Commit graph

1679 commits

Author SHA1 Message Date
0ko
5088d3ab12 fix(ui/buttons): implement .disabled class (#10410)
Followup to https://codeberg.org/forgejo/forgejo/pulls/9359. `templates/repo/issue/list.tmpl` had buttons changed which had `.disabled` on them conditionally.

* adjust devtest page to have such buttons
* implement `.disabled` for the newer buttons that does the same thing as the `.ui` buttons do: apply custom opacity, disable pointer events
    * this is the most boring way of implementing this

Reported-by: @Gusted
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10410
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2025-12-16 14:18:08 +01:00
Nikita Karamov
a22e5f86c6 fix: Allow SHA-256 in PR commit URLs (#10309)
Closes #9129. I decided to try myself in contributing to Forgejo after having found this bug mentioned on Fedi.

I have also added a basic test for this behaviour, but this means that this PR adds a SHA-256 repo to the fixture set, so it can be reused in other tests.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10309
Reviewed-by: Lucas <sclu1034@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Nikita Karamov <me@kytta.dev>
Co-committed-by: Nikita Karamov <me@kytta.dev>
2025-12-16 00:45:00 +01:00
Rodrigo Villablanca
ebc36a9ec7 fix(10359): Count releases correctly when using filters (q) (#10387)
This PR fixes the issue https://codeberg.org/forgejo/forgejo/issues/10359

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10387
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Rodrigo Villablanca <villa061004@gmail.com>
Co-committed-by: Rodrigo Villablanca <villa061004@gmail.com>
2025-12-11 05:13:21 +01:00
floss4good
0ef51b24ab fix: 'More actions' (⋯) dropdown from moderation reports overview page (#10339)
Follow-up of !8716 (and !9951)

A _More actions_ (`⋯`) dropdown (where content related actions are available) was added with !8716 for the moderation reports overview page. Until that PR was merged another PR (!9951) changed the structure of JS-less dropdowns and adjusted the CSS rules. This PR adds the missing `.content` container for the dropdown added with !8716

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10339
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: floss4good <floss4good@disroot.org>
Co-committed-by: floss4good <floss4good@disroot.org>
2025-12-10 17:09:59 +01:00
Adora
f11d72a8a5 fix: issues and pulls route permitted extra characters (#10185)
Fix an issue where the `/{owner}/{repo}/issues` and `/{owner}/{repo}/pulls` routes permitted the addition of extra characters in the URL.

Resolves forgejo/forgejo#9954.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10185
Reviewed-by: Lucas <sclu1034@noreply.codeberg.org>
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Adora <me@adora.codes>
Co-committed-by: Adora <me@adora.codes>
2025-12-10 01:21:38 +01:00
floss4good
590104b5ca feat: render a link to poster profile next to the ID within shadow copy details (#10194)
Closes #10078 and includes another small improvement (for comments and issues/PRs the title from report/s details page already included the poster name; now it will be clickable, opening the poster profile page).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10194
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: floss4good <floss4good@disroot.org>
Co-committed-by: floss4good <floss4good@disroot.org>
2025-12-09 15:19:10 +01:00
0ko
2bde157a0d feat(i18n): translate system status data units in runtime (#10358)
Followup to https://codeberg.org/forgejo/forgejo/pulls/2528

Instead of storing translated strings in memory, store raw numbers and translate at template rendering time.

Our implementation of `TrSize` is not very efficient and is more expensive than just the underlying `humanize.IBytes`, but for me on localhost both ways render response to HTMLX's request to `/admin/system_status` in 0-1 ms.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10358
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-12-09 14:38:40 +01:00
0ko
fe53015fe4 fix(ui): do not wrongly highlight devtest link in navbar menu (#10357)
Fix copypaste induced bug. Followup to https://codeberg.org/forgejo/forgejo/pulls/10263.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10357
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: floss4good <floss4good@noreply.codeberg.org>
2025-12-07 17:44:28 +01:00
Andreas Ahlenstorf
ff4038970d fix: display action run attempt status instead of job status (#10321)
On the page displaying the logs of an action run attempt, the header directly above the logs always showed the status of the job. That resulted in the wrong status being displayed for previous run attempts.

Fixes https://codeberg.org/forgejo/forgejo/issues/10236.

![wrong-run-attempt](/attachments/d4f54cc7-a52b-4399-a7cd-efd71f5ebfa7)

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [x] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10321
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
2025-12-07 15:10:47 +01:00
Mathieu Fenniak
ac487e93d9 fix: reduce runtime of container cleanup by relying on mass digest cleanup (#10297)
The package cleanup routine checks every container version for whether it is referenced by a multi-platform manifest, which appears to be a performance problem indicated by CPU profiling collected in #9358 on SQLite systems.  This PR removes that check completely, which isn't necessary since #4698 added a much more performant mass-cleanup of these dangling platform versions.

May fix #9358 completely, but it leaves fundamental scalability concerns with SQLite due to long-running transactions.  The transactions will be shorter with this change.  Requires end-user testing to confirm if sufficiently fixed.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10297
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2025-12-05 15:45:47 +01:00
elle
f790d4dfe0 bug: signature: modify URL after error check (#10204)
Modifies the parsed URL after the error check.

Avoids a potential `nil`-pointer de-reference if an invalid URL string argument is provided. No current code path triggers the `nil`-pointer de-reference.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10204
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: elle <0xllx0@noreply.codeberg.org>
Co-committed-by: elle <0xllx0@noreply.codeberg.org>
2025-12-03 16:53:19 +01:00
famfo
b428d47aaa fix: add stub outboxes to actors (#10120)
Mastodon doesn't create actors locally if the outbox is not found.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10120
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>
2025-12-01 16:51:35 +01:00
0ko
3f207017a8 feat(ui): improve admin dashboard cron list (#10270)
* in both `/admin` and `/admin/cron`: use new buttons, they are slightly more compact, which i think fits this place well as currently rows here feel too tall
* in `/admin/cron`: use `octicon-play` consistently with `/admin` instead of `octicon-triangle-right`
* in `/admin`: replace verbose template HTML with Range-based generator
    * added integration test to verify page content

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10270
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-12-01 15:19:36 +01:00
0ko
1000a0da3a chore(ui): cleanup reviews css, improve consistency (#10268)
* show/hide resolved: got rid of classes `ui labeled button` - ignoring them overriding each other, they were contributing three useful CSS properties in total:
  ```css
  padding: 0;
  background: none;
  font-weight: 500;
  ```
  and were also contributing an undesired margin:
  ![](/attachments/4774be16-2989-4b69-bcdb-86e1acae2a85)
* also fixed inconsistent font size between two views
* additionally got rid of verbose fomantic classes since there was already a rule that could accept their properties
* got rid of unused class `add-code-comment-right`
* added testing for the hide/show/resolve/unresolved buttons, but not related to CSS, just thought it might be useful

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10268
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-12-01 01:30:25 +01:00
pat-s
c39a4368af refactor: migrate from lib/pq to jackc/pgx (#10219)
This PR migrates the unmaintained `lib/pq` library to `jackc/pgx`, which is the de-facto standard lib in go for postgres connections these days.

Some implementation notes:

We register both `pgx` and `postgresschema` driver names (for backward comp). We can't register `postgres` as this one is still used by `lib/pq` imported by `go-chi/session`, which is in use when users go for the "postgres" session type in the "Session" config.
It is questionable if anyone is really using the "postgres" driver option in the session config - but for consistency, it would be good to also migrate to `pgx` there, especially as the code lives within Forgejo under [go-chi/session](https://code.forgejo.org/go-chi/session).

`pgx` supports multi-host notation in the connection string. New tests have been added therefore.

`pgx` also allows for connection string parameters such as `?default_query_exec_mode=simple_protocol`. This should possibly allow running with `pgbouncer` "transaction" mode instead of "session", which could substantially enhance Postgres query handling.

## Checklist

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10219
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>
2025-11-30 17:47:45 +01:00
0ko
d4068e6bcf feat: improve devtest, link to it from user menu (#10263)
Addition to the user menu in navbar:
* display a link to `/devtest` if the instance run mode is dev instead of prod
* I think this is useful because:
    * devtest pages are in general useful in development, but are not easy to discover by newcomers
    * if the instance uses incorrect run mode, this entry should annoy its admin into fixing the issue

Improvements to `/devtest`:
* fix error pages links
* add a few headers and explanation for what this page is for

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10263
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-11-30 17:03:22 +01:00
nachtjasmin
8ee4a7d658 chore: ensure consistent import aliasing for services and models (#10253)
To make sure that the code stays maintainable, I added the `importas` linter to ensure that the imports for models and services stay consistent.

I realised that this might be needed after finding some discrepancies between singular/plural naming, and, especially in the case of the `forgejo.org/services/context` package, multiple different aliases like `gitea_ctx`, `app_context` and `forgejo_context`. I decided for `app_context`, as that seems to be the most commonly used naming.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10253
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: nachtjasmin <nachtjasmin@posteo.de>
Co-committed-by: nachtjasmin <nachtjasmin@posteo.de>
2025-11-30 17:00:57 +01:00
0ko
6edfeb60f9 ui: improve release editing (#9940)
Converted 8 buttons, fixed a few bugs with markdown editor, added some testing for template logic. The fixes are not auto-testable within reasonable effort and the changes like button conversion have nothing specific to be tested for.

### Convert form buttons to new buttons

|Before|After|
|-|-|
|![](/attachments/2e372363-4997-4831-9edb-e1a2c4839eb7)|![](/attachments/31c7be64-8f70-4287-b889-9055bc4a7a42)|

### Justify "Delete release" button away from other buttons

|Before|![](/attachments/e55124ee-b6e0-4098-ac06-d5ad8ada671f)|
|-|-|
|After|![](/attachments/22ea09b5-c6e2-4a02-ae77-d92e1dbe7a72)|

|Before|![](/attachments/2ad14280-676b-4341-ae85-a7036ea5ace2)|
|-|-|
|After|![](/attachments/6cbe7c70-8efd-4b35-bb12-21a19eaafa67)|

### Fix markdown editor on mobile

|Before|After|
|-|-|
|![](/attachments/21ed3b55-ea88-446f-b074-6242b07a38e1)|![](/attachments/d033b67f-c8bb-42e7-96a9-de48289e1ba2)|

### Buttons preview on mobile

|Before|After|Before|After|
|-|-|-|-|
|![](/attachments/2795d62c-e909-457d-9e52-81a76ab6531f)|![](/attachments/af6e534e-5300-42d6-93c3-4b763039e2ae)|![](/attachments/7812d273-c371-4ed1-8054-a80c0cfc2518)|![](/attachments/a98e8ad3-818d-4254-b9cd-70c81dd40fb9)|

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9940
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2025-11-30 05:08:24 +01:00
Gusted
9bca858c42 fix: path escape browse further URL (#10265)
- Resolves forgejo/forgejo#10214
- The renamed file can be any value, so escape it properly for usage in a URL path.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10265
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-11-30 02:58:15 +01:00
Mathieu Fenniak
482ba3a4e5 feat(actions): support referencing ${{ needs... }} variables in strategy.matrix (#10244)
https://code.forgejo.org/forgejo/forgejo-actions-feature-requests/issues/71 requires partial implementation in runner, and partial in Forgejo; this is the Forgejo implementation.

Allows for the definition of dynamic job matrixes in Forgejo Actions, where an earlier job provides an output that is used in `strategy.matrix` for a later job that requires it.  For example, adapted from the GitHub Actions example for this feature:

```yaml
name: shared matrix
on:
  push:
  workflow_dispatch:

jobs:
  define-matrix:
    runs-on: docker

    outputs:
      colors: ${{ steps.colors.outputs.colors }}

    steps:
      - name: Define Colors
        id: colors
        run: |
          echo 'colors=["red", "green", "blue"]' >> "$GITHUB_OUTPUT"

  produce-artifacts:
    runs-on: docker
    needs: define-matrix
    strategy:
      matrix:
        color: ${{ fromJSON(needs.define-matrix.outputs.colors) }}

    steps:
      - name: Define Color
        env:
          color: ${{ matrix.color }}
        run: |
          echo "$color" > color
      - name: Produce Artifact
        uses: https://data.forgejo.org/forgejo/upload-artifact@v4
        with:
          name: ${{ matrix.color }}
          path: color

  consume-artifacts:
    runs-on: docker
    needs:
    - define-matrix
    - produce-artifacts
    strategy:
      matrix:
        color: ${{ fromJSON(needs.define-matrix.outputs.colors) }}

    steps:
    - name: Retrieve Artifact
      uses: https://data.forgejo.org/forgejo/download-artifact@v4
      with:
        name: ${{ matrix.color }}

    - name: Report Color
      run: |
        cat color
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
    - https://codeberg.org/forgejo/docs/pulls/1607
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

## Release notes
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10244): feat(actions): support referencing ${{ needs... }} variables in `strategy.matrix`

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10244
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2025-11-29 17:49:04 +01:00
0ko
3bf4f0275a chore(e2e): use expect().toBeCloseTo instead of Math.round (#10257)
Followup to https://codeberg.org/forgejo/forgejo/pulls/6799, https://codeberg.org/forgejo/forgejo/pulls/9057

toBeCloseTo() recently popped in autocomplete suggestions and it seems like a cleaner way than using Math.round

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10257
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-11-29 16:59:17 +01:00
0ko
79c47c2e50 feat(ui): improve modal width rules (#10246)
Followup to https://codeberg.org/forgejo/forgejo/pulls/9636, https://codeberg.org/forgejo/forgejo/pulls/8859#issuecomment-6651595.

1. Due to lack of `min-width`, currently the new consistent dialogs can get disproportionally small to the screen. This PR adds a min-width of 400px. No deep consideration went into choosing this particular width.
    * To make the test not depend on modals we have in the UI with some arbitrary widths a devtest page was added instead
2. Use more horizontal space on narrow screens

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10246
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2025-11-28 19:38:50 +01:00
nachtjasmin
b8126d7f38 fix(ui): use octicon-repo-forked in repo list (#10227)
Closes: #10153

![Screenshot of the fixed icon](/attachments/38559840-9cd0-4e37-9a25-106d21db8a42)

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10227
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: nachtjasmin <nachtjasmin@posteo.de>
Co-committed-by: nachtjasmin <nachtjasmin@posteo.de>
2025-11-26 11:21:20 +01:00
Andreas Ahlenstorf
ac9c4282bd fix: download logs of currently displayed Action run attempt (#10225)
While the page `/{owner}/{repo}/actions/runs/{run}/jobs/{job}/attempt/{attempt}` offers a button to download the logs of the currently displayed Action run attempt, it always sent the logs of the last attempt. For example, if there were two attempts, it was impossible to download the logs of the first attempt. With this fix, the user receives the logs of the attempt currently being displayed.

Users that have the page open while Forgejo is being upgraded will not be able to download logs until they have refreshed the page.

Fixes https://codeberg.org/forgejo/forgejo/issues/10221.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

## Release notes
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10225): download logs of currently displayed Action run attempt

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10225
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
2025-11-25 04:54:29 +01:00
floss4good
a93fa287f4 fix: make sure the details page is still rendered correctly even if the poster of reported comment was deleted (#10199)
When opening the report details page of a reported comment whose poster was meanwhile deleted, the title was wrongly saying that _Reported content with type 4 and id ... no longer exists_ (on the overview page the title was correctly showing the content reference). This PR fixes the issue and adds some tests for this case.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10199
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: floss4good <floss4good@disroot.org>
Co-committed-by: floss4good <floss4good@disroot.org>
2025-11-21 23:04:09 +01:00
0ko
de3f376882 feat(ui): convert disable/enable workflow menu to JS-less dropdown (#10133)
* convert the dropdown (overflow menu) to the JS-less one
    * the "link" still relies on JS to make a POST, changing this is not in scope of this PR
    * fixed the weird behavior where opener changes its color when hovering over the "link"
    * the bug where the script that refreshes the list once in a while closes an open dropdown is not fixed and is not in scope of this PR
* use border in the opener
    * it might not look as sleek but it is easier to see and better for the user to be able to understand that this is an active interactable element
* global dropdown improvements
    * add rounding rules for dropdowns with only one item - the first such case
    * add testing for rounding rules
    * added a devtest page to play with the dropdown component on

Preview

B: https://codeberg.org/forgejo/forgejo/attachments/1462cdda-71f5-45d0-a206-33bb17740cb8
A: https://codeberg.org/forgejo/forgejo/attachments/d3c265cb-6b77-40c8-9944-d9327f3bec65

B: https://codeberg.org/forgejo/forgejo/attachments/17f17c29-4dcd-4015-b5b9-6d438bd2eb0b
A: https://codeberg.org/forgejo/forgejo/attachments/d94e196c-725e-47de-b4de-ed97b148ceb6

B: https://codeberg.org/forgejo/forgejo/attachments/1813ded9-f619-47d9-bf15-ad4bcd3535ab
A: https://codeberg.org/forgejo/forgejo/attachments/09042e58-331e-414d-ac8f-0f1091033b7f

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10133
Reviewed-by: Otto <otto@codeberg.org>
2025-11-21 16:59:01 +01:00
Mathieu Fenniak
6c43dcbe0a 2025-11-21 combined security patches (#10037)
[CVSS 5.3 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) -- The `/repos/{owner}/{repo}/issues/{index}/dependencies` APIs allow a user to link an issue in one repository as "depending upon" an issue in another repository.  Forgejo's implementation had an incorrect permission check which would verify only that the user had write permissions on the issue being modified, and not on the issue it was linking to.  Due to the incorrect permission check, it was possible to view limited information (the existence of, and title of) an issue in a private repository that the user does not have access to view.  The permission check has been corrected to take into account visibility of the remote repository.

[CVSS 5.3 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) -- Fetching information about a release via the `/repos/{owner}/{repo}/releases/tag/{tag}` API endpoint did not check whether the release was a draft, allowing access to information about a draft release to users who could predict an upcoming release tag but didn't have access to view it.  The missing check has been added, returning a 404 response when the release is not published.

[CVSS 6.3 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- Forgejo's web interface allows deleting tags on a git repository through a form post.  The endpoint for this form post had misconfigured middleware handlers which enforce security rights, allowing an anonymous user, or a logged-in user without the correct permissions, to delete tags on repositories that they did not own by injecting arbitrary internal tag identifiers into the form.  The middleware handler configuration has been corrected.

[CVSS 2.1 Low](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- When the head branch of a pull request matches a branch protection rule, the head branch should be able to be merged or rebased only according to the "Push" rules defined in the protection rule.  An implementation error checked those branch protection rules in the context of the base repository rather than the head repository, allowing users with write access to the base repository to be considered able to push to the branch, bypassing the "Enable push" option's expected security control.

[CVSS 2.1 Low](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- An issue owner can manipulate form inputs to delete the content history of comments they did not create, as long as those comments are on issues that they own.  Although comment content is not affected, the history of edits on the comment can be trimmed.  The validation in the form handler was corrected.

[CVSS 5.1 Medium](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) -- When a repository is configured with tag protection rules, it should not be possible for a user that is outside the whitelisted users or teams to modify the protected tags.  An incorrect parameter being passed to a security verification method allowed a user with write access to the repo to delete tags even if they were protected, as long as the tag was originally created by a user who is still authorized by the protection rules.

## Release notes
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10037): fix(api): fix dependency repo perms in Create/RemoveIssueDependency
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10037): fix(api): draft releases could be read before being published
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10037): misconfigured security checks on tag delete web form
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10037): incorrect logic in "Update PR" did not enforce head branch protection rules correctly
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10037): issue owner can delete another user's comment's edit history on same issue
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10037): tag protection rules can be bypassed during tag delete operation

Co-authored-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10037
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2025-11-21 05:23:43 +01:00
Gabor Pihaj
861272b0e9 test: compare file list instead of byte length in gzipped repo archive test (#10161)
As discussed on matrix, on my NixOS machine and in a Ubuntu distrobox container these tests were failing, as the byte length of the response was different:
```
api_repo_archive_test.go:43:
        	Error Trace:	/home/vdx/workspace/personal/forgejo/tests/integration/api_repo_archive_test.go:43
        	Error:      	"[31 139 8 0 0 0 0 0 0 3 237 212 177 106 195 48 16 6 224 155 253 20 134 238 237 201 146 78 237 208 161 144 140 93 250 2 193 178 165 52 16 71 70 113 32 143 95 26 111 134 180 29 18 135 146 255 91 14 36 129 164 59 157 250 250 184 90 111 147 175 183 171 207 80 183 33 211 229 49 51 139 200 41 50 243 52 50 139 33 165 89 180 21 167 156 35 102 101 172 86 180 166 25 28 246 67 157 137 57 167 52 252 180 238 183 249 233 229 254 9 91 149 77 234 186 176 27 94 197 70 229 99 229 124 163 125 116 28 197 136 117 98 159 69 219 32 194 47 38 180 190 241 166 45 110 125 102 184 156 28 250 164 158 174 155 209 239 126 112 206 158 239 127 230 105 255 87 170 210 100 105 6 119 222 255 99 253 63 150 111 139 247 229 99 215 94 101 143 241 255 55 231 235 175 101 90 127 109 88 209 44 73 188 243 250 63 148 167 23 80 20 139 176 111 242 166 31 54 105 87 198 148 199 225 91 159 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 232 15 190 0 14 221 99 58 0 40 0 0]" should have 266 item(s), but has 264
```

Instead of comparing the byte length of the gzipped archive, it is probably an improvement to check the list of directories and files in the archive instead. The content of these files could be checked as well, as they are relatively small, but in general it might not always be feasible.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10161
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Gabor Pihaj <gabor.pihaj@gmail.com>
Co-committed-by: Gabor Pihaj <gabor.pihaj@gmail.com>
2025-11-19 16:14:44 +01:00
Shiny Nematoda
255ed593d3 feat(issue-search): support query syntax (#9109)
List of currently supported filters:

- `is:open` (or `-is:closed`)
- `is:closed` (or `-is:open`)
- `is:all`
- `author:<username>`
- `assignee:<username>`
- `review:<username>`
- `mentions:<username>`
- `modified:[>|<]<date>`, where `<date>` is the last update date.
- `sort:<by>:[asc|desc]`, where `<by>` is among
	- created
	- comments
	- updated
	- deadline

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9109
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Ellen Εμιλία Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
Co-committed-by: Shiny Nematoda <snematoda.751k2@aleeas.com>
2025-11-19 16:05:42 +01:00
Calixte Pernot
4d0c7db6cd feat: show link to pull requests targeting a non-default branch when pushing (#10079)
This resolves #10057 by showing a list of links to pull requests with the head branch being the one just pushed.

Since there may be multiple pull requests with different base branches, we find all of them and print them.

Here is a comparison table for pushing to the `feature` branch when having 2 pull requests: `feature -> dev`, and `feature -> prod`. `main` being the default branch.

## Before

```
remote:
remote: Create a new pull request for 'feature':
remote:   http://localhost:3000/user1/repo1/compare/main...feature
remote:
```

## After

```
remote:
remote: Create a new pull request for 'feature':
remote:   http://localhost:3000/user1/repo1/compare/main...feature
remote: Visit the existing pull requests:
remote:   http://localhost:3000/user1/repo1/pulls/1 merges into dev
remote:   http://localhost:3000/user1/repo1/pulls/3 merges into prod
remote:
```

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10079
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Calixte Pernot <cpernot@praksys.net>
Co-committed-by: Calixte Pernot <cpernot@praksys.net>
2025-11-19 14:59:13 +01:00
Earl Warren
238ecfdeb8 fix: garbage collect lingering actions logs (#10009)
If, for any reason (e.g. server crash), a task is recorded as done in the database but the logs are still in the database instead of being in storage, they need to be collected.

The log_in_storage field is only set to true after the logs have been transferred to storage and can be relied upon to reflect which tasks have lingering logs.

A cron job collects lingering logs every day, 3000 at a time, sleeping one second between them. In normal circumstances there will be only a few of them, even on a large instance, and there is no need to collect them as quickly as possible.

When there are a lot of them for some reason, garbage collection must happen at a rate that is not too hard on storage I/O.

Refs https://codeberg.org/forgejo/forgejo/issues/9999

---

Note on backports: the v11 backport is done manually because of minor conflicts. https://codeberg.org/forgejo/forgejo/pulls/10024

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

## Release notes
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10009): garbage collect lingering actions logs

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10009
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2025-11-18 18:59:01 +01:00
RaymondKroon
81f20a69b6 fix: do casefolding in OAuth2 account autolinking (#10072)
Resolves #9992.

Creating new users will make sure to avoid creating duplicate users where the only difference is a casing. Error handling did not handle this correctly, resulting in 500. This is fixed by searching for LowerName in the error handling.

Co-authored-by: Raymond Kroon <raymond.kroon@kadaster.nl>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10072
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: RaymondKroon <raymondkroon@noreply.codeberg.org>
Co-committed-by: RaymondKroon <raymondkroon@noreply.codeberg.org>
2025-11-16 16:39:06 +01:00
0ko
f0b4e3b943 feat(ui): JS-less dropdowns in navbar (#10025)
Replaced dropdowns in the navbar with JS-less ones from https://codeberg.org/forgejo/forgejo/pulls/7906.

Also made some changes to the dropdown component:
* fixed variable name
* painted backgrounds (hover, focus) are now consistently applied to the actual interactive items (`<a>`, `<button>`), not to `<li>`. This is consistent with how backgrounds are conditionally applied to pre-selected (`.active`) items and is better, as it allows to place additional things to `<li>`...
* ...`<hr>` can now be placed in some `<li>` instead of requiring splitting into multiple `<ul>`. This is simpler in code and I am guessing this should be better for a11y as screen readers can cast one continuous list instead of multiple ones. But have no hard proof that this is actually better. My main motivation was to avoid ugly mistake-prone tmpl logic where unconditional `<ul>` was getting closed and reopened inside of a condition.

I should note that on mobile all items, including these dropdowns, are hidden in another dropdown, and it stays JS-dependent for now. So this PR only makes this part of the UI JS-less for desktop.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10025
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-11-16 14:56:42 +01:00
oliverpool
67df538958 feat: cache derived keys for faster keying (#10114)
Currently `DeriveKey` is called every time that a secret must be encoded/decoded. Since this function is deterministic, its result can be cached to allow a 250x speedup (the original took less than half a microsecond, so this is more of a micro-optimization...).

```
go test -bench=.
goos: linux
goarch: amd64
pkg: forgejo.org/modules/keying
cpu: Intel(R) Core(TM) Ultra 5 125H
BenchmarkExpandPRK-18            2071627               564.2 ns/op
BenchmarkExpandPRKOnce-18       541438192                2.206 ns/op
PASS
ok      forgejo.org/modules/keying      2.369s
```

## Other changes

- Since the keys can be constructed once, it simplifies a bit the callsites (`keying.TOTP.Encrypt(...)` instead of `keying.DeriveKey(keying.ContextTOTP).Encrypt(...)`)
- All `Encrypt`/`Decrypt` calls will panic forever if called before `Init` has been called (currently it panics as long as `Init` has not been called)
- Calling `Init` twice with different keys will trigger a panic (currently racy)
- Calling `Decrypt` with a short ciphertext does not panic anymore (like when calling with long-enough garbage)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10114
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
2025-11-16 14:29:14 +01:00
0ko
ed4be8bf54 fix(test): improve reliability of E2E "Button text replaced by JS" (#10075)
Potentially addresses https://codeberg.org/forgejo/forgejo/pulls/9959#issuecomment-8214671

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10075
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: mfenniak <mfenniak@noreply.codeberg.org>
2025-11-16 04:45:20 +01:00
Gusted
691dd023ff chore: unify the usage of CryptoRandomString (#10110)
- Similar spirit of forgejo/forgejo!7453.
- Refactor the code in such a way that it always succeeds.
- To avoid doing mathematics if you use this function, define three security levels (64, 128 and 256 bits) that correspond to a specific length which has that security guarantee. I picked them as they fit the need for the existing usages of the code.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10110
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Lucas <sclu1034@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-11-15 13:24:53 +01:00
dawe
efd4d2d8f5 fix(ui): document token validity in key verification view (#9002)
Document that the token is only valid for a minute. Add a link to get a new token.

Resolves #8048

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9002
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: dawe <dawedawe@posteo.de>
Co-committed-by: dawe <dawedawe@posteo.de>
2025-11-14 23:40:03 +01:00
0ko
a51a8d5701 chore(test): cleanup NewRequest which no longer supply CSRF values (#10119)
Followup to https://codeberg.org/forgejo/forgejo/pulls/9830, which greatly simplified the tests that previously had to supply a csrf token in values map, but left behind the more complex funcs with empty maps.

Also fixed a few typos which popped up in the diff.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10119
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-11-14 23:21:10 +01:00
oliverpool
8f28cdefe0 feat(ui): add switch between formats when previewing CITATION.{cff,bib} files (#9103)
See #8222 for context (loosely related to #4595).

## Implemented changes

The conversion logic is kept in the frontend and the related npm libraries are lazy-loaded (unchanged).

### Show some tabs on the preview of the `CITATION.*` file to switch between the formats:

![image](/attachments/be02656f-d906-4191-aa84-d666ee5a90ba)
![image](/attachments/240384e3-dec8-4f02-94e6-261143193541)

### Convert the "Cite repository" to a simple link to the citation file

So that this change can be considered non-breaking

## Current state (before this PR)

The last non-test call of `git.Blob.GetBlobContent` is made to retrieve the content of an eventual CITATION file.
This is available in the `...` menu near the clone URL:
![image](/attachments/ef79128d-ee3f-4e43-a74d-a00e4dcfe6b4)
And is displayed as a popup:

![image](/attachments/7aa930f9-0766-47b9-8145-cbebb5b051b0)

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9103
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
2025-11-14 14:39:20 +01:00
Gusted
0737196842 chore: remove webkit and mobile safari from playwright (#10103)
Webkit and Mobile safari are comically unreliable, will fail for unexplainable reasons and are very hard to run locally in comparison with the other supported platforms. I do not remember the last time where these two platforms were able to catch a regression where the other platforms did not.

I would like to stress, for the historical record, that many hours have been devoted to adjusting the tests and following best practices to make these two platforms more stable but despite those, IMO wasted, efforts these two platforms are causing many hours of wasted CPU time simply because they are flaky and make (new) contributors nervous if their change contains a regression or not.

To my knowledge, the tests are not broken for these two platforms. If you go to the issue tracker you will not find issues by users that use these two platforms and report that Forgejo is broken. It does not reflect reality.

This is the sunk cost fallacy, bite the bullet and agree that these platforms will not contribute positively to Forgejo's excellent test suite.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10103
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-11-13 17:23:08 +01:00
Andreas Ahlenstorf
72b35c5a73 feat: display detailed action run diagnostics (#9966)
Forgejo Actions allows variables in `jobs.<job_id>.runs-on`. However, the action list [skips checking whether a suitable runner](c3412d0579/routers/web/repo/actions/actions.go (L114-L148)) is available if an expression contains variables. That hampers a user's ability to figure out whether an expression was evaluated correctly and why a job might not be picked up by an available runner.

This PR adds the ability to surface more complex and additional diagnostic information on the action view screen. Previously, only a job's status (waiting, running, ...) was displayed. Now, extended messages like "Waiting for a runner with the following labels: docker, trixie" are displayed with the possibility to show multiple messages simultaneously.

How it looked before:

![old](/attachments/019e4e83-d44e-4143-8df0-7fceb611a3bd)

How it looks after updating Forgejo without reloading the window:

![old-after-update](/attachments/e909af81-cf9e-4f44-a011-75585a2d1950)

How it looks afterwards with a single label:

![new-single-label](/attachments/72f4a862-e23d-4ab5-9f96-09545954f982)

How it looks afterwards with multiple labels:

![new-multiple-labels](/attachments/53036d7b-3589-4eeb-bad1-4da4cd5ff4b5)

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [x] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

## Release notes
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9966): display detailed action run diagnostics

Co-authored-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9966
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
2025-11-11 04:39:02 +01:00
Andreas Ahlenstorf
b3f1f115f7 fix: include variable values in /repos/.../actions/variables API response (#10036)
Previously, the variable value was empty when asking for a list of all repository variables.

I have extended the test coverage of all related endpoints and made the existing tests independent of each other.

## Release notes
- Other changes without a feature or bug label
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10036): include variable values in /repos/.../actions/variables API response

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10036
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
2025-11-10 23:07:32 +01:00
Gusted
5b77ddb050 feat: Use receive.hideRefs (#10015)
In forgejo/forgejo!2834 and forgejo/forgejo!5307 it was made so it's no longer possible to modify and delete internal references; not having this restriction led to broken pull requests when people used something like `git push --mirror`. However, it now still leads to problems with that command, as the git client tries to delete such references. We can solve this by using git's `receive.hideRefs` to make this ref read-only and avoid advertising it when someone does `git push --mirror`.

Resolves forgejo/forgejo#9942

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10015
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-11-10 14:36:15 +01:00
0ko
5c9a909c03 feat(ui): arrow key navigation in dropdown (#10033)
Addresses https://codeberg.org/forgejo/forgejo/pulls/7906#issuecomment-5455662, https://codeberg.org/forgejo/forgejo/pulls/10025#issuecomment-8182184

Add arrow navigation to the JS-less/JS-enhanced dropdown component.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10033
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-11-10 13:35:38 +01:00
Gusted
dd83b834f6 chore: adjust failing E2E tests (#10028)
Adjust the E2E tests to fail less often. See individual commits.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10028
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-11-09 05:56:38 +01:00
Mathieu Fenniak
ce93a16557 feat: allow/disallow users to run workflows when pushing to a pull request from a fork (#9397)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9397
Reviewed-by: Lucas <sclu1034@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2025-11-09 01:40:29 +01:00
0ko
2f6ca55a1c fix(ui): replace obsolete gt- helpers (#9964)
Resolved a few obsolete (no longer functional) `gt-` helpers that were not converted into other classes at some point.

`gt-interact-bg` was replaced by `interact-bg`. The remaining one was on action view page in a gear icon, which lacked proper background change on hover.

`gt-font-18` & `gt-font-normal` were remaining in the repo name on repo page. I left the `*-font-18` one out and kept fixed the font-weight, but also made the `/` use normal font-weight instead of semibold, which looks better.

Preview
Before: https://codeberg.org/attachments/e52d5ebc-7fa8-4057-8e4b-05d219525092
Gitea: https://codeberg.org/attachments/a9a50928-6e0e-483c-82fe-73b6c244f4d5
After: https://codeberg.org/attachments/fd04d5b1-1965-478f-9d45-97c5d994c780

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9964
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2025-11-08 18:21:05 +01:00
zokki
dc0a63efe2 fix: endless redirection loop between /user/settings/change_password and /user/settings/security (#10002)
Fixes forgejo/forgejo#9980

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

## Release notes
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10002): endless redirection loop between /user/settings/change_password and /user/settings/security

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10002
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
2025-11-07 21:12:47 +01:00
Earl Warren
57f986c7b1 feat: UI for the pull request trust management panel
See the documentation pull request for a description

https://codeberg.org/forgejo/docs/pulls/1567
https://forgejo.codeberg.page/@docs_pull_1567/docs/next/user/actions/security-pull-request/
2025-11-06 11:07:39 +01:00
Earl Warren
e41bcf5048 feat: add task to cleanup the ActionUser table weekly
test coverage is provided by TestAPICron which runs
registerCleanupActionUser()
2025-11-06 11:07:39 +01:00