Update CHANGELOG for v1.25.5 (#36885 )

Wait - ~~#36888~~
Update toolchain to 1.25.8 for v1.25 (#36888 )
2026-04-15 20:13:05 +00:00 · 2026-03-12 19:26:33 -06:00 · 2026-03-11 17:37:33 -07:00 · 2026-03-08 16:26:08 +00:00 · 2026-03-08 10:18:35 +00:00 · 2026-03-08 03:23:54 +00:00
160 changed files with 3914 additions and 1195 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,85 @@ This changelog goes through the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.com).

+## [1.25.5](https://github.com/go-gitea/gitea/releases/tag/1.25.5) - 2026-03-10
+
+* SECURITY
+  * Toolchain Update to Go 1.25.6 (#36480) (#36487)
+  * Adjust the toolchain version (#36537) (#36542)
+  * Update toolchain to 1.25.8 for v1.25 (#36888)
+  * Prevent redirect bypasses via backslash-encoded paths (#36660) (#36716)
+  * Fix get release draft permission check (#36659) (#36715)
+  * Fix a bug user could change another user's primary email (#36586) (#36607)
+  * Fix OAuth2 authorization code expiry and reuse handling (#36797) (#36851)
+  * Add validation constraints for repository creation fields (#36671) (#36757)
+  * Fix bug to check whether user can update pull request branch or rebase branch (#36465) (#36838)
+  * Add migration http transport for push/sync mirror lfs (#36665) (#36691)
+  * Fix track time list permission check (#36662) (#36744)
+  * Fix track time issue id (#36664) (#36689)
+  * Fix path resolving (#36734) (#36746)
+  * Fix dump release asset bug (#36799) (#36839)
+  * Fix org permission API visibility checks for hidden members and private orgs (#36798) (#36841)
+  * Fix forwarded proto handling for public URL detection (#36810) (#36836)
+  * Add a git grep search timeout (#36809) (#36835)
+  * Fix oauth2 s256 (#36462) (#36477)
+* ENHANCEMENTS
+  * Make `security-check` informational only (#36681) (#36852)
+  * Upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36840)
+  * Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (#36688) (#36692)
+  * Upgrade gogit to 5.16.5 (#36687)
+  * Add wrap to runner label list (#36565) (#36574)
+  * Add dnf5 command for Fedora in RPM package instructions (#36527) (#36572)
+  * Allow scroll propagation outside code editor (#36502) (#36510)
+* BUGFIXES
+  * Fix non-admins unable to automerge PRs from forks (#36833) (#36843)
+  * Fix bug when pushing mirror with wiki (#36795) (#36807)
+  * Fix artifacts v4 backend upload problems (#36805) (#36834)
+  * Fix CRAN package version validation to allow more than 4 version components (#36813) (#36821)
+  * Fix force push time-line commit comments of pull request (#36653) (#36717)
+  * Fix SVG height calculation in diff viewer (#36748) (#36750)
+  * Fix push time bug (#36693) (#36713)
+  * Fix bug the protected branch rule name is conflicted with renamed branch name (#36650) (#36661)
+  * Fix bug when do LFS GC (#36500) (#36608)
+  * Fix focus lost bugs in the Monaco editor (#36609)
+  * Reprocess htmx content after loading more files (#36568) (#36577)
+  * Fix assignee sidebar links and empty placeholder (#36559) (#36563)
+  * Fix issues filter dropdown showing empty label scope section (#36535) (#36544)
+  * Fix various mermaid bugs (#36547) (#36552)
+  * Fix data race when uploading container blobs concurrently (#36524) (#36526)
+  * Correct spacing between username and bot label (#36473) (#36484)
+
+## [1.25.4](https://github.com/go-gitea/gitea/releases/tag/1.25.4) - 2026-01-15
+
+* SECURITY
+  * Release attachments must belong to the intended repo (#36347) (#36375)
+  * Fix permission check on org project operations (#36318) (#36373)
+  * Clean watches when make a repository private and check permission when send release emails (#36319) (#36370)
+  * Add more check for stopwatch read or list (#36340) (#36368)
+  * Fix openid setting check (#36346) (#36361)
+  * Fix cancel auto merge bug (#36341) (#36356)
+  * Fix delete attachment check (#36320) (#36355)
+  * LFS locks must belong to the intended repo (#36344) (#36349)
+  * Fix bug on notification read (#36339) #36387
+* ENHANCEMENTS
+  * Add more routes to the "expensive" list (#36290)
+  * Make "commit statuses" API accept slashes in "ref" (#36264) (#36275)
+* BUGFIXES
+  * Fix git http service handling #36396
+  * Fix markdown newline handling during IME composition (#36421) #36424
+  * Fix missing repository id when migrating release attachments (#36389)
+  * Fix bug when compare in the pull request (#36363) (#36372)
+  * Fix incorrect text content detection (#36364) (#36369)
+  * Fill missing `has_code` in repository api (#36338) (#36359)
+  * Fix notifications pagination query parameters (#36351) (#36358)
+  * Fix some trivial problems (#36336) (#36337)
+  * Prevent panic when GitLab release has more links than sources (#36295) (#36305)
+  * Fix stats bug when syncing release (#36285) (#36294)
+  * Always honor user's choice for "delete branch after merge" (#36281) (#36286)
+  * Use the requested host for LFS links (#36242) (#36258)
+  * Fix panic when get editor config file (#36241) (#36247)
+  * Fix regression in writing authorized principals (#36213) (#36218)
+  * Fix WebAuthn error checking (#36219) (#36235)
+
 ## [1.25.3](https://github.com/go-gitea/gitea/releases/tag/1.25.3) - 2025-12-17

 * SECURITY
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -166,19 +166,19 @@ Here's how to run the test suite:

 - code lint

-|                       |                                                                   |
-| :-------------------- | :---------------------------------------------------------------- |
-|``make lint``          | lint everything (not needed if you only change the front- **or** backend)    |
-|``make lint-frontend`` | lint frontend files  |
-|``make lint-backend``  | lint backend files   |
+|                       |                                                                           |
+| :-------------------- | :------------------------------------------------------------------------ |
+|``make lint``          | lint everything (not needed if you only change the front- **or** backend) |
+|``make lint-frontend`` | lint frontend files                                                       |
+|``make lint-backend``  | lint backend files                                                        |

 - run tests (we suggest running them on Linux)

-|  Command                               | Action                                           |              |
-| :------------------------------------- | :----------------------------------------------- | ------------ |
-|``make test[\#SpecificTestName]``       |  run unit test(s)  | |
-|``make test-sqlite[\#SpecificTestName]``|  run [integration](tests/integration) test(s) for SQLite |[More details](tests/integration/README.md)  |
-|``make test-e2e-sqlite[\#SpecificTestName]``|  run [end-to-end](tests/e2e) test(s) for SQLite |[More details](tests/e2e/README.md)  |
+|  Command                                   | Action                                                   |                                            |
+| :----------------------------------------- | :------------------------------------------------------- | ------------------------------------------ |
+|``make test[\#SpecificTestName]``           |  run unit test(s)                                        |                                            |
+|``make test-sqlite[\#SpecificTestName]``.   |  run [integration](tests/integration) test(s) for SQLite |[More details](tests/integration/README.md) |
+|``make test-e2e-sqlite[\#SpecificTestName]``|  run [end-to-end](tests/e2e) test(s) for SQLite          |[More details](tests/e2e/README.md)         |

 ## Translation

--- a/2
+++ b/2
@@ -766,7 +766,7 @@ generate-go: $(TAGS_PREREQ)

 .PHONY: security-check
 security-check:
-	go run $(GOVULNCHECK_PACKAGE) -show color ./...
+	go run $(GOVULNCHECK_PACKAGE) -show color ./... || true

 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 ifneq ($(and $(STATIC),$(findstring pam,$(TAGS))),)
--- a/cmd/hook.go
+++ b/cmd/hook.go
@@ -163,6 +163,14 @@ func (n *nilWriter) WriteString(s string) (int, error) {
 	return len(s), nil
 }

+func parseGitHookCommitRefLine(line string) (oldCommitID, newCommitID string, refFullName git.RefName, ok bool) {
+	fields := strings.Split(line, " ")
+	if len(fields) != 3 {
+		return "", "", "", false
+	}
+	return fields[0], fields[1], git.RefName(fields[2]), true
+}
+
 func runHookPreReceive(ctx context.Context, c *cli.Command) error {
 	if isInternal, _ := strconv.ParseBool(os.Getenv(repo_module.EnvIsInternal)); isInternal {
 		return nil
@@ -197,6 +205,7 @@ Gitea or set your environment appropriately.`, "")
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
 		ActionPerm:                      int(actionPerm),
+		IsWiki:                          isWiki,
 	}

 	scanner := bufio.NewScanner(os.Stdin)
@@ -228,14 +237,11 @@ Gitea or set your environment appropriately.`, "")
 			continue
 		}

-		fields := bytes.Fields(scanner.Bytes())
-		if len(fields) != 3 {
+		oldCommitID, newCommitID, refFullName, ok := parseGitHookCommitRefLine(scanner.Text())
+		if !ok {
 			continue
 		}

-		oldCommitID := string(fields[0])
-		newCommitID := string(fields[1])
-		refFullName := git.RefName(fields[2])
 		total++
 		lastline++

@@ -361,6 +367,7 @@ Gitea or set your environment appropriately.`, "")
 		GitPushOptions:                  pushOptions(),
 		PullRequestID:                   prID,
 		PushTrigger:                     repo_module.PushTrigger(os.Getenv(repo_module.EnvPushTrigger)),
+		IsWiki:                          isWiki,
 	}
 	oldCommitIDs := make([]string, hookBatchSize)
 	newCommitIDs := make([]string, hookBatchSize)
@@ -378,16 +385,13 @@ Gitea or set your environment appropriately.`, "")
 			continue
 		}

-		fields := bytes.Fields(scanner.Bytes())
-		if len(fields) != 3 {
+		var ok bool
+		oldCommitIDs[count], newCommitIDs[count], refFullNames[count], ok = parseGitHookCommitRefLine(scanner.Text())
+		if !ok {
 			continue
 		}

 		fmt.Fprintf(out, ".")
-		oldCommitIDs[count] = string(fields[0])
-		newCommitIDs[count] = string(fields[1])
-		refFullNames[count] = git.RefName(fields[2])
-
 		commitID, _ := git.NewIDFromString(newCommitIDs[count])
 		if refFullNames[count] == git.BranchPrefix+"master" && !commitID.IsZero() && count == total {
 			masterPushed = true
@@ -511,6 +515,7 @@ Gitea or set your environment appropriately.`, "")

 	reader := bufio.NewReader(os.Stdin)
 	repoUser := os.Getenv(repo_module.EnvRepoUsername)
+	isWiki, _ := strconv.ParseBool(os.Getenv(repo_module.EnvRepoIsWiki))
 	repoName := os.Getenv(repo_module.EnvRepoName)
 	pusherID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPusherID), 10, 64)
 	pusherName := os.Getenv(repo_module.EnvPusherName)
@@ -588,6 +593,7 @@ Gitea or set your environment appropriately.`, "")
 		UserName:       pusherName,
 		UserID:         pusherID,
 		GitPushOptions: make(map[string]string),
+		IsWiki:         isWiki,
 	}
 	hookOptions.OldCommitIDs = make([]string, 0, hookBatchSize)
 	hookOptions.NewCommitIDs = make([]string, 0, hookBatchSize)
--- a/cmd/hook_test.go
+++ b/cmd/hook_test.go
@@ -39,3 +39,17 @@ func TestPktLine(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, []byte("0007a\nb"), w.Bytes())
 }
+
+func TestParseGitHookCommitRefLine(t *testing.T) {
+	oldCommitID, newCommitID, refName, ok := parseGitHookCommitRefLine("a b c")
+	assert.True(t, ok)
+	assert.Equal(t, "a", oldCommitID)
+	assert.Equal(t, "b", newCommitID)
+	assert.Equal(t, "c", string(refName))
+
+	_, _, _, ok = parseGitHookCommitRefLine("a\tb\tc")
+	assert.False(t, ok)
+
+	_, _, _, ok = parseGitHookCommitRefLine("a b")
+	assert.False(t, ok)
+}
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module code.gitea.io/gitea

 go 1.25.0

-toolchain go1.25.5
+toolchain go1.25.8

 // rfc5280 said: "The serial number is an integer assigned by the CA to each certificate."
 // But some CAs use negative serial number, just relax the check. related:
@@ -58,7 +58,7 @@ require (
 	github.com/go-co-op/gocron v1.37.0
 	github.com/go-enry/go-enry/v2 v2.9.2
 	github.com/go-git/go-billy/v5 v5.6.2
-	github.com/go-git/go-git/v5 v5.16.3
+	github.com/go-git/go-git/v5 v5.16.5
 	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-redsync/redsync/v4 v4.13.0
 	github.com/go-sql-driver/mysql v1.9.3
@@ -181,7 +181,7 @@ require (
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/couchbase/go-couchbase v0.1.1 // indirect
 	github.com/couchbase/gomemcached v0.3.3 // indirect
 	github.com/couchbase/goutils v0.1.2 // indirect
--- a/go.sum
+++ b/go.sum
@@ -231,8 +231,8 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -339,8 +339,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8=
-github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
+github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
--- a/models/asymkey/ssh_key_authorized_keys.go
+++ b/models/asymkey/ssh_key_authorized_keys.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"sync"

@@ -50,12 +51,42 @@ func WriteAuthorizedStringForValidKey(key *PublicKey, w io.Writer) error {
 	return err
 }

+var globalVars = sync.OnceValue(func() (ret struct {
+	principalRegexp *regexp.Regexp
+},
+) {
+	// principalRegexp expresses whether a principal is considered valid.
+	// This reverse engineers how sshd parses the authorized keys file,
+	// see e.g. https://github.com/openssh/openssh-portable/blob/32deb00b38b4ee2b3302f261ea1e68c04e020a08/auth2-pubkeyfile.c#L221-L256
+	// Any newline or # comment will be stripped when parsing, so don't allow
+	// those. Also, if any space or tab is present in the principal, the part
+	// proceeding this would be parsed as an option, so just avoid any whitespace
+	// altogether.
+	ret.principalRegexp = regexp.MustCompile(`^[^\s#]+$`)
+	return ret
+})
+
 func writeAuthorizedStringForKey(key *PublicKey, w io.Writer) (keyValid bool, err error) {
-	const tpl = AuthorizedStringCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s %s` + "\n"
-	pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key.Content))
-	if err != nil {
-		return false, err
+	const tpl = AuthorizedStringCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict %s` + "\n"
+
+	var sshKey string
+
+	if key.Type == KeyTypePrincipal {
+		// TODO: actually using PublicKey to store "principal" is an abuse
+		if !globalVars().principalRegexp.MatchString(key.Content) {
+			return false, fmt.Errorf("invalid principal key: %s", key.Content)
+		}
+		sshKey = fmt.Sprintf("%s # user-%d", key.Content, key.OwnerID)
+	} else {
+		pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key.Content))
+		if err != nil {
+			return false, err
+		}
+
+		sshKeyMarshalled := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(pubKey)))
+		sshKey = fmt.Sprintf("%s user-%d", sshKeyMarshalled, key.OwnerID)
 	}
+
 	// now the key is valid, the code below could only return template/IO related errors
 	sbCmd := &strings.Builder{}
 	err = setting.SSH.AuthorizedKeysCommandTemplateTemplate.Execute(sbCmd, map[string]any{
@@ -69,9 +100,7 @@ func writeAuthorizedStringForKey(key *PublicKey, w io.Writer) (keyValid bool, er
 		return true, err
 	}
 	sshCommandEscaped := util.ShellEscape(sbCmd.String())
-	sshKeyMarshalled := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(pubKey)))
-	sshKeyComment := fmt.Sprintf("user-%d", key.OwnerID)
-	_, err = fmt.Fprintf(w, tpl, sshCommandEscaped, sshKeyMarshalled, sshKeyComment)
+	_, err = fmt.Fprintf(w, tpl, sshCommandEscaped, sshKey)
 	return true, err
 }

--- a/models/asymkey/ssh_key_authorized_keys_test.go
+++ b/models/asymkey/ssh_key_authorized_keys_test.go
@@ -0,0 +1,90 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package asymkey
+
+import (
+	"strings"
+	"testing"
+
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestWriteAuthorizedStringForKey(t *testing.T) {
+	defer test.MockVariableValue(&setting.AppPath, "/tmp/gitea")()
+	defer test.MockVariableValue(&setting.CustomConf, "/tmp/app.ini")()
+	writeKey := func(t *testing.T, key *PublicKey) (bool, string, error) {
+		sb := &strings.Builder{}
+		valid, err := writeAuthorizedStringForKey(key, sb)
+		return valid, sb.String(), err
+	}
+	const validKeyContent = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf`
+
+	testValid := func(t *testing.T, key *PublicKey, expected string) {
+		valid, content, err := writeKey(t, key)
+		assert.True(t, valid)
+		assert.Equal(t, expected, content)
+		assert.NoError(t, err)
+	}
+
+	testInvalid := func(t *testing.T, key *PublicKey) {
+		valid, content, err := writeKey(t, key)
+		assert.False(t, valid)
+		assert.Empty(t, content)
+		assert.Error(t, err)
+	}
+
+	t.Run("PublicKey", func(t *testing.T) {
+		testValid(t, &PublicKey{
+			OwnerID: 123,
+			Content: validKeyContent + " any-comment",
+			Type:    KeyTypeUser,
+		}, `# gitea public key
+command="/tmp/gitea --config=/tmp/app.ini serv key-0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf user-123
+`)
+	})
+
+	t.Run("PublicKeyWithNewLine", func(t *testing.T) {
+		testValid(t, &PublicKey{
+			OwnerID: 123,
+			Content: validKeyContent + "\nany-more", // the new line should be ignored
+			Type:    KeyTypeUser,
+		}, `# gitea public key
+command="/tmp/gitea --config=/tmp/app.ini serv key-0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf user-123
+`)
+	})
+
+	t.Run("PublicKeyInvalid", func(t *testing.T) {
+		testInvalid(t, &PublicKey{
+			OwnerID: 123,
+			Content: validKeyContent + "any-more",
+			Type:    KeyTypeUser,
+		})
+	})
+
+	t.Run("Principal", func(t *testing.T) {
+		testValid(t, &PublicKey{
+			OwnerID: 123,
+			Content: "any-content",
+			Type:    KeyTypePrincipal,
+		}, `# gitea public key
+command="/tmp/gitea --config=/tmp/app.ini serv key-0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict any-content # user-123
+`)
+	})
+
+	t.Run("PrincipalInvalid", func(t *testing.T) {
+		testInvalid(t, &PublicKey{
+			OwnerID: 123,
+			Content: "a b",
+			Type:    KeyTypePrincipal,
+		})
+		testInvalid(t, &PublicKey{
+			OwnerID: 123,
+			Content: "a\nb",
+			Type:    KeyTypePrincipal,
+		})
+	})
+}
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -14,6 +14,7 @@ import (
 	"net/url"
 	"slices"
 	"strings"
+	"time"

 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/container"
@@ -27,6 +28,11 @@ import (
 	"xorm.io/xorm"
 )

+// Authorization codes should expire within 10 minutes per https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
+const oauth2AuthorizationCodeValidity = 10 * time.Minute
+
+var ErrOAuth2AuthorizationCodeInvalidated = errors.New("oauth2 authorization code already invalidated")
+
 // OAuth2Application represents an OAuth2 client (RFC 6749)
 type OAuth2Application struct {
 	ID           int64 `xorm:"pk autoincr"`
@@ -386,6 +392,14 @@ func (code *OAuth2AuthorizationCode) TableName() string {
 	return "oauth2_authorization_code"
 }

+// IsExpired reports whether the authorization code is expired.
+func (code *OAuth2AuthorizationCode) IsExpired() bool {
+	if code.ValidUntil.IsZero() {
+		return true
+	}
+	return code.ValidUntil <= timeutil.TimeStampNow()
+}
+
 // GenerateRedirectURI generates a redirect URI for a successful authorization request. State will be used if not empty.
 func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL, error) {
 	redirect, err := url.Parse(code.RedirectURI)
@@ -403,8 +417,14 @@ func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL

 // Invalidate deletes the auth code from the database to invalidate this code
 func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error {
-	_, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
-	return err
+	affected, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrOAuth2AuthorizationCodeInvalidated
+	}
+	return nil
 }

 // ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.
@@ -472,6 +492,7 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redi
 	// for code scanners to grab sensitive tokens.
 	codeSecret := "gta_" + base32Lower.EncodeToString(rBytes)

+	validUntil := time.Now().Add(oauth2AuthorizationCodeValidity)
 	code = &OAuth2AuthorizationCode{
 		Grant:               grant,
 		GrantID:             grant.ID,
@@ -479,6 +500,7 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redi
 		Code:                codeSecret,
 		CodeChallenge:       codeChallenge,
 		CodeChallengeMethod: codeChallengeMethod,
+		ValidUntil:          timeutil.TimeStamp(validUntil.Unix()),
 	}
 	if err := db.Insert(ctx, code); err != nil {
 		return nil, err
--- a/models/auth/oauth2_test.go
+++ b/models/auth/oauth2_test.go
@@ -5,13 +5,45 @@ package auth_test

 import (
 	"testing"
+	"time"

 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/timeutil"

 	"github.com/stretchr/testify/assert"
 )

+func TestOAuth2AuthorizationCodeValidity(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("GenerateSetsValidUntil", func(t *testing.T) {
+		grant := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1})
+		expectedValidUntil := timeutil.TimeStamp(time.Now().Unix() + 600)
+		code, err := grant.GenerateNewAuthorizationCode(t.Context(), "http://127.0.0.1/", "", "")
+		assert.NoError(t, err)
+		assert.Equal(t, expectedValidUntil, code.ValidUntil)
+		assert.False(t, code.IsExpired())
+		assert.NoError(t, code.Invalidate(t.Context()))
+	})
+
+	t.Run("Expired", func(t *testing.T) {
+		defer timeutil.MockSet(time.Unix(2, 0).UTC())()
+
+		code := &auth_model.OAuth2AuthorizationCode{ValidUntil: timeutil.TimeStamp(1)}
+		assert.True(t, code.IsExpired())
+	})
+
+	t.Run("InvalidateTwice", func(t *testing.T) {
+		code, err := auth_model.GetOAuth2AuthorizationByCode(t.Context(), "authcode")
+		assert.NoError(t, err)
+		if assert.NotNil(t, code) {
+			assert.NoError(t, code.Invalidate(t.Context()))
+			assert.ErrorIs(t, code.Invalidate(t.Context()), auth_model.ErrOAuth2AuthorizationCodeInvalidated)
+		}
+	})
+}
+
 func TestOAuth2Application_GenerateClientSecret(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	app := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: 1})
--- a/models/fixtures/attachment.yml
+++ b/models/fixtures/attachment.yml
@@ -153,3 +153,16 @@
  download_count: 0
  size: 0
  created_unix: 946684800
+
+-
+  id: 13
+  uuid: a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a23
+  repo_id: 1
+  issue_id: 0
+  release_id: 4
+  uploader_id: 2
+  comment_id: 0
+  name: draft-attach
+  download_count: 0
+  size: 0
+  created_unix: 946684800
--- a/models/git/branch.go
+++ b/models/git/branch.go
@@ -397,10 +397,16 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to str

 		if protectedBranch != nil {
 			// there is a protect rule for this branch
-			protectedBranch.RuleName = to
-			if _, err = sess.ID(protectedBranch.ID).Cols("branch_name").Update(protectedBranch); err != nil {
+			existingRule, err := GetProtectedBranchRuleByName(ctx, repo.ID, to)
+			if err != nil {
 				return err
 			}
+			if existingRule == nil || existingRule.ID == protectedBranch.ID {
+				protectedBranch.RuleName = to
+				if _, err = sess.ID(protectedBranch.ID).Cols("branch_name").Update(protectedBranch); err != nil {
+					return err
+				}
+			}
 		} else {
 			// some glob protect rules may match this branch
 			protected, err := IsBranchProtected(ctx, repo.ID, from)
@@ -444,7 +450,7 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to str
 type FindRecentlyPushedNewBranchesOptions struct {
 	Repo            *repo_model.Repository
 	BaseRepo        *repo_model.Repository
-	CommitAfterUnix int64
+	PushedAfterUnix int64
 	MaxCount        int
 }

@@ -454,11 +460,11 @@ type RecentlyPushedNewBranch struct {
 	BranchDisplayName string
 	BranchLink        string
 	BranchCompareURL  string
-	CommitTime        timeutil.TimeStamp
+	PushedTime        timeutil.TimeStamp
 }

 // FindRecentlyPushedNewBranches return at most 2 new branches pushed by the user in 2 hours which has no opened PRs created
-// if opts.CommitAfterUnix is 0, we will find the branches that were committed to in the last 2 hours
+// if opts.PushedAfterUnix is 0, we will find the branches that were pushed in the last 2 hours
 // if opts.ListOptions is not set, we will only display top 2 latest branches.
 // Protected branches will be skipped since they are unlikely to be used to create new PRs.
 func FindRecentlyPushedNewBranches(ctx context.Context, doer *user_model.User, opts FindRecentlyPushedNewBranchesOptions) ([]*RecentlyPushedNewBranch, error) {
@@ -486,8 +492,8 @@ func FindRecentlyPushedNewBranches(ctx context.Context, doer *user_model.User, o
 	}
 	repoIDs := builder.Select("id").From("repository").Where(repoCond)

-	if opts.CommitAfterUnix == 0 {
-		opts.CommitAfterUnix = time.Now().Add(-time.Hour * 2).Unix()
+	if opts.PushedAfterUnix == 0 {
+		opts.PushedAfterUnix = time.Now().Add(-time.Hour * 2).Unix()
 	}

 	baseBranch, err := GetBranch(ctx, opts.BaseRepo.ID, opts.BaseRepo.DefaultBranch)
@@ -503,7 +509,7 @@ func FindRecentlyPushedNewBranches(ctx context.Context, doer *user_model.User, o
 				"pusher_id":  doer.ID,
 				"is_deleted": false,
 			},
-			builder.Gte{"commit_time": opts.CommitAfterUnix},
+			builder.Gte{"updated_unix": opts.PushedAfterUnix},
 			builder.In("repo_id", repoIDs),
 			// newly created branch have no changes, so skip them
 			builder.Neq{"commit_id": baseBranch.CommitID},
@@ -556,7 +562,7 @@ func FindRecentlyPushedNewBranches(ctx context.Context, doer *user_model.User, o
 				BranchName:        branch.Name,
 				BranchLink:        fmt.Sprintf("%s/src/branch/%s", branch.Repo.Link(), util.PathEscapeSegments(branch.Name)),
 				BranchCompareURL:  branch.Repo.ComposeBranchCompareURL(opts.BaseRepo, branch.Name),
-				CommitTime:        branch.CommitTime,
+				PushedTime:        branch.UpdatedUnix,
 			})
 		}
 		if len(newBranches) == opts.MaxCount {
--- a/models/git/branch_test.go
+++ b/models/git/branch_test.go
@@ -6,14 +6,17 @@ package git_test
 import (
 	"context"
 	"testing"
+	"time"

 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	issues_model "code.gitea.io/gitea/models/issues"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/timeutil"

 	"github.com/stretchr/testify/assert"
 )
@@ -63,6 +66,36 @@ func TestGetDeletedBranch(t *testing.T) {
 	assert.NotNil(t, getDeletedBranch(t, firstBranch))
 }

+func TestFindRecentlyPushedNewBranchesUsesPushTime(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 10})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 12})
+	branch := unittest.AssertExistsAndLoadBean(t, &git_model.Branch{RepoID: repo.ID, Name: "outdated-new-branch"})
+
+	commitUnix := time.Now().Add(-3 * time.Hour).Unix()
+	pushUnix := time.Now().Add(-30 * time.Minute).Unix()
+	_, err := db.GetEngine(t.Context()).Exec(
+		"UPDATE branch SET commit_time = ?, updated_unix = ? WHERE id = ?",
+		commitUnix,
+		pushUnix,
+		branch.ID,
+	)
+	assert.NoError(t, err)
+
+	branches, err := git_model.FindRecentlyPushedNewBranches(t.Context(), doer, git_model.FindRecentlyPushedNewBranchesOptions{
+		Repo:            repo,
+		BaseRepo:        repo,
+		PushedAfterUnix: time.Now().Add(-time.Hour).Unix(),
+		MaxCount:        1,
+	})
+	assert.NoError(t, err)
+	if assert.Len(t, branches, 1) {
+		assert.Equal(t, branch.Name, branches[0].BranchName)
+		assert.Equal(t, timeutil.TimeStamp(pushUnix), branches[0].PushedTime)
+	}
+}
+
 func TestDeletedBranchLoadUser(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

@@ -159,6 +192,53 @@ func TestRenameBranch(t *testing.T) {
 	})
 }

+func TestRenameBranchProtectedRuleConflict(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	master := unittest.AssertExistsAndLoadBean(t, &git_model.Branch{RepoID: repo1.ID, Name: "master"})
+
+	devBranch := &git_model.Branch{
+		RepoID:        repo1.ID,
+		Name:          "dev",
+		CommitID:      master.CommitID,
+		CommitMessage: master.CommitMessage,
+		CommitTime:    master.CommitTime,
+		PusherID:      master.PusherID,
+	}
+	assert.NoError(t, db.Insert(t.Context(), devBranch))
+
+	pbDev := git_model.ProtectedBranch{
+		RepoID:   repo1.ID,
+		RuleName: "dev",
+		CanPush:  true,
+	}
+	assert.NoError(t, git_model.UpdateProtectBranch(t.Context(), repo1, &pbDev, git_model.WhitelistOptions{}))
+
+	pbMain := git_model.ProtectedBranch{
+		RepoID:   repo1.ID,
+		RuleName: "main",
+		CanPush:  true,
+	}
+	assert.NoError(t, git_model.UpdateProtectBranch(t.Context(), repo1, &pbMain, git_model.WhitelistOptions{}))
+
+	assert.NoError(t, git_model.RenameBranch(t.Context(), repo1, "dev", "main", func(ctx context.Context, isDefault bool) error {
+		return nil
+	}))
+
+	unittest.AssertNotExistsBean(t, &git_model.Branch{RepoID: repo1.ID, Name: "dev"})
+	unittest.AssertExistsAndLoadBean(t, &git_model.Branch{RepoID: repo1.ID, Name: "main"})
+
+	protectedDev, err := git_model.GetProtectedBranchRuleByName(t.Context(), repo1.ID, "dev")
+	assert.NoError(t, err)
+	assert.NotNil(t, protectedDev)
+	assert.Equal(t, "dev", protectedDev.RuleName)
+
+	protectedMainByID, err := git_model.GetProtectedBranchRuleByID(t.Context(), repo1.ID, pbMain.ID)
+	assert.NoError(t, err)
+	assert.NotNil(t, protectedMainByID)
+	assert.Equal(t, "main", protectedMainByID.RuleName)
+}
+
 func TestOnlyGetDeletedBranchOnCorrectRepo(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

--- a/models/git/lfs.go
+++ b/models/git/lfs.go
@@ -343,15 +343,12 @@ func IterateRepositoryIDsWithLFSMetaObjects(ctx context.Context, f func(ctx cont

 // IterateLFSMetaObjectsForRepoOptions provides options for IterateLFSMetaObjectsForRepo
 type IterateLFSMetaObjectsForRepoOptions struct {
-	OlderThan                 timeutil.TimeStamp
-	UpdatedLessRecentlyThan   timeutil.TimeStamp
-	OrderByUpdated            bool
-	LoopFunctionAlwaysUpdates bool
+	OlderThan               timeutil.TimeStamp
+	UpdatedLessRecentlyThan timeutil.TimeStamp
 }

 // IterateLFSMetaObjectsForRepo provides a iterator for LFSMetaObjects per Repo
 func IterateLFSMetaObjectsForRepo(ctx context.Context, repoID int64, f func(context.Context, *LFSMetaObject, int64) error, opts *IterateLFSMetaObjectsForRepoOptions) error {
-	var start int
 	batchSize := setting.Database.IterateBufferSize
 	engine := db.GetEngine(ctx)
 	type CountLFSMetaObject struct {
@@ -359,7 +356,7 @@ func IterateLFSMetaObjectsForRepo(ctx context.Context, repoID int64, f func(cont
 		LFSMetaObject `xorm:"extends"`
 	}

-	id := int64(0)
+	lastID := int64(0)

 	for {
 		beans := make([]*CountLFSMetaObject, 0, batchSize)
@@ -372,29 +369,23 @@ func IterateLFSMetaObjectsForRepo(ctx context.Context, repoID int64, f func(cont
 		if !opts.UpdatedLessRecentlyThan.IsZero() {
 			sess.And("`lfs_meta_object`.updated_unix < ?", opts.UpdatedLessRecentlyThan)
 		}
-		sess.GroupBy("`lfs_meta_object`.id")
-		if opts.OrderByUpdated {
-			sess.OrderBy("`lfs_meta_object`.updated_unix ASC")
-		} else {
-			sess.And("`lfs_meta_object`.id > ?", id)
-			sess.OrderBy("`lfs_meta_object`.id ASC")
-		}
-		if err := sess.Limit(batchSize, start).Find(&beans); err != nil {
+		sess.GroupBy("`lfs_meta_object`.id").
+			And("`lfs_meta_object`.id > ?", lastID).
+			OrderBy("`lfs_meta_object`.id ASC")
+
+		if err := sess.Limit(batchSize).Find(&beans); err != nil {
 			return err
 		}
 		if len(beans) == 0 {
 			return nil
 		}
-		if !opts.LoopFunctionAlwaysUpdates {
-			start += len(beans)
-		}

 		for _, bean := range beans {
 			if err := f(ctx, &bean.LFSMetaObject, bean.Count); err != nil {
 				return err
 			}
 		}
-		id = beans[len(beans)-1].ID
+		lastID = beans[len(beans)-1].ID
 	}
 }

--- a/models/git/lfs_lock.go
+++ b/models/git/lfs_lock.go
@@ -108,10 +108,10 @@ func GetLFSLock(ctx context.Context, repo *repo_model.Repository, path string) (
 	return rel, nil
 }

-// GetLFSLockByID returns release by given id.
-func GetLFSLockByID(ctx context.Context, id int64) (*LFSLock, error) {
+// GetLFSLockByIDAndRepo returns lfs lock by given id and repository id.
+func GetLFSLockByIDAndRepo(ctx context.Context, id, repoID int64) (*LFSLock, error) {
 	lock := new(LFSLock)
-	has, err := db.GetEngine(ctx).ID(id).Get(lock)
+	has, err := db.GetEngine(ctx).ID(id).And("repo_id = ?", repoID).Get(lock)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -160,7 +160,7 @@ func CountLFSLockByRepoID(ctx context.Context, repoID int64) (int64, error) {
 // DeleteLFSLockByID deletes a lock by given ID.
 func DeleteLFSLockByID(ctx context.Context, id int64, repo *repo_model.Repository, u *user_model.User, force bool) (*LFSLock, error) {
 	return db.WithTx2(ctx, func(ctx context.Context) (*LFSLock, error) {
-		lock, err := GetLFSLockByID(ctx, id)
+		lock, err := GetLFSLockByIDAndRepo(ctx, id, repo.ID)
 		if err != nil {
 			return nil, err
 		}
--- a/models/git/lfs_lock_test.go
+++ b/models/git/lfs_lock_test.go
@@ -0,0 +1,82 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func createTestLock(t *testing.T, repo *repo_model.Repository, owner *user_model.User) *LFSLock {
+	t.Helper()
+
+	path := fmt.Sprintf("%s-%d-%d", t.Name(), repo.ID, time.Now().UnixNano())
+	lock, err := CreateLFSLock(t.Context(), repo, &LFSLock{
+		OwnerID: owner.ID,
+		Path:    path,
+	})
+	require.NoError(t, err)
+	return lock
+}
+
+func TestGetLFSLockByIDAndRepo(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	lockRepo1 := createTestLock(t, repo1, user2)
+	lockRepo3 := createTestLock(t, repo3, user4)
+
+	fetched, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo1.ID)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo1.ID, fetched.ID)
+	assert.Equal(t, repo1.ID, fetched.RepoID)
+
+	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo3.ID)
+	assert.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+
+	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo1.ID)
+	assert.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+}
+
+func TestDeleteLFSLockByIDRequiresRepoMatch(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	lockRepo1 := createTestLock(t, repo1, user2)
+	lockRepo3 := createTestLock(t, repo3, user4)
+
+	_, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo1, user2, true)
+	assert.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+
+	existing, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo3.ID)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo3.ID, existing.ID)
+
+	deleted, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo3, user4, true)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo3.ID, deleted.ID)
+
+	deleted, err = DeleteLFSLockByID(t.Context(), lockRepo1.ID, repo1, user2, false)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo1.ID, deleted.ID)
+}
--- a/models/git/lfs_test.go
+++ b/models/git/lfs_test.go
@@ -0,0 +1,61 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git_test
+
+import (
+	"bytes"
+	"context"
+	"strconv"
+	"testing"
+	"time"
+
+	"code.gitea.io/gitea/models/db"
+	git_model "code.gitea.io/gitea/models/git"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/lfs"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIterateLFSMetaObjectsForRepoUpdatesDoNotSkip(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	ctx := t.Context()
+	repo, err := repo_model.GetRepositoryByOwnerAndName(ctx, "user2", "repo1")
+	assert.NoError(t, err)
+
+	defer test.MockVariableValue(&setting.Database.IterateBufferSize, 1)()
+
+	created := make([]*git_model.LFSMetaObject, 0, 3)
+	for i := range 3 {
+		content := []byte("gitea-lfs-" + strconv.Itoa(i))
+		pointer, err := lfs.GeneratePointer(bytes.NewReader(content))
+		assert.NoError(t, err)
+
+		meta, err := git_model.NewLFSMetaObject(ctx, repo.ID, pointer)
+		assert.NoError(t, err)
+		created = append(created, meta)
+	}
+
+	iterated := make([]int64, 0, len(created))
+	cutoff := time.Now().Add(24 * time.Hour)
+	iterErr := git_model.IterateLFSMetaObjectsForRepo(ctx, repo.ID, func(ctx context.Context, meta *git_model.LFSMetaObject, count int64) error {
+		iterated = append(iterated, meta.ID)
+		_, err := db.GetEngine(ctx).ID(meta.ID).Cols("updated_unix").Update(&git_model.LFSMetaObject{
+			UpdatedUnix: timeutil.TimeStamp(time.Now().Unix()),
+		})
+		return err
+	}, &git_model.IterateLFSMetaObjectsForRepoOptions{
+		OlderThan:               timeutil.TimeStamp(cutoff.Unix()),
+		UpdatedLessRecentlyThan: timeutil.TimeStamp(cutoff.Unix()),
+	})
+	assert.NoError(t, iterErr)
+
+	expected := []int64{created[0].ID, created[1].ID, created[2].ID}
+	assert.Equal(t, expected, iterated)
+}
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -692,7 +692,7 @@ func (c *Comment) LoadTime(ctx context.Context) error {
 		return nil
 	}
 	var err error
-	c.Time, err = GetTrackedTimeByID(ctx, c.TimeID)
+	c.Time, err = GetTrackedTimeByID(ctx, c.IssueID, c.TimeID)
 	return err
 }

--- a/models/issues/stopwatch.go
+++ b/models/issues/stopwatch.go
@@ -12,6 +12,8 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
+
+	"xorm.io/builder"
 )

 // Stopwatch represents a stopwatch for time tracking.
@@ -232,3 +234,14 @@ func CancelStopwatch(ctx context.Context, user *user_model.User, issue *Issue) (
 	})
 	return ok, err
 }
+
+// RemoveStopwatchesByRepoID removes all stopwatches for a user in a specific repository
+// this function should be called before removing all the issues of the repository
+func RemoveStopwatchesByRepoID(ctx context.Context, userID, repoID int64) error {
+	_, err := db.GetEngine(ctx).
+		Where("`stopwatch`.user_id = ?", userID).
+		And(builder.In("`stopwatch`.issue_id",
+			builder.Select("id").From("issue").Where(builder.Eq{"repo_id": repoID}))).
+		Delete(new(Stopwatch))
+	return err
+}
--- a/models/issues/tracked_time.go
+++ b/models/issues/tracked_time.go
@@ -311,13 +311,13 @@ func deleteTime(ctx context.Context, t *TrackedTime) error {
 }

 // GetTrackedTimeByID returns raw TrackedTime without loading attributes by id
-func GetTrackedTimeByID(ctx context.Context, id int64) (*TrackedTime, error) {
+func GetTrackedTimeByID(ctx context.Context, issueID, trackedTimeID int64) (*TrackedTime, error) {
 	time := new(TrackedTime)
-	has, err := db.GetEngine(ctx).ID(id).Get(time)
+	has, err := db.GetEngine(ctx).ID(trackedTimeID).Where("issue_id = ?", issueID).Get(time)
 	if err != nil {
 		return nil, err
 	} else if !has {
-		return nil, db.ErrNotExist{Resource: "tracked_time", ID: id}
+		return nil, db.ErrNotExist{Resource: "tracked_time", ID: trackedTimeID}
 	}
 	return time, nil
 }
--- a/models/packages/package_blob.go
+++ b/models/packages/package_blob.go
@@ -43,13 +43,15 @@ func GetOrInsertBlob(ctx context.Context, pb *PackageBlob) (*PackageBlob, bool,

 	existing := &PackageBlob{}

-	has, err := e.Where(builder.Eq{
+	hashCond := builder.Eq{
 		"size":        pb.Size,
 		"hash_md5":    pb.HashMD5,
 		"hash_sha1":   pb.HashSHA1,
 		"hash_sha256": pb.HashSHA256,
 		"hash_sha512": pb.HashSHA512,
-	}).Get(existing)
+	}
+
+	has, err := e.Where(hashCond).Get(existing)
 	if err != nil {
 		return nil, false, err
 	}
@@ -57,6 +59,11 @@ func GetOrInsertBlob(ctx context.Context, pb *PackageBlob) (*PackageBlob, bool,
 		return existing, true, nil
 	}
 	if _, err = e.Insert(pb); err != nil {
+		// Handle race condition: another request may have inserted the same blob
+		// between our SELECT and INSERT. Retry the SELECT to get the existing blob.
+		if has, _ = e.Where(hashCond).Get(existing); has {
+			return existing, true, nil
+		}
 		return nil, false, err
 	}
 	return pb, false, nil
--- a/models/packages/package_blob_test.go
+++ b/models/packages/package_blob_test.go
@@ -0,0 +1,51 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package packages
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sync/errgroup"
+)
+
+func TestGetOrInsertBlobConcurrent(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	testBlob := PackageBlob{
+		Size:       123,
+		HashMD5:    "md5",
+		HashSHA1:   "sha1",
+		HashSHA256: "sha256",
+		HashSHA512: "sha512",
+	}
+
+	const numGoroutines = 3
+	var wg errgroup.Group
+	results := make([]*PackageBlob, numGoroutines)
+	existed := make([]bool, numGoroutines)
+	for idx := range numGoroutines {
+		wg.Go(func() error {
+			blob := testBlob // Create a copy of the test blob for each goroutine
+			var err error
+			results[idx], existed[idx], err = GetOrInsertBlob(t.Context(), &blob)
+			return err
+		})
+	}
+	require.NoError(t, wg.Wait())
+
+	// then: all GetOrInsertBlob succeeds with the same blob ID, and only one indicates it did not exist before
+	existedCount := 0
+	assert.NotNil(t, results[0])
+	for i := range numGoroutines {
+		assert.Equal(t, results[0].ID, results[i].ID)
+		if existed[i] {
+			existedCount++
+		}
+	}
+	assert.Equal(t, numGoroutines-1, existedCount)
+}
--- a/models/project/column.go
+++ b/models/project/column.go
@@ -213,6 +213,18 @@ func GetColumn(ctx context.Context, columnID int64) (*Column, error) {
 	return column, nil
 }

+func GetColumnByIDAndProjectID(ctx context.Context, columnID, projectID int64) (*Column, error) {
+	column := new(Column)
+	has, err := db.GetEngine(ctx).ID(columnID).And("project_id=?", projectID).Get(column)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrProjectColumnNotExist{ColumnID: columnID}
+	}
+
+	return column, nil
+}
+
 // UpdateColumn updates a project column
 func UpdateColumn(ctx context.Context, column *Column) error {
 	var fieldToUpdate []string
--- a/models/project/project.go
+++ b/models/project/project.go
@@ -302,6 +302,18 @@ func GetProjectByID(ctx context.Context, id int64) (*Project, error) {
 	return p, nil
 }

+func GetProjectByIDAndOwner(ctx context.Context, id, ownerID int64) (*Project, error) {
+	p := new(Project)
+	has, err := db.GetEngine(ctx).ID(id).And("owner_id = ?", ownerID).Get(p)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrProjectNotExist{ID: id}
+	}
+
+	return p, nil
+}
+
 // GetProjectForRepoByID returns the projects in a repository
 func GetProjectForRepoByID(ctx context.Context, repoID, id int64) (*Project, error) {
 	p := new(Project)
--- a/models/repo/attachment.go
+++ b/models/repo/attachment.go
@@ -166,6 +166,11 @@ func GetAttachmentByReleaseIDFileName(ctx context.Context, releaseID int64, file
 	return attach, nil
 }

+func GetUnlinkedAttachmentsByUserID(ctx context.Context, userID int64) ([]*Attachment, error) {
+	attachments := make([]*Attachment, 0, 10)
+	return attachments, db.GetEngine(ctx).Where("uploader_id = ? AND issue_id = 0 AND release_id = 0 AND comment_id = 0", userID).Find(&attachments)
+}
+
 // DeleteAttachment deletes the given attachment and optionally the associated file.
 func DeleteAttachment(ctx context.Context, a *Attachment, remove bool) error {
 	_, err := DeleteAttachments(ctx, []*Attachment{a}, remove)
--- a/models/repo/attachment_test.go
+++ b/models/repo/attachment_test.go
@@ -101,3 +101,19 @@ func TestGetAttachmentsByUUIDs(t *testing.T) {
 	assert.Equal(t, int64(1), attachList[0].IssueID)
 	assert.Equal(t, int64(5), attachList[1].IssueID)
 }
+
+func TestGetUnlinkedAttachmentsByUserID(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	attachments, err := repo_model.GetUnlinkedAttachmentsByUserID(t.Context(), 8)
+	assert.NoError(t, err)
+	assert.Len(t, attachments, 1)
+	assert.Equal(t, int64(10), attachments[0].ID)
+	assert.Zero(t, attachments[0].IssueID)
+	assert.Zero(t, attachments[0].ReleaseID)
+	assert.Zero(t, attachments[0].CommentID)
+
+	attachments, err = repo_model.GetUnlinkedAttachmentsByUserID(t.Context(), 1)
+	assert.NoError(t, err)
+	assert.Empty(t, attachments)
+}
--- a/models/repo/release.go
+++ b/models/repo/release.go
@@ -93,15 +93,25 @@ func init() {
 	db.RegisterModel(new(Release))
 }

-// LoadAttributes load repo and publisher attributes for a release
-func (r *Release) LoadAttributes(ctx context.Context) error {
-	var err error
-	if r.Repo == nil {
-		r.Repo, err = GetRepositoryByID(ctx, r.RepoID)
-		if err != nil {
-			return err
-		}
+// LegacyAttachmentMissingRepoIDCutoff marks the date when repo_id started to be written during uploads
+// (2026-01-16T00:00:00Z). Older rows might have repo_id=0 and should be tolerated once.
+const LegacyAttachmentMissingRepoIDCutoff timeutil.TimeStamp = 1768521600
+
+func (r *Release) LoadRepo(ctx context.Context) (err error) {
+	if r.Repo != nil {
+		return nil
 	}
+
+	r.Repo, err = GetRepositoryByID(ctx, r.RepoID)
+	return err
+}
+
+// LoadAttributes load repo and publisher attributes for a release
+func (r *Release) LoadAttributes(ctx context.Context) (err error) {
+	if err := r.LoadRepo(ctx); err != nil {
+		return err
+	}
+
 	if r.Publisher == nil {
 		r.Publisher, err = user_model.GetUserByID(ctx, r.PublisherID)
 		if err != nil {
@@ -168,6 +178,11 @@ func UpdateReleaseNumCommits(ctx context.Context, rel *Release) error {

 // AddReleaseAttachments adds a release attachments
 func AddReleaseAttachments(ctx context.Context, releaseID int64, attachmentUUIDs []string) (err error) {
+	rel, err := GetReleaseByID(ctx, releaseID)
+	if err != nil {
+		return err
+	}
+
 	// Check attachments
 	attachments, err := GetAttachmentsByUUIDs(ctx, attachmentUUIDs)
 	if err != nil {
@@ -175,6 +190,17 @@ func AddReleaseAttachments(ctx context.Context, releaseID int64, attachmentUUIDs
 	}

 	for i := range attachments {
+		if attachments[i].RepoID == 0 && attachments[i].CreatedUnix < LegacyAttachmentMissingRepoIDCutoff {
+			attachments[i].RepoID = rel.RepoID
+			if _, err = db.GetEngine(ctx).ID(attachments[i].ID).Cols("repo_id").Update(attachments[i]); err != nil {
+				return fmt.Errorf("update attachment repo_id [%d]: %w", attachments[i].ID, err)
+			}
+		}
+
+		if attachments[i].RepoID != rel.RepoID {
+			return util.NewPermissionDeniedErrorf("attachment belongs to different repository")
+		}
+
 		if attachments[i].ReleaseID != 0 {
 			return util.NewPermissionDeniedErrorf("release permission denied")
 		}
--- a/models/repo/release_test.go
+++ b/models/repo/release_test.go
@@ -6,7 +6,9 @@ package repo
 import (
 	"testing"

+	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/util"

 	"github.com/stretchr/testify/assert"
 )
@@ -37,3 +39,54 @@ func Test_FindTagsByCommitIDs(t *testing.T) {
 	assert.Equal(t, "delete-tag", rels[1].TagName)
 	assert.Equal(t, "v1.0", rels[2].TagName)
 }
+
+func TestAddReleaseAttachmentsRejectsDifferentRepo(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	uuid := "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12" // attachment 2 belongs to repo 2
+	err := AddReleaseAttachments(t.Context(), 1, []string{uuid})
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, util.ErrPermissionDenied)
+
+	attach, err := GetAttachmentByUUID(t.Context(), uuid)
+	assert.NoError(t, err)
+	assert.Zero(t, attach.ReleaseID, "attachment should not be linked to release on failure")
+}
+
+func TestAddReleaseAttachmentsAllowsLegacyMissingRepoID(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	legacyUUID := "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20" // attachment 10 has repo_id 0
+	err := AddReleaseAttachments(t.Context(), 1, []string{legacyUUID})
+	assert.NoError(t, err)
+
+	attach, err := GetAttachmentByUUID(t.Context(), legacyUUID)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 1, attach.RepoID)
+	assert.EqualValues(t, 1, attach.ReleaseID)
+}
+
+func TestAddReleaseAttachmentsRejectsRecentZeroRepoID(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	recentUUID := "a0eebc99-9c0b-4ef8-bb6d-6bb9bd3800aa"
+	attachment := &Attachment{
+		UUID:        recentUUID,
+		RepoID:      0,
+		IssueID:     0,
+		ReleaseID:   0,
+		CommentID:   0,
+		Name:        "recent-zero",
+		CreatedUnix: LegacyAttachmentMissingRepoIDCutoff + 1,
+	}
+	assert.NoError(t, db.Insert(t.Context(), attachment))
+
+	err := AddReleaseAttachments(t.Context(), 1, []string{recentUUID})
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, util.ErrPermissionDenied)
+
+	attach, err := GetAttachmentByUUID(t.Context(), recentUUID)
+	assert.NoError(t, err)
+	assert.Zero(t, attach.ReleaseID)
+	assert.Zero(t, attach.RepoID)
+}
--- a/models/repo/watch.go
+++ b/models/repo/watch.go
@@ -176,3 +176,13 @@ func WatchIfAuto(ctx context.Context, userID, repoID int64, isWrite bool) error
 	}
 	return watchRepoMode(ctx, watch, WatchModeAuto)
 }
+
+// ClearRepoWatches clears all watches for a repository and from the user that watched it.
+// Used when a repository is set to private.
+func ClearRepoWatches(ctx context.Context, repoID int64) error {
+	if _, err := db.Exec(ctx, "UPDATE `repository` SET num_watches = 0 WHERE id = ?", repoID); err != nil {
+		return err
+	}
+
+	return db.DeleteBeans(ctx, Watch{RepoID: repoID})
+}
--- a/models/repo/watch_test.go
+++ b/models/repo/watch_test.go
@@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestIsWatching(t *testing.T) {
@@ -119,3 +120,21 @@ func TestWatchIfAuto(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Len(t, watchers, prevCount)
 }
+
+func TestClearRepoWatches(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	const repoID int64 = 1
+	watchers, err := repo_model.GetRepoWatchersIDs(t.Context(), repoID)
+	require.NoError(t, err)
+	require.NotEmpty(t, watchers)
+
+	assert.NoError(t, repo_model.ClearRepoWatches(t.Context(), repoID))
+
+	watchers, err = repo_model.GetRepoWatchersIDs(t.Context(), repoID)
+	assert.NoError(t, err)
+	assert.Empty(t, watchers)
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repoID})
+	assert.Zero(t, repo.NumWatches)
+}
--- a/models/user/email_address.go
+++ b/models/user/email_address.go
@@ -276,17 +276,22 @@ func updateActivation(ctx context.Context, email *EmailAddress, activate bool) e
 	return UpdateUserCols(ctx, user, "rands")
 }

-func MakeActiveEmailPrimary(ctx context.Context, emailID int64) error {
-	return makeEmailPrimaryInternal(ctx, emailID, true)
+func MakeActiveEmailPrimary(ctx context.Context, ownerID, emailID int64) error {
+	return makeEmailPrimaryInternal(ctx, ownerID, emailID, true)
 }

-func MakeInactiveEmailPrimary(ctx context.Context, emailID int64) error {
-	return makeEmailPrimaryInternal(ctx, emailID, false)
+func MakeInactiveEmailPrimary(ctx context.Context, ownerID, emailID int64) error {
+	return makeEmailPrimaryInternal(ctx, ownerID, emailID, false)
 }

-func makeEmailPrimaryInternal(ctx context.Context, emailID int64, isActive bool) error {
+func makeEmailPrimaryInternal(ctx context.Context, ownerID, emailID int64, isActive bool) error {
 	email := &EmailAddress{}
-	if has, err := db.GetEngine(ctx).ID(emailID).Where(builder.Eq{"is_activated": isActive}).Get(email); err != nil {
+	if has, err := db.GetEngine(ctx).ID(emailID).
+		Where(builder.Eq{
+			"uid":          ownerID,
+			"is_activated": isActive,
+		}).
+		Get(email); err != nil {
 		return err
 	} else if !has {
 		return ErrEmailAddressNotExist{}
@@ -336,7 +341,7 @@ func ChangeInactivePrimaryEmail(ctx context.Context, uid int64, oldEmailAddr, ne
 		if err != nil {
 			return err
 		}
-		return MakeInactiveEmailPrimary(ctx, newEmail.ID)
+		return MakeInactiveEmailPrimary(ctx, uid, newEmail.ID)
 	})
 }

--- a/models/user/email_address_test.go
+++ b/models/user/email_address_test.go
@@ -46,22 +46,22 @@ func TestIsEmailUsed(t *testing.T) {
 func TestMakeEmailPrimary(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

-	err := user_model.MakeActiveEmailPrimary(t.Context(), 9999999)
+	err := user_model.MakeActiveEmailPrimary(t.Context(), 1, 9999999)
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, user_model.ErrEmailAddressNotExist{})

 	email := unittest.AssertExistsAndLoadBean(t, &user_model.EmailAddress{Email: "user11@example.com"})
-	err = user_model.MakeActiveEmailPrimary(t.Context(), email.ID)
+	err = user_model.MakeActiveEmailPrimary(t.Context(), email.UID, email.ID)
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, user_model.ErrEmailAddressNotExist{}) // inactive email is considered as not exist for "MakeActiveEmailPrimary"

 	email = unittest.AssertExistsAndLoadBean(t, &user_model.EmailAddress{Email: "user9999999@example.com"})
-	err = user_model.MakeActiveEmailPrimary(t.Context(), email.ID)
+	err = user_model.MakeActiveEmailPrimary(t.Context(), email.UID, email.ID)
 	assert.Error(t, err)
 	assert.True(t, user_model.IsErrUserNotExist(err))

 	email = unittest.AssertExistsAndLoadBean(t, &user_model.EmailAddress{Email: "user101@example.com"})
-	err = user_model.MakeActiveEmailPrimary(t.Context(), email.ID)
+	err = user_model.MakeActiveEmailPrimary(t.Context(), email.UID, email.ID)
 	assert.NoError(t, err)

 	user, _ := user_model.GetUserByID(t.Context(), int64(10))
--- a/models/user/openid.go
+++ b/models/user/openid.go
@@ -102,7 +102,13 @@ func DeleteUserOpenID(ctx context.Context, openid *UserOpenID) (err error) {
 }

 // ToggleUserOpenIDVisibility toggles visibility of an openid address of given user.
-func ToggleUserOpenIDVisibility(ctx context.Context, id int64) (err error) {
-	_, err = db.GetEngine(ctx).Exec("update `user_open_id` set `show` = not `show` where `id` = ?", id)
-	return err
+func ToggleUserOpenIDVisibility(ctx context.Context, id int64, user *User) error {
+	affected, err := db.GetEngine(ctx).Exec("update `user_open_id` set `show` = not `show` where `id` = ? AND uid = ?", id, user.ID)
+	if err != nil {
+		return err
+	}
+	if n, _ := affected.RowsAffected(); n != 1 {
+		return util.NewNotExistErrorf("OpenID is unknown")
+	}
+	return nil
 }
--- a/models/user/openid_test.go
+++ b/models/user/openid_test.go
@@ -8,6 +8,7 @@ import (

 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/util"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -33,12 +34,14 @@ func TestGetUserOpenIDs(t *testing.T) {

 func TestToggleUserOpenIDVisibility(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
+	user, err := user_model.GetUserByID(t.Context(), int64(2))
+	require.NoError(t, err)
 	oids, err := user_model.GetUserOpenIDs(t.Context(), int64(2))
 	require.NoError(t, err)
 	require.Len(t, oids, 1)
 	assert.True(t, oids[0].Show)

-	err = user_model.ToggleUserOpenIDVisibility(t.Context(), oids[0].ID)
+	err = user_model.ToggleUserOpenIDVisibility(t.Context(), oids[0].ID, user)
 	require.NoError(t, err)

 	oids, err = user_model.GetUserOpenIDs(t.Context(), int64(2))
@@ -46,7 +49,7 @@ func TestToggleUserOpenIDVisibility(t *testing.T) {
 	require.Len(t, oids, 1)

 	assert.False(t, oids[0].Show)
-	err = user_model.ToggleUserOpenIDVisibility(t.Context(), oids[0].ID)
+	err = user_model.ToggleUserOpenIDVisibility(t.Context(), oids[0].ID, user)
 	require.NoError(t, err)

 	oids, err = user_model.GetUserOpenIDs(t.Context(), int64(2))
@@ -55,3 +58,13 @@ func TestToggleUserOpenIDVisibility(t *testing.T) {
 		assert.True(t, oids[0].Show)
 	}
 }
+
+func TestToggleUserOpenIDVisibilityRequiresOwnership(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	unauthorizedUser, err := user_model.GetUserByID(t.Context(), int64(2))
+	require.NoError(t, err)
+
+	err = user_model.ToggleUserOpenIDVisibility(t.Context(), int64(1), unauthorizedUser)
+	require.Error(t, err)
+	assert.ErrorIs(t, err, util.ErrNotExist)
+}
--- a/modules/eventsource/manager_run.go
+++ b/modules/eventsource/manager_run.go
@@ -9,6 +9,7 @@ import (

 	activities_model "code.gitea.io/gitea/models/activities"
 	issues_model "code.gitea.io/gitea/models/issues"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
@@ -91,7 +92,13 @@ loop:
 				}

 				for _, userStopwatches := range usersStopwatches {
-					apiSWs, err := convert.ToStopWatches(ctx, userStopwatches.StopWatches)
+					u, err := user_model.GetUserByID(ctx, userStopwatches.UserID)
+					if err != nil {
+						log.Error("Unable to get user %d: %v", userStopwatches.UserID, err)
+						continue
+					}
+
+					apiSWs, err := convert.ToStopWatches(ctx, u, userStopwatches.StopWatches)
 					if err != nil {
 						if !issues_model.IsErrIssueNotExist(err) {
 							log.Error("Unable to APIFormat stopwatches: %v", err)
--- a/modules/git/blob_gogit.go
+++ b/modules/git/blob_gogit.go
@@ -9,24 +9,38 @@ package git
 import (
 	"io"

+	"code.gitea.io/gitea/modules/log"
+
 	"github.com/go-git/go-git/v5/plumbing"
 )

 // Blob represents a Git object.
 type Blob struct {
-	ID ObjectID
+	ID   ObjectID
+	repo *Repository
+	name string
+}

-	gogitEncodedObj plumbing.EncodedObject
-	name            string
+func (b *Blob) gogitEncodedObj() (plumbing.EncodedObject, error) {
+	return b.repo.gogitRepo.Storer.EncodedObject(plumbing.AnyObject, plumbing.Hash(b.ID.RawValue()))
 }

 // DataAsync gets a ReadCloser for the contents of a blob without reading it all.
 // Calling the Close function on the result will discard all unread output.
 func (b *Blob) DataAsync() (io.ReadCloser, error) {
-	return b.gogitEncodedObj.Reader()
+	obj, err := b.gogitEncodedObj()
+	if err != nil {
+		return nil, err
+	}
+	return obj.Reader()
 }

 // Size returns the uncompressed size of the blob
 func (b *Blob) Size() int64 {
-	return b.gogitEncodedObj.Size()
+	obj, err := b.gogitEncodedObj()
+	if err != nil {
+		log.Error("Error getting gogit encoded object for blob %s(%s): %v", b.name, b.ID.String(), err)
+		return 0
+	}
+	return obj.Size()
 }
--- a/modules/git/foreachref/parser.go
+++ b/modules/git/foreachref/parser.go
@@ -30,9 +30,11 @@ type Parser struct {
 func NewParser(r io.Reader, format Format) *Parser {
 	scanner := bufio.NewScanner(r)

-	// default MaxScanTokenSize = 64 kiB may be too small for some references,
-	// so allow the buffer to grow up to 4x if needed
-	scanner.Buffer(nil, 4*bufio.MaxScanTokenSize)
+	// default Scanner.MaxScanTokenSize = 64 kiB may be too small for some references,
+	// so allow the buffer to be large enough in case the ref has long content (e.g.: a tag with long message)
+	// as long as it doesn't exceed some reasonable limit (4 MiB here, or MAX_DISPLAY_FILE_SIZE=8MiB), it is OK
+	// there are still some choices: 1. add a config option for the limit; 2. don't use scanner and write our own parser to fully handle large contents
+	scanner.Buffer(nil, 4*1024*1024)

 	// in addition to the reference delimiter we specified in the --format,
 	// `git for-each-ref` will always add a newline after every reference.
--- a/modules/git/grep.go
+++ b/modules/git/grep.go
@@ -13,6 +13,7 @@ import (
 	"slices"
 	"strconv"
 	"strings"
+	"time"

 	"code.gitea.io/gitea/modules/git/gitcmd"
 	"code.gitea.io/gitea/modules/util"
@@ -41,6 +42,10 @@ type GrepOptions struct {
 	PathspecList      []string
 }

+// grepSearchTimeout is the timeout for git grep search, it should be long enough to get results
+// but not too long to cause performance issues
+const grepSearchTimeout = 30 * time.Second
+
 func GrepSearch(ctx context.Context, repo *Repository, search string, opts GrepOptions) ([]*GrepResult, error) {
 	stdoutReader, stdoutWriter, err := os.Pipe()
 	if err != nil {
@@ -85,9 +90,10 @@ func GrepSearch(ctx context.Context, repo *Repository, search string, opts GrepO
 	opts.MaxResultLimit = util.IfZero(opts.MaxResultLimit, 50)
 	stderr := bytes.Buffer{}
 	err = cmd.Run(ctx, &gitcmd.RunOpts{
-		Dir:    repo.Path,
-		Stdout: stdoutWriter,
-		Stderr: &stderr,
+		Dir:     repo.Path,
+		Stdout:  stdoutWriter,
+		Stderr:  &stderr,
+		Timeout: grepSearchTimeout,
 		PipelineFunc: func(ctx context.Context, cancel context.CancelFunc) error {
 			_ = stdoutWriter.Close()
 			defer stdoutReader.Close()
--- a/modules/git/repo_blob.go
+++ b/modules/git/repo_blob.go
@@ -9,5 +9,11 @@ func (repo *Repository) GetBlob(idStr string) (*Blob, error) {
 	if err != nil {
 		return nil, err
 	}
-	return repo.getBlob(id)
+	if id.IsZero() {
+		return nil, ErrNotExist{id.String(), ""}
+	}
+	return &Blob{
+		ID:   id,
+		repo: repo,
+	}, nil
 }
--- a/modules/git/repo_blob_gogit.go
+++ b/modules/git/repo_blob_gogit.go
@@ -1,22 +0,0 @@
-// Copyright 2018 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build gogit
-
-package git
-
-import (
-	"github.com/go-git/go-git/v5/plumbing"
-)
-
-func (repo *Repository) getBlob(id ObjectID) (*Blob, error) {
-	encodedObj, err := repo.gogitRepo.Storer.EncodedObject(plumbing.AnyObject, plumbing.Hash(id.RawValue()))
-	if err != nil {
-		return nil, ErrNotExist{id.String(), ""}
-	}
-
-	return &Blob{
-		ID:              id,
-		gogitEncodedObj: encodedObj,
-	}, nil
-}
--- a/modules/git/repo_blob_nogogit.go
+++ b/modules/git/repo_blob_nogogit.go
@@ -1,16 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build !gogit
-
-package git
-
-func (repo *Repository) getBlob(id ObjectID) (*Blob, error) {
-	if id.IsZero() {
-		return nil, ErrNotExist{id.String(), ""}
-	}
-	return &Blob{
-		ID:   id,
-		repo: repo,
-	}, nil
-}
--- a/modules/git/tree_entry_gogit.go
+++ b/modules/git/tree_entry_gogit.go
@@ -7,7 +7,6 @@
 package git

 import (
-	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/go-git/go-git/v5/plumbing/object"
 )
@@ -83,14 +82,9 @@ func (te *TreeEntry) IsExecutable() bool {

 // Blob returns the blob object the entry
 func (te *TreeEntry) Blob() *Blob {
-	encodedObj, err := te.ptree.repo.gogitRepo.Storer.EncodedObject(plumbing.AnyObject, te.gogitTreeEntry.Hash)
-	if err != nil {
-		return nil
-	}
-
 	return &Blob{
-		ID:              ParseGogitHash(te.gogitTreeEntry.Hash),
-		gogitEncodedObj: encodedObj,
-		name:            te.Name(),
+		ID:   ParseGogitHash(te.gogitTreeEntry.Hash),
+		repo: te.ptree.repo,
+		name: te.Name(),
 	}
 }
--- a/modules/httplib/url.go
+++ b/modules/httplib/url.go
@@ -24,7 +24,18 @@ func urlIsRelative(s string, u *url.URL) bool {
 	if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
 		return false
 	}
-	return u != nil && u.Scheme == "" && u.Host == ""
+	if u == nil {
+		return false // invalid URL
+	}
+	if u.Scheme != "" || u.Host != "" {
+		return false // absolute URL with scheme or host
+	}
+	// Now, the URL is likely a relative URL
+	// HINT: GOLANG-HTTP-REDIRECT-BUG: Golang security vulnerability: "http.Redirect" calls "path.Clean" and changes the meaning of a path
+	// For example, `/a/../\b` will be changed to `/\b`, then it hits the first checked pattern and becomes an open redirect to "{current-scheme}://b"
+	// For a valid relative URL, its "path" shouldn't contain `\` because such char must be escaped.
+	// So if the "path" contains `\`, it is not a valid relative URL, then we can prevent open redirect.
+	return !strings.Contains(u.Path, "\\")
 }

 // IsRelativeURL detects if a URL is relative (no scheme or host)
@@ -35,14 +46,14 @@ func IsRelativeURL(s string) bool {

 func getRequestScheme(req *http.Request) string {
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
-	if s := req.Header.Get("X-Forwarded-Proto"); s != "" {
-		return s
+	if proto, ok := parseForwardedProtoValue(req.Header.Get("X-Forwarded-Proto")); ok {
+		return proto
 	}
-	if s := req.Header.Get("X-Forwarded-Protocol"); s != "" {
-		return s
+	if proto, ok := parseForwardedProtoValue(req.Header.Get("X-Forwarded-Protocol")); ok {
+		return proto
 	}
-	if s := req.Header.Get("X-Url-Scheme"); s != "" {
-		return s
+	if proto, ok := parseForwardedProtoValue(req.Header.Get("X-Url-Scheme")); ok {
+		return proto
 	}
 	if s := req.Header.Get("Front-End-Https"); s != "" {
 		return util.Iif(s == "on", "https", "http")
@@ -53,6 +64,13 @@ func getRequestScheme(req *http.Request) string {
 	return ""
 }

+func parseForwardedProtoValue(val string) (string, bool) {
+	if val == "http" || val == "https" {
+		return val, true
+	}
+	return "", false
+}
+
 // GuessCurrentAppURL tries to guess the current full public URL (with sub-path) by http headers. It always has a '/' suffix, exactly the same as setting.AppURL
 // TODO: should rename it to GuessCurrentPublicURL in the future
 func GuessCurrentAppURL(ctx context.Context) string {
--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@@ -23,6 +23,7 @@ func TestIsRelativeURL(t *testing.T) {
 		"foo",
 		"/",
 		"/foo?k=%20#abc",
+		"/foo?k=\\",
 	}
 	for _, s := range rel {
 		assert.True(t, IsRelativeURL(s), "rel = %q", s)
@@ -32,6 +33,8 @@ func TestIsRelativeURL(t *testing.T) {
 		"\\\\",
 		"/\\",
 		"\\/",
+		"/a/../\\b",
+		"/any\\thing",
 		"mailto:a@b.com",
 		"https://test.com",
 	}
@@ -44,6 +47,7 @@ func TestGuessCurrentHostURL(t *testing.T) {
 	defer test.MockVariableValue(&setting.AppURL, "http://cfg-host/sub/")()
 	defer test.MockVariableValue(&setting.AppSubURL, "/sub")()
 	headersWithProto := http.Header{"X-Forwarded-Proto": {"https"}}
+	maliciousProtoHeaders := http.Header{"X-Forwarded-Proto": {"http://attacker.host/?trash="}}

 	t.Run("Legacy", func(t *testing.T) {
 		defer test.MockVariableValue(&setting.PublicURLDetection, setting.PublicURLLegacy)()
@@ -57,6 +61,9 @@ func TestGuessCurrentHostURL(t *testing.T) {
 		// if "X-Forwarded-Proto" exists, then use it and "Host" header
 		ctx = context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000", Header: headersWithProto})
 		assert.Equal(t, "https://req-host:3000", GuessCurrentHostURL(ctx))
+
+		ctx = context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000", Header: maliciousProtoHeaders})
+		assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(ctx))
 	})

 	t.Run("Auto", func(t *testing.T) {
@@ -73,6 +80,9 @@ func TestGuessCurrentHostURL(t *testing.T) {

 		ctx = context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000", Header: headersWithProto})
 		assert.Equal(t, "https://req-host:3000", GuessCurrentHostURL(ctx))
+
+		ctx = context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000", Header: maliciousProtoHeaders})
+		assert.Equal(t, "http://req-host:3000", GuessCurrentHostURL(ctx))
 	})
 }

--- a/modules/migration/release.go
+++ b/modules/migration/release.go
@@ -10,9 +10,12 @@ import (

 // ReleaseAsset represents a release asset
 type ReleaseAsset struct {
-	ID            int64
-	Name          string
-	ContentType   *string `yaml:"content_type"`
+	ID   int64
+	Name string
+
+	// There was a field "ContentType (content_type)" because Some forges can provide that for assets,
+	// but we don't need it when migrating, so the field is omitted here.
+
 	Size          *int
 	DownloadCount *int `yaml:"download_count"`
 	Created       time.Time
--- a/modules/packages/cran/metadata.go
+++ b/modules/packages/cran/metadata.go
@@ -34,7 +34,7 @@ var (
 var (
 	fieldPattern         = regexp.MustCompile(`\A\S+:`)
 	namePattern          = regexp.MustCompile(`\A[a-zA-Z][a-zA-Z0-9\.]*[a-zA-Z0-9]\z`)
-	versionPattern       = regexp.MustCompile(`\A[0-9]+(?:[.\-][0-9]+){1,3}\z`)
+	versionPattern       = regexp.MustCompile(`\A[0-9]+(?:[.\-][0-9]+)+\z`)
 	authorReplacePattern = regexp.MustCompile(`[\[\(].+?[\]\)]`)
 )

--- a/modules/packages/cran/metadata_test.go
+++ b/modules/packages/cran/metadata_test.go
@@ -128,13 +128,22 @@ func TestParseDescription(t *testing.T) {
 	})

 	t.Run("InvalidVersion", func(t *testing.T) {
-		for _, version := range []string{"1", "1 0", "1.2.3.4.5", "1-2-3-4-5", "1.", "1.0.", "1-", "1-0-"} {
+		for _, version := range []string{"1", "1 0", "1.", "1.0.", "1-", "1-0-"} {
 			p, err := ParseDescription(createDescription(packageName, version))
 			assert.Nil(t, p)
 			assert.ErrorIs(t, err, ErrInvalidVersion)
 		}
 	})

+	t.Run("ValidVersionManyComponents", func(t *testing.T) {
+		for _, version := range []string{"0.3.4.0.2", "1.2.3.4.5", "1-2-3-4-5"} {
+			p, err := ParseDescription(createDescription(packageName, version))
+			assert.NoError(t, err)
+			assert.NotNil(t, p)
+			assert.Equal(t, version, p.Version)
+		}
+	})
+
 	t.Run("Valid", func(t *testing.T) {
 		p, err := ParseDescription(createDescription(packageName, packageVersion))
 		assert.NoError(t, err)
--- a/modules/repository/repo.go
+++ b/modules/repository/repo.go
@@ -233,7 +233,7 @@ func SyncReleasesWithTags(ctx context.Context, repo *repo_model.Repository, gitR
 				return fmt.Errorf("unable to update tag %s for pull-mirror Repo[%d:%s/%s]: %w", tag.Name, repo.ID, repo.OwnerName, repo.Name, err)
 			}
 		}
-		added, deleted, updated = len(deletes), len(updates), len(inserts)
+		added, deleted, updated = len(inserts), len(deletes), len(updates)
 		return nil
 	})
 	if err != nil {
--- a/modules/setting/admin.go
+++ b/modules/setting/admin.go
@@ -5,6 +5,7 @@ package setting

 import (
 	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/log"
 )

 // Admin settings
@@ -15,12 +16,33 @@ var Admin struct {
 	ExternalUserDisableFeatures container.Set[string]
 }

+var validUserFeatures = container.SetOf(
+	UserFeatureDeletion,
+	UserFeatureManageSSHKeys,
+	UserFeatureManageGPGKeys,
+	UserFeatureManageMFA,
+	UserFeatureManageCredentials,
+	UserFeatureChangeUsername,
+	UserFeatureChangeFullName,
+)
+
 func loadAdminFrom(rootCfg ConfigProvider) {
 	sec := rootCfg.Section("admin")
 	Admin.DisableRegularOrgCreation = sec.Key("DISABLE_REGULAR_ORG_CREATION").MustBool(false)
 	Admin.DefaultEmailNotification = sec.Key("DEFAULT_EMAIL_NOTIFICATIONS").MustString("enabled")
 	Admin.UserDisabledFeatures = container.SetOf(sec.Key("USER_DISABLED_FEATURES").Strings(",")...)
 	Admin.ExternalUserDisableFeatures = container.SetOf(sec.Key("EXTERNAL_USER_DISABLE_FEATURES").Strings(",")...).Union(Admin.UserDisabledFeatures)
+
+	for feature := range Admin.UserDisabledFeatures {
+		if !validUserFeatures.Contains(feature) {
+			log.Warn("USER_DISABLED_FEATURES contains unknown feature %q", feature)
+		}
+	}
+	for feature := range Admin.ExternalUserDisableFeatures {
+		if !validUserFeatures.Contains(feature) && !Admin.UserDisabledFeatures.Contains(feature) {
+			log.Warn("EXTERNAL_USER_DISABLE_FEATURES contains unknown feature %q", feature)
+		}
+	}
 }

 const (
--- a/modules/storage/local.go
+++ b/modules/storage/local.go
@@ -5,6 +5,7 @@ package storage

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/url"
@@ -27,25 +28,32 @@ type LocalStorage struct {

 // NewLocalStorage returns a local files
 func NewLocalStorage(ctx context.Context, config *setting.Storage) (ObjectStorage, error) {
+	// prepare storage root path
 	if !filepath.IsAbs(config.Path) {
-		return nil, fmt.Errorf("LocalStorageConfig.Path should have been prepared by setting/storage.go and should be an absolute path, but not: %q", config.Path)
-	}
-	log.Info("Creating new Local Storage at %s", config.Path)
-	if err := os.MkdirAll(config.Path, os.ModePerm); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("LocalStorage config.Path should have been prepared by setting/storage.go and should be an absolute path, but not: %q", config.Path)
 	}
+	storageRoot := util.FilePathJoinAbs(config.Path)

-	if config.TemporaryPath == "" {
-		config.TemporaryPath = filepath.Join(config.Path, "tmp")
+	// prepare storage temporary path
+	storageTmp := config.TemporaryPath
+	if storageTmp == "" {
+		storageTmp = filepath.Join(storageRoot, "tmp")
 	}
-	if !filepath.IsAbs(config.TemporaryPath) {
-		return nil, fmt.Errorf("LocalStorageConfig.TemporaryPath should be an absolute path, but not: %q", config.TemporaryPath)
+	if !filepath.IsAbs(storageTmp) {
+		return nil, fmt.Errorf("LocalStorage config.TemporaryPath should be an absolute path, but not: %q", config.TemporaryPath)
+	}
+	storageTmp = util.FilePathJoinAbs(storageTmp)
+
+	// create the storage root if not exist
+	log.Info("Creating new Local Storage at %s", storageRoot)
+	if err := os.MkdirAll(storageRoot, os.ModePerm); err != nil {
+		return nil, err
 	}

 	return &LocalStorage{
 		ctx:    ctx,
-		dir:    config.Path,
-		tmpdir: config.TemporaryPath,
+		dir:    storageRoot,
+		tmpdir: storageTmp,
 	}, nil
 }

@@ -108,9 +116,21 @@ func (l *LocalStorage) Stat(path string) (os.FileInfo, error) {
 	return os.Stat(l.buildLocalPath(path))
 }

-// Delete delete a file
+func (l *LocalStorage) deleteEmptyParentDirs(localFullPath string) {
+	for parent := filepath.Dir(localFullPath); len(parent) > len(l.dir); parent = filepath.Dir(parent) {
+		if err := os.Remove(parent); err != nil {
+			// since the target file has been deleted, parent dir error is not related to the file deletion itself.
+			break
+		}
+	}
+}
+
+// Delete deletes the file in storage and removes the empty parent directories (if possible)
 func (l *LocalStorage) Delete(path string) error {
-	return util.Remove(l.buildLocalPath(path))
+	localFullPath := l.buildLocalPath(path)
+	err := util.Remove(localFullPath)
+	l.deleteEmptyParentDirs(localFullPath)
+	return err
 }

 // URL gets the redirect URL to a file
@@ -118,34 +138,38 @@ func (l *LocalStorage) URL(path, name, _ string, reqParams url.Values) (*url.URL
 	return nil, ErrURLNotSupported
 }

+func (l *LocalStorage) normalizeWalkError(err error) error {
+	if errors.Is(err, os.ErrNotExist) {
+		// ignore it because the file may be deleted during the walk, and we don't care about it
+		return nil
+	}
+	return err
+}
+
 // IterateObjects iterates across the objects in the local storage
 func (l *LocalStorage) IterateObjects(dirName string, fn func(path string, obj Object) error) error {
 	dir := l.buildLocalPath(dirName)
-	return filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error {
-		if err != nil {
+	return filepath.WalkDir(dir, func(path string, d os.DirEntry, errWalk error) error {
+		if err := l.ctx.Err(); err != nil {
 			return err
 		}
-		select {
-		case <-l.ctx.Done():
-			return l.ctx.Err()
-		default:
+		if errWalk != nil {
+			return l.normalizeWalkError(errWalk)
 		}
-		if path == l.dir {
-			return nil
-		}
-		if d.IsDir() {
+		if path == l.dir || d.IsDir() {
 			return nil
 		}
+
 		relPath, err := filepath.Rel(l.dir, path)
 		if err != nil {
-			return err
+			return l.normalizeWalkError(err)
 		}
 		obj, err := os.Open(path)
 		if err != nil {
-			return err
+			return l.normalizeWalkError(err)
 		}
 		defer obj.Close()
-		return fn(relPath, obj)
+		return fn(filepath.ToSlash(relPath), obj)
 	})
 }

--- a/modules/storage/local_test.go
+++ b/modules/storage/local_test.go
@@ -4,11 +4,14 @@
 package storage

 import (
+	"os"
+	"strings"
 	"testing"

 	"code.gitea.io/gitea/modules/setting"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestBuildLocalPath(t *testing.T) {
@@ -53,6 +56,49 @@ func TestBuildLocalPath(t *testing.T) {
 	}
 }

+func TestLocalStorageDelete(t *testing.T) {
+	rootDir := t.TempDir()
+	st, err := NewLocalStorage(t.Context(), &setting.Storage{Path: rootDir})
+	require.NoError(t, err)
+
+	assertExists := func(t *testing.T, path string, exists bool) {
+		_, err = os.Stat(rootDir + "/" + path)
+		if exists {
+			require.NoError(t, err)
+		} else {
+			require.ErrorIs(t, err, os.ErrNotExist)
+		}
+	}
+
+	_, err = st.Save("dir/sub1/1-a.txt", strings.NewReader(""), -1)
+	require.NoError(t, err)
+	_, err = st.Save("dir/sub1/1-b.txt", strings.NewReader(""), -1)
+	require.NoError(t, err)
+	_, err = st.Save("dir/sub2/2-a.txt", strings.NewReader(""), -1)
+	require.NoError(t, err)
+
+	assertExists(t, "dir/sub1/1-a.txt", true)
+	assertExists(t, "dir/sub1/1-b.txt", true)
+	assertExists(t, "dir/sub2/2-a.txt", true)
+
+	require.NoError(t, st.Delete("dir/sub1/1-a.txt"))
+	assertExists(t, "dir/sub1", true)
+	assertExists(t, "dir/sub1/1-a.txt", false)
+	assertExists(t, "dir/sub1/1-b.txt", true)
+	assertExists(t, "dir/sub2/2-a.txt", true)
+
+	require.NoError(t, st.Delete("dir/sub1/1-b.txt"))
+	assertExists(t, ".", true)
+	assertExists(t, "dir/sub1", false)
+	assertExists(t, "dir/sub1/1-a.txt", false)
+	assertExists(t, "dir/sub1/1-b.txt", false)
+	assertExists(t, "dir/sub2/2-a.txt", true)
+
+	require.NoError(t, st.Delete("dir/sub2/2-a.txt"))
+	assertExists(t, ".", true)
+	assertExists(t, "dir", false)
+}
+
 func TestLocalStorageIterator(t *testing.T) {
 	testStorageIterator(t, setting.LocalStorageType, &setting.Storage{Path: t.TempDir()})
 }
--- a/modules/storage/storage.go
+++ b/modules/storage/storage.go
@@ -68,7 +68,12 @@ type ObjectStorage interface {
 	Stat(path string) (os.FileInfo, error)
 	Delete(path string) error
 	URL(path, name, method string, reqParams url.Values) (*url.URL, error)
-	IterateObjects(path string, iterator func(path string, obj Object) error) error
+
+	// IterateObjects calls the iterator function for each object in the storage with the given path as prefix
+	// The "fullPath" argument in callback is the full path in this storage.
+	// * IterateObjects("", ...): iterate all objects in this storage
+	// * IterateObjects("sub-path", ...): iterate all objects with "sub-path" as prefix in this storage, the "fullPath" will be like "sub-path/xxx"
+	IterateObjects(basePath string, iterator func(fullPath string, obj Object) error) error
 }

 // Copy copies a file from source ObjectStorage to dest ObjectStorage
--- a/modules/structs/repo.go
+++ b/modules/structs/repo.go
@@ -134,7 +134,7 @@ type CreateRepoOption struct {
 	// Whether the repository is private
 	Private bool `json:"private"`
 	// Label-Set to use
-	IssueLabels string `json:"issue_labels"`
+	IssueLabels string `json:"issue_labels" binding:"MaxSize(255)"`
 	// Whether the repository should be auto-initialized?
 	AutoInit bool `json:"auto_init"`
 	// Whether the repository is template
@@ -142,15 +142,15 @@ type CreateRepoOption struct {
 	// Gitignores to use
 	Gitignores string `json:"gitignores"`
 	// License to use
-	License string `json:"license"`
+	License string `json:"license" binding:"MaxSize(100)"`
 	// Readme of the repository to create
-	Readme string `json:"readme"`
+	Readme string `json:"readme" binding:"MaxSize(255)"`
 	// DefaultBranch of the repository (used when initializes and in template)
 	DefaultBranch string `json:"default_branch" binding:"GitRefName;MaxSize(100)"`
 	// TrustModel of the repository
 	// enum: default,collaborator,committer,collaboratorcommitter
 	TrustModel string `json:"trust_model"`
-	// ObjectFormatName of the underlying git repository
+	// ObjectFormatName of the underlying git repository, empty string for default (sha1)
 	// enum: sha1,sha256
 	ObjectFormatName string `json:"object_format_name" binding:"MaxSize(6)"`
 }
--- a/modules/typesniffer/typesniffer.go
+++ b/modules/typesniffer/typesniffer.go
@@ -107,6 +107,17 @@ func detectFileTypeBox(data []byte) (brands []string, found bool) {
 	return brands, true
 }

+func isEmbeddedOpenType(data []byte) bool {
+	// https://www.w3.org/submissions/EOT
+	if len(data) < 80 {
+		return false
+	}
+	version := binary.LittleEndian.Uint32(data[8:])  // Actually this standard is abandoned (for IE6-IE11 only), there are only 3 versions defined
+	magic := binary.LittleEndian.Uint16(data[34:36]) // MagicNumber: 0x504C ("LP")
+	reserved := data[64:80]                          // Reserved 1-4 (each: unsigned long)
+	return (version == 0x00010000 || version == 0x00020001 || version == 0x00020002) && magic == 0x504C && bytes.Count(reserved, []byte{0}) == len(reserved)
+}
+
 // DetectContentType extends http.DetectContentType with more content types. Defaults to text/plain if input is empty.
 func DetectContentType(data []byte) SniffedType {
 	if len(data) == 0 {
@@ -119,6 +130,18 @@ func DetectContentType(data []byte) SniffedType {
 		data = data[:SniffContentSize]
 	}

+	const typeMsFontObject = "application/vnd.ms-fontobject"
+	if ct == typeMsFontObject {
+		// Stupid Golang blindly detects any content with 34th-35th bytes being "LP" as font.
+		// If it is not really for ".eot" content, we try to detect it again by hiding the "LP", see the test for more details.
+		if isEmbeddedOpenType(data) {
+			return SniffedType{typeMsFontObject}
+		}
+		data = slices.Clone(data)
+		data[34] = 'l'
+		ct = http.DetectContentType(data)
+	}
+
 	vars := globalVars()
 	// SVG is unsupported by http.DetectContentType, https://github.com/golang/go/issues/15888
 	detectByHTML := strings.Contains(ct, "text/plain") || strings.Contains(ct, "text/html")
--- a/modules/typesniffer/typesniffer_test.go
+++ b/modules/typesniffer/typesniffer_test.go
@@ -6,6 +6,7 @@ package typesniffer
 import (
 	"encoding/base64"
 	"encoding/hex"
+	"net/http"
 	"strings"
 	"testing"

@@ -154,3 +155,25 @@ func TestDetectContentTypeAvif(t *testing.T) {
 	st := DetectContentType(buf)
 	assert.Equal(t, MimeTypeImageAvif, st.contentType)
 }
+
+func TestDetectContentTypeIncorrectFont(t *testing.T) {
+	s := "Stupid Golang keep detecting 34th LP as font"
+	// They don't want to have any improvement to it: https://github.com/golang/go/issues/77172
+	golangDetected := http.DetectContentType([]byte(s))
+	assert.Equal(t, "application/vnd.ms-fontobject", golangDetected)
+	// We have to make our patch to make it work correctly
+	ourDetected := DetectContentType([]byte(s))
+	assert.Equal(t, "text/plain; charset=utf-8", ourDetected.contentType)
+
+	// For binary content, ensure it still detects as font. The content is from "opensans-regular.eot"
+	b := []byte{
+		0x3d, 0x30, 0x00, 0x00, 0x6b, 0x2f, 0x00, 0x00, 0x02, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00,
+		0x02, 0x0b, 0x06, 0x06, 0x03, 0x05, 0x04, 0x02, 0x02, 0x04, 0x01, 0x00, 0x90, 0x01, 0x00, 0x00,
+		0x04, 0x00, 0x4c, 0x50, 0xef, 0x02, 0x00, 0xe0, 0x5b, 0x20, 0x00, 0x40, 0x28, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x9f, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x63, 0xf4, 0x17, 0x14,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x12, 0x00, 0x4f, 0x00, 0x70, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x20, 0x00, 0x53, 0x00,
+	}
+	assert.Equal(t, "application/vnd.ms-fontobject", http.DetectContentType(b))
+	assert.Equal(t, "application/vnd.ms-fontobject", DetectContentType(b).contentType)
+}
--- a/modules/util/path.go
+++ b/modules/util/path.go
@@ -64,7 +64,7 @@ func PathJoinRelX(elem ...string) string {
 	return PathJoinRel(elems...)
 }

-const pathSeparator = string(os.PathSeparator)
+const filepathSeparator = string(os.PathSeparator)

 // FilePathJoinAbs joins the path elements into a single file path, each element is cleaned by filepath.Clean separately.
 // All slashes/backslashes are converted to path separators before cleaning, the result only contains path separators.
@@ -75,30 +75,32 @@ const pathSeparator = string(os.PathSeparator)
 //	{`/foo`, ``, `bar`} => `/foo/bar`
 //	{`/foo`, `..`, `bar`} => `/foo/bar`
 func FilePathJoinAbs(base string, sub ...string) string {
-	elems := make([]string, 1, len(sub)+1)
-
 	// POSIX filesystem can have `\` in file names. Windows: `\` and `/` are both used for path separators
 	// to keep the behavior consistent, we do not allow `\` in file names, replace all `\` with `/`
-	if isOSWindows() {
-		elems[0] = filepath.Clean(base)
-	} else {
-		elems[0] = filepath.Clean(strings.ReplaceAll(base, "\\", pathSeparator))
+	if !isOSWindows() {
+		base = strings.ReplaceAll(base, "\\", filepathSeparator)
 	}
-	if !filepath.IsAbs(elems[0]) {
-		// This shouldn't happen. If there is really necessary to pass in relative path, return the full path with filepath.Abs() instead
-		panic(fmt.Sprintf("FilePathJoinAbs: %q (for path %v) is not absolute, do not guess a relative path based on current working directory", elems[0], elems))
+	if !filepath.IsAbs(base) {
+		// This shouldn't happen. If it is really necessary to handle relative paths, use filepath.Abs() to get absolute paths first
+		panic(fmt.Sprintf("FilePathJoinAbs: %q (for path %v) is not absolute, do not guess a relative path based on current working directory", base, sub))
 	}
+	if len(sub) == 0 {
+		return filepath.Clean(base)
+	}
+
+	elems := make([]string, 1, len(sub)+1)
+	elems[0] = base
 	for _, s := range sub {
 		if s == "" {
 			continue
 		}
 		if isOSWindows() {
-			elems = append(elems, filepath.Clean(pathSeparator+s))
+			elems = append(elems, filepath.Clean(filepathSeparator+s))
 		} else {
-			elems = append(elems, filepath.Clean(pathSeparator+strings.ReplaceAll(s, "\\", pathSeparator)))
+			elems = append(elems, filepath.Clean(filepathSeparator+strings.ReplaceAll(s, "\\", filepathSeparator)))
 		}
 	}
-	// the elems[0] must be an absolute path, just join them together
+	// the elems[0] must be an absolute path, just join them together, and Join will also do Clean
 	return filepath.Join(elems...)
 }

@@ -115,12 +117,72 @@ func IsDir(dir string) (bool, error) {
 	return false, err
 }

-func IsRegularFile(filePath string) (bool, error) {
-	f, err := os.Lstat(filePath)
-	if err == nil {
-		return f.Mode().IsRegular(), nil
+var ErrNotRegularPathFile = errors.New("not a regular file")
+
+// ReadRegularPathFile reads a file with given sub path in root dir.
+// It returns error when the path is not a regular file, or any parent path is not a regular directory.
+func ReadRegularPathFile(root, filePathIn string, limit int) ([]byte, error) {
+	pathFields := strings.Split(PathJoinRelX(filePathIn), "/")
+
+	targetPathBuilder := strings.Builder{}
+	targetPathBuilder.Grow(len(root) + len(filePathIn) + 2)
+	targetPathBuilder.WriteString(root)
+	targetPathString := root
+	for i, subPath := range pathFields {
+		targetPathBuilder.WriteByte(filepath.Separator)
+		targetPathBuilder.WriteString(subPath)
+		targetPathString = targetPathBuilder.String()
+
+		expectFile := i == len(pathFields)-1
+		st, err := os.Lstat(targetPathString)
+		if err != nil {
+			return nil, err
+		}
+		if expectFile && !st.Mode().IsRegular() || !expectFile && !st.Mode().IsDir() {
+			return nil, fmt.Errorf("%w: %s", ErrNotRegularPathFile, filePathIn)
+		}
 	}
-	return false, err
+	f, err := os.Open(targetPathString)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return ReadWithLimit(f, limit)
+}
+
+// WriteRegularPathFile writes data to a file with given sub path in root dir, it creates parent directories if necessary.
+// The file is created with fileMode, and the directories are created with dirMode.
+// It returns error when the path already exists but is not a regular file, or any parent path is not a regular directory.
+func WriteRegularPathFile(root, filePathIn string, data []byte, dirMode, fileMode os.FileMode) error {
+	pathFields := strings.Split(PathJoinRelX(filePathIn), "/")
+
+	targetPathBuilder := strings.Builder{}
+	targetPathBuilder.Grow(len(root) + len(filePathIn) + 2)
+	targetPathBuilder.WriteString(root)
+	targetPathString := root
+	for i, subPath := range pathFields {
+		targetPathBuilder.WriteByte(filepath.Separator)
+		targetPathBuilder.WriteString(subPath)
+		targetPathString = targetPathBuilder.String()
+
+		expectFile := i == len(pathFields)-1
+		st, err := os.Lstat(targetPathString)
+		if err == nil {
+			if expectFile && !st.Mode().IsRegular() || !expectFile && !st.Mode().IsDir() {
+				return fmt.Errorf("%w: %s", ErrNotRegularPathFile, filePathIn)
+			}
+			continue
+		}
+		if !os.IsNotExist(err) {
+			return err
+		}
+		if !expectFile {
+			if err = os.Mkdir(targetPathString, dirMode); err != nil {
+				return err
+			}
+		}
+	}
+	return os.WriteFile(targetPathString, data, fileMode)
 }

 // IsExist checks whether a file or directory exists.
--- a/modules/util/path_test.go
+++ b/modules/util/path_test.go
@@ -6,6 +6,7 @@ package util
 import (
 	"net/url"
 	"os"
+	"path/filepath"
 	"runtime"
 	"testing"

@@ -230,3 +231,70 @@ func TestListDirRecursively(t *testing.T) {
 	require.NoError(t, err)
 	assert.ElementsMatch(t, []string{"d1/f-d1", "d1/s1/f-d1s1"}, res)
 }
+
+func TestReadWriteRegularPathFile(t *testing.T) {
+	const readLimit = 10000
+	tmpDir := t.TempDir()
+	rootDir := tmpDir + "/root"
+	_ = os.Mkdir(rootDir, 0o755)
+	_ = os.WriteFile(tmpDir+"/other-file", []byte("other-content"), 0o755)
+	_ = os.Mkdir(rootDir+"/real-dir", 0o755)
+	_ = os.WriteFile(rootDir+"/real-dir/real-file", []byte("dummy-content"), 0o644)
+	_ = os.Symlink(rootDir+"/real-dir", rootDir+"/link-dir")
+	_ = os.Symlink(rootDir+"/real-dir/real-file", rootDir+"/real-dir/link-file")
+
+	t.Run("Read", func(t *testing.T) {
+		content, err := os.ReadFile(filepath.Join(rootDir, "../other-file"))
+		require.NoError(t, err)
+		assert.Equal(t, "other-content", string(content))
+
+		content, err = ReadRegularPathFile(rootDir, "../other-file", readLimit)
+		require.ErrorIs(t, err, os.ErrNotExist)
+		assert.Empty(t, string(content))
+
+		content, err = ReadRegularPathFile(rootDir, "real-dir/real-file", readLimit)
+		require.NoError(t, err)
+		assert.Equal(t, "dummy-content", string(content))
+
+		_, err = ReadRegularPathFile(rootDir, "link-dir/real-file", readLimit)
+		require.ErrorIs(t, err, ErrNotRegularPathFile)
+		_, err = ReadRegularPathFile(rootDir, "real-dir/link-file", readLimit)
+		require.ErrorIs(t, err, ErrNotRegularPathFile)
+		_, err = ReadRegularPathFile(rootDir, "link-dir/link-file", readLimit)
+		require.ErrorIs(t, err, ErrNotRegularPathFile)
+	})
+
+	t.Run("Write", func(t *testing.T) {
+		assertFileContent := func(path, expected string) {
+			data, err := os.ReadFile(path)
+			if expected == "" {
+				assert.ErrorIs(t, err, os.ErrNotExist)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, expected, string(data), "file content mismatch for %s", path)
+		}
+
+		err := WriteRegularPathFile(rootDir, "new-dir/new-file", []byte("new-content"), 0o755, 0o644)
+		require.NoError(t, err)
+		assertFileContent(rootDir+"/new-dir/new-file", "new-content")
+
+		err = WriteRegularPathFile(rootDir, "link-dir/real-file", []byte("new-content"), 0o755, 0o644)
+		require.ErrorIs(t, err, ErrNotRegularPathFile)
+		err = WriteRegularPathFile(rootDir, "link-dir/link-file", []byte("new-content"), 0o755, 0o644)
+		require.ErrorIs(t, err, ErrNotRegularPathFile)
+		err = WriteRegularPathFile(rootDir, "link-dir/new-file", []byte("new-content"), 0o755, 0o644)
+		require.ErrorIs(t, err, ErrNotRegularPathFile)
+		err = WriteRegularPathFile(rootDir, "real-dir/link-file", []byte("new-content"), 0o755, 0o644)
+		require.ErrorIs(t, err, ErrNotRegularPathFile)
+
+		err = WriteRegularPathFile(rootDir, "../other-file", []byte("new-content"), 0o755, 0o644)
+		require.NoError(t, err)
+		assertFileContent(rootDir+"/../other-file", "other-content")
+		assertFileContent(rootDir+"/other-file", "new-content")
+
+		err = WriteRegularPathFile(rootDir, "real-dir/real-file", []byte("changed-content"), 0o755, 0o644)
+		require.NoError(t, err)
+		assertFileContent(rootDir+"/real-dir/real-file", "changed-content")
+	})
+}
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -834,6 +834,7 @@ add_new_openid = Add New OpenID URI
 add_email = Add Email Address
 add_openid = Add OpenID URI
 add_email_confirmation_sent = A confirmation email has been sent to "%s". Please check your inbox within the next %s to confirm your email address.
+email_primary_not_found = The selected email address could not be found.
 add_email_success = The new email address has been added.
 email_preference_set_success = Email preference has been set successfully.
 add_openid_success = The new OpenID address has been added.
--- a/package.json
+++ b/package.json
@@ -98,7 +98,7 @@
    "eslint-plugin-wc": "3.0.1",
    "globals": "16.4.0",
    "happy-dom": "18.0.1",
-    "markdownlint-cli": "0.45.0",
+    "markdownlint-cli": "0.48.0",
    "material-icon-theme": "5.27.0",
    "nolyfill": "1.0.44",
    "postcss-html": "1.8.0",
@@ -107,7 +107,7 @@
    "stylelint-declaration-block-no-ignored-properties": "2.8.0",
    "stylelint-declaration-strict-value": "1.10.11",
    "stylelint-value-no-unknown-custom-properties": "6.0.1",
-    "svgo": "4.0.0",
+    "svgo": "4.0.1",
    "typescript-eslint": "8.43.0",
    "updates": "16.7.0",
    "vite-string-plugin": "1.4.6",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -298,8 +298,8 @@ importers:
        specifier: 18.0.1
        version: 18.0.1
      markdownlint-cli:
-        specifier: 0.45.0
-        version: 0.45.0
+        specifier: 0.48.0
+        version: 0.48.0
      material-icon-theme:
        specifier: 5.27.0
        version: 5.27.0
@@ -325,8 +325,8 @@ importers:
        specifier: 6.0.1
        version: 6.0.1(stylelint@16.24.0(typescript@5.9.2))
      svgo:
-        specifier: 4.0.0
-        version: 4.0.0
+        specifier: 4.0.1
+        version: 4.0.1
      typescript-eslint:
        specifier: 8.43.0
        version: 8.43.0(eslint@9.35.0(jiti@2.5.1))(typescript@5.9.2)
@@ -1836,6 +1836,10 @@ packages:
  balanced-match@2.0.0:
    resolution: {integrity: sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==}

+  balanced-match@4.0.4:
+    resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
+    engines: {node: 18 || 20 || >=22}
+
  base64-js@1.5.1:
    resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}

@@ -1855,6 +1859,10 @@ packages:
  brace-expansion@2.0.2:
    resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==}

+  brace-expansion@5.0.4:
+    resolution: {integrity: sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==}
+    engines: {node: 18 || 20 || >=22}
+
  braces@3.0.3:
    resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
    engines: {node: '>=8'}
@@ -2014,9 +2022,9 @@ packages:
    resolution: {integrity: sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==}
    engines: {node: '>=18'}

-  commander@13.1.0:
-    resolution: {integrity: sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==}
-    engines: {node: '>=18'}
+  commander@14.0.3:
+    resolution: {integrity: sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==}
+    engines: {node: '>=20'}

  commander@2.20.3:
    resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==}
@@ -2104,6 +2112,10 @@ packages:
    resolution: {integrity: sha512-0eW44TGN5SQXU1mWSkKwFstI/22X2bG1nYzZTYMAWjylYURhse752YgbE4Cx46AC+bAvI+/dYTPRk1LqSUnu6w==}
    engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0}

+  css-tree@3.2.1:
+    resolution: {integrity: sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==}
+    engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0}
+
  css-what@6.2.2:
    resolution: {integrity: sha512-u/O3vwbptzhMs3L1fQE82ZSLHQQfto5gyZzwteVIEyeaY5Fc7R4dapF/BvRoSYFeqfBk4m0V1Vafq5Pjv25wvA==}
    engines: {node: '>= 6'}
@@ -2308,8 +2320,17 @@ packages:
      supports-color:
        optional: true

-  decode-named-character-reference@1.2.0:
-    resolution: {integrity: sha512-c6fcElNV6ShtZXmsgNgFFV5tVX2PaV4g+MOAkb8eXHvn6sryJBrZa9r0zV6+dtTyoCKxtDy5tyQ5ZwQuidtd+Q==}
+  debug@4.4.3:
+    resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
+    engines: {node: '>=6.0'}
+    peerDependencies:
+      supports-color: '*'
+    peerDependenciesMeta:
+      supports-color:
+        optional: true
+
+  decode-named-character-reference@1.3.0:
+    resolution: {integrity: sha512-GtpQYB283KrPp6nRw50q3U9/VfOutZOe103qlN7BPP6Ad27xYnOIWv4lPzo8HCAL+mMZofJ9KEy30fq6MfaK6Q==}

  decode-uri-component@0.2.2:
    resolution: {integrity: sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==}
@@ -2675,6 +2696,10 @@ packages:
    resolution: {integrity: sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==}
    engines: {node: '>=0.10'}

+  esquery@1.7.0:
+    resolution: {integrity: sha512-Ap6G0WQwcU/LHsvLwON1fAQX9Zp0A2Y6Y/cJBl9r/JbW90Zyg4/zbG6zzKa2OTALELarYHmKu0GhpM5EO+7T0g==}
+    engines: {node: '>=0.10'}
+
  esrecurse@4.3.0:
    resolution: {integrity: sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==}
    engines: {node: '>=4.0'}
@@ -2835,6 +2860,10 @@ packages:
    resolution: {integrity: sha512-QZjmEOC+IT1uk6Rx0sX22V6uHWVwbdbxf1faPqJ1QhLdGgsRGCZoyaQBm/piRdJy/D2um6hM1UP7ZEeQ4EkP+Q==}
    engines: {node: '>=18'}

+  get-east-asian-width@1.5.0:
+    resolution: {integrity: sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==}
+    engines: {node: '>=18'}
+
  get-set-props@0.2.0:
    resolution: {integrity: sha512-YCmOj+4YAeEB5Dd9jfp6ETdejMet4zSxXjNkgaa4npBEKRI9uDOGB5MmAdAgi2OoFGAKshYhCbmLq2DS03CgVA==}
    engines: {node: '>=18.0.0'}
@@ -2860,11 +2889,6 @@ packages:
    resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==}
    hasBin: true

-  glob@11.0.3:
-    resolution: {integrity: sha512-2Nim7dha1KVkaiF4q6Dj+ngPPMdfvLJEOpZk/jKiUAkqKebpGAWQXAq9z1xu9HKu5lWfqw/FASuccEjyznjPaA==}
-    engines: {node: 20 || >=22}
-    hasBin: true
-
  glob@7.2.3:
    resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
    deprecated: Glob versions prior to v9 are no longer supported
@@ -3102,10 +3126,6 @@ packages:
  jackspeak@3.4.3:
    resolution: {integrity: sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==}

-  jackspeak@4.1.1:
-    resolution: {integrity: sha512-zptv57P3GpL+O0I7VdMJNBZCu+BPHVQUk55Ft8/QCJjTVxrnJHuVuX/0Bl2A6/+2oyR/ZMEuFKwmzqqZ/U5nPQ==}
-    engines: {node: 20 || >=22}
-
  jest-worker@27.5.1:
    resolution: {integrity: sha512-7vuh85V5cdDofPyxn58nrPjBktZo0u9x1g8WtjQol+jZDaE+fhN+cIvTj11GndBnMnyfrUOG1sZQxCdjKh+DKg==}
    engines: {node: '>= 10.13.0'}
@@ -3138,6 +3158,10 @@ packages:
    resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
    hasBin: true

+  js-yaml@4.1.1:
+    resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==}
+    hasBin: true
+
  jsdoc-type-pratt-parser@4.8.0:
    resolution: {integrity: sha512-iZ8Bdb84lWRuGHamRXFyML07r21pcwBrLkHEuHgEY5UbCouBwv7ECknDRKzsQIXMiqpPymqtIf8TC/shYKB5rw==}
    engines: {node: '>=12.0.0'}
@@ -3331,10 +3355,6 @@ packages:
  lru-cache@10.4.3:
    resolution: {integrity: sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==}

-  lru-cache@11.2.1:
-    resolution: {integrity: sha512-r8LA6i4LP4EeWOhqBaZZjDWwehd1xUJPCJd9Sv300H0ZmcUER4+JPh7bqqZeqs1o5pgtgvXm+d9UGrB5zZGDiQ==}
-    engines: {node: 20 || >=22}
-
  magic-string@0.25.9:
    resolution: {integrity: sha512-RmF0AsMzgt25qzqqLc1+MbHmhdx0ojF2Fvs4XnOqz2ZOBXzzkEwc/dJQZCYHAn7v1jbVOjAZfK8msRn4BxO4VQ==}

@@ -3344,17 +3364,17 @@ packages:
  markdown-escape@2.0.0:
    resolution: {integrity: sha512-Trz4v0+XWlwy68LJIyw3bLbsJiC8XAbRCKF9DbEtZjyndKOGVx6n+wNB0VfoRmY2LKboQLeniap3xrb6LGSJ8A==}

-  markdown-it@14.1.0:
-    resolution: {integrity: sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==}
+  markdown-it@14.1.1:
+    resolution: {integrity: sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==}
    hasBin: true

-  markdownlint-cli@0.45.0:
-    resolution: {integrity: sha512-GiWr7GfJLVfcopL3t3pLumXCYs8sgWppjIA1F/Cc3zIMgD3tmkpyZ1xkm1Tej8mw53B93JsDjgA3KOftuYcfOw==}
+  markdownlint-cli@0.48.0:
+    resolution: {integrity: sha512-NkZQNu2E0Q5qLEEHwWj674eYISTLD4jMHkBzDobujXd1kv+yCxi8jOaD/rZoQNW1FBBMMGQpuW5So8B51N/e0A==}
    engines: {node: '>=20'}
    hasBin: true

-  markdownlint@0.38.0:
-    resolution: {integrity: sha512-xaSxkaU7wY/0852zGApM8LdlIfGCW8ETZ0Rr62IQtAnUMlMuifsg09vWJcNYeL4f0anvr8Vo4ZQar8jGpV0btQ==}
+  markdownlint@0.40.0:
+    resolution: {integrity: sha512-UKybllYNheWac61Ia7T6fzuQNDZimFIpCg2w6hHjgV1Qu0w1TV0LlSgryUGzM0bkKQCBhy2FDhEELB73Kb0kAg==}
    engines: {node: '>=20'}

  marked@15.0.12:
@@ -3380,6 +3400,9 @@ packages:
  mdn-data@2.12.2:
    resolution: {integrity: sha512-IEn+pegP1aManZuckezWCO+XZQDplx1366JoVhTpMpBB1sPey/SbveZQUosKiKiGYjg1wH4pMlNgXbCiYgihQA==}

+  mdn-data@2.27.1:
+    resolution: {integrity: sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==}
+
  mdurl@2.0.0:
    resolution: {integrity: sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==}

@@ -3494,6 +3517,10 @@ packages:
    resolution: {integrity: sha512-IPZ167aShDZZUMdRk66cyQAW3qr0WzbHkPdMYa8bzZhlHhO3jALbKdxcaak7W9FfT2rZNpQuUu4Od7ILEpXSaw==}
    engines: {node: 20 || >=22}

+  minimatch@10.2.4:
+    resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==}
+    engines: {node: 18 || 20 || >=22}
+
  minimatch@3.1.2:
    resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==}

@@ -3676,10 +3703,6 @@ packages:
    resolution: {integrity: sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==}
    engines: {node: '>=16 || 14 >=14.18'}

-  path-scurry@2.0.0:
-    resolution: {integrity: sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==}
-    engines: {node: 20 || >=22}
-
  path-type@4.0.0:
    resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==}
    engines: {node: '>=8'}
@@ -3997,8 +4020,9 @@ packages:
  sax@1.2.4:
    resolution: {integrity: sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==}

-  sax@1.4.1:
-    resolution: {integrity: sha512-+aWOz7yVScEGoKNd4PA10LZ8sk0A/z5+nXQG5giUO5rprX9jgYsTdov9qCchZiPIZezbZH+jRut8nPodFAX4Jg==}
+  sax@1.5.0:
+    resolution: {integrity: sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==}
+    engines: {node: '>=11.0.0'}

  schema-utils@4.3.2:
    resolution: {integrity: sha512-Gn/JaSk/Mt9gYubxTtSn/QCV4em9mpAPiR1rqy/Ocu19u/G9J5WWdNoUT4SiV6mFC3y6cxyFcFwdzPM3FgxGAQ==}
@@ -4017,6 +4041,11 @@ packages:
    engines: {node: '>=10'}
    hasBin: true

+  semver@7.7.4:
+    resolution: {integrity: sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==}
+    engines: {node: '>=10'}
+    hasBin: true
+
  serialize-javascript@6.0.2:
    resolution: {integrity: sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==}

@@ -4061,8 +4090,8 @@ packages:
    resolution: {integrity: sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==}
    engines: {node: '>=10'}

-  smol-toml@1.3.4:
-    resolution: {integrity: sha512-UOPtVuYkzYGee0Bd2Szz8d2G3RfMfJ2t3qVdZUAozZyAk+a0Sxa+QKix0YCwjL/A1RR0ar44nCxaoN9FxdJGwA==}
+  smol-toml@1.6.0:
+    resolution: {integrity: sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==}
    engines: {node: '>= 18'}

  solid-js@1.9.9:
@@ -4143,6 +4172,10 @@ packages:
    resolution: {integrity: sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==}
    engines: {node: '>=18'}

+  string-width@8.1.0:
+    resolution: {integrity: sha512-Kxl3KJGb/gxkaUMOjRsQ8IrXiGW75O4E3RPjFIINOVH8AMl2SQ/yWdTzWwF3FevIX9LcMAjJW+GRwAlAbTSXdg==}
+    engines: {node: '>=20'}
+
  strip-ansi@6.0.1:
    resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
    engines: {node: '>=8'}
@@ -4151,6 +4184,10 @@ packages:
    resolution: {integrity: sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==}
    engines: {node: '>=12'}

+  strip-ansi@7.2.0:
+    resolution: {integrity: sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==}
+    engines: {node: '>=12'}
+
  strip-bom@3.0.0:
    resolution: {integrity: sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==}
    engines: {node: '>=4'}
@@ -4235,8 +4272,8 @@ packages:
  svg-tags@1.0.0:
    resolution: {integrity: sha512-ovssysQTa+luh7A5Weu3Rta6FJlFBBbInjOh722LIt6klpU2/HtdUbszju/G4devcvk8PGt7FCLv5wftu3THUA==}

-  svgo@4.0.0:
-    resolution: {integrity: sha512-VvrHQ+9uniE+Mvx3+C9IEe/lWasXCU0nXMY2kZeLrHNICuRiC8uMPyM14UEaMOFA5mhyQqEkB02VoQ16n3DLaw==}
+  svgo@4.0.1:
+    resolution: {integrity: sha512-XDpWUOPC6FEibaLzjfe0ucaV0YrOjYotGJO1WpF0Zd+n6ZGEQUsSugaoLq9QkEZtAfQIxT42UChcssDVPP3+/w==}
    engines: {node: '>=16'}
    hasBin: true

@@ -6292,6 +6329,8 @@ snapshots:

  balanced-match@2.0.0: {}

+  balanced-match@4.0.4: {}
+
  base64-js@1.5.1: {}

  big.js@5.2.2: {}
@@ -6309,6 +6348,10 @@ snapshots:
    dependencies:
      balanced-match: 1.0.2

+  brace-expansion@5.0.4:
+    dependencies:
+      balanced-match: 4.0.4
+
  braces@3.0.3:
    dependencies:
      fill-range: 7.1.1
@@ -6464,7 +6507,7 @@ snapshots:

  commander@12.1.0: {}

-  commander@13.1.0: {}
+  commander@14.0.3: {}

  commander@2.20.3: {}

@@ -6548,6 +6591,11 @@ snapshots:
      mdn-data: 2.12.2
      source-map-js: 1.2.1

+  css-tree@3.2.1:
+    dependencies:
+      mdn-data: 2.27.1
+      source-map-js: 1.2.1
+
  css-what@6.2.2: {}

  css@3.0.0:
@@ -6764,7 +6812,11 @@ snapshots:
    dependencies:
      ms: 2.1.3

-  decode-named-character-reference@1.2.0:
+  debug@4.4.3:
+    dependencies:
+      ms: 2.1.3
+
+  decode-named-character-reference@1.3.0:
    dependencies:
      character-entities: 2.0.2

@@ -7264,6 +7316,10 @@ snapshots:
    dependencies:
      estraverse: 5.3.0

+  esquery@1.7.0:
+    dependencies:
+      estraverse: 5.3.0
+
  esrecurse@4.3.0:
    dependencies:
      estraverse: 5.3.0
@@ -7402,6 +7458,8 @@ snapshots:

  get-east-asian-width@1.4.0: {}

+  get-east-asian-width@1.5.0: {}
+
  get-set-props@0.2.0: {}

  get-source@2.0.12:
@@ -7432,15 +7490,6 @@ snapshots:
      package-json-from-dist: 1.0.1
      path-scurry: 1.11.1

-  glob@11.0.3:
-    dependencies:
-      foreground-child: 3.3.1
-      jackspeak: 4.1.1
-      minimatch: 10.0.3
-      minipass: 7.1.2
-      package-json-from-dist: 1.0.1
-      path-scurry: 2.0.0
-
  glob@7.2.3:
    dependencies:
      fs.realpath: 1.0.0
@@ -7647,10 +7696,6 @@ snapshots:
    optionalDependencies:
      '@pkgjs/parseargs': 0.11.0

-  jackspeak@4.1.1:
-    dependencies:
-      '@isaacs/cliui': 8.0.2
-
  jest-worker@27.5.1:
    dependencies:
      '@types/node': 24.3.1
@@ -7675,6 +7720,10 @@ snapshots:
    dependencies:
      argparse: 2.0.1

+  js-yaml@4.1.1:
+    dependencies:
+      argparse: 2.0.1
+
  jsdoc-type-pratt-parser@4.8.0: {}

  jsep@1.4.0: {}
@@ -7833,8 +7882,6 @@ snapshots:

  lru-cache@10.4.3: {}

-  lru-cache@11.2.1: {}
-
  magic-string@0.25.9:
    dependencies:
      sourcemap-codec: 1.4.8
@@ -7845,7 +7892,7 @@ snapshots:

  markdown-escape@2.0.0: {}

-  markdown-it@14.1.0:
+  markdown-it@14.1.1:
    dependencies:
      argparse: 2.0.1
      entities: 4.5.0
@@ -7854,23 +7901,24 @@ snapshots:
      punycode.js: 2.3.1
      uc.micro: 2.1.0

-  markdownlint-cli@0.45.0:
+  markdownlint-cli@0.48.0:
    dependencies:
-      commander: 13.1.0
-      glob: 11.0.3
+      commander: 14.0.3
+      deep-extend: 0.6.0
      ignore: 7.0.5
-      js-yaml: 4.1.0
+      js-yaml: 4.1.1
      jsonc-parser: 3.3.1
      jsonpointer: 5.0.1
-      markdown-it: 14.1.0
-      markdownlint: 0.38.0
-      minimatch: 10.0.3
+      markdown-it: 14.1.1
+      markdownlint: 0.40.0
+      minimatch: 10.2.4
      run-con: 1.3.2
-      smol-toml: 1.3.4
+      smol-toml: 1.6.0
+      tinyglobby: 0.2.15
    transitivePeerDependencies:
      - supports-color

-  markdownlint@0.38.0:
+  markdownlint@0.40.0:
    dependencies:
      micromark: 4.0.2
      micromark-core-commonmark: 2.0.3
@@ -7880,6 +7928,7 @@ snapshots:
      micromark-extension-gfm-table: 2.1.1
      micromark-extension-math: 3.1.0
      micromark-util-types: 2.0.2
+      string-width: 8.1.0
    transitivePeerDependencies:
      - supports-color

@@ -7900,6 +7949,8 @@ snapshots:

  mdn-data@2.12.2: {}

+  mdn-data@2.27.1: {}
+
  mdurl@2.0.0: {}

  meow@13.2.0: {}
@@ -7935,7 +7986,7 @@ snapshots:

  micromark-core-commonmark@2.0.3:
    dependencies:
-      decode-named-character-reference: 1.2.0
+      decode-named-character-reference: 1.3.0
      devlop: 1.1.0
      micromark-factory-destination: 2.0.1
      micromark-factory-label: 2.0.1
@@ -8086,8 +8137,8 @@ snapshots:
  micromark@4.0.2:
    dependencies:
      '@types/debug': 4.1.12
-      debug: 4.4.1
-      decode-named-character-reference: 1.2.0
+      debug: 4.4.3
+      decode-named-character-reference: 1.3.0
      devlop: 1.1.0
      micromark-core-commonmark: 2.0.3
      micromark-factory-space: 2.0.1
@@ -8126,6 +8177,10 @@ snapshots:
    dependencies:
      '@isaacs/brace-expansion': 5.0.0

+  minimatch@10.2.4:
+    dependencies:
+      brace-expansion: 5.0.4
+
  minimatch@3.1.2:
    dependencies:
      brace-expansion: 1.1.12
@@ -8266,7 +8321,7 @@ snapshots:
      '@types/unist': 2.0.11
      character-entities-legacy: 3.0.0
      character-reference-invalid: 2.0.1
-      decode-named-character-reference: 1.2.0
+      decode-named-character-reference: 1.3.0
      is-alphanumerical: 2.0.1
      is-decimal: 2.0.1
      is-hexadecimal: 2.0.1
@@ -8295,11 +8350,6 @@ snapshots:
      lru-cache: 10.4.3
      minipass: 7.1.2

-  path-scurry@2.0.0:
-    dependencies:
-      lru-cache: 11.2.1
-      minipass: 7.1.2
-
  path-type@4.0.0: {}

  pathe@2.0.3: {}
@@ -8594,7 +8644,7 @@ snapshots:

  sax@1.2.4: {}

-  sax@1.4.1: {}
+  sax@1.5.0: {}

  schema-utils@4.3.2:
    dependencies:
@@ -8613,6 +8663,8 @@ snapshots:

  semver@7.7.2: {}

+  semver@7.7.4: {}
+
  serialize-javascript@6.0.2:
    dependencies:
      randombytes: 2.1.0
@@ -8649,7 +8701,7 @@ snapshots:
      astral-regex: 2.0.0
      is-fullwidth-code-point: 3.0.0

-  smol-toml@1.3.4: {}
+  smol-toml@1.6.0: {}

  solid-js@1.9.9:
    dependencies:
@@ -8735,6 +8787,11 @@ snapshots:
      get-east-asian-width: 1.4.0
      strip-ansi: 7.1.2

+  string-width@8.1.0:
+    dependencies:
+      get-east-asian-width: 1.5.0
+      strip-ansi: 7.2.0
+
  strip-ansi@6.0.1:
    dependencies:
      ansi-regex: 5.0.1
@@ -8743,6 +8800,10 @@ snapshots:
    dependencies:
      ansi-regex: 6.2.2

+  strip-ansi@7.2.0:
+    dependencies:
+      ansi-regex: 6.2.2
+
  strip-bom@3.0.0: {}

  strip-indent@4.1.0: {}
@@ -8861,15 +8922,15 @@ snapshots:

  svg-tags@1.0.0: {}

-  svgo@4.0.0:
+  svgo@4.0.1:
    dependencies:
      commander: 11.1.0
      css-select: 5.2.2
-      css-tree: 3.1.0
+      css-tree: 3.2.1
      css-what: 6.2.2
      csso: 5.0.5
      picocolors: 1.1.1
-      sax: 1.4.1
+      sax: 1.5.0

  svgson@5.3.1:
    dependencies:
@@ -9207,13 +9268,13 @@ snapshots:

  vue-eslint-parser@10.2.0(eslint@9.35.0(jiti@2.5.1)):
    dependencies:
-      debug: 4.4.1
+      debug: 4.4.3
      eslint: 9.35.0(jiti@2.5.1)
      eslint-scope: 8.4.0
      eslint-visitor-keys: 4.2.1
      espree: 10.4.0
-      esquery: 1.6.0
-      semver: 7.7.2
+      esquery: 1.7.0
+      semver: 7.7.4
    transitivePeerDependencies:
      - supports-color

--- a/routers/api/actions/artifacts.go
+++ b/routers/api/actions/artifacts.go
@@ -241,7 +241,7 @@ func (ar artifactRoutes) uploadArtifact(ctx *ArtifactContext) {
 	}

 	// get upload file size
-	fileRealTotalSize, contentLength := getUploadFileSize(ctx)
+	fileRealTotalSize := getUploadFileSize(ctx)

 	// get artifact retention days
 	expiredDays := setting.Actions.ArtifactRetentionDays
@@ -265,17 +265,17 @@ func (ar artifactRoutes) uploadArtifact(ctx *ArtifactContext) {
 		return
 	}

-	// save chunk to storage, if success, return chunk stotal size
+	// save chunk to storage, if success, return chunks total size
 	// if artifact is not gzip when uploading, chunksTotalSize ==  fileRealTotalSize
 	// if artifact is gzip when uploading, chunksTotalSize <  fileRealTotalSize
-	chunksTotalSize, err := saveUploadChunk(ar.fs, ctx, artifact, contentLength, runID)
+	chunksTotalSize, err := saveUploadChunkV3GetTotalSize(ar.fs, ctx, artifact, runID)
 	if err != nil {
 		log.Error("Error save upload chunk: %v", err)
 		ctx.HTTPError(http.StatusInternalServerError, "Error save upload chunk")
 		return
 	}

-	// update artifact size if zero or not match, over write artifact size
+	// update artifact size if zero or not match, overwrite artifact size
 	if artifact.FileSize == 0 ||
 		artifact.FileCompressedSize == 0 ||
 		artifact.FileSize != fileRealTotalSize ||
--- a/routers/api/actions/artifacts_chunks.go
+++ b/routers/api/actions/artifacts_chunks.go
@@ -12,7 +12,7 @@ import (
 	"fmt"
 	"hash"
 	"io"
-	"path/filepath"
+	"path"
 	"sort"
 	"strings"
 	"time"
@@ -20,18 +20,73 @@ import (
 	"code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"
 )

-func saveUploadChunkBase(st storage.ObjectStorage, ctx *ArtifactContext,
-	artifact *actions.ActionArtifact,
-	contentSize, runID, start, end, length int64, checkMd5 bool,
-) (int64, error) {
+type saveUploadChunkOptions struct {
+	start    int64
+	end      *int64
+	checkMd5 bool
+}
+
+func makeTmpPathNameV3(runID int64) string {
+	return fmt.Sprintf("tmp-upload/run-%d", runID)
+}
+
+func makeTmpPathNameV4(runID int64) string {
+	return fmt.Sprintf("tmp-upload/run-%d-v4", runID)
+}
+
+func makeChunkFilenameV3(runID, artifactID, start int64, endPtr *int64) string {
+	var end int64
+	if endPtr != nil {
+		end = *endPtr
+	}
+	return fmt.Sprintf("%d-%d-%d-%d.chunk", runID, artifactID, start, end)
+}
+
+func parseChunkFileItemV3(st storage.ObjectStorage, fpath string) (*chunkFileItem, error) {
+	baseName := path.Base(fpath)
+	if !strings.HasSuffix(baseName, ".chunk") {
+		return nil, errSkipChunkFile
+	}
+
+	var item chunkFileItem
+	var unusedRunID int64
+	if _, err := fmt.Sscanf(baseName, "%d-%d-%d-%d.chunk", &unusedRunID, &item.ArtifactID, &item.Start, &item.End); err != nil {
+		return nil, err
+	}
+
+	item.Path = fpath
+	if item.End == 0 {
+		fi, err := st.Stat(item.Path)
+		if err != nil {
+			return nil, err
+		}
+		item.Size = fi.Size()
+		item.End = item.Start + item.Size - 1
+	} else {
+		item.Size = item.End - item.Start + 1
+	}
+	return &item, nil
+}
+
+func saveUploadChunkV3(st storage.ObjectStorage, ctx *ArtifactContext, artifact *actions.ActionArtifact,
+	runID int64, opts saveUploadChunkOptions,
+) (writtenSize int64, retErr error) {
 	// build chunk store path
-	storagePath := fmt.Sprintf("tmp%d/%d-%d-%d-%d.chunk", runID, runID, artifact.ID, start, end)
+	storagePath := fmt.Sprintf("%s/%s", makeTmpPathNameV3(runID), makeChunkFilenameV3(runID, artifact.ID, opts.start, opts.end))
+
+	// "end" is optional, so "contentSize=-1" means read until EOF
+	contentSize := int64(-1)
+	if opts.end != nil {
+		contentSize = *opts.end - opts.start + 1
+	}
+
 	var r io.Reader = ctx.Req.Body
 	var hasher hash.Hash
-	if checkMd5 {
+	if opts.checkMd5 {
 		// use io.TeeReader to avoid reading all body to md5 sum.
 		// it writes data to hasher after reading end
 		// if hash is not matched, delete the read-end result
@@ -41,76 +96,81 @@ func saveUploadChunkBase(st storage.ObjectStorage, ctx *ArtifactContext,
 	// save chunk to storage
 	writtenSize, err := st.Save(storagePath, r, contentSize)
 	if err != nil {
-		return -1, fmt.Errorf("save chunk to storage error: %v", err)
+		return 0, fmt.Errorf("save chunk to storage error: %v", err)
 	}
-	var checkErr error
-	if checkMd5 {
+
+	defer func() {
+		if retErr != nil {
+			if err := st.Delete(storagePath); err != nil {
+				log.Error("Error deleting chunk: %s, %v", storagePath, err)
+			}
+		}
+	}()
+
+	if contentSize != -1 && writtenSize != contentSize {
+		return writtenSize, fmt.Errorf("writtenSize %d does not match contentSize %d", writtenSize, contentSize)
+	}
+	if opts.checkMd5 {
 		// check md5
 		reqMd5String := ctx.Req.Header.Get(artifactXActionsResultsMD5Header)
 		chunkMd5String := base64.StdEncoding.EncodeToString(hasher.Sum(nil))
-		log.Info("[artifact] check chunk md5, sum: %s, header: %s", chunkMd5String, reqMd5String)
+		log.Debug("[artifact] check chunk md5, sum: %s, header: %s", chunkMd5String, reqMd5String)
 		// if md5 not match, delete the chunk
 		if reqMd5String != chunkMd5String {
-			checkErr = errors.New("md5 not match")
+			return writtenSize, errors.New("md5 not match")
 		}
 	}
-	if writtenSize != contentSize {
-		checkErr = errors.Join(checkErr, fmt.Errorf("writtenSize %d not match contentSize %d", writtenSize, contentSize))
-	}
-	if checkErr != nil {
-		if err := st.Delete(storagePath); err != nil {
-			log.Error("Error deleting chunk: %s, %v", storagePath, err)
-		}
-		return -1, checkErr
-	}
-	log.Info("[artifact] save chunk %s, size: %d, artifact id: %d, start: %d, end: %d",
-		storagePath, contentSize, artifact.ID, start, end)
-	// return chunk total size
-	return length, nil
+	log.Debug("[artifact] save chunk %s, size: %d, artifact id: %d, start: %d, size: %d", storagePath, writtenSize, artifact.ID, opts.start, contentSize)
+	return writtenSize, nil
 }

-func saveUploadChunk(st storage.ObjectStorage, ctx *ArtifactContext,
-	artifact *actions.ActionArtifact,
-	contentSize, runID int64,
-) (int64, error) {
+func saveUploadChunkV3GetTotalSize(st storage.ObjectStorage, ctx *ArtifactContext, artifact *actions.ActionArtifact, runID int64) (totalSize int64, _ error) {
 	// parse content-range header, format: bytes 0-1023/146515
 	contentRange := ctx.Req.Header.Get("Content-Range")
-	start, end, length := int64(0), int64(0), int64(0)
-	if _, err := fmt.Sscanf(contentRange, "bytes %d-%d/%d", &start, &end, &length); err != nil {
-		log.Warn("parse content range error: %v, content-range: %s", err, contentRange)
-		return -1, fmt.Errorf("parse content range error: %v", err)
+	var start, end int64
+	if _, err := fmt.Sscanf(contentRange, "bytes %d-%d/%d", &start, &end, &totalSize); err != nil {
+		return 0, fmt.Errorf("parse content range error: %v", err)
 	}
-	return saveUploadChunkBase(st, ctx, artifact, contentSize, runID, start, end, length, true)
+	_, err := saveUploadChunkV3(st, ctx, artifact, runID, saveUploadChunkOptions{start: start, end: &end, checkMd5: true})
+	if err != nil {
+		return 0, err
+	}
+	return totalSize, nil
 }

-func appendUploadChunk(st storage.ObjectStorage, ctx *ArtifactContext,
-	artifact *actions.ActionArtifact,
-	start, contentSize, runID int64,
-) (int64, error) {
-	end := start + contentSize - 1
-	return saveUploadChunkBase(st, ctx, artifact, contentSize, runID, start, end, contentSize, false)
+// Returns uploaded length
+func appendUploadChunkV3(st storage.ObjectStorage, ctx *ArtifactContext, artifact *actions.ActionArtifact, runID, start int64) (int64, error) {
+	opts := saveUploadChunkOptions{start: start}
+	if ctx.Req.ContentLength > 0 {
+		end := start + ctx.Req.ContentLength - 1
+		opts.end = &end
+	}
+	return saveUploadChunkV3(st, ctx, artifact, runID, opts)
 }

 type chunkFileItem struct {
-	RunID      int64
 	ArtifactID int64
-	Start      int64
-	End        int64
 	Path       string
+
+	// these offset/size related fields might be missing when parsing, they will be filled in the listing functions
+	Size  int64
+	Start int64
+	End   int64 // inclusive: Size=10, Start=0, End=9
+
+	ChunkName string // v4 only
 }

-func listChunksByRunID(st storage.ObjectStorage, runID int64) (map[int64][]*chunkFileItem, error) {
-	storageDir := fmt.Sprintf("tmp%d", runID)
+func listV3UnorderedChunksMapByRunID(st storage.ObjectStorage, runID int64) (map[int64][]*chunkFileItem, error) {
+	storageDir := makeTmpPathNameV3(runID)
 	var chunks []*chunkFileItem
 	if err := st.IterateObjects(storageDir, func(fpath string, obj storage.Object) error {
-		baseName := filepath.Base(fpath)
-		// when read chunks from storage, it only contains storage dir and basename,
-		// no matter the subdirectory setting in storage config
-		item := chunkFileItem{Path: storageDir + "/" + baseName}
-		if _, err := fmt.Sscanf(baseName, "%d-%d-%d-%d.chunk", &item.RunID, &item.ArtifactID, &item.Start, &item.End); err != nil {
-			return fmt.Errorf("parse content range error: %v", err)
+		item, err := parseChunkFileItemV3(st, fpath)
+		if errors.Is(err, errSkipChunkFile) {
+			return nil
+		} else if err != nil {
+			return fmt.Errorf("unable to parse chunk name: %v", fpath)
 		}
-		chunks = append(chunks, &item)
+		chunks = append(chunks, item)
 		return nil
 	}); err != nil {
 		return nil, err
@@ -123,52 +183,78 @@ func listChunksByRunID(st storage.ObjectStorage, runID int64) (map[int64][]*chun
 	return chunksMap, nil
 }

-func listChunksByRunIDV4(st storage.ObjectStorage, runID, artifactID int64, blist *BlockList) ([]*chunkFileItem, error) {
-	storageDir := fmt.Sprintf("tmpv4%d", runID)
-	var chunks []*chunkFileItem
-	chunkMap := map[string]*chunkFileItem{}
-	dummy := &chunkFileItem{}
-	for _, name := range blist.Latest {
-		chunkMap[name] = dummy
+func listOrderedChunksForArtifact(st storage.ObjectStorage, runID, artifactID int64, blist *BlockList) ([]*chunkFileItem, error) {
+	emptyListAsError := func(chunks []*chunkFileItem) ([]*chunkFileItem, error) {
+		if len(chunks) == 0 {
+			return nil, fmt.Errorf("no chunk found for artifact id: %d", artifactID)
+		}
+		return chunks, nil
 	}
+
+	storageDir := makeTmpPathNameV4(runID)
+	var chunks []*chunkFileItem
+	var chunkMapV4 map[string]*chunkFileItem
+
+	if blist != nil {
+		// make a dummy map for quick lookup of chunk names, the values are nil now and will be filled after iterating storage objects
+		chunkMapV4 = map[string]*chunkFileItem{}
+		for _, name := range blist.Latest {
+			chunkMapV4[name] = nil
+		}
+	}
+
 	if err := st.IterateObjects(storageDir, func(fpath string, obj storage.Object) error {
-		baseName := filepath.Base(fpath)
-		if !strings.HasPrefix(baseName, "block-") {
+		item, err := parseChunkFileItemV4(st, artifactID, fpath)
+		if errors.Is(err, errSkipChunkFile) {
 			return nil
+		} else if err != nil {
+			return fmt.Errorf("unable to parse chunk name: %v", fpath)
 		}
-		// when read chunks from storage, it only contains storage dir and basename,
-		// no matter the subdirectory setting in storage config
-		item := chunkFileItem{Path: storageDir + "/" + baseName, ArtifactID: artifactID}
-		var size int64
-		var b64chunkName string
-		if _, err := fmt.Sscanf(baseName, "block-%d-%d-%s", &item.RunID, &size, &b64chunkName); err != nil {
-			return fmt.Errorf("parse content range error: %v", err)
-		}
-		rchunkName, err := base64.URLEncoding.DecodeString(b64chunkName)
-		if err != nil {
-			return fmt.Errorf("failed to parse chunkName: %v", err)
-		}
-		chunkName := string(rchunkName)
-		item.End = item.Start + size - 1
-		if _, ok := chunkMap[chunkName]; ok {
-			chunkMap[chunkName] = &item
+
+		// Single chunk upload with block id
+		if _, ok := chunkMapV4[item.ChunkName]; ok {
+			chunkMapV4[item.ChunkName] = item
+		} else if chunkMapV4 == nil {
+			if chunks != nil {
+				return errors.New("blockmap is required for chunks > 1")
+			}
+			chunks = []*chunkFileItem{item}
 		}
 		return nil
 	}); err != nil {
 		return nil, err
 	}
-	for i, name := range blist.Latest {
-		chunk, ok := chunkMap[name]
-		if !ok || chunk.Path == "" {
-			return nil, fmt.Errorf("missing Chunk (%d/%d): %s", i, len(blist.Latest), name)
+
+	if blist == nil && chunks == nil {
+		chunkUnorderedItemsMapV3, err := listV3UnorderedChunksMapByRunID(st, runID)
+		if err != nil {
+			return nil, err
 		}
-		chunks = append(chunks, chunk)
-		if i > 0 {
-			chunk.Start = chunkMap[blist.Latest[i-1]].End + 1
-			chunk.End += chunk.Start
+		chunks = chunkUnorderedItemsMapV3[artifactID]
+		sort.Slice(chunks, func(i, j int) bool {
+			return chunks[i].Start < chunks[j].Start
+		})
+		return emptyListAsError(chunks)
+	}
+
+	if len(chunks) == 0 && blist != nil {
+		for i, name := range blist.Latest {
+			chunk := chunkMapV4[name]
+			if chunk == nil {
+				return nil, fmt.Errorf("missing chunk (%d/%d): %s", i, len(blist.Latest), name)
+			}
+			chunks = append(chunks, chunk)
 		}
 	}
-	return chunks, nil
+	for i, chunk := range chunks {
+		if i == 0 {
+			chunk.End += chunk.Size - 1
+		} else {
+			chunk.Start = chunkMapV4[blist.Latest[i-1]].End + 1
+			chunk.End = chunk.Start + chunk.Size - 1
+		}
+	}
+	return emptyListAsError(chunks)
 }

 func mergeChunksForRun(ctx *ArtifactContext, st storage.ObjectStorage, runID int64, artifactName string) error {
@@ -181,13 +267,13 @@ func mergeChunksForRun(ctx *ArtifactContext, st storage.ObjectStorage, runID int
 		return err
 	}
 	// read all uploading chunks from storage
-	chunksMap, err := listChunksByRunID(st, runID)
+	unorderedChunksMap, err := listV3UnorderedChunksMapByRunID(st, runID)
 	if err != nil {
 		return err
 	}
 	// range db artifacts to merge chunks
 	for _, art := range artifacts {
-		chunks, ok := chunksMap[art.ID]
+		chunks, ok := unorderedChunksMap[art.ID]
 		if !ok {
 			log.Debug("artifact %d chunks not found", art.ID)
 			continue
@@ -239,12 +325,14 @@ func mergeChunksForArtifact(ctx *ArtifactContext, chunks []*chunkFileItem, st st
 	}
 	mergedReader := io.MultiReader(readers...)
 	shaPrefix := "sha256:"
-	var hash hash.Hash
+	var hashSha256 hash.Hash
 	if strings.HasPrefix(checksum, shaPrefix) {
-		hash = sha256.New()
+		hashSha256 = sha256.New()
+	} else if checksum != "" {
+		setting.PanicInDevOrTesting("unsupported checksum format: %s, will skip the checksum verification", checksum)
 	}
-	if hash != nil {
-		mergedReader = io.TeeReader(mergedReader, hash)
+	if hashSha256 != nil {
+		mergedReader = io.TeeReader(mergedReader, hashSha256)
 	}

 	// if chunk is gzip, use gz as extension
@@ -274,8 +362,8 @@ func mergeChunksForArtifact(ctx *ArtifactContext, chunks []*chunkFileItem, st st
 		}
 	}()

-	if hash != nil {
-		rawChecksum := hash.Sum(nil)
+	if hashSha256 != nil {
+		rawChecksum := hashSha256.Sum(nil)
 		actualChecksum := hex.EncodeToString(rawChecksum)
 		if !strings.HasSuffix(checksum, actualChecksum) {
 			return fmt.Errorf("update artifact error checksum is invalid %v vs %v", checksum, actualChecksum)
--- a/routers/api/actions/artifacts_utils.go
+++ b/routers/api/actions/artifacts_utils.go
@@ -20,8 +20,8 @@ const (
 	artifactXActionsResultsMD5Header = "x-actions-results-md5"
 )

-// The rules are from https://github.com/actions/toolkit/blob/main/packages/artifact/src/internal/path-and-artifact-name-validation.ts#L32
-var invalidArtifactNameChars = strings.Join([]string{"\\", "/", "\"", ":", "<", ">", "|", "*", "?", "\r", "\n"}, "")
+// The rules are from https://github.com/actions/toolkit/blob/main/packages/artifact/src/internal/upload/path-and-artifact-name-validation.ts
+const invalidArtifactNameChars = "\\/\":<>|*?\r\n"

 func validateArtifactName(ctx *ArtifactContext, artifactName string) bool {
 	if strings.ContainsAny(artifactName, invalidArtifactNameChars) {
@@ -84,11 +84,10 @@ func parseArtifactItemPath(ctx *ArtifactContext) (string, string, bool) {

 // getUploadFileSize returns the size of the file to be uploaded.
 // The raw size is the size of the file as reported by the header X-TFS-FileLength.
-func getUploadFileSize(ctx *ArtifactContext) (int64, int64) {
-	contentLength := ctx.Req.ContentLength
+func getUploadFileSize(ctx *ArtifactContext) int64 {
 	xTfsLength, _ := strconv.ParseInt(ctx.Req.Header.Get(artifactXTfsFileLengthHeader), 10, 64)
 	if xTfsLength > 0 {
-		return xTfsLength, contentLength
+		return xTfsLength
 	}
-	return contentLength, contentLength
+	return ctx.Req.ContentLength
 }
--- a/routers/api/actions/artifactsv4.go
+++ b/routers/api/actions/artifactsv4.go
@@ -90,10 +90,12 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/xml"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
+	"path"
 	"strconv"
 	"strings"
 	"time"
@@ -109,7 +111,7 @@ import (
 	"code.gitea.io/gitea/services/context"

 	"google.golang.org/protobuf/encoding/protojson"
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	"google.golang.org/protobuf/reflect/protoreflect"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )

@@ -157,33 +159,81 @@ func ArtifactsV4Routes(prefix string) *web.Router {
 	return m
 }

-func (r artifactV4Routes) buildSignature(endp, expires, artifactName string, taskID, artifactID int64) []byte {
+func (r *artifactV4Routes) buildSignature(endpoint, expires, artifactName string, taskID, artifactID int64) []byte {
 	mac := hmac.New(sha256.New, setting.GetGeneralTokenSigningSecret())
-	mac.Write([]byte(endp))
+	mac.Write([]byte(endpoint))
 	mac.Write([]byte(expires))
 	mac.Write([]byte(artifactName))
-	fmt.Fprint(mac, taskID)
-	fmt.Fprint(mac, artifactID)
+	_, _ = fmt.Fprint(mac, taskID)
+	_, _ = fmt.Fprint(mac, artifactID)
 	return mac.Sum(nil)
 }

-func (r artifactV4Routes) buildArtifactURL(ctx *ArtifactContext, endp, artifactName string, taskID, artifactID int64) string {
+func (r *artifactV4Routes) buildArtifactURL(ctx *ArtifactContext, endpoint, artifactName string, taskID, artifactID int64) string {
 	expires := time.Now().Add(60 * time.Minute).Format("2006-01-02 15:04:05.999999999 -0700 MST")
 	uploadURL := strings.TrimSuffix(httplib.GuessCurrentAppURL(ctx), "/") + strings.TrimSuffix(r.prefix, "/") +
-		"/" + endp + "?sig=" + base64.URLEncoding.EncodeToString(r.buildSignature(endp, expires, artifactName, taskID, artifactID)) + "&expires=" + url.QueryEscape(expires) + "&artifactName=" + url.QueryEscape(artifactName) + "&taskID=" + strconv.FormatInt(taskID, 10) + "&artifactID=" + strconv.FormatInt(artifactID, 10)
+		"/" + endpoint +
+		"?sig=" + base64.RawURLEncoding.EncodeToString(r.buildSignature(endpoint, expires, artifactName, taskID, artifactID)) +
+		"&expires=" + url.QueryEscape(expires) +
+		"&artifactName=" + url.QueryEscape(artifactName) +
+		"&taskID=" + strconv.FormatInt(taskID, 10) +
+		"&artifactID=" + strconv.FormatInt(artifactID, 10)
 	return uploadURL
 }

-func (r artifactV4Routes) verifySignature(ctx *ArtifactContext, endp string) (*actions.ActionTask, string, bool) {
+func makeBlockFilenameV4(runID, artifactID, size int64, blockID string) string {
+	sizeInName := max(size, 0) // do not use "-1" in filename
+	return fmt.Sprintf("block-%d-%d-%d-%s", runID, artifactID, sizeInName, base64.URLEncoding.EncodeToString([]byte(blockID)))
+}
+
+var errSkipChunkFile = errors.New("skip this chunk file")
+
+func parseChunkFileItemV4(st storage.ObjectStorage, artifactID int64, fpath string) (*chunkFileItem, error) {
+	baseName := path.Base(fpath)
+	if !strings.HasPrefix(baseName, "block-") {
+		return nil, errSkipChunkFile
+	}
+	var item chunkFileItem
+	var unusedRunID int64
+	var b64chunkName string
+	_, err := fmt.Sscanf(baseName, "block-%d-%d-%d-%s", &unusedRunID, &item.ArtifactID, &item.Size, &b64chunkName)
+	if err != nil {
+		return nil, err
+	}
+	if item.ArtifactID != artifactID {
+		return nil, errSkipChunkFile
+	}
+	chunkName, err := base64.URLEncoding.DecodeString(b64chunkName)
+	if err != nil {
+		return nil, err
+	}
+	item.ChunkName = string(chunkName)
+	item.Path = fpath
+	if item.Size <= 0 {
+		fi, err := st.Stat(item.Path)
+		if err != nil {
+			return nil, err
+		}
+		item.Size = fi.Size()
+	}
+	return &item, nil
+}
+
+func (r *artifactV4Routes) verifySignature(ctx *ArtifactContext, endp string) (*actions.ActionTask, string, bool) {
 	rawTaskID := ctx.Req.URL.Query().Get("taskID")
 	rawArtifactID := ctx.Req.URL.Query().Get("artifactID")
 	sig := ctx.Req.URL.Query().Get("sig")
 	expires := ctx.Req.URL.Query().Get("expires")
 	artifactName := ctx.Req.URL.Query().Get("artifactName")
-	dsig, _ := base64.URLEncoding.DecodeString(sig)
-	taskID, _ := strconv.ParseInt(rawTaskID, 10, 64)
-	artifactID, _ := strconv.ParseInt(rawArtifactID, 10, 64)
-
+	dsig, errSig := base64.RawURLEncoding.DecodeString(sig)
+	taskID, errTask := strconv.ParseInt(rawTaskID, 10, 64)
+	artifactID, errArtifactID := strconv.ParseInt(rawArtifactID, 10, 64)
+	err := errors.Join(errSig, errTask, errArtifactID)
+	if err != nil {
+		log.Error("Error decoding signature values: %v", err)
+		ctx.HTTPError(http.StatusBadRequest, "Error decoding signature values")
+		return nil, "", false
+	}
 	expecedsig := r.buildSignature(endp, expires, artifactName, taskID, artifactID)
 	if !hmac.Equal(dsig, expecedsig) {
 		log.Error("Error unauthorized")
@@ -226,7 +276,7 @@ func (r *artifactV4Routes) getArtifactByName(ctx *ArtifactContext, runID int64,
 	return &art, nil
 }

-func (r *artifactV4Routes) parseProtbufBody(ctx *ArtifactContext, req protoreflect.ProtoMessage) bool {
+func (r *artifactV4Routes) parseProtobufBody(ctx *ArtifactContext, req protoreflect.ProtoMessage) bool {
 	body, err := io.ReadAll(ctx.Req.Body)
 	if err != nil {
 		log.Error("Error decode request body: %v", err)
@@ -242,7 +292,7 @@ func (r *artifactV4Routes) parseProtbufBody(ctx *ArtifactContext, req protorefle
 	return true
 }

-func (r *artifactV4Routes) sendProtbufBody(ctx *ArtifactContext, req protoreflect.ProtoMessage) {
+func (r *artifactV4Routes) sendProtobufBody(ctx *ArtifactContext, req protoreflect.ProtoMessage) {
 	resp, err := protojson.Marshal(req)
 	if err != nil {
 		log.Error("Error encode response body: %v", err)
@@ -257,7 +307,7 @@ func (r *artifactV4Routes) sendProtbufBody(ctx *ArtifactContext, req protoreflec
 func (r *artifactV4Routes) createArtifact(ctx *ArtifactContext) {
 	var req CreateArtifactRequest

-	if ok := r.parseProtbufBody(ctx, &req); !ok {
+	if ok := r.parseProtobufBody(ctx, &req); !ok {
 		return
 	}
 	_, _, ok := validateRunIDV4(ctx, req.WorkflowRunBackendId)
@@ -291,7 +341,7 @@ func (r *artifactV4Routes) createArtifact(ctx *ArtifactContext) {
 		Ok:              true,
 		SignedUploadUrl: r.buildArtifactURL(ctx, "UploadArtifact", artifactName, ctx.ActionTask.ID, artifact.ID),
 	}
-	r.sendProtbufBody(ctx, &respData)
+	r.sendProtobufBody(ctx, &respData)
 }

 func (r *artifactV4Routes) uploadArtifact(ctx *ArtifactContext) {
@@ -303,34 +353,34 @@ func (r *artifactV4Routes) uploadArtifact(ctx *ArtifactContext) {
 	comp := ctx.Req.URL.Query().Get("comp")
 	switch comp {
 	case "block", "appendBlock":
-		blockid := ctx.Req.URL.Query().Get("blockid")
-		if blockid == "" {
-			// get artifact by name
-			artifact, err := r.getArtifactByName(ctx, task.Job.RunID, artifactName)
+		// get artifact by name
+		artifact, err := r.getArtifactByName(ctx, task.Job.RunID, artifactName)
+		if err != nil {
+			log.Error("Error artifact not found: %v", err)
+			ctx.HTTPError(http.StatusNotFound, "Error artifact not found")
+			return
+		}
+		blockID := ctx.Req.URL.Query().Get("blockid")
+		if blockID == "" {
+			uploadedLength, err := appendUploadChunkV3(r.fs, ctx, artifact, artifact.RunID, artifact.FileSize)
 			if err != nil {
-				log.Error("Error artifact not found: %v", err)
-				ctx.HTTPError(http.StatusNotFound, "Error artifact not found")
+				log.Error("Error appending chunk %v", err)
+				ctx.HTTPError(http.StatusInternalServerError, "Error appending Chunk")
 				return
 			}
-
-			_, err = appendUploadChunk(r.fs, ctx, artifact, artifact.FileSize, ctx.Req.ContentLength, artifact.RunID)
-			if err != nil {
-				log.Error("Error runner api getting task: task is not running")
-				ctx.HTTPError(http.StatusInternalServerError, "Error runner api getting task: task is not running")
-				return
-			}
-			artifact.FileCompressedSize += ctx.Req.ContentLength
-			artifact.FileSize += ctx.Req.ContentLength
+			artifact.FileCompressedSize += uploadedLength
+			artifact.FileSize += uploadedLength
 			if err := actions.UpdateArtifactByID(ctx, artifact.ID, artifact); err != nil {
 				log.Error("Error UpdateArtifactByID: %v", err)
 				ctx.HTTPError(http.StatusInternalServerError, "Error UpdateArtifactByID")
 				return
 			}
 		} else {
-			_, err := r.fs.Save(fmt.Sprintf("tmpv4%d/block-%d-%d-%s", task.Job.RunID, task.Job.RunID, ctx.Req.ContentLength, base64.URLEncoding.EncodeToString([]byte(blockid))), ctx.Req.Body, -1)
+			blockFilename := makeBlockFilenameV4(task.Job.RunID, artifact.ID, ctx.Req.ContentLength, blockID)
+			_, err := r.fs.Save(fmt.Sprintf("%s/%s", makeTmpPathNameV4(task.Job.RunID), blockFilename), ctx.Req.Body, ctx.Req.ContentLength)
 			if err != nil {
-				log.Error("Error runner api getting task: task is not running")
-				ctx.HTTPError(http.StatusInternalServerError, "Error runner api getting task: task is not running")
+				log.Error("Error uploading block blob %v", err)
+				ctx.HTTPError(http.StatusInternalServerError, "Error uploading block blob")
 				return
 			}
 		}
@@ -338,10 +388,10 @@ func (r *artifactV4Routes) uploadArtifact(ctx *ArtifactContext) {
 	case "blocklist":
 		rawArtifactID := ctx.Req.URL.Query().Get("artifactID")
 		artifactID, _ := strconv.ParseInt(rawArtifactID, 10, 64)
-		_, err := r.fs.Save(fmt.Sprintf("tmpv4%d/%d-%d-blocklist", task.Job.RunID, task.Job.RunID, artifactID), ctx.Req.Body, -1)
+		_, err := r.fs.Save(fmt.Sprintf("%s/%d-%d-blocklist", makeTmpPathNameV4(task.Job.RunID), task.Job.RunID, artifactID), ctx.Req.Body, -1)
 		if err != nil {
-			log.Error("Error runner api getting task: task is not running")
-			ctx.HTTPError(http.StatusInternalServerError, "Error runner api getting task: task is not running")
+			log.Error("Error uploading blocklist %v", err)
+			ctx.HTTPError(http.StatusInternalServerError, "Error uploading blocklist")
 			return
 		}
 		ctx.JSON(http.StatusCreated, "created")
@@ -357,7 +407,7 @@ type Latest struct {
 }

 func (r *artifactV4Routes) readBlockList(runID, artifactID int64) (*BlockList, error) {
-	blockListName := fmt.Sprintf("tmpv4%d/%d-%d-blocklist", runID, runID, artifactID)
+	blockListName := fmt.Sprintf("%s/%d-%d-blocklist", makeTmpPathNameV4(runID), runID, artifactID)
 	s, err := r.fs.Open(blockListName)
 	if err != nil {
 		return nil, err
@@ -367,17 +417,22 @@ func (r *artifactV4Routes) readBlockList(runID, artifactID int64) (*BlockList, e
 	blockList := &BlockList{}
 	err = xdec.Decode(blockList)

+	_ = s.Close()
+
 	delerr := r.fs.Delete(blockListName)
 	if delerr != nil {
 		log.Warn("Failed to delete blockList %s: %v", blockListName, delerr)
 	}
-	return blockList, err
+	if err != nil {
+		return nil, err
+	}
+	return blockList, nil
 }

 func (r *artifactV4Routes) finalizeArtifact(ctx *ArtifactContext) {
 	var req FinalizeArtifactRequest

-	if ok := r.parseProtbufBody(ctx, &req); !ok {
+	if ok := r.parseProtobufBody(ctx, &req); !ok {
 		return
 	}
 	_, runID, ok := validateRunIDV4(ctx, req.WorkflowRunBackendId)
@@ -394,30 +449,20 @@ func (r *artifactV4Routes) finalizeArtifact(ctx *ArtifactContext) {
 	}

 	var chunks []*chunkFileItem
-	blockList, err := r.readBlockList(runID, artifact.ID)
+	blockList, blockListErr := r.readBlockList(runID, artifact.ID)
+	chunks, err = listOrderedChunksForArtifact(r.fs, runID, artifact.ID, blockList)
 	if err != nil {
-		log.Warn("Failed to read BlockList, fallback to old behavior: %v", err)
-		chunkMap, err := listChunksByRunID(r.fs, runID)
-		if err != nil {
-			log.Error("Error merge chunks: %v", err)
-			ctx.HTTPError(http.StatusInternalServerError, "Error merge chunks")
-			return
-		}
-		chunks, ok = chunkMap[artifact.ID]
-		if !ok {
-			log.Error("Error merge chunks")
-			ctx.HTTPError(http.StatusInternalServerError, "Error merge chunks")
-			return
-		}
-	} else {
-		chunks, err = listChunksByRunIDV4(r.fs, runID, artifact.ID, blockList)
-		if err != nil {
-			log.Error("Error merge chunks: %v", err)
-			ctx.HTTPError(http.StatusInternalServerError, "Error merge chunks")
-			return
-		}
-		artifact.FileSize = chunks[len(chunks)-1].End + 1
-		artifact.FileCompressedSize = chunks[len(chunks)-1].End + 1
+		log.Error("Error list chunks: %v", errors.Join(blockListErr, err))
+		ctx.HTTPError(http.StatusInternalServerError, "Error list chunks")
+		return
+	}
+	artifact.FileSize = chunks[len(chunks)-1].End + 1
+	artifact.FileCompressedSize = chunks[len(chunks)-1].End + 1
+
+	if req.Size != artifact.FileSize {
+		log.Error("Error merge chunks size mismatch")
+		ctx.HTTPError(http.StatusInternalServerError, "Error merge chunks size mismatch")
+		return
 	}

 	checksum := ""
@@ -434,13 +479,13 @@ func (r *artifactV4Routes) finalizeArtifact(ctx *ArtifactContext) {
 		Ok:         true,
 		ArtifactId: artifact.ID,
 	}
-	r.sendProtbufBody(ctx, &respData)
+	r.sendProtobufBody(ctx, &respData)
 }

 func (r *artifactV4Routes) listArtifacts(ctx *ArtifactContext) {
 	var req ListArtifactsRequest

-	if ok := r.parseProtbufBody(ctx, &req); !ok {
+	if ok := r.parseProtobufBody(ctx, &req); !ok {
 		return
 	}
 	_, runID, ok := validateRunIDV4(ctx, req.WorkflowRunBackendId)
@@ -485,13 +530,13 @@ func (r *artifactV4Routes) listArtifacts(ctx *ArtifactContext) {
 	respData := ListArtifactsResponse{
 		Artifacts: list,
 	}
-	r.sendProtbufBody(ctx, &respData)
+	r.sendProtobufBody(ctx, &respData)
 }

 func (r *artifactV4Routes) getSignedArtifactURL(ctx *ArtifactContext) {
 	var req GetSignedArtifactURLRequest

-	if ok := r.parseProtbufBody(ctx, &req); !ok {
+	if ok := r.parseProtobufBody(ctx, &req); !ok {
 		return
 	}
 	_, runID, ok := validateRunIDV4(ctx, req.WorkflowRunBackendId)
@@ -525,7 +570,7 @@ func (r *artifactV4Routes) getSignedArtifactURL(ctx *ArtifactContext) {
 	if respData.SignedUrl == "" {
 		respData.SignedUrl = r.buildArtifactURL(ctx, "DownloadArtifact", artifactName, ctx.ActionTask.ID, artifact.ID)
 	}
-	r.sendProtbufBody(ctx, &respData)
+	r.sendProtobufBody(ctx, &respData)
 }

 func (r *artifactV4Routes) downloadArtifact(ctx *ArtifactContext) {
@@ -555,7 +600,7 @@ func (r *artifactV4Routes) downloadArtifact(ctx *ArtifactContext) {
 func (r *artifactV4Routes) deleteArtifact(ctx *ArtifactContext) {
 	var req DeleteArtifactRequest

-	if ok := r.parseProtbufBody(ctx, &req); !ok {
+	if ok := r.parseProtobufBody(ctx, &req); !ok {
 		return
 	}
 	_, runID, ok := validateRunIDV4(ctx, req.WorkflowRunBackendId)
@@ -582,5 +627,5 @@ func (r *artifactV4Routes) deleteArtifact(ctx *ArtifactContext) {
 		Ok:         true,
 		ArtifactId: artifact.ID,
 	}
-	r.sendProtbufBody(ctx, &respData)
+	r.sendProtobufBody(ctx, &respData)
 }
--- a/routers/api/packages/container/blob.go
+++ b/routers/api/packages/container/blob.go
@@ -26,9 +26,18 @@ import (

 // saveAsPackageBlob creates a package blob from an upload
 // The uploaded blob gets stored in a special upload version to link them to the package/image
-func saveAsPackageBlob(ctx context.Context, hsr packages_module.HashedSizeReader, pci *packages_service.PackageCreationInfo) (*packages_model.PackageBlob, error) { //nolint:unparam // PackageBlob is never used
+// There will be concurrent uploading for the same blob, so it needs a global lock per blob hash
+func saveAsPackageBlob(ctx context.Context, hsr packages_module.HashedSizeReader, pci *packages_service.PackageCreationInfo) (*packages_model.PackageBlob, error) { //nolint:unparam //returned PackageBlob is never used
 	pb := packages_service.NewPackageBlob(hsr)
+	err := globallock.LockAndDo(ctx, "container-blob:"+pb.HashSHA256, func(ctx context.Context) error {
+		var err error
+		pb, err = saveAsPackageBlobInternal(ctx, hsr, pci, pb)
+		return err
+	})
+	return pb, err
+}

+func saveAsPackageBlobInternal(ctx context.Context, hsr packages_module.HashedSizeReader, pci *packages_service.PackageCreationInfo, pb *packages_model.PackageBlob) (*packages_model.PackageBlob, error) {
 	exists := false

 	contentStore := packages_module.NewContentStore()
@@ -67,7 +76,7 @@ func saveAsPackageBlob(ctx context.Context, hsr packages_module.HashedSizeReader
 		return createFileForBlob(ctx, uploadVersion, pb)
 	})
 	if err != nil {
-		if !exists {
+		if !exists && pb != nil { // pb can be nil if GetOrInsertBlob failed
 			if err := contentStore.Delete(packages_module.BlobHash256Key(pb.HashSHA256)); err != nil {
 				log.Error("Error deleting package blob from content store: %v", err)
 			}
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1400,19 +1400,19 @@ func Routes() *web.Router {
 					})
 					m.Get("/{base}/*", repo.GetPullRequestByBaseHead)
 				}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())
-				m.Group("/statuses", func() {
+				m.Group("/statuses", func() { // "/statuses/{sha}" only accepts commit ID
 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).
 						Post(reqToken(), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
 				}, reqRepoReader(unit.TypeCode))
 				m.Group("/commits", func() {
 					m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)
-					m.Group("/{ref}", func() {
-						m.Get("/status", repo.GetCombinedCommitStatusByRef)
-						m.Get("/statuses", repo.GetCommitStatusesByRef)
-					}, context.ReferencesGitRepo())
-					m.Group("/{sha}", func() {
-						m.Get("/pull", repo.GetCommitPullRequest)
-					}, context.ReferencesGitRepo())
+					m.PathGroup("/*", func(g *web.RouterPathGroup) {
+						// Mis-configured reverse proxy might decode the `%2F` to slash ahead, so we need to support both formats (escaped, unescaped) here.
+						// It also matches GitHub's behavior
+						g.MatchPath("GET", "/<ref:*>/status", repo.GetCombinedCommitStatusByRef)
+						g.MatchPath("GET", "/<ref:*>/statuses", repo.GetCommitStatusesByRef)
+						g.MatchPath("GET", "/<sha>/pull", repo.GetCommitPullRequest)
+					})
 				}, reqRepoReader(unit.TypeCode))
 				m.Group("/git", func() {
 					m.Group("/commits", func() {
--- a/routers/api/v1/org/org.go
+++ b/routers/api/v1/org/org.go
@@ -135,7 +135,7 @@ func GetUserOrgsPermissions(ctx *context.APIContext) {

 	op := api.OrganizationPermissions{}

-	if !organization.HasOrgOrUserVisible(ctx, o, ctx.ContextUser) {
+	if !organization.HasOrgOrUserVisible(ctx, o, ctx.Doer) {
 		ctx.APIErrorNotFound("HasOrgOrUserVisible", nil)
 		return
 	}
--- a/routers/api/v1/repo/issue_stopwatch.go
+++ b/routers/api/v1/repo/issue_stopwatch.go
@@ -224,7 +224,7 @@ func GetStopwatches(ctx *context.APIContext) {
 		return
 	}

-	apiSWs, err := convert.ToStopWatches(ctx, sws)
+	apiSWs, err := convert.ToStopWatches(ctx, ctx.Doer, sws)
 	if err != nil {
 		ctx.APIErrorInternal(err)
 		return
--- a/routers/api/v1/repo/issue_tracked_time.go
+++ b/routers/api/v1/repo/issue_tracked_time.go
@@ -356,7 +356,7 @@ func DeleteTime(ctx *context.APIContext) {
 		return
 	}

-	time, err := issues_model.GetTrackedTimeByID(ctx, ctx.PathParamInt64("id"))
+	time, err := issues_model.GetTrackedTimeByID(ctx, issue.ID, ctx.PathParamInt64("id"))
 	if err != nil {
 		if db.IsErrNotExist(err) {
 			ctx.APIErrorNotFound(err)
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -1337,7 +1337,7 @@ func CancelScheduledAutoMerge(ctx *context.APIContext) {
 	}

 	if ctx.Doer.ID != autoMerge.DoerID {
-		allowed, err := access_model.IsUserRepoAdmin(ctx, ctx.Repo.Repository, ctx.Doer)
+		allowed, err := pull_service.IsUserAllowedToMerge(ctx, pull, ctx.Repo.Permission, ctx.Doer)
 		if err != nil {
 			ctx.APIErrorInternal(err)
 			return
@@ -1548,9 +1548,9 @@ func GetPullRequestFiles(ctx *context.APIContext) {

 	var prInfo *pull_service.CompareInfo
 	if pr.HasMerged {
-		prInfo, err = pull_service.GetCompareInfo(ctx, pr.BaseRepo, pr.BaseRepo, baseGitRepo, pr.MergeBase, pr.GetGitHeadRefName(), true, false)
+		prInfo, err = pull_service.GetCompareInfo(ctx, pr.BaseRepo, pr.BaseRepo, baseGitRepo, pr.MergeBase, pr.GetGitHeadRefName(), false, false)
 	} else {
-		prInfo, err = pull_service.GetCompareInfo(ctx, pr.BaseRepo, pr.BaseRepo, baseGitRepo, pr.BaseBranch, pr.GetGitHeadRefName(), true, false)
+		prInfo, err = pull_service.GetCompareInfo(ctx, pr.BaseRepo, pr.BaseRepo, baseGitRepo, pr.BaseBranch, pr.GetGitHeadRefName(), false, false)
 	}
 	if err != nil {
 		ctx.APIErrorInternal(err)
--- a/routers/api/v1/repo/release.go
+++ b/routers/api/v1/repo/release.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net/http"

+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -21,6 +22,28 @@ import (
 	release_service "code.gitea.io/gitea/services/release"
 )

+func hasRepoWriteScope(ctx *context.APIContext) bool {
+	scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
+	if ctx.Data["IsApiToken"] != true || !ok {
+		return true
+	}
+
+	requiredScopes := auth_model.GetRequiredScopes(auth_model.Write, auth_model.AccessTokenScopeCategoryRepository)
+	allow, err := scope.HasScope(requiredScopes...)
+	if err != nil {
+		ctx.APIError(http.StatusForbidden, "checking scope failed: "+err.Error())
+		return false
+	}
+	return allow
+}
+
+func canAccessDraftRelease(ctx *context.APIContext) bool {
+	if !ctx.IsSigned || !ctx.Repo.CanWrite(unit.TypeReleases) {
+		return false
+	}
+	return hasRepoWriteScope(ctx)
+}
+
 // GetRelease get a single release of a repository
 func GetRelease(ctx *context.APIContext) {
 	// swagger:operation GET /repos/{owner}/{repo}/releases/{id} repository repoGetRelease
@@ -62,6 +85,15 @@ func GetRelease(ctx *context.APIContext) {
 		return
 	}

+	if release.IsDraft { // only the users with write access can see draft releases
+		if !canAccessDraftRelease(ctx) {
+			if !ctx.Written() {
+				ctx.APIErrorNotFound()
+			}
+			return
+		}
+	}
+
 	if err := release.LoadAttributes(ctx); err != nil {
 		ctx.APIErrorInternal(err)
 		return
@@ -151,9 +183,13 @@ func ListReleases(ctx *context.APIContext) {
 	//     "$ref": "#/responses/notFound"
 	listOptions := utils.GetListOptions(ctx)

+	includeDrafts := (ctx.Repo.AccessMode >= perm.AccessModeWrite || ctx.Repo.UnitAccessMode(unit.TypeReleases) >= perm.AccessModeWrite) && hasRepoWriteScope(ctx)
+	if ctx.Written() {
+		return
+	}
 	opts := repo_model.FindReleasesOptions{
 		ListOptions:   listOptions,
-		IncludeDrafts: ctx.Repo.AccessMode >= perm.AccessModeWrite || ctx.Repo.UnitAccessMode(unit.TypeReleases) >= perm.AccessModeWrite,
+		IncludeDrafts: includeDrafts,
 		IncludeTags:   false,
 		IsDraft:       ctx.FormOptionalBool("draft"),
 		IsPreRelease:  ctx.FormOptionalBool("pre-release"),
--- a/routers/api/v1/repo/release_attachment.go
+++ b/routers/api/v1/repo/release_attachment.go
@@ -34,6 +34,14 @@ func checkReleaseMatchRepo(ctx *context.APIContext, releaseID int64) bool {
 		ctx.APIErrorNotFound()
 		return false
 	}
+	if release.IsDraft {
+		if !canAccessDraftRelease(ctx) {
+			if !ctx.Written() {
+				ctx.APIErrorNotFound()
+			}
+			return false
+		}
+	}
 	return true
 }

@@ -141,6 +149,14 @@ func ListReleaseAttachments(ctx *context.APIContext) {
 		ctx.APIErrorNotFound()
 		return
 	}
+	if release.IsDraft {
+		if !canAccessDraftRelease(ctx) {
+			if !ctx.Written() {
+				ctx.APIErrorNotFound()
+			}
+			return
+		}
+	}
 	if err := release.LoadAttributes(ctx); err != nil {
 		ctx.APIErrorInternal(err)
 		return
@@ -398,7 +414,6 @@ func DeleteReleaseAttachment(ctx *context.APIContext) {
 		ctx.APIErrorNotFound()
 		return
 	}
-	// FIXME Should prove the existence of the given repo, but results in unnecessary database requests

 	if err := repo_model.DeleteAttachment(ctx, attach, true); err != nil {
 		ctx.APIErrorInternal(err)
--- a/routers/common/blockexpensive.go
+++ b/routers/common/blockexpensive.go
@@ -44,9 +44,11 @@ func isRoutePathExpensive(routePattern string) bool {
 		"/{username}/{reponame}/blame/",
 		"/{username}/{reponame}/commit/",
 		"/{username}/{reponame}/commits/",
+		"/{username}/{reponame}/compare/",
 		"/{username}/{reponame}/graph",
 		"/{username}/{reponame}/media/",
 		"/{username}/{reponame}/raw/",
+		"/{username}/{reponame}/rss/branch/",
 		"/{username}/{reponame}/src/",

 		// issue & PR related (no trailing slash)
--- a/routers/private/hook_pre_receive.go
+++ b/routers/private/hook_pre_receive.go
@@ -149,7 +149,11 @@ func preReceiveBranch(ctx *preReceiveContext, oldCommitID, newCommitID string, r
 	gitRepo := ctx.Repo.GitRepo
 	objectFormat := ctx.Repo.GetObjectFormat()

-	if branchName == repo.DefaultBranch && newCommitID == objectFormat.EmptyObjectID().String() {
+	defaultBranch := repo.DefaultBranch
+	if ctx.opts.IsWiki && repo.DefaultWikiBranch != "" {
+		defaultBranch = repo.DefaultWikiBranch
+	}
+	if branchName == defaultBranch && newCommitID == objectFormat.EmptyObjectID().String() {
 		log.Warn("Forbidden: Branch: %s is the default branch in %-v and cannot be deleted", branchName, repo)
 		ctx.JSON(http.StatusForbidden, private.Response{
 			UserMsg: fmt.Sprintf("branch %s is the default branch and cannot be deleted", branchName),
--- a/routers/web/auth/oauth2_provider.go
+++ b/routers/web/auth/oauth2_provider.go
@@ -4,6 +4,7 @@
 package auth

 import (
+	"errors"
 	"fmt"
 	"html"
 	"html/template"
@@ -230,8 +231,7 @@ func AuthorizeOAuth(ctx *context.Context) {

 	// pkce support
 	switch form.CodeChallengeMethod {
-	case "S256":
-	case "plain":
+	case "S256", "plain":
 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
 			handleAuthorizeError(ctx, AuthorizeError{
 				ErrorCode:        ErrorCodeServerError,
@@ -614,6 +614,14 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 		})
 		return
 	}
+	if authorizationCode.IsExpired() {
+		_ = authorizationCode.Invalidate(ctx)
+		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{
+			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidGrant,
+			ErrorDescription: "authorization code expired",
+		})
+		return
+	}
 	// check if code verifier authorizes the client, PKCE support
 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {
 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{
@@ -632,9 +640,15 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 	}
 	// remove token from database to deny duplicate usage
 	if err := authorizationCode.Invalidate(ctx); err != nil {
+		errDescription := "cannot process your request"
+		errCode := oauth2_provider.AccessTokenErrorCodeInvalidRequest
+		if errors.Is(err, auth.ErrOAuth2AuthorizationCodeInvalidated) {
+			errDescription = "authorization code already used"
+			errCode = oauth2_provider.AccessTokenErrorCodeInvalidGrant
+		}
 		handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{
-			ErrorCode:        oauth2_provider.AccessTokenErrorCodeInvalidRequest,
-			ErrorDescription: "cannot proceed your request",
+			ErrorCode:        errCode,
+			ErrorDescription: errDescription,
 		})
 		return
 	}
--- a/routers/web/org/projects.go
+++ b/routers/web/org/projects.go
@@ -205,22 +205,24 @@ func ChangeProjectStatus(ctx *context.Context) {
 	}
 	id := ctx.PathParamInt64("id")

-	if err := project_model.ChangeProjectStatusByRepoIDAndID(ctx, 0, id, toClose); err != nil {
-		ctx.NotFoundOrServerError("ChangeProjectStatusByRepoIDAndID", project_model.IsErrProjectNotExist, err)
-		return
-	}
-	ctx.JSONRedirect(project_model.ProjectLinkForOrg(ctx.ContextUser, id))
-}
-
-// DeleteProject delete a project
-func DeleteProject(ctx *context.Context) {
-	p, err := project_model.GetProjectByID(ctx, ctx.PathParamInt64("id"))
+	project, err := project_model.GetProjectByIDAndOwner(ctx, id, ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}
-	if p.OwnerID != ctx.ContextUser.ID {
-		ctx.NotFound(nil)
+
+	if err := project_model.ChangeProjectStatusByRepoIDAndID(ctx, 0, project.ID, toClose); err != nil {
+		ctx.NotFoundOrServerError("ChangeProjectStatusByRepoIDAndID", project_model.IsErrProjectNotExist, err)
+		return
+	}
+	ctx.JSONRedirect(project_model.ProjectLinkForOrg(ctx.ContextUser, project.ID))
+}
+
+// DeleteProject delete a project
+func DeleteProject(ctx *context.Context) {
+	p, err := project_model.GetProjectByIDAndOwner(ctx, ctx.PathParamInt64("id"), ctx.ContextUser.ID)
+	if err != nil {
+		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}

@@ -246,15 +248,11 @@ func RenderEditProject(ctx *context.Context) {
 		return
 	}

-	p, err := project_model.GetProjectByID(ctx, ctx.PathParamInt64("id"))
+	p, err := project_model.GetProjectByIDAndOwner(ctx, ctx.PathParamInt64("id"), ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}
-	if p.OwnerID != ctx.ContextUser.ID {
-		ctx.NotFound(nil)
-		return
-	}

 	ctx.Data["projectID"] = p.ID
 	ctx.Data["title"] = p.Title
@@ -288,15 +286,11 @@ func EditProjectPost(ctx *context.Context) {
 		return
 	}

-	p, err := project_model.GetProjectByID(ctx, projectID)
+	p, err := project_model.GetProjectByIDAndOwner(ctx, projectID, ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}
-	if p.OwnerID != ctx.ContextUser.ID {
-		ctx.NotFound(nil)
-		return
-	}

 	p.Title = form.Title
 	p.Description = form.Content
@@ -316,15 +310,12 @@ func EditProjectPost(ctx *context.Context) {

 // ViewProject renders the project with board view for a project
 func ViewProject(ctx *context.Context) {
-	project, err := project_model.GetProjectByID(ctx, ctx.PathParamInt64("id"))
+	project, err := project_model.GetProjectByIDAndOwner(ctx, ctx.PathParamInt64("id"), ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}
-	if project.OwnerID != ctx.ContextUser.ID {
-		ctx.NotFound(nil)
-		return
-	}
+
 	if err := project.LoadOwner(ctx); err != nil {
 		ctx.ServerError("LoadOwner", err)
 		return
@@ -455,28 +446,15 @@ func DeleteProjectColumn(ctx *context.Context) {
 		return
 	}

-	project, err := project_model.GetProjectByID(ctx, ctx.PathParamInt64("id"))
+	project, err := project_model.GetProjectByIDAndOwner(ctx, ctx.PathParamInt64("id"), ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}

-	pb, err := project_model.GetColumn(ctx, ctx.PathParamInt64("columnID"))
+	_, err = project_model.GetColumnByIDAndProjectID(ctx, ctx.PathParamInt64("columnID"), project.ID)
 	if err != nil {
-		ctx.ServerError("GetProjectColumn", err)
-		return
-	}
-	if pb.ProjectID != ctx.PathParamInt64("id") {
-		ctx.JSON(http.StatusUnprocessableEntity, map[string]string{
-			"message": fmt.Sprintf("ProjectColumn[%d] is not in Project[%d] as expected", pb.ID, project.ID),
-		})
-		return
-	}
-
-	if project.OwnerID != ctx.ContextUser.ID {
-		ctx.JSON(http.StatusUnprocessableEntity, map[string]string{
-			"message": fmt.Sprintf("ProjectColumn[%d] is not in Owner[%d] as expected", pb.ID, ctx.ContextUser.ID),
-		})
+		ctx.NotFoundOrServerError("GetColumnByIDAndProjectID", project_model.IsErrProjectColumnNotExist, err)
 		return
 	}

@@ -492,7 +470,7 @@ func DeleteProjectColumn(ctx *context.Context) {
 func AddColumnToProjectPost(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.EditProjectColumnForm)

-	project, err := project_model.GetProjectByID(ctx, ctx.PathParamInt64("id"))
+	project, err := project_model.GetProjectByIDAndOwner(ctx, ctx.PathParamInt64("id"), ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
@@ -520,30 +498,18 @@ func CheckProjectColumnChangePermissions(ctx *context.Context) (*project_model.P
 		return nil, nil
 	}

-	project, err := project_model.GetProjectByID(ctx, ctx.PathParamInt64("id"))
+	project, err := project_model.GetProjectByIDAndOwner(ctx, ctx.PathParamInt64("id"), ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return nil, nil
 	}

-	column, err := project_model.GetColumn(ctx, ctx.PathParamInt64("columnID"))
+	column, err := project_model.GetColumnByIDAndProjectID(ctx, ctx.PathParamInt64("columnID"), project.ID)
 	if err != nil {
-		ctx.ServerError("GetProjectColumn", err)
-		return nil, nil
-	}
-	if column.ProjectID != ctx.PathParamInt64("id") {
-		ctx.JSON(http.StatusUnprocessableEntity, map[string]string{
-			"message": fmt.Sprintf("ProjectColumn[%d] is not in Project[%d] as expected", column.ID, project.ID),
-		})
+		ctx.NotFoundOrServerError("GetColumnByIDAndProjectID", project_model.IsErrProjectColumnNotExist, err)
 		return nil, nil
 	}

-	if project.OwnerID != ctx.ContextUser.ID {
-		ctx.JSON(http.StatusUnprocessableEntity, map[string]string{
-			"message": fmt.Sprintf("ProjectColumn[%d] is not in Repository[%d] as expected", column.ID, project.ID),
-		})
-		return nil, nil
-	}
 	return project, column
 }

@@ -595,24 +561,15 @@ func MoveIssues(ctx *context.Context) {
 		return
 	}

-	project, err := project_model.GetProjectByID(ctx, ctx.PathParamInt64("id"))
+	project, err := project_model.GetProjectByIDAndOwner(ctx, ctx.PathParamInt64("id"), ctx.ContextUser.ID)
 	if err != nil {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}
-	if project.OwnerID != ctx.ContextUser.ID {
-		ctx.NotFound(nil)
-		return
-	}

-	column, err := project_model.GetColumn(ctx, ctx.PathParamInt64("columnID"))
+	column, err := project_model.GetColumnByIDAndProjectID(ctx, ctx.PathParamInt64("columnID"), project.ID)
 	if err != nil {
-		ctx.NotFoundOrServerError("GetProjectColumn", project_model.IsErrProjectColumnNotExist, err)
-		return
-	}
-
-	if column.ProjectID != project.ID {
-		ctx.NotFound(nil)
+		ctx.NotFoundOrServerError("GetColumnByIDAndProjectID", project_model.IsErrProjectColumnNotExist, err)
 		return
 	}

--- a/routers/web/org/projects_test.go
+++ b/routers/web/org/projects_test.go
@@ -4,11 +4,14 @@
 package org_test

 import (
+	"net/http"
 	"testing"

 	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/web/org"
 	"code.gitea.io/gitea/services/contexttest"
+	"code.gitea.io/gitea/services/forms"

 	"github.com/stretchr/testify/assert"
 )
@@ -26,3 +29,30 @@ func TestCheckProjectColumnChangePermissions(t *testing.T) {
 	assert.NotNil(t, column)
 	assert.False(t, ctx.Written())
 }
+
+func TestChangeProjectStatusRejectsForeignProjects(t *testing.T) {
+	unittest.PrepareTestEnv(t)
+	// project 4 is owned by user2 not user1
+	ctx, _ := contexttest.MockContext(t, "user1/-/projects/4/close")
+	contexttest.LoadUser(t, ctx, 1)
+	ctx.ContextUser = ctx.Doer
+	ctx.SetPathParam("action", "close")
+	ctx.SetPathParam("id", "4")
+
+	org.ChangeProjectStatus(ctx)
+
+	assert.Equal(t, http.StatusNotFound, ctx.Resp.WrittenStatus())
+}
+
+func TestAddColumnToProjectPostRejectsForeignProjects(t *testing.T) {
+	unittest.PrepareTestEnv(t)
+	ctx, _ := contexttest.MockContext(t, "user1/-/projects/4/columns/new")
+	contexttest.LoadUser(t, ctx, 1)
+	ctx.ContextUser = ctx.Doer
+	ctx.SetPathParam("id", "4")
+	web.SetForm(ctx, &forms.EditProjectColumnForm{Title: "foreign"})
+
+	org.AddColumnToProjectPost(ctx)
+
+	assert.Equal(t, http.StatusNotFound, ctx.Resp.WrittenStatus())
+}
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -4,11 +4,12 @@
 package repo

 import (
-	"fmt"
 	"net/http"

+	issues_model "code.gitea.io/gitea/models/issues"
 	access_model "code.gitea.io/gitea/models/perm/access"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/httpcache"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -40,7 +41,7 @@ func uploadAttachment(ctx *context.Context, repoID int64, allowedTypes string) {

 	file, header, err := ctx.Req.FormFile("file")
 	if err != nil {
-		ctx.HTTPError(http.StatusInternalServerError, fmt.Sprintf("FormFile: %v", err))
+		ctx.ServerError("FormFile", err)
 		return
 	}
 	defer file.Close()
@@ -56,7 +57,7 @@ func uploadAttachment(ctx *context.Context, repoID int64, allowedTypes string) {
 			ctx.HTTPError(http.StatusBadRequest, err.Error())
 			return
 		}
-		ctx.HTTPError(http.StatusInternalServerError, fmt.Sprintf("NewAttachment: %v", err))
+		ctx.ServerError("UploadAttachmentGeneralSizeLimit", err)
 		return
 	}

@@ -74,13 +75,44 @@ func DeleteAttachment(ctx *context.Context) {
 		ctx.HTTPError(http.StatusBadRequest, err.Error())
 		return
 	}
-	if !ctx.IsSigned || (ctx.Doer.ID != attach.UploaderID) {
+
+	if !ctx.IsSigned {
 		ctx.HTTPError(http.StatusForbidden)
 		return
 	}
+
+	if attach.RepoID != ctx.Repo.Repository.ID {
+		ctx.HTTPError(http.StatusBadRequest, "attachment does not belong to this repository")
+		return
+	}
+
+	if ctx.Doer.ID != attach.UploaderID {
+		if attach.IssueID > 0 {
+			issue, err := issues_model.GetIssueByID(ctx, attach.IssueID)
+			if err != nil {
+				ctx.ServerError("GetIssueByID", err)
+				return
+			}
+			if !ctx.Repo.Permission.CanWriteIssuesOrPulls(issue.IsPull) {
+				ctx.HTTPError(http.StatusForbidden)
+				return
+			}
+		} else if attach.ReleaseID > 0 {
+			if !ctx.Repo.Permission.CanWrite(unit.TypeReleases) {
+				ctx.HTTPError(http.StatusForbidden)
+				return
+			}
+		} else {
+			if !ctx.Repo.Permission.IsAdmin() && !ctx.Repo.Permission.IsOwner() {
+				ctx.HTTPError(http.StatusForbidden)
+				return
+			}
+		}
+	}
+
 	err = repo_model.DeleteAttachment(ctx, attach, true)
 	if err != nil {
-		ctx.HTTPError(http.StatusInternalServerError, fmt.Sprintf("DeleteAttachment: %v", err))
+		ctx.ServerError("DeleteAttachment", err)
 		return
 	}
 	ctx.JSON(http.StatusOK, map[string]string{
@@ -100,23 +132,41 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 		return
 	}

-	repository, unitType, err := repo_service.LinkedRepository(ctx, attach)
-	if err != nil {
-		ctx.ServerError("LinkedRepository", err)
+	// prevent visiting attachment from other repository directly
+	// The check will be ignored before this code merged.
+	if attach.CreatedUnix > repo_model.LegacyAttachmentMissingRepoIDCutoff && ctx.Repo.Repository != nil && ctx.Repo.Repository.ID != attach.RepoID {
+		ctx.HTTPError(http.StatusNotFound)
 		return
 	}

-	if repository == nil { // If not linked
+	unitType, repoID, err := repo_service.GetAttachmentLinkedTypeAndRepoID(ctx, attach)
+	if err != nil {
+		ctx.ServerError("GetAttachmentLinkedTypeAndRepoID", err)
+		return
+	}
+
+	if unitType == unit.TypeInvalid { // unlinked attachment can only be accessed by the uploader
 		if !(ctx.IsSigned && attach.UploaderID == ctx.Doer.ID) { // We block if not the uploader
 			ctx.HTTPError(http.StatusNotFound)
 			return
 		}
-	} else { // If we have the repository we check access
-		perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
-		if err != nil {
-			ctx.HTTPError(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())
-			return
+	} else { // If we have the linked type, we need to check access
+		var perm access_model.Permission
+		if ctx.Repo.Repository == nil {
+			repo, err := repo_model.GetRepositoryByID(ctx, repoID)
+			if err != nil {
+				ctx.ServerError("GetRepositoryByID", err)
+				return
+			}
+			perm, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
+			if err != nil {
+				ctx.ServerError("GetUserRepoPermission", err)
+				return
+			}
+		} else {
+			perm = ctx.Repo.Permission
 		}
+
 		if !perm.CanRead(unitType) {
 			ctx.HTTPError(http.StatusNotFound)
 			return
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -31,6 +31,7 @@ import (
 	repo_module "code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/context"
 	repo_service "code.gitea.io/gitea/services/repository"

@@ -57,7 +58,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
 }

 // httpBase implementation git smart HTTP protocol
-func httpBase(ctx *context.Context) *serviceHandler {
+func httpBase(ctx *context.Context, optGitService ...string) *serviceHandler {
 	username := ctx.PathParam("username")
 	reponame := strings.TrimSuffix(ctx.PathParam("reponame"), ".git")

@@ -67,18 +68,14 @@ func httpBase(ctx *context.Context) *serviceHandler {
 	}

 	var isPull, receivePack bool
-	service := ctx.FormString("service")
-	if service == "git-receive-pack" ||
-		strings.HasSuffix(ctx.Req.URL.Path, "git-receive-pack") {
-		isPull = false
+	switch util.OptionalArg(optGitService) {
+	case "git-receive-pack":
 		receivePack = true
-	} else if service == "git-upload-pack" ||
-		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-pack") {
+	case "git-upload-pack":
 		isPull = true
-	} else if service == "git-upload-archive" ||
-		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-archive") {
+	case "git-upload-archive":
 		isPull = true
-	} else {
+	default:
 		isPull = ctx.Req.Method == http.MethodHead || ctx.Req.Method == http.MethodGet
 	}

@@ -411,13 +408,19 @@ func prepareGitCmdWithAllowedService(service string) (*gitcmd.Command, error) {
 	return nil, fmt.Errorf("service %q is not allowed", service)
 }

-func serviceRPC(ctx *context.Context, h *serviceHandler, service string) {
+func serviceRPC(ctx *context.Context, service string) {
 	defer func() {
 		if err := ctx.Req.Body.Close(); err != nil {
 			log.Error("serviceRPC: Close: %v", err)
 		}
 	}()

+	h := httpBase(ctx, "git-"+service)
+	if h == nil {
+		ctx.Resp.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
 	expectedContentType := fmt.Sprintf("application/x-git-%s-request", service)
 	if ctx.Req.Header.Get("Content-Type") != expectedContentType {
 		log.Error("Content-Type (%q) doesn't match expected: %q", ctx.Req.Header.Get("Content-Type"), expectedContentType)
@@ -472,26 +475,12 @@ func serviceRPC(ctx *context.Context, h *serviceHandler, service string) {

 // ServiceUploadPack implements Git Smart HTTP protocol
 func ServiceUploadPack(ctx *context.Context) {
-	h := httpBase(ctx)
-	if h != nil {
-		serviceRPC(ctx, h, "upload-pack")
-	}
+	serviceRPC(ctx, "upload-pack")
 }

 // ServiceReceivePack implements Git Smart HTTP protocol
 func ServiceReceivePack(ctx *context.Context) {
-	h := httpBase(ctx)
-	if h != nil {
-		serviceRPC(ctx, h, "receive-pack")
-	}
-}
-
-func getServiceType(ctx *context.Context) string {
-	serviceType := ctx.Req.FormValue("service")
-	if !strings.HasPrefix(serviceType, "git-") {
-		return ""
-	}
-	return strings.TrimPrefix(serviceType, "git-")
+	serviceRPC(ctx, "receive-pack")
 }

 func updateServerInfo(ctx gocontext.Context, dir string) []byte {
@@ -512,12 +501,12 @@ func packetWrite(str string) []byte {

 // GetInfoRefs implements Git dumb HTTP
 func GetInfoRefs(ctx *context.Context) {
-	h := httpBase(ctx)
+	service := strings.TrimPrefix(ctx.Req.FormValue("service"), "git-")
+	h := httpBase(ctx, "git-"+service)
 	if h == nil {
 		return
 	}
 	setHeaderNoCache(ctx)
-	service := getServiceType(ctx)
 	cmd, err := prepareGitCmdWithAllowedService(service)
 	if err == nil {
 		if protocol := ctx.Req.Header.Get("Git-Protocol"); protocol != "" && safeGitProtocolHeader.MatchString(protocol) {
--- a/routers/web/repo/issue_timetrack.go
+++ b/routers/web/repo/issue_timetrack.go
@@ -60,7 +60,7 @@ func DeleteTime(c *context.Context) {
 		return
 	}

-	t, err := issues_model.GetTrackedTimeByID(c, c.PathParamInt64("timeid"))
+	t, err := issues_model.GetTrackedTimeByID(c, issue.ID, c.PathParamInt64("timeid"))
 	if err != nil {
 		if db.IsErrNotExist(err) {
 			c.NotFound(err)
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -32,6 +32,7 @@ import (
 	"code.gitea.io/gitea/modules/graceful"
 	issue_template "code.gitea.io/gitea/modules/issue/template"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/util"
@@ -1100,11 +1101,9 @@ func MergePullRequest(ctx *context.Context) {
 		message += "\n\n" + form.MergeMessageField
 	}

-	deleteBranchAfterMerge, err := pull_service.ShouldDeleteBranchAfterMerge(ctx, form.DeleteBranchAfterMerge, ctx.Repo.Repository, pr)
-	if err != nil {
-		ctx.ServerError("ShouldDeleteBranchAfterMerge", err)
-		return
-	}
+	// There is always a checkbox on the UI (the DeleteBranchAfterMerge is nil if the checkbox is not checked),
+	// just use the user's choice, don't use pull_service.ShouldDeleteBranchAfterMerge to decide
+	deleteBranchAfterMerge := optional.FromPtr(form.DeleteBranchAfterMerge).Value()

 	if form.MergeWhenChecksSucceed {
 		// delete all scheduled auto merges
@@ -1230,6 +1229,28 @@ func CancelAutoMergePullRequest(ctx *context.Context) {
 		return
 	}

+	exist, autoMerge, err := pull_model.GetScheduledMergeByPullID(ctx, issue.PullRequest.ID)
+	if err != nil {
+		ctx.ServerError("GetScheduledMergeByPullID", err)
+		return
+	}
+	if !exist {
+		ctx.NotFound(nil)
+		return
+	}
+
+	if ctx.Doer.ID != autoMerge.DoerID {
+		allowed, err := pull_service.IsUserAllowedToMerge(ctx, issue.PullRequest, ctx.Repo.Permission, ctx.Doer)
+		if err != nil {
+			ctx.ServerError("IsUserAllowedToMerge", err)
+			return
+		}
+		if !allowed {
+			ctx.HTTPError(http.StatusForbidden, "user has no permission to cancel the scheduled auto merge")
+			return
+		}
+	}
+
 	if err := automerge.RemoveScheduledAutoMerge(ctx, ctx.Doer, issue.PullRequest); err != nil {
 		if db.IsErrNotExist(err) {
 			ctx.Flash.Error(ctx.Tr("repo.pulls.auto_merge_not_scheduled"))
--- a/routers/web/user/notification.go
+++ b/routers/web/user/notification.go
@@ -15,6 +15,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
@@ -128,7 +129,9 @@ func prepareUserNotificationsData(ctx *context.Context) {
 	ctx.Data["Notifications"] = notifications
 	ctx.Data["Link"] = setting.AppSubURL + "/notifications"
 	ctx.Data["SequenceNumber"] = ctx.FormString("sequence-number")
+
 	pager.AddParamFromRequest(ctx.Req)
+	pager.RemoveParam(container.SetOf("div-only", "sequence-number"))
 	ctx.Data["Page"] = pager
 }

--- a/routers/web/user/setting/account.go
+++ b/routers/web/user/setting/account.go
@@ -113,7 +113,12 @@ func EmailPost(ctx *context.Context) {

 	// Make email address primary.
 	if ctx.FormString("_method") == "PRIMARY" {
-		if err := user_model.MakeActiveEmailPrimary(ctx, ctx.FormInt64("id")); err != nil {
+		if err := user_model.MakeActiveEmailPrimary(ctx, ctx.Doer.ID, ctx.FormInt64("id")); err != nil {
+			if user_model.IsErrEmailAddressNotExist(err) {
+				ctx.Flash.Error(ctx.Tr("settings.email_primary_not_found"))
+				ctx.Redirect(setting.AppSubURL + "/user/settings/account")
+				return
+			}
 			ctx.ServerError("MakeEmailPrimary", err)
 			return
 		}
--- a/routers/web/user/setting/security/main_test.go
+++ b/routers/web/user/setting/security/main_test.go
@@ -0,0 +1,14 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package security
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+)
+
+func TestMain(m *testing.M) {
+	unittest.MainTest(m)
+}
--- a/routers/web/user/setting/security/openid.go
+++ b/routers/web/user/setting/security/openid.go
@@ -4,12 +4,14 @@
 package security

 import (
+	"errors"
 	"net/http"

 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/auth/openid"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/forms"
@@ -116,7 +118,11 @@ func DeleteOpenID(ctx *context.Context) {
 	}

 	if err := user_model.DeleteUserOpenID(ctx, &user_model.UserOpenID{ID: ctx.FormInt64("id"), UID: ctx.Doer.ID}); err != nil {
-		ctx.ServerError("DeleteUserOpenID", err)
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.HTTPError(http.StatusNotFound)
+		} else {
+			ctx.ServerError("DeleteUserOpenID", err)
+		}
 		return
 	}
 	log.Trace("OpenID address deleted: %s", ctx.Doer.Name)
@@ -132,8 +138,12 @@ func ToggleOpenIDVisibility(ctx *context.Context) {
 		return
 	}

-	if err := user_model.ToggleUserOpenIDVisibility(ctx, ctx.FormInt64("id")); err != nil {
-		ctx.ServerError("ToggleUserOpenIDVisibility", err)
+	if err := user_model.ToggleUserOpenIDVisibility(ctx, ctx.FormInt64("id"), ctx.Doer); err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.HTTPError(http.StatusNotFound)
+		} else {
+			ctx.ServerError("ToggleUserOpenIDVisibility", err)
+		}
 		return
 	}

--- a/routers/web/user/setting/security/openid_test.go
+++ b/routers/web/user/setting/security/openid_test.go
@@ -0,0 +1,36 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package security
+
+import (
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/services/contexttest"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDeleteOpenIDReturnsNotFoundForOtherUsersAddress(t *testing.T) {
+	unittest.PrepareTestEnv(t)
+	ctx, _ := contexttest.MockContext(t, "POST /user/settings/security")
+	contexttest.LoadUser(t, ctx, 2)
+	ctx.SetFormString("id", "1")
+
+	DeleteOpenID(ctx)
+
+	assert.Equal(t, http.StatusNotFound, ctx.Resp.WrittenStatus())
+}
+
+func TestToggleOpenIDVisibilityReturnsNotFoundForOtherUsersAddress(t *testing.T) {
+	unittest.PrepareTestEnv(t)
+	ctx, _ := contexttest.MockContext(t, "POST /user/settings/security")
+	contexttest.LoadUser(t, ctx, 2)
+	ctx.SetFormString("id", "1")
+
+	ToggleOpenIDVisibility(ctx)
+
+	assert.Equal(t, http.StatusNotFound, ctx.Resp.WrittenStatus())
+}
--- a/routers/web/user/stop_watch.go
+++ b/routers/web/user/stop_watch.go
@@ -29,7 +29,7 @@ func GetStopwatches(ctx *context.Context) {
 		return
 	}

-	apiSWs, err := convert.ToStopWatches(ctx, sws)
+	apiSWs, err := convert.ToStopWatches(ctx, ctx.Doer, sws)
 	if err != nil {
 		ctx.HTTPError(http.StatusInternalServerError, err.Error())
 		return
--- a/services/actions/commit_status.go
+++ b/services/actions/commit_status.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"path"
+	"strings"

 	actions_model "code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/db"
@@ -91,6 +92,7 @@ func createCommitStatus(ctx context.Context, job *actions_model.ActionRunJob) er
 		runName = wfs[0].Name
 	}
 	ctxname := fmt.Sprintf("%s / %s (%s)", runName, job.Name, event)
+	ctxname = strings.TrimSpace(ctxname) // git_model.NewCommitStatus also trims spaces
 	state := toCommitStatus(job.Status)
 	if statuses, err := git_model.GetLatestCommitStatus(ctx, repo.ID, sha, db.ListOptionsAll); err == nil {
 		for _, v := range statuses {
--- a/services/automerge/automerge.go
+++ b/services/automerge/automerge.go
@@ -241,9 +241,9 @@ func handlePullRequestAutoMerge(pullID int64, sha string) {
 		return
 	}

-	perm, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
+	perm, err := access_model.GetUserRepoPermission(ctx, pr.BaseRepo, doer)
 	if err != nil {
-		log.Error("GetUserRepoPermission %-v: %v", pr.HeadRepo, err)
+		log.Error("GetUserRepoPermission %-v: %v", pr.BaseRepo, err)
 		return
 	}

--- a/services/context/pagination.go
+++ b/services/context/pagination.go
@@ -8,8 +8,10 @@ import (
 	"html/template"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"

+	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/paginator"
 )

@@ -49,6 +51,14 @@ func (p *Pagination) AddParamFromRequest(req *http.Request) {
 	p.AddParamFromQuery(req.URL.Query())
 }

+func (p *Pagination) RemoveParam(keys container.Set[string]) {
+	p.urlParams = slices.DeleteFunc(p.urlParams, func(s string) bool {
+		k, _, _ := strings.Cut(s, "=")
+		k, _ = url.QueryUnescape(k)
+		return keys.Contains(k)
+	})
+}
+
 // GetParams returns the configured URL params
 func (p *Pagination) GetParams() template.URL {
 	return template.URL(strings.Join(p.urlParams, "&"))
--- a/services/context/pagination_test.go
+++ b/services/context/pagination_test.go
@@ -0,0 +1,35 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package context
+
+import (
+	"net/url"
+	"testing"
+
+	"code.gitea.io/gitea/modules/container"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPagination(t *testing.T) {
+	p := NewPagination(1, 1, 1, 1)
+	params := url.Values{}
+	params.Add("k1", "11")
+	params.Add("k1", "12")
+	params.Add("k", "a")
+	params.Add("k", "b")
+	params.Add("k2", "21")
+	params.Add("k2", "22")
+	params.Add("foo", "bar")
+
+	p.AddParamFromQuery(params)
+	v, _ := url.ParseQuery(string(p.GetParams()))
+	assert.Equal(t, params, v)
+
+	p.RemoveParam(container.SetOf("k", "foo"))
+	params.Del("k")
+	params.Del("foo")
+	v, _ = url.ParseQuery(string(p.GetParams()))
+	assert.Equal(t, params, v)
+}
--- a/services/convert/issue.go
+++ b/services/convert/issue.go
@@ -10,8 +10,10 @@ import (
 	"strings"

 	issues_model "code.gitea.io/gitea/models/issues"
+	access_model "code.gitea.io/gitea/models/perm/access"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/cache"
 	"code.gitea.io/gitea/modules/label"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -163,11 +165,12 @@ func ToTrackedTime(ctx context.Context, doer *user_model.User, t *issues_model.T
 }

 // ToStopWatches convert Stopwatch list to api.StopWatches
-func ToStopWatches(ctx context.Context, sws []*issues_model.Stopwatch) (api.StopWatches, error) {
+func ToStopWatches(ctx context.Context, doer *user_model.User, sws []*issues_model.Stopwatch) (api.StopWatches, error) {
 	result := api.StopWatches(make([]api.StopWatch, 0, len(sws)))

 	issueCache := make(map[int64]*issues_model.Issue)
 	repoCache := make(map[int64]*repo_model.Repository)
+	permCache := make(map[int64]access_model.Permission)
 	var (
 		issue *issues_model.Issue
 		repo  *repo_model.Repository
@@ -182,13 +185,30 @@ func ToStopWatches(ctx context.Context, sws []*issues_model.Stopwatch) (api.Stop
 			if err != nil {
 				return nil, err
 			}
+			issueCache[sw.IssueID] = issue
 		}
 		repo, ok = repoCache[issue.RepoID]
 		if !ok {
 			repo, err = repo_model.GetRepositoryByID(ctx, issue.RepoID)
 			if err != nil {
-				return nil, err
+				log.Error("GetRepositoryByID(%d): %v", issue.RepoID, err)
+				continue
 			}
+			repoCache[issue.RepoID] = repo
+		}
+
+		// ADD: Check user permissions
+		perm, ok := permCache[repo.ID]
+		if !ok {
+			perm, err = access_model.GetUserRepoPermission(ctx, repo, doer)
+			if err != nil {
+				continue
+			}
+			permCache[repo.ID] = perm
+		}
+
+		if !perm.CanReadIssuesOrPulls(issue.IsPull) {
+			continue
 		}

 		result = append(result, api.StopWatch{
@@ -207,7 +227,21 @@ func ToStopWatches(ctx context.Context, sws []*issues_model.Stopwatch) (api.Stop
 // ToTrackedTimeList converts TrackedTimeList to API format
 func ToTrackedTimeList(ctx context.Context, doer *user_model.User, tl issues_model.TrackedTimeList) api.TrackedTimeList {
 	result := make([]*api.TrackedTime, 0, len(tl))
+	permCache := cache.NewEphemeralCache()
 	for _, t := range tl {
+		// If the issue is not loaded, conservatively skip this entry to avoid bypassing permission checks.
+		if t.Issue == nil || t.Issue.Repo == nil {
+			continue
+		}
+		perm, err := cache.GetWithEphemeralCache(ctx, permCache, "repo-perm", t.Issue.RepoID, func(ctx context.Context, repoID int64) (access_model.Permission, error) {
+			return access_model.GetUserRepoPermission(ctx, t.Issue.Repo, doer)
+		})
+		if err != nil {
+			continue
+		}
+		if !perm.CanReadIssuesOrPulls(t.Issue.IsPull) {
+			continue
+		}
 		result = append(result, ToTrackedTime(ctx, doer, t))
 	}
 	return result
--- a/services/convert/issue_test.go
+++ b/services/convert/issue_test.go
@@ -8,14 +8,17 @@ import (
 	"testing"
 	"time"

+	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestLabel_ToLabel(t *testing.T) {
@@ -55,3 +58,69 @@ func TestMilestone_APIFormat(t *testing.T) {
 		Deadline:     milestone.DeadlineUnix.AsTimePtr(),
 	}, *ToAPIMilestone(milestone))
 }
+
+func TestToStopWatchesRespectsPermissions(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	ctx := t.Context()
+	publicSW := unittest.AssertExistsAndLoadBean(t, &issues_model.Stopwatch{ID: 1})
+	privateIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 3})
+	privateSW := &issues_model.Stopwatch{IssueID: privateIssue.ID, UserID: 5}
+	assert.NoError(t, db.Insert(ctx, privateSW))
+	assert.NotZero(t, privateSW.ID)
+
+	regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+
+	sws := []*issues_model.Stopwatch{publicSW, privateSW}
+
+	visible, err := ToStopWatches(ctx, regularUser, sws)
+	assert.NoError(t, err)
+	assert.Len(t, visible, 1)
+	assert.Equal(t, "repo1", visible[0].RepoName)
+
+	visibleAdmin, err := ToStopWatches(ctx, adminUser, sws)
+	assert.NoError(t, err)
+	assert.Len(t, visibleAdmin, 2)
+	assert.ElementsMatch(t, []string{"repo1", "repo3"}, []string{visibleAdmin[0].RepoName, visibleAdmin[1].RepoName})
+}
+
+func TestToTrackedTime(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	ctx := t.Context()
+	publicIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 1})
+	privateIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 3})
+	regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+
+	publicTrackedTime := &issues_model.TrackedTime{IssueID: publicIssue.ID, UserID: regularUser.ID, Time: 3600}
+	privateTrackedTime := &issues_model.TrackedTime{IssueID: privateIssue.ID, UserID: regularUser.ID, Time: 1800}
+	require.NoError(t, db.Insert(ctx, publicTrackedTime))
+	require.NoError(t, db.Insert(ctx, privateTrackedTime))
+
+	t.Run("NilIssues", func(t *testing.T) {
+		list := ToTrackedTimeList(ctx, regularUser, issues_model.TrackedTimeList{publicTrackedTime, privateTrackedTime})
+		assert.Empty(t, list)
+	})
+
+	t.Run("NilRepo", func(t *testing.T) {
+		badTrackedTime := &issues_model.TrackedTime{Issue: &issues_model.Issue{RepoID: 999999}}
+		visible := ToTrackedTimeList(ctx, regularUser, issues_model.TrackedTimeList{badTrackedTime})
+		assert.Empty(t, visible)
+	})
+
+	trackedTimes := issues_model.TrackedTimeList{publicTrackedTime, privateTrackedTime}
+	require.NoError(t, trackedTimes.LoadAttributes(ctx))
+
+	t.Run("ToRegularUser", func(t *testing.T) {
+		list := ToTrackedTimeList(ctx, regularUser, trackedTimes)
+		require.Len(t, list, 1)
+		assert.Equal(t, "repo1", list[0].Issue.Repo.Name)
+	})
+	t.Run("ToAdminUser", func(t *testing.T) {
+		list := ToTrackedTimeList(ctx, adminUser, trackedTimes)
+		require.Len(t, list, 2)
+		assert.ElementsMatch(t, []string{"repo1", "repo3"}, []string{list[0].Issue.Repo.Name, list[1].Issue.Repo.Name})
+	})
+}
--- a/services/convert/notification.go
+++ b/services/convert/notification.go
@@ -8,8 +8,8 @@ import (
 	"net/url"

 	activities_model "code.gitea.io/gitea/models/activities"
-	"code.gitea.io/gitea/models/perm"
 	access_model "code.gitea.io/gitea/models/perm/access"
+	"code.gitea.io/gitea/modules/log"
 	api "code.gitea.io/gitea/modules/structs"
 )

@@ -25,11 +25,17 @@ func ToNotificationThread(ctx context.Context, n *activities_model.Notification)

 	// since user only get notifications when he has access to use minimal access mode
 	if n.Repository != nil {
-		result.Repository = ToRepo(ctx, n.Repository, access_model.Permission{AccessMode: perm.AccessModeRead})
-
-		// This permission is not correct and we should not be reporting it
-		for repository := result.Repository; repository != nil; repository = repository.Parent {
-			repository.Permissions = nil
+		perm, err := access_model.GetUserRepoPermission(ctx, n.Repository, n.User)
+		if err != nil {
+			log.Error("GetUserRepoPermission failed: %v", err)
+			return result
+		}
+		if perm.HasAnyUnitAccessOrPublicAccess() { // if user has been revoked access to repo, do not show repo info
+			result.Repository = ToRepo(ctx, n.Repository, perm)
+			// This permission is not correct and we should not be reporting it
+			for repository := result.Repository; repository != nil; repository = repository.Parent {
+				repository.Permissions = nil
+			}
 		}
 	}

--- a/services/convert/notification_test.go
+++ b/services/convert/notification_test.go
@@ -0,0 +1,57 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package convert
+
+import (
+	"testing"
+
+	activities_model "code.gitea.io/gitea/models/activities"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestToNotificationThreadIncludesRepoForAccessibleUser(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	n := newRepoNotification(t, 1, 4)
+	thread := ToNotificationThread(t.Context(), n)
+
+	if assert.NotNil(t, thread.Repository) {
+		assert.Equal(t, n.Repository.FullName(), thread.Repository.FullName)
+		assert.Nil(t, thread.Repository.Permissions)
+	}
+}
+
+func TestToNotificationThreadOmitsRepoWhenAccessRevoked(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	n := newRepoNotification(t, 2, 4)
+	thread := ToNotificationThread(t.Context(), n)
+
+	assert.Nil(t, thread.Repository)
+}
+
+func newRepoNotification(t *testing.T, repoID, userID int64) *activities_model.Notification {
+	t.Helper()
+
+	ctx := t.Context()
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repoID})
+	assert.NoError(t, repo.LoadOwner(ctx))
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userID})
+
+	return &activities_model.Notification{
+		ID:          repoID*1000 + userID,
+		UserID:      user.ID,
+		RepoID:      repo.ID,
+		Status:      activities_model.NotificationStatusUnread,
+		Source:      activities_model.NotificationSourceRepository,
+		UpdatedUnix: timeutil.TimeStampNow(),
+		Repository:  repo,
+		User:        user,
+	}
+}
--- a/services/convert/repository.go
+++ b/services/convert/repository.go
@@ -127,20 +127,10 @@ func innerToRepo(ctx context.Context, repo *repo_model.Repository, permissionInR
 		projectsMode = config.ProjectsMode
 	}

-	hasReleases := false
-	if _, err := repo.GetUnit(ctx, unit_model.TypeReleases); err == nil {
-		hasReleases = true
-	}
-
-	hasPackages := false
-	if _, err := repo.GetUnit(ctx, unit_model.TypePackages); err == nil {
-		hasPackages = true
-	}
-
-	hasActions := false
-	if _, err := repo.GetUnit(ctx, unit_model.TypeActions); err == nil {
-		hasActions = true
-	}
+	hasCode := repo.UnitEnabled(ctx, unit_model.TypeCode)
+	hasReleases := repo.UnitEnabled(ctx, unit_model.TypeReleases)
+	hasPackages := repo.UnitEnabled(ctx, unit_model.TypePackages)
+	hasActions := repo.UnitEnabled(ctx, unit_model.TypeActions)

 	if err := repo.LoadOwner(ctx); err != nil {
 		return nil
@@ -221,6 +211,7 @@ func innerToRepo(ctx context.Context, repo *repo_model.Repository, permissionInR
 		Updated:                       repo.UpdatedUnix.AsTime(),
 		ArchivedAt:                    repo.ArchivedUnix.AsTime(),
 		Permissions:                   permission,
+		HasCode:                       hasCode,
 		HasIssues:                     hasIssues,
 		ExternalTracker:               externalTracker,
 		InternalTracker:               internalTracker,
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -27,9 +27,9 @@ type CreateRepoForm struct {
 	DefaultBranch string `binding:"GitRefName;MaxSize(100)"`
 	AutoInit      bool
 	Gitignores    string
-	IssueLabels   string
-	License       string
-	Readme        string
+	IssueLabels   string `binding:"MaxSize(255)"`
+	License       string `binding:"MaxSize(100)"`
+	Readme        string `binding:"MaxSize(255)"`
 	Template      bool

 	RepoTemplate    int64
@@ -41,7 +41,7 @@ type CreateRepoForm struct {
 	Labels          bool
 	ProtectedBranch bool

-	ForkSingleBranch string
+	ForkSingleBranch string `binding:"MaxSize(255)"`
 	ObjectFormatName string
 }

--- a/services/lfs/locks.go
+++ b/services/lfs/locks.go
@@ -90,7 +90,7 @@ func GetListLockHandler(ctx *context.Context) {
 			})
 			return
 		}
-		lock, err := git_model.GetLFSLockByID(ctx, v)
+		lock, err := git_model.GetLFSLockByIDAndRepo(ctx, v, repository.ID)
 		if err != nil && !git_model.IsErrLFSLockNotExist(err) {
 			log.Error("Unable to get lock with ID[%s]: Error: %v", v, err)
 		}
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -14,7 +14,6 @@ import (
 	"maps"
 	"net/http"
 	"net/url"
-	"path"
 	"regexp"
 	"strconv"
 	"strings"
@@ -29,6 +28,7 @@ import (
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/auth/httpauth"
+	"code.gitea.io/gitea/modules/httplib"
 	"code.gitea.io/gitea/modules/json"
 	lfs_module "code.gitea.io/gitea/modules/lfs"
 	"code.gitea.io/gitea/modules/log"
@@ -45,6 +45,7 @@ type requestContext struct {
 	Repo          string
 	Authorization string
 	Method        string
+	RepoGitURL    string
 }

 // Claims is a JWT Token Claims
@@ -84,17 +85,17 @@ func GetLFSAuthTokenWithBearer(opts AuthTokenOptions) (string, error) {

 // DownloadLink builds a URL to download the object.
 func (rc *requestContext) DownloadLink(p lfs_module.Pointer) string {
-	return setting.AppURL + path.Join(url.PathEscape(rc.User), url.PathEscape(rc.Repo+".git"), "info/lfs/objects", url.PathEscape(p.Oid))
+	return rc.RepoGitURL + "/info/lfs/objects/" + url.PathEscape(p.Oid)
 }

 // UploadLink builds a URL to upload the object.
 func (rc *requestContext) UploadLink(p lfs_module.Pointer) string {
-	return setting.AppURL + path.Join(url.PathEscape(rc.User), url.PathEscape(rc.Repo+".git"), "info/lfs/objects", url.PathEscape(p.Oid), strconv.FormatInt(p.Size, 10))
+	return rc.RepoGitURL + "/info/lfs/objects/" + url.PathEscape(p.Oid) + "/" + strconv.FormatInt(p.Size, 10)
 }

 // VerifyLink builds a URL for verifying the object.
 func (rc *requestContext) VerifyLink(p lfs_module.Pointer) string {
-	return setting.AppURL + path.Join(url.PathEscape(rc.User), url.PathEscape(rc.Repo+".git"), "info/lfs/verify")
+	return rc.RepoGitURL + "/info/lfs/verify"
 }

 // CheckAcceptMediaType checks if the client accepts the LFS media type.
@@ -422,11 +423,14 @@ func decodeJSON(req *http.Request, v any) error {
 }

 func getRequestContext(ctx *context.Context) *requestContext {
+	ownerName := ctx.PathParam("username")
+	repoName := strings.TrimSuffix(ctx.PathParam("reponame"), ".git")
 	return &requestContext{
-		User:          ctx.PathParam("username"),
-		Repo:          strings.TrimSuffix(ctx.PathParam("reponame"), ".git"),
+		User:          ownerName,
+		Repo:          repoName,
 		Authorization: ctx.Req.Header.Get("Authorization"),
 		Method:        ctx.Req.Method,
+		RepoGitURL:    httplib.GuessCurrentAppURL(ctx) + url.PathEscape(ownerName) + "/" + url.PathEscape(repoName+".git"),
 	}
 }

--- a/Show More
+++ b/Show More