change log for 1.26.1 (#37357 )

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Stabilize e2e logout propagation test (#37408 )
2026-05-15 09:47:10 +00:00 · 2026-04-24 12:40:36 -07:00 · 2026-04-25 00:20:09 +08:00 · 2026-04-24 17:45:10 +08:00 · 2026-04-23 23:33:25 +00:00 · 2026-04-23 21:15:53 +02:00
163 changed files with 2723 additions and 1593 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,29 @@ This changelog goes through the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.com).

-## [1.26.0-rc0](https://github.com/go-gitea/gitea/releases/tag/v1.26.0-rc0) - 2026-04-07
+## [1.26.1](https://github.com/go-gitea/gitea/releases/tag/v1.26.1) - 2026-04-21
+
+* BUGFIXES
+  * Add event.schedule context for schedule actions task (#37320) (#37348)
+  * Fix an issue where changing an organization's visibility caused problems when users had forked its repositories. (#37324) (#37344)
+  * Use modern "git update-index --cacheinfo" syntax to support more file names (#37338) (#37343)
+  * Fix URL related escaping for oauth2 (#37334) (#37340)
+  * When the requested arch rpm is missing fall back to noarch (#37236) (#37339)
+  * Fix actions concurrency groups cross-branch leak (#37311) (#37331)
+  * Fix bug when accessing user badges (#37321) (#37329)
+  * Fix AppFullLink (#37325) (#37328)
+  * Fix container auth for public instance (#37290) (#37294)
+  * Enhance GetActionWorkflow to support fallback references (#37189) (#37283)
+  * Fix vite manifest update masking build errors (#37279) (#37310)
+  * Fix Mermaid diagrams failing when node labels contain line breaks (#37296) (#37299)
+  * Use TriggerEvent instead of Event in workflow runs API response for scheduled runs (#37288) #37360
+  * Add URL to Learn more about blocking a user. (#37355) #37367
+  * Fix button layout shift when collapsing file tree in editor (#37363) #37375
+  * Fix org team assignee/reviewer lookups for team member permissions (#37365) #37391
+  * Fix repo init README EOL (#37388) #37399
+  * Fix: dump with default zip type produces uncompressed zip (#37401)#37402
+
+## [1.26.0](https://github.com/go-gitea/gitea/releases/tag/v1.26.0) - 2026-04-17

 * BREAKING
  * Correct swagger annotations for enums, status codes, and notification state (#37030)
@@ -30,7 +52,8 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Add summary to action runs view (#36883)
  * Add user badges (#36752)
  * Add configurable permissions for Actions automatic tokens (#36173)
-  * Add per-runner “Disable/Pause”  (#36776)
+  * Add per-runner "Disable/Pause"  (#36776)
+  * Feature non-zipped actions artifacts (action v7 / nodejs / npm v6.2.0) (#36786)
 * PERFORMANCE
  * WorkflowDispatch API optionally return runid (#36706)
  * Add render cache for SVG icons (#36863)
@@ -41,6 +64,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Refactor cat-file batch operations and support `--batch-command` approach (#35775)
  * Use merge tree to detect conflicts when possible (#36400)
 * ENHANCEMENTS
+  * Implement logout redirection for reverse proxy auth setups (#36085) (#37171)
  * Adds option to force update new branch in contents routes (#35592)
  * Add viewer controller for mermaid (zoom, drag) (#36557)
  * Add code editor setting dropdowns (#36534)
@@ -49,7 +73,6 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Allow configuring default PR base branch (fixes #36412) (#36425)
  * Add support for RPM Errata (updateinfo.xml) (#37125)
  * Require additional user confirmation for making repo private (#36959)
-  * Feature non-zipped actions artifacts (action v7 / nodejs / npm v6.2.0) (#36786)
  * Add `actions.WORKFLOW_DIRS` setting (#36619)
  * Avoid opening new tab when downloading actions logs (#36740)
  * Implements OIDC RP-Initiated Logout (#36724)
@@ -67,7 +90,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Refactor storage content-type handling of ServeDirectURL (#36804)
  * Use "Enable Gravatar" but not "Disable" (#36771)
  * Use case-insensitive matching for Git error "Not a valid object name" (#36728)
-  * Add “Copy Source” to markup comment menu (#36726)
+  * Add "Copy Source" to markup comment menu (#36726)
  * Change image transparency grid to CSS (#36711)
  * Add "Run" prefix for unnamed action steps (#36624)
  * Persist actions log time display settings in `localStorage` (#36623)
@@ -139,6 +162,20 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Expose content_version for optimistic locking on issue and PR edits (#37035)
  * Pass ServeHeaderOptions by value instead of pointer, fine tune httplib tests (#36982)
 * BUGFIXES
+  * Frontend iframe renderer framework: 3D models, OpenAPI (#37233) (#37273)
+  * Fix CODEOWNERS absolute path matching. (#37244) (#37264)
+  * Swift registry metadata: preserve more JSON fields and accept empty metadata (#37254) (#37261)
+  * Fix user ssh key exporting and tests (#37256) (#37258)
+  * Fix team member avatar size and add tooltip (#37253)
+  * Fix commit title rendering in action run and blame (#37243) (#37251)
+  * Fix corrupted JSON caused by goccy library (#37214) (#37220)
+  * Add test for "fetch redirect", add CSS value validation for external render (#37207) (#37216)
+  * Fix incorrect concurrency check (#37205) (#37215)
+  * Fix handle missing base branch in PR commits API (#37193) (#37203)
+  * Fix encoding for Matrix Webhooks (#37190) (#37201)
+  * Fix handle fork-only commits in compare API (#37185) (#37199)
+  * Indicate form field readonly via background, fix RunUser config (#37175, #37180) (#37178)
+  * Report structurally invalid workflows to users (#37116) (#37164)
  * Fix API not persisting pull request unit config when has_pull_requests is not set (#36718)
  * Rename CSS variables and improve colorblind themes (#36353)
  * Hide `add-matcher` and `remove-matcher` from actions job logs (#36520)
@@ -232,6 +269,9 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Only turn links to current instance into hash links (#36237)
  * Fix typos in code comments: doesnt, dont, wont (#36890)
 * REFACTOR
+  * Clean up and improve non-gitea js error filter (#37148) (#37155)
+  * Always show owner/repo name in compare page dropdowns (#37172) (#37200)
+  * Remove dead CSS rules (#37173) (#37177)
  * Replace Monaco with CodeMirror (#36764)
  * Replace CSRF cookie with `CrossOriginProtection` (#36183)
  * Replace index with id in actions routes (#36842)
@@ -289,6 +329,9 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Add e2e reaction test, improve accessibility, enable parallel testing (#37081)
  * Increase e2e test timeouts on CI to fix flaky tests (#37053)
 * BUILD
+  * Upgrade go-git to v5.18.0 (#37269)
+  * Replace rollup-plugin-license with rolldown-license-plugin (#37130) (#37158)
+  * Bump min go version to 1.26.2 (#37139) (#37143)
  * Convert locale files from ini to json format (#35489)
  * Bump golangci-lint to 2.7.2, enable modernize stringsbuilder (#36180)
  * Port away from `flake-utils` (#35675)
--- a/build/generate-go-licenses.go
+++ b/build/generate-go-licenses.go
@@ -19,6 +19,7 @@ import (

 // regexp is based on go-license, excluding README and NOTICE
 // https://github.com/google/go-licenses/blob/master/licenses/find.go
+// also defined in vite.config.ts
 var licenseRe = regexp.MustCompile(`^(?i)((UN)?LICEN(S|C)E|COPYING).*$`)

 // primaryLicenseRe matches exact primary license filenames without suffixes.
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -41,10 +41,10 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; App name that shows in every page title
-APP_NAME = ; Gitea: Git with a cup of tea
+;APP_NAME = Gitea: Git with a cup of tea
 ;;
 ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
-RUN_USER = ; git
+;RUN_USER =
 ;;
 ;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
 ;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
@@ -461,6 +461,11 @@ INTERNAL_TOKEN =
 ;; Name of cookie used to store authentication information.
 ;COOKIE_REMEMBER_NAME = gitea_incredible
 ;;
+;; URL or path that Gitea should redirect users to *after* performing its own logout.
+;; Use this, if needed, when authentication is handled by a reverse proxy or SSO.
+;; For example: "/my-sso/logout?return=/my-sso/home"
+;REVERSE_PROXY_LOGOUT_REDIRECT =
+;;
 ;; Reverse proxy authentication header name of user name, email, and full name
 ;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
 ;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
--- a/eslint.config.ts
+++ b/eslint.config.ts
@@ -926,6 +926,7 @@ export default defineConfig([
  {
    ...playwright.configs['flat/recommended'],
    files: ['tests/e2e/**/*.test.ts'],
+    languageOptions: {globals: {...globals.nodeBuiltin, ...globals.browser}},
    rules: {
      ...playwright.configs['flat/recommended'].rules,
      'playwright/expect-expect': [0],
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module code.gitea.io/gitea

-go 1.26.1
+go 1.26.2

 // rfc5280 said: "The serial number is an integer assigned by the CA to each certificate."
 // But some CAs use negative serial number, just relax the check. related:
@@ -12,7 +12,7 @@ require (
 	code.gitea.io/sdk/gitea v0.24.1
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
 	connectrpc.com/connect v1.19.1
-	gitea.com/go-chi/binding v0.0.0-20240430071103-39a851e106ed
+	gitea.com/go-chi/binding v0.0.0-20260414111559-654cea7ac60a
 	gitea.com/go-chi/cache v0.2.1
 	gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098
 	gitea.com/go-chi/session v0.0.0-20251124165456-68e0254e989e
@@ -52,12 +52,11 @@ require (
 	github.com/go-co-op/gocron/v2 v2.19.1
 	github.com/go-enry/go-enry/v2 v2.9.5
 	github.com/go-git/go-billy/v5 v5.8.0
-	github.com/go-git/go-git/v5 v5.17.2
+	github.com/go-git/go-git/v5 v5.18.0
 	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/go-redsync/redsync/v4 v4.16.0
 	github.com/go-sql-driver/mysql v1.9.3
 	github.com/go-webauthn/webauthn v0.16.1
-	github.com/goccy/go-json v0.10.6
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
 	github.com/golang-jwt/jwt/v5 v5.3.1
@@ -196,6 +195,7 @@ require (
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/go-webauthn/x v0.2.2 // indirect
+	github.com/goccy/go-json v0.10.6 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
--- a/go.sum
+++ b/go.sum
@@ -18,8 +18,8 @@ filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
 filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
 gitea.com/gitea/act v0.261.10 h1:ndwbtuMXXz1dpYF2iwY1/PkgKNETo4jmPXfinTZt8cs=
 gitea.com/gitea/act v0.261.10/go.mod h1:oIkqQHvU0lfuIWwcpqa4FmU+t3prA89tgkuHUTsrI2c=
-gitea.com/go-chi/binding v0.0.0-20240430071103-39a851e106ed h1:EZZBtilMLSZNWtHHcgq2mt6NSGhJSZBuduAlinMEmso=
-gitea.com/go-chi/binding v0.0.0-20240430071103-39a851e106ed/go.mod h1:E3i3cgB04dDx0v3CytCgRTTn9Z/9x891aet3r456RVw=
+gitea.com/go-chi/binding v0.0.0-20260414111559-654cea7ac60a h1:JHoBrfuTSF9Ke9aNfSYj1XRPBHjKPgCApVprnt2Am0M=
+gitea.com/go-chi/binding v0.0.0-20260414111559-654cea7ac60a/go.mod h1:FOsLJIMdpiHzBp3Vby6Wfkdw2ppGscrjgU1IC7E4/zQ=
 gitea.com/go-chi/cache v0.2.1 h1:bfAPkvXlbcZxPCpcmDVCWoHgiBSBmZN/QosnZvEC0+g=
 gitea.com/go-chi/cache v0.2.1/go.mod h1:Qic0HZ8hOHW62ETGbonpwz8WYypj9NieU9659wFUJ8Q=
 gitea.com/go-chi/captcha v0.0.0-20240315150714-fb487f629098 h1:p2ki+WK0cIeNQuqjR98IP2KZQKRzJJiV7aTeMAFwaWo=
@@ -304,8 +304,8 @@ github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDz
 github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.17.2 h1:B+nkdlxdYrvyFK4GPXVU8w1U+YkbsgciIR7f2sZJ104=
-github.com/go-git/go-git/v5 v5.17.2/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
+github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM=
+github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
--- a/models/asymkey/ssh_key.go
+++ b/models/asymkey/ssh_key.go
@@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"

@@ -64,7 +65,12 @@ func (key *PublicKey) AfterLoad() {

 // OmitEmail returns content of public key without email address.
 func (key *PublicKey) OmitEmail() string {
-	return strings.Join(strings.Split(key.Content, " ")[:2], " ")
+	fields := strings.Split(key.Content, " ") // format: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... comment
+	if len(fields) < 2 {
+		setting.PanicInDevOrTesting("invalid public key %d content: %s", key.ID, key.Content)
+		return "" // not a valid public key, it shouldn't really happen, the value is managed internally
+	}
+	return strings.Join(fields[:2], " ")
 }

 func addKey(ctx context.Context, key *PublicKey) (err error) {
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -633,7 +633,7 @@ func GetActiveOAuth2SourceByAuthName(ctx context.Context, name string) (*Source,
 	}

 	if !has {
-		return nil, fmt.Errorf("oauth2 source not found, name: %q", name)
+		return nil, util.NewNotExistErrorf("oauth2 source not found, name: %q", name)
 	}

 	return authSource, nil
--- a/models/fixtures/action_run.yml
+++ b/models/fixtures/action_run.yml
@@ -89,7 +89,7 @@
  ref: "refs/heads/test"
  commit_sha: "c2d72f548424103f01ee1dc02889c1e2bff816b0"
  event: "push"
-  trigger_event: "push"
+  trigger_event: "schedule"
  is_fork_pull_request: 0
  status: 1
  started: 1683636528
--- a/models/issues/pull.go
+++ b/models/issues/pull.go
@@ -877,7 +877,12 @@ func ParseCodeOwnersLine(ctx context.Context, tokens []string) (*CodeOwnerRule,

 	warnings := make([]string, 0)

-	expr := fmt.Sprintf("^%s$", strings.TrimPrefix(tokens[0], "!"))
+	// Strip leading "!" for negative rules, then strip leading "/" since
+	// git returns relative paths (e.g. "docs/foo.md" not "/docs/foo.md")
+	// and the regex is already anchored with ^...$, so the "/" is redundant.
+	pattern := strings.TrimPrefix(tokens[0], "!")
+	pattern = strings.TrimPrefix(pattern, "/")
+	expr := fmt.Sprintf("^%s$", pattern)
 	rule.Rule, err = regexp2.Compile(expr, regexp2.None)
 	if err != nil {
 		warnings = append(warnings, fmt.Sprintf("incorrect codeowner regexp: %s", err))
--- a/models/issues/pull_test.go
+++ b/models/issues/pull_test.go
@@ -17,16 +17,43 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func TestPullRequest_LoadAttributes(t *testing.T) {
+func TestPullRequest(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("LoadAttributes", testPullRequestLoadAttributes)
+	t.Run("LoadIssue", testPullRequestLoadIssue)
+	t.Run("LoadBaseRepo", testPullRequestLoadBaseRepo)
+	t.Run("LoadHeadRepo", testPullRequestLoadHeadRepo)
+	t.Run("PullRequestsNewest", testPullRequestsNewest)
+	t.Run("PullRequestsOldest", testPullRequestsOldest)
+	t.Run("GetUnmergedPullRequest", testGetUnmergedPullRequest)
+	t.Run("HasUnmergedPullRequestsByHeadInfo", testHasUnmergedPullRequestsByHeadInfo)
+	t.Run("GetUnmergedPullRequestsByHeadInfo", testGetUnmergedPullRequestsByHeadInfo)
+	t.Run("GetUnmergedPullRequestsByBaseInfo", testGetUnmergedPullRequestsByBaseInfo)
+	t.Run("GetPullRequestByIndex", testGetPullRequestByIndex)
+	t.Run("GetPullRequestByID", testGetPullRequestByID)
+	t.Run("GetPullRequestByIssueID", testGetPullRequestByIssueID)
+	t.Run("PullRequest_UpdateCols", testPullRequestUpdateCols)
+	t.Run("PullRequest_IsWorkInProgress", testPullRequestIsWorkInProgress)
+	t.Run("PullRequest_GetWorkInProgressPrefixWorkInProgress", testPullRequestGetWorkInProgressPrefixWorkInProgress)
+	t.Run("DeleteOrphanedObjects", testDeleteOrphanedObjects)
+	t.Run("ParseCodeOwnersLine", testParseCodeOwnersLine)
+	t.Run("CodeOwnerAbsolutePathPatterns", testCodeOwnerAbsolutePathPatterns)
+	t.Run("GetApprovers", testGetApprovers)
+	t.Run("GetPullRequestByMergedCommit", testGetPullRequestByMergedCommit)
+	t.Run("Migrate_InsertPullRequests", testMigrateInsertPullRequests)
+	t.Run("PullRequestsClosedRecentSortType", testPullRequestsClosedRecentSortType)
+	t.Run("LoadRequestedReviewers", testLoadRequestedReviewers)
+}
+
+func testPullRequestLoadAttributes(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
 	assert.NoError(t, pr.LoadAttributes(t.Context()))
 	assert.NotNil(t, pr.Merger)
 	assert.Equal(t, pr.MergerID, pr.Merger.ID)
 }

-func TestPullRequest_LoadIssue(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testPullRequestLoadIssue(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
 	assert.NoError(t, pr.LoadIssue(t.Context()))
 	assert.NotNil(t, pr.Issue)
@@ -36,8 +63,7 @@ func TestPullRequest_LoadIssue(t *testing.T) {
 	assert.Equal(t, int64(2), pr.Issue.ID)
 }

-func TestPullRequest_LoadBaseRepo(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testPullRequestLoadBaseRepo(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
 	assert.NoError(t, pr.LoadBaseRepo(t.Context()))
 	assert.NotNil(t, pr.BaseRepo)
@@ -47,8 +73,7 @@ func TestPullRequest_LoadBaseRepo(t *testing.T) {
 	assert.Equal(t, pr.BaseRepoID, pr.BaseRepo.ID)
 }

-func TestPullRequest_LoadHeadRepo(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testPullRequestLoadHeadRepo(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
 	assert.NoError(t, pr.LoadHeadRepo(t.Context()))
 	assert.NotNil(t, pr.HeadRepo)
@@ -59,8 +84,7 @@ func TestPullRequest_LoadHeadRepo(t *testing.T) {

 // TODO TestNewPullRequest

-func TestPullRequestsNewest(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testPullRequestsNewest(t *testing.T) {
 	prs, count, err := issues_model.PullRequests(t.Context(), 1, &issues_model.PullRequestsOptions{
 		ListOptions: db.ListOptions{
 			Page: 1,
@@ -77,7 +101,7 @@ func TestPullRequestsNewest(t *testing.T) {
 	}
 }

-func TestPullRequests_Closed_RecentSortType(t *testing.T) {
+func testPullRequestsClosedRecentSortType(t *testing.T) {
 	// Issue ID | Closed At.  | Updated At
 	//    2     | 1707270001  | 1707270001
 	//    3     | 1707271000  | 1707279999
@@ -90,7 +114,6 @@ func TestPullRequests_Closed_RecentSortType(t *testing.T) {
 		{"recentclose", []int64{11, 3, 2}},
 	}

-	assert.NoError(t, unittest.PrepareTestDatabase())
 	_, err := db.Exec(t.Context(), "UPDATE issue SET closed_unix = 1707270001, updated_unix = 1707270001, is_closed = true WHERE id = 2")
 	require.NoError(t, err)
 	_, err = db.Exec(t.Context(), "UPDATE issue SET closed_unix = 1707271000, updated_unix = 1707279999, is_closed = true WHERE id = 3")
@@ -118,9 +141,7 @@ func TestPullRequests_Closed_RecentSortType(t *testing.T) {
 	}
 }

-func TestLoadRequestedReviewers(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-
+func testLoadRequestedReviewers(t *testing.T) {
 	pull := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 2})
 	assert.NoError(t, pull.LoadIssue(t.Context()))
 	issue := pull.Issue
@@ -146,8 +167,7 @@ func TestLoadRequestedReviewers(t *testing.T) {
 	assert.Empty(t, pull.RequestedReviewers)
 }

-func TestPullRequestsOldest(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testPullRequestsOldest(t *testing.T) {
 	prs, count, err := issues_model.PullRequests(t.Context(), 1, &issues_model.PullRequestsOptions{
 		ListOptions: db.ListOptions{
 			Page: 1,
@@ -164,8 +184,7 @@ func TestPullRequestsOldest(t *testing.T) {
 	}
 }

-func TestGetUnmergedPullRequest(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testGetUnmergedPullRequest(t *testing.T) {
 	pr, err := issues_model.GetUnmergedPullRequest(t.Context(), 1, 1, "branch2", "master", issues_model.PullRequestFlowGithub)
 	assert.NoError(t, err)
 	assert.Equal(t, int64(2), pr.ID)
@@ -175,9 +194,7 @@ func TestGetUnmergedPullRequest(t *testing.T) {
 	assert.True(t, issues_model.IsErrPullRequestNotExist(err))
 }

-func TestHasUnmergedPullRequestsByHeadInfo(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-
+func testHasUnmergedPullRequestsByHeadInfo(t *testing.T) {
 	exist, err := issues_model.HasUnmergedPullRequestsByHeadInfo(t.Context(), 1, "branch2")
 	assert.NoError(t, err)
 	assert.True(t, exist)
@@ -187,8 +204,7 @@ func TestHasUnmergedPullRequestsByHeadInfo(t *testing.T) {
 	assert.False(t, exist)
 }

-func TestGetUnmergedPullRequestsByHeadInfo(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testGetUnmergedPullRequestsByHeadInfo(t *testing.T) {
 	prs, err := issues_model.GetUnmergedPullRequestsByHeadInfo(t.Context(), 1, "branch2")
 	assert.NoError(t, err)
 	assert.Len(t, prs, 1)
@@ -198,8 +214,7 @@ func TestGetUnmergedPullRequestsByHeadInfo(t *testing.T) {
 	}
 }

-func TestGetUnmergedPullRequestsByBaseInfo(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testGetUnmergedPullRequestsByBaseInfo(t *testing.T) {
 	prs, err := issues_model.GetUnmergedPullRequestsByBaseInfo(t.Context(), 1, "master")
 	assert.NoError(t, err)
 	assert.Len(t, prs, 1)
@@ -209,8 +224,7 @@ func TestGetUnmergedPullRequestsByBaseInfo(t *testing.T) {
 	assert.Equal(t, "master", pr.BaseBranch)
 }

-func TestGetPullRequestByIndex(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testGetPullRequestByIndex(t *testing.T) {
 	pr, err := issues_model.GetPullRequestByIndex(t.Context(), 1, 2)
 	assert.NoError(t, err)
 	assert.Equal(t, int64(1), pr.BaseRepoID)
@@ -225,8 +239,7 @@ func TestGetPullRequestByIndex(t *testing.T) {
 	assert.True(t, issues_model.IsErrPullRequestNotExist(err))
 }

-func TestGetPullRequestByID(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testGetPullRequestByID(t *testing.T) {
 	pr, err := issues_model.GetPullRequestByID(t.Context(), 1)
 	assert.NoError(t, err)
 	assert.Equal(t, int64(1), pr.ID)
@@ -237,8 +250,7 @@ func TestGetPullRequestByID(t *testing.T) {
 	assert.True(t, issues_model.IsErrPullRequestNotExist(err))
 }

-func TestGetPullRequestByIssueID(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testGetPullRequestByIssueID(t *testing.T) {
 	pr, err := issues_model.GetPullRequestByIssueID(t.Context(), 2)
 	assert.NoError(t, err)
 	assert.Equal(t, int64(2), pr.IssueID)
@@ -248,8 +260,7 @@ func TestGetPullRequestByIssueID(t *testing.T) {
 	assert.True(t, issues_model.IsErrPullRequestNotExist(err))
 }

-func TestPullRequest_UpdateCols(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testPullRequestUpdateCols(t *testing.T) {
 	pr := &issues_model.PullRequest{
 		ID:         1,
 		BaseBranch: "baseBranch",
@@ -265,9 +276,7 @@ func TestPullRequest_UpdateCols(t *testing.T) {

 // TODO TestAddTestPullRequestTask

-func TestPullRequest_IsWorkInProgress(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-
+func testPullRequestIsWorkInProgress(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 2})
 	pr.LoadIssue(t.Context())

@@ -280,9 +289,7 @@ func TestPullRequest_IsWorkInProgress(t *testing.T) {
 	assert.True(t, pr.IsWorkInProgress(t.Context()))
 }

-func TestPullRequest_GetWorkInProgressPrefixWorkInProgress(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-
+func testPullRequestGetWorkInProgressPrefixWorkInProgress(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 2})
 	pr.LoadIssue(t.Context())

@@ -296,9 +303,7 @@ func TestPullRequest_GetWorkInProgressPrefixWorkInProgress(t *testing.T) {
 	assert.Equal(t, "[wip]", pr.GetWorkInProgressPrefix(t.Context()))
 }

-func TestDeleteOrphanedObjects(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-
+func testDeleteOrphanedObjects(t *testing.T) {
 	countBefore, err := db.GetEngine(t.Context()).Count(&issues_model.PullRequest{})
 	assert.NoError(t, err)

@@ -317,7 +322,7 @@ func TestDeleteOrphanedObjects(t *testing.T) {
 	assert.Equal(t, countBefore, countAfter)
 }

-func TestParseCodeOwnersLine(t *testing.T) {
+func testParseCodeOwnersLine(t *testing.T) {
 	type CodeOwnerTest struct {
 		Line   string
 		Tokens []string
@@ -331,6 +336,8 @@ func TestParseCodeOwnersLine(t *testing.T) {
 		{Line: `docs/(aws|google|azure)/[^/]*\\.(md|txt) @org3 @org2/team2`, Tokens: []string{`docs/(aws|google|azure)/[^/]*\.(md|txt)`, "@org3", "@org2/team2"}},
 		{Line: `\#path @org3`, Tokens: []string{`#path`, "@org3"}},
 		{Line: `path\ with\ spaces/ @org3`, Tokens: []string{`path with spaces/`, "@org3"}},
+		{Line: `/docs/.*\\.md @user1`, Tokens: []string{`/docs/.*\.md`, "@user1"}},
+		{Line: `!/assets/.*\\.(bin|exe|msi) @user1`, Tokens: []string{`!/assets/.*\.(bin|exe|msi)`, "@user1"}},
 	}

 	for _, g := range given {
@@ -339,8 +346,37 @@ func TestParseCodeOwnersLine(t *testing.T) {
 	}
 }

-func TestGetApprovers(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testCodeOwnerAbsolutePathPatterns(t *testing.T) {
+	type testCase struct {
+		content  string
+		file     string
+		expected bool
+	}
+
+	cases := []testCase{
+		// Absolute path pattern should match (leading "/" stripped)
+		{content: "/README.md @user5\n", file: "README.md", expected: true},
+		// Absolute path pattern in subdirectory
+		{content: "/docs/.* @user5\n", file: "docs/foo.md", expected: true},
+		// Absolute path should not match nested paths it shouldn't
+		{content: "/docs/.* @user5\n", file: "other/docs/foo.md", expected: false},
+		// Relative path still works
+		{content: "README.md @user5\n", file: "README.md", expected: true},
+		// Negated absolute path pattern
+		{content: "!/.* @user5\n", file: "README.md", expected: false},
+	}
+
+	for _, c := range cases {
+		rules, _ := issues_model.GetCodeOwnersFromContent(t.Context(), c.content)
+		require.NotEmpty(t, rules)
+		rule := rules[0]
+		regexpMatched, _ := rule.Rule.MatchString(c.file)
+		ruleMatched := regexpMatched == !rule.Negative
+		assert.Equal(t, c.expected, ruleMatched, "pattern %q against file %q", c.content, c.file)
+	}
+}
+
+func testGetApprovers(t *testing.T) {
 	pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 5})
 	// Official reviews are already deduplicated. Allow unofficial reviews
 	// to assert that there are no duplicated approvers.
@@ -350,8 +386,7 @@ func TestGetApprovers(t *testing.T) {
 	assert.Equal(t, expected, approvers)
 }

-func TestGetPullRequestByMergedCommit(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testGetPullRequestByMergedCommit(t *testing.T) {
 	pr, err := issues_model.GetPullRequestByMergedCommit(t.Context(), 1, "1a8823cd1a9549fde083f992f6b9b87a7ab74fb3")
 	assert.NoError(t, err)
 	assert.EqualValues(t, 1, pr.ID)
@@ -362,8 +397,7 @@ func TestGetPullRequestByMergedCommit(t *testing.T) {
 	assert.ErrorAs(t, err, &issues_model.ErrPullRequestNotExist{})
 }

-func TestMigrate_InsertPullRequests(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testMigrateInsertPullRequests(t *testing.T) {
 	reponame := "repo1"
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: reponame})
 	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
--- a/models/organization/org_user.go
+++ b/models/organization/org_user.go
@@ -8,10 +8,7 @@ import (
 	"fmt"

 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/perm"
-	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/log"

 	"xorm.io/builder"
@@ -129,49 +126,6 @@ func IsUserOrgOwner(ctx context.Context, users user_model.UserList, orgID int64)
 	return results
 }

-// GetOrgAssignees returns all users that have write access and can be assigned to issues
-// of the any repository in the organization.
-func GetOrgAssignees(ctx context.Context, orgID int64) (_ []*user_model.User, err error) {
-	e := db.GetEngine(ctx)
-	userIDs := make([]int64, 0, 10)
-	if err = e.Table("access").
-		Join("INNER", "repository", "`repository`.id = `access`.repo_id").
-		Where("`repository`.owner_id = ? AND `access`.mode >= ?", orgID, perm.AccessModeWrite).
-		Select("user_id").
-		Find(&userIDs); err != nil {
-		return nil, err
-	}
-
-	additionalUserIDs := make([]int64, 0, 10)
-	if err = e.Table("team_user").
-		Join("INNER", "team_repo", "`team_repo`.team_id = `team_user`.team_id").
-		Join("INNER", "team_unit", "`team_unit`.team_id = `team_user`.team_id").
-		Join("INNER", "repository", "`repository`.id = `team_repo`.repo_id").
-		Where("`repository`.owner_id = ? AND (`team_unit`.access_mode >= ? OR (`team_unit`.access_mode = ? AND `team_unit`.`type` = ?))",
-			orgID, perm.AccessModeWrite, perm.AccessModeRead, unit.TypePullRequests).
-		Distinct("`team_user`.uid").
-		Select("`team_user`.uid").
-		Find(&additionalUserIDs); err != nil {
-		return nil, err
-	}
-
-	uniqueUserIDs := make(container.Set[int64])
-	uniqueUserIDs.AddMultiple(userIDs...)
-	uniqueUserIDs.AddMultiple(additionalUserIDs...)
-
-	users := make([]*user_model.User, 0, len(uniqueUserIDs))
-	if len(userIDs) > 0 {
-		if err = e.In("id", uniqueUserIDs.Values()).
-			Where(builder.Eq{"`user`.is_active": true}).
-			OrderBy(user_model.GetOrderByName()).
-			Find(&users); err != nil {
-			return nil, err
-		}
-	}
-
-	return users, nil
-}
-
 func loadOrganizationOwners(ctx context.Context, users user_model.UserList, orgID int64) (map[int64]*TeamUser, error) {
 	if len(users) == 0 {
 		return nil, nil //nolint:nilnil // return nil when there are no users
--- a/models/packages/package_property.go
+++ b/models/packages/package_property.go
@@ -52,13 +52,13 @@ func InsertProperty(ctx context.Context, refType PropertyType, refID int64, name
 // GetProperties gets all properties
 func GetProperties(ctx context.Context, refType PropertyType, refID int64) ([]*PackageProperty, error) {
 	pps := make([]*PackageProperty, 0, 10)
-	return pps, db.GetEngine(ctx).Where("ref_type = ? AND ref_id = ?", refType, refID).Find(&pps)
+	return pps, db.GetEngine(ctx).Where("ref_type = ? AND ref_id = ?", refType, refID).OrderBy("id").Find(&pps)
 }

 // GetPropertiesByName gets all properties with a specific name
 func GetPropertiesByName(ctx context.Context, refType PropertyType, refID int64, name string) ([]*PackageProperty, error) {
 	pps := make([]*PackageProperty, 0, 10)
-	return pps, db.GetEngine(ctx).Where("ref_type = ? AND ref_id = ? AND name = ?", refType, refID, name).Find(&pps)
+	return pps, db.GetEngine(ctx).Where("ref_type = ? AND ref_id = ? AND name = ?", refType, refID, name).OrderBy("id").Find(&pps)
 }

 // UpdateProperty updates a property
--- a/models/renderhelper/repo_file.go
+++ b/models/renderhelper/repo_file.go
@@ -50,8 +50,8 @@ type RepoFileOptions struct {
 	DeprecatedRepoName  string // it is only a patch for the non-standard "markup" api
 	DeprecatedOwnerName string // it is only a patch for the non-standard "markup" api

-	CurrentRefPath  string // eg: "branch/main"
-	CurrentTreePath string // eg: "path/to/file" in the repo
+	CurrentRefPath  string // eg: "branch/main", it is a sub URL path escaped by callers, TODO: rename to CurrentRefSubURL
+	CurrentTreePath string // eg: "path/to/file" in the repo, it is the tree path without URL path escaping
 }

 func NewRenderContextRepoFile(ctx context.Context, repo *repo_model.Repository, opts ...RepoFileOptions) *markup.RenderContext {
@@ -70,6 +70,10 @@ func NewRenderContextRepoFile(ctx context.Context, repo *repo_model.Repository,
 			"repo": helper.opts.DeprecatedRepoName,
 		})
 	}
+	// External render's iframe needs this to generate correct links
+	// TODO: maybe need to make it access "CurrentRefPath" directly (but impossible at the moment due to cycle-import)
+	// CurrentRefPath is already path-escaped by callers
+	rctx.RenderOptions.Metas["RefTypeNameSubURL"] = helper.opts.CurrentRefPath
 	rctx = rctx.WithHelper(helper).WithEnableHeadingIDGeneration(true)
 	return rctx
 }
--- a/models/repo/user_repo.go
+++ b/models/repo/user_repo.go
@@ -8,6 +8,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/organization"
 	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
@@ -94,8 +95,7 @@ func GetWatchedRepos(ctx context.Context, opts *WatchedReposOptions) ([]*Reposit
 	return db.FindAndCount[Repository](ctx, opts)
 }

-// GetRepoAssignees returns all users that have write access and can be assigned to issues
-// of the repository,
+// GetRepoAssignees returns all users that have write access and can be assigned to issues or pull-requests of the repository,
 func GetRepoAssignees(ctx context.Context, repo *Repository) (_ []*user_model.User, err error) {
 	if err = repo.LoadOwner(ctx); err != nil {
 		return nil, err
@@ -114,15 +114,9 @@ func GetRepoAssignees(ctx context.Context, repo *Repository) (_ []*user_model.Us
 	uniqueUserIDs.AddMultiple(userIDs...)

 	if repo.Owner.IsOrganization() {
-		additionalUserIDs := make([]int64, 0, 10)
-		if err = e.Table("team_user").
-			Join("INNER", "team_repo", "`team_repo`.team_id = `team_user`.team_id").
-			Join("INNER", "team_unit", "`team_unit`.team_id = `team_user`.team_id").
-			Where("`team_repo`.repo_id = ? AND (`team_unit`.access_mode >= ? OR (`team_unit`.access_mode = ? AND `team_unit`.`type` = ?))",
-				repo.ID, perm.AccessModeWrite, perm.AccessModeRead, unit.TypePullRequests).
-			Distinct("`team_user`.uid").
-			Select("`team_user`.uid").
-			Find(&additionalUserIDs); err != nil {
+		// issues and pull requests both need "assignee list"
+		additionalUserIDs, err := organization.GetTeamUserIDsWithAccessToAnyRepoUnit(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead, unit.TypeIssues, unit.TypePullRequests)
+		if err != nil {
 			return nil, err
 		}
 		uniqueUserIDs.AddMultiple(additionalUserIDs...)
--- a/models/repo/user_repo_test.go
+++ b/models/repo/user_repo_test.go
@@ -6,7 +6,12 @@ package repo_test
 import (
 	"testing"

+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/organization"
+	perm_model "code.gitea.io/gitea/models/perm"
+	access_model "code.gitea.io/gitea/models/perm/access"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"

@@ -14,9 +19,14 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func TestRepoAssignees(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func TestUserRepo(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	t.Run("GetIssuePostersWithSearch", testUserRepoGetIssuePostersWithSearch)
+	t.Run("Assignees", testUserRepoAssignees)
+	t.Run("AssigneesNoTeamUnit", testRepoAssigneesNoTeamUnit)
+}

+func testUserRepoAssignees(t *testing.T) {
 	repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
 	users, err := repo_model.GetRepoAssignees(t.Context(), repo2)
 	assert.NoError(t, err)
@@ -39,9 +49,29 @@ func TestRepoAssignees(t *testing.T) {
 	}
 }

-func TestGetIssuePostersWithSearch(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
+func testRepoAssigneesNoTeamUnit(t *testing.T) {
+	ctx := t.Context()

+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 32})
+	require.NoError(t, repo.LoadOwner(ctx))
+	require.True(t, repo.Owner.IsOrganization())
+
+	require.NoError(t, db.TruncateBeans(ctx, &organization.Team{}, &organization.TeamUser{}, &organization.TeamRepo{}, &organization.TeamUnit{}, &access_model.Access{}))
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+	team := &organization.Team{OrgID: repo.OwnerID, LowerName: "admin-team", AccessMode: perm_model.AccessModeAdmin}
+	require.NoError(t, db.Insert(ctx, team))
+	require.NoError(t, db.Insert(ctx, &organization.TeamUser{OrgID: repo.OwnerID, TeamID: team.ID, UID: user.ID}))
+	require.NoError(t, db.Insert(ctx, &organization.TeamRepo{OrgID: repo.OwnerID, TeamID: team.ID, RepoID: repo.ID}))
+	require.NoError(t, db.Insert(ctx, &organization.TeamUnit{OrgID: repo.OwnerID, TeamID: team.ID, Type: unit.TypePullRequests, AccessMode: perm_model.AccessModeNone}))
+
+	users, err := repo_model.GetRepoAssignees(ctx, repo)
+	require.NoError(t, err)
+	require.Len(t, users, 1)
+	assert.ElementsMatch(t, []int64{4}, []int64{users[0].ID})
+}
+
+func testUserRepoGetIssuePostersWithSearch(t *testing.T) {
 	repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})

 	users, err := repo_model.GetIssuePostersWithSearch(t.Context(), repo2, false, "USER")
--- a/models/user/badge.go
+++ b/models/user/badge.go
@@ -64,7 +64,7 @@ type GetBadgeUsersOptions struct {
 func GetBadgeUsers(ctx context.Context, opts *GetBadgeUsersOptions) ([]*User, int64, error) {
 	sess := db.GetEngine(ctx).
 		Select("`user`.*").
-		Join("INNER", "user_badge", "`user_badge`.user_id=user.id").
+		Join("INNER", "user_badge", "`user_badge`.user_id=`user`.id").
 		Join("INNER", "badge", "`user_badge`.badge_id=badge.id").
 		Where("badge.slug=?", opts.BadgeSlug)

--- a/modules/actions/workflows.go
+++ b/modules/actions/workflows.go
@@ -103,10 +103,20 @@ func GetEventsFromContent(content []byte) ([]*jobparser.Event, error) {
 	if err != nil {
 		return nil, err
 	}
+	if err := ValidateWorkflowContent(content); err != nil {
+		return nil, err
+	}

 	return events, nil
 }

+// ValidateWorkflowContent catches structural errors (e.g. blank lines in run: | blocks)
+// that model.ReadWorkflow alone does not detect.
+func ValidateWorkflowContent(content []byte) error {
+	_, err := jobparser.Parse(content)
+	return err
+}
+
 func DetectWorkflows(
 	gitRepo *git.Repository,
 	commit *git.Commit,
--- a/modules/actions/workflows_test.go
+++ b/modules/actions/workflows_test.go
@@ -9,16 +9,26 @@ import (
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/test"
 	webhook_module "code.gitea.io/gitea/modules/webhook"

 	"github.com/stretchr/testify/assert"
 )

+func fullWorkflowContent(part string) []byte {
+	return []byte(`
+name: test
+` + part + `
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo hello
+`)
+}
+
 func TestIsWorkflow(t *testing.T) {
-	oldDirs := setting.Actions.WorkflowDirs
-	defer func() {
-		setting.Actions.WorkflowDirs = oldDirs
-	}()
+	defer test.MockVariableValue(&setting.Actions.WorkflowDirs)()

 	tests := []struct {
 		name     string
@@ -218,7 +228,7 @@ func TestDetectMatched(t *testing.T) {

 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
-			evts, err := GetEventsFromContent([]byte(tc.yamlOn))
+			evts, err := GetEventsFromContent(fullWorkflowContent(tc.yamlOn))
 			assert.NoError(t, err)
 			assert.Len(t, evts, 1)
 			assert.Equal(t, tc.expected, detectMatched(nil, tc.commit, tc.triggedEvent, tc.payload, evts[0]))
@@ -373,7 +383,7 @@ func TestMatchIssuesEvent(t *testing.T) {

 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
-			evts, err := GetEventsFromContent([]byte(tc.yamlOn))
+			evts, err := GetEventsFromContent(fullWorkflowContent(tc.yamlOn))
 			assert.NoError(t, err)
 			assert.Len(t, evts, 1)

--- a/modules/dump/dumper.go
+++ b/modules/dump/dumper.go
@@ -4,6 +4,7 @@
 package dump

 import (
+	"archive/zip"
 	"context"
 	"errors"
 	"fmt"
@@ -85,7 +86,7 @@ func NewDumper(ctx context.Context, format string, output io.Writer) (*Dumper, e
 	var comp archives.ArchiverAsync
 	switch format {
 	case "zip":
-		comp = archives.Zip{}
+		comp = archives.Zip{Compression: zip.Deflate}
 	case "tar":
 		comp = archives.Tar{}
 	case "tar.sz":
--- a/modules/git/catfile_batch_reader.go
+++ b/modules/git/catfile_batch_reader.go
@@ -13,63 +13,45 @@ import (
 	"strconv"
 	"strings"
 	"sync/atomic"
-	"time"

 	"code.gitea.io/gitea/modules/git/gitcmd"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
 )

-var catFileBatchDebugWaitClose atomic.Int64
-
 type catFileBatchCommunicator struct {
-	closeFunc   func(err error)
+	closeFunc   atomic.Pointer[func(err error)]
 	reqWriter   io.Writer
 	respReader  *bufio.Reader
 	debugGitCmd *gitcmd.Command
 }

-func (b *catFileBatchCommunicator) Close() {
-	if b.closeFunc != nil {
-		b.closeFunc(nil)
-		b.closeFunc = nil
+func (b *catFileBatchCommunicator) Close(err ...error) {
+	if fn := b.closeFunc.Swap(nil); fn != nil {
+		(*fn)(util.OptionalArg(err))
 	}
 }

-// newCatFileBatch opens git cat-file --batch in the provided repo and returns a stdin pipe, a stdout reader and cancel function
-func newCatFileBatch(ctx context.Context, repoPath string, cmdCatFile *gitcmd.Command) (ret *catFileBatchCommunicator) {
+// newCatFileBatch opens git cat-file --batch/--batch-check/--batch-command command and prepares the stdin/stdout pipes for communication.
+func newCatFileBatch(ctx context.Context, repoPath string, cmdCatFile *gitcmd.Command) *catFileBatchCommunicator {
 	ctx, ctxCancel := context.WithCancelCause(ctx)
-
-	// We often want to feed the commits in order into cat-file --batch, followed by their trees and subtrees as necessary.
 	stdinWriter, stdoutReader, stdPipeClose := cmdCatFile.MakeStdinStdoutPipe()
-	pipeClose := func() {
-		if delay := catFileBatchDebugWaitClose.Load(); delay > 0 {
-			time.Sleep(time.Duration(delay)) // for testing purpose only
-		}
-		stdPipeClose()
-	}
-	closeFunc := func(err error) {
-		ctxCancel(err)
-		pipeClose()
-	}
-	return newCatFileBatchWithCloseFunc(ctx, repoPath, cmdCatFile, stdinWriter, stdoutReader, closeFunc)
-}
-
-func newCatFileBatchWithCloseFunc(ctx context.Context, repoPath string, cmdCatFile *gitcmd.Command,
-	stdinWriter gitcmd.PipeWriter, stdoutReader gitcmd.PipeReader, closeFunc func(err error),
-) *catFileBatchCommunicator {
 	ret := &catFileBatchCommunicator{
 		debugGitCmd: cmdCatFile,
-		closeFunc:   closeFunc,
 		reqWriter:   stdinWriter,
 		respReader:  bufio.NewReaderSize(stdoutReader, 32*1024), // use a buffered reader for rich operations
 	}
+	ret.closeFunc.Store(new(func(err error) {
+		ctxCancel(err)
+		stdPipeClose()
+	}))

 	err := cmdCatFile.WithDir(repoPath).StartWithStderr(ctx)
 	if err != nil {
 		log.Error("Unable to start git command %v: %v", cmdCatFile.LogString(), err)
 		// ideally here it should return the error, but it would require refactoring all callers
 		// so just return a dummy communicator that does nothing, almost the same behavior as before, not bad
-		closeFunc(err)
+		ret.Close(err)
 		return ret
 	}

@@ -78,12 +60,33 @@ func newCatFileBatchWithCloseFunc(ctx context.Context, repoPath string, cmdCatFi
 		if err != nil && !errors.Is(err, context.Canceled) {
 			log.Error("cat-file --batch command failed in repo %s, error: %v", repoPath, err)
 		}
-		closeFunc(err)
+		ret.Close(err)
 	}()

 	return ret
 }

+func (b *catFileBatchCommunicator) debugKill() (ret struct {
+	beforeClose chan struct{}
+	blockClose  chan struct{}
+	afterClose  chan struct{}
+},
+) {
+	ret.beforeClose = make(chan struct{})
+	ret.blockClose = make(chan struct{})
+	ret.afterClose = make(chan struct{})
+	oldCloseFunc := b.closeFunc.Load()
+	b.closeFunc.Store(new(func(err error) {
+		b.closeFunc.Store(nil)
+		close(ret.beforeClose)
+		<-ret.blockClose
+		(*oldCloseFunc)(err)
+		close(ret.afterClose)
+	}))
+	b.debugGitCmd.DebugKill()
+	return ret
+}
+
 // catFileBatchParseInfoLine reads the header line from cat-file --batch
 // We expect: <oid> SP <type> SP <size> LF
 // then leaving the rest of the stream "<contents> LF" to be read
--- a/modules/git/catfile_batch_test.go
+++ b/modules/git/catfile_batch_test.go
@@ -7,9 +7,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"sync"
 	"testing"
-	"time"

 	"code.gitea.io/gitea/modules/test"

@@ -39,13 +37,22 @@ func testCatFileBatch(t *testing.T) {
 		require.Error(t, err)
 	})

-	simulateQueryTerminated := func(pipeCloseDelay, pipeReadDelay time.Duration) (errRead error) {
-		catFileBatchDebugWaitClose.Store(int64(pipeCloseDelay))
-		defer catFileBatchDebugWaitClose.Store(0)
+	simulateQueryTerminated := func(t *testing.T, errBeforePipeClose, errAfterPipeClose error) {
+		readError := func(t *testing.T, r io.Reader, expectedErr error) {
+			if expectedErr == nil {
+				return // expectedErr == nil means this read should be skipped
+			}
+			n, err := r.Read(make([]byte, 100))
+			assert.Zero(t, n)
+			assert.ErrorIs(t, err, expectedErr)
+		}
+
 		batch, err := NewBatch(t.Context(), filepath.Join(testReposDir, "repo1_bare"))
 		require.NoError(t, err)
 		defer batch.Close()
-		_, _ = batch.QueryInfo("e2129701f1a4d54dc44f03c93bca0a2aec7c5449")
+		_, err = batch.QueryInfo("e2129701f1a4d54dc44f03c93bca0a2aec7c5449")
+		require.NoError(t, err)
+
 		var c *catFileBatchCommunicator
 		switch b := batch.(type) {
 		case *catFileBatchLegacy:
@@ -58,24 +65,18 @@ func testCatFileBatch(t *testing.T) {
 			t.FailNow()
 		}

-		wg := sync.WaitGroup{}
-		wg.Go(func() {
-			time.Sleep(pipeReadDelay)
-			var n int
-			n, errRead = c.respReader.Read(make([]byte, 100))
-			assert.Zero(t, n)
-		})
-		time.Sleep(10 * time.Millisecond)
-		c.debugGitCmd.DebugKill()
-		wg.Wait()
-		return errRead
-	}
+		require.NotEqual(t, errBeforePipeClose == nil, errAfterPipeClose == nil, "must set exactly one of the expected errors")

+		inceptor := c.debugKill()
+		<-inceptor.beforeClose                         // wait for the command's Close to be called, the pipe is not closed yet
+		readError(t, c.respReader, errBeforePipeClose) // then caller will read on an open pipe which will be closed soon
+		close(inceptor.blockClose)                     // continue to close the pipe
+		<-inceptor.afterClose                          // wait for the pipe to be closed
+		readError(t, c.respReader, errAfterPipeClose)  // then caller will read on a closed pipe
+	}
 	t.Run("QueryTerminated", func(t *testing.T) {
-		err := simulateQueryTerminated(0, 20*time.Millisecond)
-		assert.ErrorIs(t, err, os.ErrClosed) // pipes are closed faster
-		err = simulateQueryTerminated(40*time.Millisecond, 20*time.Millisecond)
-		assert.ErrorIs(t, err, io.EOF) // reader is faster
+		simulateQueryTerminated(t, io.EOF, nil)       // reader is faster
+		simulateQueryTerminated(t, nil, os.ErrClosed) // pipes are closed faster
 	})

 	batch, err := NewBatch(t.Context(), filepath.Join(testReposDir, "repo1_bare"))
--- a/modules/json/jsongoccy.go
+++ b/modules/json/jsongoccy.go
@@ -1,35 +0,0 @@
-// Copyright 2025 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package json
-
-import (
-	"bytes"
-	"io"
-
-	"github.com/goccy/go-json"
-)
-
-var _ Interface = jsonGoccy{}
-
-type jsonGoccy struct{}
-
-func (jsonGoccy) Marshal(v any) ([]byte, error) {
-	return json.Marshal(v)
-}
-
-func (jsonGoccy) Unmarshal(data []byte, v any) error {
-	return json.Unmarshal(data, v)
-}
-
-func (jsonGoccy) NewEncoder(writer io.Writer) Encoder {
-	return json.NewEncoder(writer)
-}
-
-func (jsonGoccy) NewDecoder(reader io.Reader) Decoder {
-	return json.NewDecoder(reader)
-}
-
-func (jsonGoccy) Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
-	return json.Indent(dst, src, prefix, indent)
-}
--- a/modules/json/jsonlegacy.go
+++ b/modules/json/jsonlegacy.go
@@ -6,12 +6,12 @@
 package json

 import (
-	"encoding/json"
+	"encoding/json" //nolint:depguard // this package wraps it
 	"io"
 )

 func getDefaultJSONHandler() Interface {
-	return jsonGoccy{}
+	return jsonV1{}
 }

 func MarshalKeepOptionalEmpty(v any) ([]byte, error) {
--- a/modules/markup/external/external.go
+++ b/modules/markup/external/external.go
@@ -21,7 +21,33 @@ import (

 // RegisterRenderers registers all supported third part renderers according settings
 func RegisterRenderers() {
-	markup.RegisterRenderer(&openAPIRenderer{})
+	markup.RegisterRenderer(&frontendRenderer{
+		name: "openapi-swagger",
+		patterns: []string{
+			"openapi.yaml",
+			"openapi.yml",
+			"openapi.json",
+			"swagger.yaml",
+			"swagger.yml",
+			"swagger.json",
+		},
+	})
+
+	markup.RegisterRenderer(&frontendRenderer{
+		name: "viewer-3d",
+		patterns: []string{
+			// It needs more logic to make it overall right (render a text 3D model automatically):
+			// we need to distinguish the ambiguous filename extensions.
+			// For example: "*.amf, *.obj, *.off, *.step" might be or not be a 3D model file.
+			// So when it is a text file, we can't assume that "we only render it by 3D plugin",
+			// otherwise the end users would be impossible to view its real content when the file is not a 3D model.
+			"*.3dm", "*.3ds", "*.3mf", "*.amf", "*.bim", "*.brep",
+			"*.dae", "*.fbx", "*.fcstd", "*.glb", "*.gltf",
+			"*.ifc", "*.igs", "*.iges", "*.stp", "*.step",
+			"*.stl", "*.obj", "*.off", "*.ply", "*.wrl",
+		},
+	})
+
 	for _, renderer := range setting.ExternalMarkupRenderers {
 		markup.RegisterRenderer(&Renderer{renderer})
 	}
--- a/modules/markup/external/frontend.go
+++ b/modules/markup/external/frontend.go
@@ -0,0 +1,95 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package external
+
+import (
+	"encoding/base64"
+	"io"
+	"unicode/utf8"
+
+	"code.gitea.io/gitea/modules/htmlutil"
+	"code.gitea.io/gitea/modules/markup"
+	"code.gitea.io/gitea/modules/public"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+)
+
+type frontendRenderer struct {
+	name     string
+	patterns []string
+}
+
+var (
+	_ markup.PostProcessRenderer = (*frontendRenderer)(nil)
+	_ markup.ExternalRenderer    = (*frontendRenderer)(nil)
+)
+
+func (p *frontendRenderer) Name() string {
+	return p.name
+}
+
+func (p *frontendRenderer) NeedPostProcess() bool {
+	return false
+}
+
+func (p *frontendRenderer) FileNamePatterns() []string {
+	// TODO: the file extensions are ambiguous, even if the file name matches, it doesn't mean that the file is a 3D model
+	// There are some approaches to make it more accurate, but they are all complicated:
+	// A. Make backend know everything (detect a file is a 3D model or not)
+	// B. Let frontend renders to try render one by one
+	//
+	// If there would be more frontend renders in the future, we need to implement the "frontend" approach:
+	// 1. Make backend or parent window collect the supported extensions of frontend renders (done: backend external render framework)
+	// 2. If the current file matches any extension, start the general iframe embedded render (done: this renderer)
+	// 3. The iframe window calls the frontend renders one by one (done: frontend external render)
+	// 4. Report the render result to parent by postMessage (TODO: when needed)
+	return p.patterns
+}
+
+func (p *frontendRenderer) SanitizerRules() []setting.MarkupSanitizerRule {
+	return nil
+}
+
+func (p *frontendRenderer) GetExternalRendererOptions() (ret markup.ExternalRendererOptions) {
+	ret.SanitizerDisabled = true
+	ret.DisplayInIframe = true
+	ret.ContentSandbox = "allow-scripts allow-forms allow-modals allow-popups allow-downloads"
+	return ret
+}
+
+func (p *frontendRenderer) Render(ctx *markup.RenderContext, input io.Reader, output io.Writer) error {
+	if ctx.RenderOptions.StandalonePageOptions == nil {
+		opts := p.GetExternalRendererOptions()
+		return markup.RenderIFrame(ctx, &opts, output)
+	}
+
+	content, err := util.ReadWithLimit(input, int(setting.UI.MaxDisplayFileSize))
+	if err != nil {
+		return err
+	}
+
+	contentEncoding, contentString := "text", util.UnsafeBytesToString(content)
+	if !utf8.Valid(content) {
+		contentEncoding = "base64"
+		contentString = base64.StdEncoding.EncodeToString(content)
+	}
+
+	_, err = htmlutil.HTMLPrintf(output,
+		`<!DOCTYPE html>
+<html>
+<head>
+	<!-- external-render-helper will be injected here by the markup render -->
+	<meta name="viewport" content="width=device-width, initial-scale=1">
+</head>
+<body>
+	<div id="frontend-render-viewer" data-frontend-renders="%s" data-file-tree-path="%s"></div>
+	<textarea id="frontend-render-data" data-content-encoding="%s" hidden>%s</textarea>
+	<script nonce type="module" src="%s"></script>
+</body>
+</html>`,
+		p.name, ctx.RenderOptions.RelativePath,
+		contentEncoding, contentString,
+		public.AssetURI("js/external-render-frontend.js"))
+	return err
+}
--- a/modules/markup/external/openapi.go
+++ b/modules/markup/external/openapi.go
@@ -1,84 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package external
-
-import (
-	"fmt"
-	"html"
-	"io"
-
-	"code.gitea.io/gitea/modules/markup"
-	"code.gitea.io/gitea/modules/public"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
-)
-
-type openAPIRenderer struct{}
-
-var (
-	_ markup.PostProcessRenderer = (*openAPIRenderer)(nil)
-	_ markup.ExternalRenderer    = (*openAPIRenderer)(nil)
-)
-
-func (p *openAPIRenderer) Name() string {
-	return "openapi"
-}
-
-func (p *openAPIRenderer) NeedPostProcess() bool {
-	return false
-}
-
-func (p *openAPIRenderer) FileNamePatterns() []string {
-	return []string{
-		"openapi.yaml",
-		"openapi.yml",
-		"openapi.json",
-		"swagger.yaml",
-		"swagger.yml",
-		"swagger.json",
-	}
-}
-
-func (p *openAPIRenderer) SanitizerRules() []setting.MarkupSanitizerRule {
-	return nil
-}
-
-func (p *openAPIRenderer) GetExternalRendererOptions() (ret markup.ExternalRendererOptions) {
-	ret.SanitizerDisabled = true
-	ret.DisplayInIframe = true
-	ret.ContentSandbox = "allow-scripts allow-forms allow-modals allow-popups allow-downloads"
-	return ret
-}
-
-func (p *openAPIRenderer) Render(ctx *markup.RenderContext, input io.Reader, output io.Writer) error {
-	if ctx.RenderOptions.StandalonePageOptions == nil {
-		opts := p.GetExternalRendererOptions()
-		return markup.RenderIFrame(ctx, &opts, output)
-	}
-
-	content, err := util.ReadWithLimit(input, int(setting.UI.MaxDisplayFileSize))
-	if err != nil {
-		return err
-	}
-
-	// HINT: SWAGGER-OPENAPI-VIEWER: another place "templates/swagger/openapi-viewer.tmpl"
-	_, err = io.WriteString(output, fmt.Sprintf(
-		`<!DOCTYPE html>
-<html>
-<head>
-	<meta name="viewport" content="width=device-width, initial-scale=1">
-	<link rel="stylesheet" href="%s">
-</head>
-<body>
-	<div id="swagger-ui"><textarea class="swagger-spec-content" data-spec-filename="%s">%s</textarea></div>
-	<script type="module" src="%s"></script>
-</body>
-</html>`,
-		public.AssetURI("css/swagger.css"),
-		html.EscapeString(ctx.RenderOptions.RelativePath),
-		html.EscapeString(util.UnsafeBytesToString(content)),
-		public.AssetURI("js/swagger.js"),
-	))
-	return err
-}
--- a/modules/markup/render.go
+++ b/modules/markup/render.go
@@ -6,6 +6,7 @@ package markup
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"html/template"
 	"io"
@@ -43,7 +44,8 @@ type WebThemeInterface interface {
 }

 type StandalonePageOptions struct {
-	CurrentWebTheme WebThemeInterface
+	CurrentWebTheme   WebThemeInterface
+	RenderQueryString string
 }

 type RenderOptions struct {
@@ -206,17 +208,23 @@ func RenderString(ctx *RenderContext, content string) (string, error) {
 }

 func RenderIFrame(ctx *RenderContext, opts *ExternalRendererOptions, output io.Writer) error {
+	ownerName, repoName := ctx.RenderOptions.Metas["user"], ctx.RenderOptions.Metas["repo"]
+	refSubURL := ctx.RenderOptions.Metas["RefTypeNameSubURL"]
+	if ownerName == "" || repoName == "" || refSubURL == "" {
+		setting.PanicInDevOrTesting("RenderIFrame requires user, repo and RefTypeNameSubURL metas")
+		return errors.New("RenderIFrame requires user, repo and RefTypeNameSubURL metas")
+	}
 	src := fmt.Sprintf("%s/%s/%s/render/%s/%s", setting.AppSubURL,
-		url.PathEscape(ctx.RenderOptions.Metas["user"]),
-		url.PathEscape(ctx.RenderOptions.Metas["repo"]),
-		util.PathEscapeSegments(ctx.RenderOptions.Metas["RefTypeNameSubURL"]),
+		url.PathEscape(ownerName),
+		url.PathEscape(repoName),
+		ctx.RenderOptions.Metas["RefTypeNameSubURL"],
 		util.PathEscapeSegments(ctx.RenderOptions.RelativePath),
 	)
 	var extraAttrs template.HTML
 	if opts.ContentSandbox != "" {
 		extraAttrs = htmlutil.HTMLFormat(` sandbox="%s"`, opts.ContentSandbox)
 	}
-	_, err := htmlutil.HTMLPrintf(output, `<iframe data-src="%s" class="external-render-iframe"%s></iframe>`, src, extraAttrs)
+	_, err := htmlutil.HTMLPrintf(output, `<iframe data-src="%s" data-global-init="initExternalRenderIframe" class="external-render-iframe"%s></iframe>`, src, extraAttrs)
 	return err
 }

@@ -228,7 +236,7 @@ func pipes() (io.ReadCloser, io.WriteCloser, func()) {
 	}
 }

-func getExternalRendererOptions(renderer Renderer) (ret ExternalRendererOptions, _ bool) {
+func GetExternalRendererOptions(renderer Renderer) (ret ExternalRendererOptions, _ bool) {
 	if externalRender, ok := renderer.(ExternalRenderer); ok {
 		return externalRender.GetExternalRendererOptions(), true
 	}
@@ -237,7 +245,7 @@ func getExternalRendererOptions(renderer Renderer) (ret ExternalRendererOptions,

 func RenderWithRenderer(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Writer) error {
 	var extraHeadHTML template.HTML
-	if extOpts, ok := getExternalRendererOptions(renderer); ok && extOpts.DisplayInIframe {
+	if extOpts, ok := GetExternalRendererOptions(renderer); ok && extOpts.DisplayInIframe {
 		if ctx.RenderOptions.StandalonePageOptions == nil {
 			// for an external "DisplayInIFrame" render, it could only output its content in a standalone page
 			// otherwise, a <iframe> should be outputted to embed the external rendered page
@@ -248,7 +256,12 @@ func RenderWithRenderer(ctx *RenderContext, renderer Renderer, input io.Reader,
 		extraLinkHref := ctx.RenderOptions.StandalonePageOptions.CurrentWebTheme.PublicAssetURI()
 		// "<script>" must go before "<link>", to make Golang's http.DetectContentType() can still recognize the content as "text/html"
 		// DO NOT use "type=module", the script must run as early as possible, to set up the environment in the iframe
-		extraHeadHTML = htmlutil.HTMLFormat(`<script crossorigin src="%s"></script><link rel="stylesheet" href="%s">`, extraScriptSrc, extraLinkHref)
+		extraHeadHTML = htmlutil.HTMLFormat(
+			`<script nonce crossorigin src="%s" id="gitea-external-render-helper" data-render-query-string="%s"></script>`+
+				`<link rel="stylesheet" href="%s">`,
+			extraScriptSrc, ctx.RenderOptions.StandalonePageOptions.RenderQueryString,
+			extraLinkHref,
+		)
 	}

 	ctx.usedByRender = true
--- a/modules/markup/render_test.go
+++ b/modules/markup/render_test.go
@@ -24,8 +24,8 @@ func TestRenderIFrame(t *testing.T) {

 	// the value is read from config RENDER_CONTENT_SANDBOX, empty means "disabled"
 	ret := render(ctx, ExternalRendererOptions{ContentSandbox: ""})
-	assert.Equal(t, `<iframe data-src="/test-owner/test-repo/render/src/branch/master/tree-path" class="external-render-iframe"></iframe>`, ret)
+	assert.Equal(t, `<iframe data-src="/test-owner/test-repo/render/src/branch/master/tree-path" data-global-init="initExternalRenderIframe" class="external-render-iframe"></iframe>`, ret)

 	ret = render(ctx, ExternalRendererOptions{ContentSandbox: "allow"})
-	assert.Equal(t, `<iframe data-src="/test-owner/test-repo/render/src/branch/master/tree-path" class="external-render-iframe" sandbox="allow"></iframe>`, ret)
+	assert.Equal(t, `<iframe data-src="/test-owner/test-repo/render/src/branch/master/tree-path" data-global-init="initExternalRenderIframe" class="external-render-iframe" sandbox="allow"></iframe>`, ret)
 }
--- a/modules/packages/swift/metadata.go
+++ b/modules/packages/swift/metadata.go
@@ -47,6 +47,7 @@ type Metadata struct {
 	Keywords      []string             `json:"keywords,omitempty"`
 	RepositoryURL string               `json:"repository_url,omitempty"`
 	License       string               `json:"license,omitempty"`
+	LicenseURL    string               `json:"license_url,omitempty"`
 	Author        Person               `json:"author"`
 	Manifests     map[string]*Manifest `json:"manifests,omitempty"`
 }
@@ -67,7 +68,8 @@ type SoftwareSourceCode struct {
 	Keywords            []string            `json:"keywords,omitempty"`
 	CodeRepository      string              `json:"codeRepository,omitempty"`
 	License             string              `json:"license,omitempty"`
-	Author              Person              `json:"author"`
+	LicenseURL          string              `json:"licenseURL,omitempty"`
+	Author              *Person             `json:"author,omitempty"`
 	ProgrammingLanguage ProgrammingLanguage `json:"programmingLanguage"`
 	RepositoryURLs      []string            `json:"repositoryURLs,omitempty"`
 }
@@ -181,26 +183,31 @@ func ParsePackage(sr io.ReaderAt, size int64, mr io.Reader) (*Package, error) {
 		if err := json.NewDecoder(mr).Decode(&ssc); err != nil {
 			return nil, err
 		}
-
 		p.Metadata.Description = ssc.Description
 		p.Metadata.Keywords = ssc.Keywords
 		p.Metadata.License = ssc.License
-		author := Person{
-			Name:       ssc.Author.Name,
-			GivenName:  ssc.Author.GivenName,
-			MiddleName: ssc.Author.MiddleName,
-			FamilyName: ssc.Author.FamilyName,
+		p.Metadata.LicenseURL = ssc.LicenseURL
+		if ssc.Author != nil {
+			author := Person{
+				Name:       ssc.Author.Name,
+				GivenName:  ssc.Author.GivenName,
+				MiddleName: ssc.Author.MiddleName,
+				FamilyName: ssc.Author.FamilyName,
+			}
+			// If Name is not provided, generate it from individual name components
+			if author.Name == "" {
+				author.Name = author.String()
+			}
+			p.Metadata.Author = author
 		}
-		// If Name is not provided, generate it from individual name components
-		if author.Name == "" {
-			author.Name = author.String()
-		}
-		p.Metadata.Author = author

 		p.Metadata.RepositoryURL = ssc.CodeRepository
 		if !validation.IsValidURL(p.Metadata.RepositoryURL) {
 			p.Metadata.RepositoryURL = ""
 		}
+		if !validation.IsValidURL(p.Metadata.LicenseURL) {
+			p.Metadata.LicenseURL = ""
+		}

 		p.RepositoryURLs = ssc.RepositoryURLs
 	}
--- a/modules/packages/swift/metadata_test.go
+++ b/modules/packages/swift/metadata_test.go
@@ -4,11 +4,12 @@
 package swift

 import (
-	"archive/zip"
 	"bytes"
 	"strings"
 	"testing"

+	"code.gitea.io/gitea/modules/test"
+
 	"github.com/hashicorp/go-version"
 	"github.com/stretchr/testify/assert"
 )
@@ -18,36 +19,24 @@ const (
 	packageVersion       = "1.0.1"
 	packageDescription   = "Package Description"
 	packageRepositoryURL = "https://gitea.io/gitea/gitea"
+	packageLicenseURL    = "https://opensource.org/license/mit"
 	packageAuthor        = "KN4CK3R"
 	packageLicense       = "MIT"
 )

 func TestParsePackage(t *testing.T) {
-	createArchive := func(files map[string][]byte) *bytes.Reader {
-		var buf bytes.Buffer
-		zw := zip.NewWriter(&buf)
-		for filename, content := range files {
-			w, _ := zw.Create(filename)
-			w.Write(content)
-		}
-		zw.Close()
-		return bytes.NewReader(buf.Bytes())
-	}
-
 	t.Run("MissingManifestFile", func(t *testing.T) {
-		data := createArchive(map[string][]byte{"dummy.txt": {}})
-
-		p, err := ParsePackage(data, data.Size(), nil)
+		data := test.WriteZipArchive(map[string]string{"dummy.txt": ""})
+		p, err := ParsePackage(bytes.NewReader(data.Bytes()), int64(data.Len()), nil)
 		assert.Nil(t, p)
 		assert.ErrorIs(t, err, ErrMissingManifestFile)
 	})

 	t.Run("ManifestFileTooLarge", func(t *testing.T) {
-		data := createArchive(map[string][]byte{
-			"Package.swift": make([]byte, maxManifestFileSize+1),
+		data := test.WriteZipArchive(map[string]string{
+			"Package.swift": strings.Repeat("a", maxManifestFileSize+1),
 		})
-
-		p, err := ParsePackage(data, data.Size(), nil)
+		p, err := ParsePackage(bytes.NewReader(data.Bytes()), int64(data.Len()), nil)
 		assert.Nil(t, p)
 		assert.ErrorIs(t, err, ErrManifestFileTooLarge)
 	})
@@ -56,12 +45,12 @@ func TestParsePackage(t *testing.T) {
 		content1 := "// swift-tools-version:5.7\n//\n//  Package.swift"
 		content2 := "// swift-tools-version:5.6\n//\n//  Package@swift-5.6.swift"

-		data := createArchive(map[string][]byte{
-			"Package.swift":           []byte(content1),
-			"Package@swift-5.5.swift": []byte(content2),
+		data := test.WriteZipArchive(map[string]string{
+			"Package.swift":           content1,
+			"Package@swift-5.5.swift": content2,
 		})

-		p, err := ParsePackage(data, data.Size(), nil)
+		p, err := ParsePackage(bytes.NewReader(data.Bytes()), int64(data.Len()), nil)
 		assert.NotNil(t, p)
 		assert.NoError(t, err)

@@ -77,14 +66,13 @@ func TestParsePackage(t *testing.T) {
 	})

 	t.Run("WithMetadata", func(t *testing.T) {
-		data := createArchive(map[string][]byte{
-			"Package.swift": []byte("// swift-tools-version:5.7\n//\n//  Package.swift"),
+		data := test.WriteZipArchive(map[string]string{
+			"Package.swift": "// swift-tools-version:5.7\n//\n//  Package.swift",
 		})

 		p, err := ParsePackage(
-			data,
-			data.Size(),
-			strings.NewReader(`{"name":"`+packageName+`","version":"`+packageVersion+`","description":"`+packageDescription+`","keywords":["swift","package"],"license":"`+packageLicense+`","codeRepository":"`+packageRepositoryURL+`","author":{"givenName":"`+packageAuthor+`"},"repositoryURLs":["`+packageRepositoryURL+`"]}`),
+			bytes.NewReader(data.Bytes()), int64(data.Len()),
+			strings.NewReader(`{"name":"`+packageName+`","version":"`+packageVersion+`","description":"`+packageDescription+`","keywords":["swift","package"],"license":"`+packageLicense+`","licenseURL":"`+packageLicenseURL+`","codeRepository":"`+packageRepositoryURL+`","author":{"givenName":"`+packageAuthor+`"},"repositoryURLs":["`+packageRepositoryURL+`"]}`),
 		)
 		assert.NotNil(t, p)
 		assert.NoError(t, err)
@@ -97,6 +85,7 @@ func TestParsePackage(t *testing.T) {
 		assert.Equal(t, packageDescription, p.Metadata.Description)
 		assert.ElementsMatch(t, []string{"swift", "package"}, p.Metadata.Keywords)
 		assert.Equal(t, packageLicense, p.Metadata.License)
+		assert.Equal(t, packageLicenseURL, p.Metadata.LicenseURL)
 		assert.Equal(t, packageAuthor, p.Metadata.Author.Name)
 		assert.Equal(t, packageAuthor, p.Metadata.Author.GivenName)
 		assert.Equal(t, packageRepositoryURL, p.Metadata.RepositoryURL)
@@ -104,14 +93,13 @@ func TestParsePackage(t *testing.T) {
 	})

 	t.Run("WithExplicitNameField", func(t *testing.T) {
-		data := createArchive(map[string][]byte{
-			"Package.swift": []byte("// swift-tools-version:5.7\n//\n//  Package.swift"),
+		data := test.WriteZipArchive(map[string]string{
+			"Package.swift": "// swift-tools-version:5.7\n//\n//  Package.swift",
 		})

 		authorName := "John Doe"
 		p, err := ParsePackage(
-			data,
-			data.Size(),
+			bytes.NewReader(data.Bytes()), int64(data.Len()),
 			strings.NewReader(`{"name":"`+packageName+`","version":"`+packageVersion+`","description":"`+packageDescription+`","author":{"name":"`+authorName+`","givenName":"John","familyName":"Doe"}}`),
 		)
 		assert.NotNil(t, p)
@@ -122,15 +110,30 @@ func TestParsePackage(t *testing.T) {
 		assert.Equal(t, "Doe", p.Metadata.Author.FamilyName)
 	})

+	t.Run("WithEmptyJSONMetadata", func(t *testing.T) {
+		data := test.WriteZipArchive(map[string]string{
+			"Package.swift": "// swift-tools-version:5.7\n//\n//  Package.swift",
+		})
+
+		p, err := ParsePackage(
+			bytes.NewReader(data.Bytes()), int64(data.Len()),
+			strings.NewReader(`{}`),
+		)
+		assert.NotNil(t, p)
+		assert.NoError(t, err)
+		assert.NotNil(t, p.Metadata)
+		assert.Empty(t, p.Metadata.Author.Name)
+		assert.Empty(t, p.RepositoryURLs)
+	})
+
 	t.Run("NameFieldGeneration", func(t *testing.T) {
-		data := createArchive(map[string][]byte{
-			"Package.swift": []byte("// swift-tools-version:5.7\n//\n//  Package.swift"),
+		data := test.WriteZipArchive(map[string]string{
+			"Package.swift": "// swift-tools-version:5.7\n//\n//  Package.swift",
 		})

 		// Test with only individual name components - Name should be auto-generated
 		p, err := ParsePackage(
-			data,
-			data.Size(),
+			bytes.NewReader(data.Bytes()), int64(data.Len()),
 			strings.NewReader(`{"author":{"givenName":"John","middleName":"Q","familyName":"Doe"}}`),
 		)
 		assert.NotNil(t, p)
--- a/modules/public/manifest.go
+++ b/modules/public/manifest.go
@@ -56,6 +56,8 @@ func parseManifest(data []byte) (map[string]string, map[string]string) {
 		paths[key] = entry.File
 		names[entry.File] = entry.Name
 		// Map associated CSS files, e.g. "css/index.css" -> "css/index.B3zrQPqD.css"
+		// FIXME: INCORRECT-VITE-MANIFEST-PARSER: the logic is wrong, Vite manifest doesn't work this way
+		// It just happens to be correct for the current modules dependencies
 		for _, css := range entry.CSS {
 			cssKey := path.Dir(css) + "/" + entry.Name + path.Ext(css)
 			paths[cssKey] = css
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -31,6 +31,7 @@ var (
 	ReverseProxyAuthEmail              string
 	ReverseProxyAuthFullName           string
 	ReverseProxyLimit                  int
+	ReverseProxyLogoutRedirect         string
 	ReverseProxyTrustedProxies         []string
 	MinPasswordLength                  int
 	ImportLocalPaths                   bool
@@ -124,6 +125,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 	ReverseProxyAuthFullName = sec.Key("REVERSE_PROXY_AUTHENTICATION_FULL_NAME").MustString("X-WEBAUTH-FULLNAME")

 	ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
+	ReverseProxyLogoutRedirect = sec.Key("REVERSE_PROXY_LOGOUT_REDIRECT").String()
 	ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
 	if len(ReverseProxyTrustedProxies) == 0 {
 		ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -201,7 +201,7 @@ func mustCurrentRunUserMatch(rootCfg ConfigProvider) {
 	if HasInstallLock(rootCfg) {
 		currentUser, match := IsRunUserMatchCurrentUser(RunUser)
 		if !match {
-			log.Fatal("Expect user '%s' but current user is: %s", RunUser, currentUser)
+			log.Fatal("Expect user '%s' (RUN_USER in app.ini) but current user is: %s", RunUser, currentUser)
 		}
 	}
 }
--- a/modules/templates/helper_test.go
+++ b/modules/templates/helper_test.go
@@ -5,6 +5,7 @@ package templates

 import (
 	"html/template"
+	"net/url"
 	"strings"
 	"testing"

@@ -169,9 +170,21 @@ func TestQueryBuild(t *testing.T) {
 	})
 }

+const queryNonASCII = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~" // all non-letter & non-number chars
+
 func TestQueryEscape(t *testing.T) {
 	// this test is a reference for "urlQueryEscape" in JS
-	in := "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~" // all non-letter & non-number chars
-	expected := "%21%22%23%24%25%26%27%28%29%2A%2B%2C-.%2F%3A%3B%3C%3D%3E%3F%40%5B%5C%5D%5E_%60%7B%7C%7D~"
-	assert.Equal(t, expected, string(queryEscape(in)))
+	// Special case for space encoding:
+	// * RFC 3986: Uniform Resource Identifier (URI): %20
+	// * WHATWG HTML: application/x-www-form-urlencoded: +
+	// * JavaScript: encodeURIComponent() uses "%20". URLSearchParams uses "+"
+	// * Golang: QueryEscape uses "+"
+	expected := "+%21%22%23%24%25%26%27%28%29%2A%2B%2C-.%2F%3A%3B%3C%3D%3E%3F%40%5B%5C%5D%5E_%60%7B%7C%7D~"
+	assert.Equal(t, expected, url.QueryEscape(queryNonASCII))
+}
+
+func TestPathEscape(t *testing.T) {
+	// this test is a reference for "pathEscape" in JS
+	expected := "%20%21%22%23$%25&%27%28%29%2A+%2C-.%2F:%3B%3C=%3E%3F@%5B%5C%5D%5E_%60%7B%7C%7D~"
+	assert.Equal(t, expected, url.PathEscape(queryNonASCII))
 }
--- a/modules/test/utils.go
+++ b/modules/test/utils.go
@@ -5,6 +5,7 @@ package test

 import (
 	"archive/tar"
+	"archive/zip"
 	"bytes"
 	"compress/gzip"
 	"io"
@@ -97,6 +98,17 @@ func WriteTarArchive(files map[string]string) *bytes.Buffer {
 	return WriteTarCompression(func(w io.Writer) io.WriteCloser { return util.NopCloser{Writer: w} }, files)
 }

+func WriteZipArchive(files map[string]string) *bytes.Buffer {
+	buf := &bytes.Buffer{}
+	zw := zip.NewWriter(buf)
+	for name, content := range files {
+		w, _ := zw.Create(name)
+		_, _ = w.Write([]byte(content))
+	}
+	_ = zw.Close()
+	return buf
+}
+
 func WriteTarCompression[F func(io.Writer) io.WriteCloser | func(io.Writer) (io.WriteCloser, error)](compression F, files map[string]string) *bytes.Buffer {
 	buf := &bytes.Buffer{}
 	var cw io.WriteCloser
--- a/modules/util/util.go
+++ b/modules/util/util.go
@@ -255,11 +255,13 @@ func EnumValue[T comparable](val EnumConst[T]) (ret T, valid bool) {
 	return enums[0], false
 }

-func ReserveLineBreakForTextarea(input string) string {
+func NormalizeStringEOL(input string) string {
 	// Since the content is from a form which is a textarea, the line endings are \r\n.
 	// It's a standard behavior of HTML.
-	// But we want to store them as \n like what GitHub does.
-	// And users are unlikely to really need to keep the \r.
+	// But in most cases, we only want "\n" for EOL
+	// * Text files: use "\n" by default because "\r\n" sometimes doesn't work in POSIX
+	// * Actions values: store them as "\n" like what GitHub does.
+	// And users are unlikely to really need the "\r".
 	// Other than this, we should respect the original content, even leading or trailing spaces.
-	return strings.ReplaceAll(input, "\r\n", "\n")
+	return UnsafeBytesToString(NormalizeEOL(UnsafeStringToBytes(input)))
 }
--- a/modules/util/util_test.go
+++ b/modules/util/util_test.go
@@ -175,9 +175,9 @@ func TestToTitleCase(t *testing.T) {
 	assert.Equal(t, `Foo Bar Baz`, ToTitleCase(`FOO BAR BAZ`))
 }

-func TestReserveLineBreakForTextarea(t *testing.T) {
-	assert.Equal(t, "test\ndata", ReserveLineBreakForTextarea("test\r\ndata"))
-	assert.Equal(t, "test\ndata\n", ReserveLineBreakForTextarea("test\r\ndata\r\n"))
+func TestNormalizeStringEOL(t *testing.T) {
+	assert.Equal(t, "test\ndata", NormalizeStringEOL("test\r\ndata"))
+	assert.Equal(t, " test\ndata\n ", NormalizeStringEOL(" test\rdata\r "))
 }

 func TestOptionalArg(t *testing.T) {
@@ -192,3 +192,10 @@ func TestOptionalArg(t *testing.T) {
 	assert.Equal(t, 42, bar(nil))
 	assert.Equal(t, 100, bar(nil, 100))
 }
+
+func TestPathEscapeSegments(t *testing.T) {
+	assert.Equal(t, "a", PathEscapeSegments("a"))
+	assert.Equal(t, "a/b", PathEscapeSegments("a/b"))
+	assert.Equal(t, "a/b%20c", PathEscapeSegments("a/b c"))
+	assert.Equal(t, "a/b+c", PathEscapeSegments("a/b+c"))
+}
--- a/modules/validation/binding.go
+++ b/modules/validation/binding.go
@@ -5,12 +5,14 @@ package validation

 import (
 	"fmt"
+	"io"
 	"regexp"
 	"strings"

 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/glob"
+	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/util"

 	"gitea.com/go-chi/binding"
@@ -31,8 +33,23 @@ const (
 	ErrInvalidBadgeSlug = "InvalidBadgeSlug"
 )

+type jsonProvider struct{}
+
+func (j jsonProvider) Marshal(v any) ([]byte, error) { return json.Marshal(v) }
+
+func (j jsonProvider) Unmarshal(data []byte, v any) error { return json.Unmarshal(data, v) }
+
+func (j jsonProvider) NewDecoder(reader io.Reader) binding.JSONDecoder {
+	return json.NewDecoder(reader)
+}
+
+func (j jsonProvider) NewEncoder(writer io.Writer) binding.JSONEncoder {
+	return json.NewEncoder(writer)
+}
+
 // AddBindingRules adds additional binding rules
 func AddBindingRules() {
+	binding.JSONProvider = jsonProvider{}
 	addGitRefNameBindingRule()
 	addValidURLListBindingRule()
 	addValidURLBindingRule()
--- a/options/locale/locale_en-US.json
+++ b/options/locale/locale_en-US.json
@@ -269,7 +269,7 @@
  "install.lfs_path": "Git LFS Root Path",
  "install.lfs_path_helper": "Files tracked by Git LFS will be stored in this directory. Leave empty to disable.",
  "install.run_user": "Run As Username",
-  "install.run_user_helper": "The operating system username that Gitea runs as. Note that this user must have access to the repository root path.",
+  "install.run_user_helper": "The operating system username that Gitea runs as, it must have write access to the data paths. This value is auto-detected and cannot be changed here. To use a different user, restart Gitea under that account.",
  "install.domain": "Server Domain",
  "install.domain_helper": "Domain or host address for the server.",
  "install.ssh_port": "SSH Server Port",
@@ -316,7 +316,6 @@
  "install.invalid_db_table": "The database table \"%s\" is invalid: %v",
  "install.invalid_repo_path": "The repository root path is invalid: %v",
  "install.invalid_app_data_path": "The app data path is invalid: %v",
-  "install.run_user_not_match": "The 'run as' username is not the current username: %s -> %s",
  "install.internal_token_failed": "Failed to generate internal token: %v",
  "install.secret_key_failed": "Failed to generate secret key: %v",
  "install.save_config_failed": "Failed to save configuration: %v",
@@ -638,14 +637,8 @@
  "user.block.unblock.failure": "Failed to unblock user: %s",
  "user.block.blocked": "You have blocked this user.",
  "user.block.title": "Block a user",
-  "user.block.info": "Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.",
-  "user.block.info_1": "Blocking a user prevents the following actions on your account and your repositories:",
-  "user.block.info_2": "following your account",
-  "user.block.info_3": "send you notifications by @mentioning your username",
-  "user.block.info_4": "inviting you as a collaborator to their repositories",
-  "user.block.info_5": "starring, forking or watching on repositories",
-  "user.block.info_6": "opening and commenting on issues or pull requests",
-  "user.block.info_7": "reacting to your comments in issues or pull requests",
+  "user.block.info": "Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues.",
+  "user.block.info.docs": "Learn more about blocking a user.",
  "user.block.user_to_block": "User to block",
  "user.block.note": "Note",
  "user.block.note.title": "Optional note:",
--- a/package.json
+++ b/package.json
@@ -59,7 +59,7 @@
    "pdfobject": "2.3.1",
    "perfect-debounce": "2.1.0",
    "postcss": "8.5.8",
-    "rollup-plugin-license": "3.7.0",
+    "rolldown-license-plugin": "2.2.0",
    "sortablejs": "1.15.7",
    "swagger-ui-dist": "5.32.1",
    "tailwindcss": "3.4.19",
@@ -73,8 +73,7 @@
    "vite-string-plugin": "2.0.2",
    "vue": "3.5.31",
    "vue-bar-graph": "2.2.0",
-    "vue-chartjs": "5.3.3",
-    "wrap-ansi": "10.0.0"
+    "vue-chartjs": "5.3.3"
  },
  "devDependencies": {
    "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -185,9 +185,9 @@ importers:
      postcss:
        specifier: 8.5.8
        version: 8.5.8
-      rollup-plugin-license:
-        specifier: 3.7.0
-        version: 3.7.0(picomatch@4.0.4)(rollup@4.60.1)
+      rolldown-license-plugin:
+        specifier: 2.2.0
+        version: 2.2.0
      sortablejs:
        specifier: 1.15.7
        version: 1.15.7
@@ -230,9 +230,6 @@ importers:
      vue-chartjs:
        specifier: 5.3.3
        version: 5.3.3(chart.js@4.5.1)(vue@3.5.31(typescript@6.0.2))
-      wrap-ansi:
-        specifier: 10.0.0
-        version: 10.0.0
    devDependencies:
      '@eslint-community/eslint-plugin-eslint-comments':
        specifier: 4.7.1
@@ -1235,144 +1232,6 @@ packages:
  '@rolldown/pluginutils@1.0.0-rc.2':
    resolution: {integrity: sha512-izyXV/v+cHiRfozX62W9htOAvwMo4/bXKDrQ+vom1L1qRuexPock/7VZDAhnpHCLNejd3NJ6hiab+tO0D44Rgw==}

-  '@rollup/rollup-android-arm-eabi@4.60.1':
-    resolution: {integrity: sha512-d6FinEBLdIiK+1uACUttJKfgZREXrF0Qc2SmLII7W2AD8FfiZ9Wjd+rD/iRuf5s5dWrr1GgwXCvPqOuDquOowA==}
-    cpu: [arm]
-    os: [android]
-
-  '@rollup/rollup-android-arm64@4.60.1':
-    resolution: {integrity: sha512-YjG/EwIDvvYI1YvYbHvDz/BYHtkY4ygUIXHnTdLhG+hKIQFBiosfWiACWortsKPKU/+dUwQQCKQM3qrDe8c9BA==}
-    cpu: [arm64]
-    os: [android]
-
-  '@rollup/rollup-darwin-arm64@4.60.1':
-    resolution: {integrity: sha512-mjCpF7GmkRtSJwon+Rq1N8+pI+8l7w5g9Z3vWj4T7abguC4Czwi3Yu/pFaLvA3TTeMVjnu3ctigusqWUfjZzvw==}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@rollup/rollup-darwin-x64@4.60.1':
-    resolution: {integrity: sha512-haZ7hJ1JT4e9hqkoT9R/19XW2QKqjfJVv+i5AGg57S+nLk9lQnJ1F/eZloRO3o9Scy9CM3wQ9l+dkXtcBgN5Ew==}
-    cpu: [x64]
-    os: [darwin]
-
-  '@rollup/rollup-freebsd-arm64@4.60.1':
-    resolution: {integrity: sha512-czw90wpQq3ZsAVBlinZjAYTKduOjTywlG7fEeWKUA7oCmpA8xdTkxZZlwNJKWqILlq0wehoZcJYfBvOyhPTQ6w==}
-    cpu: [arm64]
-    os: [freebsd]
-
-  '@rollup/rollup-freebsd-x64@4.60.1':
-    resolution: {integrity: sha512-KVB2rqsxTHuBtfOeySEyzEOB7ltlB/ux38iu2rBQzkjbwRVlkhAGIEDiiYnO2kFOkJp+Z7pUXKyrRRFuFUKt+g==}
-    cpu: [x64]
-    os: [freebsd]
-
-  '@rollup/rollup-linux-arm-gnueabihf@4.60.1':
-    resolution: {integrity: sha512-L+34Qqil+v5uC0zEubW7uByo78WOCIrBvci69E7sFASRl0X7b/MB6Cqd1lky/CtcSVTydWa2WZwFuWexjS5o6g==}
-    cpu: [arm]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-arm-musleabihf@4.60.1':
-    resolution: {integrity: sha512-n83O8rt4v34hgFzlkb1ycniJh7IR5RCIqt6mz1VRJD6pmhRi0CXdmfnLu9dIUS6buzh60IvACM842Ffb3xd6Gg==}
-    cpu: [arm]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-arm64-gnu@4.60.1':
-    resolution: {integrity: sha512-Nql7sTeAzhTAja3QXeAI48+/+GjBJ+QmAH13snn0AJSNL50JsDqotyudHyMbO2RbJkskbMbFJfIJKWA6R1LCJQ==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-arm64-musl@4.60.1':
-    resolution: {integrity: sha512-+pUymDhd0ys9GcKZPPWlFiZ67sTWV5UU6zOJat02M1+PiuSGDziyRuI/pPue3hoUwm2uGfxdL+trT6Z9rxnlMA==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-loong64-gnu@4.60.1':
-    resolution: {integrity: sha512-VSvgvQeIcsEvY4bKDHEDWcpW4Yw7BtlKG1GUT4FzBUlEKQK0rWHYBqQt6Fm2taXS+1bXvJT6kICu5ZwqKCnvlQ==}
-    cpu: [loong64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-loong64-musl@4.60.1':
-    resolution: {integrity: sha512-4LqhUomJqwe641gsPp6xLfhqWMbQV04KtPp7/dIp0nzPxAkNY1AbwL5W0MQpcalLYk07vaW9Kp1PBhdpZYYcEw==}
-    cpu: [loong64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-ppc64-gnu@4.60.1':
-    resolution: {integrity: sha512-tLQQ9aPvkBxOc/EUT6j3pyeMD6Hb8QF2BTBnCQWP/uu1lhc9AIrIjKnLYMEroIz/JvtGYgI9dF3AxHZNaEH0rw==}
-    cpu: [ppc64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-ppc64-musl@4.60.1':
-    resolution: {integrity: sha512-RMxFhJwc9fSXP6PqmAz4cbv3kAyvD1etJFjTx4ONqFP9DkTkXsAMU4v3Vyc5BgzC+anz7nS/9tp4obsKfqkDHg==}
-    cpu: [ppc64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-riscv64-gnu@4.60.1':
-    resolution: {integrity: sha512-QKgFl+Yc1eEk6MmOBfRHYF6lTxiiiV3/z/BRrbSiW2I7AFTXoBFvdMEyglohPj//2mZS4hDOqeB0H1ACh3sBbg==}
-    cpu: [riscv64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-riscv64-musl@4.60.1':
-    resolution: {integrity: sha512-RAjXjP/8c6ZtzatZcA1RaQr6O1TRhzC+adn8YZDnChliZHviqIjmvFwHcxi4JKPSDAt6Uhf/7vqcBzQJy0PDJg==}
-    cpu: [riscv64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-s390x-gnu@4.60.1':
-    resolution: {integrity: sha512-wcuocpaOlaL1COBYiA89O6yfjlp3RwKDeTIA0hM7OpmhR1Bjo9j31G1uQVpDlTvwxGn2nQs65fBFL5UFd76FcQ==}
-    cpu: [s390x]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-x64-gnu@4.60.1':
-    resolution: {integrity: sha512-77PpsFQUCOiZR9+LQEFg9GClyfkNXj1MP6wRnzYs0EeWbPcHs02AXu4xuUbM1zhwn3wqaizle3AEYg5aeoohhg==}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-x64-musl@4.60.1':
-    resolution: {integrity: sha512-5cIATbk5vynAjqqmyBjlciMJl1+R/CwX9oLk/EyiFXDWd95KpHdrOJT//rnUl4cUcskrd0jCCw3wpZnhIHdD9w==}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-openbsd-x64@4.60.1':
-    resolution: {integrity: sha512-cl0w09WsCi17mcmWqqglez9Gk8isgeWvoUZ3WiJFYSR3zjBQc2J5/ihSjpl+VLjPqjQ/1hJRcqBfLjssREQILw==}
-    cpu: [x64]
-    os: [openbsd]
-
-  '@rollup/rollup-openharmony-arm64@4.60.1':
-    resolution: {integrity: sha512-4Cv23ZrONRbNtbZa37mLSueXUCtN7MXccChtKpUnQNgF010rjrjfHx3QxkS2PI7LqGT5xXyYs1a7LbzAwT0iCA==}
-    cpu: [arm64]
-    os: [openharmony]
-
-  '@rollup/rollup-win32-arm64-msvc@4.60.1':
-    resolution: {integrity: sha512-i1okWYkA4FJICtr7KpYzFpRTHgy5jdDbZiWfvny21iIKky5YExiDXP+zbXzm3dUcFpkEeYNHgQ5fuG236JPq0g==}
-    cpu: [arm64]
-    os: [win32]
-
-  '@rollup/rollup-win32-ia32-msvc@4.60.1':
-    resolution: {integrity: sha512-u09m3CuwLzShA0EYKMNiFgcjjzwqtUMLmuCJLeZWjjOYA3IT2Di09KaxGBTP9xVztWyIWjVdsB2E9goMjZvTQg==}
-    cpu: [ia32]
-    os: [win32]
-
-  '@rollup/rollup-win32-x64-gnu@4.60.1':
-    resolution: {integrity: sha512-k+600V9Zl1CM7eZxJgMyTUzmrmhB/0XZnF4pRypKAlAgxmedUA+1v9R+XOFv56W4SlHEzfeMtzujLJD22Uz5zg==}
-    cpu: [x64]
-    os: [win32]
-
-  '@rollup/rollup-win32-x64-msvc@4.60.1':
-    resolution: {integrity: sha512-lWMnixq/QzxyhTV6NjQJ4SFo1J6PvOX8vUx5Wb4bBPsEb+8xZ89Bz6kOXpfXj9ak9AHTQVQzlgzBEc1SyM27xQ==}
-    cpu: [x64]
-    os: [win32]
-
  '@rtsao/scc@1.1.0':
    resolution: {integrity: sha512-zt6OdqaDoOnJ1ZYsCYGt9YmWzDXl4vQdKTyJev62gFhRGKdx7mcT54V9KIjg+d2wi9EXsPvAPKe7i7WjfVWB8g==}

@@ -1892,10 +1751,6 @@ packages:
    resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
    engines: {node: '>=8'}

-  ansi-styles@6.2.3:
-    resolution: {integrity: sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==}
-    engines: {node: '>=12'}
-
  ansi_up@6.0.6:
    resolution: {integrity: sha512-yIa1x3Ecf8jWP4UWEunNjqNX6gzE4vg2gGz+xqRGY+TBSucnYp6RRdPV4brmtg6bQ1ljD48mZ5iGSEj7QEpRKA==}

@@ -1916,10 +1771,6 @@ packages:
    resolution: {integrity: sha512-COROpnaoap1E2F000S62r6A60uHZnmlvomhfyT2DlTcrY1OrBKn2UhH7qn5wTC9zMvD0AY7csdPSNwKP+7WiQw==}
    engines: {node: '>= 0.4'}

-  array-find-index@1.0.2:
-    resolution: {integrity: sha512-M1HQyIXcBGtVywBt8WVdim+lrNaK7VHp99Qt5pSNziXznKHViIBbXWtfRTpEFpF/c4FdfxNAsCCwPp5phBYJtw==}
-    engines: {node: '>=0.10.0'}
-
  asciinema-player@3.15.1:
    resolution: {integrity: sha512-agVYeNlPxthLyAb92l9AS7ypW0uhesqOuQzyR58Q4Sj+MvesQztZBgx86lHqNJkB8rQ6EP0LeA9czGytQUBpYw==}

@@ -2113,9 +1964,6 @@ packages:
    resolution: {integrity: sha512-ObxuY6vnbWTN6Od72xfwN9DbzC7Y2vv8u1Soi9ahRKL37gb6y1qk6/dgjs+3JWuXJHWvsg3BXIwzd/rkmAwavg==}
    engines: {node: '>= 12.0.0'}

-  commenting@1.1.0:
-    resolution: {integrity: sha512-YeNK4tavZwtH7jEgK1ZINXzLKm6DZdEMfsaaieOsCAN0S8vsY7UeuO3Q7d/M018EFgE+IeUAuBOKkFccBZsUZA==}
-
  compare-versions@6.1.1:
    resolution: {integrity: sha512-4hm4VPpIecmlg59CHXnRDnqGplJFrbLG4aFEl5vl6cK1u76ws3LLvX7ikFnTDl5vo39sjWD6AaDPYodJp/NNHg==}

@@ -3385,9 +3233,6 @@ packages:
  mlly@1.8.2:
    resolution: {integrity: sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA==}

-  moment@2.30.1:
-    resolution: {integrity: sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==}
-
  moo@0.5.3:
    resolution: {integrity: sha512-m2fmM2dDm7GZQsY7KK2cme8agi+AAljILjQnof7p1ZMDe6dQ4bdnSMx0cPppudoeNv5hEFQirN6u+O4fDE0IWA==}

@@ -3478,10 +3323,6 @@ packages:
  package-manager-detector@1.6.0:
    resolution: {integrity: sha512-61A5ThoTiDG/C8s8UMZwSorAGwMJ0ERVGj2OjoW5pAalsNOg15+iQiPzrLJ4jhZ1HJzmC2PIHT2oEiH3R5fzNA==}

-  package-name-regex@2.0.6:
-    resolution: {integrity: sha512-gFL35q7kbE/zBaPA3UKhp2vSzcPYx2ecbYuwv1ucE9Il6IIgBDweBlH8D68UFGZic2MkllKa2KHCfC1IQBQUYA==}
-    engines: {node: '>=12'}
-
  parent-module@1.0.1:
    resolution: {integrity: sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==}
    engines: {node: '>=6'}
@@ -3706,22 +3547,14 @@ packages:
  robust-predicates@3.0.3:
    resolution: {integrity: sha512-NS3levdsRIUOmiJ8FZWCP7LG3QpJyrs/TE0Zpf1yvZu8cAJJ6QMW92H1c7kWpdIHo8RvmLxN/o2JXTKHp74lUA==}

+  rolldown-license-plugin@2.2.0:
+    resolution: {integrity: sha512-7a/v9/9o5/pCpPtx4WSX68/xHC8wmmR/cxkofWQ7I7ep5Tvhjb9KkIUdTyuKc52SHiGSz2PxrS0qm/z2PjJyiQ==}
+
  rolldown@1.0.0-rc.12:
    resolution: {integrity: sha512-yP4USLIMYrwpPHEFB5JGH1uxhcslv6/hL0OyvTuY+3qlOSJvZ7ntYnoWpehBxufkgN0cvXxppuTu5hHa/zPh+A==}
    engines: {node: ^20.19.0 || >=22.12.0}
    hasBin: true

-  rollup-plugin-license@3.7.0:
-    resolution: {integrity: sha512-RvvOIF+GH3fBR3wffgc/vmjQn6qOn72WjppWVDp/v+CLpT0BbcRBdSkPeeIOL6U5XccdYgSIMjUyXgxlKEEFcw==}
-    engines: {node: '>=14.0.0'}
-    peerDependencies:
-      rollup: ^1.0.0 || ^2.0.0 || ^3.0.0 || ^4.0.0
-
-  rollup@4.60.1:
-    resolution: {integrity: sha512-VmtB2rFU/GroZ4oL8+ZqXgSA38O6GR8KSIvWmEFv63pQ0G6KaBH9s07PO8XTXP4vI+3UJUEypOfjkGfmSBBR0w==}
-    engines: {node: '>=18.0.0', npm: '>=8.0.0'}
-    hasBin: true
-
  roughjs@4.6.6:
    resolution: {integrity: sha512-ZUz/69+SYpFN/g/lUlo2FXcIjRkSu3nDarreVdGGndHEBJ6cXPdKguS8JGxwj5HA5xIbVKSmLgr5b3AWxtRfvQ==}

@@ -3805,27 +3638,6 @@ packages:
    resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
    engines: {node: '>=0.10.0'}

-  spdx-compare@1.0.0:
-    resolution: {integrity: sha512-C1mDZOX0hnu0ep9dfmuoi03+eOdDoz2yvK79RxbcrVEG1NO1Ph35yW102DHWKN4pk80nwCgeMmSY5L25VE4D9A==}
-
-  spdx-exceptions@2.5.0:
-    resolution: {integrity: sha512-PiU42r+xO4UbUS1buo3LPJkjlO7430Xn5SVAhdpzzsPHsjbYVflnnFdATgabnLude+Cqu25p6N+g2lw/PFsa4w==}
-
-  spdx-expression-parse@3.0.1:
-    resolution: {integrity: sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==}
-
-  spdx-expression-validate@2.0.0:
-    resolution: {integrity: sha512-b3wydZLM+Tc6CFvaRDBOF9d76oGIHNCLYFeHbftFXUWjnfZWganmDmvtM5sm1cRwJc/VDBMLyGGrsLFd1vOxbg==}
-
-  spdx-license-ids@3.0.23:
-    resolution: {integrity: sha512-CWLcCCH7VLu13TgOH+r8p1O/Znwhqv/dbb6lqWy67G+pT1kHmeD/+V36AVb/vq8QMIQwVShJ6Ssl5FPh0fuSdw==}
-
-  spdx-ranges@2.1.1:
-    resolution: {integrity: sha512-mcdpQFV7UDAgLpXEE/jOMqvK4LBoO0uTQg0uvXUewmEFhpiZx5yJSZITHB8w1ZahKdhfZqP5GPEOKLyEq5p8XA==}
-
-  spdx-satisfies@5.0.1:
-    resolution: {integrity: sha512-Nwor6W6gzFp8XX4neaKQ7ChV4wmpSh2sSDemMFSzHxpTw460jxFYeOn+jq4ybnSSw/5sc3pjka9MQPouksQNpw==}
-
  spectral-cli-bundle@1.0.7:
    resolution: {integrity: sha512-vIUC0nwv9tYxWV1xHdR3CTVDOEEtLKaDCcQpARZgO0Db7VmSpSWJ4xrnVPNSmO59hBtGwW2CVzHf0OimJBaKAA==}
    engines: {node: '>=20'}
@@ -4256,10 +4068,6 @@ packages:
    resolution: {integrity: sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==}
    engines: {node: '>=0.10.0'}

-  wrap-ansi@10.0.0:
-    resolution: {integrity: sha512-SGcvg80f0wUy2/fXES19feHMz8E0JoXv2uNgHOu4Dgi2OrCy1lqwFYEJz1BLbDI0exjPMe/ZdzZ/YpGECBG/aQ==}
-    engines: {node: '>=20'}
-
  write-file-atomic@7.0.1:
    resolution: {integrity: sha512-OTIk8iR8/aCRWBqvxrzxR0hgxWpnYBblY1S5hDWBQfk/VFmJwzmJgQFN3WsoUKHISv2eAwe+PpbUzyL1CKTLXg==}
    engines: {node: ^20.17.0 || >=22.9.0}
@@ -5205,81 +5013,6 @@ snapshots:

  '@rolldown/pluginutils@1.0.0-rc.2': {}

-  '@rollup/rollup-android-arm-eabi@4.60.1':
-    optional: true
-
-  '@rollup/rollup-android-arm64@4.60.1':
-    optional: true
-
-  '@rollup/rollup-darwin-arm64@4.60.1':
-    optional: true
-
-  '@rollup/rollup-darwin-x64@4.60.1':
-    optional: true
-
-  '@rollup/rollup-freebsd-arm64@4.60.1':
-    optional: true
-
-  '@rollup/rollup-freebsd-x64@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-arm-gnueabihf@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-arm-musleabihf@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-arm64-gnu@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-arm64-musl@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-loong64-gnu@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-loong64-musl@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-ppc64-gnu@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-ppc64-musl@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-riscv64-gnu@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-riscv64-musl@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-s390x-gnu@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-x64-gnu@4.60.1':
-    optional: true
-
-  '@rollup/rollup-linux-x64-musl@4.60.1':
-    optional: true
-
-  '@rollup/rollup-openbsd-x64@4.60.1':
-    optional: true
-
-  '@rollup/rollup-openharmony-arm64@4.60.1':
-    optional: true
-
-  '@rollup/rollup-win32-arm64-msvc@4.60.1':
-    optional: true
-
-  '@rollup/rollup-win32-ia32-msvc@4.60.1':
-    optional: true
-
-  '@rollup/rollup-win32-x64-gnu@4.60.1':
-    optional: true
-
-  '@rollup/rollup-win32-x64-msvc@4.60.1':
-    optional: true
-
  '@rtsao/scc@1.1.0': {}

  '@scarf/scarf@1.4.0': {}
@@ -5925,8 +5658,6 @@ snapshots:
    dependencies:
      color-convert: 2.0.1

-  ansi-styles@6.2.3: {}
-
  ansi_up@6.0.6: {}

  any-promise@1.3.0: {}
@@ -5942,8 +5673,6 @@ snapshots:

  aria-query@5.3.2: {}

-  array-find-index@1.0.2: {}
-
  asciinema-player@3.15.1:
    dependencies:
      '@babel/runtime': 7.29.2
@@ -6112,8 +5841,6 @@ snapshots:

  comment-parser@1.4.6: {}

-  commenting@1.1.0: {}
-
  compare-versions@6.1.1: {}

  concat-map@0.0.1: {}
@@ -7556,8 +7283,6 @@ snapshots:
      pkg-types: 1.3.1
      ufo: 1.6.3

-  moment@2.30.1: {}
-
  moo@0.5.3: {}

  ms@2.1.3: {}
@@ -7627,8 +7352,6 @@ snapshots:

  package-manager-detector@1.6.0: {}

-  package-name-regex@2.0.6: {}
-
  parent-module@1.0.1:
    dependencies:
      callsites: 3.1.0
@@ -7815,6 +7538,8 @@ snapshots:

  robust-predicates@3.0.3: {}

+  rolldown-license-plugin@2.2.0: {}
+
  rolldown@1.0.0-rc.12(@emnapi/core@1.9.1)(@emnapi/runtime@1.9.1):
    dependencies:
      '@oxc-project/types': 0.122.0
@@ -7839,51 +7564,6 @@ snapshots:
      - '@emnapi/core'
      - '@emnapi/runtime'

-  rollup-plugin-license@3.7.0(picomatch@4.0.4)(rollup@4.60.1):
-    dependencies:
-      commenting: 1.1.0
-      fdir: 6.5.0(picomatch@4.0.4)
-      lodash: 4.17.23
-      magic-string: 0.30.21
-      moment: 2.30.1
-      package-name-regex: 2.0.6
-      rollup: 4.60.1
-      spdx-expression-validate: 2.0.0
-      spdx-satisfies: 5.0.1
-    transitivePeerDependencies:
-      - picomatch
-
-  rollup@4.60.1:
-    dependencies:
-      '@types/estree': 1.0.8
-    optionalDependencies:
-      '@rollup/rollup-android-arm-eabi': 4.60.1
-      '@rollup/rollup-android-arm64': 4.60.1
-      '@rollup/rollup-darwin-arm64': 4.60.1
-      '@rollup/rollup-darwin-x64': 4.60.1
-      '@rollup/rollup-freebsd-arm64': 4.60.1
-      '@rollup/rollup-freebsd-x64': 4.60.1
-      '@rollup/rollup-linux-arm-gnueabihf': 4.60.1
-      '@rollup/rollup-linux-arm-musleabihf': 4.60.1
-      '@rollup/rollup-linux-arm64-gnu': 4.60.1
-      '@rollup/rollup-linux-arm64-musl': 4.60.1
-      '@rollup/rollup-linux-loong64-gnu': 4.60.1
-      '@rollup/rollup-linux-loong64-musl': 4.60.1
-      '@rollup/rollup-linux-ppc64-gnu': 4.60.1
-      '@rollup/rollup-linux-ppc64-musl': 4.60.1
-      '@rollup/rollup-linux-riscv64-gnu': 4.60.1
-      '@rollup/rollup-linux-riscv64-musl': 4.60.1
-      '@rollup/rollup-linux-s390x-gnu': 4.60.1
-      '@rollup/rollup-linux-x64-gnu': 4.60.1
-      '@rollup/rollup-linux-x64-musl': 4.60.1
-      '@rollup/rollup-openbsd-x64': 4.60.1
-      '@rollup/rollup-openharmony-arm64': 4.60.1
-      '@rollup/rollup-win32-arm64-msvc': 4.60.1
-      '@rollup/rollup-win32-ia32-msvc': 4.60.1
-      '@rollup/rollup-win32-x64-gnu': 4.60.1
-      '@rollup/rollup-win32-x64-msvc': 4.60.1
-      fsevents: 2.3.3
-
  roughjs@4.6.6:
    dependencies:
      hachure-fill: 0.5.2
@@ -7958,33 +7638,6 @@ snapshots:

  source-map-js@1.2.1: {}

-  spdx-compare@1.0.0:
-    dependencies:
-      array-find-index: 1.0.2
-      spdx-expression-parse: 3.0.1
-      spdx-ranges: 2.1.1
-
-  spdx-exceptions@2.5.0: {}
-
-  spdx-expression-parse@3.0.1:
-    dependencies:
-      spdx-exceptions: 2.5.0
-      spdx-license-ids: 3.0.23
-
-  spdx-expression-validate@2.0.0:
-    dependencies:
-      spdx-expression-parse: 3.0.1
-
-  spdx-license-ids@3.0.23: {}
-
-  spdx-ranges@2.1.1: {}
-
-  spdx-satisfies@5.0.1:
-    dependencies:
-      spdx-compare: 1.0.0
-      spdx-expression-parse: 3.0.1
-      spdx-ranges: 2.1.1
-
  spectral-cli-bundle@1.0.7:
    optionalDependencies:
      fsevents: 2.3.3
@@ -8453,12 +8106,6 @@ snapshots:

  word-wrap@1.2.5: {}

-  wrap-ansi@10.0.0:
-    dependencies:
-      ansi-styles: 6.2.3
-      string-width: 8.2.0
-      strip-ansi: 7.2.0
-
  write-file-atomic@7.0.1:
    dependencies:
      signal-exit: 4.1.0
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@@ -27,6 +27,7 @@ import (
 	container_module "code.gitea.io/gitea/modules/packages/container"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"
+	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/routers/api/packages/helper"
 	auth_service "code.gitea.io/gitea/services/auth"
@@ -125,8 +126,15 @@ func APIUnauthorizedError(ctx *context.Context) {
 	// container registry requires that the "/v2" must be in the root, so the sub-path in AppURL should be removed
 	realmURL := httplib.GuessCurrentHostURL(ctx) + "/v2/token"
 	ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+realmURL+`",service="container_registry",scope="*"`)
-	// support apple container like: container registry login <gitea-host> -u
-	ctx.Resp.Header().Add("WWW-Authenticate", `Basic realm="Gitea Container Registry"`)
+
+	ownerName := ctx.PathParam("username")
+	owner, _ := user_model.GetUserByName(ctx, ownerName)
+	requireSignIn := owner != nil && owner.Visibility != structs.VisibleTypePublic
+	requireSignIn = requireSignIn || setting.Service.RequireSignInViewStrict
+	if requireSignIn {
+		// support apple container like: container registry login <gitea-host> -u
+		ctx.Resp.Header().Add("WWW-Authenticate", `Basic realm="Gitea Container Registry"`)
+	}
 	apiErrorDefined(ctx, errUnauthorized)
 }

--- a/routers/api/packages/rpm/rpm.go
+++ b/routers/api/packages/rpm/rpm.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"

@@ -220,30 +221,38 @@ func UploadPackageFile(ctx *context.Context) {
 func DownloadPackageFile(ctx *context.Context) {
 	name := ctx.PathParam("name")
 	version := ctx.PathParam("version")
+	architecture := ctx.PathParam("architecture")
+	group := ctx.PathParam("group")

-	s, u, pf, err := packages_service.OpenFileForDownloadByPackageNameAndVersion(
-		ctx,
-		&packages_service.PackageInfo{
-			Owner:       ctx.Package.Owner,
-			PackageType: packages_model.TypeRpm,
-			Name:        name,
-			Version:     version,
-		},
-		&packages_service.PackageFileInfo{
-			Filename:     fmt.Sprintf("%s-%s.%s.rpm", name, version, ctx.PathParam("architecture")),
-			CompositeKey: ctx.PathParam("group"),
-		},
-		ctx.Req.Method,
-	)
-	if err != nil {
-		if errors.Is(err, util.ErrNotExist) {
-			apiError(ctx, http.StatusNotFound, err)
-		} else {
-			apiError(ctx, http.StatusInternalServerError, err)
-		}
-		return
+	openForDownload := func(filename string) (io.ReadSeekCloser, *url.URL, *packages_model.PackageFile, error) {
+		return packages_service.OpenFileForDownloadByPackageNameAndVersion(
+			ctx,
+			&packages_service.PackageInfo{
+				Owner:       ctx.Package.Owner,
+				PackageType: packages_model.TypeRpm,
+				Name:        name,
+				Version:     version,
+			},
+			&packages_service.PackageFileInfo{
+				Filename:     filename,
+				CompositeKey: group,
+			},
+			ctx.Req.Method,
+		)
 	}

+	s, u, pf, err := openForDownload(fmt.Sprintf("%s-%s.%s.rpm", name, version, architecture))
+	if errors.Is(err, util.ErrNotExist) && architecture != "noarch" {
+		s, u, pf, err = openForDownload(fmt.Sprintf("%s-%s.%s.rpm", name, version, "noarch"))
+	}
+
+	if errors.Is(err, util.ErrNotExist) {
+		apiError(ctx, http.StatusNotFound, err)
+		return
+	} else if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
 	helper.ServePackageFile(ctx, s, u, pf)
 }

--- a/routers/api/packages/swift/swift.go
+++ b/routers/api/packages/swift/swift.go
@@ -198,6 +198,23 @@ func PackageVersionMetadata(ctx *context.Context) {
 	}

 	metadata := pd.Metadata.(*swift_module.Metadata)
+	repositoryURLs := make([]string, 0, len(pd.VersionProperties))
+	for _, property := range pd.VersionProperties {
+		if property.Name == swift_module.PropertyRepositoryURL {
+			repositoryURLs = append(repositoryURLs, property.Value)
+		}
+	}
+
+	var author *swift_module.Person
+	if metadata.Author.Name != "" || metadata.Author.GivenName != "" || metadata.Author.MiddleName != "" || metadata.Author.FamilyName != "" {
+		author = &swift_module.Person{
+			Type:       "Person",
+			Name:       metadata.Author.Name,
+			GivenName:  metadata.Author.GivenName,
+			MiddleName: metadata.Author.MiddleName,
+			FamilyName: metadata.Author.FamilyName,
+		}
+	}

 	setResponseHeaders(ctx.Resp, &headers{})

@@ -220,18 +237,14 @@ func PackageVersionMetadata(ctx *context.Context) {
 			Keywords:       metadata.Keywords,
 			CodeRepository: metadata.RepositoryURL,
 			License:        metadata.License,
+			LicenseURL:     metadata.LicenseURL,
+			Author:         author,
 			ProgrammingLanguage: swift_module.ProgrammingLanguage{
 				Type: "ComputerLanguage",
 				Name: "Swift",
 				URL:  "https://swift.org",
 			},
-			Author: swift_module.Person{
-				Type:       "Person",
-				Name:       metadata.Author.String(),
-				GivenName:  metadata.Author.GivenName,
-				MiddleName: metadata.Author.MiddleName,
-				FamilyName: metadata.Author.FamilyName,
-			},
+			RepositoryURLs: repositoryURLs,
 		},
 	})
 }
--- a/routers/api/v1/repo/compare.go
+++ b/routers/api/v1/repo/compare.go
@@ -62,13 +62,20 @@ func CompareDiff(ctx *context.APIContext) {

 	apiCommits := make([]*api.Commit, 0, len(compareInfo.Commits))
 	userCache := make(map[string]*user_model.User)
+
 	for i := 0; i < len(compareInfo.Commits); i++ {
-		apiCommit, err := convert.ToCommit(ctx, ctx.Repo.Repository, ctx.Repo.GitRepo, compareInfo.Commits[i], userCache,
+		apiCommit, err := convert.ToCommit(
+			ctx,
+			compareInfo.HeadRepo,
+			compareInfo.HeadGitRepo,
+			compareInfo.Commits[i],
+			userCache,
 			convert.ToCommitOptions{
 				Stat:         true,
 				Verification: verification,
 				Files:        files,
-			})
+			},
+		)
 		if err != nil {
 			ctx.APIErrorInternal(err)
 			return
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -22,6 +22,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/git/gitcmd"
 	"code.gitea.io/gitea/modules/gitrepo"
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
@@ -1429,7 +1430,11 @@ func GetPullRequestCommits(ctx *context.APIContext) {
 	} else {
 		compareInfo, err = git_service.GetCompareInfo(ctx, pr.BaseRepo, pr.BaseRepo, baseGitRepo, git.RefNameFromBranch(pr.BaseBranch), git.RefName(pr.GetGitHeadRefName()), false, false)
 	}
-	if err != nil {
+
+	if gitcmd.StderrHasPrefix(err, "fatal: bad revision") {
+		ctx.APIError(http.StatusNotFound, "invalid base branch or revision")
+		return
+	} else if err != nil {
 		ctx.APIErrorInternal(err)
 		return
 	}
--- a/routers/common/redirect.go
+++ b/routers/common/redirect.go
@@ -16,11 +16,12 @@ func FetchRedirectDelegate(resp http.ResponseWriter, req *http.Request) {
 	// 2. when use "window.reload()", the hash is not respected, the newly loaded page won't scroll to the hash target.
 	// The typical page is "issue comment" page. The backend responds "/owner/repo/issues/1#comment-2",
 	// then frontend needs this delegate to redirect to the new location with hash correctly.
-	redirect := req.PostFormValue("redirect")
-	if !httplib.IsCurrentGiteaSiteURL(req.Context(), redirect) {
-		resp.WriteHeader(http.StatusBadRequest)
+	redirect := req.FormValue("redirect")
+	if req.Method != http.MethodPost || !httplib.IsCurrentGiteaSiteURL(req.Context(), redirect) {
+		http.Error(resp, "Bad Request", http.StatusBadRequest)
 		return
 	}
-	resp.Header().Add("Location", redirect)
+	// no OpenRedirect, the "redirect" is validated by "IsCurrentGiteaSiteURL" above
+	resp.Header().Set("Location", redirect)
 	resp.WriteHeader(http.StatusSeeOther)
 }
--- a/routers/common/redirect_test.go
+++ b/routers/common/redirect_test.go
@@ -0,0 +1,48 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFetchRedirectDelegate(t *testing.T) {
+	defer test.MockVariableValue(&setting.AppURL, "https://gitea/")()
+
+	cases := []struct {
+		method string
+		input  string
+		status int
+	}{
+		{method: "POST", input: "/foo?k=v", status: http.StatusSeeOther},
+		{method: "GET", input: "/foo?k=v", status: http.StatusBadRequest},
+		{method: "POST", input: `\/foo?k=v`, status: http.StatusBadRequest},
+		{method: "POST", input: `\\/foo?k=v`, status: http.StatusBadRequest},
+		{method: "POST", input: "https://gitea/xxx", status: http.StatusSeeOther},
+		{method: "POST", input: "https://other/xxx", status: http.StatusBadRequest},
+	}
+	for _, c := range cases {
+		t.Run(c.method+" "+c.input, func(t *testing.T) {
+			resp := httptest.NewRecorder()
+			req := httptest.NewRequest(c.method, "/?redirect="+url.QueryEscape(c.input), nil)
+			FetchRedirectDelegate(resp, req)
+			assert.Equal(t, c.status, resp.Code)
+			if c.status == http.StatusSeeOther {
+				assert.Equal(t, c.input, resp.Header().Get("Location"))
+			} else {
+				assert.Empty(t, resp.Header().Get("Location"))
+				assert.Equal(t, "Bad Request", strings.TrimSpace(resp.Body.String()))
+			}
+		})
+	}
+}
--- a/routers/install/install.go
+++ b/routers/install/install.go
@@ -26,7 +26,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/timeutil"
-	"code.gitea.io/gitea/modules/user"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/routers/common"
@@ -87,15 +86,7 @@ func Install(ctx *context.Context) {
 	form.AppName = setting.AppName
 	form.RepoRootPath = setting.RepoRootPath
 	form.LFSRootPath = setting.LFS.Storage.Path
-
-	// Note(unknown): it's hard for Windows users change a running user,
-	// 	so just use current one if config says default.
-	if setting.IsWindows && setting.RunUser == "git" {
-		form.RunUser = user.CurrentUsername()
-	} else {
-		form.RunUser = setting.RunUser
-	}
-
+	form.RunUser = setting.RunUser
 	form.Domain = setting.Domain
 	form.SSHPort = setting.SSH.Port
 	form.HTTPPort = setting.HTTPPort
@@ -272,13 +263,6 @@ func SubmitInstall(ctx *context.Context) {
 		return
 	}

-	currentUser, match := setting.IsRunUserMatchCurrentUser(form.RunUser)
-	if !match {
-		ctx.Data["Err_RunUser"] = true
-		ctx.RenderWithErrDeprecated(ctx.Tr("install.run_user_not_match", form.RunUser, currentUser), tplInstall, &form)
-		return
-	}
-
 	// Check logic loophole between disable self-registration and no admin account.
 	if form.DisableRegistration && len(form.AdminName) == 0 {
 		ctx.Data["Err_Services"] = true
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -230,7 +230,7 @@ func performAutoLoginOAuth2(ctx *context.Context, data *preparedSignInData) bool
 		return false
 	}

-	skipToOAuthURL := setting.AppSubURL + "/user/oauth2/" + url.QueryEscape(data.oauth2Providers[0].DisplayName())
+	skipToOAuthURL := setting.AppSubURL + "/user/oauth2/" + url.PathEscape(data.oauth2Providers[0].DisplayName())
 	if redirectTo := ctx.FormString("redirect_to"); redirectTo != "" {
 		skipToOAuthURL += "?redirect_to=" + url.QueryEscape(redirectTo)
 	}
@@ -493,12 +493,17 @@ func SignOut(ctx *context.Context) {
 }

 func buildSignOutRedirectURL(ctx *context.Context) string {
-	// TODO: can also support REVERSE_PROXY_AUTHENTICATION logout URL in the future
 	if ctx.Doer != nil && ctx.Doer.LoginType == auth.OAuth2 {
 		if s := buildOIDCEndSessionURL(ctx, ctx.Doer); s != "" {
 			return s
 		}
 	}
+
+	// The assumption is: if reverse proxy auth is enabled, then the users should only sign-in via reverse proxy auth.
+	// TODO: in the future, if we need to distinguish different sign-in methods, we need to save the sign-in method in session and check here
+	if setting.Service.EnableReverseProxyAuth && setting.ReverseProxyLogoutRedirect != "" {
+		return setting.ReverseProxyLogoutRedirect
+	}
 	return setting.AppSubURL + "/"
 }

--- a/routers/web/auth/auth_test.go
+++ b/routers/web/auth/auth_test.go
@@ -4,6 +4,7 @@
 package auth

 import (
+	"html/template"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -67,15 +68,15 @@ func TestWebAuthOAuth2(t *testing.T) {
 	defer test.MockVariableValue(&setting.OAuth2Client.EnableAutoRegistration, true)()

 	_ = oauth2.Init(t.Context())
-	addOAuth2Source(t, "dummy-auth-source", oauth2.Source{})
+	addOAuth2Source(t, "dummy+auth's source", oauth2.Source{})

 	t.Run("OAuth2MissingField", func(t *testing.T) {
 		defer test.MockVariableValue(&gothic.CompleteUserAuth, func(res http.ResponseWriter, req *http.Request) (goth.User, error) {
-			return goth.User{Provider: "dummy-auth-source", UserID: "dummy-user"}, nil
+			return goth.User{Provider: "dummy+auth's source", UserID: "dummy-user"}, nil
 		})()
 		mockOpt := contexttest.MockContextOption{SessionStore: session.NewMockMemStore("dummy-sid")}
-		ctx, resp := contexttest.MockContext(t, "/user/oauth2/dummy-auth-source/callback?code=dummy-code", mockOpt)
-		ctx.SetPathParam("provider", "dummy-auth-source")
+		ctx, resp := contexttest.MockContext(t, "/user/oauth2/..../callback?code=dummy-code", mockOpt)
+		ctx.SetPathParamRaw("provider", "dummy+auth%27s%20source")
 		SignInOAuthCallback(ctx)
 		assert.Equal(t, http.StatusSeeOther, resp.Code)
 		assert.Equal(t, "/user/link_account", test.RedirectURL(resp))
@@ -83,13 +84,13 @@ func TestWebAuthOAuth2(t *testing.T) {
 		// then the user will be redirected to the link account page, and see a message about the missing fields
 		ctx, _ = contexttest.MockContext(t, "/user/link_account", mockOpt)
 		LinkAccount(ctx)
-		assert.EqualValues(t, "auth.oauth_callback_unable_auto_reg:dummy-auth-source,email", ctx.Data["AutoRegistrationFailedPrompt"])
+		assert.Equal(t, template.HTML("auth.oauth_callback_unable_auto_reg:dummy+auth&#39;s source,email"), ctx.Data["AutoRegistrationFailedPrompt"])
 	})

 	t.Run("OAuth2CallbackError", func(t *testing.T) {
 		mockOpt := contexttest.MockContextOption{SessionStore: session.NewMockMemStore("dummy-sid")}
-		ctx, resp := contexttest.MockContext(t, "/user/oauth2/dummy-auth-source/callback", mockOpt)
-		ctx.SetPathParam("provider", "dummy-auth-source")
+		ctx, resp := contexttest.MockContext(t, "/user/oauth2/...../callback", mockOpt)
+		ctx.SetPathParamRaw("provider", "dummy+auth%27s%20source")
 		SignInOAuthCallback(ctx)
 		assert.Equal(t, http.StatusSeeOther, resp.Code)
 		assert.Equal(t, "/user/login", test.RedirectURL(resp))
@@ -112,8 +113,8 @@ func TestWebAuthOAuth2(t *testing.T) {
 				assert.Equal(t, expectedRedirect, test.RedirectURL(resp))
 			}
 		}
-		testSignIn(t, "/user/login", http.StatusSeeOther, "/user/oauth2/dummy-auth-source")
-		testSignIn(t, "/user/login?redirect_to=/", http.StatusSeeOther, "/user/oauth2/dummy-auth-source?redirect_to=%2F")
+		testSignIn(t, "/user/login", http.StatusSeeOther, "/user/oauth2/dummy+auth%27s%20source")
+		testSignIn(t, "/user/login?redirect_to=/", http.StatusSeeOther, "/user/oauth2/dummy+auth%27s%20source?redirect_to=%2F")

 		*enablePassword, *enableOpenID, *enablePasskey = true, false, false
 		testSignIn(t, "/user/login", http.StatusOK, "")
--- a/routers/web/org/projects.go
+++ b/routers/web/org/projects.go
@@ -11,7 +11,6 @@ import (

 	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
-	org_model "code.gitea.io/gitea/models/organization"
 	project_model "code.gitea.io/gitea/models/project"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
@@ -459,9 +458,9 @@ func ViewProject(ctx *context.Context) {
 	ctx.Data["MilestoneID"] = milestoneID

 	// Get assignees.
-	assigneeUsers, err := org_model.GetOrgAssignees(ctx, project.OwnerID)
+	assigneeUsers, err := project_service.LoadIssuesAssigneesForProject(ctx, issuesMap)
 	if err != nil {
-		ctx.ServerError("GetRepoAssignees", err)
+		ctx.ServerError("LoadIssuesAssigneesForProject", err)
 		return
 	}
 	ctx.Data["Assignees"] = shared_user.MakeSelfOnTop(ctx.Doer, assigneeUsers)
--- a/routers/web/repo/actions/actions.go
+++ b/routers/web/repo/actions/actions.go
@@ -151,6 +151,11 @@ func prepareWorkflowTemplate(ctx *context.Context, commit *git.Commit) (workflow
 			workflows = append(workflows, workflow)
 			continue
 		}
+		if err := actions.ValidateWorkflowContent(content); err != nil {
+			workflow.ErrMsg = ctx.Locale.TrString("actions.runs.invalid_workflow_helper", err.Error())
+			workflows = append(workflows, workflow)
+			continue
+		}
 		workflow.Workflow = wf
 		// The workflow must contain at least one job without "needs". Otherwise, a deadlock will occur and no jobs will be able to run.
 		hasJobWithoutNeeds := false
@@ -315,6 +320,10 @@ func prepareWorkflowList(ctx *context.Context, workflows []WorkflowInfo) {
 			if !job.Status.IsWaiting() {
 				continue
 			}
+			if err := actions.ValidateWorkflowContent(job.WorkflowPayload); err != nil {
+				runErrors[run.ID] = ctx.Locale.TrString("actions.runs.invalid_workflow_helper", err.Error())
+				break
+			}
 			hasOnlineRunner := false
 			for _, runner := range runners {
 				if !runner.IsDisabled && runner.CanMatchLabels(job.RunsOn) {
--- a/routers/web/repo/render.go
+++ b/routers/web/repo/render.go
@@ -43,7 +43,8 @@ func RenderFile(ctx *context.Context) {
 		CurrentRefPath:  ctx.Repo.RefTypeNameSubURL(),
 		CurrentTreePath: path.Dir(ctx.Repo.TreePath),
 	}).WithRelativePath(ctx.Repo.TreePath).WithStandalonePage(markup.StandalonePageOptions{
-		CurrentWebTheme: ctx.TemplateContext.CurrentWebTheme(),
+		CurrentWebTheme:   ctx.TemplateContext.CurrentWebTheme(),
+		RenderQueryString: ctx.Req.URL.RawQuery,
 	})
 	renderer, rendererInput, err := rctx.DetectMarkupRendererByReader(blobReader)
 	if err != nil {
--- a/routers/web/repo/setting/webhook.go
+++ b/routers/web/repo/setting/webhook.go
@@ -450,12 +450,21 @@ func MatrixHooksEditPost(ctx *context.Context) {
 	editWebhook(ctx, matrixHookParams(ctx))
 }

+func matrixRoomIDEncode(roomID string) string {
+	// See https://spec.matrix.org/latest/appendices/#room-ids
+	// Some (unrelated) demo links: https://spec.matrix.org/latest/appendices/#matrixto-navigation
+	// API spec: https://spec.matrix.org/v1.18/client-server-api/#sending-events-to-a-room
+	// Some of their examples show links like: "PUT /rooms/!roomid:domain/state/m.example.event"
+	return strings.NewReplacer("%21", "!", "%3A", ":").Replace(url.PathEscape(roomID))
+}
+
 func matrixHookParams(ctx *context.Context) webhookParams {
 	form := web.GetForm(ctx).(*forms.NewMatrixHookForm)

+	// TODO: need to migrate to the latest (v3) API: https://spec.matrix.org/v1.18/client-server-api/
 	return webhookParams{
 		Type:        webhook_module.MATRIX,
-		URL:         fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message", form.HomeserverURL, url.PathEscape(form.RoomID)),
+		URL:         fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message", form.HomeserverURL, matrixRoomIDEncode(form.RoomID)),
 		ContentType: webhook.ContentTypeJSON,
 		HTTPMethod:  http.MethodPut,
 		WebhookForm: form.WebhookForm,
--- a/routers/web/repo/setting/webhook_test.go
+++ b/routers/web/repo/setting/webhook_test.go
@@ -0,0 +1,15 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestWebhookMatrix(t *testing.T) {
+	assert.Equal(t, "!roomid:domain", matrixRoomIDEncode("!roomid:domain"))
+	assert.Equal(t, "!room%23id:domain", matrixRoomIDEncode("!room#id:domain")) // maybe it should never really happen in real world
+}
--- a/routers/web/repo/view_file.go
+++ b/routers/web/repo/view_file.go
@@ -21,12 +21,11 @@ import (
 	"code.gitea.io/gitea/modules/git/attribute"
 	"code.gitea.io/gitea/modules/highlight"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/context"
 	issue_service "code.gitea.io/gitea/services/issue"
-
-	"github.com/nektos/act/pkg/model"
 )

 func prepareLatestCommitInfo(ctx *context.Context) bool {
@@ -78,14 +77,17 @@ func handleFileViewRenderMarkup(ctx *context.Context, prefetchBuf []byte, utf8Re
 		return false
 	}

-	ctx.Data["MarkupType"] = rctx.RenderOptions.MarkupType
-
 	var err error
 	ctx.Data["EscapeStatus"], ctx.Data["FileContent"], err = markupRenderToHTML(ctx, rctx, renderer, utf8Reader)
 	if err != nil {
 		ctx.ServerError("Render", err)
 		return true
 	}
+
+	opts, ok := markup.GetExternalRendererOptions(renderer)
+	usingIframe := ok && opts.DisplayInIframe
+	ctx.Data["MarkupType"] = rctx.RenderOptions.MarkupType
+	ctx.Data["RenderAsMarkup"] = util.Iif(usingIframe, "markup-iframe", "markup-inplace")
 	return true
 }

@@ -184,8 +186,7 @@ func prepareFileView(ctx *context.Context, entry *git.TreeEntry) {
 		if err != nil {
 			log.Error("actions.GetContentFromEntry: %v", err)
 		}
-		_, workFlowErr := model.ReadWorkflow(bytes.NewReader(content))
-		if workFlowErr != nil {
+		if workFlowErr := actions.ValidateWorkflowContent(content); workFlowErr != nil {
 			ctx.Data["FileError"] = ctx.Locale.Tr("actions.runs.invalid_workflow_helper", workFlowErr.Error())
 		}
 	} else if issue_service.IsCodeOwnerFile(ctx.Repo.TreePath) {
@@ -238,8 +239,6 @@ func prepareFileView(ctx *context.Context, entry *git.TreeEntry) {
 	case fInfo.blobOrLfsSize >= setting.UI.MaxDisplayFileSize:
 		ctx.Data["IsFileTooLarge"] = true
 	case handleFileViewRenderMarkup(ctx, buf, contentReader):
-		// it also sets ctx.Data["FileContent"] and more
-		ctx.Data["IsMarkup"] = true
 	case handleFileViewRenderSource(ctx, attrs, fInfo, contentReader):
 		// it also sets ctx.Data["FileContent"] and more
 		ctx.Data["IsDisplayingSource"] = true
--- a/routers/web/repo/view_readme.go
+++ b/routers/web/repo/view_readme.go
@@ -195,16 +195,16 @@ func prepareToRenderReadmeFile(ctx *context.Context, subfolder string, readmeFil
 	}).WithRelativePath(readmeFullPath)
 	renderer := rctx.DetectMarkupRenderer(buf)
 	if renderer != nil {
-		ctx.Data["IsMarkup"] = true
+		ctx.Data["RenderAsMarkup"] = "markup-inplace"
 		ctx.Data["MarkupType"] = rctx.RenderOptions.MarkupType
 		ctx.Data["EscapeStatus"], ctx.Data["FileContent"], err = markupRenderToHTML(ctx, rctx, renderer, rd)
 		if err != nil {
 			log.Error("Render failed for %s in %-v: %v Falling back to rendering source", readmeFile.Name(), ctx.Repo.Repository, err)
-			delete(ctx.Data, "IsMarkup")
+			delete(ctx.Data, "RenderAsMarkup")
 		}
 	}

-	if ctx.Data["IsMarkup"] != true {
+	if ctx.Data["RenderAsMarkup"] == nil {
 		ctx.Data["IsPlainText"] = true
 		content, err := io.ReadAll(rd)
 		if err != nil {
--- a/routers/web/shared/secrets/secrets.go
+++ b/routers/web/shared/secrets/secrets.go
@@ -29,7 +29,7 @@ func SetSecretsContext(ctx *context.Context, ownerID, repoID int64) {
 func PerformSecretsPost(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	form := web.GetForm(ctx).(*forms.AddSecretForm)

-	s, _, err := secret_service.CreateOrUpdateSecret(ctx, ownerID, repoID, form.Name, util.ReserveLineBreakForTextarea(form.Data), form.Description)
+	s, _, err := secret_service.CreateOrUpdateSecret(ctx, ownerID, repoID, form.Name, util.NormalizeStringEOL(form.Data), form.Description)
 	if err != nil {
 		log.Error("CreateOrUpdateSecret failed: %v", err)
 		ctx.JSONError(ctx.Tr("secrets.save_failed"))
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -655,6 +655,9 @@ func ShowSSHKeys(ctx *context.Context) {
 	// "authorized_keys" file format: "#" followed by comment line per key
 	buf.WriteString("# Gitea isn't a key server. The keys are exported as the user uploaded and might not have been fully verified.\n")
 	for i := range keys {
+		if keys[i].Type == asymkey_model.KeyTypePrincipal {
+			continue // SSH principal keys are not for signing or authentication
+		}
 		buf.WriteString(keys[i].OmitEmail())
 		buf.WriteString("\n")
 	}
--- a/services/actions/commit_status.go
+++ b/services/actions/commit_status.go
@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"path"
-	"strconv"
 	"strings"

 	actions_model "code.gitea.io/gitea/models/actions"
@@ -143,57 +142,59 @@ func createCommitStatus(ctx context.Context, repo *repo_model.Repository, event,
 	if wfs, err := jobparser.Parse(job.WorkflowPayload); err == nil && len(wfs) > 0 {
 		runName = wfs[0].Name
 	}
-	ctxName := fmt.Sprintf("%s / %s (%s)", runName, job.Name, event)
-	ctxName = strings.TrimSpace(ctxName) // git_model.NewCommitStatus also trims spaces
+	ctxName := strings.TrimSpace(fmt.Sprintf("%s / %s (%s)", runName, job.Name, event)) // git_model.NewCommitStatus also trims spaces
 	state := toCommitStatus(job.Status)
-	if statuses, err := git_model.GetLatestCommitStatus(ctx, repo.ID, commitID, db.ListOptionsAll); err == nil {
-		for _, v := range statuses {
-			if v.Context == ctxName {
-				if v.State == state {
-					// no need to update
-					return nil
-				}
-				break
-			}
-		}
-	} else {
+	targetURL := fmt.Sprintf("%s/jobs/%d", run.Link(), job.ID)
+	description := toCommitStatusDescription(job)
+
+	statuses, err := git_model.GetLatestCommitStatus(ctx, repo.ID, commitID, db.ListOptionsAll)
+	if err != nil {
 		return fmt.Errorf("GetLatestCommitStatus: %w", err)
 	}
-
-	var description string
-	switch job.Status {
-	// TODO: if we want support description in different languages, we need to support i18n placeholders in it
-	case actions_model.StatusSuccess:
-		description = fmt.Sprintf("Successful in %s", job.Duration())
-	case actions_model.StatusFailure:
-		description = fmt.Sprintf("Failing after %s", job.Duration())
-	case actions_model.StatusCancelled:
-		description = "Has been cancelled"
-	case actions_model.StatusSkipped:
-		description = "Has been skipped"
-	case actions_model.StatusRunning:
-		description = "Has started running"
-	case actions_model.StatusWaiting:
-		description = "Waiting to run"
-	case actions_model.StatusBlocked:
-		description = "Blocked by required conditions"
-	default:
-		description = "Unknown status: " + strconv.Itoa(int(job.Status))
+	for _, v := range statuses {
+		if v.Context == ctxName {
+			if v.State == state && v.TargetURL == targetURL && v.Description == description {
+				return nil
+			}
+			break
+		}
 	}

 	creator := user_model.NewActionsUser()
 	status := git_model.CommitStatus{
 		SHA:         commitID,
-		TargetURL:   fmt.Sprintf("%s/jobs/%d", run.Link(), job.ID),
+		TargetURL:   targetURL,
 		Description: description,
 		Context:     ctxName,
-		CreatorID:   creator.ID,
 		State:       state,
+		CreatorID:   creator.ID,
 	}

 	return commitstatus_service.CreateCommitStatus(ctx, repo, creator, commitID, &status)
 }

+func toCommitStatusDescription(job *actions_model.ActionRunJob) string {
+	switch job.Status {
+	// TODO: if we want support description in different languages, we need to support i18n placeholders in it
+	case actions_model.StatusSuccess:
+		return fmt.Sprintf("Successful in %s", job.Duration())
+	case actions_model.StatusFailure:
+		return fmt.Sprintf("Failing after %s", job.Duration())
+	case actions_model.StatusCancelled:
+		return "Has been cancelled"
+	case actions_model.StatusSkipped:
+		return "Has been skipped"
+	case actions_model.StatusRunning:
+		return "Has started running"
+	case actions_model.StatusWaiting:
+		return "Waiting to run"
+	case actions_model.StatusBlocked:
+		return "Blocked by required conditions"
+	default:
+		return fmt.Sprintf("Unknown status: %d", job.Status)
+	}
+}
+
 func toCommitStatus(status actions_model.Status) commitstatus.CommitStatusState {
 	switch status {
 	case actions_model.StatusSuccess:
--- a/services/actions/commit_status_test.go
+++ b/services/actions/commit_status_test.go
@@ -0,0 +1,88 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	"code.gitea.io/gitea/models/db"
+	git_model "code.gitea.io/gitea/models/git"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/commitstatus"
+	"code.gitea.io/gitea/modules/gitrepo"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateCommitStatus_Dedupe(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+	require.NoError(t, err)
+	defer gitRepo.Close()
+
+	commit, err := gitRepo.GetBranchCommit(repo.DefaultBranch)
+	require.NoError(t, err)
+
+	run := &actions_model.ActionRun{
+		ID:         99001,
+		RepoID:     repo.ID,
+		Repo:       repo,
+		WorkflowID: "status-dedupe-test.yaml",
+	}
+	job := &actions_model.ActionRunJob{
+		ID:     99002,
+		RunID:  run.ID,
+		RepoID: repo.ID,
+		Name:   "status-dedupe-job",
+		Status: actions_model.StatusWaiting,
+	}
+
+	expectedContext := "status-dedupe-test.yaml / status-dedupe-job (push)"
+	expectedTargetURL := run.Link() + "/jobs/99002"
+
+	require.NoError(t, createCommitStatus(t.Context(), repo, "push", commit.ID.String(), run, job))
+
+	statuses := findCommitStatusesForContext(t, repo.ID, commit.ID.String(), expectedContext)
+	require.Len(t, statuses, 1)
+	assert.Equal(t, commitstatus.CommitStatusPending, statuses[0].State)
+	assert.Equal(t, "Waiting to run", statuses[0].Description)
+	assert.Equal(t, expectedTargetURL, statuses[0].TargetURL)
+
+	job.Status = actions_model.StatusRunning
+	require.NoError(t, createCommitStatus(t.Context(), repo, "push", commit.ID.String(), run, job))
+
+	statuses = findCommitStatusesForContext(t, repo.ID, commit.ID.String(), expectedContext)
+	require.Len(t, statuses, 2)
+	assert.Equal(t, "Waiting to run", statuses[0].Description)
+	assert.Equal(t, commitstatus.CommitStatusPending, statuses[1].State)
+	assert.Equal(t, "Has started running", statuses[1].Description)
+	assert.Equal(t, expectedTargetURL, statuses[1].TargetURL)
+
+	require.NoError(t, createCommitStatus(t.Context(), repo, "push", commit.ID.String(), run, job))
+	statuses = findCommitStatusesForContext(t, repo.ID, commit.ID.String(), expectedContext)
+	assert.Len(t, statuses, 2)
+
+	job.Status = actions_model.StatusSuccess
+	require.NoError(t, createCommitStatus(t.Context(), repo, "push", commit.ID.String(), run, job))
+	statuses = findCommitStatusesForContext(t, repo.ID, commit.ID.String(), expectedContext)
+	require.Len(t, statuses, 3)
+	assert.Equal(t, commitstatus.CommitStatusSuccess, statuses[2].State)
+}
+
+func findCommitStatusesForContext(t *testing.T, repoID int64, sha, context string) []*git_model.CommitStatus {
+	t.Helper()
+
+	var statuses []*git_model.CommitStatus
+	err := db.GetEngine(t.Context()).
+		Where("repo_id = ? AND sha = ? AND context = ?", repoID, sha, context).
+		Asc("`index`").
+		Find(&statuses)
+	require.NoError(t, err)
+	return statuses
+}
--- a/services/actions/context.go
+++ b/services/actions/context.go
@@ -73,7 +73,7 @@ func GenerateGiteaContext(run *actions_model.ActionRun, job *actions_model.Actio
 		"repository_owner":  run.Repo.OwnerName,                       // string, The repository owner's name. For example, Codertocat.
 		"repositoryUrl":     run.Repo.HTMLURL(),                       // string, The Git URL to the repository. For example, git://github.com/codertocat/hello-world.git.
 		"retention_days":    "",                                       // string, The number of days that workflow run logs and artifacts are kept.
-		"run_id":            "",                                       // string, A unique number for each workflow run within a repository. This number does not change if you re-run the workflow run.
+		"run_id":            strconv.FormatInt(run.ID, 10),            // string, A unique number for each workflow run within a repository. This number does not change if you re-run the workflow run.
 		"run_number":        strconv.FormatInt(run.Index, 10),         // string, A unique number for each run of a particular workflow in a repository. This number begins at 1 for the workflow's first run, and increments with each new run. This number does not change if you re-run the workflow run.
 		"run_attempt":       "",                                       // string, A unique number for each attempt of a particular workflow run in a repository. This number begins at 1 for the workflow run's first attempt, and increments with each re-run.
 		"secret_source":     "Actions",                                // string, The source of a secret used in a workflow. Possible values are None, Actions, Dependabot, or Codespaces.
--- a/services/actions/context_test.go
+++ b/services/actions/context_test.go
@@ -4,14 +4,86 @@
 package actions

 import (
+	"strconv"
 	"testing"

 	actions_model "code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/unittest"

+	act_model "github.com/nektos/act/pkg/model"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

+func TestEvaluateRunConcurrency_RunIDFallback(t *testing.T) {
+	// Unit-level check that EvaluateRunConcurrencyFillModel resolves
+	// github.run_id from run.ID. The full-flow regression — that run.ID is
+	// non-zero by the time evaluation happens — is in
+	// TestPrepareRunAndInsert_ExpressionsSeeRunID.
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	ctx := t.Context()
+
+	runA := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 791})
+	runB := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 792})
+
+	expr := &act_model.RawConcurrency{
+		Group:            "${{ github.workflow }}-${{ github.head_ref || github.run_id }}",
+		CancelInProgress: "true",
+	}
+
+	assert.NoError(t, EvaluateRunConcurrencyFillModel(ctx, runA, expr, nil, nil))
+	assert.NoError(t, EvaluateRunConcurrencyFillModel(ctx, runB, expr, nil, nil))
+
+	assert.Contains(t, runA.ConcurrencyGroup, "791")
+	assert.Contains(t, runB.ConcurrencyGroup, "792")
+	assert.NotEqual(t, runA.ConcurrencyGroup, runB.ConcurrencyGroup)
+}
+
+func TestPrepareRunAndInsert_ExpressionsSeeRunID(t *testing.T) {
+	// Regression for the cross-branch concurrency leak: github.run_id must
+	// be available during BOTH jobparser.Parse (run-name) and workflow-level
+	// concurrency evaluation. Re-ordering db.Insert relative to either step
+	// would leave run.ID at 0 and break this test.
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	ctx := t.Context()
+
+	content := []byte(`name: cross-branch
+run-name: "Run ${{ github.run_id }}"
+on: push
+concurrency:
+  group: group-${{ github.run_id }}
+  cancel-in-progress: true
+jobs:
+  hello:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo hi
+`)
+
+	run := &actions_model.ActionRun{
+		Title:         "before parse",
+		RepoID:        4,
+		OwnerID:       1,
+		WorkflowID:    "expr-runid.yaml",
+		TriggerUserID: 1,
+		Ref:           "refs/heads/master",
+		CommitSHA:     "c2d72f548424103f01ee1dc02889c1e2bff816b0",
+		Event:         "push",
+		TriggerEvent:  "push",
+		EventPayload:  "{}",
+	}
+	require.NoError(t, PrepareRunAndInsert(ctx, content, run, nil))
+	require.Positive(t, run.ID)
+
+	persisted := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+	runIDStr := strconv.FormatInt(run.ID, 10)
+	assert.Equal(t, "Run "+runIDStr, persisted.Title)
+	assert.Equal(t, "group-"+runIDStr, persisted.ConcurrencyGroup)
+	// Rerun reads raw_concurrency from the DB to re-evaluate the group;
+	// see services/actions/rerun.go. Must survive the insert.
+	assert.NotEmpty(t, persisted.RawConcurrency)
+}
+
 func TestFindTaskNeeds(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

--- a/services/actions/job_emitter.go
+++ b/services/actions/job_emitter.go
@@ -151,21 +151,28 @@ func findBlockedRunByConcurrency(ctx context.Context, repoID int64, concurrencyG
 func checkRunConcurrency(ctx context.Context, run *actions_model.ActionRun) (jobs, updatedJobs []*actions_model.ActionRunJob, err error) {
 	checkedConcurrencyGroup := make(container.Set[string])

-	// check run (workflow-level) concurrency
-	if run.ConcurrencyGroup != "" {
-		concurrentRun, err := findBlockedRunByConcurrency(ctx, run.RepoID, run.ConcurrencyGroup)
+	collect := func(concurrencyGroup string) error {
+		concurrentRun, err := findBlockedRunByConcurrency(ctx, run.RepoID, concurrencyGroup)
 		if err != nil {
-			return nil, nil, fmt.Errorf("find blocked run by concurrency: %w", err)
+			return fmt.Errorf("find blocked run by concurrency: %w", err)
 		}
 		if concurrentRun != nil && !concurrentRun.NeedApproval {
 			js, ujs, err := checkJobsOfRun(ctx, concurrentRun)
 			if err != nil {
-				return nil, nil, err
+				return err
 			}
 			jobs = append(jobs, js...)
 			updatedJobs = append(updatedJobs, ujs...)
 		}
-		checkedConcurrencyGroup.Add(run.ConcurrencyGroup)
+		checkedConcurrencyGroup.Add(concurrencyGroup)
+		return nil
+	}
+
+	// check run (workflow-level) concurrency
+	if run.ConcurrencyGroup != "" {
+		if err := collect(run.ConcurrencyGroup); err != nil {
+			return nil, nil, err
+		}
 	}

 	// check job concurrency
@@ -177,22 +184,12 @@ func checkRunConcurrency(ctx context.Context, run *actions_model.ActionRun) (job
 		if !job.Status.IsDone() {
 			continue
 		}
-		if job.ConcurrencyGroup == "" && checkedConcurrencyGroup.Contains(job.ConcurrencyGroup) {
+		if job.ConcurrencyGroup == "" || checkedConcurrencyGroup.Contains(job.ConcurrencyGroup) {
 			continue
 		}
-		concurrentRun, err := findBlockedRunByConcurrency(ctx, job.RepoID, job.ConcurrencyGroup)
-		if err != nil {
-			return nil, nil, fmt.Errorf("find blocked run by concurrency: %w", err)
+		if err := collect(job.ConcurrencyGroup); err != nil {
+			return nil, nil, err
 		}
-		if concurrentRun != nil && !concurrentRun.NeedApproval {
-			js, ujs, err := checkJobsOfRun(ctx, concurrentRun)
-			if err != nil {
-				return nil, nil, err
-			}
-			jobs = append(jobs, js...)
-			updatedJobs = append(updatedJobs, ujs...)
-		}
-		checkedConcurrencyGroup.Add(job.ConcurrencyGroup)
 	}
 	return jobs, updatedJobs, nil
 }
--- a/services/actions/job_emitter_test.go
+++ b/services/actions/job_emitter_test.go
@@ -7,6 +7,8 @@ import (
 	"testing"

 	actions_model "code.gitea.io/gitea/models/actions"
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"

 	"github.com/stretchr/testify/assert"
 )
@@ -134,3 +136,68 @@ jobs:
 		})
 	}
 }
+
+// Test_checkRunConcurrency_NoDuplicateConcurrencyGroupCheck verifies that when a run's
+// ConcurrencyGroup has already been checked at the run level, the same group is not
+// re-checked for individual jobs.
+func Test_checkRunConcurrency_NoDuplicateConcurrencyGroupCheck(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	ctx := t.Context()
+
+	// Run A: the triggering run with a concurrency group.
+	runA := &actions_model.ActionRun{
+		RepoID:           4,
+		OwnerID:          1,
+		TriggerUserID:    1,
+		WorkflowID:       "test.yml",
+		Index:            9901,
+		Ref:              "refs/heads/main",
+		Status:           actions_model.StatusRunning,
+		ConcurrencyGroup: "test-cg",
+	}
+	assert.NoError(t, db.Insert(ctx, runA))
+
+	// A done job for run A with the same ConcurrencyGroup.
+	// This triggers the job-level concurrency check in checkRunConcurrency.
+	jobADone := &actions_model.ActionRunJob{
+		RunID:            runA.ID,
+		RepoID:           4,
+		OwnerID:          1,
+		JobID:            "job1",
+		Name:             "job1",
+		Status:           actions_model.StatusSuccess,
+		ConcurrencyGroup: "test-cg",
+	}
+	assert.NoError(t, db.Insert(ctx, jobADone))
+
+	// Blocked run B competing for the same concurrency group.
+	runB := &actions_model.ActionRun{
+		RepoID:           4,
+		OwnerID:          1,
+		TriggerUserID:    1,
+		WorkflowID:       "test.yml",
+		Index:            9902,
+		Ref:              "refs/heads/main",
+		Status:           actions_model.StatusBlocked,
+		ConcurrencyGroup: "test-cg",
+	}
+	assert.NoError(t, db.Insert(ctx, runB))
+
+	// A blocked job belonging to run B (no job-level concurrency group).
+	jobBBlocked := &actions_model.ActionRunJob{
+		RunID:   runB.ID,
+		RepoID:  4,
+		OwnerID: 1,
+		JobID:   "job1",
+		Name:    "job1",
+		Status:  actions_model.StatusBlocked,
+	}
+	assert.NoError(t, db.Insert(ctx, jobBBlocked))
+
+	jobs, _, err := checkRunConcurrency(ctx, runA)
+	assert.NoError(t, err)
+
+	if assert.Len(t, jobs, 1) {
+		assert.Equal(t, jobBBlocked.ID, jobs[0].ID)
+	}
+}
--- a/services/actions/notifier.go
+++ b/services/actions/notifier.go
@@ -5,6 +5,7 @@ package actions

 import (
 	"context"
+	"errors"

 	actions_model "code.gitea.io/gitea/models/actions"
 	issues_model "code.gitea.io/gitea/models/issues"
@@ -20,6 +21,7 @@ import (
 	"code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	"code.gitea.io/gitea/services/convert"
 	notify_service "code.gitea.io/gitea/services/notify"
@@ -805,7 +807,10 @@ func (n *actionsNotifier) WorkflowRunStatusUpdate(ctx context.Context, repo *rep
 	}
 	defer gitRepo.Close()

-	convertedWorkflow, err := convert.GetActionWorkflow(ctx, gitRepo, repo, run.WorkflowID)
+	convertedWorkflow, err := convert.GetActionWorkflowByRef(ctx, gitRepo, repo, run.WorkflowID, git.RefName(run.Ref))
+	if err != nil && errors.Is(err, util.ErrNotExist) {
+		convertedWorkflow, err = convert.GetActionWorkflow(ctx, gitRepo, repo, run.WorkflowID)
+	}
 	if err != nil {
 		log.Error("GetActionWorkflow: %v", err)
 		return
--- a/services/actions/run.go
+++ b/services/actions/run.go
@@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	notify_service "code.gitea.io/gitea/services/notify"

+	act_model "github.com/nektos/act/pkg/model"
 	"go.yaml.in/yaml/v4"
 )

@@ -34,25 +35,7 @@ func PrepareRunAndInsert(ctx context.Context, content []byte, run *actions_model
 		return fmt.Errorf("ReadWorkflowRawConcurrency: %w", err)
 	}

-	if wfRawConcurrency != nil {
-		err = EvaluateRunConcurrencyFillModel(ctx, run, wfRawConcurrency, vars, inputsWithDefaults)
-		if err != nil {
-			return fmt.Errorf("EvaluateRunConcurrencyFillModel: %w", err)
-		}
-	}
-
-	giteaCtx := GenerateGiteaContext(run, nil)
-
-	jobs, err := jobparser.Parse(content, jobparser.WithVars(vars), jobparser.WithGitContext(giteaCtx.ToGitHubContext()), jobparser.WithInputs(inputsWithDefaults))
-	if err != nil {
-		return fmt.Errorf("parse workflow: %w", err)
-	}
-
-	if len(jobs) > 0 && jobs[0].RunName != "" {
-		run.Title = jobs[0].RunName
-	}
-
-	if err = InsertRun(ctx, run, jobs, vars, inputsWithDefaults); err != nil {
+	if err = InsertRun(ctx, run, content, vars, inputsWithDefaults, wfRawConcurrency); err != nil {
 		return fmt.Errorf("InsertRun: %w", err)
 	}

@@ -74,7 +57,7 @@ func PrepareRunAndInsert(ctx context.Context, content []byte, run *actions_model

 // InsertRun inserts a run
 // The title will be cut off at 255 characters if it's longer than 255 characters.
-func InsertRun(ctx context.Context, run *actions_model.ActionRun, jobs []*jobparser.SingleWorkflow, vars map[string]string, inputs map[string]any) error {
+func InsertRun(ctx context.Context, run *actions_model.ActionRun, content []byte, vars map[string]string, inputs map[string]any, wfRawConcurrency *act_model.RawConcurrency) error {
 	return db.WithTx(ctx, func(ctx context.Context) error {
 		index, err := db.GetNextResourceIndex(ctx, "action_run_index", run.RepoID)
 		if err != nil {
@@ -82,23 +65,36 @@ func InsertRun(ctx context.Context, run *actions_model.ActionRun, jobs []*jobpar
 		}
 		run.Index = index
 		run.Title = util.EllipsisDisplayString(run.Title, 255)
+		run.Status = actions_model.StatusWaiting

-		// check run (workflow-level) concurrency
-		run.Status, err = PrepareToStartRunWithConcurrency(ctx, run)
-		if err != nil {
-			return err
-		}
-
+		// Insert before parsing jobs or evaluating workflow-level concurrency
+		// so that run.ID is populated. Expressions referencing github.run_id —
+		// in run-name, job names, runs-on, or a workflow-level concurrency
+		// group like `${{ github.head_ref || github.run_id }}` — would otherwise
+		// interpolate to an empty string.
 		if err := db.Insert(ctx, run); err != nil {
 			return err
 		}

-		if err := run.LoadRepo(ctx); err != nil {
-			return err
+		giteaCtx := GenerateGiteaContext(run, nil)
+		jobs, err := jobparser.Parse(content, jobparser.WithVars(vars), jobparser.WithGitContext(giteaCtx.ToGitHubContext()), jobparser.WithInputs(inputs))
+		if err != nil {
+			return fmt.Errorf("parse workflow: %w", err)
 		}

-		if err := actions_model.UpdateRepoRunsNumbers(ctx, run.Repo); err != nil {
-			return err
+		titleChanged := len(jobs) > 0 && jobs[0].RunName != ""
+		if titleChanged {
+			run.Title = util.EllipsisDisplayString(jobs[0].RunName, 255)
+		}
+
+		if wfRawConcurrency != nil {
+			if err := EvaluateRunConcurrencyFillModel(ctx, run, wfRawConcurrency, vars, inputs); err != nil {
+				return fmt.Errorf("EvaluateRunConcurrencyFillModel: %w", err)
+			}
+			run.Status, err = PrepareToStartRunWithConcurrency(ctx, run)
+			if err != nil {
+				return err
+			}
 		}

 		runJobs := make([]*actions_model.ActionRunJob, 0, len(jobs))
@@ -168,7 +164,14 @@ func InsertRun(ctx context.Context, run *actions_model.ActionRun, jobs []*jobpar
 		}

 		run.Status = actions_model.AggregateJobStatus(runJobs)
-		if err := actions_model.UpdateRun(ctx, run, "status"); err != nil {
+		cols := []string{"status"}
+		if titleChanged {
+			cols = append(cols, "title")
+		}
+		if wfRawConcurrency != nil {
+			cols = append(cols, "raw_concurrency", "concurrency_group", "concurrency_cancel")
+		}
+		if err := actions_model.UpdateRun(ctx, run, cols...); err != nil {
 			return err
 		}

--- a/services/actions/schedule_tasks.go
+++ b/services/actions/schedule_tasks.go
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
+	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/timeutil"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
@@ -67,7 +68,7 @@ func startTasks(ctx context.Context) error {
 				continue
 			}

-			if err := CreateScheduleTask(ctx, row.Schedule); err != nil {
+			if err := CreateScheduleTask(ctx, row); err != nil {
 				log.Error("CreateScheduleTask: %v", err)
 				return err
 			}
@@ -97,9 +98,12 @@ func startTasks(ctx context.Context) error {
 	return nil
 }

-// CreateScheduleTask creates a scheduled task from a cron action schedule.
+// CreateScheduleTask creates a scheduled task from a cron action schedule spec.
 // It creates an action run based on the schedule, inserts it into the database, and creates commit statuses for each job.
-func CreateScheduleTask(ctx context.Context, cron *actions_model.ActionSchedule) error {
+func CreateScheduleTask(ctx context.Context, spec *actions_model.ActionScheduleSpec) error {
+	cron := spec.Schedule
+	eventPayload := withScheduleInEventPayload(cron.EventPayload, spec.Spec)
+
 	// Create a new action run based on the schedule
 	run := &actions_model.ActionRun{
 		Title:         cron.Title,
@@ -110,7 +114,7 @@ func CreateScheduleTask(ctx context.Context, cron *actions_model.ActionSchedule)
 		Ref:           cron.Ref,
 		CommitSHA:     cron.CommitSHA,
 		Event:         cron.Event,
-		EventPayload:  cron.EventPayload,
+		EventPayload:  eventPayload,
 		TriggerEvent:  string(webhook_module.HookEventSchedule),
 		ScheduleID:    cron.ID,
 		Status:        actions_model.StatusWaiting,
@@ -126,3 +130,24 @@ func CreateScheduleTask(ctx context.Context, cron *actions_model.ActionSchedule)
 	// Return nil if no errors occurred
 	return nil
 }
+
+func withScheduleInEventPayload(eventPayload, schedule string) string {
+	if schedule == "" || eventPayload == "" {
+		return eventPayload
+	}
+
+	event := map[string]any{}
+	if err := json.Unmarshal([]byte(eventPayload), &event); err != nil {
+		log.Error("withScheduleInEventPayload: unmarshal: %v", err)
+		return eventPayload
+	}
+
+	event["schedule"] = schedule
+	updatedPayload, err := json.Marshal(event)
+	if err != nil {
+		log.Error("withScheduleInEventPayload: marshal: %v", err)
+		return eventPayload
+	}
+
+	return string(updatedPayload)
+}
--- a/services/actions/schedule_tasks_test.go
+++ b/services/actions/schedule_tasks_test.go
@@ -0,0 +1,41 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/modules/json"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestWithScheduleInEventPayload(t *testing.T) {
+	t.Run("adds schedule to existing payload", func(t *testing.T) {
+		payload := `{"ref":"refs/heads/main"}`
+		updated := withScheduleInEventPayload(payload, "*/5 * * * *")
+
+		event := map[string]any{}
+		assert.NoError(t, json.Unmarshal([]byte(updated), &event))
+		assert.Equal(t, "*/5 * * * *", event["schedule"])
+		assert.Equal(t, "refs/heads/main", event["ref"])
+	})
+
+	t.Run("keeps empty payload", func(t *testing.T) {
+		updated := withScheduleInEventPayload("", "37 12 5 1 2")
+		assert.Empty(t, updated)
+	})
+
+	t.Run("keeps payload when schedule empty", func(t *testing.T) {
+		payload := `{"ref":"refs/heads/main"}`
+		updated := withScheduleInEventPayload(payload, "")
+		assert.Equal(t, payload, updated)
+	})
+
+	t.Run("keeps payload when malformed JSON", func(t *testing.T) {
+		payload := `not a json object`
+		updated := withScheduleInEventPayload(payload, "*/5 * * * *")
+		assert.Equal(t, payload, updated)
+	})
+}
--- a/services/actions/variables.go
+++ b/services/actions/variables.go
@@ -16,7 +16,7 @@ func CreateVariable(ctx context.Context, ownerID, repoID int64, name, data, desc
 		return nil, err
 	}

-	v, err := actions_model.InsertVariable(ctx, ownerID, repoID, name, util.ReserveLineBreakForTextarea(data), description)
+	v, err := actions_model.InsertVariable(ctx, ownerID, repoID, name, util.NormalizeStringEOL(data), description)
 	if err != nil {
 		return nil, err
 	}
@@ -29,7 +29,7 @@ func UpdateVariableNameData(ctx context.Context, variable *actions_model.ActionV
 		return false, err
 	}

-	variable.Data = util.ReserveLineBreakForTextarea(variable.Data)
+	variable.Data = util.NormalizeStringEOL(variable.Data)

 	return actions_model.UpdateVariableCols(ctx, variable, "name", "data", "description")
 }
--- a/services/context/base_path.go
+++ b/services/context/base_path.go
@@ -44,9 +44,9 @@ func (b *Base) PathParamInt(p string) int {

 // SetPathParam set request path params into routes
 func (b *Base) SetPathParam(name, value string) {
-	if strings.HasPrefix(name, ":") {
-		setting.PanicInDevOrTesting("path param should not start with ':'")
-		name = name[1:]
-	}
 	chi.RouteContext(b).URLParams.Add(name, url.PathEscape(value))
 }
+
+func (b *Base) SetPathParamRaw(name, value string) {
+	chi.RouteContext(b).URLParams.Add(name, value)
+}
--- a/services/context/context_response.go
+++ b/services/context/context_response.go
@@ -22,6 +22,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/templates"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 )

@@ -143,11 +144,9 @@ func (ctx *Context) NotFound(logErr error) {
 }

 func (ctx *Context) notFoundInternal(logMsg string, logErr error) {
+	// TODO: it's safe to show the error message to end users if the error is fully controlled by our error system
 	if logErr != nil {
 		log.Log(2, log.DEBUG, "%s: %v", logMsg, logErr)
-		if !setting.IsProd {
-			ctx.Data["ErrorMsg"] = logErr
-		}
 	}

 	// response simple message if Accept isn't text/html
@@ -166,11 +165,17 @@ func (ctx *Context) notFoundInternal(logMsg string, logErr error) {

 	ctx.Data["IsRepo"] = ctx.Repo.Repository != nil
 	ctx.Data["Title"] = "Page Not Found"
+	ctx.Data["ErrorMsg"] = "" // FIXME: the template never renders this message, need to fix in the future (and show safe messages to end users)
 	ctx.HTML(http.StatusNotFound, "status/404")
 }

 // ServerError displays a 500 (Internal Server Error) page and prints the given error, if any.
+// If the error is controlled by our error system, a related 404 page can be displayed instead.
 func (ctx *Context) ServerError(logMsg string, logErr error) {
+	if errors.Is(logErr, util.ErrNotExist) {
+		ctx.notFoundInternal(logMsg, logErr)
+		return
+	}
 	ctx.serverErrorInternal(logMsg, logErr)
 }

--- a/services/context/context_template.go
+++ b/services/context/context_template.go
@@ -81,5 +81,5 @@ func (c TemplateContext) AppFullLink(link ...string) template.URL {
 	if len(link) == 0 {
 		return template.URL(s)
 	}
-	return template.URL(s + strings.TrimPrefix(link[0], "/"))
+	return template.URL(s + "/" + strings.TrimPrefix(link[0], "/"))
 }
--- a/services/context/context_test.go
+++ b/services/context/context_test.go
@@ -49,3 +49,17 @@ func TestRedirectToCurrentSite(t *testing.T) {
 		})
 	}
 }
+
+func TestAppFullLink(t *testing.T) {
+	setting.IsInTesting = true
+	defer test.MockVariableValue(&setting.AppURL, "https://gitea.example.com/sub/")()
+	defer test.MockVariableValue(&setting.AppSubURL, "/sub")()
+	defer test.MockVariableValue(&setting.PublicURLDetection, setting.PublicURLNever)()
+
+	req := httptest.NewRequest(http.MethodGet, "https://gitea.example.com/sub/", nil)
+	tmplCtx := NewTemplateContext(req.Context(), req)
+
+	assert.Equal(t, "https://gitea.example.com/sub", string(tmplCtx.AppFullLink()))
+	assert.Equal(t, "https://gitea.example.com/sub/user/repo", string(tmplCtx.AppFullLink("user/repo")))
+	assert.Equal(t, "https://gitea.example.com/sub/user/repo", string(tmplCtx.AppFullLink("/user/repo")))
+}
--- a/services/convert/action_test.go
+++ b/services/convert/action_test.go
@@ -0,0 +1,126 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package convert
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/git/gitcmd"
+	"code.gitea.io/gitea/modules/util"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// buildWorkflowTestRepo creates a temporary git repository for testing GetActionWorkflow.
+// The default branch "main" has no workflow files; "feature" and "release-v1" each add their own workflow file.
+func buildWorkflowTestRepo(t *testing.T) string {
+	t.Helper()
+	ctx := t.Context()
+	tmpDir := t.TempDir()
+
+	_, _, err := gitcmd.NewCommand("init").WithDir(tmpDir).RunStdString(ctx)
+	require.NoError(t, err)
+
+	readme := "readme"
+	featureWF := "on: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - run: echo test\n"
+	releaseWF := "on: [push]\njobs:\n  release:\n    runs-on: ubuntu-latest\n    steps:\n      - run: echo release\n"
+
+	// Build a git fast-import stream:
+	//   :4 = initial commit on main (README.md only)
+	//   :5 = feature branch commit (adds feature workflow)
+	//   :6 = release commit from :4 (adds release workflow, tagged release-v1, not on main)
+	var sb strings.Builder
+	fmt.Fprintf(&sb, "blob\nmark :1\ndata %d\n%s\n", len(readme), readme)
+	fmt.Fprintf(&sb, "blob\nmark :2\ndata %d\n%s\n", len(featureWF), featureWF)
+	fmt.Fprintf(&sb, "blob\nmark :3\ndata %d\n%s\n", len(releaseWF), releaseWF)
+	fmt.Fprintf(&sb, "commit refs/heads/main\nmark :4\nauthor Test <test@gitea.com> 1000000000 +0000\ncommitter Test <test@gitea.com> 1000000000 +0000\ndata 14\ninitial commit\nM 100644 :1 README.md\n\n")
+	fmt.Fprintf(&sb, "commit refs/heads/feature\nmark :5\nauthor Test <test@gitea.com> 1000000001 +0000\ncommitter Test <test@gitea.com> 1000000001 +0000\ndata 12\nadd workflow\nfrom :4\nM 100644 :2 .gitea/workflows/my-workflow.yml\n\n")
+	fmt.Fprintf(&sb, "reset refs/pull/42/merge\nfrom :5\n\n")
+	fmt.Fprintf(&sb, "commit refs/heads/main\nmark :6\nauthor Test <test@gitea.com> 1000000002 +0000\ncommitter Test <test@gitea.com> 1000000002 +0000\ndata 16\nrelease workflow\nfrom :4\nM 100644 :3 .gitea/workflows/my-workflow.yml\n\n")
+	fmt.Fprintf(&sb, "reset refs/tags/release-v1\nfrom :6\n\n")
+	fmt.Fprintf(&sb, "reset refs/heads/main\nfrom :4\n\n")
+	fmt.Fprintf(&sb, "done\n")
+
+	_, _, err = gitcmd.NewCommand("fast-import").WithDir(tmpDir).WithStdinBytes([]byte(sb.String())).RunStdString(ctx)
+	require.NoError(t, err)
+
+	return tmpDir
+}
+
+func TestGetActionWorkflow_FallbackRef(t *testing.T) {
+	ctx := t.Context()
+
+	repoDir := buildWorkflowTestRepo(t)
+
+	gitRepo, err := git.OpenRepository(ctx, repoDir)
+	require.NoError(t, err)
+	defer gitRepo.Close()
+
+	repo := &repo_model.Repository{
+		DefaultBranch: "main",
+		OwnerName:     "test-owner",
+		Name:          "test-repo",
+		Units: []*repo_model.RepoUnit{
+			{
+				Type:   unit.TypeActions,
+				Config: &repo_model.ActionsConfig{},
+			},
+		},
+	}
+
+	t.Run("returns error when workflow only on non-default branch", func(t *testing.T) {
+		_, err := GetActionWorkflow(ctx, gitRepo, repo, "my-workflow.yml")
+		require.Error(t, err)
+		assert.ErrorIs(t, err, util.ErrNotExist)
+	})
+
+	t.Run("returns workflow when found via ref", func(t *testing.T) {
+		wf, err := GetActionWorkflowByRef(ctx, gitRepo, repo, "my-workflow.yml", git.RefName("refs/heads/feature"))
+		require.NoError(t, err)
+		assert.Equal(t, "my-workflow.yml", wf.ID)
+	})
+
+	t.Run("returns workflow when found via pull ref", func(t *testing.T) {
+		wf, err := GetActionWorkflowByRef(ctx, gitRepo, repo, "my-workflow.yml", git.RefName("refs/pull/42/merge"))
+		require.NoError(t, err)
+		assert.Equal(t, "my-workflow.yml", wf.ID)
+		assert.Contains(t, wf.HTMLURL, "/src/commit/")
+	})
+
+	t.Run("returns workflow with tag link when found via tag ref", func(t *testing.T) {
+		wf, err := GetActionWorkflowByRef(ctx, gitRepo, repo, "my-workflow.yml", git.RefName("refs/tags/release-v1"))
+		require.NoError(t, err)
+		assert.Equal(t, "my-workflow.yml", wf.ID)
+		assert.Contains(t, wf.HTMLURL, "/src/tag/release-v1/")
+	})
+
+	t.Run("returns error when workflow missing from ref", func(t *testing.T) {
+		_, err := GetActionWorkflowByRef(ctx, gitRepo, repo, "nonexistent.yml", git.RefName("refs/heads/feature"))
+		require.Error(t, err)
+		assert.ErrorIs(t, err, util.ErrNotExist)
+	})
+}
+
+func TestToActionWorkflowRun_UsesTriggerEvent(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
+	run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 803})
+
+	// Scheduled runs keep Event as the registration event (push) and use TriggerEvent as the real trigger.
+	run.Event = "push"
+	run.TriggerEvent = "schedule"
+
+	apiRun, err := ToActionWorkflowRun(t.Context(), repo, run)
+	require.NoError(t, err)
+	assert.Equal(t, "schedule", apiRun.Event)
+}
--- a/services/convert/convert.go
+++ b/services/convert/convert.go
@@ -260,7 +260,7 @@ func ToActionWorkflowRun(ctx context.Context, repo *repo_model.Repository, run *
 		RunNumber:    run.Index,
 		StartedAt:    run.Started.AsLocalTime(),
 		CompletedAt:  run.Stopped.AsLocalTime(),
-		Event:        string(run.Event),
+		Event:        run.TriggerEvent,
 		DisplayTitle: run.Title,
 		HeadBranch:   git.RefName(run.Ref).BranchName(),
 		HeadSha:      run.CommitSHA,
@@ -387,12 +387,15 @@ func ToActionWorkflowJob(ctx context.Context, repo *repo_model.Repository, task
 	}, nil
 }

-func getActionWorkflowEntry(ctx context.Context, repo *repo_model.Repository, commit *git.Commit, branchName, folder string, entry *git.TreeEntry) *api.ActionWorkflow {
+func getActionWorkflowEntry(ctx context.Context, repo *repo_model.Repository, commit *git.Commit, refName git.RefName, folder string, entry *git.TreeEntry) *api.ActionWorkflow {
 	cfgUnit := repo.MustGetUnit(ctx, unit.TypeActions)
 	cfg := cfgUnit.ActionsConfig()

 	workflowURL := fmt.Sprintf("%s/actions/workflows/%s", repo.APIURL(), util.PathEscapeSegments(entry.Name()))
-	workflowRepoURL := fmt.Sprintf("%s/src/branch/%s/%s/%s", repo.HTMLURL(ctx), util.PathEscapeSegments(branchName), util.PathEscapeSegments(folder), util.PathEscapeSegments(entry.Name()))
+	workflowRepoURL := fmt.Sprintf("%s/src/commit/%s/%s/%s", repo.HTMLURL(ctx), commit.ID.String(), util.PathEscapeSegments(folder), util.PathEscapeSegments(entry.Name()))
+	if refWebLinkPath := refName.RefWebLinkPath(); refWebLinkPath != "" {
+		workflowRepoURL = fmt.Sprintf("%s/src/%s/%s/%s", repo.HTMLURL(ctx), refWebLinkPath, util.PathEscapeSegments(folder), util.PathEscapeSegments(entry.Name()))
+	}
 	badgeURL := fmt.Sprintf("%s/actions/workflows/%s/badge.svg?branch=%s", repo.HTMLURL(ctx), util.PathEscapeSegments(entry.Name()), url.QueryEscape(repo.DefaultBranch))

 	// See https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#get-a-workflow
@@ -457,7 +460,7 @@ func ListActionWorkflows(ctx context.Context, gitrepo *git.Repository, repo *rep

 	workflows := make([]*api.ActionWorkflow, len(entries))
 	for i, entry := range entries {
-		workflows[i] = getActionWorkflowEntry(ctx, repo, defaultBranchCommit, repo.DefaultBranch, folder, entry)
+		workflows[i] = getActionWorkflowEntry(ctx, repo, defaultBranchCommit, git.RefNameFromBranch(repo.DefaultBranch), folder, entry)
 	}

 	return workflows, nil
@@ -469,14 +472,35 @@ func GetActionWorkflow(ctx context.Context, gitrepo *git.Repository, repo *repo_
 		return nil, err
 	}

-	folder, entries, err := actions.ListWorkflows(defaultBranchCommit)
+	return getActionWorkflowFromCommit(ctx, repo, defaultBranchCommit, git.RefNameFromBranch(repo.DefaultBranch), workflowID)
+}
+
+func GetActionWorkflowByRef(ctx context.Context, gitrepo *git.Repository, repo *repo_model.Repository, workflowID string, ref git.RefName) (*api.ActionWorkflow, error) {
+	if ref == "" {
+		return nil, util.NewNotExistErrorf("workflow %q not found", workflowID)
+	}
+
+	refCommitID, err := gitrepo.GetRefCommitID(ref.String())
+	if err != nil {
+		return nil, err
+	}
+	refCommit, err := gitrepo.GetCommit(refCommitID)
+	if err != nil {
+		return nil, err
+	}
+
+	return getActionWorkflowFromCommit(ctx, repo, refCommit, ref, workflowID)
+}
+
+func getActionWorkflowFromCommit(ctx context.Context, repo *repo_model.Repository, commit *git.Commit, refName git.RefName, workflowID string) (*api.ActionWorkflow, error) {
+	folder, entries, err := actions.ListWorkflows(commit)
 	if err != nil {
 		return nil, err
 	}

 	for _, entry := range entries {
 		if entry.Name() == workflowID {
-			return getActionWorkflowEntry(ctx, repo, defaultBranchCommit, repo.DefaultBranch, folder, entry), nil
+			return getActionWorkflowEntry(ctx, repo, commit, refName, folder, entry), nil
 		}
 	}

--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -10,7 +10,9 @@ import (

 	issues_model "code.gitea.io/gitea/models/issues"
 	project_model "code.gitea.io/gitea/models/project"
+	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/webhook"
@@ -523,16 +525,49 @@ func (f *InitializeLabelsForm) Validate(req *http.Request, errs binding.Errors)
 type MergePullRequestForm struct {
 	// required: true
 	// enum: ["merge","rebase","rebase-merge","squash","fast-forward-only","manually-merged"]
-	Do                     string `binding:"Required;In(merge,rebase,rebase-merge,squash,fast-forward-only,manually-merged)"`
-	MergeTitleField        string
-	MergeMessageField      string
-	MergeCommitID          string // only used for manually-merged
+	Do                     string `json:"do" binding:"Required;In(merge,rebase,rebase-merge,squash,fast-forward-only,manually-merged)"`
+	MergeTitleField        string `json:"merge_title_field,omitempty"`
+	MergeMessageField      string `json:"merge_message_field,omitempty"`
+	MergeCommitID          string `json:"merge_commit_id,omitempty"` // only used for manually-merged
 	HeadCommitID           string `json:"head_commit_id,omitempty"`
 	ForceMerge             bool   `json:"force_merge,omitempty"`
 	MergeWhenChecksSucceed bool   `json:"merge_when_checks_succeed,omitempty"`
 	DeleteBranchAfterMerge *bool  `json:"delete_branch_after_merge,omitempty"`
 }

+func (f *MergePullRequestForm) UnmarshalJSON(b []byte) error {
+	// This is for backward compatibility, to support both field names like "do" and "Do",
+	// because old code doesn't have "json" tag for these fields
+	type aux struct {
+		Do1                string `json:"do"`
+		Do2                string `json:"Do"`
+		MergeTitleField1   string `json:"merge_title_field"`
+		MergeTitleField2   string `json:"MergeTitleField"`
+		MergeMessageField1 string `json:"merge_message_field"`
+		MergeMessageField2 string `json:"MergeMessageField"`
+		MergeCommitID1     string `json:"merge_commit_id"`
+		MergeCommitID2     string `json:"MergeCommitID"`
+
+		HeadCommitID           string `json:"head_commit_id"`
+		ForceMerge             bool   `json:"force_merge"`
+		MergeWhenChecksSucceed bool   `json:"merge_when_checks_succeed"`
+		DeleteBranchAfterMerge *bool  `json:"delete_branch_after_merge"`
+	}
+	var a aux
+	if err := json.Unmarshal(b, &a); err != nil {
+		return err
+	}
+	f.Do = util.IfZero(a.Do1, a.Do2)
+	f.MergeTitleField = util.IfZero(a.MergeTitleField1, a.MergeTitleField2)
+	f.MergeMessageField = util.IfZero(a.MergeMessageField1, a.MergeMessageField2)
+	f.MergeCommitID = util.IfZero(a.MergeCommitID1, a.MergeCommitID2)
+	f.HeadCommitID = a.HeadCommitID
+	f.ForceMerge = a.ForceMerge
+	f.MergeWhenChecksSucceed = a.MergeWhenChecksSucceed
+	f.DeleteBranchAfterMerge = a.DeleteBranchAfterMerge
+	return nil
+}
+
 // Validate validates the fields
 func (f *MergePullRequestForm) Validate(req *http.Request, errs binding.Errors) binding.Errors {
 	ctx := context.GetValidateContext(req)
--- a/services/forms/repo_form_test.go
+++ b/services/forms/repo_form_test.go
@@ -6,7 +6,10 @@ package forms
 import (
 	"testing"

+	"code.gitea.io/gitea/modules/json"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestSubmitReviewForm_IsEmpty(t *testing.T) {
@@ -37,3 +40,48 @@ func TestSubmitReviewForm_IsEmpty(t *testing.T) {
 		assert.Equal(t, v.expected, v.form.HasEmptyContent())
 	}
 }
+
+func TestMergePullRequestForm(t *testing.T) {
+	expected := &MergePullRequestForm{
+		Do:                     "merge",
+		MergeTitleField:        "title",
+		MergeMessageField:      "message",
+		MergeCommitID:          "merge-id",
+		HeadCommitID:           "head-id",
+		ForceMerge:             true,
+		MergeWhenChecksSucceed: true,
+		DeleteBranchAfterMerge: new(true),
+	}
+
+	t.Run("NewFields", func(t *testing.T) {
+		input := `{
+	"do": "merge",
+	"merge_title_field": "title",
+	"merge_message_field": "message",
+	"merge_commit_id": "merge-id",
+	"head_commit_id": "head-id",
+	"force_merge": true,
+	"merge_when_checks_succeed": true,
+	"delete_branch_after_merge": true
+}`
+		var m *MergePullRequestForm
+		require.NoError(t, json.Unmarshal([]byte(input), &m))
+		assert.Equal(t, expected, m)
+	})
+
+	t.Run("OldFields", func(t *testing.T) {
+		input := `{
+	"Do": "merge",
+	"MergeTitleField": "title",
+	"MergeMessageField": "message",
+	"MergeCommitID": "merge-id",
+	"head_commit_id": "head-id",
+	"force_merge": true,
+	"merge_when_checks_succeed": true,
+	"delete_branch_after_merge": true
+}`
+		var m *MergePullRequestForm
+		require.NoError(t, json.Unmarshal([]byte(input), &m))
+		assert.Equal(t, expected, m)
+	})
+}
--- a/services/org/org.go
+++ b/services/org/org.go
@@ -102,10 +102,14 @@ func DeleteOrganization(ctx context.Context, org *org_model.Organization, purge
 	return nil
 }

-func updateOrgRepoForVisibilityChanged(ctx context.Context, repo *repo_model.Repository, makePrivate bool) error {
+func updateRepoForVisibilityChanged(ctx context.Context, repo *repo_model.Repository, makePrivate bool) error {
+	if err := repo.LoadOwner(ctx); err != nil {
+		return fmt.Errorf("LoadOwner: %w", err)
+	}
+
 	// Organization repository need to recalculate access table when visibility is changed.
-	if err := access_model.RecalculateTeamAccesses(ctx, repo, 0); err != nil {
-		return fmt.Errorf("recalculateTeamAccesses: %w", err)
+	if err := access_model.RecalculateAccesses(ctx, repo); err != nil {
+		return fmt.Errorf("RecalculateAccesses: %w", err)
 	}

 	if makePrivate {
@@ -135,7 +139,7 @@ func updateOrgRepoForVisibilityChanged(ctx context.Context, repo *repo_model.Rep
 		return fmt.Errorf("getRepositoriesByForkID: %w", err)
 	}
 	for i := range forkRepos {
-		if err := updateOrgRepoForVisibilityChanged(ctx, forkRepos[i], makePrivate); err != nil {
+		if err := updateRepoForVisibilityChanged(ctx, forkRepos[i], makePrivate); err != nil {
 			return fmt.Errorf("updateRepoForVisibilityChanged[%s]: %w", forkRepos[i].FullName(), err)
 		}
 	}
@@ -161,8 +165,8 @@ func ChangeOrganizationVisibility(ctx context.Context, org *org_model.Organizati
 			return err
 		}
 		for _, repo := range repos {
-			if err := updateOrgRepoForVisibilityChanged(ctx, repo, visibility == structs.VisibleTypePrivate); err != nil {
-				return fmt.Errorf("updateOrgRepoForVisibilityChanged: %w", err)
+			if err := updateRepoForVisibilityChanged(ctx, repo, visibility == structs.VisibleTypePrivate); err != nil {
+				return fmt.Errorf("updateRepoForVisibilityChanged: %w", err)
 			}
 		}
 		return nil
--- a/services/org/org_test.go
+++ b/services/org/org_test.go
@@ -10,6 +10,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"

 	"github.com/stretchr/testify/assert"
@@ -60,4 +61,11 @@ func TestOrg(t *testing.T) {
 		assert.Error(t, DeleteOrganization(t.Context(), user, false))
 		unittest.CheckConsistencyFor(t, &user_model.User{}, &organization.Team{})
 	})
+
+	t.Run("ChangeVisibilityWithUserFork", func(t *testing.T) {
+		// org 19 has a repository 27 which has a forked repository 29 by user 20
+		org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 19})
+		require.NoError(t, ChangeOrganizationVisibility(t.Context(), org, structs.VisibleTypePrivate))
+		unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: org.ID, Visibility: structs.VisibleTypePrivate})
+	})
 }
--- a/services/projects/issue.go
+++ b/services/projects/issue.go
@@ -6,11 +6,14 @@ package project
 import (
 	"context"
 	"errors"
+	"slices"
+	"strings"

 	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	project_model "code.gitea.io/gitea/models/project"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/optional"
 )

@@ -86,6 +89,31 @@ func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, colum
 	})
 }

+func LoadIssuesAssigneesForProject(ctx context.Context, issuesMap map[int64]issues_model.IssueList) ([]*user_model.User, error) {
+	var issueList issues_model.IssueList
+	for _, colIssues := range issuesMap {
+		issueList = append(issueList, colIssues...)
+	}
+	err := issueList.LoadAssignees(ctx)
+	if err != nil {
+		return nil, err
+	}
+	users := make([]*user_model.User, 0, len(issueList))
+	usersAdded := container.Set[int64]{}
+	for _, issue := range issueList {
+		for _, assignee := range issue.Assignees {
+			if !usersAdded.Contains(assignee.ID) {
+				usersAdded.Add(assignee.ID)
+				users = append(users, assignee)
+			}
+		}
+	}
+	slices.SortFunc(users, func(a, b *user_model.User) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+	return users, nil
+}
+
 // LoadIssuesFromProject load issues assigned to each project column inside the given project
 func LoadIssuesFromProject(ctx context.Context, project *project_model.Project, opts *issues_model.IssuesOptions) (results map[int64]issues_model.IssueList, _ error) {
 	issueList, err := issues_model.Issues(ctx, opts.Copy(func(o *issues_model.IssuesOptions) {
--- a/services/projects/issue_test.go
+++ b/services/projects/issue_test.go
@@ -15,6 +15,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func Test_Projects(t *testing.T) {
@@ -207,4 +208,18 @@ func Test_Projects(t *testing.T) {
 			assert.Len(t, columnIssues[3], 1)
 		})
 	})
+
+	t.Run("LoadIssuesAssigneesForProject", func(t *testing.T) {
+		issuesMap := map[int64]issues_model.IssueList{}
+		issue1 := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
+		issue6 := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 6})
+		issuesMap[1] = issues_model.IssueList{issue1}
+		issuesMap[2] = issues_model.IssueList{issue6}
+		assignees, err := LoadIssuesAssigneesForProject(t.Context(), issuesMap)
+		require.NoError(t, err)
+		require.Len(t, assignees, 3)
+		require.Equal(t, "user1", assignees[0].Name)
+		require.Equal(t, "user10", assignees[1].Name)
+		require.Equal(t, "user2", assignees[2].Name)
+	})
 }
--- a/services/pull/reviewer.go
+++ b/services/pull/reviewer.go
@@ -40,15 +40,8 @@ func GetReviewers(ctx context.Context, repo *repo_model.Repository, doerID, post
 	uniqueUserIDs.AddMultiple(collaboratorIDs...)

 	if repo.Owner.IsOrganization() {
-		additionalUserIDs := make([]int64, 0, 10)
-		if err := e.Table("team_user").
-			Join("INNER", "team_repo", "`team_repo`.team_id = `team_user`.team_id").
-			Join("INNER", "team_unit", "`team_unit`.team_id = `team_user`.team_id").
-			Where("`team_repo`.repo_id = ? AND (`team_unit`.access_mode >= ? AND `team_unit`.`type` = ?)",
-				repo.ID, perm.AccessModeRead, unit.TypePullRequests).
-			Distinct("`team_user`.uid").
-			Select("`team_user`.uid").
-			Find(&additionalUserIDs); err != nil {
+		additionalUserIDs, err := organization.GetTeamUserIDsWithAccessToAnyRepoUnit(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead, unit.TypePullRequests)
+		if err != nil {
 			return nil, err
 		}
 		uniqueUserIDs.AddMultiple(additionalUserIDs...)
--- a/services/repository/create.go
+++ b/services/repository/create.go
@@ -31,6 +31,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/templates/vars"
+	"code.gitea.io/gitea/modules/util"
 )

 // CreateRepoOptions contains the create repository options
@@ -85,7 +86,7 @@ func prepareRepoCommit(ctx context.Context, repo *repo_model.Repository, tmpDir
 	cloneLink := repo.CloneLink(ctx, nil /* no doer so do not generate user-related SSH link */)
 	match := map[string]string{
 		"Name":           repo.Name,
-		"Description":    repo.Description,
+		"Description":    util.NormalizeStringEOL(repo.Description),
 		"CloneURL.SSH":   cloneLink.SSH,
 		"CloneURL.HTTPS": cloneLink.HTTPS,
 		"OwnerName":      repo.OwnerName,
--- a/services/repository/files/temp_repo.go
+++ b/services/repository/files/temp_repo.go
@@ -178,8 +178,9 @@ func (t *TemporaryUploadRepository) HashObjectAndWrite(ctx context.Context, cont

 // AddObjectToIndex adds the provided object hash to the index with the provided mode and path
 func (t *TemporaryUploadRepository) AddObjectToIndex(ctx context.Context, mode, objectHash, objectPath string) error {
-	if err := gitcmd.NewCommand("update-index", "--add", "--replace", "--cacheinfo").
-		AddDynamicArguments(mode, objectHash, objectPath).WithDir(t.basePath).RunWithStderr(ctx); err != nil {
+	cmd := gitcmd.NewCommand("update-index", "--add", "--replace", "--cacheinfo").
+		AddDynamicArguments(mode + "," + objectHash + "," + objectPath).WithDir(t.basePath)
+	if err := cmd.RunWithStderr(ctx); err != nil {
 		if matched, _ := regexp.MatchString(".*Invalid path '.*", err.Stderr()); matched {
 			return ErrFilePathInvalid{
 				Message: objectPath,
--- a/services/repository/files/temp_repo_test.go
+++ b/services/repository/files/temp_repo_test.go
@@ -0,0 +1,45 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package files
+
+import (
+	"bytes"
+	"testing"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/modules/git"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTemporaryUploadRepository(t *testing.T) {
+	mockedRepo := &repo_model.Repository{Name: "mocked-repo-name", OwnerName: "mocked-owner-name"}
+
+	doTest := func(t *testing.T, objectFormatName string) {
+		tmpGitRepo, err := NewTemporaryUploadRepository(mockedRepo)
+		require.NoError(t, err)
+		defer tmpGitRepo.Close()
+
+		require.NoError(t, tmpGitRepo.Init(t.Context(), objectFormatName))
+
+		require.NoError(t, tmpGitRepo.RemoveFilesFromIndex(t.Context(), "any-file-name"))
+		require.NoError(t, tmpGitRepo.RemoveFilesFromIndex(t.Context(), "--any-file-name"))
+
+		objID, err := tmpGitRepo.HashObjectAndWrite(t.Context(), bytes.NewReader(nil))
+		require.NoError(t, err)
+		require.NoError(t, tmpGitRepo.AddObjectToIndex(t.Context(), "100644", objID, "any-file-name"))
+		require.NoError(t, tmpGitRepo.AddObjectToIndex(t.Context(), "100644", objID, "--any-file-name"))
+	}
+
+	t.Run("sha1", func(t *testing.T) {
+		doTest(t, git.Sha1ObjectFormat.Name())
+	})
+
+	t.Run("sha256", func(t *testing.T) {
+		if !git.DefaultFeatures().SupportHashSha256 {
+			t.Skip("sha256 is not supported")
+		}
+		doTest(t, git.Sha256ObjectFormat.Name())
+	})
+}
--- a/services/webhook/notifier.go
+++ b/services/webhook/notifier.go
@@ -5,6 +5,7 @@ package webhook

 import (
 	"context"
+	"errors"

 	actions_model "code.gitea.io/gitea/models/actions"
 	git_model "code.gitea.io/gitea/models/git"
@@ -22,6 +23,7 @@ import (
 	"code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	"code.gitea.io/gitea/services/convert"
 	notify_service "code.gitea.io/gitea/services/notify"
@@ -1032,7 +1034,10 @@ func (*webhookNotifier) WorkflowRunStatusUpdate(ctx context.Context, repo *repo_
 	}
 	defer gitRepo.Close()

-	convertedWorkflow, err := convert.GetActionWorkflow(ctx, gitRepo, repo, run.WorkflowID)
+	convertedWorkflow, err := convert.GetActionWorkflowByRef(ctx, gitRepo, repo, run.WorkflowID, git.RefName(run.Ref))
+	if err != nil && errors.Is(err, util.ErrNotExist) {
+		convertedWorkflow, err = convert.GetActionWorkflow(ctx, gitRepo, repo, run.WorkflowID)
+	}
 	if err != nil {
 		log.Error("GetActionWorkflow: %v", err)
 		return
--- a/tailwind.config.ts
+++ b/tailwind.config.ts
@@ -93,6 +93,9 @@ export default {
        return [`${i}`, `${i === 0 ? '0' : `${i}px`}`];
      })),
    },
+    extend: {
+      zIndex: {'1': '1'},
+    },
  },
  plugins: [
    plugin(({addUtilities}) => {
--- a/templates/devtest/form-fields.tmpl
+++ b/templates/devtest/form-fields.tmpl
@@ -0,0 +1,109 @@
+{{template "devtest/devtest-header"}}
+<div class="page-content devtest ui container">
+	<form class="ui form left-right-form">
+		<h4 class="ui dividing header">Input</h4>
+		<div class="inline field">
+			<label>Normal</label>
+			<input type="text" value="value">
+		</div>
+		<div class="inline field">
+			<label>Readonly</label>
+			<input type="text" value="value" readonly>
+		</div>
+		<div class="inline disabled field">
+			<label>Disabled</label>
+			<input type="text" value="value" disabled>
+		</div>
+		<div class="inline field error">
+			<label>Error</label>
+			<input type="text" value="value">
+		</div>
+
+		<h4 class="ui dividing header">Textarea</h4>
+		<div class="inline field">
+			<label>Normal</label>
+			<textarea rows="2">value</textarea>
+		</div>
+		<div class="inline field">
+			<label>Readonly</label>
+			<textarea rows="2" readonly>value</textarea>
+		</div>
+		<div class="inline disabled field">
+			<label>Disabled</label>
+			<textarea rows="2" disabled>value</textarea>
+		</div>
+		<div class="inline field error">
+			<label>Error</label>
+			<textarea rows="2">value</textarea>
+		</div>
+
+		<h4 class="ui dividing header">Dropdown</h4>
+		<div class="inline field">
+			<label>Normal</label>
+			<div class="ui selection dropdown">
+				<input type="hidden" value="a">
+				{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+				<div class="text">Option A</div>
+				<div class="menu">
+					<div class="item" data-value="a">Option A</div>
+					<div class="item" data-value="b">Option B</div>
+				</div>
+			</div>
+		</div>
+		<div class="inline field">
+			<label>Readonly</label>
+			<div class="ui selection dropdown" readonly>
+				<input type="hidden" value="a">
+				{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+				<div class="text">Option A</div>
+				<div class="menu">
+					<div class="item" data-value="a">Option A</div>
+					<div class="item" data-value="b">Option B</div>
+				</div>
+			</div>
+		</div>
+		<div class="inline disabled field">
+			<label>Disabled</label>
+			<div class="ui selection dropdown">
+				<input type="hidden" value="a">
+				{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+				<div class="text">Option A</div>
+				<div class="menu">
+					<div class="item" data-value="a">Option A</div>
+					<div class="item" data-value="b">Option B</div>
+				</div>
+			</div>
+		</div>
+		<div class="inline field error">
+			<label>Error</label>
+			<div class="ui selection dropdown">
+				<input type="hidden" value="a">
+				{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+				<div class="text">Option A</div>
+				<div class="menu">
+					<div class="item" data-value="a">Option A</div>
+					<div class="item" data-value="b">Option B</div>
+				</div>
+			</div>
+		</div>
+
+		<h4 class="ui dividing header">Required</h4>
+		<div class="inline required field">
+			<label>Normal</label>
+			<input type="text" value="value">
+		</div>
+		<div class="inline required field">
+			<label>Readonly</label>
+			<input type="text" value="value" readonly>
+		</div>
+		<div class="inline required disabled field">
+			<label>Disabled</label>
+			<input type="text" value="value" disabled>
+		</div>
+		<div class="inline required field error">
+			<label>Error</label>
+			<input type="text" value="value">
+		</div>
+	</form>
+</div>
+{{template "devtest/devtest-footer"}}
--- a/templates/install.tmpl
+++ b/templates/install.tmpl
@@ -117,7 +117,7 @@
 						<input id="lfs_root_path" name="lfs_root_path" value="{{.lfs_root_path}}">
 						<span class="help">{{ctx.Locale.Tr "install.lfs_path_helper"}}</span>
 					</div>
-					<div class="inline required field {{if .Err_RunUser}}error{{end}}">
+					<div class="inline field">
 						<label for="run_user">{{ctx.Locale.Tr "install.run_user"}}</label>
 						<input id="run_user" name="run_user" value="{{.run_user}}" readonly>
 						<span class="help">{{ctx.Locale.Tr "install.run_user_helper"}}</span>
--- a/templates/org/home.tmpl
+++ b/templates/org/home.tmpl
@@ -63,7 +63,7 @@
 						{{$isMember := .IsOrganizationMember}}
 						{{range .Members}}
 							{{if or $isMember (call $.IsPublicMember .ID)}}
-								<a href="{{.HomeLink}}" title="{{.Name}}{{if .FullName}} ({{.FullName}}){{end}}">{{ctx.AvatarUtils.Avatar . 48}}</a>
+								{{template "shared/user/avatarlink" dict "user" . "size" 32 "tooltip" true}}
 							{{end}}
 						{{end}}
 					</div>
--- a/templates/org/team/sidebar.tmpl
+++ b/templates/org/team/sidebar.tmpl
@@ -4,14 +4,14 @@
 		<div class="ui right">
 			{{if .Team.IsMember ctx $.SignedUser.ID}}
 				<form>
-					<button class="ui red tiny button delete-button" data-modal-id="leave-team-sidebar"
+					<button class="ui red mini compact button delete-button" data-modal-id="leave-team-sidebar"
 						data-url="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/leave" data-datauid="{{$.SignedUser.ID}}"
 						data-name="{{.Team.Name}}">{{ctx.Locale.Tr "org.teams.leave"}}</button>
 				</form>
 			{{else if .IsOrganizationOwner}}
 				<form method="post" action="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/join">
 					<input type="hidden" name="page" value="team">
-					<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
+					<button type="submit" class="ui primary mini compact button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
 				</form>
 			{{end}}
 		</div>
--- a/templates/org/team/teams.tmpl
+++ b/templates/org/team/teams.tmpl
@@ -17,23 +17,23 @@
 					<div class="ui top attached header">
 						<a class="tw-text-text" href="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}"><strong>{{.Name}}</strong></a>
 						<div class="ui right">
-							<a class="ui primary tiny button" href="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}">{{ctx.Locale.Tr "view"}}</a>
+							<a class="ui primary mini compact button" href="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}">{{ctx.Locale.Tr "view"}}</a>
 							{{if .IsMember ctx $.SignedUser.ID}}
 								<form>
-									<button class="ui red tiny button delete-button" data-modal-id="leave-team"
+									<button class="ui red mini compact button delete-button" data-modal-id="leave-team"
 										data-url="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/leave" data-datauid="{{$.SignedUser.ID}}"
 										data-name="{{.Name}}">{{ctx.Locale.Tr "org.teams.leave"}}</button>
 								</form>
 							{{else if $.IsOrganizationOwner}}
 								<form method="post" action="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/join">
-									<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
+									<button type="submit" class="ui primary mini compact button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
 								</form>
 							{{end}}
 						</div>
 					</div>
 					<div class="ui attached segment members">
 						{{range .Members}}
-							{{template "shared/user/avatarlink" dict "user" .}}
+							{{template "shared/user/avatarlink" dict "user" . "size" 32 "tooltip" true}}
 						{{end}}
 					</div>
 					<div class="ui bottom attached header">
--- a/templates/repo/actions/list.tmpl
+++ b/templates/repo/actions/list.tmpl
@@ -25,49 +25,49 @@
 				</div>
 			</div>
 			<div class="flex-container-main">
-				<div class="ui top attached header tw-flex tw-items-center tw-justify-between">
-					<span class="tw-text-base tw-font-semibold">{{ctx.Locale.TrN .Page.Paginater.Total "actions.runs.workflow_run_count_1" "actions.runs.workflow_run_count_n" .Page.Paginater.Total}}</span>
-					<div class="ui secondary filter menu tw-flex tw-items-center tw-m-0">
-					<!-- Actor -->
-					<div class="ui{{if not .Actors}} disabled{{end}} dropdown jump item">
-						<span class="text">{{ctx.Locale.Tr "actions.runs.actor"}}</span>
-						{{svg "octicon-triangle-down" 14 "dropdown icon"}}
-						<div class="menu">
-							<div class="ui icon search input">
-								<i class="icon">{{svg "octicon-search"}}</i>
-								<input type="text" placeholder="{{ctx.Locale.Tr "actions.runs.actor"}}">
-							</div>
-							<a class="item{{if not $.CurActor}} active{{end}}" href="?workflow={{$.CurWorkflow}}&status={{$.CurStatus}}&actor=0">
-								{{ctx.Locale.Tr "actions.runs.actors_no_select"}}
-							</a>
-							{{range .Actors}}
-								<a class="item{{if eq .ID $.CurActor}} active{{end}}" href="?workflow={{$.CurWorkflow}}&actor={{.ID}}&status={{$.CurStatus}}">
-									{{ctx.AvatarUtils.Avatar . 20}} {{.GetDisplayName}}
+				<div class="ui top attached header flex-text-block tw-flex-wrap tw-justify-between">
+					<strong>{{ctx.Locale.TrN .Page.Paginater.Total "actions.runs.workflow_run_count_1" "actions.runs.workflow_run_count_n" .Page.Paginater.Total}}</strong>
+					<div class="ui secondary filter menu flex-text-block tw-m-0">
+						<!-- Actor -->
+						<div class="ui{{if not .Actors}} disabled{{end}} dropdown jump item">
+							<span class="text">{{ctx.Locale.Tr "actions.runs.actor"}}</span>
+							{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+							<div class="menu">
+								<div class="ui icon search input">
+									<i class="icon">{{svg "octicon-search"}}</i>
+									<input type="text" placeholder="{{ctx.Locale.Tr "actions.runs.actor"}}">
+								</div>
+								<a class="item{{if not $.CurActor}} active{{end}}" href="?workflow={{$.CurWorkflow}}&status={{$.CurStatus}}&actor=0">
+									{{ctx.Locale.Tr "actions.runs.actors_no_select"}}
 								</a>
-							{{end}}
-						</div>
-					</div>
-					<!-- Status -->
-					<div class="ui dropdown jump item">
-						<span class="text">{{ctx.Locale.Tr "actions.runs.status"}}</span>
-						{{svg "octicon-triangle-down" 14 "dropdown icon"}}
-						<div class="menu">
-							<div class="ui icon search input">
-								<i class="icon">{{svg "octicon-search"}}</i>
-								<input type="text" placeholder="{{ctx.Locale.Tr "actions.runs.status"}}">
+								{{range .Actors}}
+									<a class="item{{if eq .ID $.CurActor}} active{{end}}" href="?workflow={{$.CurWorkflow}}&actor={{.ID}}&status={{$.CurStatus}}">
+										{{ctx.AvatarUtils.Avatar . 20}} {{.GetDisplayName}}
+									</a>
+								{{end}}
+							</div>
+						</div>
+						<!-- Status -->
+						<div class="ui dropdown jump item">
+							<span class="text">{{ctx.Locale.Tr "actions.runs.status"}}</span>
+							{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+							<div class="menu">
+								<div class="ui icon search input">
+									<i class="icon">{{svg "octicon-search"}}</i>
+									<input type="text" placeholder="{{ctx.Locale.Tr "actions.runs.status"}}">
+								</div>
+								<a class="item{{if not $.CurStatus}} active{{end}}" href="?workflow={{$.CurWorkflow}}&actor={{$.CurActor}}&status=0">
+									{{ctx.Locale.Tr "actions.runs.status_no_select"}}
+								</a>
+								{{range .StatusInfoList}}
+									<a class="item{{if eq .Status $.CurStatus}} active{{end}}" href="?workflow={{$.CurWorkflow}}&actor={{$.CurActor}}&status={{.Status}}">
+										{{.DisplayedStatus}}
+									</a>
+								{{end}}
 							</div>
-							<a class="item{{if not $.CurStatus}} active{{end}}" href="?workflow={{$.CurWorkflow}}&actor={{$.CurActor}}&status=0">
-								{{ctx.Locale.Tr "actions.runs.status_no_select"}}
-							</a>
-							{{range .StatusInfoList}}
-								<a class="item{{if eq .Status $.CurStatus}} active{{end}}" href="?workflow={{$.CurWorkflow}}&actor={{$.CurActor}}&status={{.Status}}">
-									{{.DisplayedStatus}}
-								</a>
-							{{end}}
 						</div>
-					</div>

-					{{if .AllowDisableOrEnableWorkflow}}
+						{{if .AllowDisableOrEnableWorkflow}}
 						<button class="ui jump dropdown btn interact-bg tw-p-2">
 							{{svg "octicon-kebab-horizontal"}}
 							<div class="menu">
@@ -76,7 +76,7 @@
 								</a>
 							</div>
 						</button>
-					{{end}}
+						{{end}}
 					</div>
 				</div>

--- a/templates/repo/actions/runs_list.tmpl
+++ b/templates/repo/actions/runs_list.tmpl
@@ -11,9 +11,13 @@
 				{{template "repo/actions/status" (dict "status" $run.Status.String)}}
 			</div>
 			<div class="flex-item-main">
-				<a class="flex-item-title" title="{{$run.Title}}" href="{{$run.Link}}">
-					{{or $run.Title (ctx.Locale.Tr "actions.runs.empty_commit_message")}}
-				</a>
+				<span class="flex-item-title" title="{{$run.Title}}">
+					{{if $run.Title}}
+						{{ctx.RenderUtils.RenderCommitMessageLinkSubject $run.Title $run.Link $.Repository}}
+					{{else}}
+						<a href="{{$run.Link}}">{{ctx.Locale.Tr "actions.runs.empty_commit_message"}}</a>
+					{{end}}
+				</span>
 				<div class="flex-item-body">
 					<span><b>{{if not $.CurWorkflow}}{{$run.WorkflowID}} {{end}}#{{$run.Index}}</b>:</span>

--- a/templates/repo/actions/workflow_dispatch.tmpl
+++ b/templates/repo/actions/workflow_dispatch.tmpl
@@ -1,6 +1,9 @@
-<div class="ui blue info attached message tw-relative tw-z-10 tw-flex tw-justify-between tw-items-center">
-	<span class="ui text middle">{{ctx.Locale.Tr "actions.workflow.has_workflow_dispatch"}}</span>
-	<button class="ui mini button show-modal" data-modal="#runWorkflowDispatchModal">{{ctx.Locale.Tr "actions.workflow.run"}}{{svg "octicon-triangle-down" 14 "dropdown icon"}}</button>
+{{/* "z-index" is used to maintain continuous attached styling and keep the colored border-bottom visible (pre-existing fomantic issue with negative margins) */}}
+<div class="ui blue info attached message flex-text-block tw-flex-wrap tw-justify-between tw-z-1">
+	<span>{{ctx.Locale.Tr "actions.workflow.has_workflow_dispatch"}}</span>
+	<div class="flex-text-block tw-bg-box-body tw-rounded">{{/*make the button have correct hovered color */}}
+		<button class="ui mini button show-modal" data-modal="#runWorkflowDispatchModal">{{ctx.Locale.Tr "actions.workflow.run"}}{{svg "octicon-triangle-down" 14 "dropdown icon"}}</button>
+	</div>
 </div>
 <div id="runWorkflowDispatchModal" class="ui tiny modal">
 	<div class="content">
--- a/templates/repo/blame.tmpl
+++ b/templates/repo/blame.tmpl
@@ -45,10 +45,8 @@
 										<div class="blame-avatar">
 											{{$row.Avatar}}
 										</div>
-										<div class="blame-message">
-											<a class="suppressed tw-text-text" href="{{$row.CommitURL}}" title="{{$row.CommitMessage}}">
-												{{$row.CommitMessage}}
-											</a>
+										<div class="blame-message muted-links" title="{{$row.CommitMessage}}">
+											{{ctx.RenderUtils.RenderCommitMessageLinkSubject $row.CommitMessage $row.CommitURL $.Repository}}
 										</div>
 										<div class="blame-time not-mobile">
 											{{$row.CommitSince}}
--- a/templates/repo/diff/compare.tmpl
+++ b/templates/repo/diff/compare.tmpl
@@ -13,22 +13,16 @@
 				{{ctx.Locale.Tr "action.compare_commits_general"}}
 			{{end}}
 		</h2>
-		{{$BaseCompareName := $.BaseName -}}
-		{{- $HeadCompareName := $.HeadRepo.OwnerName -}}
-		{{- if and (eq $.BaseName $.HeadRepo.OwnerName) (ne $.Repository.Name $.HeadRepo.Name) -}}
-			{{- $HeadCompareName = printf "%s/%s" $.HeadRepo.OwnerName $.HeadRepo.Name -}}
-		{{- end -}}
-		{{- $OwnForkCompareName := "" -}}
-		{{- if .OwnForkRepo -}}
-			{{- $OwnForkCompareName = .OwnForkRepo.OwnerName -}}
-		{{- end -}}
-		{{- $RootRepoCompareName := "" -}}
-		{{- if .RootRepo -}}
-			{{- $RootRepoCompareName = .RootRepo.OwnerName -}}
-			{{- if eq $.HeadRepo.OwnerName .RootRepo.OwnerName -}}
-				{{- $HeadCompareName = printf "%s/%s" $.HeadRepo.OwnerName $.HeadRepo.Name -}}
-			{{- end -}}
-		{{- end -}}
+		{{$BaseCompareName := $.Repository.FullName -}}
+		{{$HeadCompareName := $.HeadRepo.FullName -}}
+		{{$OwnForkCompareName := "" -}}
+		{{if $.OwnForkRepo -}}
+			{{$OwnForkCompareName = $.OwnForkRepo.FullName -}}
+		{{end -}}
+		{{$RootRepoCompareName := "" -}}
+		{{if $.RootRepo -}}
+			{{$RootRepoCompareName = $.RootRepo.FullName -}}
+		{{end -}}

 		<div class="ui segment choose branch">
 			<a class="tw-mr-2" href="{{$.HeadRepo.Link}}/compare/{{PathEscapeSegments $.HeadBranch}}{{$compareSeparator}}{{if not $.PullRequestCtx.SameRepo}}{{PathEscape $.BaseName}}/{{PathEscape $.Repository.Name}}:{{end}}{{PathEscapeSegments $.BaseBranch}}" title="{{ctx.Locale.Tr "repo.pulls.switch_head_and_base"}}">{{svg "octicon-git-compare"}}</a>
--- a/Show More
+++ b/Show More