options, pathItem.Trace,
 		} {
 			if op == nil {
 				continue
 			}
 			for _, resp := range op.Responses.Map() {
 				if resp.Value == nil {
 					continue
 				}
 				for _, mediaType := range resp.Value.Content {
 					fixSchema(mediaType.Schema)
 				}
 			}
 			if op.RequestBody != nil && op.RequestBody.Value != nil {
 				for _, mediaType := range op.RequestBody.Value.Content {
 					fixSchema(mediaType.Schema)
 				}
 			}
 		}
 	}
 }
 // fixSchema rewrites any "type: file" schemas to the OAS3 equivalent
 // (type: string, format: binary), recursing into Properties, Items, and
 // AllOf/OneOf/AnyOf/Not branches. $ref nodes are skipped so shared schemas
 // are rewritten exactly once when visited through their declaration.
 func fixSchema(ref *openapi3.SchemaRef) {
 	if ref == nil || ref.Value == nil || ref.Ref != "" {
 		return
 	}
 	s := ref.Value
 	if s.Type.Is("file") {
 		s.Type = &openapi3.Types{"string"}
 		s.Format = "binary"
 	}
 	for _, p := range s.Properties {
 		fixSchema(p)
 	}
 	fixSchema(s.Items)
 	for _, sub := range s.AllOf {
 		fixSchema(sub)
 	}
 	for _, sub := range s.OneOf {
 		fixSchema(sub)
 	}
 	for _, sub := range s.AnyOf {
 		fixSchema(sub)
 	}
 	fixSchema(s.Not)
 }
 // addURIFormats sets format: uri on string properties whose names indicate
 // they hold URLs. This information is lost in Swagger 2.0 but is valuable
 // for code generators.
 func addURIFormats(doc *openapi3.T) {
 	if doc.Components == nil {
 		return
 	}
 	for _, schemaRef := range doc.Components.Schemas {
 		if schemaRef.Value == nil {
 			continue
 		}
 		for propName, propRef := range schemaRef.Value.Properties {
 			if propRef == nil || propRef.Value == nil || propRef.Ref != "" {
 				continue
 			}
 			prop := propRef.Value
 			if !prop.Type.Is("string") || prop.Format != "" {
 				continue
 			}
 			if isURLProperty(propName) {
 				prop.Format = "uri"
 			}
 		}
 	}
 }
 func isURLProperty(name string) bool {
 	if strings.HasSuffix(name, "_url") {
 		return true
 	}
 	switch name {
 	case "url", "html_url", "clone_url":
 		return true
 	}
 	return false
 }
 // addDeprecatedFlags sets deprecated: true on schema properties whose
 // description starts with a "deprecated" marker (e.g. "Deprecated: true"
 // or "deprecated (use X instead)"). Does not match negated phrases.
 func addDeprecatedFlags(doc *openapi3.T) {
 	if doc.Components == nil {
 		return
 	}
 	for _, schemaRef := range doc.Components.Schemas {
 		if schemaRef.Value == nil {
 			continue
 		}
 		for _, propRef := range schemaRef.Value.Properties {
 			if propRef == nil || propRef.Value == nil || propRef.Ref != "" {
 				continue
 			}
 			if rxDeprecated.MatchString(propRef.Value.Description) {
 				propRef.Value.Deprecated = true
 			}
 		}
 	}
 }
 type enumUsage struct {
 	schemaName string
 	propName   string
 	propRef    *openapi3.SchemaRef
 	inItems    bool
 }
 // extractSharedEnums finds identical enum arrays used by multiple schema
 // properties, creates a standalone named schema for each, and replaces
 // the inline enums with $ref pointers.
 //
 // If the derived enum name collides with an existing component schema, or
 // no // swagger:enum annotation matches the value set, generation aborts
 // with an actionable error — there are no silent fallbacks.
 func extractSharedEnums(doc *openapi3.T, astEnumMap map[string]string) error {
 	if doc.Components == nil {
 		return nil
 	}
 	enumGroups := map[string][]enumUsage{}
 	for schemaName, schemaRef := range doc.Components.Schemas {
 		if schemaRef.Value == nil {
 			continue
 		}
 		for propName, propRef := range schemaRef.Value.Properties {
 			if propRef == nil || propRef.Value == nil || propRef.Ref != "" {
 				continue
 			}
 			if len(propRef.Value.Enum) > 1 && propRef.Value.Type.Is("string") {
 				key := EnumKey(propRef.Value.Enum)
 				enumGroups[key] = append(enumGroups[key], enumUsage{schemaName, propName, propRef, false})
 			}
 			if propRef.Value.Type.Is("array") && propRef.Value.Items != nil &&
 				propRef.Value.Items.Value != nil && propRef.Value.Items.Ref == "" &&
 				len(propRef.Value.Items.Value.Enum) > 1 && propRef.Value.Items.Value.Type.Is("string") {
 				key := EnumKey(propRef.Value.Items.Value.Enum)
 				enumGroups[key] = append(enumGroups[key], enumUsage{schemaName, propName, propRef, true})
 			}
 		}
 	}
 	for key, usages := range enumGroups {
 		if len(usages) < 2 {
 			continue
 		}
 		enumName, err := deriveEnumName(key, usages, astEnumMap)
 		if err != nil {
 			return err
 		}
 		if _, exists := doc.Components.Schemas[enumName]; exists {
 			return fmt.Errorf("enum name collision: %s already exists as a component schema", enumName)
 		}
 		var enumValues []any
 		if usages[0].inItems {
 			enumValues = usages[0].propRef.Value.Items.Value.Enum
 		} else {
 			enumValues = usages[0].propRef.Value.Enum
 		}
 		doc.Components.Schemas[enumName] = &openapi3.SchemaRef{
 			Value: &openapi3.Schema{
 				Type: &openapi3.Types{"string"},
 				Enum: enumValues,
 			},
 		}
 		ref := "#/components/schemas/" + enumName
 		for _, usage := range usages {
 			if usage.inItems {
 				usage.propRef.Value.Items = &openapi3.SchemaRef{Ref: ref}
 			} else {
 				old := usage.propRef.Value
 				if old.Description == "" && !old.Deprecated && old.Format == "" {
 					usage.propRef.Ref = ref
 					usage.propRef.Value = nil
 				} else {
 					usage.propRef.Value = &openapi3.Schema{
 						AllOf: openapi3.SchemaRefs{
 							{Ref: ref},
 						},
 						Description: old.Description,
 						Deprecated:  old.Deprecated,
 						Format:      old.Format,
 					}
 				}
 			}
 		}
 	}
 	return nil
 }
 // deriveEnumName looks up a shared enum's Go type name from astEnumMap by
 // value-set key. If no annotation matches, returns an error identifying the
 // offending properties and the fix.
 func deriveEnumName(key string, usages []enumUsage, astEnumMap map[string]string) (string, error) {
 	if name, ok := astEnumMap[key]; ok {
 		return name, nil
 	}
 	props := map[string]bool{}
 	for _, u := range usages {
 		props[fmt.Sprintf("%s.%s", u.schemaName, u.propName)] = true
 	}
 	propList := make([]string, 0, len(props))
 	for p := range props {
 		propList = append(propList, p)
 	}
 	return "", fmt.Errorf(
 		"no swagger:enum annotation matches value-set %q used by %d properties: %v; "+
 			"fix by adding a named string type with // swagger:enum to modules/structs or modules/commitstatus",
 		key, len(usages), propList,
 	)
 }
--- a/build/openapi3gen/convert_test.go
+++ b/build/openapi3gen/convert_test.go
@@ -1,170 +0,0 @@
 // Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package openapi3gen
 import (
 	"strings"
 	"testing"
 	"github.com/getkin/kin-openapi/openapi3"
 )
 func TestDeriveEnumName_hit(t *testing.T) {
 	key := EnumKey([]any{"red", "green", "blue"})
 	astMap := map[string]string{key: "Color"}
 	usages := []enumUsage{{schemaName: "Paint", propName: "color"}}
 	got, err := deriveEnumName(key, usages, astMap)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if got != "Color" {
 		t.Fatalf("got %q, want %q", got, "Color")
 	}
 }
 func TestDeriveEnumName_miss(t *testing.T) {
 	key := EnumKey([]any{"x", "y"})
 	usages := []enumUsage{{schemaName: "Thing", propName: "kind"}}
 	_, err := deriveEnumName(key, usages, map[string]string{})
 	if err == nil {
 		t.Fatal("expected miss error, got nil")
 	}
 	msg := err.Error()
 	if !strings.Contains(msg, "Thing.kind") {
 		t.Fatalf("error %q should list the missing usage", msg)
 	}
 	if !strings.Contains(msg, "swagger:enum") {
 		t.Fatalf("error %q should hint at the fix", msg)
 	}
 }
 func TestExtractSharedEnums_usesASTMap(t *testing.T) {
 	doc := &openapi3.T{
 		Components: &openapi3.Components{
 			Schemas: openapi3.Schemas{
 				"A": {Value: &openapi3.Schema{
 					Type: &openapi3.Types{"object"},
 					Properties: openapi3.Schemas{
 						"color": {Value: &openapi3.Schema{
 							Type: &openapi3.Types{"string"},
 							Enum: []any{"red", "green", "blue"},
 						}},
 					},
 				}},
 				"B": {Value: &openapi3.Schema{
 					Type: &openapi3.Types{"object"},
 					Properties: openapi3.Schemas{
 						"color": {Value: &openapi3.Schema{
 							Type: &openapi3.Types{"string"},
 							Enum: []any{"red", "green", "blue"},
 						}},
 					},
 				}},
 			},
 		},
 	}
 	astMap := map[string]string{EnumKey([]any{"red", "green", "blue"}): "Color"}
 	if err := extractSharedEnums(doc, astMap); err != nil {
 		t.Fatalf("extractSharedEnums: %v", err)
 	}
 	if _, ok := doc.Components.Schemas["Color"]; !ok {
 		t.Fatalf("expected Color schema to be extracted")
 	}
 }
 func TestFixFileSchemas_recursesIntoNested(t *testing.T) {
 	fileType := func() *openapi3.SchemaRef {
 		return &openapi3.SchemaRef{Value: &openapi3.Schema{Type: &openapi3.Types{"file"}}}
 	}
 	doc := &openapi3.T{
 		Paths: openapi3.NewPaths(),
 	}
 	doc.Paths.Set("/upload", &openapi3.PathItem{
 		Post: &openapi3.Operation{
 			RequestBody: &openapi3.RequestBodyRef{
 				Value: &openapi3.RequestBody{
 					Content: openapi3.Content{
 						"multipart/form-data": {
 							Schema: &openapi3.SchemaRef{Value: &openapi3.Schema{
 								Type: &openapi3.Types{"object"},
 								Properties: openapi3.Schemas{
 									"attachment": fileType(),
 									"items": {Value: &openapi3.Schema{
 										Type:  &openapi3.Types{"array"},
 										Items: fileType(),
 									}},
 									"alt": {Value: &openapi3.Schema{
 										AllOf: openapi3.SchemaRefs{fileType()},
 									}},
 									"one": {Value: &openapi3.Schema{
 										OneOf: openapi3.SchemaRefs{fileType()},
 									}},
 									"any": {Value: &openapi3.Schema{
 										AnyOf: openapi3.SchemaRefs{fileType()},
 									}},
 									"not": {Value: &openapi3.Schema{
 										Not: fileType(),
 									}},
 								},
 							}},
 						},
 					},
 				},
 			},
 			Responses: openapi3.NewResponses(),
 		},
 	})
 	fixFileSchemas(doc)
 	props := doc.Paths.Value("/upload").Post.RequestBody.Value.Content["multipart/form-data"].Schema.Value.Properties
 	if !props["attachment"].Value.Type.Is("string") || props["attachment"].Value.Format != "binary" {
 		t.Errorf("nested property not fixed: %+v", props["attachment"].Value)
 	}
 	if !props["items"].Value.Items.Value.Type.Is("string") || props["items"].Value.Items.Value.Format != "binary" {
 		t.Errorf("array items not fixed: %+v", props["items"].Value.Items.Value)
 	}
 	if !props["alt"].Value.AllOf[0].Value.Type.Is("string") || props["alt"].Value.AllOf[0].Value.Format != "binary" {
 		t.Errorf("allOf branch not fixed: %+v", props["alt"].Value.AllOf[0].Value)
 	}
 	if !props["one"].Value.OneOf[0].Value.Type.Is("string") || props["one"].Value.OneOf[0].Value.Format != "binary" {
 		t.Errorf("oneOf branch not fixed: %+v", props["one"].Value.OneOf[0].Value)
 	}
 	if !props["any"].Value.AnyOf[0].Value.Type.Is("string") || props["any"].Value.AnyOf[0].Value.Format != "binary" {
 		t.Errorf("anyOf branch not fixed: %+v", props["any"].Value.AnyOf[0].Value)
 	}
 	if !props["not"].Value.Not.Value.Type.Is("string") || props["not"].Value.Not.Value.Format != "binary" {
 		t.Errorf("not branch not fixed: %+v", props["not"].Value.Not.Value)
 	}
 }
 func TestExtractSharedEnums_missReturnsError(t *testing.T) {
 	doc := &openapi3.T{
 		Components: &openapi3.Components{
 			Schemas: openapi3.Schemas{
 				"A": {Value: &openapi3.Schema{
 					Type: &openapi3.Types{"object"},
 					Properties: openapi3.Schemas{
 						"color": {Value: &openapi3.Schema{
 							Type: &openapi3.Types{"string"},
 							Enum: []any{"red", "green"},
 						}},
 					},
 				}},
 				"B": {Value: &openapi3.Schema{
 					Type: &openapi3.Types{"object"},
 					Properties: openapi3.Schemas{
 						"color": {Value: &openapi3.Schema{
 							Type: &openapi3.Types{"string"},
 							Enum: []any{"red", "green"},
 						}},
 					},
 				}},
 			},
 		},
 	}
 	if err := extractSharedEnums(doc, map[string]string{}); err == nil {
 		t.Fatal("expected miss error")
 	}
 }
--- a/build/openapi3gen/enumscan.go
+++ b/build/openapi3gen/enumscan.go
@@ -1,188 +0,0 @@
 // Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 // Package openapi3gen converts Gitea's Swagger 2.0 spec to an OpenAPI 3.0
 // spec. It discovers Go enum type names by scanning swagger:enum annotations
 // in the source tree, then names extracted shared-enum schemas accordingly.
 package openapi3gen
 import (
 	"fmt"
 	"go/ast"
 	"go/parser"
 	"go/token"
 	"os"
 	"path/filepath"
 	"regexp"
 	"sort"
 	"strconv"
 	"strings"
 )
 // EnumKey returns a canonical key for a set of enum values: values are
 // stringified, sorted, and joined with "|". Used to match enum value sets
 // across spec properties and scanned Go type declarations.
 func EnumKey(values []any) string {
 	strs := make([]string, len(values))
 	for i, v := range values {
 		strs[i] = fmt.Sprintf("%v", v)
 	}
 	sort.Strings(strs)
 	return strings.Join(strs, "|")
 }
 var rxSwaggerEnum = regexp.MustCompile(`swagger:enum\s+(\w+)`)
 // ScanSwaggerEnumTypes walks .go files under each dir and returns a map from
 // a canonical value-set key (see EnumKey) to the Go type name declared with
 // // swagger:enum TypeName.
 //
 // Returns an error on parse failure, on an annotation for a type whose
 // constants can't be extracted, or on value-set collisions between two
 // different enum types.
 func ScanSwaggerEnumTypes(dirs []string) (map[string]string, error) {
 	fset := token.NewFileSet()
 	parsed := []*ast.File{}
 	for _, dir := range dirs {
 		entries, err := os.ReadDir(dir)
 		if err != nil {
 			return nil, fmt.Errorf("reading %s: %w", dir, err)
 		}
 		for _, entry := range entries {
 			if entry.IsDir() || !strings.HasSuffix(entry.Name(), ".go") {
 				continue
 			}
 			if strings.HasSuffix(entry.Name(), "_test.go") {
 				continue
 			}
 			path := filepath.Join(dir, entry.Name())
 			file, err := parser.ParseFile(fset, path, nil, parser.ParseComments)
 			if err != nil {
 				return nil, fmt.Errorf("%s: %w", path, err)
 			}
 			parsed = append(parsed, file)
 		}
 	}
 	enumTypes := map[string]string{} // typeName → "" (presence marker)
 	enumValues := map[string][]any{} // typeName → values
 	// Pass 1: collect every // swagger:enum TypeName declaration.
 	for _, file := range parsed {
 		for _, decl := range file.Decls {
 			gd, ok := decl.(*ast.GenDecl)
 			if !ok || gd.Tok != token.TYPE {
 				continue
 			}
 			if err := collectEnumType(gd, enumTypes); err != nil {
 				return nil, fmt.Errorf("%s: %w", fset.Position(gd.Pos()).Filename, err)
 			}
 		}
 	}
 	// Pass 2: collect const values; now every annotated type is visible.
 	for _, file := range parsed {
 		for _, decl := range file.Decls {
 			gd, ok := decl.(*ast.GenDecl)
 			if !ok || gd.Tok != token.CONST {
 				continue
 			}
 			collectEnumValues(gd, enumTypes, enumValues)
 		}
 	}
 	result := map[string]string{}
 	for typeName := range enumTypes {
 		values, ok := enumValues[typeName]
 		if !ok || len(values) == 0 {
 			return nil, fmt.Errorf("swagger:enum %s has no const block with typed string values", typeName)
 		}
 		key := EnumKey(values)
 		if existing, ok := result[key]; ok && existing != typeName {
 			return nil, fmt.Errorf("swagger:enum value-set collision: %s and %s both use %q", existing, typeName, key)
 		}
 		result[key] = typeName
 	}
 	return result, nil
 }
 // collectEnumType scans a `type` GenDecl for // swagger:enum annotations,
 // handling both the lone form (`// swagger:enum Foo\n type Foo string`)
 // where the comment group is attached to the GenDecl, and the grouped form:
 //
 //	type (
 //	    // swagger:enum Foo
 //	    Foo string
 //	)
 //
 // where the comment group is attached to each TypeSpec. Caveat: Go's parser
 // only attaches a CommentGroup when it is immediately adjacent to the decl.
 // A blank line (not a `//` continuation line) between the comment and the
 // declaration drops the Doc, so annotations MUST sit directly above their
 // type. All current annotated files obey this — the rule is noted here so
 // a future edit that inserts a blank line fails fast rather than silently.
 func collectEnumType(gd *ast.GenDecl, enumTypes map[string]string) error {
 	if err := registerEnumAnnotation(gd.Doc, gd.Specs, enumTypes); err != nil {
 		return err
 	}
 	for _, spec := range gd.Specs {
 		ts, ok := spec.(*ast.TypeSpec)
 		if !ok || ts.Doc == nil {
 			continue
 		}
 		if err := registerEnumAnnotation(ts.Doc, []ast.Spec{ts}, enumTypes); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func registerEnumAnnotation(doc *ast.CommentGroup, specs []ast.Spec, enumTypes map[string]string) error {
 	if doc == nil {
 		return nil
 	}
 	matches := rxSwaggerEnum.FindStringSubmatch(doc.Text())
 	if len(matches) < 2 {
 		return nil
 	}
 	annotated := matches[1]
 	for _, spec := range specs {
 		ts, ok := spec.(*ast.TypeSpec)
 		if !ok {
 			continue
 		}
 		if ts.Name.Name == annotated {
 			enumTypes[annotated] = ""
 			return nil
 		}
 	}
 	return fmt.Errorf("swagger:enum %s: no type declaration with that name in the same decl group; check for a typo", annotated)
 }
 func collectEnumValues(gd *ast.GenDecl, enumTypes map[string]string, enumValues map[string][]any) {
 	for _, spec := range gd.Specs {
 		vs, ok := spec.(*ast.ValueSpec)
 		if !ok || vs.Type == nil {
 			continue
 		}
 		ident, ok := vs.Type.(*ast.Ident)
 		if !ok {
 			continue
 		}
 		if _, isEnum := enumTypes[ident.Name]; !isEnum {
 			continue
 		}
 		for _, val := range vs.Values {
 			lit, ok := val.(*ast.BasicLit)
 			if !ok || lit.Kind != token.STRING {
 				continue
 			}
 			unquoted, err := strconv.Unquote(lit.Value)
 			if err != nil {
 				continue
 			}
 			enumValues[ident.Name] = append(enumValues[ident.Name], unquoted)
 		}
 	}
 }
--- a/build/openapi3gen/enumscan_test.go
+++ b/build/openapi3gen/enumscan_test.go
@@ -1,239 +0,0 @@
 // Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package openapi3gen
 import (
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 )
 func TestEnumKey_sortsAndJoins(t *testing.T) {
 	key := EnumKey([]any{"b", "a", "c"})
 	if key != "a|b|c" {
 		t.Fatalf("EnumKey = %q, want %q", key, "a|b|c")
 	}
 }
 func TestEnumKey_handlesNonStringValues(t *testing.T) {
 	key := EnumKey([]any{2, 1, 3})
 	if key != "1|2|3" {
 		t.Fatalf("EnumKey = %q, want %q", key, "1|2|3")
 	}
 }
 func TestScanSwaggerEnumTypes_basic(t *testing.T) {
 	dir := t.TempDir()
 	src := `package fixture
 // Color is a primary color.
 // swagger:enum Color
 type Color string
 const (
 	ColorRed   Color = "red"
 	ColorGreen Color = "green"
 	ColorBlue  Color = "blue"
 )
 `
 	if err := os.WriteFile(filepath.Join(dir, "color.go"), []byte(src), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	got, err := ScanSwaggerEnumTypes([]string{dir})
 	if err != nil {
 		t.Fatalf("ScanSwaggerEnumTypes: %v", err)
 	}
 	wantKey := EnumKey([]any{"red", "green", "blue"})
 	if got[wantKey] != "Color" {
 		t.Fatalf("map[%q] = %q, want %q", wantKey, got[wantKey], "Color")
 	}
 }
 func TestScanSwaggerEnumTypes_orphanAnnotation(t *testing.T) {
 	dir := t.TempDir()
 	src := `package fixture
 // swagger:enum Sttype
 type StateType string
 const (
 	StateOpen StateType = "open"
 )
 `
 	if err := os.WriteFile(filepath.Join(dir, "typo.go"), []byte(src), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	_, err := ScanSwaggerEnumTypes([]string{dir})
 	if err == nil {
 		t.Fatal("expected error for annotation referencing a non-matching type name")
 	}
 	if !strings.Contains(err.Error(), "Sttype") {
 		t.Fatalf("error %q should mention the typo'd name Sttype", err.Error())
 	}
 }
 func TestScanSwaggerEnumTypes_collision(t *testing.T) {
 	dir := t.TempDir()
 	src := `package fixture
 // swagger:enum Alpha
 type Alpha string
 const (
 	AlphaX Alpha = "x"
 	AlphaY Alpha = "y"
 )
 // swagger:enum Beta
 type Beta string
 const (
 	BetaX Beta = "x"
 	BetaY Beta = "y"
 )
 `
 	if err := os.WriteFile(filepath.Join(dir, "dup.go"), []byte(src), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	_, err := ScanSwaggerEnumTypes([]string{dir})
 	if err == nil {
 		t.Fatal("expected collision error, got nil")
 	}
 	msg := err.Error()
 	if !strings.Contains(msg, "Alpha") || !strings.Contains(msg, "Beta") {
 		t.Fatalf("error %q should mention both Alpha and Beta", msg)
 	}
 }
 func TestScanSwaggerEnumTypes_parseFailure(t *testing.T) {
 	dir := t.TempDir()
 	if err := os.WriteFile(filepath.Join(dir, "bad.go"), []byte("package fixture\nfunc Foo() {"), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	_, err := ScanSwaggerEnumTypes([]string{dir})
 	if err == nil {
 		t.Fatal("expected parse error, got nil")
 	}
 }
 func TestScanSwaggerEnumTypes_annotationWithoutConsts(t *testing.T) {
 	dir := t.TempDir()
 	src := `package fixture
 // swagger:enum Lonely
 type Lonely string
 `
 	if err := os.WriteFile(filepath.Join(dir, "lonely.go"), []byte(src), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	_, err := ScanSwaggerEnumTypes([]string{dir})
 	if err == nil {
 		t.Fatal("expected error for annotation without consts")
 	}
 	if !strings.Contains(err.Error(), "Lonely") {
 		t.Fatalf("error %q should mention Lonely", err.Error())
 	}
 }
 func TestScanSwaggerEnumTypes_constsAndTypeInDifferentFiles(t *testing.T) {
 	dir := t.TempDir()
 	// Name ordering: `a_consts.go` < `b_type.go`, so readdir returns consts first.
 	// Old single-pass scanner would miss the values; two-pass must not.
 	constsSrc := `package fixture
 const (
 	HueA Hue = "a"
 	HueB Hue = "b"
 )
 `
 	typeSrc := `package fixture
 // swagger:enum Hue
 type Hue string
 `
 	if err := os.WriteFile(filepath.Join(dir, "a_consts.go"), []byte(constsSrc), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	if err := os.WriteFile(filepath.Join(dir, "b_type.go"), []byte(typeSrc), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	got, err := ScanSwaggerEnumTypes([]string{dir})
 	if err != nil {
 		t.Fatalf("ScanSwaggerEnumTypes: %v", err)
 	}
 	wantKey := EnumKey([]any{"a", "b"})
 	if got[wantKey] != "Hue" {
 		t.Fatalf("map[%q] = %q, want %q", wantKey, got[wantKey], "Hue")
 	}
 }
 func TestScanSwaggerEnumTypes_constsBeforeType(t *testing.T) {
 	dir := t.TempDir()
 	src := `package fixture
 const (
 	ShadeDark  Shade = "dark"
 	ShadeLight Shade = "light"
 )
 // swagger:enum Shade
 type Shade string
 `
 	if err := os.WriteFile(filepath.Join(dir, "shade.go"), []byte(src), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	got, err := ScanSwaggerEnumTypes([]string{dir})
 	if err != nil {
 		t.Fatalf("ScanSwaggerEnumTypes: %v", err)
 	}
 	wantKey := EnumKey([]any{"dark", "light"})
 	if got[wantKey] != "Shade" {
 		t.Fatalf("map[%q] = %q, want %q", wantKey, got[wantKey], "Shade")
 	}
 }
 func TestScanSwaggerEnumTypes_groupedTypeDecl(t *testing.T) {
 	dir := t.TempDir()
 	src := `package fixture
 type (
 	// swagger:enum Color
 	Color string
 	// swagger:enum Shade
 	Shade string
 )
 const (
 	ColorRed  Color = "red"
 	ColorBlue Color = "blue"
 )
 const (
 	ShadeDark  Shade = "dark"
 	ShadeLight Shade = "light"
 )
 `
 	if err := os.WriteFile(filepath.Join(dir, "grouped.go"), []byte(src), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	got, err := ScanSwaggerEnumTypes([]string{dir})
 	if err != nil {
 		t.Fatalf("ScanSwaggerEnumTypes: %v", err)
 	}
 	colorKey := EnumKey([]any{"red", "blue"})
 	shadeKey := EnumKey([]any{"dark", "light"})
 	if got[colorKey] != "Color" {
 		t.Fatalf("Color: map[%q] = %q, want %q", colorKey, got[colorKey], "Color")
 	}
 	if got[shadeKey] != "Shade" {
 		t.Fatalf("Shade: map[%q] = %q, want %q", shadeKey, got[shadeKey], "Shade")
 	}
 }
--- a/build/test-env-check.sh
+++ b/build/test-env-check.sh
@@ -0,0 +1,24 @@
 #!/bin/sh
 set -e
 if [ ! -f ./build/test-env-check.sh ]; then
  echo "${0} can only be executed in gitea source root directory"
  exit 1
 fi
 echo "check uid ..."
 # the uid of gitea defined in "https://gitea.com/gitea/test-env" is 1000
 gitea_uid=$(id -u gitea)
 if [ "$gitea_uid" != "1000" ]; then
  echo "The uid of linux user 'gitea' is expected to be 1000, but it is $gitea_uid"
  exit 1
 fi
 cur_uid=$(id -u)
 if [ "$cur_uid" != "0" -a "$cur_uid" != "$gitea_uid" ]; then
  echo "The uid of current linux user is expected to be 0 or $gitea_uid, but it is $cur_uid"
  exit 1
 fi
--- a/build/test-env-prepare.sh
+++ b/build/test-env-prepare.sh
@@ -0,0 +1,11 @@
 #!/bin/sh
 set -e
 if [ ! -f ./build/test-env-prepare.sh ]; then
  echo "${0} can only be executed in gitea source root directory"
  exit 1
 fi
 echo "change the owner of files to gitea ..."
 chown -R gitea:gitea .
--- a/cmd/admin_user_change_password_test.go
+++ b/cmd/admin_user_change_password_test.go
@@ -4,7 +4,6 @@
 package cmd
 import (
 	"io"
 	"testing"
 	"code.gitea.io/gitea/models/db"
@@ -83,9 +82,7 @@ func TestChangePasswordCommand(t *testing.T) {
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
-				cmd := microcmdUserChangePassword()
+				err := microcmdUserChangePassword().Run(ctx, tc.args)
 				cmd.Writer, cmd.ErrWriter = io.Discard, io.Discard
 				err := cmd.Run(ctx, tc.args)
 				require.Error(t, err)
 				require.Contains(t, err.Error(), tc.expectedErr)
 			})
--- a/cmd/cert_test.go
+++ b/cmd/cert_test.go
@@ -4,7 +4,6 @@
 package cmd
 import (
 	"io"
 	"path/filepath"
 	"testing"
@@ -108,7 +107,6 @@ func TestCertCommandFailures(t *testing.T) {
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
 			app := cmdCert()
 			app.Writer, app.ErrWriter = io.Discard, io.Discard
 			tempDir := t.TempDir()
 			certFile := filepath.Join(tempDir, "cert.pem")
--- a/cmd/helper.go
+++ b/cmd/helper.go
@@ -124,7 +124,7 @@ func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(context.Context, *cl
 		if setting.InstallLock {
 			// During config loading, there might also be logs (for example: deprecation warnings).
 			// It must make sure that console logger is set up before config is loaded.
-			log.Error("Config is loaded before console logger is setup, it will cause bugs. Please fix it. CustomConf=%s", setting.CustomConf)
+			log.Error("Config is loaded before console logger is setup, it will cause bugs. Please fix it.")
 			return nil, errors.New("console logger must be setup before config is loaded")
 		}
 		level := defaultLevel
@@ -134,7 +134,7 @@ func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(context.Context, *cl
 		if globalBool(c, "debug") || globalBool(c, "verbose") {
 			level = log.TRACE
 		}
-		log.SetupStderrLogger(log.DEFAULT, "console-stderr", level)
+		log.SetConsoleLogger(log.DEFAULT, "console-default", level)
 		return ctx, nil
 	}
 }
--- a/cmd/cmd_test.go
+++ b/cmd/cmd_test.go
@@ -0,0 +1,38 @@
 // Copyright 2025 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package cmd
 import (
 	"context"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v3"
 )
 func TestDefaultCommand(t *testing.T) {
 	test := func(t *testing.T, args []string, expectedRetName string, expectedRetValid bool) {
 		called := false
 		cmd := &cli.Command{
 			DefaultCommand: "test",
 			Commands: []*cli.Command{
 				{
 					Name: "test",
 					Action: func(ctx context.Context, command *cli.Command) error {
 						retName, retValid := isValidDefaultSubCommand(command)
 						assert.Equal(t, expectedRetName, retName)
 						assert.Equal(t, expectedRetValid, retValid)
 						called = true
 						return nil
 					},
 				},
 			},
 		}
 		assert.NoError(t, cmd.Run(t.Context(), args))
 		assert.True(t, called)
 	}
 	test(t, []string{"./gitea"}, "", true)
 	test(t, []string{"./gitea", "test"}, "", true)
 	test(t, []string{"./gitea", "other"}, "other", false)
 }
--- a/cmd/cmdtest/cmd_test.go
+++ b/cmd/cmdtest/cmd_test.go
@@ -1,237 +0,0 @@
 // Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 // Tests here reload the config system multiple times with uncontrollable details.
 // So they must be in a separate package, to avoid affecting other tests
 package cmdtest
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"path/filepath"
 	"strings"
 	"testing"
 	"code.gitea.io/gitea/cmd"
 	"code.gitea.io/gitea/models/unittest"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/modules/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v3"
 )
 func TestMain(m *testing.M) {
 	unittest.MainTest(m)
 }
 func makePathOutput(workPath, customPath, customConf string) string {
 	return fmt.Sprintf("WorkPath=%s\nCustomPath=%s\nCustomConf=%s", workPath, customPath, customConf)
 }
 func newTestApp(testCmd cli.Command) *cli.Command {
 	app := cmd.NewMainApp(cmd.AppVersion{})
 	testCmd.Name = util.IfZero(testCmd.Name, "test-cmd")
 	cmd.PrepareSubcommandWithGlobalFlags(&testCmd)
 	app.Commands = append(app.Commands, &testCmd)
 	app.DefaultCommand = testCmd.Name
 	return app
 }
 type runResult struct {
 	Stdout   string
 	Stderr   string
 	ExitCode int
 }
 func runTestApp(app *cli.Command, args ...string) (runResult, error) {
 	outBuf := new(strings.Builder)
 	errBuf := new(strings.Builder)
 	app.Writer = outBuf
 	app.ErrWriter = errBuf
 	exitCode := -1
 	defer test.MockVariableValue(&cli.ErrWriter, app.ErrWriter)()
 	defer test.MockVariableValue(&cli.OsExiter, func(code int) {
 		if exitCode == -1 {
 			exitCode = code // save the exit code once and then reset the writer (to simulate the exit)
 			app.Writer, app.ErrWriter, cli.ErrWriter = io.Discard, io.Discard, io.Discard
 		}
 	})()
 	err := cmd.RunMainApp(app, args...)
 	return runResult{outBuf.String(), errBuf.String(), exitCode}, err
 }
 func TestCliCmd(t *testing.T) {
 	defaultWorkPath := filepath.FromSlash("/tmp/mocked-work-path")
 	defaultCustomPath := filepath.Join(defaultWorkPath, "custom")
 	defaultCustomConf := filepath.Join(defaultCustomPath, "conf/app.ini")
 	defer setting.MockBuiltinPaths(defaultWorkPath, "", "")()
 	cli.CommandHelpTemplate = "(command help template)"
 	cli.RootCommandHelpTemplate = "(app help template)"
 	cli.SubcommandHelpTemplate = "(subcommand help template)"
 	cases := []struct {
 		env map[string]string
 		cmd string
 		exp string
 	}{
 		// help commands
 		{
 			cmd: "./gitea -h",
 			exp: "DEFAULT CONFIGURATION:",
 		},
 		{
 			cmd: "./gitea help",
 			exp: "DEFAULT CONFIGURATION:",
 		},
 		{
 			cmd: "./gitea -c /dev/null -h",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea -c /dev/null help",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea help -c /dev/null",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea -c /dev/null test-cmd -h",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd -c /dev/null -h",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd -h -c /dev/null",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea -c /dev/null test-cmd help",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd -c /dev/null help",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd help -c /dev/null",
 			exp: "ConfigFile: /dev/null",
 		},
 		// parse paths
 		{
 			cmd: "./gitea test-cmd",
 			exp: makePathOutput(defaultWorkPath, defaultCustomPath, defaultCustomConf),
 		},
 		{
 			cmd: "./gitea -c /tmp/app.ini test-cmd",
 			exp: makePathOutput(defaultWorkPath, defaultCustomPath, "/tmp/app.ini"),
 		},
 		{
 			cmd: "./gitea test-cmd -c /tmp/app.ini",
 			exp: makePathOutput(defaultWorkPath, defaultCustomPath, "/tmp/app.ini"),
 		},
 		{
 			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
 			cmd: "./gitea test-cmd",
 			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/custom/conf/app.ini"),
 		},
 		{
 			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
 			cmd: "./gitea test-cmd --work-path /tmp/other",
 			exp: makePathOutput("/tmp/other", "/tmp/other/custom", "/tmp/other/custom/conf/app.ini"),
 		},
 		{
 			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
 			cmd: "./gitea test-cmd --config /tmp/app-other.ini",
 			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/app-other.ini"),
 		},
 	}
 	for _, c := range cases {
 		t.Run(c.cmd, func(t *testing.T) {
 			app := newTestApp(cli.Command{
 				Action: func(ctx context.Context, cmd *cli.Command) error {
 					_, _ = fmt.Fprint(cmd.Root().Writer, makePathOutput(setting.AppWorkPath, setting.CustomPath, setting.CustomConf))
 					return nil
 				},
 			})
 			for k, v := range c.env {
 				t.Setenv(k, v)
 			}
 			args := strings.Split(c.cmd, " ") // for test only, "split" is good enough
 			r, err := runTestApp(app, args...)
 			assert.NoError(t, err, c.cmd)
 			assert.NotEmpty(t, c.exp, c.cmd)
 			if !assert.Contains(t, r.Stdout, c.exp, c.cmd) {
 				t.Log("Full output:\n" + r.Stdout)
 				t.Log("Expected:\n" + c.exp)
 			}
 		})
 	}
 }
 func TestCliCmdError(t *testing.T) {
 	app := newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return errors.New("normal error") }})
 	r, err := runTestApp(app, "./gitea", "test-cmd")
 	assert.Error(t, err)
 	assert.Equal(t, 1, r.ExitCode)
 	assert.Empty(t, r.Stdout)
 	assert.Equal(t, "Command error: normal error\n", r.Stderr)
 	app = newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return cli.Exit("exit error", 2) }})
 	r, err = runTestApp(app, "./gitea", "test-cmd")
 	assert.Error(t, err)
 	assert.Equal(t, 2, r.ExitCode)
 	assert.Empty(t, r.Stdout)
 	assert.Equal(t, "exit error\n", r.Stderr)
 	app = newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return nil }})
 	r, err = runTestApp(app, "./gitea", "test-cmd", "--no-such")
 	assert.Error(t, err)
 	assert.Equal(t, 1, r.ExitCode)
 	assert.Empty(t, r.Stdout)
 	assert.Equal(t, "Incorrect Usage: flag provided but not defined: -no-such\n\n", r.Stderr)
 	app = newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return nil }})
 	r, err = runTestApp(app, "./gitea", "test-cmd")
 	assert.NoError(t, err)
 	assert.Equal(t, -1, r.ExitCode) // the cli.OsExiter is not called
 	assert.Empty(t, r.Stdout)
 	assert.Empty(t, r.Stderr)
 }
 func TestCliCmdBefore(t *testing.T) {
 	ctxNew := context.WithValue(context.Background(), any("key"), "value")
 	configValues := map[string]string{}
 	setting.CustomConf = "/tmp/any.ini"
 	var actionCtx context.Context
 	app := newTestApp(cli.Command{
 		Before: func(context.Context, *cli.Command) (context.Context, error) {
 			configValues["before"] = setting.CustomConf
 			return ctxNew, nil
 		},
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configValues["action"] = setting.CustomConf
 			actionCtx = ctx
 			return nil
 		},
 	})
 	_, err := runTestApp(app, "./gitea", "--config", "/dev/null", "test-cmd")
 	assert.NoError(t, err)
 	assert.Equal(t, ctxNew, actionCtx)
 	assert.Equal(t, "/tmp/any.ini", configValues["before"], "BeforeFunc must be called before preparing config")
 	assert.Equal(t, "/dev/null", configValues["action"])
 }
--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@@ -21,6 +21,7 @@ import (
 	"code.gitea.io/gitea/services/doctor"
 	"github.com/urfave/cli/v3"
 	"xorm.io/xorm"
 )
 func newDoctorCommand() *cli.Command {
@@ -131,7 +132,7 @@ func runRecreateTable(ctx context.Context, cmd *cli.Command) error {
 	}
 	recreateTables := migrate_base.RecreateTables(beans...)
-	return db.InitEngineWithMigration(context.Background(), func(ctx context.Context, x db.EngineMigration) error {
+	return db.InitEngineWithMigration(context.Background(), func(ctx context.Context, x *xorm.Engine) error {
 		if err := migrations.EnsureUpToDate(ctx, x); err != nil {
 			return err
 		}
--- a/cmd/dump.go
+++ b/cmd/dump.go
@@ -203,8 +203,8 @@ func runDump(ctx context.Context, cmd *cli.Command) error {
 			}
 		}()
-		targetDBType := setting.DatabaseType(cmd.String("database"))
+		targetDBType := cmd.String("database")
-		if targetDBType != "" && targetDBType != setting.Database.Type {
+		if len(targetDBType) > 0 && targetDBType != setting.Database.Type.String() {
 			log.Info("Dumping database %s => %s...", setting.Database.Type, targetDBType)
 		} else {
 			log.Info("Dumping database...")
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -48,7 +48,7 @@ DEFAULT CONFIGURATION:
 	}
 }
-func PrepareSubcommandWithGlobalFlags(originCmd *cli.Command) {
+func prepareSubcommandWithGlobalFlags(originCmd *cli.Command) {
 	originBefore := originCmd.Before
 	originCmd.Before = func(ctxOrig context.Context, cmd *cli.Command) (ctx context.Context, err error) {
 		ctx = ctxOrig
@@ -145,7 +145,7 @@ func NewMainApp(appVer AppVersion) *cli.Command {
 	app.Before = PrepareConsoleLoggerLevel(log.INFO)
 	for i := range subCmdWithConfig {
-		PrepareSubcommandWithGlobalFlags(subCmdWithConfig[i])
+		prepareSubcommandWithGlobalFlags(subCmdWithConfig[i])
 	}
 	app.Commands = append(app.Commands, subCmdWithConfig...)
 	app.Commands = append(app.Commands, subCmdStandalone...)
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@@ -5,9 +5,17 @@ package cmd
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"path/filepath"
 	"strings"
 	"testing"
 	"code.gitea.io/gitea/models/unittest"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/modules/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v3"
@@ -17,28 +25,209 @@ func TestMain(m *testing.M) {
 	unittest.MainTest(m)
 }
-func TestDefaultCommand(t *testing.T) {
+func makePathOutput(workPath, customPath, customConf string) string {
-	test := func(t *testing.T, args []string, expectedRetName string, expectedRetValid bool) {
+	return fmt.Sprintf("WorkPath=%s\nCustomPath=%s\nCustomConf=%s", workPath, customPath, customConf)
-		called := false
+}
-		cmd := &cli.Command{
+
-			DefaultCommand: "test",
+func newTestApp(testCmd cli.Command) *cli.Command {
-			Commands: []*cli.Command{
+	app := NewMainApp(AppVersion{})
-				{
+	testCmd.Name = util.IfZero(testCmd.Name, "test-cmd")
-					Name: "test",
+	prepareSubcommandWithGlobalFlags(&testCmd)
-					Action: func(ctx context.Context, command *cli.Command) error {
+	app.Commands = append(app.Commands, &testCmd)
-						retName, retValid := isValidDefaultSubCommand(command)
+	app.DefaultCommand = testCmd.Name
-						assert.Equal(t, expectedRetName, retName)
+	return app
-						assert.Equal(t, expectedRetValid, retValid)
+}
-						called = true
+
-						return nil
+type runResult struct {
-					},
+	Stdout   string
-				},
+	Stderr   string
-			},
+	ExitCode int
-		}
+}
-		assert.NoError(t, cmd.Run(t.Context(), args))
+
-		assert.True(t, called)
+func runTestApp(app *cli.Command, args ...string) (runResult, error) {
-	}
+	outBuf := new(strings.Builder)
-	test(t, []string{"./gitea"}, "", true)
+	errBuf := new(strings.Builder)
-	test(t, []string{"./gitea", "test"}, "", true)
+	app.Writer = outBuf
-	test(t, []string{"./gitea", "other"}, "other", false)
+	app.ErrWriter = errBuf
 	exitCode := -1
 	defer test.MockVariableValue(&cli.ErrWriter, app.ErrWriter)()
 	defer test.MockVariableValue(&cli.OsExiter, func(code int) {
 		if exitCode == -1 {
 			exitCode = code // save the exit code once and then reset the writer (to simulate the exit)
 			app.Writer, app.ErrWriter, cli.ErrWriter = io.Discard, io.Discard, io.Discard
 		}
 	})()
 	err := RunMainApp(app, args...)
 	return runResult{outBuf.String(), errBuf.String(), exitCode}, err
 }
 func TestCliCmd(t *testing.T) {
 	defaultWorkPath := filepath.Dir(setting.AppPath)
 	defaultCustomPath := filepath.Join(defaultWorkPath, "custom")
 	defaultCustomConf := filepath.Join(defaultCustomPath, "conf/app.ini")
 	cli.CommandHelpTemplate = "(command help template)"
 	cli.RootCommandHelpTemplate = "(app help template)"
 	cli.SubcommandHelpTemplate = "(subcommand help template)"
 	cases := []struct {
 		env map[string]string
 		cmd string
 		exp string
 	}{
 		// help commands
 		{
 			cmd: "./gitea -h",
 			exp: "DEFAULT CONFIGURATION:",
 		},
 		{
 			cmd: "./gitea help",
 			exp: "DEFAULT CONFIGURATION:",
 		},
 		{
 			cmd: "./gitea -c /dev/null -h",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea -c /dev/null help",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea help -c /dev/null",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea -c /dev/null test-cmd -h",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd -c /dev/null -h",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd -h -c /dev/null",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea -c /dev/null test-cmd help",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd -c /dev/null help",
 			exp: "ConfigFile: /dev/null",
 		},
 		{
 			cmd: "./gitea test-cmd help -c /dev/null",
 			exp: "ConfigFile: /dev/null",
 		},
 		// parse paths
 		{
 			cmd: "./gitea test-cmd",
 			exp: makePathOutput(defaultWorkPath, defaultCustomPath, defaultCustomConf),
 		},
 		{
 			cmd: "./gitea -c /tmp/app.ini test-cmd",
 			exp: makePathOutput(defaultWorkPath, defaultCustomPath, "/tmp/app.ini"),
 		},
 		{
 			cmd: "./gitea test-cmd -c /tmp/app.ini",
 			exp: makePathOutput(defaultWorkPath, defaultCustomPath, "/tmp/app.ini"),
 		},
 		{
 			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
 			cmd: "./gitea test-cmd",
 			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/custom/conf/app.ini"),
 		},
 		{
 			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
 			cmd: "./gitea test-cmd --work-path /tmp/other",
 			exp: makePathOutput("/tmp/other", "/tmp/other/custom", "/tmp/other/custom/conf/app.ini"),
 		},
 		{
 			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
 			cmd: "./gitea test-cmd --config /tmp/app-other.ini",
 			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/app-other.ini"),
 		},
 	}
 	for _, c := range cases {
 		t.Run(c.cmd, func(t *testing.T) {
 			defer test.MockVariableValue(&setting.InstallLock, false)()
 			app := newTestApp(cli.Command{
 				Action: func(ctx context.Context, cmd *cli.Command) error {
 					_, _ = fmt.Fprint(cmd.Root().Writer, makePathOutput(setting.AppWorkPath, setting.CustomPath, setting.CustomConf))
 					return nil
 				},
 			})
 			for k, v := range c.env {
 				t.Setenv(k, v)
 			}
 			args := strings.Split(c.cmd, " ") // for test only, "split" is good enough
 			r, err := runTestApp(app, args...)
 			assert.NoError(t, err, c.cmd)
 			assert.NotEmpty(t, c.exp, c.cmd)
 			if !assert.Contains(t, r.Stdout, c.exp, c.cmd) {
 				t.Log("Full output:\n" + r.Stdout)
 				t.Log("Expected:\n" + c.exp)
 			}
 		})
 	}
 }
 func TestCliCmdError(t *testing.T) {
 	app := newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return errors.New("normal error") }})
 	r, err := runTestApp(app, "./gitea", "test-cmd")
 	assert.Error(t, err)
 	assert.Equal(t, 1, r.ExitCode)
 	assert.Empty(t, r.Stdout)
 	assert.Equal(t, "Command error: normal error\n", r.Stderr)
 	app = newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return cli.Exit("exit error", 2) }})
 	r, err = runTestApp(app, "./gitea", "test-cmd")
 	assert.Error(t, err)
 	assert.Equal(t, 2, r.ExitCode)
 	assert.Empty(t, r.Stdout)
 	assert.Equal(t, "exit error\n", r.Stderr)
 	app = newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return nil }})
 	r, err = runTestApp(app, "./gitea", "test-cmd", "--no-such")
 	assert.Error(t, err)
 	assert.Equal(t, 1, r.ExitCode)
 	assert.Empty(t, r.Stdout)
 	assert.Equal(t, "Incorrect Usage: flag provided but not defined: -no-such\n\n", r.Stderr)
 	app = newTestApp(cli.Command{Action: func(ctx context.Context, cmd *cli.Command) error { return nil }})
 	r, err = runTestApp(app, "./gitea", "test-cmd")
 	assert.NoError(t, err)
 	assert.Equal(t, -1, r.ExitCode) // the cli.OsExiter is not called
 	assert.Empty(t, r.Stdout)
 	assert.Empty(t, r.Stderr)
 }
 func TestCliCmdBefore(t *testing.T) {
 	ctxNew := context.WithValue(context.Background(), any("key"), "value")
 	configValues := map[string]string{}
 	setting.CustomConf = "/tmp/any.ini"
 	var actionCtx context.Context
 	app := newTestApp(cli.Command{
 		Before: func(context.Context, *cli.Command) (context.Context, error) {
 			configValues["before"] = setting.CustomConf
 			return ctxNew, nil
 		},
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			configValues["action"] = setting.CustomConf
 			actionCtx = ctx
 			return nil
 		},
 	})
 	_, err := runTestApp(app, "./gitea", "--config", "/dev/null", "test-cmd")
 	assert.NoError(t, err)
 	assert.Equal(t, ctxNew, actionCtx)
 	assert.Equal(t, "/tmp/any.ini", configValues["before"], "BeforeFunc must be called before preparing config")
 	assert.Equal(t, "/dev/null", configValues["action"])
 }
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -150,7 +150,7 @@ func serveInstall(cmd *cli.Command) error {
 	c := install.Routes()
 	err := listen(c, false)
 	if err != nil {
-		log.Error("Unable to open listener for installer. Is Gitea already running?")
+		log.Critical("Unable to open listener for installer. Is Gitea already running?")
 		graceful.GetManager().DoGracefulShutdown()
 	}
 	select {
@@ -375,7 +375,7 @@ func listen(m http.Handler, handleRedirector bool) error {
 		log.Fatal("Invalid protocol: %s", setting.Protocol)
 	}
 	if err != nil {
-		log.Error("Failed to start server: %v", err)
+		log.Critical("Failed to start server: %v", err)
 	}
 	log.Info("HTTP Listener: %s Closed", listenAddr)
 	return err
--- a/contrib/backport/README
+++ b/contrib/backport/README
@@ -0,0 +1,41 @@
 `backport`
 ==========
 `backport` is a command to help create backports of PRs. It backports a
 provided PR from main on to a released version.
 It will create a backport branch, cherry-pick the PR's merge commit, adjust
 the commit message and then push this back up to your fork's remote.
 The default version will read from `docs/config.yml`. You can override this
 using the option `--version`.
 The upstream branches will be fetched, using the remote `origin`. This can
 be overridden using `--upstream`, and fetching can be avoided using
 `--no-fetch`.
 By default the branch created will be called `backport-$PR-$VERSION`. You
 can override this using the option `--backport-branch`. This branch will
 be created from `--release-branch` which is `release/$(VERSION)`
 by default and will be pulled from `$(UPSTREAM)`.
 The merge-commit as determined by the github API will be used as the SHA to
 cherry-pick. You can override this using `--cherry-pick`.
 The commit message will be amended to add the `Backport` header.
 `--no-amend-message` can be set to stop this from happening.
 If cherry-pick is successful the backported branch will be pushed up to your
 fork using your remote. These will be determined using `git remote -v`. You
 can set your fork name using `--fork-user` and your remote name using
 `--remote`. You can avoid pushing using `--no-push`.
 If the push is successful, `xdg-open` will be called to open a backport url.
 You can stop this using `--no-xdg-open`.
 Installation
 ============
 ```bash
 go install contrib/backport/backport.go
 ```
--- a/contrib/backport/backport.go
+++ b/contrib/backport/backport.go
@@ -0,0 +1,456 @@
 // Copyright 2023 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 //nolint:forbidigo // use of print functions is allowed in cli
 package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
 	"os/exec"
 	"path"
 	"strconv"
 	"strings"
 	"github.com/google/go-github/v84/github"
 	"github.com/urfave/cli/v3"
 	"gopkg.in/yaml.v3"
 )
 const defaultVersion = "v1.18" // to backport to
 func main() {
 	app := &cli.Command{}
 	app.Name = "backport"
 	app.Usage = "Backport provided PR-number on to the current or previous released version"
 	app.Description = `Backport will look-up the PR in Gitea's git log and attempt to cherry-pick it on the current version`
 	app.ArgsUsage = "<PR-to-backport>"
 	app.Flags = []cli.Flag{
 		&cli.StringFlag{
 			Name:  "version",
 			Usage: "Version branch to backport on to",
 		},
 		&cli.StringFlag{
 			Name:  "upstream",
 			Value: "origin",
 			Usage: "Upstream remote for the Gitea upstream",
 		},
 		&cli.StringFlag{
 			Name:  "release-branch",
 			Value: "",
 			Usage: "Release branch to backport on. Will default to release/<version>",
 		},
 		&cli.StringFlag{
 			Name:  "cherry-pick",
 			Usage: "SHA to cherry-pick as backport",
 		},
 		&cli.StringFlag{
 			Name:  "backport-branch",
 			Usage: "Backport branch to backport on to (default: backport-<pr>-<version>",
 		},
 		&cli.StringFlag{
 			Name:  "remote",
 			Value: "",
 			Usage: "Remote for your fork of the Gitea upstream",
 		},
 		&cli.StringFlag{
 			Name:  "fork-user",
 			Value: "",
 			Usage: "Forked user name on Github",
 		},
 		&cli.StringFlag{
 			Name:  "gh-access-token",
 			Value: "",
 			Usage: "Access token for GitHub api request",
 		},
 		&cli.BoolFlag{
 			Name:  "no-fetch",
 			Usage: "Set this flag to prevent fetch of remote branches",
 		},
 		&cli.BoolFlag{
 			Name:  "no-amend-message",
 			Usage: "Set this flag to prevent automatic amendment of the commit message",
 		},
 		&cli.BoolFlag{
 			Name:  "no-push",
 			Usage: "Set this flag to prevent pushing the backport up to your fork",
 		},
 		&cli.BoolFlag{
 			Name:  "no-xdg-open",
 			Usage: "Set this flag to not use xdg-open to open the PR URL",
 		},
 		&cli.BoolFlag{
 			Name:  "continue",
 			Usage: "Set this flag to continue from a git cherry-pick that has broken",
 		},
 	}
 	cli.RootCommandHelpTemplate = `NAME:
 	{{.Name}} - {{.Usage}}
 USAGE:
 	{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}
 	{{if len .Authors}}
 AUTHOR:
 	{{range .Authors}}{{ . }}{{end}}
 	{{end}}{{if .Commands}}
 OPTIONS:
 	{{range .VisibleFlags}}{{.}}
 	{{end}}{{end}}
 `
 	app.Action = runBackport
 	if err := app.Run(context.Background(), os.Args); err != nil {
 		fmt.Fprintf(os.Stderr, "Unable to backport: %v\n", err)
 	}
 }
 func runBackport(ctx context.Context, c *cli.Command) error {
 	continuing := c.Bool("continue")
 	var pr string
 	version := c.String("version")
 	if version == "" && continuing {
 		// determine version from current branch name
 		var err error
 		pr, version, err = readCurrentBranch(ctx)
 		if err != nil {
 			return err
 		}
 	}
 	if version == "" {
 		version = readVersion()
 	}
 	if version == "" {
 		version = defaultVersion
 	}
 	upstream := c.String("upstream")
 	if upstream == "" {
 		upstream = "origin"
 	}
 	forkUser := c.String("fork-user")
 	remote := c.String("remote")
 	if remote == "" && !c.Bool("--no-push") {
 		var err error
 		remote, forkUser, err = determineRemote(ctx, forkUser)
 		if err != nil {
 			return err
 		}
 	}
 	upstreamReleaseBranch := c.String("release-branch")
 	if upstreamReleaseBranch == "" {
 		upstreamReleaseBranch = path.Join("release", version)
 	}
 	localReleaseBranch := path.Join(upstream, upstreamReleaseBranch)
 	args := c.Args().Slice()
 	if len(args) == 0 && pr == "" {
 		return errors.New("no PR number provided\nProvide a PR number to backport")
 	} else if len(args) != 1 && pr == "" {
 		return fmt.Errorf("multiple PRs provided %v\nOnly a single PR can be backported at a time", args)
 	}
 	if pr == "" {
 		pr = args[0]
 	}
 	backportBranch := c.String("backport-branch")
 	if backportBranch == "" {
 		backportBranch = "backport-" + pr + "-" + version
 	}
 	fmt.Printf("* Backporting %s to %s as %s\n", pr, localReleaseBranch, backportBranch)
 	sha := c.String("cherry-pick")
 	accessToken := c.String("gh-access-token")
 	if sha == "" {
 		var err error
 		sha, err = determineSHAforPR(ctx, pr, accessToken)
 		if err != nil {
 			return err
 		}
 	}
 	if sha == "" {
 		return fmt.Errorf("unable to determine sha for cherry-pick of %s", pr)
 	}
 	if !c.Bool("no-fetch") {
 		if err := fetchRemoteAndMain(ctx, upstream, upstreamReleaseBranch); err != nil {
 			return err
 		}
 	}
 	if !continuing {
 		if err := checkoutBackportBranch(ctx, backportBranch, localReleaseBranch); err != nil {
 			return err
 		}
 	}
 	if err := cherrypick(ctx, sha); err != nil {
 		return err
 	}
 	if !c.Bool("no-amend-message") {
 		if err := amendCommit(ctx, pr); err != nil {
 			return err
 		}
 	}
 	if !c.Bool("no-push") {
 		url := "https://github.com/go-gitea/gitea/compare/" + upstreamReleaseBranch + "..." + forkUser + ":" + backportBranch
 		if err := gitPushUp(ctx, remote, backportBranch); err != nil {
 			return err
 		}
 		if !c.Bool("no-xdg-open") {
 			if err := xdgOpen(ctx, url); err != nil {
 				return err
 			}
 		} else {
 			fmt.Printf("* Navigate to %s to open PR\n", url)
 		}
 	}
 	return nil
 }
 func xdgOpen(ctx context.Context, url string) error {
 	fmt.Printf("* `xdg-open %s`\n", url)
 	out, err := exec.CommandContext(ctx, "xdg-open", url).Output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "%s", string(out))
 		return fmt.Errorf("unable to xdg-open to %s: %w", url, err)
 	}
 	return nil
 }
 func gitPushUp(ctx context.Context, remote, backportBranch string) error {
 	fmt.Printf("* `git push -u %s %s`\n", remote, backportBranch)
 	out, err := exec.CommandContext(ctx, "git", "push", "-u", remote, backportBranch).Output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "%s", string(out))
 		return fmt.Errorf("unable to push up to %s: %w", remote, err)
 	}
 	return nil
 }
 func amendCommit(ctx context.Context, pr string) error {
 	fmt.Printf("* Amending commit to prepend `Backport #%s` to body\n", pr)
 	out, err := exec.CommandContext(ctx, "git", "log", "-1", "--pretty=format:%B").Output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "%s", string(out))
 		return fmt.Errorf("unable to get last log message: %w", err)
 	}
 	parts := strings.SplitN(string(out), "\n", 2)
 	if len(parts) != 2 {
 		return fmt.Errorf("unable to interpret log message:\n%s", string(out))
 	}
 	subject, body := parts[0], parts[1]
 	if !strings.HasSuffix(subject, " (#"+pr+")") {
 		subject = subject + " (#" + pr + ")"
 	}
 	out, err = exec.CommandContext(ctx, "git", "commit", "--amend", "-m", subject+"\n\nBackport #"+pr+"\n"+body).Output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "%s", string(out))
 		return fmt.Errorf("unable to amend last log message: %w", err)
 	}
 	return nil
 }
 func cherrypick(ctx context.Context, sha string) error {
 	// Check if a CHERRY_PICK_HEAD exists
 	if _, err := os.Stat(".git/CHERRY_PICK_HEAD"); err == nil {
 		// Assume that we are in the middle of cherry-pick - continue it
 		fmt.Println("* Attempting git cherry-pick --continue")
 		out, err := exec.CommandContext(ctx, "git", "cherry-pick", "--continue").Output()
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "git cherry-pick --continue failed:\n%s\n", string(out))
 			return fmt.Errorf("unable to continue cherry-pick: %w", err)
 		}
 		return nil
 	}
 	fmt.Printf("* Attempting git cherry-pick %s\n", sha)
 	out, err := exec.CommandContext(ctx, "git", "cherry-pick", sha).Output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "git cherry-pick %s failed:\n%s\n", sha, string(out))
 		return fmt.Errorf("git cherry-pick %s failed: %w", sha, err)
 	}
 	return nil
 }
 func checkoutBackportBranch(ctx context.Context, backportBranch, releaseBranch string) error {
 	out, err := exec.CommandContext(ctx, "git", "branch", "--show-current").Output()
 	if err != nil {
 		return fmt.Errorf("unable to check current branch %w", err)
 	}
 	currentBranch := strings.TrimSpace(string(out))
 	fmt.Printf("* Current branch is %s\n", currentBranch)
 	if currentBranch == backportBranch {
 		fmt.Printf("* Current branch is %s - not checking out\n", currentBranch)
 		return nil
 	}
 	if _, err := exec.CommandContext(ctx, "git", "rev-list", "-1", backportBranch).Output(); err == nil {
 		fmt.Printf("* Branch %s already exists. Checking it out...\n", backportBranch)
 		return exec.CommandContext(ctx, "git", "checkout", "-f", backportBranch).Run()
 	}
 	fmt.Printf("* `git checkout -b %s %s`\n", backportBranch, releaseBranch)
 	return exec.CommandContext(ctx, "git", "checkout", "-b", backportBranch, releaseBranch).Run()
 }
 func fetchRemoteAndMain(ctx context.Context, remote, releaseBranch string) error {
 	fmt.Printf("* `git fetch %s main`\n", remote)
 	out, err := exec.CommandContext(ctx, "git", "fetch", remote, "main").Output()
 	if err != nil {
 		fmt.Println(string(out))
 		return fmt.Errorf("unable to fetch %s from %s: %w", "main", remote, err)
 	}
 	fmt.Println(string(out))
 	fmt.Printf("* `git fetch %s %s`\n", remote, releaseBranch)
 	out, err = exec.CommandContext(ctx, "git", "fetch", remote, releaseBranch).Output()
 	if err != nil {
 		fmt.Println(string(out))
 		return fmt.Errorf("unable to fetch %s from %s: %w", releaseBranch, remote, err)
 	}
 	fmt.Println(string(out))
 	return nil
 }
 func determineRemote(ctx context.Context, forkUser string) (string, string, error) {
 	out, err := exec.CommandContext(ctx, "git", "remote", "-v").Output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Unable to list git remotes:\n%s\n", string(out))
 		return "", "", fmt.Errorf("unable to determine forked remote: %w", err)
 	}
 	lines := strings.SplitSeq(string(out), "\n")
 	for line := range lines {
 		fields := strings.Split(line, "\t")
 		name, remote := fields[0], fields[1]
 		// only look at pushers
 		if !strings.HasSuffix(remote, " (push)") {
 			continue
 		}
 		// only look at github.com pushes
 		if !strings.Contains(remote, "github.com") {
 			continue
 		}
 		// ignore go-gitea/gitea
 		if strings.Contains(remote, "go-gitea/gitea") {
 			continue
 		}
 		if !strings.Contains(remote, forkUser) {
 			continue
 		}
 		if after, ok := strings.CutPrefix(remote, "git@github.com:"); ok {
 			forkUser = after
 		} else if after, ok := strings.CutPrefix(remote, "https://github.com/"); ok {
 			forkUser = after
 		} else if after, ok := strings.CutPrefix(remote, "https://www.github.com/"); ok {
 			forkUser = after
 		} else if forkUser == "" {
 			return "", "", fmt.Errorf("unable to extract forkUser from remote %s: %s", name, remote)
 		}
 		idx := strings.Index(forkUser, "/")
 		if idx >= 0 {
 			forkUser = forkUser[:idx]
 		}
 		return name, forkUser, nil
 	}
 	return "", "", fmt.Errorf("unable to find appropriate remote in:\n%s", string(out))
 }
 func readCurrentBranch(ctx context.Context) (pr, version string, err error) {
 	out, err := exec.CommandContext(ctx, "git", "branch", "--show-current").Output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Unable to read current git branch:\n%s\n", string(out))
 		return "", "", fmt.Errorf("unable to read current git branch: %w", err)
 	}
 	parts := strings.Split(strings.TrimSpace(string(out)), "-")
 	if len(parts) != 3 || parts[0] != "backport" {
 		fmt.Fprintf(os.Stderr, "Unable to continue from git branch:\n%s\n", string(out))
 		return "", "", fmt.Errorf("unable to continue from git branch:\n%s", string(out))
 	}
 	return parts[1], parts[2], nil
 }
 func readVersion() string {
 	bs, err := os.ReadFile("docs/config.yaml")
 	if err != nil {
 		if err == os.ErrNotExist {
 			log.Println("`docs/config.yaml` not present")
 			return ""
 		}
 		fmt.Fprintf(os.Stderr, "Unable to read `docs/config.yaml`: %v\n", err)
 		return ""
 	}
 	type params struct {
 		Version string
 	}
 	type docConfig struct {
 		Params params
 	}
 	dc := &docConfig{}
 	if err := yaml.Unmarshal(bs, dc); err != nil {
 		fmt.Fprintf(os.Stderr, "Unable to read `docs/config.yaml`: %v\n", err)
 		return ""
 	}
 	if dc.Params.Version == "" {
 		fmt.Fprintf(os.Stderr, "No version in `docs/config.yaml`")
 		return ""
 	}
 	version := dc.Params.Version
 	if version[0] != 'v' {
 		version = "v" + version
 	}
 	split := strings.SplitN(version, ".", 3)
 	return strings.Join(split[:2], ".")
 }
 func determineSHAforPR(ctx context.Context, prStr, accessToken string) (string, error) {
 	prNum, err := strconv.Atoi(prStr)
 	if err != nil {
 		return "", err
 	}
 	client := github.NewClient(http.DefaultClient)
 	if accessToken != "" {
 		client = client.WithAuthToken(accessToken)
 	}
 	pr, _, err := client.PullRequests.Get(ctx, "go-gitea", "gitea", prNum)
 	if err != nil {
 		return "", err
 	}
 	if pr.Merged == nil || !*pr.Merged {
 		return "", fmt.Errorf("PR #%d is not yet merged - cannot determine sha to backport", prNum)
 	}
 	if pr.MergeCommitSHA != nil {
 		return *pr.MergeCommitSHA, nil
 	}
 	return "", nil
 }
--- a/contrib/development/vscode/settings.json
+++ b/contrib/development/vscode/settings.json
@@ -1,4 +0,0 @@
 {
    "go.buildTags": "",
    "go.testFlags": ["-v"]
 }
--- a/contrib/development/vscode/tasks.json
+++ b/contrib/development/vscode/tasks.json
@@ -1,27 +0,0 @@
 {
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Build",
      "type": "shell",
      "command": "go",
      "group": "build",
      "presentation": {
        "echo": true,
        "reveal": "always",
        "focus": false,
        "panel": "shared"
      },
      "linux": {
        "args": ["build", "-o", "gitea", "${workspaceRoot}/main.go" ]
      },
      "osx": {
        "args": ["build", "-o", "gitea", "${workspaceRoot}/main.go" ]
      },
      "windows": {
        "args": ["build", "-o", "gitea.exe", "\"${workspaceRoot}\\main.go\""]
      },
      "problemMatcher": ["$go"]
    }
  ]
 }
--- a/contrib/grafana-monitoring-mixin/.gitignore
+++ b/contrib/grafana-monitoring-mixin/.gitignore
--- a/contrib/grafana-monitoring-mixin/Makefile
+++ b/contrib/grafana-monitoring-mixin/Makefile
--- a/contrib/grafana-monitoring-mixin/README.md
+++ b/contrib/grafana-monitoring-mixin/README.md
--- a/contrib/grafana-monitoring-mixin/config.libsonnet
+++ b/contrib/grafana-monitoring-mixin/config.libsonnet
--- a/contrib/grafana-monitoring-mixin/dashboards/dashboards.libsonnet
+++ b/contrib/grafana-monitoring-mixin/dashboards/dashboards.libsonnet
--- a/contrib/grafana-monitoring-mixin/dashboards/overview.libsonnet
+++ b/contrib/grafana-monitoring-mixin/dashboards/overview.libsonnet
--- a/contrib/grafana-monitoring-mixin/jsonnetfile.json
+++ b/contrib/grafana-monitoring-mixin/jsonnetfile.json
--- a/contrib/grafana-monitoring-mixin/jsonnetfile.lock.json
+++ b/contrib/grafana-monitoring-mixin/jsonnetfile.lock.json
--- a/contrib/grafana-monitoring-mixin/lib/alerts.jsonnet
+++ b/contrib/grafana-monitoring-mixin/lib/alerts.jsonnet
--- a/contrib/grafana-monitoring-mixin/lib/dashboards.jsonnet
+++ b/contrib/grafana-monitoring-mixin/lib/dashboards.jsonnet
--- a/contrib/grafana-monitoring-mixin/lib/rules.jsonnet
+++ b/contrib/grafana-monitoring-mixin/lib/rules.jsonnet
--- a/contrib/grafana-monitoring-mixin/mixin.libsonnet
+++ b/contrib/grafana-monitoring-mixin/mixin.libsonnet
--- a/contrib/development/README.md
+++ b/contrib/development/README.md
--- a/contrib/development/vscode/launch.json
+++ b/contrib/development/vscode/launch.json
@@ -13,6 +13,19 @@
      },
      "args": ["web"],
      "showLog": true
    },
    {
      "name": "Launch (with SQLite3)",
      "type": "go",
      "request": "launch",
      "mode": "debug",
      "buildFlags": "-tags='sqlite sqlite_unlock_notify'",
      "program": "${workspaceRoot}/main.go",
      "env": {
        "GITEA_WORK_DIR": "${workspaceRoot}",
      },
      "args": ["web"],
      "showLog": true
    }
  ]
 }
--- a/contrib/ide/vscode/settings.json
+++ b/contrib/ide/vscode/settings.json
@@ -0,0 +1,4 @@
 {
    "go.buildTags": "'sqlite sqlite_unlock_notify'",
    "go.testFlags": ["-v"]
 }
--- a/contrib/ide/vscode/tasks.json
+++ b/contrib/ide/vscode/tasks.json
@@ -0,0 +1,49 @@
 {
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Build",
      "type": "shell",
      "command": "go",
      "group": "build",
      "presentation": {
        "echo": true,
        "reveal": "always",
        "focus": false,
        "panel": "shared"
      },
      "linux": {
        "args": ["build", "-o", "gitea", "${workspaceRoot}/main.go" ]
      },
      "osx": {
        "args": ["build", "-o", "gitea", "${workspaceRoot}/main.go" ]
      },
      "windows": {
        "args": ["build", "-o", "gitea.exe", "\"${workspaceRoot}\\main.go\""]
      },
      "problemMatcher": ["$go"]
    },
    {
      "label": "Build (with SQLite3)",
      "type": "shell",
      "command": "go",
      "group": "build",
      "presentation": {
        "echo": true,
        "reveal": "always",
        "focus": false,
        "panel": "shared"
      },
      "linux": {
        "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\"", "-o", "gitea", "${workspaceRoot}/main.go"]
      },
      "osx": {
        "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\"", "-o", "gitea", "${workspaceRoot}/main.go"]
      },
      "windows": {
        "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\"", "-o", "gitea.exe", "\"${workspaceRoot}\\main.go\""]
      },
      "problemMatcher": ["$go"]
    }
  ]
 }
--- a/contrib/init/centos/gitea
+++ b/contrib/init/centos/gitea
@@ -0,0 +1,93 @@
 #!/bin/sh
 #
 #       /etc/rc.d/init.d/gitea
 #
 #       Runs the Gitea Git with a cup of tea.
 #
 #
 # chkconfig:   - 85 15
 #
 ### BEGIN INIT INFO
 # Provides:          gitea
 # Required-Start:    $remote_fs $syslog
 # Required-Stop:     $remote_fs $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start gitea at boot time.
 # Description:       Control gitea.
 ### END INIT INFO
 # Source function library.
 . /etc/init.d/functions
 # Default values
 NAME=gitea
 GITEA_HOME=/var/lib/${NAME}
 GITEA_PATH=/usr/local/bin/${NAME}
 GITEA_USER=git
 SERVICENAME="Gitea - Git with a cup of tea"
 LOCKFILE=/var/lock/subsys/gitea
 LOGPATH=${GITEA_HOME}/log
 LOGFILE=${LOGPATH}/gitea.log
 RETVAL=0
 # Read configuration from /etc/sysconfig/gitea to override defaults
 [ -r /etc/sysconfig/$NAME ] && . /etc/sysconfig/$NAME
 # Don't do anything if nothing is installed
 [ -x ${GITEA_PATH} ] || exit 0
 # exit if logpath dir is not created.
 [ -x ${LOGPATH} ] || exit 0
 DAEMON_OPTS="--check $NAME"
 # Set additional options, if any
 [ ! -z "$GITEA_USER" ] && DAEMON_OPTS="$DAEMON_OPTS --user=${GITEA_USER}"
 start() {
  cd ${GITEA_HOME}
  echo -n "Starting ${SERVICENAME}: "
  daemon $DAEMON_OPTS "${GITEA_PATH} web -c /etc/${NAME}/app.ini > ${LOGFILE} 2>&1 &"
  RETVAL=$?
  echo
  [ $RETVAL = 0 ] && touch ${LOCKFILE}
  return $RETVAL
 }
 stop() {
  cd ${GITEA_HOME}
        echo -n "Shutting down ${SERVICENAME}: "
        killproc ${NAME}
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f ${LOCKFILE}
 }
 case "$1" in
    start)
        status ${NAME} > /dev/null 2>&1 && exit 0
        start
        ;;
    stop)
        stop
        ;;
    status)
        status ${NAME}
        ;;
    restart)
        stop
        start
        ;;
    reload)
        stop
        start
        ;;
    *)
        echo "Usage: ${NAME} {start|stop|status|restart}"
        exit 1
        ;;
 esac
 exit $RETVAL
--- a/contrib/init/debian/gitea
+++ b/contrib/init/debian/gitea
@@ -0,0 +1,89 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          gitea
 # Required-Start:    $syslog $network
 # Required-Stop:     $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: A self-hosted Git service written in Go.
 # Description:       A self-hosted Git service written in Go.
 ### END INIT INFO
 # Author: Danny Boisvert
 # Do NOT "set -e"
 # PATH should only include /usr/* if it runs after the mountnfs.sh script
 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
 DESC="Gitea - Git with a cup of tea"
 NAME=gitea
 SERVICEVERBOSE=yes
 PIDFILE=/run/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
 WORKINGDIR=/var/lib/$NAME
 DAEMON=/usr/local/bin/$NAME
 DAEMON_ARGS="web -c /etc/$NAME/app.ini"
 USER=git
 USERBIND=""
 # If you want to bind Gitea to a port below 1024 uncomment
 # the line below
 #USERBIND="setcap cap_net_bind_service=+ep"
 STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/1/KILL/5}"
 # Read configuration variable file if it is present
 [ -r /etc/default/$NAME ] && . /etc/default/$NAME
 # Exit if the package is not installed
 [ -x "$DAEMON" ] || exit 0
 do_start()
 {
    $USERBIND $DAEMON
    sh -c "USER=$USER HOME=/home/$USER GITEA_WORK_DIR=$WORKINGDIR start-stop-daemon --start --quiet --pidfile $PIDFILE --make-pidfile \\
        --background --chdir $WORKINGDIR --chuid $USER \\
        --exec $DAEMON -- $DAEMON_ARGS"
 }
 do_stop()
 {
    start-stop-daemon --stop --quiet --retry=$STOP_SCHEDULE --pidfile $PIDFILE --name $NAME --oknodo
    rm -f $PIDFILE
 }
 do_status()
 {
    if [ -f $PIDFILE ]; then
        if kill -0 $(cat "$PIDFILE"); then
            echo "$NAME is running, PID is $(cat $PIDFILE)"
        else
            echo "$NAME process is dead, but pidfile exists"
        fi
    else
        echo "$NAME is not running"
    fi
 }
 case "$1" in
    start)
        echo "Starting $DESC" "$NAME"
        do_start
        ;;
    stop)
        echo "Stopping $DESC" "$NAME"
        do_stop
        ;;
    status)
        do_status
        ;;
    restart)
        echo "Restarting $DESC" "$NAME"
        do_stop
        do_start
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
        exit 2
        ;;
 esac
 exit 0
--- a/contrib/service/freebsd/gitea
+++ b/contrib/service/freebsd/gitea
--- a/contrib/service/gentoo/gitea
+++ b/contrib/service/gentoo/gitea
--- a/contrib/service/openbsd/gitea
+++ b/contrib/service/openbsd/gitea
--- a/contrib/service/openwrt/gitea
+++ b/contrib/service/openwrt/gitea
--- a/contrib/service/sunos/gitea.xml
+++ b/contrib/service/sunos/gitea.xml
--- a/contrib/init/suse/gitea
+++ b/contrib/init/suse/gitea
@@ -0,0 +1,115 @@
 #!/bin/sh
 #
 #       /etc/init.d/gitea
 #
 #       Runs the Gitea Git with a cup of tea.
 #
 ### BEGIN INIT INFO
 # Provides:          gitea
 # Required-Start:    $remote_fs
 # Required-Stop:     $remote_fs
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start gitea at boot time.
 # Description:       Control gitea.
 ### END INIT INFO
 # Default values
 NAME=gitea
 GITEA_HOME=/var/lib/$NAME
 GITEA_PATH=/usr/local/bin/$NAME
 GITEA_USER=git
 SERVICENAME="Gitea - Git with a cup of tea"
 LOCKFILE=/var/lock/subsys/gitea
 LOGPATH=${GITEA_HOME}/log
 LOGFILE=${LOGPATH}/error.log
 # gitea creates its own gitea.log from stdout
 RETVAL=0
 # Read configuration from /etc/sysconfig/gitea to override defaults
 [ -r /etc/sysconfig/$NAME ] && . /etc/sysconfig/$NAME
 # Don't do anything if nothing is installed
 test -x ${GITEA_PATH} || { echo "$NAME not installed";
 	if [ "$1" = "stop" ]; then exit 0;
 	else exit 5; fi; }
 # exit if logpath dir is not created.
 test -r ${LOGPATH} || { echo "$LOGPATH not existing";
 	if [ "$1" = "stop" ]; then exit 0;
 	else exit 6; fi; }
 # Source function library.
 . /etc/rc.status
 # Reset status of this service
 rc_reset
 case "$1" in
    start)
 		echo -n "Starting ${SERVICENAME} "
 		# As we can't use startproc, we have to check ourselves if the service is already running
 		/sbin/checkproc ${GITEA_PATH}
 		if [ $? -eq 0 ]; then
 			# return skipped as service is already running
 			(exit 5)
 		else
 			su - ${GITEA_USER} -c "USER=${GITEA_USER} GITEA_WORK_DIR=${GITEA_HOME} ${GITEA_PATH} web -c /etc/${NAME}/app.ini 2>&1 >>${LOGFILE} &"
 		fi
 		# Remember status and be verbose
 		rc_status -v
 	;;
 	stop)
 		echo -n "Shutting down ${SERVICENAME} "
 		## Stop daemon with killproc(8) and if this fails
 		## killproc sets the return value according to LSB.
 		/sbin/killproc ${GITEA_PATH}
 		# Remember status and be verbose
 		rc_status -v
 	;;
 	restart)
 		## Stop the service and regardless of whether it was
 		## running or not, start it again.
 		$0 stop
 		$0 start
 		# Remember status and be quiet
 		rc_status
 	;;
 	status)
 		echo -n "Checking for ${SERVICENAME} "
 		## Check status with checkproc(8), if process is running
 		## checkproc will return with exit status 0.
 		# Return value is slightly different for the status command:
 		# 0 - service up and running
 		# 1 - service dead, but /run/  pid  file exists
 		# 2 - service dead, but /var/lock/ lock file exists
 		# 3 - service not running (unused)
 		# 4 - service status unknown :-(
 		# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
 		# NOTE: checkproc returns LSB compliant status values.
 		/sbin/checkproc ${GITEA_PATH}
 		# NOTE: rc_status knows that we called this init script with
 		# "status" option and adapts its messages accordingly.
 		rc_status -v
 	;;
    *)
 		echo "Usage: $0 {start|stop|status|restart}"
 		exit 1
 	;;
 esac
 rc_exit
--- a/contrib/service/sysvinit/gitea
+++ b/contrib/service/sysvinit/gitea
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          gitea
 # Required-Start:    $syslog $network
@@ -9,8 +9,6 @@
 # Description:       A self-hosted Git service written in Go.
 ### END INIT INFO
 # This is a System V Init (init.d) startup script for legacy Linux distributions
 # Do NOT "set -e"
 # PATH should only include /usr/* if it runs after the mountnfs.sh script
@@ -26,9 +24,6 @@ DAEMON_ARGS="web -c /etc/$NAME/app.ini"
 USER=git
 STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/1/KILL/5}"
 # If you want to bind Gitea to a port below 1024, apply "setcap" to the gitea binary
 #setcap cap_net_bind_service=+ep $DAEMON"
 # Read configuration variable file if it is present
 [ -r /etc/default/$NAME ] && . /etc/default/$NAME
--- a/contrib/service/launchd/io.gitea.web.plist
+++ b/contrib/service/launchd/io.gitea.web.plist
--- a/contrib/sample-page/privacy.html.sample
+++ b/contrib/sample-page/privacy.html.sample
--- a/contrib/sample-page/tos.html.sample
+++ b/contrib/sample-page/tos.html.sample
--- a/contrib/service/supervisor/gitea
+++ b/contrib/service/supervisor/gitea
--- a/contrib/service/systemd/gitea.service
+++ b/contrib/service/systemd/gitea.service
--- a/contrib/update_dependencies.sh
+++ b/contrib/update_dependencies.sh
@@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 grep 'git' go.mod | grep '\.com' | grep -v indirect | grep -v replace | cut -f 2 | cut -d ' ' -f 1 | while read line; do
  go get -u "$line"
  make vendor
  git add .
  git commit -m "update $line"
 done
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -383,7 +383,7 @@ USER = root
 ;;
 ;DB_TYPE = sqlite3
 ;PATH= ; defaults to data/gitea.db
-;SQLITE_TIMEOUT = ; Query timeout in milliseconds, defaults to: 20000
+;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
 ;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -525,11 +525,8 @@ INTERNAL_TOKEN =
 ;; Set to "enforced", to force users to enroll into Two-Factor Authentication, users without 2FA have no access to repositories via API or web.
 ;TWO_FACTOR_AUTH =
 ;;
-;; The value of the X-Frame-Options HTTP header for all responses. Use "unset" to remove the header.
+;; The value of the X-Frame-Options HTTP header for HTML responses. Use "unset" to remove the header.
 ;X_FRAME_OPTIONS = SAMEORIGIN
 ;;
 ;; The value of the X-Content-Type-Options HTTP header for all responses. Use "unset" to remove the header.
 ;X_CONTENT_TYPE_OPTIONS = nosniff
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -595,11 +592,6 @@ ENABLED = true
 ;; * https://github.com/git-ecosystem/git-credential-manager
 ;; * https://gitea.com/gitea/tea
 ;DEFAULT_APPLICATIONS = git-credential-oauth, git-credential-manager, tea
 ;;
 ;; By default, OAuth2 applications can only use "http" and "https" as their redirect URI schemes.
 ;; If you need to use other schemes (e.g. for desktop applications), you can specify them here as a comma-separated list.
 ;; For example: set "my-scheme, com.example.app" to support "my-scheme://..." and "com.example.app://..." redirect URIs.
 ;CUSTOM_SCHEMES =
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1172,7 +1164,7 @@ LEVEL = Info
 ;; Default source for the pull request title when opening a new PR.
 ;; "first-commit" uses the oldest commit's summary.
 ;; "auto" uses commit's summary if the PR only has one commit, normalizes the branch name if multiple commits.
-;DEFAULT_TITLE_SOURCE = first-commit
+;DEFAULT_TITLE_SOURCE = auto
 ;;
 ;; Delay mergeable check until page view or API access, for pull requests that have not been updated in the specified days when their base branches get updated.
 ;; Use "-1" to always check all pull requests (old behavior). Use "0" to always delay the checks.
@@ -1524,7 +1516,7 @@ LEVEL = Info
 ;; Issue Indexer settings
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; Issue indexer type, currently support: bleve, db, elasticsearch (also compatible with OpenSearch) or meilisearch default is bleve
+;; Issue indexer type, currently support: bleve, db, elasticsearch or meilisearch default is bleve
 ;ISSUE_INDEXER_TYPE = bleve
 ;;
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
@@ -1551,7 +1543,7 @@ LEVEL = Info
 ;; If empty then it defaults to `sources` only, as if you'd like to disable fully please see REPO_INDEXER_ENABLED.
 ;REPO_INDEXER_REPO_TYPES = sources,forks,mirrors,templates
 ;;
-;; Code search engine type, could be `bleve` or `elasticsearch` (also compatible with OpenSearch).
+;; Code search engine type, could be `bleve` or `elasticsearch`.
 ;REPO_INDEXER_TYPE = bleve
 ;;
 ;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
@@ -2981,8 +2973,6 @@ LEVEL = Info
 ;; Comma-separated list of workflow directories, the first one to exist
 ;; in a repo is used to find Actions workflow files
 ;WORKFLOW_DIRS = .gitea/workflows,.github/workflows
 ;; Maximum number of attempts a single workflow run can have. Default value is 50.
 ;MAX_RERUN_ATTEMPTS = 50
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--- a/docs/community-governance.md
+++ b/docs/community-governance.md
@@ -1,198 +0,0 @@
 # Community governance and review process
 This document describes maintainer expectations, project governance, and the detailed pull request review workflow (labels, merge queue, commit message format for mergers). For what contributors should do when opening and updating a PR, see [CONTRIBUTING.md](../CONTRIBUTING.md).
 ## Code review
 ### Milestone
 A PR should only be assigned to a milestone if it will likely be merged into the given version. \
 PRs without a milestone may not be merged.
 ### Labels
 Almost all labels used inside Gitea can be classified as one of the following:
 - `modifies/…`: Determines which parts of the codebase are affected. These labels will be set through the CI.
 - `topic/…`:  Determines the conceptual component of Gitea that is affected, i.e. issues, projects, or authentication. At best, PRs should only target one component but there might be overlap. Must be set manually.
 - `type/…`: Determines the type of an issue or PR (feature, refactoring, docs, bug, …). If GitHub supported scoped labels, these labels would be exclusive, so you should set **exactly** one, not more or less (every PR should fall into one of the provided categories, and only one).
 - `issue/…` / `lgtm/…`: Labels that are specific to issues or PRs respectively and that are only necessary in a given context, i.e. `issue/not-a-bug` or `lgtm/need 2`
 Every PR should be labeled correctly with every label that applies.
 There are also some labels that will be managed automatically.\
 In particular, these are
 - the amount of pending required approvals
 - has all `backport`s or needs a manual backport
 ### Reviewing PRs
 Maintainers are encouraged to review pull requests in areas where they have expertise or particular interest.
 #### For reviewers
 - **Verification**: Verify that the PR accurately reflects the changes, and verify that the tests and documentation are complete and aligned with the implementation.
 - **Actionable feedback**: Say what should change and why, and distinguish required changes from optional suggestions.
 - **Feedback**: Focus feedback on the issue itself and avoid comments about the contributor's abilities.
 - **Request changes**: If you request changes (i.e., block a PR), give a clear rationale and, whenever possible, a concrete path to resolution.
 - **Approval**: Only approve a PR when you are fully satisfied with its current state - "rubber-stamp" approvals need to be highlighted as such.
 ### Getting PRs merged
 Changes to Gitea must be reviewed before they are accepted, including changes from owners and maintainers. The exception is critical bugs that prevent Gitea from compiling or starting.
 We require two maintainer approvals for every PR. When that is satisfied, your PR gets the `lgtm/done` label. After that, you mainly fix merge conflicts and respond to or implement maintainer requests; maintainers drive getting the PR merged.
 If a PR has `lgtm/done`, no open discussions, and no merge conflicts, any maintainer may add `reviewed/wait-merge`. That puts the PR in the merge queue. PRs are merged from the queue in the order of this list:
 <https://github.com/go-gitea/gitea/pulls?q=is%3Apr+label%3Areviewed%2Fwait-merge+sort%3Acreated-asc+is%3Aopen>
 Gitea uses its own tool, <https://github.com/go-gitea/gitea/blob/main/.github/workflows/giteabot.yml>, to automate parts of the review process. The backporter:
 - Creates a backport PR when needed after the initial PR merges.
 - Removes the PR from the merge queue after it merges.
 - Keeps the oldest branch in the merge queue up to date with merges.
 ### Final call
 If a PR has been ignored for more than 7 days with no comments or reviews, and the author or any maintainer believes it will not survive a long wait (such as a refactoring PR), they can send "final call" to the TOC by mentioning them in a comment.
 After another 7 days, if there is still zero approval, this is considered a polite refusal, and the PR will be closed to avoid wasting further time. Therefore, the "final call" has a cost, and should be used cautiously.
 However, if there are no objections from maintainers, the PR can be merged with only one approval from the TOC (not the author).
 ### Commit messages
 Mergers are required to rewrite the PR title and the first comment (the summary) when necessary so the squash commit message is clear.
 The final commit message should not hedge: replace phrases like `hopefully, <x> won't happen anymore` with definite wording.
 #### PR Co-authors
 A person counts as a PR co-author once they (co-)authored a commit that is not simply a `Merge base branch into branch` commit. Mergers must remove such false-positive co-authors when writing the squash message. Every true co-author must remain in the commit message.
 #### PRs targeting `main`
 The commit message of PRs targeting `main` is always
 ```bash
 $PR_TITLE ($PR_INDEX)
 $REWRITTEN_PR_SUMMARY
 ```
 #### Backport PRs
 The commit message of backport PRs is always
 ```bash
 $PR_TITLE ($INITIAL_PR_INDEX) ($BACKPORT_PR_INDEX)
 $REWRITTEN_PR_SUMMARY
 ```
 ## Maintainers
 We list [maintainers](../MAINTAINERS) so every PR gets proper review.
 #### Review expectations
 Every PR **must** be reviewed by at least two maintainers (or owners) before merge. **Exception:** after one week, refactoring PRs and documentation-only PRs need only one maintainer approval.
 Maintainers are expected to spend time on code reviews.
 #### Becoming a maintainer
 A maintainer should already be a Gitea contributor with at least four merged PRs. To apply, use the [Discord](https://discord.gg/Gitea) `#develop` channel. Maintainer teams may also invite contributors.
 #### Stepping down, advisors, and inactivity
 If you cannot keep reviewing, apply to leave the maintainers team. You can join the [advisors team](https://github.com/orgs/go-gitea/teams/advisors); advisors who want to review again are welcome back as maintainers.
 If a maintainer is inactive for more than three months and has not left the team, owners may move them to the advisors team.
 #### Account security
 For security, maintainers should enable 2FA and sign commits with GPG when possible:
 - [Two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)
 - [Signing commits with GPG](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)
 Any account with write access (including bots and TOC members) **must** use [2FA](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication).
 ## Technical Oversight Committee (TOC)
 At the start of 2023, the `Owners` team was dissolved. Instead, the governance charter proposed a technical oversight committee (TOC) which expands the ownership team of the Gitea project from three elected positions to six positions. Three positions are elected as it has been over the past years, and the other three consist of appointed members from the Gitea company.
 https://blog.gitea.com/quarterly-23q1/
 ### TOC election process
 Any maintainer is eligible to be part of the community TOC if they are not associated with the Gitea company.
 A maintainer can either nominate themselves, or can be nominated by other maintainers to be a candidate for the TOC election.
 If you are nominated by someone else, you must first accept your nomination before the vote starts to be a candidate.
 The TOC is elected for one year, the TOC election happens yearly.
 After the announcement of the results of the TOC election, elected members have two weeks time to confirm or refuse the seat.
 If an elected member does not answer within this timeframe, they are automatically assumed to refuse the seat.
 Refusals result in the person with the next highest vote getting the same choice.
 As long as seats are empty in the TOC, members of the previous TOC can fill them until an elected member accepts the seat.
 If an elected member that accepts the seat does not have 2FA configured yet, they will be temporarily counted as `answer pending` until they manage to configure 2FA, thus leaving their seat empty for this duration.
 ### Current TOC members
 - 2024-01-01 ~ 2024-12-31
  - Company
    - [Jason Song](https://gitea.com/wolfogre) <i@wolfogre.com>
    - [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
    - [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.com>
  - Community
    - [6543](https://gitea.com/6543) <6543@obermui.de>
    - [delvh](https://gitea.com/delvh) <dev.lh@web.de>
    - [John Olheiser](https://gitea.com/jolheiser) <john.olheiser@gmail.com>
 ### Previous TOC/owners members
 Here's the history of the owners and the time they served:
 - [Lunny Xiao](https://gitea.com/lunny) - 2016, 2017, [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
 - [Kim Carlbäcker](https://github.com/bkcsoft) - 2016, 2017
 - [Thomas Boerger](https://gitea.com/tboerger) - 2016, 2017
 - [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) - [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801)
 - [Matti Ranta](https://gitea.com/techknowlogick) - [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
 - [Andrew Thornton](https://gitea.com/zeripath) - [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
 - [6543](https://gitea.com/6543) - 2023
 - [John Olheiser](https://gitea.com/jolheiser) - 2023
 - [Jason Song](https://gitea.com/wolfogre) - 2023
 ## Governance Compensation
 Each member of the community elected TOC will be granted $500 each month as compensation for their work.
 Furthermore, any community release manager for a specific release or LTS will be compensated $500 for the delivery of said release.
 These funds will come from community sources like the OpenCollective rather than directly from the company.
 Only non-company members are eligible for this compensation, and if a member of the community TOC takes the responsibility of release manager, they would only be compensated for their TOC duties.
 Gitea Ltd employees are not eligible to receive any funds from the OpenCollective unless it is reimbursement for a purchase made for the Gitea project itself.
 ## TOC & Working groups
 With Gitea covering many projects outside of the main repository, several groups will be created to help focus on specific areas instead of requiring maintainers to be a jack-of-all-trades. Maintainers are of course more than welcome to be part of multiple groups should they wish to contribute in multiple places.
 The currently proposed groups are:
 - **Core Group**: maintain the primary Gitea repository
 - **Integration Group**: maintain the Gitea ecosystem's related tools, including go-sdk/tea/changelog/bots etc.
 - **Documentation Group**: maintain related documents and repositories
 - **Translation Group**: coordinate with translators and maintain translations
 - **Security Group**: managed by TOC directly, members are decided by TOC, maintains security patches/responsible for security items
 ## Roadmap
 Each year a roadmap will be discussed with the entire Gitea maintainers team, and feedback will be solicited from various stakeholders.
 TOC members need to review the roadmap every year and work together on the direction of the project.
 When a vote is required for a proposal or other change, the vote of community elected TOC members count slightly more than the vote of company elected TOC members. With this approach, we both avoid ties and ensure that changes align with the mission statement and community opinion.
 You can visit our roadmap on the wiki.
--- a/docs/guideline-backend.md
+++ b/docs/guideline-backend.md
@@ -1,58 +0,0 @@
 # Backend development
 This document covers backend-specific contribution expectations. For general contribution workflow, see [CONTRIBUTING.md](../CONTRIBUTING.md).
 For coding style and architecture, see also the [backend development guideline](https://docs.gitea.com/contributing/guidelines-backend) on the documentation site.
 ## Dependencies
 Go dependencies are managed using [Go Modules](https://go.dev/cmd/go/#hdr-Module_maintenance). \
 You can find more details in the [go mod documentation](https://go.dev/ref/mod) and the [Go Modules Wiki](https://github.com/golang/go/wiki/Modules).
 Pull requests should only modify `go.mod` and `go.sum` where it is related to your change, be it a bugfix or a new feature. \
 Apart from that, these files should only be modified by Pull Requests whose only purpose is to update dependencies.
 The `go.mod`, `go.sum` update needs to be justified as part of the PR description,
 and must be verified by the reviewers and/or merger to always reference
 an existing upstream commit.
 ## API v1
 The API is documented by [swagger](https://gitea.com/api/swagger) and is based on [the GitHub API](https://docs.github.com/en/rest).
 ### GitHub API compatibility
 Gitea's API should use the same endpoints and fields as the GitHub API as far as possible, unless there are good reasons to deviate. \
 If Gitea provides functionality that GitHub does not, a new endpoint can be created. \
 If information is provided by Gitea that is not provided by the GitHub API, a new field can be used that doesn't collide with any GitHub fields. \
 Updating an existing API should not remove existing fields unless there is a really good reason to do so. \
 The same applies to status responses. If you notice a problem, feel free to leave a comment in the code for future refactoring to API v2 (which is currently not planned).
 ### Adding/Maintaining API routes
 All expected results (errors, success, fail messages) must be documented ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L319-L327)). \
 All JSON input types must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L76-L91)) \
 and referenced in [routers/api/v1/swagger/options.go](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/options.go). \
 They can then be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L318). \
 All JSON responses must be defined as a struct in [modules/structs/](modules/structs/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L36-L68)) \
 and referenced in its category in [routers/api/v1/swagger/](routers/api/v1/swagger/) ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/issue.go#L11-L16)) \
 They can be used like [this example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L277-L279).
 ### When to use what HTTP method
 In general, HTTP methods are chosen as follows:
 - **GET** endpoints return the requested object(s) and status **OK (200)**
 - **DELETE** endpoints return the status **No Content (204)** and no content either
 - **POST** endpoints are used to **create** new objects (e.g. a User) and return the status **Created (201)** and the created object
 - **PUT** endpoints are used to **add/assign** existing Objects (e.g. a user to a team) and return the status **No Content (204)** and no content either
 - **PATCH** endpoints are used to **edit/change** an existing object and return the changed object and the status **OK (200)**
 ### Requirements for API routes
 All parameters of endpoints changing/editing an object must be optional (except the ones to identify the object, which are required).
 Endpoints returning lists must
 - support pagination (`page` & `limit` options in query)
 - set `X-Total-Count` header via **SetTotalCountHeader** ([example](https://github.com/go-gitea/gitea/blob/7aae98cc5d4113f1e9918b7ee7dd09f67c189e3e/routers/api/v1/repo/issue.go#L444))
--- a/docs/guideline-frontend.md
+++ b/docs/guideline-frontend.md
@@ -1,17 +0,0 @@
 # Frontend development
 This document covers frontend-specific contribution expectations. For general contribution workflow, see [CONTRIBUTING.md](../CONTRIBUTING.md).
 ## Dependencies
 For the frontend, we use [npm](https://www.npmjs.com/).
 The same restrictions apply for frontend dependencies as for [backend dependencies](guideline-backend.md#dependencies), with the exceptions that the files for it are `package.json` and `package-lock.json`, and that new versions must always reference an existing version.
 ## Design guideline
 Depending on your change, please read the
 - [backend development guideline](https://docs.gitea.com/contributing/guidelines-backend)
 - [frontend development guideline](https://docs.gitea.com/contributing/guidelines-frontend)
 - [refactoring guideline](https://docs.gitea.com/contributing/guidelines-refactoring)
--- a/docs/release-management.md
+++ b/docs/release-management.md
@@ -1,115 +0,0 @@
 # Release management
 This document describes the release cycle, backports, versioning, and the release manager checklist. For everyday contribution workflow, see [CONTRIBUTING.md](../CONTRIBUTING.md).
 ## Backports and Frontports
 ### What is backported?
 We backport PRs given the following circumstances:
 1. Feature freeze is active, but `<version>-rc0` has not been released yet. Here, we backport as much as possible. <!-- TODO: Is that our definition with the new backport bot? -->
 2. `rc0` has been released. Here, we only backport bug- and security-fixes, and small enhancements. Large PRs such as refactors are not backported anymore. <!-- TODO: Is that our definition with the new backport bot? -->
 3. We never backport new features.
 4. We never backport breaking changes except when
    1. The breaking change has no effect on the vast majority of users
    2. The component triggering the breaking change is marked as experimental
 ### How to backport?
 In the past, it was necessary to manually backport your PRs. \
 Now, that's not a requirement anymore as our [backport bot](https://github.com/GiteaBot) tries to create backports automatically once the PR is merged when the PR
 - does not have the label `backport/manual`
 - has the label `backport/<version>`
 The `backport/manual` label signifies either that you want to backport the change yourself, or that there were conflicts when backporting, thus you **must** do it yourself.
 ### Format of backport PRs
 The title of backport PRs should be
 ```
 <original PR title> (#<original pr number>)
 ```
 The first two lines of the summary of the backporting PR should be
 ```
 Backport #<original pr number>
 ```
 with the rest of the summary and labels matching the original PR.
 ### Frontports
 Frontports behave exactly as described above for backports.
 ## Release Cycle
 We use a release schedule so work, stabilization, and releases stay predictable.
 ### Cadence
 - Aim for a major release about every three or four months.
 - Roughly two or three months of general development, then about one month of testing and polish called the **release freeze**.
 - *Starting with v1.26 the release cycle will be more predictable and follow a more regular schedule.*
 ### Release schedule
 We will try to publish a new major version every three months:
 - v1.26.0 in April 2026
 - v1.27.0 in June 2026
 - v1.28.0 in September 2026
 - v1.29.0 in December 2026
 #### How is the release handled?
 - The release manager will tag the release candidate (e.g. `v1.26.0-rc0`) and publish it for testing in the **first week of the release month**.
 - If there are no major issues, the release manager will check with the other maintainers and then tag the final release (e.g. `v1.26.0`) in the **one or two weeks following the release candidate**.
 ### Feature freeze
 - Merge feature PRs before the freeze when you can.
 - Feature PRs still open at the freeze move to the next milestone. Watch Discord for the freeze announcement.
 - During the freeze, a **release branch** takes fixes backported from `main`. Release candidates ship for testing; the final release for that line is maintained from that branch.
 ### Patch releases
 During a cycle we may ship patch releases for an older line. For example, if the latest release is v1.2, we can still publish v1.1.1 after v1.1.0.
 ### End of life (EOL)
 We support per standard the last major release. For example, if the latest release is v1.26, we support v1.26 and v1.25, but not v1.24 anymore. We will only publish security fixes for the last major release, so if you are using an older release, please upgrade to a supported release as soon as possible.
 Also we always try to support the latest on main branch, so if you are using the latest on main, you should be fine.
 ## Versions
 Gitea has the `main` branch as a tip branch and has version branches
 such as `release/v1.19`. `release/v1.19` is a release branch and we will
 tag `v1.19.0` for binary download. If `v1.19.0` has bugs, we will accept
 pull requests on the `release/v1.19` branch and publish a `v1.19.1` tag,
 after bringing the bug fix also to the main branch.
 Since the `main` branch is a tip version, if you wish to use Gitea
 in production, please download the latest release tag version. All the
 branches will be protected via GitHub, all the PRs to every branch must
 be reviewed by two maintainers and must pass the automatic tests.
 ## Releasing Gitea
 - Let MAJOR, MINOR and PATCH be Major, Minor and Patch version numbers, PATCH should be rc1, rc2, 0, 1, ...... MAJOR.MINOR will be kept the same as milestones on github or gitea in future.
 - Before releasing, confirm all the version's milestone issues or PRs has been resolved. Then discuss the release on Discord channel #maintainers and get agreed with almost all the owners and mergers. Or you can declare the version and if nobody is against it in about several hours.
 - If this is a big version first you have to create PR for changelog on branch `main` with PRs with label `changelog` and after it has been merged do following steps:
  - Create `-dev` tag as `git tag -s -F release.notes vMAJOR.MINOR.0-dev` and push the tag as `git push origin vMAJOR.MINOR.0-dev`.
  - When CI has finished building tag then you have to create a new branch named `release/vMAJOR.MINOR`
 - If it is bugfix version create PR for changelog on branch `release/vMAJOR.MINOR` and wait till it is reviewed and merged.
 - Add a tag as `git tag -s -F release.notes vMAJOR.MINOR.PATCH`, release.notes file could be a temporary file to only include the changelog this version which you added to `CHANGELOG.md`.
 - And then push the tag as `git push origin vMAJOR.MINOR.$`. CI will automatically create a release and upload all the compiled binary. (But currently it doesn't add the release notes automatically. Maybe we should fix that.)
 - If needed send a frontport PR for the changelog to branch `main` and update the version in `docs/config.yaml` to refer to the new version.
 - Send PR to [blog repository](https://gitea.com/gitea/blog) announcing the release.
 - Verify all release assets were correctly published through CI on dl.gitea.com and GitHub releases. Once ACKed:
  - bump the version of https://dl.gitea.com/gitea/version.json
  - merge the blog post PR
  - announce the release in discord `#announcements`
--- a/eslint.config.ts
+++ b/eslint.config.ts
@@ -570,8 +570,12 @@ export default defineConfig([
      'no-redeclare': [0], // must be disabled for typescript overloads
      'no-regex-spaces': [2],
      'no-restricted-exports': [0],
      'no-restricted-globals': [2, ...restrictedGlobals],
      'no-restricted-properties': [2, ...restrictedProperties],
      'no-restricted-imports': [2, {paths: [
        {name: 'jquery', message: 'Use the global $ instead', allowTypeImports: true},
        {name: 'htmx.org', message: 'Use the global htmx instead', allowTypeImports: true},
        {name: 'idiomorph/htmx', message: 'Loaded in globals.ts', allowTypeImports: true},
      ]}],
      'no-restricted-syntax': [2, 'WithStatement', 'ForInStatement', 'LabeledStatement', 'SequenceExpression'],
      'no-return-assign': [0],
@@ -1019,10 +1023,6 @@ export default defineConfig([
  },
  {
    files: ['web_src/**/*'],
-    languageOptions: {globals: {...globals.browser, ...globals.jquery}},
+    languageOptions: {globals: {...globals.browser, ...globals.jquery, htmx: false}},
    rules: {
      'no-restricted-globals': [2, ...restrictedGlobals],
      'no-restricted-properties': [2, ...restrictedProperties],
    },
  },
 ]);
--- a/eslint.json.config.ts
+++ b/eslint.json.config.ts
@@ -13,18 +13,12 @@ export default defineConfig([
    language: 'json/json',
    extends: ['json/recommended'],
  },
  {
    files: ['**/*.json5'],
    plugins: {json},
    language: 'json/json5',
    extends: ['json/recommended'],
  },
  {
    files: [
      'tsconfig.json',
      '.devcontainer/*.json',
      '.vscode/*.json',
-      'contrib/development/vscode/*.json',
+      'contrib/ide/vscode/*.json',
    ],
    plugins: {json},
    language: 'json/jsonc',
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1776877367,
+        "lastModified": 1775036866,
-        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+        "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+        "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e",
        "type": "github"
      },
      "original": {
--- a/Show More
+++ b/Show More