chore: add email blocklist unit test

(cherry picked from commit a511e37572)

.air.toml

@@ -11,7 +11,7 @@ include_file = ["main.go"]
 include_dir = ["cmd", "models", "modules", "options", "routers", "services"]
 exclude_dir = [
   "models/fixtures",
-  "models/gitea_migrations/fixtures",
+  "models/migrations/fixtures",
   "modules/avatar/identicon/testdata",
   "modules/avatar/testdata",
   "modules/git/tests",

.deadcode-out

@@ -13,30 +13,34 @@ forgejo.org/models
 	IsErrSHANotFound
 	IsErrMergeDivergingFastForwardOnly
 
+forgejo.org/models/activities
+	GetActivityByID
+	NewFederatedUserActivity
+	CreateUserActivity
+	GetFollowingFeeds
+	FederatedUserActivity.loadActor
+
 forgejo.org/models/auth
 	WebAuthnCredentials
 
 forgejo.org/models/db
 	TruncateBeans
-	TruncateBeansCascade
+	InTransaction
 	DumpTables
-	GetTableNames
-	extendBeansForCascade
-	IsErrNameActivityPubInvalid
 
 forgejo.org/models/dbfs
 	file.renameTo
 	Create
 	Rename
 
+forgejo.org/models/forgefed
+	GetFederationHost
+
 forgejo.org/models/forgejo/semver
 	GetVersion
 	SetVersionString
 	SetVersion
 
-forgejo.org/models/forgejo_migrations
-	resetMigrations
-
 forgejo.org/models/git
 	RemoveDeletedBranchByID
 
@@ -50,14 +54,24 @@ forgejo.org/models/organization
 forgejo.org/models/perm/access
 	GetRepoWriters
 
+forgejo.org/models/repo
+	WatchRepoMode
+
 forgejo.org/models/user
-	IsErrUserWrongType
 	IsErrExternalLoginUserAlreadyExist
 	IsErrExternalLoginUserNotExist
 	NewFederatedUser
+	NewFederatedUserFollower
 	IsErrUserSettingIsNotExist
 	GetUserAllSettings
 	DeleteUserSetting
+	GetFederatedUser
+	GetFederatedUserByUserID
+	UpdateFederatedUser
+	GetFollowersForUser
+	AddFollower
+	RemoveFollower
+	IsFollowingAp
 
 forgejo.org/modules/activitypub
 	NewContext
@@ -77,6 +91,7 @@ forgejo.org/modules/base
 	SetupGiteaRoot
 
 forgejo.org/modules/cache
+	GetInt
 	WithNoCacheContext
 	RemoveContextData
 
@@ -87,13 +102,24 @@ forgejo.org/modules/eventsource
 	Event.String
 
 forgejo.org/modules/forgefed
+	NewForgeFollowFromAp
+	NewForgeFollow
+	ForgeFollow.MarshalJSON
+	ForgeFollow.UnmarshalJSON
+	ForgeFollow.Validate
 	NewForgeUndoLike
 	ForgeUndoLike.UnmarshalJSON
 	ForgeUndoLike.Validate
+	NewForgeUserActivityFromAp
+	NewForgeUserActivity
+	ForgeUserActivity.Validate
 	NewPersonIDFromModel
 	GetItemByType
 	JSONUnmarshalerFn
 	NotEmpty
+	NewForgeUserActivityNoteFromAp
+	newNote
+	ForgeUserActivityNote.Validate
 	ToRepository
 	OnRepository
 
@@ -103,7 +129,6 @@ forgejo.org/modules/git
 	AddChangesWithArgs
 	CommitChanges
 	CommitChangesWithArgs
-	IsErrMoreThanOne
 	SetUpdateHook
 	openRepositoryWithDefaultContext
 	ToEntryMode
@@ -132,9 +157,6 @@ forgejo.org/modules/json
 	StdJSON.Indent
 
 forgejo.org/modules/log
-	eventWriterBuffer.Close
-	eventWriterBuffer.Write
-	eventWriterBuffer.GetString
 	NewEventWriterBuffer
 
 forgejo.org/modules/markup
@@ -209,6 +231,7 @@ forgejo.org/modules/util/filebuffer
 
 forgejo.org/modules/validation
 	IsErrNotValid
+	ValidateIDExists
 
 forgejo.org/modules/web
 	RouteMock
@@ -225,22 +248,15 @@ forgejo.org/routers/web/org
 forgejo.org/services/context
 	GetPrivateContext
 
-forgejo.org/services/notify
-	UnregisterNotifier
-
 forgejo.org/services/repository
 	IsErrForkAlreadyExist
 
 forgejo.org/services/repository/files
 	ContentType.String
-	RepoFileOptionMode
 
 forgejo.org/services/repository/gitgraph
 	Parser.Reset
 
-forgejo.org/services/stats
-	Flush
-
 forgejo.org/services/webhook
 	NewNotifier
 

.devcontainer/devcontainer.json

@@ -1,12 +1,12 @@
 {
-  "name": "forgejo-dev",
-  "image": "mcr.microsoft.com/devcontainers/go:1.26-trixie",
+  "name": "Gitea DevContainer",
+  "image": "mcr.microsoft.com/devcontainers/go:1.24-bullseye",
   "features": {
     // installs nodejs into container
     "ghcr.io/devcontainers/features/node:1": {
-      "version": "24"
+      "version": "22"
     },
-    "ghcr.io/devcontainers/features/git-lfs:1.2.5": {},
+    "ghcr.io/devcontainers/features/git-lfs:1.2.4": {},
     "ghcr.io/warrenbuckley/codespace-features/sqlite:1": {}
   },
   "customizations": {

.editorconfig

@@ -30,6 +30,7 @@ insert_final_newline = false
 [options/locale/locale_*.ini]
 insert_final_newline = false
 
-# Weblate is configured to use one tab for indention
+# Weblate JSON output defaults to four spaces
 [options/locale_next/locale_*.json]
-indent_style = tab
+indent_style = space
+indent_size = 4

.forgejo/cascading-release-end-to-end

@@ -2,9 +2,6 @@
 
 set -ex
 
-# WARNING: Changes to the behaviour of this file should be backported to all active releases, as it is used in
-# `build-release.yml` from release branches.
-
 end_to_end=$1
 end_to_end_pr=$2
 forgejo=$3

.forgejo/issue_template/1-problem.yaml

@@ -1,107 +0,0 @@
-name: "Step 1: Report a problem or need"
-description: Please start here and describe your situation.
-title: "problem: "
-labels: ["problem", "impact/unknown"]
-body:
-- type: markdown
-  attributes:
-    value: |
-      **NOTE: If your issue is a security concern, please email <security@forgejo.org> ([security.txt](https://forgejo.org/.well-known/security.txt)) instead of opening a public issue.**
-- type: markdown
-  attributes:
-    value: |
-      - Please speak English, as this is the language all maintainers can speak and write.
-      - Be civil, and follow the [Forgejo Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
-      - Take a moment to [check if a similar problem has already been discussed in the past.](https://codeberg.org/forgejo/forgejo/issues?q=&type=all&labels=78137). Feel free to add your own experience there, if applicable.
-- type: markdown
-  attributes:
-    value: |
-      ### New workflow
-      
-      We are currently experimenting with a new workflow to manage issues and better understand your problems and needs. This is step 1 of the workflow: Please try to focus on explaining the problem you are facing, which could be a bug in the code, a moment of confusion, or a need that you have.
-      
-      We do not expect anything from Forgejo users after creating a problem report, but we appreciate if you stay responsive to further questions. If you want, you can also participate in a discussion for solutions.
-      
-      Forgejo contributors will review your report, try to understand how important it is to you and other Forgejo users, and suggest potential solutions. In a next step, solutions can be documented and implemented.
-      
-      If you want to learn more about the background of our workflow, feel invited to read and participate in [the discussion that led to the current approach](https://codeberg.org/forgejo/discussions/issues/415). We are looking forward to your feedback.
-- type: dropdown
-  id: can-reproduce
-  attributes:
-    label: Does your problem still exist on the latest Forgejo version?
-    description: |
-      Please try reproducing your problem at https://dev.next.forgejo.org or a local development version of Forgejo.
-      If you check that your problem is not already addressed by a recent change, this will save all volunteers involved a lot of time.
-    options:
-    - "Yes, the problem still exists (tested on a next instance)"
-    - "Yes, the problem still exists (tested locally with the latest development version)"
-    - "Unknown, I can't try it for some reason (please explain)"
-  validations:
-    required: true
-- type: textarea
-  id: environment
-  attributes:
-    label: About your usage of Forgejo
-    description: |
-      Please provide a brief description of your usage of Forgejo. There is no clear guideline on how much you need to share here. You can be brief, but we value the insights you provide us to better understand your use case. Thank you very much!
-      <details><summary>Further instructions</summary>
-      
-      * When reporting problems with certain functionality, you should include related information. Examples:
-        * When reporting an issue with setting up an identity provider, it is useful to know if you use Forgejo in a 10-users non-profit / start up, or if you are talking about a school / university with several thousands of users.
-        * When describing confusion, it will be relevant to know your skill level and background ("New, but used a similar product", "In my role as a project manager ..."), so we know for which target audience we need to design the functionality.
-        * When reporting workflow issues or needs, it will be useful to know how large your project is, how many team members you have, which skill level we are talking about etc. For example, we might choose a different design depending on whether a feature is only for professional developers or for hobby coders.
-      * If you want, we always appreciate generic information about your Forgejo usage to help us understand your usage and make better decisions. For example:
-        * Your personal relation to Forgejo and user role ("I'm new to Forgejo, but used a comparable product called …", "In my role as a designer, …").
-      * If you already explained your usage of Forgejo elsewhere (e.g. in another issue or in a user research repository), feel free to just drop a link.
-      
-      </details>
-  validations:
-    required: true
-- type: textarea
-  id: description
-  attributes:
-    label: Problem description
-    description: |
-      Please describe your problem as a first-hand experience. Try to focus on the problem. You do not have to find a solution, you can leave this to us.
-      <details><summary>Further instructions</summary>
-      
-      * Start by explaining what you want to achieve ("I wanted to find an issue to work on").
-      * Try to include steps that you took and that resulted in the current situation. ("I opened the issue tracker, clicked on …, then …").
-      * If there were moments of confusion, please describe them. ("There was a button saying … and I was not sure if it would do what I expect").
-      * If you want to do something and don't know how or if it is possible, explain the goal ("I would like to know if there are issues that meet the following criteria …").
-      
-      </details>
-  validations:
-    required: true
-- type: textarea
-  id: workarounds
-  attributes:
-    label: Potential workarounds
-    description: |
-      If you found a solution to your problem, even if it is not great, please share your experiences with it.
-      <details><summary>Further instructions</summary>
-      
-      * Start by explaining what you tried and how it worked out ("I used X and it gives me the results, but it takes a lot of time to click through the UI").
-      * What are the major problems with your workaround(s)? ("It takes long to get there", "It looks very ugly")
-      
-      </details>
-- type: input
-  id: forgejo-ver
-  attributes:
-    label: Forgejo Version
-    description: Forgejo version (or commit reference) your instance is running or that you used to reproduce the bug on Forgejo Next.
-- type: textarea
-  id: versions
-  attributes:
-    label: Other details about your environment (software names and versions)
-    description: |
-      Please include details to help us understand your problem: browser engine and version (for UI issues), operating system and version running Forgejo, database engine and version, deployment methods and relevant third-party packages (e.g. renderers, identity providers)
-  validations:
-    required: true
-- type: markdown
-  attributes:
-    value: |
-      ### Solutions
-      
-      *Accepted solutions to address this problem will go here*
-  visible: [content]

.forgejo/issue_template/2-enhancement.yaml

@@ -1,39 +0,0 @@
-name: "Step 2: Enhancement"
-description: "[Advanced users only] Suggest a solution to one or multiple problems that have already been reported (see step 1)."
-title: "enh: "
-labels: ["enhancement/feature"]
-body:
-- type: markdown
-  attributes:
-    value: |
-      - Please speak English, as this is the language all maintainers can speak and write.
-      - Be civil, and follow the [Forgejo Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
-- type: markdown
-  attributes:
-    value: |
-      ### New workflow
-      
-      We are currently experimenting with a new workflow to manage issues and better understand your problems and needs. This is step 2 of the workflow, which is intended for Forgejo contributors: If you just want to raise a problem or need you have, please refer to step 1.
-      
-      This step allows to document a solution to one or multiple problems. It allows developers to focus on actionable implementation tasks without the clutter of previous discussions or triaging work.
-      
-      If you want to learn more about the background of our workflow, feel invited to read and participate in [the discussion that led to the current approach](https://codeberg.org/forgejo/discussions/issues/415). We are looking forward to your feedback.
-- type: textarea
-  id: problems
-  attributes:
-    label: Existing problems this enhancement addresses
-    description: Only list the issue numbers of the **existing** problems that your proposal addresses. **Do not add new descriptions.** If you haven't previously described a problem, please [complete step one of the workflow](https://codeberg.org/forgejo/forgejo/issues/new?template=.forgejo%2fissue_template%2fproblem.yaml) and describe the problem you'd like to solve first.
-  validations:
-    required: true
-- type: textarea
-  id: description
-  attributes:
-    label: Enhancement description
-    description: Describe the changes you suggest for Forgejo and explain how they address the problems.
-  validations:
-    required: true
-- type: textarea
-  id: details
-  attributes:
-    label: Details and notes
-    description: Feel free to supply additional information like technical considerations, link to alternative solutions, UI mockups etc.

.forgejo/issue_template/bug-report-ui.yaml

@@ -1,5 +1,5 @@
 name: 🦋 Bug Report (web interface / frontend)
-description: "[Advanced users only] Something doesn't look quite as it should?  Report it here!"
+description: Something doesn't look quite as it should?  Report it here!
 title: "bug: "
 labels: ["bug/new-report", "forgejo/ui"]
 body:
@@ -23,9 +23,8 @@ body:
       It is running the latest development branch and will confirm the problem is not already fixed.
       If you can reproduce it, provide a URL in the description.
     options:
-    - "Yes, I've linked the repository below"
-    - "No, I've tried it and the problem is not present there"
-    - "No, I can't try it on the test instance for some reason"
+    - "Yes"
+    - "No"
   validations:
     required: true
 - type: textarea

.forgejo/issue_template/bug-report.yaml

@@ -1,5 +1,5 @@
 name: 🐛 Bug Report (server / backend)
-description: "[Advanced users only] Found something you weren't expecting? Report it here!"
+description: Found something you weren't expecting? Report it here!
 title: "bug: "
 labels: bug/new-report
 body:
@@ -23,9 +23,8 @@ body:
       It is running the latest development branch and will confirm the problem is not already fixed.
       If you can reproduce it, provide a URL in the description.
     options:
-    - "Yes, I've linked the repository below"
-    - "No, I've tried it and the problem is not present there"
-    - "No, I can't try it on the test instance for some reason"
+    - "Yes"
+    - "No"
   validations:
     required: true
 - type: textarea

.forgejo/issue_template/config.yml

@@ -1,4 +1,3 @@
-blank_issues_enabled: false
 contact_links:
   - name: 🔓 Security Reports
     url: mailto:security@forgejo.org

.forgejo/issue_template/feature-request.yaml

@@ -0,0 +1,31 @@
+name: 💡 Feature Request
+description: Got an idea for a feature that Forgejo doesn't have yet? Suggest it here!
+title: "feat: "
+labels: ["enhancement/feature"]
+body:
+- type: markdown
+  attributes:
+    value: |
+      - Please speak English, as this is the language all maintainers can speak and write.
+      - Be as clear and concise as possible. A very verbose request is harder to interpret in a concrete way.
+      - Be civil, and follow the [Forgejo Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
+      - Please make sure you are using the latest release of Forgejo and take a moment to [check that your feature hasn't already been suggested](https://codeberg.org/forgejo/forgejo/issues?q=&type=all&labels=78139).
+- type: textarea
+  id: needs-benefits
+  attributes:
+    label: Needs and benefits
+    description: As concisely as possible, describe the benefits your feature request will provide or the problems it will try to solve.
+  validations:
+    required: true
+- type: textarea
+  id: description
+  attributes:
+    label: Feature Description
+    description: As concisely as possible, describe the feature you would like to see added or the changes you would like to see made to Forgejo.
+  validations:
+    required: true
+- type: textarea
+  id: screenshots
+  attributes:
+    label: Screenshots
+    description: If you can, provide screenshots of an implementation on another site, e.g. GitHub.

.forgejo/pull_request_template.md

@@ -10,22 +10,13 @@ labels:
 
 ## Checklist
 
-The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
+The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
 
-### Tests for Go changes
-
-(can be removed for JavaScript changes)
+### Tests
 
 - I added test coverage for Go changes...
   - [ ] in their respective `*_test.go` for unit tests.
   - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
-- I ran...
-  - [ ] `make pr-go` before pushing
-
-### Tests for JavaScript changes
-
-(can be removed for Go changes)
-
 - I added test coverage for JavaScript changes...
   - [ ] in `web_src/js/*.test.js` if it can be unit tested.
   - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
@@ -37,9 +28,6 @@ The [contributor guide](https://forgejo.org/docs/next/contributor/) contains inf
 
 ### Release notes
 
-- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
-- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
-
-*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*
-
-The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.
+- [ ] I do not want this change to show in the release notes.
+- [ ] I want the title to show in the release notes with a link to this pull request.
+- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

.forgejo/testdata/build-release/Dockerfile

@@ -1,4 +1,4 @@
-FROM data.forgejo.org/oci/alpine:3.23
+FROM data.forgejo.org/oci/alpine:3.22
 ARG RELEASE_VERSION=unkown
 LABEL maintainer="contact@forgejo.org" \
       org.opencontainers.image.version="${RELEASE_VERSION}"

.forgejo/workflows-composite/build-backend/action.yaml

@@ -3,7 +3,7 @@ runs:
   steps:
     - run: |
         su forgejo -c 'make deps-backend'
-    - uses: https://data.forgejo.org/actions/cache@v5
+    - uses: https://data.forgejo.org/actions/cache@v4
       id: cache-backend
       with:
         path: ${{github.workspace}}/gitea

.forgejo/workflows-composite/install-minimum-git-version/action.yaml

@@ -1,22 +0,0 @@
-#
-# Install the minimal version of Git supported by Forgejo
-#
-runs:
-  using: "composite"
-  steps:
-    - name: install git and git-lfs
-      run: |
-        set -x
-
-        export DEBIAN_FRONTEND=noninteractive
-
-        apt-get update -qq
-        apt-get -q install -y -qq curl ca-certificates
-
-        curl -sS -o /tmp/git-man.deb https://archive.ubuntu.com/ubuntu/pool/main/g/git/git-man_2.34.1-1ubuntu1_all.deb
-        curl -sS -o /tmp/git.deb https://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.34.1-1ubuntu1_amd64.deb
-        curl -sS -o /tmp/git-lfs.deb https://archive.ubuntu.com/ubuntu/pool/universe/g/git-lfs/git-lfs_3.0.2-1_amd64.deb
-
-        apt-get -q install --allow-downgrades -y -qq /tmp/git-man.deb
-        apt-get -q install --allow-downgrades -y -qq /tmp/git.deb
-        apt-get -q install --allow-downgrades -y -qq /tmp/git-lfs.deb

.forgejo/workflows-composite/setup-cache-go/action.yaml

@@ -17,7 +17,7 @@ runs:
         apt-get -q install -qq -y zstd
 
     - name: "Set up Go using setup-go"
-      uses: https://data.forgejo.org/actions/setup-go@v6
+      uses: https://data.forgejo.org/actions/setup-go@v5
       id: go-version
       with:
         go-version-file: "go.mod"
@@ -50,11 +50,12 @@ runs:
 
     - name: "Restore Go dependencies from cache or mark for later caching"
       id: cache-deps
-      uses: https://data.forgejo.org/actions/cache@v5
+      uses: https://data.forgejo.org/actions/cache@v4
       with:
-        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod', 'Makefile') }}
+        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod') }}
         restore-keys: |
           setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-
         path: |
           ${{ steps.go-environment.outputs.modcache }}
           ${{ steps.go-environment.outputs.cache }}

.forgejo/workflows/backport.yml

@@ -40,14 +40,14 @@ jobs:
       )
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
       - name: event info
         run: |
           cat <<'EOF'
           ${{ toJSON(github) }}
           EOF
-      - uses: https://data.forgejo.org/actions/git-backporting@v4.9.1
+      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.5
         with:
           target-branch-pattern: "^backport/(?<target>(v.*))$"
           strategy: ort

.forgejo/workflows/build-release-integration.yml

@@ -1,8 +1,4 @@
 name: Integration tests for the release process
-enable-email-notifications: true
-
-env:
-  FORGEJO_VERSION: 11.0.13 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
 
 on:
   push:
@@ -29,14 +25,14 @@ jobs:
     if: vars.ROLE == 'forgejo-coding'
     runs-on: lxc-bookworm
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
 
       - id: forgejo
-        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.11
+        uses: https://data.forgejo.org/actions/setup-forgejo@v3.0.1
         with:
           user: root
           password: admin1234
-          image-version: ${{ env.FORGEJO_VERSION }}
+          image-version: 1.21
           lxc-ip-prefix: 10.0.9
 
       - name: publish the forgejo release

.forgejo/workflows/build-release.yml

@@ -33,7 +33,7 @@ jobs:
     # root is used for testing, allow it
     if: vars.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -43,11 +43,11 @@ jobs:
           repository="${{ github.repository }}"
           echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
 
-      - uses: https://data.forgejo.org/actions/setup-node@v6
+      - uses: https://data.forgejo.org/actions/setup-node@v4
         with:
           node-version: 22
 
-      - uses: https://data.forgejo.org/actions/setup-go@v6
+      - uses: https://data.forgejo.org/actions/setup-go@v5
         with:
           go-version-file: "go.mod"
 
@@ -93,7 +93,7 @@ jobs:
 
       - name: cache node_modules
         id: node
-        uses: https://data.forgejo.org/actions/cache@v5
+        uses: https://data.forgejo.org/actions/cache@v4
         with:
           path: |
             node_modules
@@ -164,7 +164,7 @@ jobs:
 
       - name: build container & release
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.4.1
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@@ -183,7 +183,7 @@ jobs:
 
       - name: build rootless container
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.4.1
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@@ -201,18 +201,17 @@ jobs:
 
       - name: end-to-end tests
         if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' && vars.SKIP_END_TO_END != 'true' }}
-        uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
+        uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
         with:
           origin-url: ${{ env.GITHUB_SERVER_URL }}
           origin-repo: ${{ github.repository }}
           origin-token: ${{ secrets.CASCADE_ORIGIN_TOKEN }}
-          origin-ref: ${{ github.ref }}
+          origin-ref: refs/heads/forgejo
           destination-url: https://code.forgejo.org
           destination-fork-repo: ${{ vars.CASCADE_DESTINATION_DOER }}/end-to-end
           destination-repo: forgejo/end-to-end
           destination-branch: main
           destination-token: ${{ secrets.CASCADE_DESTINATION_TOKEN }}
-          close: true
           update: .forgejo/cascading-release-end-to-end
 
       - name: copy to experimental
@@ -227,14 +226,11 @@ jobs:
             curl -sS -X DELETE $url/api/v1/repos/forgejo-experimental/forgejo/releases/tags/$tag > /dev/null
             curl -sS -X DELETE $url/api/v1/repos/forgejo-experimental/forgejo/tags/$tag > /dev/null
           fi
-          # actions/checkout@v6 sets http.https://codeberg.org/.extraheader with the automatic token. Get rid of it so
-          # it does not prevent using the token that has write permissions. As of @v6, it is stored in
-          # $RUNNER_TEMP/git-credentials-(uuid).config and included in the repo via
-          # includeif.gitdir:...=$RUNNER_TEMP/git-credentials-(uuid).config. Since we don't need these credentials
-          # anymore we can just remove the generated config file.
-          rm -f $RUNNER_TEMP/git-credentials-*
+          # actions/checkout@v3 sets http.https://codeberg.org/.extraheader with the automatic token.
+          # Get rid of it so it does not prevent using the token that has write permissions
+          git config --local --unset http.https://codeberg.org/.extraheader
           if test -f .git/shallow ; then
-            echo "unexpected .git/shallow file is present"
+            echo "unexptected .git/shallow file is present"
             echo "it suggests a checkout --depth X was used which may prevent pushing the commit"
             echo "it happens when actions/checkout is called without depth: 0"
           fi

.forgejo/workflows/cascade-setup-end-to-end.yml

@@ -35,13 +35,13 @@ jobs:
       )
     runs-on: docker
     container:
-      image: data.forgejo.org/oci/node:24-bookworm
+      image: data.forgejo.org/oci/node:22-bookworm
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
         with:
           fetch-depth: '0'
           show-progress: 'false'
-      - uses: https://data.forgejo.org/actions/cascading-pr@v2.3.0
+      - uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
         with:
           origin-url: ${{ env.GITHUB_SERVER_URL }}
           origin-repo: ${{ github.repository }}
@@ -53,5 +53,5 @@ jobs:
           destination-repo: forgejo/end-to-end
           destination-branch: main
           destination-token: ${{ secrets.END_TO_END_CASCADING_PR_DESTINATION }}
-          close: true
+          close-merge: true
           update: .forgejo/cascading-pr-end-to-end

.forgejo/workflows/coverage.yml

@@ -1,89 +0,0 @@
-name: coverage
-
-on:
-  workflow_dispatch:
-    inputs:
-      repository:
-        description: 'repository'
-        type: string
-      ref:
-        description: 'ref'
-        type: string
-      unit-tests-env:
-        description: 'COVERAGE_TEST_PACKAGES=forgejo.org/modules/actions'
-        type: string
-      integration-tests-env:
-        description: 'COVERAGE_TEST_ARGS=-run=TestAPIListRepoComments'
-        type: string
-
-jobs:
-  all:
-    runs-on: docker
-    container:
-      image: 'data.forgejo.org/oci/ci:1'
-      options: --tmpfs /tmp:exec,noatime
-    services:
-      elasticsearch:
-        image: data.forgejo.org/oci/bitnami/elasticsearch:7
-        options: --tmpfs /bitnami/elasticsearch/data
-        env:
-          discovery.type: single-node
-          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
-      minio:
-        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
-        options: >-
-          --hostname gitea.minio --tmpfs /bitnami/minio/data:noatime
-        env:
-          MINIO_DOMAIN: minio
-          MINIO_ROOT_USER: 123456
-          MINIO_ROOT_PASSWORD: 12345678
-      mysql:
-        image: 'data.forgejo.org/oci/bitnami/mysql:8.4'
-        env:
-          ALLOW_EMPTY_PASSWORD: yes
-          MYSQL_DATABASE: testgitea
-          #
-          # See also https://codeberg.org/forgejo/forgejo/issues/976
-          #
-          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
-        options: --tmpfs /bitnami/mysql/data:noatime
-      ldap:
-        image: data.forgejo.org/oci/forgejo-test-openldap:latest
-      pgsql:
-        image: data.forgejo.org/oci/bitnami/postgresql:16
-        env:
-          POSTGRESQL_DATABASE: test
-          POSTGRESQL_PASSWORD: postgres
-          POSTGRESQL_FSYNC: off
-          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
-        options: --tmpfs /bitnami/postgresql
-      cacher:
-        image: registry.redict.io/redict:7.3.6-scratch
-        options: --tmpfs /data:noatime
-    steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
-        with:
-          repository: ${{ inputs.repository }}
-          ref: ${{ inputs.ref }}
-      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git >= 2.42
-        uses: ./.forgejo/workflows-composite/apt-install-from
-        with:
-          packages: git
-      - uses: ./.forgejo/workflows-composite/build-backend
-      - run: |
-          su forgejo -c '${{ inputs.unit-tests-env }} make coverage-run'
-          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-pgsql'
-          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-mysql'
-          su forgejo -c '${{ inputs.integration-tests-env }} make coverage-run-sqlite'
-          su forgejo -c 'make coverage-merge'
-        timeout-minutes: 180
-        env:
-          TEST_ELASTICSEARCH_URL: http://elasticsearch:9200
-          TEST_MINIO_ENDPOINT: minio:9000
-          TEST_LDAP: 1
-          TEST_REDIS_SERVER: cacher:6379
-      - uses: https://data.forgejo.org/forgejo/upload-artifact@v5
-        with:
-          name: coverage
-          path: ${{ forge.workspace }}/coverage/merged

.forgejo/workflows/forgejo-integration-cleanup.yml

@@ -9,7 +9,7 @@ jobs:
     if: vars.ROLE == 'forgejo-integration'
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
 
       - name: apt install curl jq

.forgejo/workflows/merge-requirements.yml

@@ -1,4 +1,4 @@
-# Copyright 2025 The Forgejo Authors
+# Copyright 2024 The Forgejo Authors
 # SPDX-License-Identifier: MIT
 
 name: requirements
@@ -13,11 +13,10 @@ on:
 
 jobs:
   merge-conditions:
-    if: >
-      vars.ROLE == 'forgejo-coding' && forge.event.pull_request.head.repo.full_name != 'forgejo-cascading-pr/forgejo'
+    if: vars.ROLE == 'forgejo-coding'
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
       - name: Debug output
         run: |
@@ -27,9 +26,9 @@ jobs:
       - name: Missing test label
         if: >
           !(
-            contains(toJSON(forge.event.pull_request.labels), 'test/present')
-            || contains(toJSON(forge.event.pull_request.labels), 'test/not-needed')
-            || contains(toJSON(forge.event.pull_request.labels), 'test/manual')
+            contains(toJSON(github.event.pull_request.labels), 'test/present')
+            || contains(toJSON(github.event.pull_request.labels), 'test/not-needed')
+            || contains(toJSON(github.event.pull_request.labels), 'test/manual')
           )
         run: |
           echo "A team member must set the label to either 'present', 'not-needed' or 'manual'."
@@ -37,8 +36,8 @@ jobs:
       - name: Missing manual test instructions
         if: >
           (
-            contains(toJSON(forge.event.pull_request.labels), 'test/manual')
-            && !contains(toJSON(forge.event.pull_request.body), '# Test')
+            contains(toJSON(github.event.pull_request.labels), 'test/manual')
+            && !contains(toJSON(github.event.pull_request.body), '# Test')
           )
         run: |
           echo "Manual test label is set. The PR description needs to contain test steps introduced by a heading like:"

.forgejo/workflows/mirror.yml

@@ -11,7 +11,7 @@ jobs:
     if: ${{ secrets.MIRROR_TOKEN != '' }}
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
       - name: git push {v*/,}forgejo
         run: |

.forgejo/workflows/publish-release.yml

@@ -41,10 +41,10 @@ jobs:
     runs-on: lxc-bookworm
     if: vars.DOER != '' && vars.FORGEJO != '' && vars.TO_OWNER != '' && vars.FROM_OWNER != '' && secrets.TOKEN != ''
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
 
       - name: copy & sign
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.6.0
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.4.1
         with:
           from-forgejo: ${{ vars.FORGEJO }}
           to-forgejo: ${{ vars.FORGEJO }}
@@ -63,14 +63,14 @@ jobs:
 
       - name: get trigger mirror issue
         id: mirror
-        uses: https://data.forgejo.org/infrastructure/issue-action/get@v1.5.0
+        uses: https://data.forgejo.org/infrastructure/issue-action/get@v1.3.0
         with:
           forgejo: https://code.forgejo.org
           repository: forgejo/forgejo
           labels: mirror-trigger
 
       - name: trigger the mirror
-        uses: https://data.forgejo.org/infrastructure/issue-action/set@v1.5.0
+        uses: https://data.forgejo.org/infrastructure/issue-action/set@v1.3.0
         with:
           forgejo: https://code.forgejo.org
           repository: forgejo/forgejo
@@ -80,7 +80,7 @@ jobs:
           label: trigger
 
       - name: upgrade v*.next.forgejo.org
-        uses: https://data.forgejo.org/infrastructure/next-digest@v1.2.2
+        uses: https://data.forgejo.org/infrastructure/next-digest@v1.1.0
         with:
           url: https://placeholder:${{ secrets.TOKEN_NEXT_DIGEST }}@invisible.forgejo.org/infrastructure/next-digest
           ref_name: '${{ github.ref_name }}'

.forgejo/workflows/release-notes-assistant-milestones.yml

@@ -5,34 +5,32 @@ on:
     - cron: '@daily'
 
 env:
-  RNA_WORKDIR: /srv/rna
-  RNA_VERSION: v1.6.1 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_VERSION: v1.2.5 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
 
 jobs:
   release-notes:
     if: vars.ROLE == 'forgejo-coding'
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/ci:1'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
 
-      - uses: https://data.forgejo.org/actions/cache@v5
+      - uses: https://data.forgejo.org/actions/setup-go@v5
         with:
-          key: rna-${{ env.RNA_VERSION }}
-          path: ${{ env.RNA_WORKDIR }}
+          go-version-file: "go.mod"
+          cache: false
 
-      - name: install release-notes-assistant
+      - name: apt install jq
         run: |
-          set -x
-          wget -O /usr/local/bin/rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/${{ env.RNA_VERSION}}/release-notes-assistant
-          chmod +x /usr/local/bin/rna
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get -q install -y -qq jq
 
       - name: update open milestones
         run: |
           set -x
-          mkdir -p ${{ env.RNA_WORKDIR }}
-          curl -sS $FORGEJO_SERVER_URL/api/v1/repos/$FORGEJO_REPOSITORY/milestones?state=open | jq -r '.[] | .title' | while read forgejo version ; do
+          curl -sS $GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/milestones?state=open | jq -r '.[] | .title' | while read forgejo version ; do
             milestone="$forgejo $version"
-            rna --workdir ${{ env.RNA_WORKDIR }} --config .release-notes-assistant.yaml --storage milestone --storage-location "$milestone" --forgejo-url $FORGEJO_SERVER_URL --repository $FORGEJO_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} release $version
+            go run code.forgejo.org/forgejo/release-notes-assistant@$RNA_VERSION --config .release-notes-assistant.yaml --storage milestone --storage-location "$milestone"  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} release $version
           done

.forgejo/workflows/release-notes-assistant.yml

@@ -8,16 +8,16 @@ on:
       - labeled
 
 env:
-  RNA_VERSION: v1.6.1 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_VERSION: v1.2.5 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
 
 jobs:
   release-notes:
     if: ( vars.ROLE == 'forgejo-coding' ) && contains(github.event.pull_request.labels.*.name, 'worth a release-note')
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/ci:1'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
 
       - name: event
         run: |
@@ -28,12 +28,17 @@ jobs:
           ${{ toJSON(github.event) }}
           EOF
 
-      - name: install release-notes-assistant
+      - uses: https://data.forgejo.org/actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: apt install jq
         run: |
-          set -x
-          wget -O /usr/local/bin/rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/${{ env.RNA_VERSION}}/release-notes-assistant
-          chmod +x /usr/local/bin/rna
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get -q install -y -qq jq
 
       - name: release-notes-assistant preview
         run: |
-          rna --config .release-notes-assistant.yaml --storage pr --storage-location ${{ github.event.pull_request.number }} --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} preview ${{ github.event.pull_request.number }}
+          go run code.forgejo.org/forgejo/release-notes-assistant@$RNA_VERSION --config .release-notes-assistant.yaml --storage pr --storage-location ${{ github.event.pull_request.number }}  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} preview ${{ github.event.pull_request.number }}

.forgejo/workflows/renovate.yml

@@ -0,0 +1,74 @@
+#
+# Runs every 2 hours, but Renovate is limited to create new PR before 4am.
+# See renovate.json for more settings.
+# Automerge is enabled for Renovate PR's but need to be approved before.
+#
+name: renovate
+
+on:
+  push:
+    branches:
+      - renovate/** # self-test updates
+    paths:
+      - .forgejo/workflows/renovate.yml
+  schedule:
+    - cron: '0 0/2 * * *'
+  workflow_dispatch:
+
+env:
+  RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
+  RENOVATE_REPOSITORIES: ${{ github.repository }}
+  # fix because 10.0.0-58-7e1df53+gitea-1.22.0 < 10.0.0 for semver
+  # and codeberg api returns such versions from `git describe --tags`
+  # RENOVATE_X_PLATFORM_VERSION: 10.0.0+gitea-1.22.0 currently not needed
+
+jobs:
+  renovate:
+    if: vars.ROLE == 'forgejo-coding' && secrets.RENOVATE_TOKEN != ''
+
+    runs-on: docker
+    container:
+      image: data.forgejo.org/renovate/renovate:41.1.4
+
+    steps:
+      - name: Load renovate repo cache
+        uses: https://data.forgejo.org/actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        with:
+          path: |
+            .tmp/cache/renovate/repository
+            .tmp/cache/renovate/renovate-cache-sqlite
+            .tmp/osv
+          key: repo-cache-${{ github.run_id }}
+          restore-keys: |
+            repo-cache-
+
+      - name: Run renovate
+        run: renovate
+        env:
+          GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
+          LOG_LEVEL: debug
+          RENOVATE_BASE_DIR: ${{ github.workspace }}/.tmp
+          RENOVATE_ENDPOINT: ${{ github.server_url }}
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_REPOSITORY_CACHE: 'enabled'
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          RENOVATE_GIT_AUTHOR: 'Renovate Bot <forgejo-renovate-action@forgejo.org>'
+
+          RENOVATE_X_SQLITE_PACKAGE_CACHE: true
+
+          GIT_AUTHOR_NAME: 'Renovate Bot'
+          GIT_AUTHOR_EMAIL: 'forgejo-renovate-action@forgejo.org'
+          GIT_COMMITTER_NAME: 'Renovate Bot'
+          GIT_COMMITTER_EMAIL: 'forgejo-renovate-action@forgejo.org'
+
+          OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv
+
+      - name: Save renovate repo cache
+        if: always() && env.RENOVATE_DRY_RUN != 'full'
+        uses: https://data.forgejo.org/actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+        with:
+          path: |
+            .tmp/cache/renovate/repository
+            .tmp/cache/renovate/renovate-cache-sqlite
+            .tmp/osv
+          key: repo-cache-${{ github.run_id }}

.forgejo/workflows/testing-integration.yml

@@ -31,13 +31,16 @@ jobs:
     if: vars.ROLE == 'forgejo-integration'
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git 2.34.1 and git-lfs 3.0.2
-        uses: ./.forgejo/workflows-composite/install-minimum-git-version
+      - name: install git 2.30
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git/bullseye git-lfs/bullseye
+          release: bullseye
       - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-backend test-check'
@@ -50,13 +53,16 @@ jobs:
     if: vars.ROLE == 'forgejo-integration'
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install git 2.34.1 and git-lfs 3.0.2
-        uses: ./.forgejo/workflows-composite/install-minimum-git-version
+      - name: install git 2.30
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git/bullseye git-lfs/bullseye
+          release: bullseye
       - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-sqlite-migration test-sqlite'
@@ -66,34 +72,3 @@ jobs:
           RACE_ENABLED: true
           TEST_TAGS: sqlite sqlite_unlock_notify
           USE_REPO_TEST_DIR: 1
-  test-mariadb:
-#    if: vars.ROLE == 'forgejo-coding'
-    if: vars.ROLE == 'forgejo-integration'
-    runs-on: docker
-    name: ${{ format('test-mariadb (v{0})', matrix.version) }}
-    strategy:
-      matrix:
-        version: ['10.6', '11.8']
-    container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
-      options: --tmpfs /tmp:exec,noatime
-    services:
-      mysql:
-        image: ${{ format('data.forgejo.org/oci/mariadb:{0}', matrix.version) }}
-        env:
-          MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: yes
-          MARIADB_DATABASE: testgitea
-        options: --tmpfs /var/lib/mysql:noatime
-    steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
-      - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install dependencies
-        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
-        env:
-          DEBIAN_FRONTEND: noninteractive
-      - uses: ./.forgejo/workflows-composite/build-backend
-      - run: |
-          su forgejo -c 'make test-mysql-migration test-mysql'
-        timeout-minutes: 120
-        env:
-          USE_REPO_TEST_DIR: 1

.forgejo/workflows/testing.yml

@@ -1,5 +1,4 @@
 name: testing
-enable-email-notifications: true
 
 on:
   pull_request:
@@ -14,7 +13,7 @@ jobs:
     if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     steps:
       - name: event info
@@ -22,35 +21,23 @@ jobs:
           cat <<'EOF'
           ${{ toJSON(github) }}
           EOF
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
-      # DO NOT add checks here, but rather in the makefile
-      - run: su forgejo -c './tools/cimake.sh pr-go'
-      # this will re-run the backend target also contained in pr-go, but
-      # a re-build is insignificant
+      - run: su forgejo -c 'make deps-backend deps-tools'
+      - run: su forgejo -c 'make --always-make -j$(nproc) lint-backend tidy-check swagger-check lint-swagger fmt-check swagger-validate' # ensure the "go-licenses" make target runs
       - uses: ./.forgejo/workflows-composite/build-backend
   frontend-checks:
     if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
-
-      - uses: https://data.forgejo.org/actions/setup-node@v6
-        with:
-          node-version-file: .node-version
-
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - run: make deps-frontend
       - run: make lint-frontend
       - run: make checks-frontend
-      - name: make test-frontend-coverage
-        run: |
-          # Usage of `dayjs` can be impacted by local system timezone and can be sensitive to DST differences; since
-          # frontend tests are very short they're run twice with varying DST rules to reduce regression risk.
-          TZ=Europe/Berlin make test-frontend-coverage
-          TZ=America/Edmonton make test-frontend-coverage
+      - run: make test-frontend-coverage
       - run: make frontend
       - name: Install zstd for cache saving
         # works around https://github.com/actions/cache/issues/1169, because the
@@ -58,8 +45,8 @@ jobs:
         run: |
           apt-get update -qq
           apt-get -q install -qq -y zstd
-      - name: 'Cache frontend build for playwright testing'
-        uses: https://data.forgejo.org/actions/cache/save@v5
+      - name: "Cache frontend build for playwright testing"
+        uses: https://data.forgejo.org/actions/cache/save@v4
         with:
           path: ${{github.workspace}}/public/assets
           key: frontend-build-${{ github.sha }}
@@ -68,7 +55,7 @@ jobs:
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     services:
       elasticsearch:
@@ -76,7 +63,7 @@ jobs:
         options: --tmpfs /bitnami/elasticsearch/data
         env:
           discovery.type: single-node
-          ES_JAVA_OPTS: '-Xms512m -Xmx512m'
+          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
       minio:
         image: data.forgejo.org/oci/bitnami/minio:2024.8.17
         options: >-
@@ -86,8 +73,12 @@ jobs:
           MINIO_ROOT_USER: 123456
           MINIO_ROOT_PASSWORD: 12345678
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
+      - name: install git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git
       - name: test release-notes-assistant.sh
         run: |
           apt-get -q install -qq -y jq
@@ -109,17 +100,17 @@ jobs:
       image: 'data.forgejo.org/oci/playwright:latest'
       options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
         with:
           fetch-depth: 20
       - uses: ./.forgejo/workflows-composite/setup-env
-      - name: 'Restore frontend build'
-        uses: https://data.forgejo.org/actions/cache/restore@v5
+      - name: "Restore frontend build"
+        uses: https://data.forgejo.org/actions/cache/restore@v4
         id: cache-frontend
         with:
           path: ${{github.workspace}}/public/assets
           key: frontend-build-${{ github.sha }}
-      - name: 'Build frontend (if not cached)'
+      - name: "Build frontend (if not cached)"
         if: steps.cache-frontend.outputs.cache-hit != 'true'
         run: |
           su forgejo -c 'make deps-frontend frontend'
@@ -131,7 +122,7 @@ jobs:
           echo "all=1" >> "$GITHUB_OUTPUT"
       - name: Get changed files
         id: changed-files
-        uses: https://data.forgejo.org/tj-actions/changed-files@v47
+        uses: https://data.forgejo.org/tj-actions/changed-files@v46
         with:
           separator: '\n'
       - run: |
@@ -144,7 +135,7 @@ jobs:
           RUN_ALL: ${{steps.run-all.all}}
       - name: Upload test artifacts on failure
         if: failure()
-        uses: https://data.forgejo.org/forgejo/upload-artifact@v5
+        uses: https://data.forgejo.org/forgejo/upload-artifact@v4
         with:
           name: test-artifacts.zip
           path: tests/e2e/test-artifacts/
@@ -154,7 +145,7 @@ jobs:
     runs-on: docker
     needs: [backend-checks, frontend-checks, test-unit]
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     name: ${{ format('test-remote-cacher ({0})', matrix.cacher.name) }}
     strategy:
@@ -176,11 +167,13 @@ jobs:
       cacher:
         image: ${{ matrix.cacher.image }}
         options: ${{ matrix.cacher.options }}
-        env:
-          ALLOW_EMPTY_PASSWORD: 'yes' # redis & valkey will immediately shutdown with no defined password unless overridden
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
+      - name: install git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git
       - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-remote-cacher test-check'
@@ -188,13 +181,13 @@ jobs:
         env:
           RACE_ENABLED: 'true'
           TAGS: bindata
-          TEST_REDIS_SERVER: cacher:6379
+          TEST_REDIS_SERVER: cacher:${{ matrix.cacher.port }}
   test-mysql:
     if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     services:
       mysql:
@@ -208,12 +201,12 @@ jobs:
           MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
         options: --tmpfs /bitnami/mysql/data:noatime
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install dependencies
-        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
-        env:
-          DEBIAN_FRONTEND: noninteractive
+      - name: install dependencies & git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git git-lfs
       - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-mysql-migration test-mysql'
@@ -225,7 +218,7 @@ jobs:
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     services:
       minio:
@@ -235,8 +228,7 @@ jobs:
           MINIO_ROOT_PASSWORD: 12345678
         options: --tmpfs /bitnami/minio/data
       ldap:
-        image: data.forgejo.org/oci/forgejo-test-openldap:1
-        options: --memory 500M
+        image: data.forgejo.org/oci/test-openldap:latest
       pgsql:
         image: data.forgejo.org/oci/bitnami/postgresql:16
         env:
@@ -246,12 +238,12 @@ jobs:
           POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
         options: --tmpfs /bitnami/postgresql
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install dependencies
-        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
-        env:
-          DEBIAN_FRONTEND: noninteractive
+      - name: install dependencies & git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git git-lfs
       - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-pgsql-migration test-pgsql'
@@ -265,15 +257,15 @@ jobs:
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
-      - name: install dependencies
-        run: apt-get update -qq && apt-get -q install -qq -y git-lfs
-        env:
-          DEBIAN_FRONTEND: noninteractive
+      - name: install dependencies & git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git git-lfs
       - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-sqlite-migration test-sqlite'
@@ -293,23 +285,10 @@ jobs:
       - test-remote-cacher
       - test-unit
     container:
-      image: 'data.forgejo.org/oci/node:24-trixie'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
       options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://data.forgejo.org/actions/checkout@v6
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/workflows-composite/setup-env
       - run: su forgejo -c 'make deps-backend deps-tools'
       - run: su forgejo -c 'make security-check'
-  semgrep:
-    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
-    name: semgrep/ci
-    runs-on: docker
-    container:
-      image: 'data.forgejo.org/oci/semgrep:latest'
-    steps:
-      - run: apk add nodejs # required for actions/checkout
-      - uses: https://data.forgejo.org/actions/checkout@v6
-      - name: self-check semgrep rules
-        run: semgrep --test .semgrep/tests/ --config .semgrep/config/
-      - name: semgrep ci
-        run: semgrep ci --config .semgrep/config/ --metrics=off

.gitignore

@@ -37,8 +37,6 @@ _testmain.go
 
 *coverage.out
 coverage.all
-coverage.html
-coverage.html.gz
 coverage/
 cpu.out
 
@@ -55,8 +53,6 @@ cpu.out
 *.log
 *.log.*.gz
 
-/build/lint-locale/lint-locale
-/build/lint-locale-usage/lint-locale-usage
 /gitea
 /gitea-vet
 /debug
@@ -107,7 +103,6 @@ cpu.out
 /.air
 /.go-licenses
 /.cur-deadcode-out
-/.deadcode.diff
 
 # Files and folders that were previously generated
 /public/assets/img/webpack
@@ -134,4 +129,3 @@ prime/
 
 # Manpage
 /man
-tests/integration/api_activitypub_person_inbox_useractivity_test.go

.golangci.yml

@@ -1,4 +1,3 @@
----
 version: "2"
 output:
   sort-order:
@@ -13,9 +12,7 @@ linters:
     - forbidigo
     - gocritic
     - govet
-    - importas
     - ineffassign
-    - modernize
     - nakedret
     - nolintlint
     - revive
@@ -26,7 +23,6 @@ linters:
     - unused
     - usetesting
     - wastedassign
-    - nilnil
   settings:
     depguard:
       rules:
@@ -34,6 +30,10 @@ linters:
           deny:
             - pkg: encoding/json
               desc: use gitea's modules/json instead of encoding/json
+            - pkg: github.com/unknwon/com
+              desc: use gitea's util and replacements
+            - pkg: io/ioutil
+              desc: use os or io instead
             - pkg: golang.org/x/exp
               desc: it's experimental and unreliable
             - pkg: forgejo.org/modules/git/internal
@@ -42,51 +42,9 @@ linters:
               desc: do not use the ini package, use gitea's config system instead
             - pkg: github.com/minio/sha256-simd
               desc: use crypto/sha256 instead, see https://codeberg.org/forgejo/forgejo/pulls/1528
-            - pkg: github.com/go-git/go-git
-              desc: use forgejo.org/modules/git instead, see https://codeberg.org/forgejo/forgejo/pulls/4941
-            - pkg: gopkg.in/yaml.v3
-              desc: use go.yaml.in/yaml instead, see https://codeberg.org/forgejo/forgejo/pulls/8956
-        migration-isolation:
-          list-mode: lax
-          files:
-            - "**/models/forgejo_migrations/**"
-          deny:
-            - pkg: "forgejo.org/models"
-              desc: >
-                Migrations must not import application models. Application models will be the most recent schema for
-                Forgejo, while migrations will be operating against the database schema that existed when they were
-                authored.
-            - pkg: "forgejo.org/services"
-              desc: >
-                Migrations must not import application services. Application services will reference application
-                models which will use the most recent schema for Forgejo, while migrations will be operating against the
-                database schema that existed when they were authored.
-          allow:
-            - "forgejo.org/models/db"
-            - "forgejo.org/models/gitea_migrations/base"
-            - "forgejo.org/models/gitea_migrations/test"
     gocritic:
       disabled-checks:
         - ifElseChain
-    importas:
-      alias:
-        # Specific overrides that would violate the default rules further below.
-        - pkg: forgejo.org/models/db
-          alias: ""
-        - pkg: forgejo.org/models/organization
-          alias: org_model
-
-        - pkg: forgejo.org/services/context
-          alias: app_context
-        - pkg: forgejo.org/services/doctor
-          alias: doctor
-        - pkg: forgejo.org/services/repository
-          alias: repo_service
-
-        # Make sure that we follow a consistent naming for model and service aliases.
-        - pkg: 'forgejo.org/(model|service)s/(\w+)'
-          alias: '${2}_${1}'
-
     revive:
       severity: error
       rules:
@@ -121,10 +79,6 @@ linters:
         - name: unreachable-code
         - name: var-declaration
         - name: var-naming
-          arguments:
-            - []
-            - []
-            - - skip-package-name-checks: true
         - name: redefines-builtin-id
           disabled: true
     staticcheck:
@@ -132,10 +86,7 @@ linters:
         - all
     testifylint:
       disable:
-        - error-is-as
         - go-require
-    nilnil:
-      only-two: false
   exclusions:
     generated: lax
     presets:
@@ -160,7 +111,7 @@ linters:
           - errcheck
           - gocyclo
           - gosec
-        path: models/gitea_migrations/v
+        path: models/migrations/v
       - linters:
           - forbidigo
         path: cmd
@@ -186,215 +137,6 @@ linters:
       - linters:
           - staticcheck
         text: "(ST1005|ST1003|QF1001):"
-
-      # TODO: eventually remove this section entirely
-      - path: cmd/admin_auth_ldap_test.go
-        linters:
-          - nilnil
-      - path: cmd/admin_auth_oauth_test.go
-        linters:
-          - nilnil
-      - path: cmd/admin_auth_pam_test.go
-        linters:
-          - nilnil
-      - path: cmd/cmd.go
-        linters:
-          - nilnil
-      - path: cmd/forgejo/actions.go
-        linters:
-          - nilnil
-      - path: models/actions/run.go
-        linters:
-          - nilnil
-      - path: models/actions/task.go
-        linters:
-          - nilnil
-      - path: models/activities/action_list.go
-        linters:
-          - nilnil
-      - path: models/asymkey/gpg_key_object_verification.go
-        linters:
-          - nilnil
-      - path: models/auth/oauth2.go
-        linters:
-          - nilnil
-      - path: models/db/collation.go
-        linters:
-          - nilnil
-      - path: models/dbfs/dbfile.go
-        linters:
-          - nilnil
-      - path: models/forgejo_migrations_legacy/v32.go
-        linters:
-          - nilnil
-      - path: models/forgejo_migrations_legacy/v32_test.go
-        linters:
-          - nilnil
-      - path: models/db/context.go
-        linters:
-          - nilnil
-      - path: models/git/branch_list.go
-        linters:
-          - nilnil
-      - path: models/git/lfs_lock.go
-        linters:
-          - nilnil
-      - path: models/git/protected_branch.go
-        linters:
-          - nilnil
-      - path: models/git/protected_tag.go
-        linters:
-          - nilnil
-      - path: models/issues/issue.go
-        linters:
-          - nilnil
-      - path: models/issues/issue_xref.go
-        linters:
-          - nilnil
-      - path: models/issues/review.go
-        linters:
-          - nilnil
-      - path: models/organization/org_user.go
-        linters:
-          - nilnil
-      - path: models/quota/rule.go
-        linters:
-          - nilnil
-      - path: models/repo/archiver.go
-        linters:
-          - nilnil
-      - path: models/repo/fork.go
-        linters:
-          - nilnil
-      - path: models/repo/topic.go
-        linters:
-          - nilnil
-      - path: models/user/email_address.go
-        linters:
-          - nilnil
-      - path: models/user/list.go
-        linters:
-          - nilnil
-      - path: models/user/user.go
-        linters:
-          - nilnil
-      - path: models/repo/repo.go
-        linters:
-          - nilnil
-      - path: modules/git/commit.go
-        linters:
-          - nilnil
-      - path: modules/git/foreachref/parser.go
-        linters:
-          - nilnil
-      - path: modules/git/last_commit_cache.go
-        linters:
-          - nilnil
-      - path: modules/git/log_name_status.go
-        linters:
-          - nilnil
-      - path: modules/graceful/net_unix.go
-        linters:
-          - nilnil
-      - path: modules/indexer/internal/bleve/util.go
-        linters:
-          - nilnil
-      - path: modules/indexer/issues/util.go
-        linters:
-          - nilnil
-      - path: modules/optional/serialization.go
-        linters:
-          - nilnil
-      - path: modules/setting/storage.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/chef/auth.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/container/auth.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/nuget/auth.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/swift/swift.go
-        linters:
-          - nilnil
-      - path: routers/web/auth/oauth.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/compare.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/release.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/setting/runners.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/setting/secrets.go
-        linters:
-          - nilnil
-      - path: routers/web/repo/setting/variables.go
-        linters:
-          - nilnil
-      - path: services/actions/context.go
-        linters:
-          - nilnil
-      - path: services/actions/task.go
-        linters:
-          - nilnil
-      - path: services/actions/trust.go
-        linters:
-          - nilnil
-      - path: services/contexttest/context_tests.go
-        linters:
-          - nilnil
-      - path: services/gitdiff/csv.go
-        linters:
-          - nilnil
-      - path: services/issue/assignee.go
-        linters:
-          - nilnil
-      - path: routers/api/packages/conan/auth.go
-        linters:
-          - nilnil
-      - path: services/issue/commit.go
-        linters:
-          - nilnil
-      - path: services/issue/issue.go
-        linters:
-          - nilnil
-      - path: services/migrations/onedev.go
-        linters:
-          - nilnil
-      - path: services/packages/cargo/index.go
-        linters:
-          - nilnil
-      - path: services/pull/check.go
-        linters:
-          - nilnil
-      - path: services/pull/comment.go
-        linters:
-          - nilnil
-      - path: services/pull/merge.go
-        linters:
-          - nilnil
-      - path: services/pull/review.go
-        linters:
-          - nilnil
-      - path: services/remote/promote.go
-        linters:
-          - nilnil
-      - path: services/repository/archiver/archiver.go
-        linters:
-          - nilnil
-      - path: services/repository/generate_repo_commit.go
-        linters:
-          - nilnil
-      - path: services/repository/repository.go
-        linters:
-          - nilnil
     paths:
       - node_modules
       - public

.mockery.yml

@@ -1,17 +0,0 @@
-formatter: gofmt
-template: testify
-packages:
-  forgejo.org/modules/nosql:
-    config:
-      filename: mocks.go # make mocks public so that external packages can use
-  forgejo.org/services/auth/method:
-  forgejo.org/services/authz:
-    config:
-      filename: authorization_reducer_mock.go # make mocks public so that external packages can use
-  code.forgejo.org/go-chi/cache:
-    interfaces:
-      Cache:
-        config:
-          pkgname: cache
-          dir: modules/cache
-          filename: mocks.go # make mocks public, not `_test.go`, so that external packages can mock caching

.node-version

@@ -1 +0,0 @@
-24.15.0

.release-notes-assistant.yaml

@@ -5,10 +5,8 @@ branch-find-version: 'v(?P<version>\d+\.\d+)/forgejo'
 branch-to-version: '${version}.0'
 branch-from-version: 'v%[1]d.%[2]d/forgejo'
 tag-from-version: 'v%[1]d.%[2]d.%[3]d'
-supported-release-count: 3
 branch-known:
-# replace with v15 when v11 becomes EOL
-  - 'v11.0/forgejo'
+  - 'v7.0/forgejo'
 cleanup-line: 'sed -Ee "s/^(feat|fix):\s*//g" -e "s/^\[WIP\] //" -e "s/^WIP: //" -e "s;\[(UI|BUG|FEAT|v.*?/forgejo)\]\s*;;g"'
 render-header: |
 

.semgrep/config/auth.yaml

@@ -1,111 +0,0 @@
-rules:
-  - id: forgejo-api-use-resource-SearchRepoOptions
-    patterns:
-      - pattern: |
-          repo_model.SearchRepoOptions{...}
-      - pattern-not: |
-          repo_model.SearchRepoOptions{
-            ...,
-            AuthorizationReducer: ctx.Reducer,
-            ...
-          }
-    languages:
-      - go
-    message: >
-      SearchRepoOptions does not take into account fine-grained access token limitations.  Include the
-      AuthorizationReducer field.
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-use-resource-SearchRepoOptions
-    patterns:
-      - pattern: |
-          organization.SearchTeamRepoOptions{...}
-      - pattern-not: |
-          organization.SearchTeamRepoOptions{
-            ...,
-            AuthorizationReducer: ctx.Reducer,
-            ...
-          }
-    languages:
-      - go
-    message: >
-      SearchTeamRepoOptions does not take into account fine-grained access token limitations.  Include the
-      AuthorizationReducer field.
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-use-resource-GetUserRepoPermission
-    patterns:
-      - pattern: |
-          $X.GetUserRepoPermission($CTX, $REPO, $DOER)
-      - metavariable-type:
-          metavariable: $CTX
-          types:
-            - "*context.APIContext"
-    languages:
-      - go
-    message: >
-      GetUserRepoPermission does not take into account fine-grained access token limitations.  Use
-      GetUserRepoPermissionWithReducer.
-    fix: |
-      $X.GetUserRepoPermissionWithReducer($CTX, $REPO, $DOER, $CTX.Reducer)
-    severity: ERROR
-
-  - id: forgejo-api-suspicious-GetUserRepoPermission
-    patterns:
-      - pattern: $X.GetUserRepoPermission($CTX, $REPO, $DOER)
-      - pattern-not: # don't match if identical to forgejo-api-use-resource-GetUserRepoPermission
-          patterns:
-          - pattern: |
-              $X.GetUserRepoPermission($CTX, $REPO, $DOER)
-          - metavariable-type:
-              metavariable: $CTX
-              types:
-                - "*context.APIContext"
-    languages:
-      - go
-    message: >
-      API code is accessing GetUserRepoPermission which does not take into account fine-grained access token
-      limitations.  Should this use GetUserRepoPermissionWithReducer?
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-direct-IsAdmin-check
-    patterns:
-      - pattern: |
-          ctx.Doer.IsAdmin
-    languages:
-      - go
-    message: |
-      ctx.Doer.IsAdmin does not take into account limited API access tokens.  Use ctx.IsUserSiteAdmin() instead.
-    fix: |
-      ctx.IsUserSiteAdmin()
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-
-  - id: forgejo-api-direct-repo-Admin-check
-    patterns:
-      - pattern: |
-          ctx.Repo.IsAdmin()
-      - pattern: |
-          ctx.Repo.IsOwner()
-    languages:
-      - go
-    message: |
-      ctx.Repo.IsAdmin/IsOwner() does not take into account limited API access tokens.  Use ctx.IsUserRepoAdmin() instead.
-    fix: |
-      ctx.IsUserRepoAdmin()
-    severity: ERROR
-    paths:
-      include:
-        - "/routers/api/**/*.go"
-

.semgrep/config/go.yaml

@@ -1,18 +0,0 @@
-rules:
-  - id: forgejo-switch-empty-case
-    pattern-either:
-      - pattern: |-
-          switch $_ {
-            case $_:
-          }
-      - patterns:
-        - pattern: |-
-            switch {
-              case $_:
-            }
-    languages:
-      - go
-    severity: ERROR
-    message: >
-      switch has a case block with no content. This is treated as "break" by Go, but developers may confuse it for
-      "fallthrough".  To fix this error, disambiguate by using "break" or "fallthrough".

.semgrep/config/logic.yaml

@@ -1,11 +0,0 @@
-rules:
-  - id: forgejo-logic-suspicious-OwnerID-check
-    pattern: |-
-      $X.OwnerID > 0
-    languages:
-      - go
-    severity: ERROR
-    message: >
-      Many resources like comments or runners cannot only be owned by regular users, which have positive IDs, but also
-      by predefined system users like Ghost or Forgejo Actions that have negative IDs. In those cases, ownership checks
-      should only exclude 0: `OwnerID != 0`.

.semgrep/config/xorm.yaml

@@ -1,24 +0,0 @@
-rules:
-  - id: xorm-sync-missing-ignore-drop-indices
-    patterns:
-      - pattern-either:
-          - pattern: |
-              $X.Sync(...)
-          - pattern: |
-              $X.SyncWithOptions($OPTS, ...)
-      - pattern-not: |
-          $X.SyncWithOptions(xorm.SyncOptions{..., IgnoreDropIndices: true, ...}, ...)
-      - metavariable-type:
-          metavariable: $X
-          types:
-            - "*xorm.Engine"
-            - "*xorm.Session"
-    paths:
-      exclude:
-        - /models/gitea_migrations/**/*.go
-        - /models/forgejo_migrations_legacy/**/*.go
-    languages:
-      - go
-    message: |
-      xorm Sync operation may drop indices if used on an incomplete bean definition for an existing table. Use SyncWithOptions with IgnoreDropIndices: true instead.
-    severity: ERROR

.semgrep/tests/auth.fixed.go

@@ -1,58 +0,0 @@
-// Copyright 2016 The Gogs Authors. All rights reserved.
-// Copyright 2020 The Gitea Authors.
-// SPDX-License-Identifier: MIT
-
-package repo
-
-import (
-	"net/http"
-
-	"forgejo.org/models/db"
-	access_model "forgejo.org/models/perm/access"
-	repo_model "forgejo.org/models/repo"
-	api "forgejo.org/modules/structs"
-	"forgejo.org/routers/api/v1/utils"
-	"forgejo.org/services/context"
-	"forgejo.org/services/convert"
-)
-
-// ListForks list a repository's forks
-func ListForks(ctx *context.APIContext) {
-	forks, total, err := repo_model.GetForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "GetForks", err)
-		return
-	}
-	apiForks := make([]*api.Repository, len(forks))
-	for i, fork := range forks {
-		// ruleid:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)
-		// ok:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
-			return
-		}
-		apiForks[i] = convert.ToRepo(ctx, fork, permission)
-	}
-}
-
-// getStarredRepos returns the repos that the user with the specified userID has
-// starred
-func getStarredRepos(ctx std_context.Context, user *user_model.User, private bool, listOptions db.ListOptions) ([]*api.Repository, error) {
-	starredRepos, err := repo_model.GetStarredRepos(ctx, user.ID, private, listOptions)
-	if err != nil {
-		return nil, err
-	}
-
-	repos := make([]*api.Repository, len(starredRepos))
-	for i, starred := range starredRepos {
-		// ruleid:forgejo-api-suspicious-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermission(ctx, starred, user)
-		if err != nil {
-			return nil, err
-		}
-		repos[i] = convert.ToRepo(ctx, starred, permission)
-	}
-	return repos, nil
-}

.semgrep/tests/auth.go

@@ -1,58 +0,0 @@
-// Copyright 2016 The Gogs Authors. All rights reserved.
-// Copyright 2020 The Gitea Authors.
-// SPDX-License-Identifier: MIT
-
-package repo
-
-import (
-	"net/http"
-
-	"forgejo.org/models/db"
-	access_model "forgejo.org/models/perm/access"
-	repo_model "forgejo.org/models/repo"
-	api "forgejo.org/modules/structs"
-	"forgejo.org/routers/api/v1/utils"
-	"forgejo.org/services/context"
-	"forgejo.org/services/convert"
-)
-
-// ListForks list a repository's forks
-func ListForks(ctx *context.APIContext) {
-	forks, total, err := repo_model.GetForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "GetForks", err)
-		return
-	}
-	apiForks := make([]*api.Repository, len(forks))
-	for i, fork := range forks {
-		// ruleid:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermission(ctx, fork, ctx.Doer)
-		// ok:forgejo-api-use-resource-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
-			return
-		}
-		apiForks[i] = convert.ToRepo(ctx, fork, permission)
-	}
-}
-
-// getStarredRepos returns the repos that the user with the specified userID has
-// starred
-func getStarredRepos(ctx std_context.Context, user *user_model.User, private bool, listOptions db.ListOptions) ([]*api.Repository, error) {
-	starredRepos, err := repo_model.GetStarredRepos(ctx, user.ID, private, listOptions)
-	if err != nil {
-		return nil, err
-	}
-
-	repos := make([]*api.Repository, len(starredRepos))
-	for i, starred := range starredRepos {
-		// ruleid:forgejo-api-suspicious-GetUserRepoPermission
-		permission, err := access_model.GetUserRepoPermission(ctx, starred, user)
-		if err != nil {
-			return nil, err
-		}
-		repos[i] = convert.ToRepo(ctx, starred, permission)
-	}
-	return repos, nil
-}

.semgrep/tests/go.go

@@ -1,44 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-
-	_ "net/http/pprof" // Used for debugging if enabled and a web server is running
-
-	"forgejo.org/modules/setting"
-)
-
-func setPortEmptyCaseBad(port string) error {
-	setting.AppURL = strings.Replace(setting.AppURL, setting.HTTPPort, port, 1)
-	setting.HTTPPort = port
-
-	// ruleid:forgejo-switch-empty-case
-	switch setting.Protocol {
-	case setting.HTTPUnix:
-	case setting.FCGI:
-	case setting.FCGIUnix:
-	default:
-		defaultLocalURL := string(setting.Protocol) + "://"
-	}
-
-	// ok:forgejo-switch-empty-case
-	switch setting.Protocol {
-	case setting.HTTPUnix:
-		break
-	case setting.FCGI:
-		break
-	case setting.FCGIUnix:
-		break
-	default:
-		defaultLocalURL := string(setting.Protocol) + "://"
-	}
-
-	return nil
-}

.semgrep/tests/logic.go

@@ -1,35 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package actions
-
-import "xorm.io/builder"
-
-type FindRunJobOptions struct {
-	RepoID  int64
-	OwnerID int64
-}
-
-func (opts FindRunJobOptions) Bad() builder.Cond {
-	cond := builder.NewCond()
-	if opts.RepoID > 0 {
-		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
-	}
-	// ruleid:forgejo-logic-suspicious-OwnerID-check
-	if opts.OwnerID > 0 {
-		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
-	}
-	return cond
-}
-
-func (opts FindRunJobOptions) Good() builder.Cond {
-	cond := builder.NewCond()
-	if opts.RepoID > 0 {
-		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
-	}
-	// ok:forgejo-logic-suspicious-OwnerID-check
-	if opts.OwnerID != 0 {
-		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
-	}
-	return cond
-}

.semgrep/tests/xorm.go

@@ -1,45 +0,0 @@
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package forgejo_migrations
-
-import (
-	"io/fs"
-
-	"forgejo.org/modules/timeutil"
-
-	"xorm.io/xorm"
-)
-
-type ActionUser struct {
-	ID     int64 `xorm:"pk autoincr"`
-	UserID int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(user, id)"`
-	RepoID int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(repository, id)"`
-
-	TrustedWithPullRequests bool
-
-	LastAccess timeutil.TimeStamp `xorm:"INDEX"`
-}
-
-func testSyncBad1(x *xorm.Engine) error {
-	// ruleid:xorm-sync-missing-ignore-drop-indices
-	return x.Sync(new(ActionUser))
-}
-
-func testSyncBad2(x *xorm.Engine) error {
-	// ruleid:xorm-sync-missing-ignore-drop-indices
-	_, err = x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: false}, bean)
-	return err
-}
-
-func testSyncGood1(x *xorm.Engine) error {
-	// ok:xorm-sync-missing-ignore-drop-indices
-	_, err = x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, bean)
-	return err
-}
-
-func testSyncGood2(x *fs.File) error {
-	// ok:xorm-sync-missing-ignore-drop-indices
-	_, err = x.Sync()
-	return err
-}

CODEOWNERS

@@ -38,25 +38,5 @@ routers/.* @gusted
 options/locale/.* @0ko
 options/locale_next/.* @0ko
 
-# lint-locale-usage
-build/lint-locale-usage/.* @fogti
-models/unit/.* @fogti
-services/migrations/lint-locale-usage/.* @fogti
-
 # Personal interest
 .*/webhook.* @oliverpool
-
-# Often work with, and on, the API
-modules/structs/.* @Cyborus
-routers/api/v1/.* @Cyborus
-routers/api/forgejo/.* @Cyborus
-tests/integration/api_.* @Cyborus
-
-# Federation code, requires care to be taken with regards to interoperability
-# and backwards compatibility due to the way signatures work.
-services/federation/.* @famfo @0xllx0
-modules/forgefed/.* @famfo @0xllx0
-models/forgefed/.* @famfo @0xllx0
-routers/api/v1/activitypub/.* @famfo @0xllx0
-tests/integration/api_activitypub_.* @famfo @0xllx0
-tests/integration/activitypub_.* @famfo @0xllx0

Dockerfile

@@ -1,6 +1,6 @@
 FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx
 
-FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.26-alpine3.23 AS build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.22 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
@@ -51,7 +51,7 @@ RUN chmod 755 /tmp/local/usr/bin/entrypoint \
               /go/src/forgejo.org/environment-to-ini
 RUN chmod 644 /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete
 
-FROM data.forgejo.org/oci/alpine:3.23
+FROM data.forgejo.org/oci/alpine:3.22
 ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
       org.opencontainers.image.authors="Forgejo" \

Dockerfile.rootless

@@ -1,6 +1,6 @@
 FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx
 
-FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.26-alpine3.23 AS build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.22 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
@@ -49,7 +49,7 @@ RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
               /go/src/forgejo.org/environment-to-ini
 RUN chmod 644 /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete
 
-FROM data.forgejo.org/oci/alpine:3.23
+FROM data.forgejo.org/oci/alpine:3.22
 ARG RELEASE_VERSION
 LABEL maintainer="contact@forgejo.org" \
       org.opencontainers.image.authors="Forgejo" \
@@ -86,8 +86,8 @@ RUN addgroup \
     -G git \
     git
 
-RUN mkdir -p /var/lib/gitea
-RUN chown git:git /var/lib/gitea
+RUN mkdir -p /var/lib/gitea /etc/gitea
+RUN chown git:git /var/lib/gitea /etc/gitea
 
 COPY --from=build-env /tmp/local /
 RUN cd /usr/local/bin ; ln -s gitea forgejo
@@ -103,9 +103,13 @@ ENV GITEA_CUSTOM=/var/lib/gitea/custom
 ENV GITEA_TEMP=/tmp/gitea
 ENV TMPDIR=/tmp/gitea
 
+# Legacy config file for backwards compatibility
+# TODO: remove on next major version release
+ENV GITEA_APP_INI_LEGACY=/etc/gitea/app.ini
+
 ENV GITEA_APP_INI=${GITEA_CUSTOM}/conf/app.ini
 ENV HOME="/var/lib/gitea/git"
-VOLUME ["/var/lib/gitea"]
+VOLUME ["/var/lib/gitea", "/etc/gitea"]
 WORKDIR /var/lib/gitea
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]

Makefile

@@ -37,18 +37,17 @@ endif
 XGO_VERSION := go-1.21.x
 
 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.6.1 # renovate: datasource=go
-GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 # renovate: datasource=go
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15 # renovate: datasource=go
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.2 # renovate: datasource=go
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.3.0 # renovate: datasource=go
+GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.8.0 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 # renovate: datasource=go
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11 # renovate: datasource=go
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datasource=go
+GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.45.0 # renovate: datasource=go
-ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.160.6 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
-MOCKERY_PACKAGE ?= github.com/vektra/mockery/v3@v3.7.0 # renovate: datasource=go
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.34.0 # renovate: datasource=go
+GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.5.2 # renovate: datasource=go
+RENOVATE_NPM_PACKAGE ?= renovate@41.1.4 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...
@@ -116,6 +115,9 @@ LDFLAGS := $(LDFLAGS) -X "main.ReleaseVersion=$(RELEASE_VERSION)" -X "main.MakeV
 
 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64
 
+ifeq ($(HAS_GO), yes)
+	GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list forgejo.org/models/migrations/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations/...) forgejo.org/tests/integration/migration-test forgejo.org/tests forgejo.org/tests/integration forgejo.org/tests/e2e,$(shell $(GO) list ./...))
+endif
 REMOTE_CACHER_MODULES ?= cache nosql session queue
 GO_TEST_REMOTE_CACHER_PACKAGES ?= $(addprefix forgejo.org/modules/,$(REMOTE_CACHER_MODULES))
 
@@ -157,6 +159,9 @@ GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/optio
 GO_SOURCES += $(GENERATED_GO_DEST)
 GO_SOURCES_NO_BINDATA := $(GO_SOURCES)
 
+ifeq ($(HAS_GO), yes)
+	MIGRATION_PACKAGES := $(shell $(GO) list forgejo.org/models/migrations/... forgejo.org/models/forgejo_migrations/...)
+endif
 
 ifeq ($(filter $(TAGS_SPLIT),bindata),bindata)
 	GO_SOURCES += $(BINDATA_DEST)
@@ -233,9 +238,6 @@ help:
 	@echo " - test-frontend-coverage           test frontend files and display code coverage"
 	@echo " - test-backend                     test backend files"
 	@echo " - test-remote-cacher               test backend files that use a remote cache"
-	@echo " - coverage-run*                    test and collect coverages in the coverage/data directory"
-	@echo " - coverage-show-html               display coverage-run results in an HTML page"
-	@echo " - coverage-show-percent            display coverage-run per package coverage percentage"
 	@echo " - test-e2e-sqlite[\#name.test.e2e] test end to end using playwright and sqlite"
 	@echo " - webpack                          build webpack files"
 	@echo " - svg                              build svg files"
@@ -245,7 +247,7 @@ help:
 	@echo " - generate-license                 update license files"
 	@echo " - generate-gitignore               update gitignore files"
 	@echo " - generate-manpage                 generate manpage"
-	@echo " - generate-mockery                 generate mockery files"
+	@echo " - generate-gomock                  generate gomock files"
 	@echo " - generate-forgejo-api             generate the forgejo API from spec"
 	@echo " - forgejo-api-validate             check if the forgejo API matches the specs"
 	@echo " - generate-swagger                 generate the swagger spec from code comments"
@@ -280,24 +282,6 @@ show-version-minor: verify-version
 show-version-api: verify-version
 	@echo ${FORGEJO_VERSION_API}
 
-###
-# Package computation targets
-###
-
-# Target to compute GO_TEST_PACKAGES - only runs when needed
-.PHONY: compute-go-test-packages
-compute-go-test-packages:
-ifeq ($(HAS_GO), yes)
-	$(eval GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list forgejo.org/models/gitea_migrations/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations_legacy/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations/...) forgejo.org/tests/integration/migration-test forgejo.org/tests forgejo.org/tests/integration forgejo.org/tests/e2e,$(shell $(GO) list ./...)))
-endif
-
-# Target to compute MIGRATION_PACKAGES - only runs when needed
-.PHONY: compute-migration-packages
-compute-migration-packages:
-ifeq ($(HAS_GO), yes)
-	$(eval MIGRATION_PACKAGES := $(shell $(GO) list forgejo.org/models/gitea_migrations/... forgejo.org/models/forgejo_migrations_legacy/... forgejo.org/models/forgejo_migrations/...))
-endif
-
 ###
 # Check system and environment requirements
 ###
@@ -323,7 +307,7 @@ git-check:
 node-check:
 	$(eval MIN_NODE_VERSION_STR := $(shell grep -Eo '"node":.*[0-9.]+"' package.json | sed -n 's/.*[^0-9.]\([0-9.]*\)"/\1/p'))
 	$(eval MIN_NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell echo '$(MIN_NODE_VERSION_STR)' | tr '.' ' ')))
-	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | sed 's:-.*::' | tr '.' ' ');))
+	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | tr '.' ' ');))
 	$(eval NPM_MISSING := $(shell hash npm > /dev/null 2>&1 || echo 1))
 	@if [ "$(NODE_VERSION)" -lt "$(MIN_NODE_VERSION)" -o "$(NPM_MISSING)" = "1" ]; then \
 		echo "Forgejo requires Node.js $(MIN_NODE_VERSION_STR) or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
@@ -433,7 +417,7 @@ lint: lint-frontend lint-backend
 lint-fix: lint-frontend-fix lint-backend-fix
 
 .PHONY: lint-frontend
-lint-frontend: lint-js tsc lint-css
+lint-frontend: lint-js lint-css
 
 .PHONY: lint-frontend-fix
 lint-frontend-fix: lint-js-fix lint-css-fix
@@ -466,7 +450,7 @@ lint-swagger: node_modules
 
 .PHONY: lint-renovate
 lint-renovate: node_modules
-	npx --yes --package $(RENOVATE_NPM_PACKAGE) -- renovate-config-validator --no-global .forgejo/renovate.json > .lint-renovate 2>&1 || true
+	npx --yes --package $(RENOVATE_NPM_PACKAGE) -- renovate-config-validator > .lint-renovate 2>&1 || true
 	@if grep --quiet --extended-regexp -e '^( ERROR:)' .lint-renovate ; then cat .lint-renovate ; rm .lint-renovate ; exit 1 ; fi
 	@rm .lint-renovate
 
@@ -476,7 +460,7 @@ lint-locale:
 
 .PHONY: lint-locale-usage
 lint-locale-usage:
-	$(GO) run ./build/lint-locale-usage/bin --allow-masked-usages-from=build/lint-locale-usage/allowed-masked-usage.txt
+	$(GO) run build/lint-locale-usage/lint-locale-usage.go
 
 .PHONY: lint-md
 lint-md: node_modules
@@ -486,23 +470,10 @@ RUN_DEADCODE = $(GO) run $(DEADCODE_PACKAGE) -generated=false -f='{{println .Pat
 
 .PHONY: lint-go
 lint-go:
-	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS) \
-	|| (code=$$?; echo "Please run 'make lint-go-fix' and commit the result"; exit $${code})
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS)
 	$(RUN_DEADCODE) > .cur-deadcode-out
-	@$(DIFF) .deadcode-out .cur-deadcode-out >.deadcode.diff || true
-	@if grep -qE '^[+][^+]' .deadcode.diff ; then \
-		cat .deadcode.diff ; \
-		echo "Looks like you added dead code, please evaluate and remove or use it."; \
-		echo "If you are sure the dead code should stay around, please run 'make lint-go-fix',"; \
-		echo "commit the result and explain the reason in the commit message / PR description."; \
-		exit 1; \
-	fi
-	@if grep -qE '^[-][^-]' .deadcode.diff ; then \
-		cat .deadcode.diff ; \
-		echo "Looks like you removed dead code. Thank you!"; \
-		echo "Run 'make lint-go-fix' and commit the result to accept."; \
-	fi
-	$(GO) run $(ERRORTYPE_PACKAGE) ./...
+	@$(DIFF) .deadcode-out .cur-deadcode-out \
+	|| (code=$$?; echo "Please run 'make lint-go-fix' and commit the result"; exit $${code})
 
 .PHONY: lint-go-fix
 lint-go-fix:
@@ -528,16 +499,7 @@ lint-disposable-emails-fix:
 
 .PHONY: security-check
 security-check:
-	$(GO) run $(GOVULNCHECK_PACKAGE) -show color ./...
-
-.PHONY: tsc
-tsc: node_modules
-	npx tsc --noEmit
-
-# target for PRs to be pushed. Mandatory to succeed in CI
-.PHONY: pr-go
-pr-go: deps-backend deps-tools lint-backend tidy-check swagger-check lint-swagger fmt-check swagger-validate
-	TAGS=bindata $(MAKE) backend
+	go run $(GOVULNCHECK_PACKAGE) -show color ./...
 
 ###
 # Development and testing targets
@@ -560,14 +522,14 @@ watch-backend: go-check
 test: test-frontend test-backend
 
 .PHONY: test-backend
-test-backend: | compute-go-test-packages
+test-backend:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
 
 .PHONY: test-remote-cacher
 test-remote-cacher:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
 
 .PHONY: test-frontend
 test-frontend: node_modules
@@ -590,39 +552,20 @@ test-check:
 	fi
 
 .PHONY: test\#%
-test\#%: | compute-go-test-packages
+test\#%:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
 
-coverage-merge:
-	rm -fr coverage/merged ; mkdir -p coverage/merged
-	$(GO) tool covdata merge -i `find coverage/data -name 'covmeta.*' | sed -e 's|/covmeta.*|,|' | tr -d '\n' | sed -e 's/,$$//'` -o coverage/merged
+.PHONY: coverage
+coverage:
+	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' coverage.out > coverage-bodged.out
+	grep '^\(mode: .*\)\|\(.*:[0-9]\+\.[0-9]\+,[0-9]\+\.[0-9]\+ [0-9]\+ [0-9]\+\)$$' integration.coverage.out > integration.coverage-bodged.out
+	$(GO) run build/gocovmerge.go integration.coverage-bodged.out coverage-bodged.out > coverage.all
 
-coverage-convert: coverage-merge
-	$(GO) tool covdata textfmt -i=coverage/merged -o=coverage/textfmt.out
-
-coverage-show-html: coverage-convert
-	( cd coverage ; $(GO) tool cover -html=textfmt.out -o coverage.html )
-	xdg-open coverage/coverage.html
-
-coverage-show-percentage: coverage-convert
-	go tool cover -func=coverage/textfmt.out
-
-coverage-run: | compute-go-test-packages
-	contrib/coverage-helper.sh test_packages $(COVERAGE_TEST_PACKAGES)
-
-coverage-run-%: generate-ini-% | compute-migration-packages
-  #
-  # Migration tests go first
-  #
-	$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_ARGS= COVERAGE_TEST_PACKAGES=forgejo.org/tests/integration/migration-test coverage-run
-	for pkg in $(MIGRATION_PACKAGES); do \
-		$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_DATABASE=$* COVERAGE_TEST_ARGS= COVERAGE_TEST_PACKAGES=$$pkg coverage-run ; \
-	done
-  #
-  # All other integration tests follow
-  #
-	$(MAKE) GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/$*.ini COVERAGE_TEST_DATABASE=$* COVERAGE_TEST_PACKAGES=forgejo.org/tests/integration coverage-run
+.PHONY: unit-test-coverage
+unit-test-coverage:
+	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
+	@$(GOTEST) $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
 
 .PHONY: tidy
 tidy:
@@ -695,7 +638,6 @@ generate-ini-pgsql:
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
 		-e 's|{{TEST_STORAGE_TYPE}}|$(or $(TEST_STORAGE_TYPE),minio)|g' \
-		-e 's|{{TEST_S3_HOST}}|$(or $(TEST_S3_HOST),minio:9000)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini
 
 .PHONY: test-pgsql
@@ -742,7 +684,7 @@ test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 
 .PHONY: test-e2e-pgsql
-GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.initest-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
+test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e
 
 .PHONY: test-e2e-pgsql\#%
@@ -765,6 +707,14 @@ bench-mysql: integrations.mysql.test generate-ini-mysql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 
+.PHONY: integration-test-coverage
+integration-test-coverage: integrations.cover.test generate-ini-mysql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
+
+.PHONY: integration-test-coverage-sqlite
+integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
+
 integrations.mysql.test: git-check $(GO_SOURCES)
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.mysql.test
 
@@ -774,6 +724,12 @@ integrations.pgsql.test: git-check $(GO_SOURCES)
 integrations.sqlite.test: git-check $(GO_SOURCES)
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'
 
+integrations.cover.test: git-check $(GO_SOURCES)
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
+
+integrations.cover.sqlite.test: git-check $(GO_SOURCES)
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
+
 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration/migration-test -o migrations.mysql.test
@@ -790,34 +746,34 @@ migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)
 
 .PHONY: migrations.individual.mysql.test
-migrations.individual.mysql.test: $(GO_SOURCES) | compute-migration-packages
+migrations.individual.mysql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
 
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/gitea_migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*
 
 .PHONY: migrations.individual.pgsql.test
-migrations.individual.pgsql.test: $(GO_SOURCES) | compute-migration-packages
+migrations.individual.pgsql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
 	done
 
 .PHONY: migrations.individual.pgsql.test\#%
 migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/gitea_migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*
 
 .PHONY: migrations.individual.sqlite.test
-migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite | compute-migration-packages
+migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	for pkg in $(MIGRATION_PACKAGES); do \
 		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
 
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/gitea_migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*
 
 e2e.mysql.test: $(GO_SOURCES)
 	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/e2e -o e2e.mysql.test
@@ -968,20 +924,22 @@ deps-tools:
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
 	$(GO) install $(GOVULNCHECK_PACKAGE)
-	$(GO) install $(ERRORTYPE_PACKAGE)
-	$(GO) install $(MOCKERY_PACKAGE)
+	$(GO) install $(GOMOCK_PACKAGE)
 
 node_modules: package-lock.json
 	npm install --no-save
 	@touch node_modules
 
+.venv: poetry.lock
+	poetry install
+	@touch .venv
+
 .PHONY: fomantic
 fomantic:
 	rm -rf $(FOMANTIC_WORK_DIR)/build
 	cd $(FOMANTIC_WORK_DIR) && npm install --no-save
 	cp -f $(FOMANTIC_WORK_DIR)/theme.config.less $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/theme.config
 	cp -rf $(FOMANTIC_WORK_DIR)/_site $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/
-	rm -rf $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/themes/default/modules/dropdown.overrides
 	$(SED_INPLACE) -e 's/  overrideBrowserslist\r/  overrideBrowserslist: ["defaults"]\r/g' $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/tasks/config/tasks.js
 	cd $(FOMANTIC_WORK_DIR) && npx gulp -f node_modules/fomantic-ui/gulpfile.js build
 	# fomantic uses "touchstart" as click event for some browsers, it's not ideal, so we force fomantic to always use "click" as click event
@@ -1024,9 +982,9 @@ generate-license:
 generate-gitignore:
 	$(GO) run build/generate-gitignores.go
 
-.PHONY: generate-mockery
-generate-mockery:
-	$(GO) run $(MOCKERY_PACKAGE)
+.PHONY: generate-gomock
+generate-gomock:
+	$(GO) run $(GOMOCK_PACKAGE) -package mock -destination ./modules/queue/mock/redisuniversalclient.go forgejo.org/modules/nosql RedisClient
 
 .PHONY: generate-images
 generate-images: | node_modules

README.md

@@ -6,7 +6,7 @@
 Hi there! Tired of big platforms playing monopoly?
 Providing Git hosting for your project, friends, company or community?
 **Forgejo** (/for'd͡ʒe.jo/ inspired by forĝejo – the Esperanto word for *forge*) has you covered with its intuitive interface,
-light and easy hosting and a lot of built-in functionality.
+light and easy hosting and a lot of builtin functionality.
 
 Forgejo was [created in 2022](https://forgejo.org/2022-12-15-hello-forgejo/)
 because we think that the project should be owned by an independent community.

RELEASE-NOTES.md

@@ -4,7 +4,7 @@ A minor or major Forgejo release is published every [three months](https://forge
 
 A [patch or minor release](https://semver.org/spec/v2.0.0.html) (e.g. upgrading from v7.0.0 to v7.0.1 or v7.1.0) does not require manual intervention. But [major releases](https://semver.org/spec/v2.0.0.html#spec-item-8) where the first version number changes (e.g. upgrading from v1.21 to v7.0) contain breaking changes and the release notes explain how to deal with them.
 
-The release notes of each release [are available in the release-notes-published directory of this repository](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).
+The release notes of each release [are available in the release-notes-published directory of this repository](release-notes-published), starting with [Forgejo 7.0.7](release-notes-published/7.0.7.md) and [Forgejo 8.0.1](release-notes-published/8.0.1.md).
 
 ## 9.0.2
 
@@ -130,10 +130,6 @@ A [companion blog post](https://forgejo.org/2024-07-release-v8-0/) provides addi
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/3334): <!--number 3334 --><!--number--><!--description Added support for the `workflow_dispatch` workflow trigger-->added support for the [`workflow_dispatch` trigger](https://forgejo.org/docs/v8.0/user/actions/#onworkflow_dispatch) in Forgejo Actions.<!--description-->
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/3307): <!--number 3307 --><!--number--><!--description Support [Proof Key for Code Exchange (PKCE - RFC7636)](https://www.rfc-editor.org/rfc/rfc7636) for external login using the OpenID Connect authentication source.-->support [Proof Key for Code Exchange (PKCE - RFC7636)](https://www.rfc-editor.org/rfc/rfc7636) for external login using the OpenID Connect authentication source.<!--description-->
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/3139): <!--number 3139 --><!--number--><!--description Allow hiding auto generated release archives-->allow hiding auto generated release archives.<!--description-->
-  - [PR](https://codeberg.org/forgejo/forgejo/pulls/3952): Update of Chroma from v2.13.0: to v2.14.0:
-    - [`1e983e7`](https://github.com/alecthomas/chroma/commit/1e983e7) lexers/cue: support CUE attributes ([#&#8203;961](https://github.com/alecthomas/chroma/issues/961))
-    - [`9347b55`](https://github.com/alecthomas/chroma/commit/9347b55) Add Gleam syntax highlighting ([#&#8203;959](https://github.com/alecthomas/chroma/issues/959))
-    - [`2580aaa`](https://github.com/alecthomas/chroma/commit/2580aaa) Add Bazel bzlmod support into Python lexer ([#&#8203;947](https://github.com/alecthomas/chroma/issues/947))
 - **Bug fixes**
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/4732) ([backported from](https://codeberg.org/forgejo/forgejo/pulls/4715)): <!--number 4732 --><!--number--><!--description -->Show the AGit label on merged pull requests.<!--description-->
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/4689) ([backported from](https://codeberg.org/forgejo/forgejo/pulls/4687)): <!--number 4689 --><!--number--><!--description -->Fixed: issue state change via the API is not idempotent.<!--description-->
@@ -150,9 +146,6 @@ A [companion blog post](https://forgejo.org/2024-07-release-v8-0/) provides addi
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/3442): <!--number 3442 --><!--number--><!--description Save updated empty comments instead of skipping the update silently, [which prevented the removal of attachments of such comments](https://codeberg.org/forgejo/forgejo/issues/3424).-->Fixed: it is not possible to remove attachments from an empty comment.<!--description-->
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/3430): <!--number 3430 --><!--number--><!--description Fixed a bug where the `/api/v1/repos/{owner}/{repo}/wiki` API endpoints were using a hardcoded "master" branch for the wiki, rather than the branch they really use.-->Fixed: the `/api/v1/repos/{owner}/{repo}/wiki` API endpoints is using a hardcoded "master" branch for the wiki, rather than the branch they really use.<!--description-->
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/3379): <!--number 3379 --><!--number--><!--description -->Fixed: using the API to search for users, the results are not paged by default an the default paging limits are not respected.<!--description-->
-  - [PR](https://codeberg.org/forgejo/forgejo/pulls/3952): Update of Chroma from v2.13.0: to v2.14.0:
-    - [`736c0ea`](https://github.com/alecthomas/chroma/commit/736c0ea) Typescript: Several fixes ([#&#8203;952](https://github.com/alecthomas/chroma/issues/952))
-    - [`e5c25d0`](https://github.com/alecthomas/chroma/commit/e5c25d0) Org: Keep all newlines ([#&#8203;951](https://github.com/alecthomas/chroma/issues/951))
 - **Localization**
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/4661) ([backported from](https://codeberg.org/forgejo/forgejo/pulls/4568)): <!--number 4661 --><!--number--><!--description -->24 July updates<!--description-->
   - [PR](https://codeberg.org/forgejo/forgejo/pulls/4565) ([backported from](https://codeberg.org/forgejo/forgejo/pulls/4451)): <!--number 4565 --><!--number--><!--description -->19 July updates<!--description-->

build/code-batch-process.go

@@ -74,7 +74,7 @@ func newFileCollector(fileFilter string, batchSize int) (*fileCollector, error)
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`tests/integration/migration-test`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`modules/git/tests`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`models/fixtures`))
-		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`models/gitea_migrations/fixtures`))
+		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`models/migrations/fixtures`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`services/gitdiff/testdata`))
 	}
 
@@ -181,7 +181,7 @@ func parseArgs() (mainOptions map[string]string, subCmd string, subArgs []string
 			break
 		}
 	}
-	return mainOptions, subCmd, subArgs
+	return
 }
 
 func showUsage() {

build/lint-locale-usage/allowed-masked-usage.txt

@@ -1,17 +0,0 @@
-# translation tooling test keys
-meta.last_line
-translation_meta.test
-
-# models/admin/task.go: instances of $TranslatableMessage.Format
-# this also gets instantiated as a Messenger once
-repo.migrate.migrating_failed.error
-
-# modules/setting/ui.go
-themes.names.
-
-# services/context/context.go
-relativetime.
-
-# templates/repo/settings/webhook/link_menu.tmpl, templates/webhook/new.tmpl: repo.settings.web_hook_name_
-# tests/integration/repo_archive_text_test.go
-repo.settings.

build/lint-locale-usage/bin/handle-go.go

@@ -1,208 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package main
-
-import (
-	"fmt"
-	"go/ast"
-	goParser "go/parser"
-	"go/token"
-	"reflect"
-	"slices"
-	"strconv"
-	"strings"
-
-	llu "forgejo.org/build/lint-locale-usage"
-	lluAsymKey "forgejo.org/models/asymkey/lint-locale-usage"
-	lluUnit "forgejo.org/models/unit/lint-locale-usage"
-	lluMigrate "forgejo.org/services/migrations/lint-locale-usage"
-)
-
-// the `Handle*File` functions follow the following calling convention:
-// * `fname` is the name of the input file
-// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
-//   or the contents of the file as {`[]byte`, or a `string`}
-
-func HandleGoFile(handler llu.Handler, fname string, src any) error {
-	fset := token.NewFileSet()
-	node, err := goParser.ParseFile(fset, fname, src, goParser.SkipObjectResolution|goParser.ParseComments)
-	if err != nil {
-		return llu.LocatedError{
-			Location: fname,
-			Kind:     "Go parser",
-			Err:      err,
-		}
-	}
-
-	ast.Inspect(node, func(n ast.Node) bool {
-		return HandleGoNode(handler, fset, fname, n)
-	})
-
-	return nil
-}
-
-func HandleGoNode(handler llu.Handler, fset *token.FileSet, fname string, n ast.Node) bool {
-	// search for function calls of the form `anything.Tr(any-string-lit, ...)`
-
-	switch n2 := n.(type) {
-	case *ast.CallExpr:
-		if len(n2.Args) == 0 {
-			return true
-		}
-		funSel, ok := n2.Fun.(*ast.SelectorExpr)
-		if !ok {
-			return true
-		}
-
-		ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
-		if !ok {
-			return true
-		}
-
-		var gotUnexpectedInvoke *int
-
-		for _, argNum := range ltf {
-			if len(n2.Args) <= int(argNum) {
-				argc := len(n2.Args)
-				gotUnexpectedInvoke = &argc
-			} else {
-				handler.HandleGoTrArgument(fset, n2.Args[int(argNum)], "")
-			}
-		}
-
-		if gotUnexpectedInvoke != nil {
-			handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
-		}
-
-	case *ast.CompositeLit:
-		if strings.HasSuffix(fname, "models/unit/unit.go") {
-			lluUnit.HandleCompositeUnit(handler, fset, n2)
-		} else if strings.Contains(fname, "models/asymkey/") {
-			lluAsymKey.HandleCompositeErrorReason(handler, fset, n2)
-		}
-
-	case *ast.FuncDecl:
-		if matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKeyWeak"); matchInsPrefix != nil {
-			results := n2.Type.Results.List
-			if len(results) != 1 {
-				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
-				return true
-			}
-
-			ast.Inspect(n2.Body, func(n ast.Node) bool {
-				// search for return stmts
-				// TODO: what about nested functions?
-				if ret, ok := n.(*ast.ReturnStmt); ok {
-					for _, res := range ret.Results {
-						ast.Inspect(res, func(n ast.Node) bool {
-							if expr, ok := n.(ast.Expr); ok {
-								handler.HandleGoTrArgument(fset, expr, *matchInsPrefix)
-							}
-							return true
-						})
-					}
-					return false
-				}
-				return true
-			})
-		}
-
-		if matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKey"); matchInsPrefix != nil {
-			results := n2.Type.Results.List
-			if len(results) != 1 {
-				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
-				return true
-			}
-
-			ast.Inspect(n2.Body, func(n ast.Node) bool {
-				// search for return stmts
-				if ret, ok := n.(*ast.ReturnStmt); ok {
-					for _, res := range ret.Results {
-						handler.HandleGoTrArgument(fset, res, *matchInsPrefix)
-					}
-					return false
-				} else if _, ok := n.(*ast.FuncDecl); ok {
-					ast.Inspect(n, func(n2 ast.Node) bool {
-						return HandleGoNode(handler, fset, fname, n2)
-					})
-					// don't search inside nested functions for return stmts
-					return false
-				}
-				return true
-			})
-		}
-
-		if strings.HasSuffix(fname, "services/migrations/migrate.go") {
-			lluMigrate.HandleMessengerInFunc(handler, fset, n2)
-		}
-		return true
-	case *ast.GenDecl:
-		switch n2.Tok {
-		case token.CONST, token.VAR:
-			matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, " llu:TrKeys")
-			if matchInsPrefix == nil {
-				return true
-			}
-			for _, spec := range n2.Specs {
-				// interpret all contained strings as message IDs
-				ast.Inspect(spec, func(n ast.Node) bool {
-					if argLit, ok := n.(*ast.BasicLit); ok {
-						handler.HandleGoTrBasicLit(fset, argLit, *matchInsPrefix)
-						return false
-					}
-					return true
-				})
-			}
-
-		case token.TYPE:
-			// modules/web/middleware/binding.go:Validate uses the convention that structs
-			// entries can have tags.
-			// In particular, `locale:$msgid` should be handled; any fields with `form:-` shouldn't.
-			// Problem: we don't know which structs are forms, actually.
-
-			for _, spec := range n2.Specs {
-				tspec := spec.(*ast.TypeSpec)
-				structNode, ok := tspec.Type.(*ast.StructType)
-				if !ok || !(strings.HasSuffix(tspec.Name.Name, "Form") ||
-					(tspec.Doc != nil &&
-						slices.ContainsFunc(tspec.Doc.List, func(c *ast.Comment) bool {
-							return c.Text == "// swagger:model"
-						}))) {
-					continue
-				}
-				for _, field := range structNode.Fields.List {
-					if field.Names == nil {
-						continue
-					}
-					if len(field.Names) != 1 {
-						handler.OnWarning(fset, field.Type.Pos(), "unsupported multiple field names")
-						continue
-					}
-					msgidPos := field.Names[0].NamePos
-					msgid := "form." + field.Names[0].Name
-					if field.Tag != nil && field.Tag.Kind == token.STRING {
-						rawTag, err := strconv.Unquote(field.Tag.Value)
-						if err != nil {
-							handler.OnWarning(fset, field.Tag.ValuePos, "invalid tag value encountered")
-							continue
-						}
-						tag := reflect.StructTag(rawTag)
-						if tag.Get("form") == "-" {
-							continue
-						}
-						tmp := tag.Get("locale")
-						if len(tmp) != 0 {
-							msgidPos = field.Tag.ValuePos
-							msgid = tmp
-						}
-					}
-					handler.OnMsgid(fset, msgidPos, msgid, true)
-				}
-			}
-		}
-	}
-
-	return true
-}

build/lint-locale-usage/bin/lint-locale-usage.go

@@ -1,404 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package main
-
-import (
-	"bufio"
-	"errors"
-	"flag"
-	"fmt"
-	"go/token"
-	"io/fs"
-	"os"
-	"path/filepath"
-	"regexp"
-	"sort"
-	"strings"
-
-	llu "forgejo.org/build/lint-locale-usage"
-	"forgejo.org/modules/container"
-	"forgejo.org/modules/translation/localeiter"
-)
-
-// this works by first gathering all valid source string IDs from `en-US` reference files
-// and then checking if all used source strings are actually defined
-
-func InitLocaleTrFunctions() map[string][]uint {
-	ret := make(map[string][]uint)
-
-	f0 := []uint{0}
-	ret["Tr"] = f0
-	ret["TrString"] = f0
-	ret["TrHTML"] = f0
-
-	ret["TrPluralString"] = []uint{1}
-	ret["TrN"] = []uint{1, 2}
-
-	return ret
-}
-
-type StringTrie interface {
-	Matches(key []string) bool
-}
-
-type StringTrieMap map[string]StringTrie
-
-func printfPatternToRegex(key string) (string, bool) {
-	parts := strings.Split(key, "%")
-	if len(parts) < 2 {
-		return key, false
-	}
-	var pattern strings.Builder
-	pattern.WriteString("^")
-	pattern.WriteString(parts[0])
-	skip := false
-	for _, part := range parts[1:] {
-		if skip {
-			skip = false
-			continue
-		}
-		if len(part) == 0 {
-			// "%%"
-			pattern.WriteString("%")
-			continue
-		}
-		switch part[0] {
-		case 'd':
-			pattern.WriteString("[0-9]+")
-		default:
-			pattern.WriteString("[A-Za-z0-9]*")
-		}
-		pattern.WriteString(part[1:])
-	}
-	pattern.WriteString("$")
-	return pattern.String(), true
-}
-
-func (m StringTrieMap) Matches(key []string) bool {
-	if len(key) == 0 || m == nil {
-		return true
-	}
-	value, ok := m[key[0]]
-	if !ok {
-		for altKey, value := range m {
-			// TODO: cache mapping $printfFormatString -> $regexpCompileOutput
-			pattern, found := printfPatternToRegex(altKey)
-			if !found {
-				continue
-			}
-			matched, err := regexp.MatchString(pattern, key[0])
-			if err != nil {
-				panic(fmt.Sprintf("unable to compile regexp '%s': %s", pattern, err.Error()))
-			}
-			if matched && (value == nil || value.Matches(key[1:])) {
-				return true
-			}
-		}
-		return false
-	}
-	if value == nil {
-		return true
-	}
-	return value.Matches(key[1:])
-}
-
-func (m StringTrieMap) Insert(key []string) {
-	if m == nil {
-		return
-	}
-
-	switch len(key) {
-	case 0:
-		return
-
-	case 1:
-		m[key[0]] = nil
-
-	default:
-		if value, ok := m[key[0]]; ok {
-			if value == nil {
-				return
-			}
-		} else {
-			m[key[0]] = make(StringTrieMap)
-		}
-		m[key[0]].(StringTrieMap).Insert(key[1:])
-	}
-}
-
-func ParseAllowedMaskedUsages(fname string, usedMsgids container.Set[string], allowedMaskedPrefixes StringTrieMap, chkMsgid func(msgid string) bool) error {
-	file, err := os.Open(fname)
-	if err != nil {
-		return llu.LocatedError{
-			Location: fname,
-			Kind:     "Open",
-			Err:      err,
-		}
-	}
-	defer file.Close()
-
-	scanner := bufio.NewScanner(file)
-	lno := 0
-	for scanner.Scan() {
-		lno++
-		line := strings.TrimSpace(scanner.Text())
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
-		}
-		if linePrefix, found := strings.CutSuffix(line, "."); found || strings.Contains(line, "%") {
-			allowedMaskedPrefixes.Insert(strings.Split(linePrefix, "."))
-		} else {
-			if !chkMsgid(line) {
-				return llu.LocatedError{
-					Location: fmt.Sprintf("%s: line %d", fname, lno),
-					Kind:     "undefined msgid",
-					Err:      errors.New(line),
-				}
-			}
-			usedMsgids.Add(line)
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return llu.LocatedError{
-			Location: fname,
-			Kind:     "Scanner",
-			Err:      err,
-		}
-	}
-	return nil
-}
-
-func Usage() {
-	outp := flag.CommandLine.Output()
-	fmt.Fprintf(outp, "Usage of %s:\n", os.Args[0])
-	flag.PrintDefaults()
-
-	fmt.Fprintf(outp, "\nThis command assumes that it gets started from the project root directory.\n")
-
-	fmt.Fprintf(outp, "\nExit codes:\n")
-	for _, i := range []string{
-		"0\tsuccess, no issues found",
-		"1\tunable to walk directory tree",
-		"2\tunable to parse locale ini/json files",
-		"3\tunable to parse go or text/template files",
-		"4\tfound missing message IDs",
-		"5\tfound unused message IDs",
-	} {
-		fmt.Fprintf(outp, "\t%s\n", i)
-	}
-
-	fmt.Fprintf(outp, "\nSpecial Go doc comments:\n")
-	for _, i := range []string{
-		"//llu:returnsTrKeyWeak",
-		"\tcan be used in front of functions to indicate",
-		"\tthat the function returns message IDs (allows nesting inside complicated function calls)",
-		"\tWARNING: this currently doesn't support nested functions properly",
-		"",
-		"//llu:returnsTrKey",
-		"\tcan be used in front of functions to indicate",
-		"\tthat the function returns message IDs (doesn't allow nesting inside complicated function calls)",
-		"\tWARNING: this currently doesn't support nested functions properly",
-		"",
-		"//llu:returnsTrKeySuffix prefix.",
-		"\tsimilar to llu:returnsTrKey, but the given prefix is prepended",
-		"\tto the found strings before interpreting them as msgids",
-		"",
-		"// llu:TrKeys",
-		"\tcan be used in front of 'const' and 'var' blocks",
-		"\tin order to mark all contained strings as message IDs",
-		"",
-		"// llu:TrKeysSuffix prefix.",
-		"\tlike llu:returnsTrKeySuffix, but for 'const' and 'var' blocks",
-	} {
-		if i == "" {
-			fmt.Fprintf(outp, "\n")
-		} else {
-			fmt.Fprintf(outp, "\t%s\n", i)
-		}
-	}
-}
-
-//nolint:forbidigo
-func main() {
-	allowMissingMsgids := false
-	allowUnusedMsgids := false
-	allowWeakMissingMsgids := true
-	usedMsgids := make(container.Set[string])
-	allowedMaskedPrefixes := make(StringTrieMap)
-
-	// It's possible for execl to hand us an empty os.Args.
-	if len(os.Args) == 0 {
-		flag.CommandLine = flag.NewFlagSet("lint-locale-usage", flag.ExitOnError)
-	} else {
-		flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
-	}
-	flag.CommandLine.Usage = Usage
-	flag.Usage = Usage
-
-	flag.BoolVar(
-		&allowMissingMsgids,
-		"allow-missing-msgids",
-		false,
-		"don't return an error code if missing message IDs are found",
-	)
-	flag.BoolVar(
-		&allowWeakMissingMsgids,
-		"allow-weak-missing-msgids",
-		true,
-		"Don't return an error code if missing 'weak' (e.g. \"form.$msgid\") message IDs are found",
-	)
-	flag.BoolVar(
-		&allowUnusedMsgids,
-		"allow-unused-msgids",
-		false,
-		"don't return an error code if unused message IDs are found",
-	)
-
-	msgids := make(container.Set[string])
-
-	localeFile := filepath.Join(filepath.Join("options", "locale"), "locale_en-US.ini")
-	localeContent, err := os.ReadFile(localeFile)
-	if err != nil {
-		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
-		os.Exit(2)
-	}
-
-	if err = localeiter.IterateMessagesContent(localeContent, func(trKey, trValue string) error {
-		msgids[trKey] = struct{}{}
-		return nil
-	}); err != nil {
-		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
-		os.Exit(2)
-	}
-
-	localeFile = filepath.Join(filepath.Join("options", "locale_next"), "locale_en-US.json")
-	localeContent, err = os.ReadFile(localeFile)
-	if err != nil {
-		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
-		os.Exit(2)
-	}
-
-	if err := localeiter.IterateMessagesNextContent(localeContent, func(trKey, pluralForm, trValue string) error {
-		// ignore plural form
-		msgids[trKey] = struct{}{}
-		return nil
-	}); err != nil {
-		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
-		os.Exit(2)
-	}
-
-	gotAnyMsgidError := false
-
-	flag.Func(
-		"allow-masked-usages-from",
-		"supply a file containing a newline-separated list of allowed masked usages",
-		func(argval string) error {
-			return ParseAllowedMaskedUsages(argval, usedMsgids, allowedMaskedPrefixes, func(msgid string) bool {
-				return msgids.Contains(msgid)
-			})
-		},
-	)
-	flag.Parse()
-
-	onError := func(err error) {
-		if err == nil {
-			return
-		}
-		fmt.Println(err.Error())
-		os.Exit(3)
-	}
-
-	handler := llu.Handler{
-		OnMsgidPattern: func(fset *token.FileSet, pos token.Pos, msgidPattern string) {
-			msgidPatternSplit := strings.Split(msgidPattern, ".")
-			allowedMaskedPrefixes.Insert(msgidPatternSplit)
-		},
-		OnMsgidPrefix: func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool) {
-			msgidPrefixSplit := strings.Split(msgidPrefix, ".")
-			if !truncated {
-				allowedMaskedPrefixes.Insert(msgidPrefixSplit)
-			} else if !allowedMaskedPrefixes.Matches(msgidPrefixSplit) {
-				gotAnyMsgidError = true
-				fmt.Printf("%s:\tmissing msgid prefix: %s\n", fset.Position(pos).String(), msgidPrefix)
-			}
-		},
-		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string, weak bool) {
-			if strings.Contains(msgid, "%") {
-				fmt.Printf("%s:\tunexpected msgid pattern: %s\n", fset.Position(pos).String(), msgid)
-				return
-			}
-			if !msgids.Contains(msgid) {
-				if weak && allowWeakMissingMsgids {
-					return
-				}
-				gotAnyMsgidError = true
-				fmt.Printf("%s:\tmissing msgid: %s\n", fset.Position(pos).String(), msgid)
-			} else {
-				usedMsgids.Add(msgid)
-			}
-		},
-		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {
-			gotAnyMsgidError = true
-			fmt.Printf("%s:\tunexpected invocation of %s with %d arguments\n", fset.Position(pos).String(), funcname, argc)
-		},
-		OnWarning: func(fset *token.FileSet, pos token.Pos, msg string) {
-			fmt.Printf("%s:\tWARNING: %s\n", fset.Position(pos).String(), msg)
-		},
-		LocaleTrFunctions: llu.InitLocaleTrFunctions(),
-	}
-
-	if err := filepath.WalkDir(".", func(fpath string, d fs.DirEntry, err error) error {
-		if err != nil {
-			if os.IsNotExist(err) {
-				return nil
-			}
-			return err
-		}
-		name := d.Name()
-		if d.IsDir() {
-			if name == "docker" || name == ".git" || name == "node_modules" {
-				return fs.SkipDir
-			}
-		} else if name == "bindata.go" || fpath == "modules/translation/i18n/i18n_test.go" || fpath == "modules/translation/i18n/i18n_ini_test.go" {
-			// skip false positives
-		} else if strings.HasSuffix(name, ".go") {
-			onError(HandleGoFile(handler, fpath, nil))
-		} else if strings.HasSuffix(name, ".tmpl") {
-			if strings.HasPrefix(fpath, "tests") && strings.HasSuffix(name, ".ini.tmpl") {
-				// skip false positives
-			} else {
-				onError(handler.HandleTemplateFile(fpath, nil))
-			}
-		}
-		return nil
-	}); err != nil {
-		fmt.Printf("walkdir ERROR: %s\n", err.Error())
-		os.Exit(1)
-	}
-
-	unusedMsgids := []string{}
-
-	for msgid := range msgids {
-		if !usedMsgids.Contains(msgid) && !allowedMaskedPrefixes.Matches(strings.Split(msgid, ".")) {
-			unusedMsgids = append(unusedMsgids, msgid)
-		}
-	}
-
-	sort.Strings(unusedMsgids)
-
-	if len(unusedMsgids) != 0 {
-		fmt.Printf("=== unused msgids (%d): ===\n", len(unusedMsgids))
-		for _, msgid := range unusedMsgids {
-			fmt.Printf("- %s\n", msgid)
-		}
-	}
-
-	if !allowMissingMsgids && gotAnyMsgidError {
-		os.Exit(4)
-	}
-	if !allowUnusedMsgids && len(unusedMsgids) != 0 {
-		os.Exit(5)
-	}
-}

build/lint-locale-usage/handle-go.go

@@ -1,123 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package lintLocaleUsage
-
-import (
-	"fmt"
-	"go/ast"
-	"go/token"
-	"strconv"
-	"strings"
-)
-
-func (handler Handler) HandleGoTrBasicLit(fset *token.FileSet, argLit *ast.BasicLit, prefix string) {
-	if argLit.Kind == token.STRING {
-		// extract string content
-		arg, err := strconv.Unquote(argLit.Value)
-		if err != nil {
-			return
-		}
-		// found interesting strings
-		arg = prefix + arg
-		if strings.HasSuffix(arg, ".") || strings.HasSuffix(arg, "_") {
-			prep, trunc := PrepareMsgidPrefix(arg)
-			if trunc {
-				handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf("needed to truncate message id prefix: %s", arg))
-			}
-			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
-		} else {
-			handler.OnMsgid(fset, argLit.ValuePos, arg, false)
-		}
-	}
-}
-
-func (handler Handler) HandleGoTrArgument(fset *token.FileSet, n ast.Expr, prefix string) {
-	switch n := n.(type) {
-	case *ast.BasicLit:
-		handler.HandleGoTrBasicLit(fset, n, prefix)
-
-	case *ast.BinaryExpr:
-		if n.Op != token.ADD {
-			// pass
-		} else if argLit, ok := n.X.(*ast.BasicLit); ok && argLit.Kind == token.STRING {
-			// extract string content
-			arg, err := strconv.Unquote(argLit.Value)
-			if err != nil {
-				return
-			}
-			// found interesting strings
-			arg = prefix + arg
-			prep, trunc := PrepareMsgidPrefix(arg)
-			if trunc {
-				handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf("needed to truncate message id prefix: %s", arg))
-			}
-			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
-		}
-
-	case *ast.CallExpr:
-		if selExpr, ok := n.Fun.(*ast.SelectorExpr); ok {
-			if xIdent, xok := selExpr.X.(*ast.Ident); !xok || xIdent.Name != "fmt" {
-				return
-			}
-			if selExpr.Sel.Name != "Sprintf" {
-				handler.OnWarning(fset, selExpr.Sel.NamePos, fmt.Sprintf("unexpected formatting function encountered: %s", selExpr.Sel.Name))
-				return
-			}
-			if len(n.Args) == 0 {
-				handler.OnWarning(fset, selExpr.Sel.NamePos, fmt.Sprintf("unexpected formatting function invocation (no arguments) of '%s'", selExpr.Sel.Name))
-				return
-			}
-
-			if argLit, ok := n.Args[0].(*ast.BasicLit); ok && argLit.Kind == token.STRING {
-				// extract string content
-				arg, err := strconv.Unquote(argLit.Value)
-				if err != nil {
-					return
-				}
-				if strings.Contains(arg, " ") {
-					handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf(
-						"formatting function invocation of '%s' with weird msgid format string: %s",
-						selExpr.Sel.Name,
-						arg,
-					))
-					return
-				}
-				// found interesting strings
-				handler.OnMsgidPattern(fset, argLit.ValuePos, prefix+arg)
-			}
-		}
-	}
-}
-
-func (handler Handler) HandleGoCommentGroup(fset *token.FileSet, cg *ast.CommentGroup, commentPrefix string) *string {
-	if cg == nil {
-		return nil
-	}
-	var matches []token.Pos
-	matchInsPrefix := ""
-	commentPrefix = "//" + commentPrefix
-	for _, comment := range cg.List {
-		ctxt := strings.TrimSpace(comment.Text)
-		if ctxt == commentPrefix {
-			matches = append(matches, comment.Slash)
-		} else if after, found := strings.CutPrefix(ctxt, commentPrefix+"Suffix "); found {
-			matches = append(matches, comment.Slash)
-			matchInsPrefix = strings.TrimSpace(after)
-		}
-	}
-	switch len(matches) {
-	case 0:
-		return nil
-	case 1:
-		return &matchInsPrefix
-	default:
-		handler.OnWarning(
-			fset,
-			matches[0],
-			fmt.Sprintf("encountered multiple %s... directives, ignoring", strings.TrimSpace(commentPrefix)),
-		)
-		return &matchInsPrefix
-	}
-}

build/lint-locale-usage/handle-tmpl.go

@@ -1,244 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package lintLocaleUsage
-
-import (
-	"fmt"
-	"go/token"
-	"os"
-	"strings"
-	"text/template"
-	tmplParser "text/template/parse"
-
-	fjTemplates "forgejo.org/modules/templates"
-	"forgejo.org/modules/util"
-)
-
-// derived from source: modules/templates/scopedtmpl/scopedtmpl.go, L169-L213
-func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.Node) {
-	switch node.Type() {
-	case tmplParser.NodeAction:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.ActionNode).Pipe)
-	case tmplParser.NodeList:
-		nodeList := node.(*tmplParser.ListNode)
-		handler.handleTemplateFileNodes(fset, nodeList.Nodes)
-	case tmplParser.NodePipe:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.PipeNode))
-	case tmplParser.NodeTemplate:
-		handler.handleTemplatePipeNode(fset, node.(*tmplParser.TemplateNode).Pipe)
-	case tmplParser.NodeIf:
-		nodeIf := node.(*tmplParser.IfNode)
-		handler.handleTemplateBranchNode(fset, nodeIf.BranchNode)
-	case tmplParser.NodeRange:
-		nodeRange := node.(*tmplParser.RangeNode)
-		handler.handleTemplateBranchNode(fset, nodeRange.BranchNode)
-	case tmplParser.NodeWith:
-		nodeWith := node.(*tmplParser.WithNode)
-		handler.handleTemplateBranchNode(fset, nodeWith.BranchNode)
-
-	case tmplParser.NodeCommand:
-		nodeCommand := node.(*tmplParser.CommandNode)
-
-		handler.handleTemplateFileNodes(fset, nodeCommand.Args)
-
-		if len(nodeCommand.Args) < 2 {
-			return
-		}
-
-		funcname := ""
-		switch nodeCommand.Args[0].Type() {
-		case tmplParser.NodeChain:
-			nodeChain := nodeCommand.Args[0].(*tmplParser.ChainNode)
-			if nodeIdent, ok := nodeChain.Node.(*tmplParser.IdentifierNode); ok {
-				if nodeIdent.Ident != "ctx" || len(nodeChain.Field) != 2 || nodeChain.Field[0] != "Locale" {
-					return
-				}
-				funcname = nodeChain.Field[1]
-			}
-
-		case tmplParser.NodeField:
-			nodeField := nodeCommand.Args[0].(*tmplParser.FieldNode)
-			if len(nodeField.Ident) != 2 || nodeField.Ident[0] != "locale" {
-				return
-			}
-			resolvedPos := fset.PositionFor(token.Pos(nodeCommand.Pos), false)
-			if !strings.Contains(resolvedPos.Filename, "templates/mail/") {
-				handler.OnWarning(fset, token.Pos(nodeCommand.Pos), "encountered unexpected .locale usage")
-			}
-			funcname = nodeField.Ident[1]
-
-		case tmplParser.NodeVariable:
-			nodeVar := nodeCommand.Args[0].(*tmplParser.VariableNode)
-			if len(nodeVar.Ident) != 3 || !(nodeVar.Ident[0] == "$" && nodeVar.Ident[1] == "locale") {
-				return
-			}
-			funcname = nodeVar.Ident[2]
-		}
-
-		var gotUnexpectedInvoke *int
-		ltf, ok := handler.LocaleTrFunctions[funcname]
-		if !ok {
-			return
-		}
-
-		for _, argNum := range ltf {
-			if len(nodeCommand.Args) >= int(argNum+2) {
-				handler.handleTemplateMsgid(fset, nodeCommand.Args[int(argNum+1)])
-			} else {
-				argc := len(nodeCommand.Args) - 1
-				gotUnexpectedInvoke = &argc
-			}
-		}
-
-		if gotUnexpectedInvoke != nil {
-			handler.OnUnexpectedInvoke(fset, token.Pos(nodeCommand.Pos), funcname, *gotUnexpectedInvoke)
-		}
-
-	default:
-	}
-}
-
-func (handler Handler) handleTemplateMsgid(fset *token.FileSet, node tmplParser.Node) {
-	// the column numbers are a bit "off", but much better than nothing
-	pos := token.Pos(node.Position())
-
-	switch node.Type() {
-	case tmplParser.NodeString:
-		nodeString := node.(*tmplParser.StringNode)
-		// found interesting strings
-		handler.OnMsgid(fset, pos, nodeString.Text, false)
-
-	case tmplParser.NodePipe:
-		nodePipe := node.(*tmplParser.PipeNode)
-		handler.handleTemplatePipeNode(fset, nodePipe)
-
-		if len(nodePipe.Cmds) == 0 {
-			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (no commands): %s", node.String()))
-		} else if len(nodePipe.Cmds) != 1 {
-			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (too many commands): %s", node.String()))
-			return
-		}
-		nodeCommand := nodePipe.Cmds[0]
-		if len(nodeCommand.Args) < 2 {
-			handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (not enough arguments): %s", node.String()))
-			return
-		}
-
-		nodeIdent, ok := nodeCommand.Args[0].(*tmplParser.IdentifierNode)
-		if !ok || (nodeIdent.Ident != "print" && nodeIdent.Ident != "printf") {
-			// handler.OnWarning(fset, pos, fmt.Sprintf("unsupported invocation of locate function (bad command): %s", node.String()))
-			return
-		}
-
-		nodeString, ok := nodeCommand.Args[1].(*tmplParser.StringNode)
-		if !ok {
-			//handler.OnWarning(
-			//	fset,
-			//	pos,
-			//	fmt.Sprintf("unsupported invocation of locate function (string should be first argument to %s): %s", nodeIdent.Ident, node.String()),
-			//)
-			return
-		}
-
-		msgidPrefix := nodeString.Text
-		stringPos := token.Pos(nodeString.Pos)
-
-		if len(nodeCommand.Args) == 2 {
-			// found interesting strings
-			handler.OnMsgid(fset, stringPos, msgidPrefix, false)
-		} else {
-			if nodeIdent.Ident == "printf" {
-				// found interesting strings
-				if !(strings.HasSuffix(msgidPrefix, ".%s") && strings.Count(msgidPrefix, "%") == 1) {
-					handler.OnMsgidPattern(fset, stringPos, msgidPrefix)
-					return
-				}
-				msgidPrefix = strings.TrimSuffix(msgidPrefix, "%s")
-			}
-
-			msgidPrefixFin, truncated := PrepareMsgidPrefix(msgidPrefix)
-			if truncated {
-				handler.OnWarning(fset, stringPos, fmt.Sprintf("needed to truncate message id prefix: %s", msgidPrefix))
-			}
-
-			// found interesting strings
-			handler.OnMsgidPrefix(fset, stringPos, msgidPrefixFin, truncated)
-		}
-
-	default:
-		// handler.OnWarning(fset, pos, fmt.Sprintf("unknown invocation of locate function: %s", node.String()))
-	}
-}
-
-func (handler Handler) handleTemplatePipeNode(fset *token.FileSet, pipeNode *tmplParser.PipeNode) {
-	if pipeNode == nil {
-		return
-	}
-
-	// NOTE: we can't pass `pipeNode.Cmds` to handleTemplateFileNodes due to incompatible argument types
-	for _, node := range pipeNode.Cmds {
-		handler.handleTemplateNode(fset, node)
-	}
-}
-
-func (handler Handler) handleTemplateBranchNode(fset *token.FileSet, branchNode tmplParser.BranchNode) {
-	handler.handleTemplatePipeNode(fset, branchNode.Pipe)
-	handler.handleTemplateFileNodes(fset, branchNode.List.Nodes)
-	if branchNode.ElseList != nil {
-		handler.handleTemplateFileNodes(fset, branchNode.ElseList.Nodes)
-	}
-}
-
-func (handler Handler) handleTemplateFileNodes(fset *token.FileSet, nodes []tmplParser.Node) {
-	for _, node := range nodes {
-		handler.handleTemplateNode(fset, node)
-	}
-}
-
-// the `Handle*File` functions follow the following calling convention:
-// * `fname` is the name of the input file
-// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
-//   or the contents of the file as {`[]byte`, or a `string`}
-
-func (handler Handler) HandleTemplateFile(fname string, src any) error {
-	var tmplContent []byte
-	switch src2 := src.(type) {
-	case nil:
-		var err error
-		tmplContent, err = os.ReadFile(fname)
-		if err != nil {
-			return LocatedError{
-				Location: fname,
-				Kind:     "ReadFile",
-				Err:      err,
-			}
-		}
-	case []byte:
-		tmplContent = src2
-	case string:
-		// SAFETY: we do not modify tmplContent below
-		tmplContent = util.UnsafeStringToBytes(src2)
-	default:
-		panic("invalid type for 'src'")
-	}
-
-	fset := token.NewFileSet()
-	fset.AddFile(fname, 1, len(tmplContent)).SetLinesForContent(tmplContent)
-	// SAFETY: we do not modify tmplContent2 below
-	tmplContent2 := util.UnsafeBytesToString(tmplContent)
-
-	tmpl := template.New(fname)
-	tmpl.Funcs(fjTemplates.NewFuncMap())
-	tmplParsed, err := tmpl.Parse(tmplContent2)
-	if err != nil {
-		return LocatedError{
-			Location: fname,
-			Kind:     "Template parser",
-			Err:      err,
-		}
-	}
-	handler.handleTemplateFileNodes(fset, tmplParsed.Root.Nodes)
-	return nil
-}

build/lint-locale-usage/handler.go

@@ -1,63 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package lintLocaleUsage
-
-import (
-	"go/token"
-	"strings"
-)
-
-type LocatedError struct {
-	Location string
-	Kind     string
-	Err      error
-}
-
-func (e LocatedError) Error() string {
-	var sb strings.Builder
-
-	sb.WriteString(e.Location)
-	sb.WriteString(":\t")
-	if e.Kind != "" {
-		sb.WriteString(e.Kind)
-		sb.WriteString(": ")
-	}
-	sb.WriteString("ERROR: ")
-	sb.WriteString(e.Err.Error())
-
-	return sb.String()
-}
-
-func InitLocaleTrFunctions() map[string][]uint {
-	ret := make(map[string][]uint)
-
-	f0 := []uint{0}
-	ret["Tr"] = f0
-	ret["TrString"] = f0
-	ret["TrHTML"] = f0
-
-	ret["TrPluralString"] = []uint{1}
-	ret["TrN"] = []uint{1, 2}
-
-	return ret
-}
-
-type Handler struct {
-	OnMsgid            func(fset *token.FileSet, pos token.Pos, msgid string, weak bool)
-	OnMsgidPrefix      func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool)
-	OnMsgidPattern     func(fset *token.FileSet, pos token.Pos, msgidPattern string)
-	OnUnexpectedInvoke func(fset *token.FileSet, pos token.Pos, funcname string, argc int)
-	OnWarning          func(fset *token.FileSet, pos token.Pos, msg string)
-	LocaleTrFunctions  map[string][]uint
-}
-
-// Truncating a message id prefix to the last dot
-func PrepareMsgidPrefix(s string) (string, bool) {
-	index := strings.LastIndexByte(s, 0x2e)
-	if index == -1 {
-		return "", true
-	}
-	return s[:index], index != len(s)-1
-}

build/lint-locale-usage/lint-locale-usage.go

@@ -0,0 +1,383 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package main
+
+import (
+	"fmt"
+	"go/ast"
+	goParser "go/parser"
+	"go/token"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"text/template"
+	tmplParser "text/template/parse"
+
+	"forgejo.org/modules/container"
+	fjTemplates "forgejo.org/modules/templates"
+	"forgejo.org/modules/translation/localeiter"
+	"forgejo.org/modules/util"
+)
+
+// this works by first gathering all valid source string IDs from `en-US` reference files
+// and then checking if all used source strings are actually defined
+
+type LocatedError struct {
+	Location string
+	Kind     string
+	Err      error
+}
+
+func (e LocatedError) Error() string {
+	var sb strings.Builder
+
+	sb.WriteString(e.Location)
+	sb.WriteString(":\t")
+	if e.Kind != "" {
+		sb.WriteString(e.Kind)
+		sb.WriteString(": ")
+	}
+	sb.WriteString("ERROR: ")
+	sb.WriteString(e.Err.Error())
+
+	return sb.String()
+}
+
+func InitLocaleTrFunctions() map[string][]uint {
+	ret := make(map[string][]uint)
+
+	f0 := []uint{0}
+	ret["Tr"] = f0
+	ret["TrString"] = f0
+	ret["TrHTML"] = f0
+
+	ret["TrPluralString"] = []uint{1}
+	ret["TrN"] = []uint{1, 2}
+
+	return ret
+}
+
+type Handler struct {
+	OnMsgid            func(fset *token.FileSet, pos token.Pos, msgid string)
+	OnUnexpectedInvoke func(fset *token.FileSet, pos token.Pos, funcname string, argc int)
+	LocaleTrFunctions  map[string][]uint
+}
+
+// the `Handle*File` functions follow the following calling convention:
+// * `fname` is the name of the input file
+// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
+//   or the contents of the file as {`[]byte`, or a `string`}
+
+func (handler Handler) HandleGoFile(fname string, src any) error {
+	fset := token.NewFileSet()
+	node, err := goParser.ParseFile(fset, fname, src, goParser.SkipObjectResolution)
+	if err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Go parser",
+			Err:      err,
+		}
+	}
+
+	ast.Inspect(node, func(n ast.Node) bool {
+		// search for function calls of the form `anything.Tr(any-string-lit, ...)`
+
+		call, ok := n.(*ast.CallExpr)
+		if !ok || len(call.Args) < 1 {
+			return true
+		}
+
+		funSel, ok := call.Fun.(*ast.SelectorExpr)
+		if !ok {
+			return true
+		}
+
+		ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
+		if !ok {
+			return true
+		}
+
+		var gotUnexpectedInvoke *int
+
+		for _, argNum := range ltf {
+			if len(call.Args) >= int(argNum+1) {
+				argLit, ok := call.Args[int(argNum)].(*ast.BasicLit)
+				if !ok || argLit.Kind != token.STRING {
+					continue
+				}
+
+				// extract string content
+				arg, err := strconv.Unquote(argLit.Value)
+				if err == nil {
+					// found interesting strings
+					handler.OnMsgid(fset, argLit.ValuePos, arg)
+				}
+			} else {
+				argc := len(call.Args)
+				gotUnexpectedInvoke = &argc
+			}
+		}
+
+		if gotUnexpectedInvoke != nil {
+			handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
+		}
+
+		return true
+	})
+
+	return nil
+}
+
+// derived from source: modules/templates/scopedtmpl/scopedtmpl.go, L169-L213
+func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.Node) {
+	switch node.Type() {
+	case tmplParser.NodeAction:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.ActionNode).Pipe)
+	case tmplParser.NodeList:
+		nodeList := node.(*tmplParser.ListNode)
+		handler.handleTemplateFileNodes(fset, nodeList.Nodes)
+	case tmplParser.NodePipe:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.PipeNode))
+	case tmplParser.NodeTemplate:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.TemplateNode).Pipe)
+	case tmplParser.NodeIf:
+		nodeIf := node.(*tmplParser.IfNode)
+		handler.handleTemplateBranchNode(fset, nodeIf.BranchNode)
+	case tmplParser.NodeRange:
+		nodeRange := node.(*tmplParser.RangeNode)
+		handler.handleTemplateBranchNode(fset, nodeRange.BranchNode)
+	case tmplParser.NodeWith:
+		nodeWith := node.(*tmplParser.WithNode)
+		handler.handleTemplateBranchNode(fset, nodeWith.BranchNode)
+
+	case tmplParser.NodeCommand:
+		nodeCommand := node.(*tmplParser.CommandNode)
+
+		handler.handleTemplateFileNodes(fset, nodeCommand.Args)
+
+		if len(nodeCommand.Args) < 2 {
+			return
+		}
+
+		nodeChain, ok := nodeCommand.Args[0].(*tmplParser.ChainNode)
+		if !ok {
+			return
+		}
+
+		nodeIdent, ok := nodeChain.Node.(*tmplParser.IdentifierNode)
+		if !ok || nodeIdent.Ident != "ctx" || len(nodeChain.Field) != 2 || nodeChain.Field[0] != "Locale" {
+			return
+		}
+
+		ltf, ok := handler.LocaleTrFunctions[nodeChain.Field[1]]
+		if !ok {
+			return
+		}
+
+		var gotUnexpectedInvoke *int
+
+		for _, argNum := range ltf {
+			if len(nodeCommand.Args) >= int(argNum+2) {
+				nodeString, ok := nodeCommand.Args[int(argNum+1)].(*tmplParser.StringNode)
+				if ok {
+					// found interesting strings
+					// the column numbers are a bit "off", but much better than nothing
+					handler.OnMsgid(fset, token.Pos(nodeString.Pos), nodeString.Text)
+				}
+			} else {
+				argc := len(nodeCommand.Args) - 1
+				gotUnexpectedInvoke = &argc
+			}
+		}
+
+		if gotUnexpectedInvoke != nil {
+			handler.OnUnexpectedInvoke(fset, token.Pos(nodeChain.Pos), nodeChain.Field[1], *gotUnexpectedInvoke)
+		}
+
+	default:
+	}
+}
+
+func (handler Handler) handleTemplatePipeNode(fset *token.FileSet, pipeNode *tmplParser.PipeNode) {
+	if pipeNode == nil {
+		return
+	}
+
+	// NOTE: we can't pass `pipeNode.Cmds` to handleTemplateFileNodes due to incompatible argument types
+	for _, node := range pipeNode.Cmds {
+		handler.handleTemplateNode(fset, node)
+	}
+}
+
+func (handler Handler) handleTemplateBranchNode(fset *token.FileSet, branchNode tmplParser.BranchNode) {
+	handler.handleTemplatePipeNode(fset, branchNode.Pipe)
+	handler.handleTemplateFileNodes(fset, branchNode.List.Nodes)
+	if branchNode.ElseList != nil {
+		handler.handleTemplateFileNodes(fset, branchNode.ElseList.Nodes)
+	}
+}
+
+func (handler Handler) handleTemplateFileNodes(fset *token.FileSet, nodes []tmplParser.Node) {
+	for _, node := range nodes {
+		handler.handleTemplateNode(fset, node)
+	}
+}
+
+func (handler Handler) HandleTemplateFile(fname string, src any) error {
+	var tmplContent []byte
+	switch src2 := src.(type) {
+	case nil:
+		var err error
+		tmplContent, err = os.ReadFile(fname)
+		if err != nil {
+			return LocatedError{
+				Location: fname,
+				Kind:     "ReadFile",
+				Err:      err,
+			}
+		}
+	case []byte:
+		tmplContent = src2
+	case string:
+		// SAFETY: we do not modify tmplContent below
+		tmplContent = util.UnsafeStringToBytes(src2)
+	default:
+		panic("invalid type for 'src'")
+	}
+
+	fset := token.NewFileSet()
+	fset.AddFile(fname, 1, len(tmplContent)).SetLinesForContent(tmplContent)
+	// SAFETY: we do not modify tmplContent2 below
+	tmplContent2 := util.UnsafeBytesToString(tmplContent)
+
+	tmpl := template.New(fname)
+	tmpl.Funcs(fjTemplates.NewFuncMap())
+	tmplParsed, err := tmpl.Parse(tmplContent2)
+	if err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Template parser",
+			Err:      err,
+		}
+	}
+	handler.handleTemplateFileNodes(fset, tmplParsed.Root.Nodes)
+	return nil
+}
+
+// This command assumes that we get started from the project root directory
+//
+// Possible command line flags:
+//
+//	--allow-missing-msgids        don't return an error code if missing message IDs are found
+//
+// EXIT CODES:
+//
+//	0  success, no issues found
+//	1  unable to walk directory tree
+//	2  unable to parse locale ini/json files
+//	3  unable to parse go or text/template files
+//	4  found missing message IDs
+//
+//nolint:forbidigo
+func main() {
+	allowMissingMsgids := false
+	for _, arg := range os.Args[1:] {
+		if arg == "--allow-missing-msgids" {
+			allowMissingMsgids = true
+		}
+	}
+
+	onError := func(err error) {
+		if err == nil {
+			return
+		}
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+
+	msgids := make(container.Set[string])
+
+	localeFile := filepath.Join(filepath.Join("options", "locale"), "locale_en-US.ini")
+	localeContent, err := os.ReadFile(localeFile)
+	if err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	if err = localeiter.IterateMessagesContent(localeContent, func(trKey, trValue string) error {
+		msgids[trKey] = struct{}{}
+		return nil
+	}); err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	localeFile = filepath.Join(filepath.Join("options", "locale_next"), "locale_en-US.json")
+	localeContent, err = os.ReadFile(localeFile)
+	if err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	if err := localeiter.IterateMessagesNextContent(localeContent, func(trKey, pluralForm, trValue string) error {
+		// ignore plural form
+		msgids[trKey] = struct{}{}
+		return nil
+	}); err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	gotAnyMsgidError := false
+
+	handler := Handler{
+		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string) {
+			if !msgids.Contains(msgid) {
+				gotAnyMsgidError = true
+				fmt.Printf("%s:\tmissing msgid: %s\n", fset.Position(pos).String(), msgid)
+			}
+		},
+		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {
+			gotAnyMsgidError = true
+			fmt.Printf("%s:\tunexpected invocation of %s with %d arguments\n", fset.Position(pos).String(), funcname, argc)
+		},
+		LocaleTrFunctions: InitLocaleTrFunctions(),
+	}
+
+	if err := filepath.WalkDir(".", func(fpath string, d fs.DirEntry, err error) error {
+		if err != nil {
+			if os.IsNotExist(err) {
+				return nil
+			}
+			return err
+		}
+		name := d.Name()
+		if d.IsDir() {
+			if name == "docker" || name == ".git" || name == "node_modules" {
+				return fs.SkipDir
+			}
+		} else if name == "bindata.go" || fpath == "modules/translation/i18n/i18n_test.go" {
+			// skip false positives
+		} else if strings.HasSuffix(name, ".go") {
+			onError(handler.HandleGoFile(fpath, nil))
+		} else if strings.HasSuffix(name, ".tmpl") {
+			if strings.HasPrefix(fpath, "tests") && strings.HasSuffix(name, ".ini.tmpl") {
+				// skip false positives
+			} else {
+				onError(handler.HandleTemplateFile(fpath, nil))
+			}
+		}
+		return nil
+	}); err != nil {
+		fmt.Printf("walkdir ERROR: %s\n", err.Error())
+		os.Exit(1)
+	}
+
+	if !allowMissingMsgids && gotAnyMsgidError {
+		os.Exit(4)
+	}
+}

build/lint-locale-usage/lint-locale-usage_test.go

@@ -7,26 +7,24 @@ import (
 	"go/token"
 	"testing"
 
-	llu "forgejo.org/build/lint-locale-usage"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func buildHandler(ret *[]string) llu.Handler {
-	return llu.Handler{
-		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string, weak bool) {
+func buildHandler(ret *[]string) Handler {
+	return Handler{
+		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string) {
 			*ret = append(*ret, msgid)
 		},
 		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {},
-		LocaleTrFunctions:  llu.InitLocaleTrFunctions(),
+		LocaleTrFunctions:  InitLocaleTrFunctions(),
 	}
 }
 
 func HandleGoFileWrapped(t *testing.T, fname, src string) []string {
 	var ret []string
 	handler := buildHandler(&ret)
-	require.NoError(t, HandleGoFile(handler, fname, src))
+	require.NoError(t, handler.HandleGoFile(fname, src))
 	return ret
 }
 

cmd/actions.go

@@ -28,7 +28,6 @@ func subcmdActionsGenRunnerToken() *cli.Command {
 	return &cli.Command{
 		Name:    "generate-runner-token",
 		Usage:   "Generate a new token for a runner to use to register with the server",
-		Before:  noDanglingArgs,
 		Action:  runGenerateActionsRunnerToken,
 		Aliases: []string{"grt"},
 		Flags: []cli.Flag{

cmd/admin.go

@@ -37,7 +37,6 @@ func subcmdRepoSyncReleases() *cli.Command {
 	return &cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
-		Before: noDanglingArgs,
 		Action: runRepoSyncReleases,
 	}
 }
@@ -47,6 +46,7 @@ func subcmdRegenerate() *cli.Command {
 		Name:  "regenerate",
 		Usage: "Regenerate specific files",
 		Commands: []*cli.Command{
+			microcmdRegenHooks,
 			microcmdRegenKeys,
 		},
 	}
@@ -63,8 +63,6 @@ func subcmdAuth() *cli.Command {
 			microcmdAuthUpdateLdapBindDn(),
 			microcmdAuthAddLdapSimpleAuth(),
 			microcmdAuthUpdateLdapSimpleAuth(),
-			microcmdAuthAddPAM(),
-			microcmdAuthUpdatePAM(),
 			microcmdAuthAddSMTP(),
 			microcmdAuthUpdateSMTP(),
 			microcmdAuthList(),
@@ -77,7 +75,6 @@ func subcmdSendMail() *cli.Command {
 	return &cli.Command{
 		Name:   "sendmail",
 		Usage:  "Send a message to all users",
-		Before: noDanglingArgs,
 		Action: runSendMail,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
@@ -106,7 +103,7 @@ func idFlag() *cli.Int64Flag {
 	}
 }
 
-func runRepoSyncReleases(ctx context.Context, c *cli.Command) error {
+func runRepoSyncReleases(ctx context.Context, _ *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()
 

cmd/admin_auth.go

@@ -17,21 +17,11 @@ import (
 	"github.com/urfave/cli/v3"
 )
 
-type (
-	authService struct {
-		initDB            func(ctx context.Context) error
-		createAuthSource  func(context.Context, *auth_model.Source) error
-		updateAuthSource  func(context.Context, *auth_model.Source) error
-		getAuthSourceByID func(ctx context.Context, id int64) (*auth_model.Source, error)
-	}
-)
-
 func microcmdAuthDelete() *cli.Command {
 	return &cli.Command{
 		Name:   "delete",
 		Usage:  "Delete specific auth source",
 		Flags:  []cli.Flag{idFlag()},
-		Before: noDanglingArgs,
 		Action: runDeleteAuth,
 	}
 }
@@ -40,7 +30,6 @@ func microcmdAuthList() *cli.Command {
 	return &cli.Command{
 		Name:   "list",
 		Usage:  "List auth sources",
-		Before: noDanglingArgs,
 		Action: runListAuth,
 		Flags: []cli.Flag{
 			&cli.IntFlag{
@@ -71,16 +60,6 @@ func microcmdAuthList() *cli.Command {
 	}
 }
 
-// newAuthService creates a service with default functions.
-func newAuthService() *authService {
-	return &authService{
-		initDB:            initDB,
-		createAuthSource:  auth_model.CreateSource,
-		updateAuthSource:  auth_model.UpdateSource,
-		getAuthSourceByID: auth_model.GetSourceByID,
-	}
-}
-
 func runListAuth(ctx context.Context, c *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()

cmd/admin_auth_ldap.go

@@ -14,6 +14,15 @@ import (
 	"github.com/urfave/cli/v3"
 )
 
+type (
+	authService struct {
+		initDB            func(ctx context.Context) error
+		createAuthSource  func(context.Context, *auth.Source) error
+		updateAuthSource  func(context.Context, *auth.Source) error
+		getAuthSourceByID func(ctx context.Context, id int64) (*auth.Source, error)
+	}
+)
+
 func commonLdapCLIFlags() []cli.Flag {
 	return []cli.Flag{
 		&cli.StringFlag{
@@ -133,9 +142,8 @@ func ldapSimpleAuthCLIFlags() []cli.Flag {
 
 func microcmdAuthAddLdapBindDn() *cli.Command {
 	return &cli.Command{
-		Name:   "add-ldap",
-		Usage:  "Add new LDAP (via Bind DN) authentication source",
-		Before: noDanglingArgs,
+		Name:  "add-ldap",
+		Usage: "Add new LDAP (via Bind DN) authentication source",
 		Action: func(ctx context.Context, cli *cli.Command) error {
 			return newAuthService().addLdapBindDn(ctx, cli)
 		},
@@ -145,9 +153,8 @@ func microcmdAuthAddLdapBindDn() *cli.Command {
 
 func microcmdAuthUpdateLdapBindDn() *cli.Command {
 	return &cli.Command{
-		Name:   "update-ldap",
-		Usage:  "Update existing LDAP (via Bind DN) authentication source",
-		Before: noDanglingArgs,
+		Name:  "update-ldap",
+		Usage: "Update existing LDAP (via Bind DN) authentication source",
 		Action: func(ctx context.Context, cli *cli.Command) error {
 			return newAuthService().updateLdapBindDn(ctx, cli)
 		},
@@ -157,9 +164,8 @@ func microcmdAuthUpdateLdapBindDn() *cli.Command {
 
 func microcmdAuthAddLdapSimpleAuth() *cli.Command {
 	return &cli.Command{
-		Name:   "add-ldap-simple",
-		Usage:  "Add new LDAP (simple auth) authentication source",
-		Before: noDanglingArgs,
+		Name:  "add-ldap-simple",
+		Usage: "Add new LDAP (simple auth) authentication source",
 		Action: func(ctx context.Context, cli *cli.Command) error {
 			return newAuthService().addLdapSimpleAuth(ctx, cli)
 		},
@@ -169,9 +175,8 @@ func microcmdAuthAddLdapSimpleAuth() *cli.Command {
 
 func microcmdAuthUpdateLdapSimpleAuth() *cli.Command {
 	return &cli.Command{
-		Name:   "update-ldap-simple",
-		Usage:  "Update existing LDAP (simple auth) authentication source",
-		Before: noDanglingArgs,
+		Name:  "update-ldap-simple",
+		Usage: "Update existing LDAP (simple auth) authentication source",
 		Action: func(ctx context.Context, cli *cli.Command) error {
 			return newAuthService().updateLdapSimpleAuth(ctx, cli)
 		},
@@ -179,6 +184,16 @@ func microcmdAuthUpdateLdapSimpleAuth() *cli.Command {
 	}
 }
 
+// newAuthService creates a service with default functions.
+func newAuthService() *authService {
+	return &authService{
+		initDB:            initDB,
+		createAuthSource:  auth.CreateSource,
+		updateAuthSource:  auth.UpdateSource,
+		getAuthSourceByID: auth.GetSourceByID,
+	}
+}
+
 // parseAuthSource assigns values on authSource according to command line flags.
 func parseAuthSource(c *cli.Command, authSource *auth.Source) {
 	if c.IsSet("name") {

cmd/admin_auth_oauth.go

@@ -86,11 +86,6 @@ func oauthCLIFlags() []cli.Flag {
 			Value: nil,
 			Usage: "Scopes to request when to authenticate against this OAuth2 source",
 		},
-		&cli.StringFlag{
-			Name:  "attribute-ssh-public-key",
-			Value: "",
-			Usage: "Claim name providing SSH public keys for this source",
-		},
 		&cli.StringFlag{
 			Name:  "required-claim-name",
 			Value: "",
@@ -125,24 +120,6 @@ func oauthCLIFlags() []cli.Flag {
 			Name:  "group-team-map-removal",
 			Usage: "Activate automatic team membership removal depending on groups",
 		},
-		&cli.BoolFlag{
-			Name:  "allow-username-change",
-			Usage: "Allow users to change their username",
-		},
-		&cli.StringFlag{
-			Name:  "quota-group-claim-name",
-			Value: "",
-			Usage: "Claim name providing quota group names for this source",
-		},
-		&cli.StringFlag{
-			Name:  "quota-group-map",
-			Value: "",
-			Usage: "JSON mapping between groups and quota groups",
-		},
-		&cli.BoolFlag{
-			Name:  "quota-group-map-removal",
-			Usage: "Activate automatic quota group removal depending on groups",
-		},
 	}
 }
 
@@ -150,8 +127,7 @@ func microcmdAuthAddOauth() *cli.Command {
 	return &cli.Command{
 		Name:   "add-oauth",
 		Usage:  "Add new Oauth authentication source",
-		Before: noDanglingArgs,
-		Action: newAuthService().addOauth,
+		Action: runAddOauth,
 		Flags:  oauthCLIFlags(),
 	}
 }
@@ -160,8 +136,7 @@ func microcmdAuthUpdateOauth() *cli.Command {
 	return &cli.Command{
 		Name:   "update-oauth",
 		Usage:  "Update existing Oauth authentication source",
-		Before: noDanglingArgs,
-		Action: newAuthService().updateOauth,
+		Action: runUpdateOauth,
 		Flags:  append(oauthCLIFlags()[:1], append([]cli.Flag{idFlag()}, oauthCLIFlags()[1:]...)...),
 	}
 }
@@ -188,7 +163,6 @@ func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
 		IconURL:                       c.String("icon-url"),
 		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),
 		Scopes:                        c.StringSlice("scopes"),
-		AttributeSSHPublicKey:         c.String("attribute-ssh-public-key"),
 		RequiredClaimName:             c.String("required-claim-name"),
 		RequiredClaimValue:            c.String("required-claim-value"),
 		GroupClaimName:                c.String("group-claim-name"),
@@ -196,18 +170,14 @@ func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
 		RestrictedGroup:               c.String("restricted-group"),
 		GroupTeamMap:                  c.String("group-team-map"),
 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
-		AllowUsernameChange:           c.Bool("allow-username-change"),
-		QuotaGroupClaimName:           c.String("quota-group-claim-name"),
-		QuotaGroupMap:                 c.String("quota-group-map"),
-		QuotaGroupMapRemoval:          c.Bool("quota-group-map-removal"),
 	}
 }
 
-func (a *authService) addOauth(ctx context.Context, c *cli.Command) error {
+func runAddOauth(ctx context.Context, c *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()
 
-	if err := a.initDB(ctx); err != nil {
+	if err := initDB(ctx); err != nil {
 		return err
 	}
 
@@ -219,7 +189,7 @@ func (a *authService) addOauth(ctx context.Context, c *cli.Command) error {
 		}
 	}
 
-	return a.createAuthSource(ctx, &auth_model.Source{
+	return auth_model.CreateSource(ctx, &auth_model.Source{
 		Type:     auth_model.OAuth2,
 		Name:     c.String("name"),
 		IsActive: true,
@@ -227,7 +197,7 @@ func (a *authService) addOauth(ctx context.Context, c *cli.Command) error {
 	})
 }
 
-func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
+func runUpdateOauth(ctx context.Context, c *cli.Command) error {
 	if !c.IsSet("id") {
 		return errors.New("--id flag is missing")
 	}
@@ -235,11 +205,11 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()
 
-	if err := a.initDB(ctx); err != nil {
+	if err := initDB(ctx); err != nil {
 		return err
 	}
 
-	source, err := a.getAuthSourceByID(ctx, c.Int64("id"))
+	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
 	if err != nil {
 		return err
 	}
@@ -274,10 +244,6 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 		oAuth2Config.Scopes = c.StringSlice("scopes")
 	}
 
-	if c.IsSet("attribute-ssh-public-key") {
-		oAuth2Config.AttributeSSHPublicKey = c.String("attribute-ssh-public-key")
-	}
-
 	if c.IsSet("required-claim-name") {
 		oAuth2Config.RequiredClaimName = c.String("required-claim-name")
 	}
@@ -300,19 +266,6 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 	if c.IsSet("group-team-map-removal") {
 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}
-	if c.IsSet("quota-group-claim-name") {
-		oAuth2Config.QuotaGroupClaimName = c.String("quota-group-claim-name")
-	}
-	if c.IsSet("quota-group-map") {
-		oAuth2Config.QuotaGroupMap = c.String("quota-group-map")
-	}
-	if c.IsSet("quota-group-map-removal") {
-		oAuth2Config.QuotaGroupMapRemoval = c.Bool("quota-group-map-removal")
-	}
-
-	if c.IsSet("allow-username-change") {
-		oAuth2Config.AllowUsernameChange = c.Bool("allow-username-change")
-	}
 
 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}
@@ -347,5 +300,5 @@ func (a *authService) updateOauth(ctx context.Context, c *cli.Command) error {
 	oAuth2Config.CustomURLMapping = customURLMapping
 	source.Cfg = oAuth2Config
 
-	return a.updateAuthSource(ctx, source)
+	return auth_model.UpdateSource(ctx, source)
 }

cmd/admin_auth_oauth_test.go

@@ -1,886 +0,0 @@
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"forgejo.org/models/auth"
-	"forgejo.org/modules/test"
-	"forgejo.org/services/auth/source/oauth2"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
-)
-
-func TestAddOauth(t *testing.T) {
-	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
-
-	// Test cases
-	cases := []struct {
-		args   []string
-		source *auth.Source
-		errMsg string
-	}{
-		// case 0
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source full",
-				"--provider", "openidConnect",
-				"--key", "client id",
-				"--secret", "client secret",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--use-custom-urls", "",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-				"--icon-url", "https://example.com/icon.svg",
-				"--skip-local-2fa",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-				"--attribute-ssh-public-key", "ssh_public_key",
-				"--required-claim-name", "can_access",
-				"--required-claim-value", "yes",
-				"--group-claim-name", "groups",
-				"--admin-group", "admin",
-				"--restricted-group", "restricted",
-				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-				"--group-team-map-removal",
-				"--allow-username-change",
-				"--quota-group-claim-name", "quota_groups",
-				"--quota-group-map", `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
-				"--quota-group-map-removal",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source full",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					ClientID:                      "client id",
-					ClientSecret:                  "client secret",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						AuthURL:    "https://example.com/auth",
-						TokenURL:   "https://example.com/token",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "tenant id",
-					},
-					IconURL:               "https://example.com/icon.svg",
-					Scopes:                []string{"address", "email", "phone", "profile"},
-					AttributeSSHPublicKey: "ssh_public_key",
-					RequiredClaimName:     "can_access",
-					RequiredClaimValue:    "yes",
-					GroupClaimName:        "groups",
-					AdminGroup:            "admin",
-					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-					GroupTeamMapRemoval:   true,
-					QuotaGroupClaimName:   "quota_groups",
-					QuotaGroupMap:         `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
-					QuotaGroupMapRemoval:  true,
-					RestrictedGroup:       "restricted",
-					SkipLocalTwoFA:        true,
-					AllowUsernameChange:   true,
-				},
-			},
-		},
-		// case 1
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source min",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source min",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{},
-				},
-			},
-		},
-		// case 2
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Scopes: []string{},
-				},
-			},
-		},
-		// case 3
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 4
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--scopes", "address,email,phone,profile",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 5
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source",
-				"--provider", "openidConnect",
-			},
-			errMsg: "invalid Auto Discovery URL:  (this must be a valid URL starting with http:// or https://)",
-		},
-		// case 6
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 (via openidConnect) source",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "example.com",
-			},
-			errMsg: "invalid Auto Discovery URL: example.com (this must be a valid URL starting with http:// or https://)",
-		},
-		// case 7
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 source with quota group claim name",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--quota-group-claim-name", "quota_groups",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 source with quota group claim name",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{},
-					QuotaGroupClaimName:           "quota_groups",
-				},
-			},
-		},
-		// case 8
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 source with quota group map",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--quota-group-map", `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 source with quota group map",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{},
-					QuotaGroupMap:                 `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
-				},
-			},
-		},
-		// case 9
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 source with quota group map removal",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--quota-group-map-removal",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 source with quota group map removal",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{},
-					QuotaGroupMapRemoval:          true,
-				},
-			},
-		},
-		// case 10
-		{
-			args: []string{
-				"oauth-test",
-				"--name", "oauth2 source with all quota group fields",
-				"--provider", "openidConnect",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--quota-group-claim-name", "quota_groups",
-				"--quota-group-map", `{"developers": ["dev_quota"], "admins": ["admin_quota"]}`,
-				"--quota-group-map-removal",
-			},
-			source: &auth.Source{
-				Type:     auth.OAuth2,
-				Name:     "oauth2 source with all quota group fields",
-				IsActive: true,
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					Scopes:                        []string{},
-					QuotaGroupClaimName:           "quota_groups",
-					QuotaGroupMap:                 `{"developers": ["dev_quota"], "admins": ["admin_quota"]}`,
-					QuotaGroupMapRemoval:          true,
-				},
-			},
-		},
-	}
-
-	for n, c := range cases {
-		// Mock functions.
-		var createdAuthSource *auth.Source
-		service := &authService{
-			initDB: func(context.Context) error {
-				return nil
-			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				createdAuthSource = authSource
-				return nil
-			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
-				return nil
-			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
-				return nil, nil
-			},
-		}
-
-		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthAddOauth().Flags
-		app.Action = service.addOauth
-
-		// Run it
-		err := app.Run(t.Context(), c.args)
-		if c.errMsg != "" {
-			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
-		} else {
-			require.NoError(t, err, "case %d: should have no errors", n)
-			assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n)
-		}
-	}
-}
-
-func TestUpdateOauth(t *testing.T) {
-	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
-
-	// Test cases
-	cases := []struct {
-		args               []string
-		id                 int64
-		existingAuthSource *auth.Source
-		authSource         *auth.Source
-		errMsg             string
-	}{
-		// case 0
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "23",
-				"--name", "oauth2 (via openidConnect) source full",
-				"--provider", "openidConnect",
-				"--key", "client id",
-				"--secret", "client secret",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-				"--use-custom-urls", "",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-				"--icon-url", "https://example.com/icon.svg",
-				"--skip-local-2fa",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-				"--attribute-ssh-public-key", "ssh_public_key",
-				"--required-claim-name", "can_access",
-				"--required-claim-value", "yes",
-				"--group-claim-name", "groups",
-				"--admin-group", "admin",
-				"--restricted-group", "restricted",
-				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-				"--group-team-map-removal",
-			},
-			id: 23,
-			existingAuthSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg:  &oauth2.Source{},
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source full",
-				Cfg: &oauth2.Source{
-					Provider:                      "openidConnect",
-					ClientID:                      "client id",
-					ClientSecret:                  "client secret",
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						AuthURL:    "https://example.com/auth",
-						TokenURL:   "https://example.com/token",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "tenant id",
-					},
-					IconURL:               "https://example.com/icon.svg",
-					Scopes:                []string{"address", "email", "phone", "profile"},
-					AttributeSSHPublicKey: "ssh_public_key",
-					RequiredClaimName:     "can_access",
-					RequiredClaimValue:    "yes",
-					GroupClaimName:        "groups",
-					AdminGroup:            "admin",
-					GroupTeamMap:          `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-					GroupTeamMapRemoval:   true,
-					RestrictedGroup:       "restricted",
-					// `--skip-local-2fa` is currently ignored.
-					// SkipLocalTwoFA:        true,
-				},
-			},
-		},
-		// case 1
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 2
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source full",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source full",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 3
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--provider", "openidConnect",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					Provider:         "openidConnect",
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 4
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--key", "client id",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					ClientID:         "client id",
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 5
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--secret", "client secret",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					ClientSecret:     "client secret",
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 6
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--auto-discover-url", "https://example.com/.well-known/openid-configuration",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					OpenIDConnectAutoDiscoveryURL: "https://example.com/.well-known/openid-configuration",
-					CustomURLMapping:              &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 7
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--use-custom-urls", "",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{
-						AuthURL:    "https://example.com/auth",
-						TokenURL:   "https://example.com/token",
-						ProfileURL: "https://example.com/profile",
-						EmailURL:   "https://example.com/email",
-						Tenant:     "tenant id",
-					},
-				},
-			},
-		},
-		// case 8
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				"--custom-tenant-id", "tenant id",
-				"--custom-auth-url", "https://example.com/auth",
-				"--custom-token-url", "https://example.com/token",
-				"--custom-profile-url", "https://example.com/profile",
-				"--custom-email-url", "https://example.com/email",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--use-custom-urls` required for `--custom-*` flags",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-				},
-			},
-		},
-		// case 9
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--icon-url", "https://example.com/icon.svg",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					IconURL:          "https://example.com/icon.svg",
-				},
-			},
-		},
-		// case 10
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--skip-local-2fa` is currently ignored",
-				"--skip-local-2fa",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--skip-local-2fa` is currently ignored",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					// `--skip-local-2fa` is currently ignored.
-					// SkipLocalTwoFA: true,
-				},
-			},
-		},
-		// case 11
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				"--scopes", "address",
-				"--scopes", "email",
-				"--scopes", "phone",
-				"--scopes", "profile",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--scopes` aggregates multiple uses",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					Scopes:           []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 12
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--name", "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				"--scopes", "address,email,phone,profile",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Name: "oauth2 (via openidConnect) source `--scopes` supports commas as separators",
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					Scopes:           []string{"address", "email", "phone", "profile"},
-				},
-			},
-		},
-		// case 13
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--attribute-ssh-public-key", "ssh_public_key",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:      &oauth2.CustomURLMapping{},
-					AttributeSSHPublicKey: "ssh_public_key",
-				},
-			},
-		},
-		// case 14
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--required-claim-name", "can_access",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:  &oauth2.CustomURLMapping{},
-					RequiredClaimName: "can_access",
-				},
-			},
-		},
-		// case 15
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--required-claim-value", "yes",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:   &oauth2.CustomURLMapping{},
-					RequiredClaimValue: "yes",
-				},
-			},
-		},
-		// case 16
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--group-claim-name", "groups",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					GroupClaimName:   "groups",
-				},
-			},
-		},
-		// case 17
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--admin-group", "admin",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					AdminGroup:       "admin",
-				},
-			},
-		},
-		// case 18
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--restricted-group", "restricted",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					RestrictedGroup:  "restricted",
-				},
-			},
-		},
-		// case 19
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--group-team-map", `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					GroupTeamMap:     `{"org_a_team_1": {"organization-a": ["Team 1"]}, "org_a_all_teams": {"organization-a": ["Team 1", "Team 2", "Team 3"]}}`,
-				},
-			},
-		},
-		// case 20
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--group-team-map-removal",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:    &oauth2.CustomURLMapping{},
-					GroupTeamMapRemoval: true,
-				},
-			},
-		},
-		// case 21
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "23",
-				"--group-team-map-removal=false",
-			},
-			id: 23,
-			existingAuthSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					GroupTeamMapRemoval: true,
-				},
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:    &oauth2.CustomURLMapping{},
-					GroupTeamMapRemoval: false,
-				},
-			},
-		},
-		// case 22
-		{
-			args: []string{
-				"oauth-test",
-			},
-			errMsg: "--id flag is missing",
-		},
-		// case 23
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--quota-group-claim-name", "quota_groups",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:    &oauth2.CustomURLMapping{},
-					QuotaGroupClaimName: "quota_groups",
-				},
-			},
-		},
-		// case 24
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--quota-group-map", `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping: &oauth2.CustomURLMapping{},
-					QuotaGroupMap:    `{"oauth_group_1": ["quota_group_1"], "oauth_group_2": ["quota_group_2"]}`,
-				},
-			},
-		},
-		// case 25
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--quota-group-map-removal",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:     &oauth2.CustomURLMapping{},
-					QuotaGroupMapRemoval: true,
-				},
-			},
-		},
-		// case 26
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "24",
-				"--quota-group-map-removal=false",
-			},
-			id: 24,
-			existingAuthSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					QuotaGroupMapRemoval: true,
-				},
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:     &oauth2.CustomURLMapping{},
-					QuotaGroupMapRemoval: false,
-				},
-			},
-		},
-		// case 27
-		{
-			args: []string{
-				"oauth-test",
-				"--id", "1",
-				"--quota-group-claim-name", "quota_groups",
-				"--quota-group-map", `{"developers": ["dev_quota"], "admins": ["admin_quota"]}`,
-				"--quota-group-map-removal",
-			},
-			authSource: &auth.Source{
-				Type: auth.OAuth2,
-				Cfg: &oauth2.Source{
-					CustomURLMapping:     &oauth2.CustomURLMapping{},
-					QuotaGroupClaimName:  "quota_groups",
-					QuotaGroupMap:        `{"developers": ["dev_quota"], "admins": ["admin_quota"]}`,
-					QuotaGroupMapRemoval: true,
-				},
-			},
-		},
-	}
-
-	for n, c := range cases {
-		// Mock functions.
-		var updatedAuthSource *auth.Source
-		service := &authService{
-			initDB: func(context.Context) error {
-				return nil
-			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
-				return nil
-			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				updatedAuthSource = authSource
-				return nil
-			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				if c.id != 0 {
-					assert.Equal(t, c.id, id, "case %d: wrong id", n)
-				}
-				if c.existingAuthSource != nil {
-					return c.existingAuthSource, nil
-				}
-				return &auth.Source{
-					Type: auth.OAuth2,
-					Cfg:  &oauth2.Source{},
-				}, nil
-			},
-		}
-
-		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthUpdateOauth().Flags
-		app.Action = service.updateOauth
-
-		// Run it
-		err := app.Run(t.Context(), c.args)
-		if c.errMsg != "" {
-			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
-		} else {
-			require.NoError(t, err, "case %d: should have no errors", n)
-			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
-		}
-	}
-}

cmd/admin_auth_pam.go

@@ -1,145 +0,0 @@
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"errors"
-
-	auth_model "forgejo.org/models/auth"
-	"forgejo.org/services/auth/source/pam"
-
-	"github.com/urfave/cli/v3"
-)
-
-func pamCLIFlags() []cli.Flag {
-	return []cli.Flag{
-		&cli.StringFlag{
-			Name:  "name",
-			Value: "",
-			Usage: "Application Name",
-		},
-		&cli.StringFlag{
-			Name:  "service-name",
-			Value: "PLAIN",
-			Usage: "PAM service name",
-		},
-		&cli.StringFlag{
-			Name:  "email-domain",
-			Value: "",
-			Usage: "PAM email domain",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-local-2fa",
-			Usage: "Skip 2FA to log on.",
-			Value: true,
-		},
-		&cli.BoolFlag{
-			Name:  "active",
-			Usage: "This Authentication Source is Activated.",
-			Value: true,
-		},
-	}
-}
-
-func microcmdAuthAddPAM() *cli.Command {
-	return &cli.Command{
-		Name:   "add-pam",
-		Usage:  "Add new PAM authentication source",
-		Before: noDanglingArgs,
-		Action: newAuthService().addPAM,
-		Flags:  pamCLIFlags(),
-	}
-}
-
-func microcmdAuthUpdatePAM() *cli.Command {
-	return &cli.Command{
-		Name:   "update-pam",
-		Usage:  "Update existing PAM authentication source",
-		Before: noDanglingArgs,
-		Action: newAuthService().updatePAM,
-		Flags:  append(pamCLIFlags()[:1], append([]cli.Flag{idFlag()}, pamCLIFlags()[1:]...)...),
-	}
-}
-
-func parsePAMConfig(_ context.Context, c *cli.Command) *pam.Source {
-	return &pam.Source{
-		ServiceName:    c.String("service-name"),
-		EmailDomain:    c.String("email-domain"),
-		SkipLocalTwoFA: c.Bool("skip-local-2fa"),
-	}
-}
-
-func (a *authService) addPAM(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	if !c.IsSet("name") || len(c.String("name")) == 0 {
-		return errors.New("name must be set")
-	}
-	if !c.IsSet("service-name") || len(c.String("service-name")) == 0 {
-		return errors.New("service-name must be set")
-	}
-	active := true
-	if c.IsSet("active") {
-		active = c.Bool("active")
-	}
-
-	config := parsePAMConfig(ctx, c)
-
-	return a.createAuthSource(ctx, &auth_model.Source{
-		Type:     auth_model.PAM,
-		Name:     c.String("name"),
-		IsActive: active,
-		Cfg:      config,
-	})
-}
-
-func (a *authService) updatePAM(ctx context.Context, c *cli.Command) error {
-	if !c.IsSet("id") {
-		return errors.New("--id flag is missing")
-	}
-
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := a.initDB(ctx); err != nil {
-		return err
-	}
-
-	source, err := a.getAuthSource(ctx, c, auth_model.PAM)
-	if err != nil {
-		return err
-	}
-
-	pamConfig := source.Cfg.(*pam.Source)
-
-	if c.IsSet("name") {
-		source.Name = c.String("name")
-	}
-
-	if c.IsSet("service-name") {
-		pamConfig.ServiceName = c.String("service-name")
-	}
-
-	if c.IsSet("email-domain") {
-		pamConfig.EmailDomain = c.String("email-domain")
-	}
-
-	if c.IsSet("skip-local-2fa") {
-		pamConfig.SkipLocalTwoFA = c.Bool("skip-local-2fa")
-	}
-
-	if c.IsSet("active") {
-		source.IsActive = c.Bool("active")
-	}
-
-	source.Cfg = pamConfig
-
-	return a.updateAuthSource(ctx, source)
-}

cmd/admin_auth_pam_test.go

@@ -1,293 +0,0 @@
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Copyright 2025 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"forgejo.org/models/auth"
-	"forgejo.org/modules/test"
-	"forgejo.org/services/auth/source/pam"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v3"
-)
-
-func TestPamService(t *testing.T) {
-	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
-
-	// Test cases
-	cases := []struct {
-		args   []string
-		source *auth.Source
-		errMsg string
-	}{
-		// case 0
-		{
-			args: []string{
-				"pam-test",
-				"--name", "Pam Service",
-				"--service-name", "myservice",
-			},
-			source: &auth.Source{
-				Type:     auth.PAM,
-				Name:     "Pam Service",
-				IsActive: true,
-				Cfg: &pam.Source{
-					ServiceName:    "myservice",
-					EmailDomain:    "",
-					SkipLocalTwoFA: true,
-				},
-			},
-		},
-		// case 1
-		{
-			args: []string{
-				"pam-test",
-				"--name", "Pam Service",
-				"--service-name", "myservice",
-				"--email-domain", "testdomain.org",
-				"--skip-local-2fa",
-			},
-			source: &auth.Source{
-				Type:     auth.PAM,
-				Name:     "Pam Service",
-				IsActive: true,
-				Cfg: &pam.Source{
-					ServiceName:    "myservice",
-					EmailDomain:    "testdomain.org",
-					SkipLocalTwoFA: true,
-				},
-			},
-		},
-		// case 2
-		{
-			args: []string{
-				"pam-test",
-				"--service-name", "myservice",
-				"--email-domain", "testdomain.org",
-				"--skip-local-2fa", "false",
-				"--active", "true",
-			},
-			errMsg: "name must be set",
-		},
-		// case 3
-		{
-			args: []string{
-				"pam-test",
-				"--name", "Pam Service",
-				"--email-domain", "testdomain.org",
-				"--skip-local-2fa", "false",
-				"--active", "true",
-			},
-			errMsg: "service-name must be set",
-		},
-	}
-
-	for n, c := range cases {
-		// Mock functions.
-		var createdAuthSource *auth.Source
-		service := &authService{
-			initDB: func(context.Context) error {
-				return nil
-			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				createdAuthSource = authSource
-				return nil
-			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
-				return nil
-			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
-				return nil, nil
-			},
-		}
-
-		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthAddPAM().Flags
-		app.Action = service.addPAM
-
-		// Run it
-		err := app.Run(t.Context(), c.args)
-		if c.errMsg != "" {
-			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
-		} else {
-			require.NoError(t, err, "case %d: should have no errors", n)
-			assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n)
-		}
-	}
-}
-
-func TestUpdatePAM(t *testing.T) {
-	// Mock cli functions to do not exit on error
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
-
-	// Test cases
-	cases := []struct {
-		args               []string
-		id                 int64
-		existingAuthSource *auth.Source
-		authSource         *auth.Source
-		errMsg             string
-	}{
-		// case 0
-		{
-			args: []string{
-				"pam-test",
-				"--id", "23",
-				"--name", "PAM Service",
-				"--service-name", "myservice",
-			},
-			id: 23,
-			existingAuthSource: &auth.Source{
-				Type:     auth.PAM,
-				IsActive: true,
-				Cfg:      &pam.Source{},
-			},
-			authSource: &auth.Source{
-				Type:     auth.PAM,
-				Name:     "PAM Service",
-				IsActive: true,
-				Cfg: &pam.Source{
-					ServiceName: "myservice",
-				},
-			},
-		},
-		// case 1
-		{
-			args: []string{
-				"pam-test",
-				"--id", "1",
-			},
-			authSource: &auth.Source{
-				Type: auth.PAM,
-				Cfg:  &pam.Source{},
-			},
-		},
-		// case 2
-		{
-			args: []string{
-				"pam-test",
-				"--id", "1",
-				"--name", "pam service",
-			},
-			authSource: &auth.Source{
-				Type: auth.PAM,
-				Name: "pam service",
-				Cfg:  &pam.Source{},
-			},
-		},
-		// case 3
-		{
-			args: []string{
-				"pam-test",
-				"--id", "1",
-				"--active=false",
-			},
-			existingAuthSource: &auth.Source{
-				Type:     auth.PAM,
-				IsActive: true,
-				Cfg:      &pam.Source{},
-			},
-			authSource: &auth.Source{
-				Type:     auth.PAM,
-				IsActive: false,
-				Cfg:      &pam.Source{},
-			},
-		},
-		// case 4
-		{
-			args: []string{
-				"pam-test",
-				"--id", "1",
-				"--service-name", "myservice",
-			},
-			authSource: &auth.Source{
-				Type: auth.PAM,
-				Cfg: &pam.Source{
-					ServiceName: "myservice",
-				},
-			},
-		},
-		// case 5
-		{
-			args: []string{
-				"pam-test",
-				"--id", "1",
-				"--skip-local-2fa=false",
-			},
-			authSource: &auth.Source{
-				Type: auth.PAM,
-				Cfg: &pam.Source{
-					SkipLocalTwoFA: false,
-				},
-			},
-		},
-		// case 6
-		{
-			args: []string{
-				"pam-test",
-				"--id", "1",
-				"--email-domain", "testdomain.org",
-			},
-			authSource: &auth.Source{
-				Type: auth.PAM,
-				Cfg: &pam.Source{
-					EmailDomain: "testdomain.org",
-				},
-			},
-		},
-	}
-
-	for n, c := range cases {
-		// Mock functions.
-		var updatedAuthSource *auth.Source
-		service := &authService{
-			initDB: func(context.Context) error {
-				return nil
-			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
-				return nil
-			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				updatedAuthSource = authSource
-				return nil
-			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				if c.id != 0 {
-					assert.Equal(t, c.id, id, "case %d: wrong id", n)
-				}
-				if c.existingAuthSource != nil {
-					return c.existingAuthSource, nil
-				}
-				return &auth.Source{
-					Type: auth.PAM,
-					Cfg:  &pam.Source{},
-				}, nil
-			},
-		}
-
-		// Create a copy of command to test
-		app := cli.Command{}
-		app.Flags = microcmdAuthUpdatePAM().Flags
-		app.Action = service.updatePAM
-
-		// Run it
-		err := app.Run(t.Context(), c.args)
-		if c.errMsg != "" {
-			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
-		} else {
-			require.NoError(t, err, "case %d: should have no errors", n)
-			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
-		}
-	}
-}

cmd/admin_auth_stmp.go

@@ -78,7 +78,6 @@ func microcmdAuthAddSMTP() *cli.Command {
 	return &cli.Command{
 		Name:   "add-smtp",
 		Usage:  "Add new SMTP authentication source",
-		Before: noDanglingArgs,
 		Action: runAddSMTP,
 		Flags:  smtpCLIFlags(),
 	}
@@ -88,7 +87,6 @@ func microcmdAuthUpdateSMTP() *cli.Command {
 	return &cli.Command{
 		Name:   "update-smtp",
 		Usage:  "Update existing SMTP authentication source",
-		Before: noDanglingArgs,
 		Action: runUpdateSMTP,
 		Flags:  append(smtpCLIFlags()[:1], append([]cli.Flag{idFlag()}, smtpCLIFlags()[1:]...)...),
 	}

cmd/admin_regenerate.go

@@ -7,18 +7,37 @@ import (
 	"context"
 
 	asymkey_model "forgejo.org/models/asymkey"
+	"forgejo.org/modules/graceful"
+	repo_service "forgejo.org/services/repository"
 
 	"github.com/urfave/cli/v3"
 )
 
-var microcmdRegenKeys = &cli.Command{
-	Name:   "keys",
-	Usage:  "Regenerate authorized_keys file",
-	Before: noDanglingArgs,
-	Action: runRegenerateKeys,
+var (
+	microcmdRegenHooks = &cli.Command{
+		Name:   "hooks",
+		Usage:  "Regenerate git-hooks",
+		Action: runRegenerateHooks,
+	}
+
+	microcmdRegenKeys = &cli.Command{
+		Name:   "keys",
+		Usage:  "Regenerate authorized_keys file",
+		Action: runRegenerateKeys,
+	}
+)
+
+func runRegenerateHooks(ctx context.Context, _ *cli.Command) error {
+	ctx, cancel := installSignals(ctx)
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
 }
 
-func runRegenerateKeys(ctx context.Context, c *cli.Command) error {
+func runRegenerateKeys(ctx context.Context, _ *cli.Command) error {
 	ctx, cancel := installSignals(ctx)
 	defer cancel()
 

cmd/admin_user.go

@@ -17,7 +17,6 @@ func subcmdUser() *cli.Command {
 			microcmdUserChangePassword(),
 			microcmdUserDelete(),
 			microcmdUserGenerateAccessToken(),
-			microcmdUserCreateAuthorizedIntegration(),
 			microcmdUserMustChangePassword(),
 			microcmdUserResetMFA(),
 		},

cmd/admin_user_change_password.go

@@ -21,7 +21,6 @@ func microcmdUserChangePassword() *cli.Command {
 	return &cli.Command{
 		Name:   "change-password",
 		Usage:  "Change a user's password",
-		Before: noDanglingArgs,
 		Action: runChangePassword,
 		Flags: []cli.Flag{
 			&cli.StringFlag{

cmd/admin_user_create.go

@@ -23,7 +23,6 @@ func microcmdUserCreate() *cli.Command {
 	return &cli.Command{
 		Name:   "create",
 		Usage:  "Create a new user in database",
-		Before: noDanglingArgs,
 		Action: runCreateUser,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
@@ -205,15 +204,7 @@ func runCreateUser(ctx context.Context, c *cli.Command) error {
 
 	// create the access token
 	if accessTokenScope != "" {
-		t := &auth_model.AccessToken{
-			Name:  accessTokenName,
-			UID:   u.ID,
-			Scope: accessTokenScope,
-
-			// maintain legacy behaviour until new CLI options are added -- token has access to all resources, is not
-			// fine-grained
-			ResourceAllRepos: true,
-		}
+		t := &auth_model.AccessToken{Name: accessTokenName, UID: u.ID, Scope: accessTokenScope}
 		if err := auth_model.NewAccessToken(ctx, t); err != nil {
 			return err
 		}

cmd/admin_user_delete.go

@@ -40,7 +40,6 @@ func microcmdUserDelete() *cli.Command {
 				Usage: "Purge user, all their repositories, organizations and comments",
 			},
 		},
-		Before: noDanglingArgs,
 		Action: runDeleteUser,
 	}
 }

cmd/admin_user_generate_access_token.go

@@ -40,7 +40,6 @@ func microcmdUserGenerateAccessToken() *cli.Command {
 				Usage: `Comma separated list of scopes to apply to access token, examples: "all", "public-only,read:issue", "write:repository,write:user"`,
 			},
 		},
-		Before: noDanglingArgs,
 		Action: runGenerateAccessToken,
 	}
 }
@@ -86,10 +85,6 @@ func runGenerateAccessToken(ctx context.Context, c *cli.Command) error {
 	}
 	t.Scope = accessTokenScope
 
-	// maintain legacy behaviour until new CLI options are added -- token has access to all resources, is not
-	// fine-grained
-	t.ResourceAllRepos = true
-
 	// create the token
 	if err := auth_model.NewAccessToken(ctx, t); err != nil {
 		return err

cmd/admin_user_generate_authorized_integration.go

@@ -1,225 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package cmd
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-
-	auth_model "forgejo.org/models/auth"
-	"forgejo.org/models/db"
-	"forgejo.org/models/repo"
-	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/json"
-	"forgejo.org/services/authz"
-
-	"github.com/urfave/cli/v3"
-)
-
-func microcmdUserCreateAuthorizedIntegration() *cli.Command {
-	return &cli.Command{
-		Name: "create-authorized-integration",
-		Description: `Creates an authorized integration. Authorized integrations allow Forgejo to
-receive JWTs from external sources, validate their claims against
-user-defined rules, and grant access to Forgejo's API on behalf of a user.
-
-The issuer may be set to "urn:forgejo:authorized-integrations:actions"
-to support JWTs from the local instance's Forgejo Actions, utilizing the
-enable-openid-connect flag in a workflow.`,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "username",
-				Aliases:  []string{"u"},
-				Usage:    "Username",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:     "name",
-				Usage:    "Name of the authorized integration for later identification",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:  "description",
-				Usage: "Optional description for the authorized integration",
-			},
-
-			// JWT validation:
-			&cli.StringFlag{
-				Name:     "issuer",
-				Usage:    `JWT issuer ('iss' claim), example: https://forgejo.example.org/api/actions`,
-				Required: true,
-			},
-			&cli.StringMapFlag{
-				Name:  "claim-eq",
-				Value: map[string]string{},
-				Usage: `Zero-or-more claim equality checks, formatted as claim=value, example: "actor=someuser"`,
-			},
-			&cli.StringMapFlag{
-				Name:  "claim-glob",
-				Value: map[string]string{},
-				Usage: `Zero-or-more claim glob checks, formatted as claim=value, example: "sub=repo:forgejo/*:pull_request"`,
-			},
-			// nested claim support omitted for now -- pretty complex for a CLI
-
-			// Permissions available on successful auth:
-			&cli.StringSliceFlag{
-				Name:  "scope",
-				Value: []string{"all"},
-				Usage: `One-or-more scopes to apply to access token, examples: "all", "read:issue", "write:repository"`,
-			},
-			&cli.StringSliceFlag{
-				Name:  "repo",
-				Value: []string{"all"},
-				Usage: `Zero-or-more specific repositories that can be accessed, or "all" to allow access to all repositories, example: "owner1/repo1"`,
-			},
-		},
-		Before: noDanglingArgs,
-		Action: runCreateAuthorizedIntegration,
-	}
-}
-
-func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
-	if !c.IsSet("username") {
-		return errors.New("you must provide a username to generate a token for")
-	}
-
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	user, err := user_model.GetUserByName(ctx, c.String("username"))
-	if err != nil {
-		return err
-	}
-
-	ai := &auth_model.AuthorizedIntegration{
-		UserID:      user.ID,
-		Name:        c.String("name"),
-		Description: c.String("description"),
-	}
-
-	var rules []auth_model.ClaimRule
-	ai.Issuer = c.String("issuer")
-	for claim, value := range c.StringMap("claim-eq") {
-		rules = append(rules, auth_model.ClaimRule{
-			Claim:      claim,
-			Comparison: auth_model.ClaimEqual,
-			Value:      value,
-		})
-	}
-	for claim, value := range c.StringMap("claim-glob") {
-		rules = append(rules, auth_model.ClaimRule{
-			Claim:      claim,
-			Comparison: auth_model.ClaimGlob,
-			Value:      value,
-		})
-	}
-	ai.ClaimRules = &auth_model.ClaimRules{Rules: rules}
-
-	scopes := strings.Join(c.StringSlice("scope"), ",")
-	accessTokenScope, err := auth_model.AccessTokenScope(scopes).Normalize()
-	if err != nil {
-		return fmt.Errorf("invalid access token scope provided: %w", err)
-	}
-	ai.Scope = accessTokenScope
-
-	allRepos := false
-	repos := []*repo.Repository{}
-	for _, repoName := range c.StringSlice("repo") {
-		if repoName == "all" {
-			allRepos = true
-		} else {
-			split := strings.Split(repoName, "/")
-			if len(split) != 2 {
-				return fmt.Errorf("invalid repo name: %q", split)
-			}
-			owner := split[0]
-			name := split[1]
-			repo, err := repo.GetRepositoryByOwnerAndName(ctx, owner, name)
-			if err != nil {
-				return err
-			}
-			repos = append(repos, repo)
-		}
-	}
-	ai.ResourceAllRepos = allRepos
-
-	rr := make([]*auth_model.AuthorizedIntegResourceRepo, len(repos))
-	for i := range repos {
-		rr[i] = &auth_model.AuthorizedIntegResourceRepo{RepoID: repos[i].ID}
-	}
-	if err := authz.ValidateAuthorizedIntegration(ai, rr); err != nil {
-		return err
-	}
-
-	err = db.WithTx(ctx, func(ctx context.Context) error {
-		if err := auth_model.InsertAuthorizedIntegration(ctx, ai); err != nil {
-			return err
-		}
-		if !allRepos {
-			if err := auth_model.InsertAuthorizedIntegrationResourceRepos(ctx, ai.ID, rr); err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	type ClaimRuleDescription struct {
-		Description string                     `json:"description"`
-		Claim       string                     `json:"claim"`
-		Comparison  auth_model.ClaimComparison `json:"compare"`
-		Value       string                     `json:"value"`
-	}
-	output := struct {
-		Message     string                 `json:"message"`
-		Name        string                 `json:"name"`
-		Description string                 `json:"description,omitempty"`
-		Issuer      string                 `json:"issuer"`
-		Audience    string                 `json:"audience"`
-		ClaimRules  []ClaimRuleDescription `json:"claim_rules"`
-	}{
-		Message:     "Authorized integration was successfully created.",
-		Name:        ai.Name,
-		Description: ai.Description,
-		Issuer:      ai.Issuer,
-		Audience:    ai.Audience,
-	}
-	for _, cr := range ai.ClaimRules.Rules {
-		var description string
-		switch cr.Comparison {
-		case auth_model.ClaimEqual:
-			description = fmt.Sprintf("%q = %q", cr.Claim, cr.Value)
-		case auth_model.ClaimGlob:
-			description = fmt.Sprintf("%q matches %q", cr.Claim, cr.Value)
-		}
-		output.ClaimRules = append(output.ClaimRules, ClaimRuleDescription{
-			Description: description,
-			Claim:       cr.Claim,
-			Comparison:  cr.Comparison,
-			Value:       cr.Value,
-		})
-	}
-
-	raw, err := json.Marshal(output)
-	if err != nil {
-		return err
-	}
-	var indent bytes.Buffer
-	if err := json.Indent(&indent, raw, "", "  "); err != nil {
-		return err
-	}
-	os.Stdout.Write(indent.Bytes())
-
-	return nil
-}

cmd/admin_user_list.go

@@ -18,7 +18,6 @@ func microcmdUserList() *cli.Command {
 	return &cli.Command{
 		Name:   "list",
 		Usage:  "List users",
-		Before: noDanglingArgs,
 		Action: runListUsers,
 		Flags: []cli.Flag{
 			&cli.BoolFlag{

cmd/admin_user_reset_mfa.go

@@ -17,7 +17,6 @@ func microcmdUserResetMFA() *cli.Command {
 	return &cli.Command{
 		Name:   "reset-mfa",
 		Usage:  "Remove all two-factor authentication configurations for a user",
-		Before: noDanglingArgs,
 		Action: runResetMFA,
 		Flags: []cli.Flag{
 			&cli.StringFlag{

cmd/cert.go

@@ -31,7 +31,6 @@ func cmdCert() *cli.Command {
 		Usage: "Generate self-signed certificate",
 		Description: `Generate a self-signed X.509 certificate for a TLS server.
 Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
-		Before: noDanglingArgs,
 		Action: runCert,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
@@ -150,8 +149,8 @@ func runCert(ctx context.Context, c *cli.Command) error {
 		BasicConstraintsValid: true,
 	}
 
-	hosts := strings.SplitSeq(c.String("host"), ",")
-	for h := range hosts {
+	hosts := strings.Split(c.String("host"), ",")
+	for _, h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {

cmd/cmd.go

@@ -1,5 +1,4 @@
 // Copyright 2018 The Gitea Authors. All rights reserved.
-// Copyright 2026 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 // Package cmd provides subcommands to the gitea binary - such as "web" or
@@ -13,7 +12,6 @@ import (
 	"io"
 	"os"
 	"os/signal"
-	"slices"
 	"strings"
 	"syscall"
 
@@ -42,19 +40,6 @@ func argsSet(c *cli.Command, args ...string) error {
 	return nil
 }
 
-// When a CLI command is intended to be used only with flags and no other arbitrary args, noDanglingArgs will validate
-// the end-user's usage.
-func noDanglingArgs(ctx context.Context, c *cli.Command) (context.Context, error) {
-	if c.Args().Len() != 0 {
-		args := c.Args().Slice()
-		if slices.Contains(args, "false") {
-			println("Hint: boolean false must be specified as a single arg, eg. '--restricted=false', not '--restricted false'")
-		}
-		return nil, fmt.Errorf("unexpected arguments: %s", strings.Join(c.Args().Slice(), ", "))
-	}
-	return nil, nil
-}
-
 // confirm waits for user input which confirms an action
 func confirm() (bool, error) {
 	var response string
@@ -90,9 +75,26 @@ If this is the intended configuration file complete the [database] section.`, se
 	return nil
 }
 
-// installSignals returns a context that's cancelled on the SIGINT and SIGTERM signals or if the passed ctx is cancelled.
 func installSignals(ctx context.Context) (context.Context, context.CancelFunc) {
-	return signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
+	ctx, cancel := context.WithCancel(ctx)
+	go func() {
+		// install notify
+		signalChannel := make(chan os.Signal, 1)
+
+		signal.Notify(
+			signalChannel,
+			syscall.SIGINT,
+			syscall.SIGTERM,
+		)
+		select {
+		case <-signalChannel:
+		case <-ctx.Done():
+		}
+		cancel()
+		signal.Reset()
+	}()
+
+	return ctx, cancel
 }
 
 func setupConsoleLogger(level log.Level, colorize bool, out io.Writer) {
@@ -133,18 +135,3 @@ func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(ctx context.Context,
 		return ctx, nil
 	}
 }
-
-func multipleBefore(beforeFuncs ...cli.BeforeFunc) cli.BeforeFunc {
-	return func(ctx context.Context, cli *cli.Command) (context.Context, error) {
-		for _, beforeFunc := range beforeFuncs {
-			bctx, err := beforeFunc(ctx, cli)
-			if err != nil {
-				return bctx, err
-			}
-			if bctx != nil {
-				ctx = bctx
-			}
-		}
-		return ctx, nil
-	}
-}

cmd/cmd_test.go

@@ -1,39 +0,0 @@
-// Copyright 2026 The Forgejo Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"runtime"
-	"syscall"
-	"testing"
-	"time"
-)
-
-func Test_installSignals(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skipf("Windows does not terminate in an awaitable manner")
-		return
-	}
-
-	for _, s := range []syscall.Signal{syscall.SIGTERM, syscall.SIGINT} {
-		t.Run(fmt.Sprintf("Context is terminated on %s", s), func(t *testing.T) {
-			// Register the signal handler. context.Background() is chosen deliberately,
-			// because unlike t.Context(), we can be sure that it's not cancelled by a
-			// different handler.
-			ctx, cancel := installSignals(context.Background())
-			t.Cleanup(cancel)
-
-			// Send the signal in the background.
-			go syscall.Kill(syscall.Getpid(), s)
-
-			select {
-			case <-time.Tick(time.Second * 10):
-				t.Fatalf("Context not cancelled via signal after 10 seconds")
-			case <-ctx.Done():
-				t.Logf("Context was cancelled")
-			}
-		})
-	}
-}

cmd/doctor.go

@@ -6,8 +6,6 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"image"
-	"io"
 	golog "log"
 	"os"
 	"path/filepath"
@@ -15,18 +13,13 @@ import (
 	"text/tabwriter"
 
 	"forgejo.org/models/db"
-	git_model "forgejo.org/models/git"
-	"forgejo.org/models/gitea_migrations"
-	migrate_base "forgejo.org/models/gitea_migrations/base"
-	repo_model "forgejo.org/models/repo"
-	user_model "forgejo.org/models/user"
+	"forgejo.org/models/migrations"
+	migrate_base "forgejo.org/models/migrations/base"
 	"forgejo.org/modules/container"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
-	"forgejo.org/modules/storage"
 	"forgejo.org/services/doctor"
 
-	exif_terminator "code.superseriousbusiness.org/exif-terminator"
 	"github.com/urfave/cli/v3"
 )
 
@@ -41,8 +34,6 @@ func cmdDoctor() *cli.Command {
 			cmdDoctorCheck(),
 			cmdRecreateTable(),
 			cmdDoctorConvert(),
-			cmdAvatarStripExif(),
-			cmdCleanupCommitStatuses(),
 		},
 	}
 }
@@ -52,7 +43,6 @@ func cmdDoctorCheck() *cli.Command {
 		Name:        "check",
 		Usage:       "Diagnose and optionally fix problems",
 		Description: "A command to diagnose problems with the current Forgejo instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
-		Before:      noDanglingArgs,
 		Action:      runDoctorCheck,
 		Flags: []cli.Flag{
 			&cli.BoolFlag{
@@ -108,63 +98,6 @@ You should back-up your database before doing this and ensure that your database
 	}
 }
 
-func cmdAvatarStripExif() *cli.Command {
-	return &cli.Command{
-		Name:   "avatar-strip-exif",
-		Usage:  "Strip EXIF metadata from all images in the avatar storage",
-		Before: noDanglingArgs,
-		Action: runAvatarStripExif,
-	}
-}
-
-func cmdCleanupCommitStatuses() *cli.Command {
-	return &cli.Command{
-		Name:  "cleanup-commit-status",
-		Usage: "Cleanup extra records in commit_status table",
-		Description: `Forgejo suffered from a bug which caused the creation of more entries in the
-"commit_status" table than necessary. This operation removes the redundant
-data caused by the bug. Removing this data is almost always safe.
-These redundant records can be accessed by users through the API, making it
-possible, but unlikely, that removing it could have an impact to
-integrating services (API: /repos/{owner}/{repo}/commits/{ref}/statuses).
-
-It is safe to run while Forgejo is online.
-
-On very large Forgejo instances, the performance of operation will improve
-if the buffer-size option is used with large values. Approximately 130 MB of
-memory is required for every 100,000 records in the buffer.
-
-Bug reference: https://codeberg.org/forgejo/forgejo/issues/10671
-`,
-
-		Before: multipleBefore(noDanglingArgs, PrepareConsoleLoggerLevel(log.INFO)),
-		Action: runCleanupCommitStatus,
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:    "verbose",
-				Aliases: []string{"V"},
-				Usage:   "Show process details",
-			},
-			&cli.BoolFlag{
-				Name:  "dry-run",
-				Usage: "Report statistics from the operation but do not modify the database",
-			},
-			&cli.IntFlag{
-				Name:  "buffer-size",
-				Usage: "Record count per query while iterating records; larger values are typically faster but use more memory",
-				// See IterateByKeyset's documentation for performance notes which led to the choice of the default
-				// buffer size for this operation.
-				Value: 100000,
-			},
-			&cli.IntFlag{
-				Name:  "delete-chunk-size",
-				Usage: "Number of records to delete per DELETE query",
-				Value: 1000,
-			},
-		},
-	}
-}
-
 func runRecreateTable(stdCtx context.Context, ctx *cli.Command) error {
 	stdCtx, cancel := installSignals(stdCtx)
 	defer cancel()
@@ -209,7 +142,7 @@ func runRecreateTable(stdCtx context.Context, ctx *cli.Command) error {
 			return err
 		}
 
-		if err := gitea_migrations.EnsureUpToDate(engine); err != nil {
+		if err := migrations.EnsureUpToDate(engine); err != nil {
 			return err
 		}
 
@@ -297,94 +230,3 @@ func runDoctorCheck(stdCtx context.Context, ctx *cli.Command) error {
 	}
 	return doctor.RunChecks(stdCtx, colorize, ctx.Bool("fix"), checks)
 }
-
-func runAvatarStripExif(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-	if err := storage.Init(); err != nil {
-		return err
-	}
-
-	type HasCustomAvatarRelativePath interface {
-		CustomAvatarRelativePath() string
-	}
-
-	doExifStrip := func(obj HasCustomAvatarRelativePath, name string, target_storage storage.ObjectStorage) error {
-		if obj.CustomAvatarRelativePath() == "" {
-			return nil
-		}
-
-		log.Info("Stripping avatar for %s...", name)
-
-		avatarFile, err := target_storage.Open(obj.CustomAvatarRelativePath())
-		if err != nil {
-			return fmt.Errorf("storage.Avatars.Open: %w", err)
-		}
-		_, imgType, err := image.DecodeConfig(avatarFile)
-		if err != nil {
-			return fmt.Errorf("image.DecodeConfig: %w", err)
-		}
-
-		// reset io.Reader for exif termination scan
-		_, err = avatarFile.Seek(0, io.SeekStart)
-		if err != nil {
-			return fmt.Errorf("avatarFile.Seek: %w", err)
-		}
-
-		cleanedData, err := exif_terminator.Terminate(avatarFile, imgType)
-		if err != nil && strings.Contains(err.Error(), "cannot be processed") {
-			// expected error for an image type that isn't supported by exif_terminator
-			log.Info("... image type %s is not supported by exif_terminator, skipping.", imgType)
-			return nil
-		} else if err != nil {
-			return fmt.Errorf("error cleaning exif data: %w", err)
-		}
-
-		if err := storage.SaveFrom(target_storage, obj.CustomAvatarRelativePath(), func(w io.Writer) error {
-			_, err := io.Copy(w, cleanedData)
-			return err
-		}); err != nil {
-			return fmt.Errorf("Failed to create dir %s: %w", obj.CustomAvatarRelativePath(), err)
-		}
-
-		log.Info("... completed %s.", name)
-
-		return nil
-	}
-
-	err := db.Iterate(ctx, nil, func(ctx context.Context, user *user_model.User) error {
-		return doExifStrip(user, fmt.Sprintf("user %s", user.Name), storage.Avatars)
-	})
-	if err != nil {
-		return err
-	}
-
-	err = db.Iterate(ctx, nil, func(ctx context.Context, repo *repo_model.Repository) error {
-		return doExifStrip(repo, fmt.Sprintf("repo %s", repo.Name), storage.RepoAvatars)
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func runCleanupCommitStatus(ctx context.Context, cli *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	bufferSize := cli.Int("buffer-size")
-	deleteChunkSize := cli.Int("delete-chunk-size")
-	dryRun := cli.Bool("dry-run")
-	log.Debug("bufferSize = %d, deleteChunkSize = %d, dryRun = %v", bufferSize, deleteChunkSize, dryRun)
-
-	return git_model.CleanupCommitStatus(ctx, bufferSize, deleteChunkSize, dryRun)
-}

cmd/doctor_convert.go

@@ -20,7 +20,6 @@ func cmdDoctorConvert() *cli.Command {
 		Name:        "convert",
 		Usage:       "Convert the database",
 		Description: "A command to convert an existing MySQL database from utf8 to utf8mb4",
-		Before:      noDanglingArgs,
 		Action:      runDoctorConvert,
 	}
 }

cmd/dump.go

@@ -8,13 +8,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io/fs"
+	"io"
 	"os"
 	"path"
 	"path/filepath"
-	"slices"
 	"strings"
-	"sync"
 	"time"
 
 	"forgejo.org/models/db"
@@ -25,43 +23,36 @@ import (
 	"forgejo.org/modules/util"
 
 	"code.forgejo.org/go-chi/session"
-	"github.com/mholt/archives"
+	"github.com/mholt/archiver/v3"
 	"github.com/urfave/cli/v3"
 )
 
-func addObject(archiveJobs chan archives.ArchiveAsyncJob, object fs.File, customName string, verbose bool) error {
+func addReader(w archiver.Writer, r io.ReadCloser, info os.FileInfo, customName string, verbose bool) error {
 	if verbose {
 		log.Info("Adding file %s", customName)
 	}
 
-	info, err := object.Stat()
-	if err != nil {
-		return err
-	}
-
-	ch := make(chan error)
-
-	archiveJobs <- archives.ArchiveAsyncJob{
-		File: archives.FileInfo{
-			FileInfo:      info,
-			NameInArchive: customName,
-			Open: func() (fs.File, error) {
-				return object, nil
-			},
+	return w.Write(archiver.File{
+		FileInfo: archiver.FileInfo{
+			FileInfo:   info,
+			CustomName: customName,
 		},
-		Result: ch,
-	}
-
-	return <-ch
+		ReadCloser: r,
+	})
 }
 
-func addFile(archiveJobs chan archives.ArchiveAsyncJob, filePath, absPath string, verbose bool) error {
-	file, err := os.Open(absPath) // Closed by archiver
+func addFile(w archiver.Writer, filePath, absPath string, verbose bool) error {
+	file, err := os.Open(absPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	fileInfo, err := file.Stat()
 	if err != nil {
 		return err
 	}
 
-	return addObject(archiveJobs, file, filePath, verbose)
+	return addReader(w, file, fileInfo, filePath, verbose)
 }
 
 func isSubdir(upper, lower string) (bool, error) {
@@ -84,9 +75,11 @@ func (o outputType) Join() string {
 }
 
 func (o *outputType) Set(value string) error {
-	if slices.Contains(o.Enum, value) {
-		o.selected = value
-		return nil
+	for _, enum := range o.Enum {
+		if enum == value {
+			o.selected = value
+			return nil
+		}
 	}
 
 	return fmt.Errorf("allowed values are %s", o.Join())
@@ -108,57 +101,6 @@ var outputTypeEnum = &outputType{
 	Default: "zip",
 }
 
-func getArchiverByType(outType string) (archives.ArchiverAsync, error) {
-	var archiver archives.ArchiverAsync
-	switch outType {
-	case "zip":
-		archiver = archives.Zip{
-			Compression:          8,
-			SelectiveCompression: false,
-		}
-	case "tar":
-		archiver = archives.Tar{}
-	case "tar.sz":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Sz{},
-		}
-	case "tar.gz":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Gz{},
-		}
-	case "tar.xz":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Xz{},
-		}
-	case "tar.bz2":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Bz2{},
-		}
-	case "tar.br":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Brotli{},
-		}
-	case "tar.lz4":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Lz4{},
-		}
-	case "tar.zst":
-		archiver = archives.CompressedArchive{
-			Archival:    archives.Tar{},
-			Compression: archives.Zstd{},
-		}
-	default:
-		return nil, fmt.Errorf("unsupported output type: %s", outType)
-	}
-	return archiver, nil
-}
-
 // CmdDump represents the available dump sub-command.
 func cmdDump() *cli.Command {
 	return &cli.Command{
@@ -166,7 +108,6 @@ func cmdDump() *cli.Command {
 		Usage: "Dump Forgejo files and database",
 		Description: `Dump compresses all related files and database into zip file.
 It can be used for backup and capture Forgejo server image to send to maintainer`,
-		Before: noDanglingArgs,
 		Action: runDump,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
@@ -252,8 +193,8 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)
 	} else {
 		for _, suffix := range outputTypeEnum.Enum {
-			if before, ok := strings.CutSuffix(fileName, "."+suffix); ok {
-				fileName = before
+			if strings.HasSuffix(fileName, "."+suffix) {
+				fileName = strings.TrimSuffix(fileName, "."+suffix)
 				break
 			}
 		}
@@ -313,177 +254,46 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		return err
 	}
 
-	archiveJobs := make(chan archives.ArchiveAsyncJob)
-	wg := sync.WaitGroup{}
-	archiver, err := getArchiverByType(outType)
+	var iface any
+	if fileName == "-" {
+		iface, err = archiver.ByExtension(fmt.Sprintf(".%s", outType))
+	} else {
+		iface, err = archiver.ByExtension(fileName)
+	}
 	if err != nil {
 		fatal("Failed to get archiver for extension: %v", err)
 	}
 
+	w, _ := iface.(archiver.Writer)
+	if err := w.Create(file); err != nil {
+		fatal("Creating archiver.Writer failed: %v", err)
+	}
+	defer w.Close()
+
 	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
 		log.Info("Skipping local repositories")
 	} else {
 		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
-		wg.Add(1)
-		go dumpRepos(ctx, archiveJobs, &wg, absFileName, verbose)
-	}
+		if err := addRecursiveExclude(w, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
+			fatal("Failed to include repositories: %v", err)
+		}
 
-	wg.Add(1)
-	go dumpDatabase(ctx, archiveJobs, &wg, verbose)
-
-	if len(setting.CustomConf) > 0 {
-		wg.Go(func() {
-			log.Info("Adding custom configuration file from %s", setting.CustomConf)
-			if err := addFile(archiveJobs, "app.ini", setting.CustomConf, verbose); err != nil {
-				fatal("Failed to include specified app.ini: %v", err)
+		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
+			log.Info("Skipping LFS data")
+		} else if !setting.LFS.StartServer {
+			log.Info("LFS not enabled - skipping")
+		} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
+			info, err := object.Stat()
+			if err != nil {
+				return err
 			}
-		})
-	}
 
-	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
-		log.Info("Skipping custom directory")
-	} else {
-		wg.Add(1)
-		go dumpCustom(archiveJobs, &wg, absFileName, verbose)
-	}
-
-	isExist, err := util.IsExist(setting.AppDataPath)
-	if err != nil {
-		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
-	}
-	if isExist {
-		log.Info("Packing data directory...%s", setting.AppDataPath)
-
-		wg.Add(1)
-		go dumpData(ctx, archiveJobs, &wg, absFileName, verbose)
-	}
-
-	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
-		log.Info("Skipping attachment data")
-	} else {
-		wg.Go(func() {
-			if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
-				return addObject(archiveJobs, object, path.Join("data", "attachments", objPath), verbose)
-			}); err != nil {
-				fatal("Failed to dump attachments: %v", err)
-			}
-		})
-	}
-
-	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
-		log.Info("Skipping package data")
-	} else if !setting.Packages.Enabled {
-		log.Info("Package registry not enabled - skipping")
-	} else {
-		wg.Go(func() {
-			if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
-				return addObject(archiveJobs, object, path.Join("data", "packages", objPath), verbose)
-			}); err != nil {
-				fatal("Failed to dump packages: %v", err)
-			}
-		})
-	}
-
-	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
-	// ensuring that it's clear the dump is skipped whether the directory's initialized
-	// yet or not.
-	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
-		log.Info("Skipping log files")
-	} else {
-		isExist, err := util.IsExist(setting.Log.RootPath)
-		if err != nil {
-			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
-		}
-		if isExist {
-			wg.Go(func() {
-				if err := addRecursiveExclude(archiveJobs, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
-					fatal("Failed to include log: %v", err)
-				}
-			})
+			return addReader(w, object, info, path.Join("data", "lfs", objPath), verbose)
+		}); err != nil {
+			fatal("Failed to dump LFS objects: %v", err)
 		}
 	}
 
-	// Wait for all jobs to finish before closing the channel
-	// ArchiveAsync will only return after the channel is closed
-	go func() {
-		wg.Wait()
-		close(archiveJobs)
-	}()
-
-	if err := archiver.ArchiveAsync(stdCtx, file, archiveJobs); err != nil {
-		_ = util.Remove(fileName)
-
-		fatal("Archiving failed: %v", err)
-	}
-
-	if fileName != "-" {
-		if err := os.Chmod(fileName, 0o600); err != nil {
-			log.Info("Can't change file access permissions mask to 0600: %v", err)
-		}
-
-		log.Info("Finished dumping in file %s", fileName)
-	} else {
-		log.Info("Finished dumping to stdout")
-	}
-
-	return nil
-}
-
-func dumpData(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
-	defer wg.Done()
-
-	var excludes []string
-	if setting.SessionConfig.OriginalProvider == "file" {
-		var opts session.Options
-		if err := json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
-			fatal("Failed to parse session config: %v", err)
-		}
-		excludes = append(excludes, opts.ProviderConfig)
-	}
-
-	if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
-		log.Info("Skipping bleve index data")
-		excludes = append(excludes, setting.Indexer.RepoPath)
-		excludes = append(excludes, setting.Indexer.IssuePath)
-	}
-
-	if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
-		log.Info("Skipping repository archives data")
-		excludes = append(excludes, setting.RepoArchive.Storage.Path)
-	}
-
-	excludes = append(excludes, setting.RepoRootPath)
-	excludes = append(excludes, setting.LFS.Storage.Path)
-	excludes = append(excludes, setting.Attachment.Storage.Path)
-	excludes = append(excludes, setting.Packages.Storage.Path)
-	excludes = append(excludes, setting.Log.RootPath)
-	excludes = append(excludes, absFileName)
-	if err := addRecursiveExclude(archiveJobs, "data", setting.AppDataPath, excludes, verbose); err != nil {
-		fatal("Failed to include data directory: %v", err)
-	}
-}
-
-func dumpCustom(archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
-	defer wg.Done()
-
-	customDir, err := os.Stat(setting.CustomPath)
-	if err == nil && customDir.IsDir() {
-		if is, _ := isSubdir(setting.AppDataPath, setting.CustomPath); !is {
-			if err := addRecursiveExclude(archiveJobs, "custom", setting.CustomPath, []string{absFileName}, verbose); err != nil {
-				fatal("Failed to include custom: %v", err)
-			}
-		} else {
-			log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
-		}
-	} else {
-		log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
-	}
-}
-
-func dumpDatabase(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, verbose bool) {
-	defer wg.Done()
-
-	var err error
 	tmpDir := ctx.String("tempdir")
 	if tmpDir == "" {
 		tmpDir, err = os.MkdirTemp("", "forgejo-dump-*")
@@ -524,32 +334,139 @@ func dumpDatabase(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, w
 		fatal("Failed to dump database: %v", err)
 	}
 
-	if err := addFile(archiveJobs, "forgejo-db.sql", dbDump.Name(), verbose); err != nil {
+	if err := addFile(w, "forgejo-db.sql", dbDump.Name(), verbose); err != nil {
 		fatal("Failed to include forgejo-db.sql: %v", err)
 	}
-}
 
-func dumpRepos(ctx *cli.Command, archiveJobs chan archives.ArchiveAsyncJob, wg *sync.WaitGroup, absFileName string, verbose bool) {
-	defer wg.Done()
-
-	if err := addRecursiveExclude(archiveJobs, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
-		fatal("Failed to include repositories: %v", err)
+	if len(setting.CustomConf) > 0 {
+		log.Info("Adding custom configuration file from %s", setting.CustomConf)
+		if err := addFile(w, "app.ini", setting.CustomConf, verbose); err != nil {
+			fatal("Failed to include specified app.ini: %v", err)
+		}
 	}
 
-	if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
-		log.Info("Skipping LFS data")
-	} else if !setting.LFS.StartServer {
-		log.Info("LFS not enabled - skipping")
-	} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
-		return addObject(archiveJobs, object, path.Join("data", "lfs", objPath), verbose)
+	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
+		log.Info("Skipping custom directory")
+	} else {
+		customDir, err := os.Stat(setting.CustomPath)
+		if err == nil && customDir.IsDir() {
+			if is, _ := isSubdir(setting.AppDataPath, setting.CustomPath); !is {
+				if err := addRecursiveExclude(w, "custom", setting.CustomPath, []string{absFileName}, verbose); err != nil {
+					fatal("Failed to include custom: %v", err)
+				}
+			} else {
+				log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
+			}
+		} else {
+			log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
+		}
+	}
+
+	isExist, err := util.IsExist(setting.AppDataPath)
+	if err != nil {
+		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
+	}
+	if isExist {
+		log.Info("Packing data directory...%s", setting.AppDataPath)
+
+		var excludes []string
+		if setting.SessionConfig.OriginalProvider == "file" {
+			var opts session.Options
+			if err = json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
+				return err
+			}
+			excludes = append(excludes, opts.ProviderConfig)
+		}
+
+		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+			log.Info("Skipping bleve index data")
+			excludes = append(excludes, setting.Indexer.RepoPath)
+			excludes = append(excludes, setting.Indexer.IssuePath)
+		}
+
+		if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
+			log.Info("Skipping repository archives data")
+			excludes = append(excludes, setting.RepoArchive.Storage.Path)
+		}
+
+		excludes = append(excludes, setting.RepoRootPath)
+		excludes = append(excludes, setting.LFS.Storage.Path)
+		excludes = append(excludes, setting.Attachment.Storage.Path)
+		excludes = append(excludes, setting.Packages.Storage.Path)
+		excludes = append(excludes, setting.Log.RootPath)
+		excludes = append(excludes, absFileName)
+		if err := addRecursiveExclude(w, "data", setting.AppDataPath, excludes, verbose); err != nil {
+			fatal("Failed to include data directory: %v", err)
+		}
+	}
+
+	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
+		log.Info("Skipping attachment data")
+	} else if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
+		info, err := object.Stat()
+		if err != nil {
+			return err
+		}
+
+		return addReader(w, object, info, path.Join("data", "attachments", objPath), verbose)
 	}); err != nil {
-		fatal("Failed to dump LFS objects: %v", err)
+		fatal("Failed to dump attachments: %v", err)
 	}
+
+	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
+		log.Info("Skipping package data")
+	} else if !setting.Packages.Enabled {
+		log.Info("Package registry not enabled - skipping")
+	} else if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
+		info, err := object.Stat()
+		if err != nil {
+			return err
+		}
+
+		return addReader(w, object, info, path.Join("data", "packages", objPath), verbose)
+	}); err != nil {
+		fatal("Failed to dump packages: %v", err)
+	}
+
+	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
+	// ensuring that it's clear the dump is skipped whether the directory's initialized
+	// yet or not.
+	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
+		log.Info("Skipping log files")
+	} else {
+		isExist, err := util.IsExist(setting.Log.RootPath)
+		if err != nil {
+			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
+		}
+		if isExist {
+			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
+				fatal("Failed to include log: %v", err)
+			}
+		}
+	}
+
+	if fileName != "-" {
+		if err = w.Close(); err != nil {
+			_ = util.Remove(fileName)
+			fatal("Failed to save %s: %v", fileName, err)
+		}
+
+		if err := os.Chmod(fileName, 0o600); err != nil {
+			log.Info("Can't change file access permissions mask to 0600: %v", err)
+		}
+	}
+
+	if fileName != "-" {
+		log.Info("Finish dumping in file %s", fileName)
+	} else {
+		log.Info("Finish dumping to stdout")
+	}
+
+	return nil
 }
 
 // addRecursiveExclude zips absPath to specified insidePath inside writer excluding excludeAbsPath
-// archives.FilesFromDisk doesn't support excluding files, so we have to do it manually
-func addRecursiveExclude(archiveJobs chan archives.ArchiveAsyncJob, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
+func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
 	absPath, err := filepath.Abs(absPath)
 	if err != nil {
 		return err
@@ -574,11 +491,10 @@ func addRecursiveExclude(archiveJobs chan archives.ArchiveAsyncJob, insidePath,
 		}
 
 		if file.IsDir() {
-			if err := addFile(archiveJobs, currentInsidePath, currentAbsPath, false); err != nil {
+			if err := addFile(w, currentInsidePath, currentAbsPath, false); err != nil {
 				return err
 			}
-
-			if err := addRecursiveExclude(archiveJobs, currentInsidePath, currentAbsPath, excludeAbsPath, verbose); err != nil {
+			if err = addRecursiveExclude(w, currentInsidePath, currentAbsPath, excludeAbsPath, verbose); err != nil {
 				return err
 			}
 		} else {
@@ -596,7 +512,7 @@ func addRecursiveExclude(archiveJobs chan archives.ArchiveAsyncJob, insidePath,
 				shouldAdd = targetStat.Mode().IsRegular()
 			}
 			if shouldAdd {
-				if err := addFile(archiveJobs, currentInsidePath, currentAbsPath, verbose); err != nil {
+				if err = addFile(w, currentInsidePath, currentAbsPath, verbose); err != nil {
 					return err
 				}
 			}

cmd/dump_repo.go

@@ -28,7 +28,6 @@ func cmdDumpRepository() *cli.Command {
 		Name:        "dump-repo",
 		Usage:       "Dump the repository from git/github/gitea/gitlab",
 		Description: "This is a command for dumping the repository data.",
-		Before:      noDanglingArgs,
 		Action:      runDumpRepository,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
@@ -83,11 +82,6 @@ wiki, issues, labels, releases, release_assets, milestones, pull_requests, comme
 }
 
 func runDumpRepository(stdCtx context.Context, ctx *cli.Command) error {
-	setupConsoleLogger(log.INFO, log.CanColorStderr, os.Stderr)
-
-	// setting.DisableLoggerInit()
-	setting.LoadSettings() // cannot access skip_tls_verify settings otherwise
-
 	stdCtx, cancel := installSignals(stdCtx)
 	defer cancel()
 
@@ -143,8 +137,8 @@ func runDumpRepository(stdCtx context.Context, ctx *cli.Command) error {
 		opts.PullRequests = true
 		opts.ReleaseAssets = true
 	} else {
-		units := strings.SplitSeq(ctx.String("units"), ",")
-		for unit := range units {
+		units := strings.Split(ctx.String("units"), ",")
+		for _, unit := range units {
 			switch strings.ToLower(strings.TrimSpace(unit)) {
 			case "":
 				continue

cmd/dump_test.go

@@ -4,32 +4,40 @@
 package cmd
 
 import (
+	"io"
 	"os"
 	"testing"
 
-	"github.com/mholt/archives"
+	"github.com/mholt/archiver/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func mockArchiverAsync(ch chan archives.ArchiveAsyncJob, files *[]string) {
-	for job := range ch {
-		*files = append(*files, job.File.NameInArchive)
-		job.Result <- nil
-	}
+type mockArchiver struct {
+	addedFiles []string
+}
+
+func (mockArchiver) Create(out io.Writer) error {
+	return nil
+}
+
+func (m *mockArchiver) Write(f archiver.File) error {
+	m.addedFiles = append(m.addedFiles, f.Name())
+	return nil
+}
+
+func (mockArchiver) Close() error {
+	return nil
 }
 
 func TestAddRecursiveExclude(t *testing.T) {
 	t.Run("Empty", func(t *testing.T) {
-		ch := make(chan archives.ArchiveAsyncJob)
-		var files []string
-		go mockArchiverAsync(ch, &files)
-
 		dir := t.TempDir()
+		archiver := &mockArchiver{}
 
-		err := addRecursiveExclude(ch, "", dir, []string{}, false)
+		err := addRecursiveExclude(archiver, "", dir, []string{}, false)
 		require.NoError(t, err)
-		assert.Empty(t, files)
+		assert.Empty(t, archiver.addedFiles)
 	})
 
 	t.Run("Single file", func(t *testing.T) {
@@ -38,25 +46,20 @@ func TestAddRecursiveExclude(t *testing.T) {
 		require.NoError(t, err)
 
 		t.Run("No exclude", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}
 
-			err := addRecursiveExclude(ch, "", dir, nil, false)
+			err = addRecursiveExclude(archiver, "", dir, nil, false)
 			require.NoError(t, err)
-
-			assert.Len(t, files, 1)
-			assert.Contains(t, files, "example")
+			assert.Len(t, archiver.addedFiles, 1)
+			assert.Contains(t, archiver.addedFiles, "example")
 		})
 
 		t.Run("With exclude", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}
 
-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/example"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/example"}, false)
 			require.NoError(t, err)
-			assert.Empty(t, files)
+			assert.Empty(t, archiver.addedFiles)
 		})
 	})
 
@@ -70,57 +73,46 @@ func TestAddRecursiveExclude(t *testing.T) {
 		require.NoError(t, err)
 
 		t.Run("No exclude", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}
 
-			err := addRecursiveExclude(ch, "", dir, nil, false)
+			err = addRecursiveExclude(archiver, "", dir, nil, false)
 			require.NoError(t, err)
-			assert.Len(t, files, 5)
-
-			assert.Contains(t, files, "deep")
-			assert.Contains(t, files, "deep/nested")
-			assert.Contains(t, files, "deep/nested/folder")
-			assert.Contains(t, files, "deep/nested/folder/example")
-			assert.Contains(t, files, "deep/nested/folder/another-file")
+			assert.Len(t, archiver.addedFiles, 5)
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/example")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
 		})
 
 		t.Run("Exclude first directory", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}
 
-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep"}, false)
 			require.NoError(t, err)
-			assert.Empty(t, files)
+			assert.Empty(t, archiver.addedFiles)
 		})
 
 		t.Run("Exclude nested directory", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}
 
-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep/nested/folder"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder"}, false)
 			require.NoError(t, err)
-			assert.Len(t, files, 2)
-
-			assert.Contains(t, files, "deep")
-			assert.Contains(t, files, "deep/nested")
+			assert.Len(t, archiver.addedFiles, 2)
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
 		})
 
 		t.Run("Exclude file", func(t *testing.T) {
-			ch := make(chan archives.ArchiveAsyncJob)
-			var files []string
-			go mockArchiverAsync(ch, &files)
+			archiver := &mockArchiver{}
 
-			err := addRecursiveExclude(ch, "", dir, []string{dir + "/deep/nested/folder/example"}, false)
+			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder/example"}, false)
 			require.NoError(t, err)
-			assert.Len(t, files, 4)
-
-			assert.Contains(t, files, "deep")
-			assert.Contains(t, files, "deep/nested")
-			assert.Contains(t, files, "deep/nested/folder")
-			assert.Contains(t, files, "deep/nested/folder/another-file")
+			assert.Len(t, archiver.addedFiles, 4)
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
 		})
 	})
 }

cmd/forgejo/actions.go

@@ -102,11 +102,6 @@ func SubcmdActionsRegister(ctx context.Context) *cli.Command {
 				Value: "",
 				Usage: "version of the runner (not required since v1.21)",
 			},
-			&cli.BoolFlag{
-				Name:  "ephemeral",
-				Value: false,
-				Usage: "instruct Forgejo to permanently unregister this runner after it has run one job",
-			},
 		},
 	}
 }
@@ -177,7 +172,6 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 	scope := cli.String("scope")
 	name := cli.String("name")
 	version := cli.String("version")
-	ephemeral := cli.Bool("ephemeral")
 	labels, err := getLabels(cli)
 	if err != nil {
 		return err
@@ -205,7 +199,7 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 		return err
 	}
 
-	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, labels, name, version, ephemeral)
+	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, labels, name, version)
 	if err != nil {
 		return fmt.Errorf("error while registering runner: %v", err)
 	}
@@ -218,7 +212,9 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 
 func RunGenerateSecret(ctx context.Context, cli *cli.Command) error {
 	runner := actions_model.ActionRunner{}
-	runner.GenerateToken()
+	if err := runner.GenerateToken(); err != nil {
+		return err
+	}
 	if _, err := fmt.Fprintf(ContextGetStdout(ctx), "%s", runner.Token); err != nil {
 		panic(err)
 	}

cmd/forgejo/f3.go

@@ -24,6 +24,7 @@ import (
 )
 
 func CmdF3(ctx context.Context) *cli.Command {
+	ctx = f3_logger.ContextSetLogger(ctx, util.NewF3Logger(nil, log.GetLogger(log.DEFAULT)))
 	return &cli.Command{
 		Name:  "f3",
 		Usage: "F3",
@@ -37,9 +38,7 @@ func SubcmdF3Mirror(ctx context.Context) *cli.Command {
 	mirrorCmd := f3_cmd.CreateCmdMirror()
 	mirrorCmd.Before = prepareWorkPathAndCustomConf(ctx)
 	f3Action := mirrorCmd.Action
-	mirrorCmd.Action = func(ctx context.Context, cli *cli.Command) error {
-		return runMirror(ctx, cli, f3Action)
-	}
+	mirrorCmd.Action = func(ctx context.Context, cli *cli.Command) error { return runMirror(ctx, cli, f3Action) }
 	return mirrorCmd
 }
 
@@ -68,8 +67,6 @@ func runMirror(ctx context.Context, c *cli.Command, action cli.ActionFunc) error
 		if err := models.Init(ctx); err != nil {
 			return err
 		}
-
-		ctx = f3_logger.ContextSetLogger(ctx, util.NewF3Logger(nil, log.GetLogger(log.DEFAULT)))
 	}
 
 	err := action(ctx, c)

cmd/forgejo/forgejo.go

@@ -126,9 +126,7 @@ func installSignals(ctx context.Context) (context.Context, context.CancelFunc) {
 		)
 		select {
 		case <-signalChannel:
-			break
 		case <-ctx.Done():
-			break
 		}
 		cancel()
 		signal.Reset()

cmd/generate.go

@@ -19,7 +19,7 @@ import (
 func cmdGenerate() *cli.Command {
 	return &cli.Command{
 		Name:  "generate",
-		Usage: "Generate Forgejo's secrets/keys/tokens",
+		Usage: "Generate Gitea's secrets/keys/tokens",
 		Commands: []*cli.Command{
 			subcmdSecret(),
 		},
@@ -42,7 +42,6 @@ func microcmdGenerateInternalToken() *cli.Command {
 	return &cli.Command{
 		Name:   "INTERNAL_TOKEN",
 		Usage:  "Generate a new INTERNAL_TOKEN",
-		Before: noDanglingArgs,
 		Action: runGenerateInternalToken,
 	}
 }
@@ -52,7 +51,6 @@ func microcmdGenerateLfsJwtSecret() *cli.Command {
 		Name:    "JWT_SECRET",
 		Aliases: []string{"LFS_JWT_SECRET"},
 		Usage:   "Generate a new JWT_SECRET",
-		Before:  noDanglingArgs,
 		Action:  runGenerateLfsJwtSecret,
 	}
 }
@@ -61,7 +59,6 @@ func microcmdGenerateSecretKey() *cli.Command {
 	return &cli.Command{
 		Name:   "SECRET_KEY",
 		Usage:  "Generate a new SECRET_KEY",
-		Before: noDanglingArgs,
 		Action: runGenerateSecretKey,
 	}
 }
@@ -94,7 +91,10 @@ func runGenerateLfsJwtSecret(ctx context.Context, c *cli.Command) error {
 }
 
 func runGenerateSecretKey(ctx context.Context, c *cli.Command) error {
-	secretKey := generate.NewSecretKey()
+	secretKey, err := generate.NewSecretKey()
+	if err != nil {
+		return err
+	}
 
 	fmt.Printf("%s", secretKey)
 

cmd/hook.go

@@ -231,13 +231,15 @@ Forgejo or set your environment appropriately.`, "")
 		}
 	}
 
+	supportProcReceive := git.CheckGitVersionAtLeast("2.29") == nil
+
 	for scanner.Scan() {
 		// TODO: support news feeds for wiki
 		if isWiki {
 			continue
 		}
 
-		fields := bytes.Split(scanner.Bytes(), []byte(" "))
+		fields := bytes.Fields(scanner.Bytes())
 		if len(fields) != 3 {
 			continue
 		}
@@ -248,25 +250,31 @@ Forgejo or set your environment appropriately.`, "")
 		total++
 		lastline++
 
-		// All references should be checked because permission check was delayed.
-		oldCommitIDs[count] = oldCommitID
-		newCommitIDs[count] = newCommitID
-		refFullNames[count] = refFullName
-		count++
-		fmt.Fprint(out, "*")
+		// If the ref is a branch or tag, check if it's protected
+		// if supportProcReceive all ref should be checked because
+		// permission check was delayed
+		if supportProcReceive || refFullName.IsBranch() || refFullName.IsTag() {
+			oldCommitIDs[count] = oldCommitID
+			newCommitIDs[count] = newCommitID
+			refFullNames[count] = refFullName
+			count++
+			fmt.Fprint(out, "*")
 
-		if count >= hookBatchSize {
-			fmt.Fprintf(out, " Checking %d references\n", count)
+			if count >= hookBatchSize {
+				fmt.Fprintf(out, " Checking %d references\n", count)
 
-			hookOptions.OldCommitIDs = oldCommitIDs
-			hookOptions.NewCommitIDs = newCommitIDs
-			hookOptions.RefFullNames = refFullNames
-			extra := private.HookPreReceive(ctx, username, reponame, hookOptions)
-			if extra.HasError() {
-				return fail(ctx, extra.UserMsg, "HookPreReceive(batch) failed: %v", extra.Error)
+				hookOptions.OldCommitIDs = oldCommitIDs
+				hookOptions.NewCommitIDs = newCommitIDs
+				hookOptions.RefFullNames = refFullNames
+				extra := private.HookPreReceive(ctx, username, reponame, hookOptions)
+				if extra.HasError() {
+					return fail(ctx, extra.UserMsg, "HookPreReceive(batch) failed: %v", extra.Error)
+				}
+				count = 0
+				lastline = 0
 			}
-			count = 0
-			lastline = 0
+		} else {
+			fmt.Fprint(out, ".")
 		}
 		if lastline >= hookBatchSize {
 			fmt.Fprint(out, "\n")
@@ -295,7 +303,35 @@ Forgejo or set your environment appropriately.`, "")
 
 // runHookUpdate process the update hook: https://git-scm.com/docs/githooks#update
 func runHookUpdate(ctx context.Context, c *cli.Command) error {
-	return nil
+	// Now if we're an internal don't do anything else
+	if isInternal, _ := strconv.ParseBool(os.Getenv(repo_module.EnvIsInternal)); isInternal {
+		return nil
+	}
+
+	ctx, cancel := installSignals(ctx)
+	defer cancel()
+
+	if c.NArg() != 3 {
+		return nil
+	}
+	args := c.Args().Slice()
+
+	// The arguments given to the hook are in order: reference name, old commit ID and new commit ID.
+	refFullName := git.RefName(args[0])
+	newCommitID := args[2]
+
+	// Only process pull references.
+	if !refFullName.IsPull() {
+		return nil
+	}
+
+	// Empty new commit ID means deletion.
+	if git.IsEmptyCommitID(newCommitID, nil) {
+		return fail(ctx, fmt.Sprintf("The deletion of %s is skipped as it's an internal reference.", refFullName), "")
+	}
+
+	// If the new comment isn't empty it means modification.
+	return fail(ctx, fmt.Sprintf("The modification of %s is skipped as it's an internal reference.", refFullName), "")
 }
 
 func runHookPostReceive(ctx context.Context, c *cli.Command) error {
@@ -369,7 +405,7 @@ Forgejo or set your environment appropriately.`, "")
 			continue
 		}
 
-		fields := bytes.Split(scanner.Bytes(), []byte(" "))
+		fields := bytes.Fields(scanner.Bytes())
 		if len(fields) != 3 {
 			continue
 		}
@@ -452,17 +488,10 @@ func hookPrintResults(results []private.HookPostReceiveBranchResult) {
 		fmt.Fprintln(os.Stderr, "")
 		if res.Create {
 			fmt.Fprintf(os.Stderr, "Create a new pull request for '%s':\n", res.Branch)
-			fmt.Fprintf(os.Stderr, "  %s\n", res.CreateURL)
-		}
-		if len(res.PullURLS) != 0 {
-			if len(res.PullURLS) >= 2 {
-				fmt.Fprint(os.Stderr, "Visit the existing pull requests:\n")
-			} else {
-				fmt.Fprint(os.Stderr, "Visit the existing pull request:\n")
-			}
-			for _, url := range res.PullURLS {
-				fmt.Fprintf(os.Stderr, "  %s\n", url)
-			}
+			fmt.Fprintf(os.Stderr, "  %s\n", res.URL)
+		} else {
+			fmt.Fprint(os.Stderr, "Visit the existing pull request:\n")
+			fmt.Fprintf(os.Stderr, "  %s\n", res.URL)
 		}
 		fmt.Fprintln(os.Stderr, "")
 		_ = os.Stderr.Sync()
@@ -484,6 +513,10 @@ Forgejo or set your environment appropriately.`, "")
 		return nil
 	}
 
+	if git.CheckGitVersionAtLeast("2.29") != nil {
+		return fail(ctx, "No proc-receive support", "current git version doesn't support proc-receive.")
+	}
+
 	reader := bufio.NewReader(os.Stdin)
 	repoUser := os.Getenv(repo_module.EnvRepoUsername)
 	repoName := os.Getenv(repo_module.EnvRepoName)
@@ -568,7 +601,7 @@ Forgejo or set your environment appropriately.`, "")
 	hookOptions.RefFullNames = make([]git.RefName, 0, hookBatchSize)
 
 	for {
-		// note: pktLineTypeUnknown means pktLineTypeFlush and pktLineTypeData all allowed
+		// note: pktLineTypeUnknow means pktLineTypeFlush and pktLineTypeData all allowed
 		rs, err = readPktLine(ctx, reader, pktLineTypeUnknown)
 		if err != nil {
 			return err

cmd/hook_test.go

@@ -14,9 +14,6 @@ import (
 	"testing"
 	"time"
 
-	"forgejo.org/modules/git"
-	"forgejo.org/modules/json"
-	"forgejo.org/modules/private"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/test"
 
@@ -165,132 +162,41 @@ func TestDelayWriter(t *testing.T) {
 	})
 }
 
-func TestRunHookPrePostReceive(t *testing.T) {
-	// Setup the environment.
-	defer test.MockVariableValue(&setting.InternalToken, "Random")()
-	defer test.MockVariableValue(&setting.InstallLock, true)()
-	defer test.MockVariableValue(&setting.Git.VerbosePush, true)()
-	t.Setenv("SSH_ORIGINAL_COMMAND", "true")
+func TestRunHookUpdate(t *testing.T) {
+	app := cli.Command{}
+	app.Commands = []*cli.Command{subcmdHookUpdate()}
 
-	tests := []struct {
-		name        string
-		inputLine   string
-		oldCommitID string
-		newCommitID string
-		refFullName string
-	}{
-		{
-			name:        "base case",
-			inputLine:   "00000000000000000000 00000000000000000001 refs/head/main\n",
-			oldCommitID: "00000000000000000000",
-			newCommitID: "00000000000000000001",
-			refFullName: "refs/head/main",
-		},
-		{
-			name:        "nbsp case",
-			inputLine:   "00000000000000000000 00000000000000000001 refs/head/ma\u00A0in\n",
-			oldCommitID: "00000000000000000000",
-			newCommitID: "00000000000000000001",
-			refFullName: "refs/head/ma\u00A0in",
-		},
-	}
+	t.Run("Removal of internal reference", func(t *testing.T) {
+		defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+		defer test.MockVariableValue(&setting.IsProd, false)()
+		finish := captureOutput(t, os.Stderr)
 
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Setup the Stdin.
-			f, err := os.OpenFile(t.TempDir()+"/stdin", os.O_RDWR|os.O_CREATE|os.O_EXCL, 0o666)
-			require.NoError(t, err)
-			_, err = f.Write([]byte(tt.inputLine))
-			require.NoError(t, err)
-			_, err = f.Seek(0, 0)
-			require.NoError(t, err)
-			defer test.MockVariableValue(os.Stdin, *f)()
+		err := app.Run(t.Context(), []string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000000"})
+		out := finish()
+		require.Error(t, err)
 
-			// Setup the server that processes the hooks.
-			var serverError error
-			var hookOpts *private.HookOptions
+		assert.Contains(t, out, "The deletion of refs/pull/1/head is skipped as it's an internal reference.")
+	})
 
-			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				body, err := io.ReadAll(r.Body)
-				if err != nil {
-					serverError = err
-					w.WriteHeader(500)
-					return
-				}
+	t.Run("Update of internal reference", func(t *testing.T) {
+		defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()
+		defer test.MockVariableValue(&setting.IsProd, false)()
+		finish := captureOutput(t, os.Stderr)
 
-				err = json.Unmarshal(body, &hookOpts)
-				if err != nil {
-					serverError = err
-					w.WriteHeader(500)
-					return
-				}
+		err := app.Run(t.Context(), []string{"./forgejo", "update", "refs/pull/1/head", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000001"})
+		out := finish()
+		require.Error(t, err)
 
-				w.WriteHeader(200)
+		assert.Contains(t, out, "The modification of refs/pull/1/head is skipped as it's an internal reference.")
+	})
 
-				resp := &private.HookPostReceiveResult{}
-				bytes, err := json.Marshal(resp)
-				if err != nil {
-					serverError = err
-					return
-				}
+	t.Run("Removal of branch", func(t *testing.T) {
+		err := app.Run(t.Context(), []string{"./forgejo", "update", "refs/head/main", "0a51ae26bc73c47e2f754560c40904cf14ed51a9", "0000000000000000000000000000000000000000"})
+		require.NoError(t, err)
+	})
 
-				_, err = w.Write(bytes)
-				if err != nil {
-					serverError = err
-					return
-				}
-			}))
-			defer ts.Close()
-			defer test.MockVariableValue(&setting.LocalURL, ts.URL+"/")()
-
-			t.Run("pre-receive", func(t *testing.T) {
-				app := cli.Command{}
-				app.Commands = []*cli.Command{subcmdHookPreReceive()}
-
-				finish := captureOutput(t, os.Stdout)
-				err = app.Run(t.Context(), []string{"./forgejo", "pre-receive"})
-				require.NoError(t, err)
-				out := finish()
-				require.Empty(t, out)
-
-				require.NoError(t, serverError)
-				require.NotNil(t, hookOpts)
-
-				require.Len(t, hookOpts.OldCommitIDs, 1)
-				assert.Equal(t, tt.oldCommitID, hookOpts.OldCommitIDs[0])
-				require.Len(t, hookOpts.NewCommitIDs, 1)
-				assert.Equal(t, tt.newCommitID, hookOpts.NewCommitIDs[0])
-				require.Len(t, hookOpts.RefFullNames, 1)
-				assert.Equal(t, git.RefName(tt.refFullName), hookOpts.RefFullNames[0])
-			})
-
-			// seek stdin back to beginning
-			_, err = f.Seek(0, 0)
-			require.NoError(t, err)
-			// reset state from prev test
-			serverError = nil
-			hookOpts = nil
-
-			t.Run("post-receive", func(t *testing.T) {
-				app := cli.Command{}
-				app.Commands = []*cli.Command{subcmdHookPostReceive()}
-
-				finish := captureOutput(t, os.Stdout)
-				err = app.Run(t.Context(), []string{"./forgejo", "post-receive"})
-				require.NoError(t, err)
-				out := finish()
-				require.Empty(t, out)
-
-				require.NoError(t, serverError)
-				require.NotNil(t, hookOpts)
-
-				require.Len(t, hookOpts.OldCommitIDs, 1)
-				assert.Equal(t, tt.oldCommitID, hookOpts.OldCommitIDs[0])
-				require.Len(t, hookOpts.NewCommitIDs, 1)
-				assert.Equal(t, tt.newCommitID, hookOpts.NewCommitIDs[0])
-				require.Len(t, hookOpts.RefFullNames, 1)
-				assert.Equal(t, git.RefName(tt.refFullName), hookOpts.RefFullNames[0])
-			})
-		})
-	}
+	t.Run("Not enough arguments", func(t *testing.T) {
+		err := app.Run(t.Context(), []string{"./forgejo", "update"})
+		require.NoError(t, err)
+	})
 }

cmd/keys.go

@@ -21,7 +21,7 @@ func cmdKeys() *cli.Command {
 		Name:        "keys",
 		Usage:       "(internal) Should only be called by SSH server",
 		Description: "Queries the Forgejo database to get the authorized command for a given ssh key fingerprint",
-		Before:      multipleBefore(noDanglingArgs, PrepareConsoleLoggerLevel(log.FATAL)),
+		Before:      PrepareConsoleLoggerLevel(log.FATAL),
 		Action:      runKeys,
 		Flags: []cli.Flag{
 			&cli.StringFlag{

cmd/mailer.go

@@ -24,10 +24,10 @@ func runSendMail(ctx context.Context, c *cli.Command) error {
 	}
 
 	subject := c.String("title")
-	confirmSkipped := c.Bool("force")
+	confirmSkiped := c.Bool("force")
 	body := c.String("content")
 
-	if !confirmSkipped {
+	if !confirmSkiped {
 		if len(body) == 0 {
 			fmt.Print("warning: Content is empty")
 		}

cmd/main.go

@@ -80,6 +80,7 @@ func appGlobalFlags() []cli.Flag {
 func prepareSubcommandWithConfig(command *cli.Command, globalFlags func() []cli.Flag) {
 	command.Flags = append(globalFlags(), command.Flags...)
 	command.Action = prepareWorkPathAndCustomConf(command.Action)
+	command.HideHelp = true
 	if command.Name != "help" {
 		command.Commands = append(command.Commands, cmdHelp())
 	}
@@ -198,6 +199,7 @@ func innerNewMainApp(version, versionExtra string, subCmdsStandaloneArgs, subCmd
 	}
 	app.Flags = append(app.Flags, cli.VersionFlag)
 	app.Flags = append(app.Flags, globalFlags()...)
+	app.HideHelp = true // use our own help action to show helps (with more information like default config)
 	app.Before = PrepareConsoleLoggerLevel(log.INFO)
 	for i := range subCmdWithConfig {
 		prepareSubcommandWithConfig(subCmdWithConfig[i], globalFlags)

cmd/main_test.go

@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -63,12 +62,7 @@ func runTestApp(app *cli.Command, args ...string) (runResult, error) {
 }
 
 func TestCliCmd(t *testing.T) {
-	path, err := os.Executable()
-	if err != nil {
-		panic(err)
-	}
-
-	defaultWorkPath := filepath.Dir(path)
+	defaultWorkPath := filepath.Dir(setting.AppPath)
 	defaultCustomPath := filepath.Join(defaultWorkPath, "custom")
 	defaultCustomConf := filepath.Join(defaultCustomPath, "conf/app.ini")
 
@@ -114,11 +108,6 @@ func TestCliCmd(t *testing.T) {
 			cmd: "./gitea test-cmd --config /tmp/app-other.ini",
 			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/app-other.ini"),
 		},
-		{
-			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
-			cmd: "./gitea forgejo-cli --help",
-			exp: "(subcommand help template)",
-		},
 	}
 
 	for _, c := range cases {

cmd/manager.go

@@ -39,7 +39,6 @@ func subcmdShutdown() *cli.Command {
 				Name: "debug",
 			},
 		},
-		Before: noDanglingArgs,
 		Action: runShutdown,
 	}
 }
@@ -53,7 +52,6 @@ func subcmdRestart() *cli.Command {
 				Name: "debug",
 			},
 		},
-		Before: noDanglingArgs,
 		Action: runRestart,
 	}
 }
@@ -67,7 +65,6 @@ func subcmdReloadTemplates() *cli.Command {
 				Name: "debug",
 			},
 		},
-		Before: noDanglingArgs,
 		Action: runReloadTemplates,
 	}
 }
@@ -76,7 +73,6 @@ func subcmdFlushQueues() *cli.Command {
 	return &cli.Command{
 		Name:   "flush-queues",
 		Usage:  "Flush queues in the running process",
-		Before: noDanglingArgs,
 		Action: runFlushQueues,
 		Flags: []cli.Flag{
 			&cli.DurationFlag{
@@ -99,7 +95,6 @@ func subCmdProcesses() *cli.Command {
 	return &cli.Command{
 		Name:   "processes",
 		Usage:  "Display running processes within the current process",
-		Before: noDanglingArgs,
 		Action: runProcesses,
 		Flags: []cli.Flag{
 			&cli.BoolFlag{

cmd/manager_logging.go

@@ -44,11 +44,6 @@ func defaultLoggingFlags() []cli.Flag {
 			Aliases: []string{"e"},
 			Usage:   "Matching expression for the logger",
 		},
-		&cli.StringFlag{
-			Name:    "exclusion",
-			Aliases: []string{"x"},
-			Usage:   "Exclusion for the logger",
-		},
 		&cli.StringFlag{
 			Name:    "prefix",
 			Aliases: []string{"p"},
@@ -77,7 +72,6 @@ func subcmdLogging() *cli.Command {
 						Name: "debug",
 					},
 				},
-				Before: noDanglingArgs,
 				Action: runPauseLogging,
 			}, {
 				Name:  "resume",
@@ -87,7 +81,6 @@ func subcmdLogging() *cli.Command {
 						Name: "debug",
 					},
 				},
-				Before: noDanglingArgs,
 				Action: runResumeLogging,
 			}, {
 				Name:  "release-and-reopen",
@@ -97,7 +90,6 @@ func subcmdLogging() *cli.Command {
 						Name: "debug",
 					},
 				},
-				Before: noDanglingArgs,
 				Action: runReleaseReopenLogging,
 			}, {
 				Name:      "remove",
@@ -159,7 +151,6 @@ func subcmdLogging() *cli.Command {
 								Usage:   "Compression level to use",
 							},
 						}...),
-						Before: noDanglingArgs,
 						Action: runAddFileLogger,
 					}, {
 						Name:  "conn",
@@ -186,7 +177,6 @@ func subcmdLogging() *cli.Command {
 								Usage:   "Host address and port to connect to (defaults to :7020)",
 							},
 						}...),
-						Before: noDanglingArgs,
 						Action: runAddConnLogger,
 					},
 				},
@@ -202,7 +192,6 @@ func subcmdLogging() *cli.Command {
 						Usage: "Switch off SQL logging",
 					},
 				},
-				Before: noDanglingArgs,
 				Action: runSetLogSQL,
 			},
 		},
@@ -297,9 +286,6 @@ func commonAddLogger(ctx context.Context, c *cli.Command, mode string, vals map[
 	if len(c.String("expression")) > 0 {
 		vals["expression"] = c.String("expression")
 	}
-	if len(c.String("exclusion")) > 0 {
-		vals["exclusion"] = c.String("exclusion")
-	}
 	if len(c.String("prefix")) > 0 {
 		vals["prefix"] = c.String("prefix")
 	}

cmd/migrate.go

@@ -7,7 +7,7 @@ import (
 	"context"
 
 	"forgejo.org/models/db"
-	"forgejo.org/models/gitea_migrations"
+	"forgejo.org/models/migrations"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
 
@@ -20,7 +20,6 @@ func cmdMigrate() *cli.Command {
 		Name:        "migrate",
 		Usage:       "Migrate the database",
 		Description: "This is a command for migrating the database, so that you can run 'forgejo admin user create' before starting the server.",
-		Before:      noDanglingArgs,
 		Action:      runMigrate,
 	}
 }
@@ -44,7 +43,7 @@ func runMigrate(stdCtx context.Context, ctx *cli.Command) error {
 		if err != nil {
 			return err
 		}
-		return gitea_migrations.Migrate(masterEngine)
+		return migrations.Migrate(masterEngine)
 	}); err != nil {
 		log.Fatal("Failed to initialize ORM engine: %v", err)
 		return err

cmd/migrate_storage.go

@@ -13,7 +13,7 @@ import (
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
 	git_model "forgejo.org/models/git"
-	"forgejo.org/models/gitea_migrations"
+	"forgejo.org/models/migrations"
 	packages_model "forgejo.org/models/packages"
 	repo_model "forgejo.org/models/repo"
 	user_model "forgejo.org/models/user"
@@ -32,7 +32,6 @@ func cmdMigrateStorage() *cli.Command {
 		Name:        "migrate-storage",
 		Usage:       "Migrate the storage",
 		Description: "Copies stored files from storage configured in app.ini to parameter-configured storage",
-		Before:      noDanglingArgs,
 		Action:      runMigrateStorage,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
@@ -200,7 +199,7 @@ func runMigrateStorage(stdCtx context.Context, ctx *cli.Command) error {
 	log.Info("Configuration file: %s", setting.CustomConf)
 
 	if err := db.InitEngineWithMigration(context.Background(), func(e db.Engine) error {
-		return gitea_migrations.Migrate(e.(*xorm.Engine))
+		return migrations.Migrate(e.(*xorm.Engine))
 	}); err != nil {
 		log.Fatal("Failed to initialize ORM engine: %v", err)
 		return err