[v15.0/forgejo]: 2026-06-10 security patches (#13002)

- fix: prevent stored XSS in user display name on Actions page
- fix: LFS locks must belong to the intended repo, port from Gitea
- fix: prevent unauthorized access to draft releases via API
- fix: prevent writes to OpenID visibility which may affect other users
- fix: prevent viewing private PRs that are linked to public issues on public projects

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13002
Reviewed-by: Beowulf <beowulf@beocode.eu>

.deadcode-out

@@ -19,7 +19,6 @@ forgejo.org/models/auth
 forgejo.org/models/db
 	TruncateBeans
 	TruncateBeansCascade
-	InTransaction
 	DumpTables
 	GetTableNames
 	extendBeansForCascade

.forgejo/workflows/build-release.yml

@@ -164,7 +164,7 @@ jobs:
 
       - name: build container & release
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.5.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@@ -183,7 +183,7 @@ jobs:
 
       - name: build rootless container
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.5.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"

.forgejo/workflows/publish-release.yml

@@ -44,7 +44,7 @@ jobs:
       - uses: https://data.forgejo.org/actions/checkout@v6
 
       - name: copy & sign
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.5.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.6.0
         with:
           from-forgejo: ${{ vars.FORGEJO }}
           to-forgejo: ${{ vars.FORGEJO }}

.golangci.yml

@@ -15,6 +15,7 @@ linters:
     - govet
     - importas
     - ineffassign
+    - modernize
     - nakedret
     - nolintlint
     - revive
@@ -45,6 +46,25 @@ linters:
               desc: use forgejo.org/modules/git instead, see https://codeberg.org/forgejo/forgejo/pulls/4941
             - pkg: gopkg.in/yaml.v3
               desc: use go.yaml.in/yaml instead, see https://codeberg.org/forgejo/forgejo/pulls/8956
+        migration-isolation:
+          list-mode: lax
+          files:
+            - "**/models/forgejo_migrations/**"
+          deny:
+            - pkg: "forgejo.org/models"
+              desc: >
+                Migrations must not import application models. Application models will be the most recent schema for
+                Forgejo, while migrations will be operating against the database schema that existed when they were
+                authored.
+            - pkg: "forgejo.org/services"
+              desc: >
+                Migrations must not import application services. Application services will reference application
+                models which will use the most recent schema for Forgejo, while migrations will be operating against the
+                database schema that existed when they were authored.
+          allow:
+            - "forgejo.org/models/db"
+            - "forgejo.org/models/gitea_migrations/base"
+            - "forgejo.org/models/gitea_migrations/test"
     gocritic:
       disabled-checks:
         - ifElseChain
@@ -333,21 +353,6 @@ linters:
       - path: services/actions/trust.go
         linters:
           - nilnil
-      - path: services/auth/basic.go
-        linters:
-          - nilnil
-      - path: services/auth/httpsign.go
-        linters:
-          - nilnil
-      - path: services/auth/oauth2.go
-        linters:
-          - nilnil
-      - path: services/auth/reverseproxy.go
-        linters:
-          - nilnil
-      - path: services/auth/session.go
-        linters:
-          - nilnil
       - path: services/contexttest/context_tests.go
         linters:
           - nilnil

Makefile

@@ -39,7 +39,7 @@ XGO_VERSION := go-1.21.x
 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.6.1 # renovate: datasource=go
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 # renovate: datasource=go
 GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15 # renovate: datasource=go
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.2 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest

build/lint-locale-usage/handle-tmpl.go

@@ -60,9 +60,13 @@ func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.N
 
 		case tmplParser.NodeField:
 			nodeField := nodeCommand.Args[0].(*tmplParser.FieldNode)
-			if len(nodeField.Ident) != 2 || !(nodeField.Ident[0] == "locale" || nodeField.Ident[0] == "Locale") {
+			if len(nodeField.Ident) != 2 || nodeField.Ident[0] != "locale" {
 				return
 			}
+			resolvedPos := fset.PositionFor(token.Pos(nodeCommand.Pos), false)
+			if !strings.Contains(resolvedPos.Filename, "templates/mail/") {
+				handler.OnWarning(fset, token.Pos(nodeCommand.Pos), "encountered unexpected .locale usage")
+			}
 			funcname = nodeField.Ident[1]
 
 		case tmplParser.NodeVariable:

cmd/cert.go

@@ -150,8 +150,8 @@ func runCert(ctx context.Context, c *cli.Command) error {
 		BasicConstraintsValid: true,
 	}
 
-	hosts := strings.Split(c.String("host"), ",")
-	for _, h := range hosts {
+	hosts := strings.SplitSeq(c.String("host"), ",")
+	for h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {

cmd/dump.go

@@ -12,6 +12,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -83,11 +84,9 @@ func (o outputType) Join() string {
 }
 
 func (o *outputType) Set(value string) error {
-	for _, enum := range o.Enum {
-		if enum == value {
-			o.selected = value
-			return nil
-		}
+	if slices.Contains(o.Enum, value) {
+		o.selected = value
+		return nil
 	}
 
 	return fmt.Errorf("allowed values are %s", o.Join())
@@ -250,8 +249,8 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)
 	} else {
 		for _, suffix := range outputTypeEnum.Enum {
-			if strings.HasSuffix(fileName, "."+suffix) {
-				fileName = strings.TrimSuffix(fileName, "."+suffix)
+			if before, ok := strings.CutSuffix(fileName, "."+suffix); ok {
+				fileName = before
 				break
 			}
 		}
@@ -330,14 +329,12 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	go dumpDatabase(ctx, archiveJobs, &wg, verbose)
 
 	if len(setting.CustomConf) > 0 {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			log.Info("Adding custom configuration file from %s", setting.CustomConf)
 			if err := addFile(archiveJobs, "app.ini", setting.CustomConf, verbose); err != nil {
 				fatal("Failed to include specified app.ini: %v", err)
 			}
-		}()
+		})
 	}
 
 	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
@@ -361,15 +358,13 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
 		log.Info("Skipping attachment data")
 	} else {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
 				return addObject(archiveJobs, object, path.Join("data", "attachments", objPath), verbose)
 			}); err != nil {
 				fatal("Failed to dump attachments: %v", err)
 			}
-		}()
+		})
 	}
 
 	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
@@ -377,15 +372,13 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	} else if !setting.Packages.Enabled {
 		log.Info("Package registry not enabled - skipping")
 	} else {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
 				return addObject(archiveJobs, object, path.Join("data", "packages", objPath), verbose)
 			}); err != nil {
 				fatal("Failed to dump packages: %v", err)
 			}
-		}()
+		})
 	}
 
 	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
@@ -399,13 +392,11 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
-			wg.Add(1)
-			go func() {
-				defer wg.Done()
+			wg.Go(func() {
 				if err := addRecursiveExclude(archiveJobs, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
 					fatal("Failed to include log: %v", err)
 				}
-			}()
+			})
 		}
 	}
 

cmd/dump_repo.go

@@ -143,8 +143,8 @@ func runDumpRepository(stdCtx context.Context, ctx *cli.Command) error {
 		opts.PullRequests = true
 		opts.ReleaseAssets = true
 	} else {
-		units := strings.Split(ctx.String("units"), ",")
-		for _, unit := range units {
+		units := strings.SplitSeq(ctx.String("units"), ",")
+		for unit := range units {
 			switch strings.ToLower(strings.TrimSpace(unit)) {
 			case "":
 				continue

custom/conf/app.example.ini

@@ -457,7 +457,7 @@ INTERNAL_TOKEN =
 ;GLOBAL_TWO_FACTOR_REQUIREMENT = none
 ;;
 ;; Name of cookie used to store authentication information.
-;COOKIE_REMEMBER_NAME = gitea_incredible
+;COOKIE_REMEMBER_NAME = persistent
 ;;
 ;; Reverse proxy authentication header name of user name, email, and full name
 ;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
@@ -1895,7 +1895,7 @@ LEVEL = Info
 ;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Session cookie name
-;COOKIE_NAME = i_like_gitea
+;COOKIE_NAME = session
 ;;
 ;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
 ;COOKIE_SECURE =

docker/rootless/usr/local/bin/gitea

@@ -9,7 +9,7 @@
 # And place the original in /usr/lib/gitea with working files in /data/gitea
 GITEA="/app/gitea/gitea"
 WORK_DIR="/var/lib/gitea"
-APP_INI="/etc/gitea/app.ini"
+APP_INI="/var/lib/gitea/custom/conf/app.ini"
 
 APP_INI_SET=""
 for i in "$@"; do

go.mod

@@ -2,16 +2,16 @@ module forgejo.org
 
 go 1.25.0
 
-toolchain go1.26.1
+toolchain go1.26.4
 
 require (
 	code.forgejo.org/f3/gof3/v3 v3.11.15
 	code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20260301104140-add494e31dab
 	code.forgejo.org/forgejo/actions-proto v0.7.0
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
-	code.forgejo.org/forgejo/levelqueue v1.0.0
+	code.forgejo.org/forgejo/levelqueue v1.1.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/forgejo/runner/v12 v12.7.3
+	code.forgejo.org/forgejo/runner/v12 v12.10.2
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
@@ -20,7 +20,7 @@ require (
 	code.superseriousbusiness.org/exif-terminator v0.11.1
 	code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
-	connectrpc.com/connect v1.19.1
+	connectrpc.com/connect v1.19.2
 	github.com/42wim/httpsig v1.2.3
 	github.com/42wim/sshsig v0.0.0-20250502153856-5100632e8920
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358
@@ -42,6 +42,7 @@ require (
 	github.com/emersion/go-imap v1.2.1
 	github.com/felixge/fgprof v0.9.5
 	github.com/fsnotify/fsnotify v1.9.0
+	github.com/gdgvda/cron v0.7.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9
 	github.com/go-ap/jsonld v0.0.0-20251216162253-e38fa664ea77
@@ -67,15 +68,15 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/huandu/xstrings v1.5.0
 	github.com/inbucket/html2text v0.9.0
-	github.com/jackc/pgx/v5 v5.9.1
+	github.com/jackc/pgx/v5 v5.9.2
 	github.com/jhillyerd/enmime/v2 v2.2.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.18.4
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
-	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-sqlite3 v1.14.37
+	github.com/mattn/go-isatty v0.0.22
+	github.com/mattn/go-sqlite3 v1.14.42
 	github.com/meilisearch/meilisearch-go v0.36.0
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
@@ -88,7 +89,6 @@ require (
 	github.com/pquerna/otp v1.5.0
 	github.com/prometheus/client_golang v1.21.1
 	github.com/redis/go-redis/v9 v9.17.3
-	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/sergi/go-diff v1.4.0
 	github.com/stretchr/testify v1.11.1
@@ -102,16 +102,16 @@ require (
 	gitlab.com/gitlab-org/api/client-go v0.143.2
 	go.uber.org/mock v0.6.0
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/crypto v0.49.0
-	golang.org/x/image v0.37.0
-	golang.org/x/net v0.52.0
+	golang.org/x/crypto v0.52.0
+	golang.org/x/image v0.41.0
+	golang.org/x/net v0.55.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/sys v0.42.0
-	golang.org/x/text v0.35.0
+	golang.org/x/sys v0.45.0
+	golang.org/x/text v0.37.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
-	gopkg.in/ini.v1 v1.67.0
+	gopkg.in/ini.v1 v1.67.3
 	mvdan.cc/xurls/v2 v2.6.0
 	xorm.io/builder v0.3.13
 	xorm.io/xorm v1.3.9
@@ -147,7 +147,7 @@ require (
 	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
 	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
 	github.com/blevesearch/zapx/v16 v16.2.8 // indirect
-	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
 	github.com/bodgit/plumbing v1.3.0 // indirect
 	github.com/bodgit/sevenzip v1.6.1 // indirect
 	github.com/bodgit/windows v1.0.1 // indirect
@@ -156,6 +156,7 @@ require (
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
@@ -166,16 +167,13 @@ require (
 	github.com/dsoprea/go-photoshop-info-format v0.0.0-20200609050348-3db9b63b202c // indirect
 	github.com/dsoprea/go-utility/v2 v2.0.0-20221003172846-a3e1774ef349 // indirect
 	github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43 // indirect
-	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/color v1.19.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-fed/httpsig v1.1.0 // indirect
-	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.8.0 // indirect
-	github.com/go-git/go-git/v5 v5.17.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
 	github.com/go-openapi/jsonreference v0.21.4 // indirect
@@ -204,7 +202,6 @@ require (
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/crc32 v1.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
@@ -213,7 +210,7 @@ require (
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/markbates/going v1.0.3 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-runewidth v0.0.17 // indirect
+	github.com/mattn/go-runewidth v0.0.21 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/mholt/acmez/v3 v3.1.2 // indirect
 	github.com/miekg/dns v1.1.63 // indirect
@@ -231,6 +228,7 @@ require (
 	github.com/olekukonko/ll v0.0.9 // indirect
 	github.com/olekukonko/tablewriter v1.0.7 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/onsi/gomega v1.34.1 // indirect
 	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -238,8 +236,9 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rhysd/actionlint v1.7.10 // indirect
+	github.com/rhysd/actionlint v1.7.12 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/sorairolake/lzip-go v0.3.8 // indirect
@@ -257,11 +256,10 @@ require (
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
@@ -274,4 +272,4 @@ replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-2024121
 
 replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
 
-replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.8
+replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.11

go.sum

@@ -26,12 +26,12 @@ code.forgejo.org/forgejo/go-rpmutils v1.0.0 h1:RZGGeKt70p/WaIEL97pyT6uiiEIoN8/aL
 code.forgejo.org/forgejo/go-rpmutils v1.0.0/go.mod h1:cg+VbgLXfrDPza9T+kBsMb3TVmmzPN4XseT6gDGLSUk=
 code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078 h1:RArF5AsF9LH4nEoJxqRxcP5r8hhRfWcId84G82YbqzA=
 code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078/go.mod h1:g/V2Hjas6Z1UHUp4yIx6bATpNzJ7DYtD0FG3+xARWxs=
-code.forgejo.org/forgejo/levelqueue v1.0.0 h1:9krYpU6BM+j/1Ntj6m+VCAIu0UNnne1/UfU/XgPpLuE=
-code.forgejo.org/forgejo/levelqueue v1.0.0/go.mod h1:fmG6zhVuqim2rxSFOoasgXO8V2W/k9U31VVYqLIRLhQ=
+code.forgejo.org/forgejo/levelqueue v1.1.0 h1:IgDbeZBdzJhbI8M0hXCQ1qyJIk83cGnBS39D9SRaCAg=
+code.forgejo.org/forgejo/levelqueue v1.1.0/go.mod h1:flCo3rqxrybUXQR2I8TFyiDSsLkOjb71CZOEdAuJmgc=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
 code.forgejo.org/forgejo/reply v1.0.2/go.mod h1:RyZUfzQLc+fuLIGjTSQWDAJWPiL4WtKXB/FifT5fM7U=
-code.forgejo.org/forgejo/runner/v12 v12.7.3 h1:+thSawVfLeAZaWB6sYeUPvLj4lxYjCIDt/ktvkfX5Rs=
-code.forgejo.org/forgejo/runner/v12 v12.7.3/go.mod h1:OO+Vy9Dww6WNV7GG/6VUWo/0WwXY+ASGlINmAfEA9Ws=
+code.forgejo.org/forgejo/runner/v12 v12.10.2 h1:tU4XiBlmMpQwutKL5QYV1FRTkv2FPrbuymYsucNdNWE=
+code.forgejo.org/forgejo/runner/v12 v12.10.2/go.mod h1:QnCx84rMQJ+DJ4aS9r2BZL0z2a0ZFaVl9EfMnXYl23g=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 h1:kEZL84+02jY9RxXM4zHBWZ3Fml0B09cmP1LGkDsCfIA=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 code.forgejo.org/go-chi/binding v1.0.1 h1:coKNI+X1NzRN7X85LlrpvBRqk0TXpJ+ja28vusQWEuY=
@@ -42,8 +42,8 @@ code.forgejo.org/go-chi/captcha v1.0.2 h1:vyHDPXkpjDv8bLO9NqtWzZayzstD/WpJ5xwEkA
 code.forgejo.org/go-chi/captcha v1.0.2/go.mod h1:lxiPLcJ76UCZHoH31/Wbum4GUi2NgjfFZLrJkKv1lLE=
 code.forgejo.org/go-chi/session v1.0.3 h1:ByJ9c/UC0AU57hxiGl53TXh+NdBOBwK/bhZ9jyadEwE=
 code.forgejo.org/go-chi/session v1.0.3/go.mod h1:xzGtFrV/agCJoZCUhFDlqAr1he6BrAdqlaprKOB1W90=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.8 h1:dsSKm2nus0NhHsqYxeuB3Gldk6TtlusD1CBGV6V1SS0=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.8/go.mod h1:A7sFd3BFmRp20h6drSsCXgQRQdF8Vz8HuCSrzFS3m90=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.11 h1:EXJVQ4feAFMkpFwtHAHuXkK6TLNYqabR7QTzqL8uObY=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.11/go.mod h1:C18NeM/SazG/q4eqpWnoNks7GeCyRUNQIe2onniRViU=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
 code.gitea.io/sdk/gitea v0.21.0/go.mod h1:tnBjVhuKJCn8ibdyyhvUyxrR1Ca2KHEoTWoukNhXQPA=
 code.superseriousbusiness.org/exif-terminator v0.11.1 h1:qnujLH4/Yk/CFtFMmtjozbdV6Ry5G3Q/E/mLlWm/gQI=
@@ -54,8 +54,8 @@ code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 h1:I512jiIeXDC4//
 code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0/go.mod h1:SNHomXNW88o1pFfLHpD4KsCZLfcr4z5dm+xcX5SV10A=
 codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570 h1:TXbikPqa7YRtfU9vS6QJBg77pUvbEb6StRdZO8t1bEY=
 codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570/go.mod h1:IIAjsijsd8q1isWX8MACefDEgTQslQ4stk2AeeTt3kM=
-connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
-connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
+connectrpc.com/connect v1.19.2 h1:McQ83FGdzL+t60peksi0gXC7MQ/iLKgLduAnThbM0mo=
+connectrpc.com/connect v1.19.2/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
 filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
@@ -142,8 +142,8 @@ github.com/blevesearch/zapx/v15 v15.4.2 h1:sWxpDE0QQOTjyxYbAVjt3+0ieu8NCE0fDRaFx
 github.com/blevesearch/zapx/v15 v15.4.2/go.mod h1:1pssev/59FsuWcgSnTa0OeEpOzmhtmr/0/11H0Z8+Nw=
 github.com/blevesearch/zapx/v16 v16.2.8 h1:SlnzF0YGtSlrsOE3oE7EgEX6BIepGpeqxs1IjMbHLQI=
 github.com/blevesearch/zapx/v16 v16.2.8/go.mod h1:murSoCJPCk25MqURrcJaBQ1RekuqSCSfMjXH4rHyA14=
-github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE=
-github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=
+github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bodgit/plumbing v1.3.0 h1:pf9Itz1JOQgn7vEOE7v7nlEfBykYqvUYioC61TwWCFU=
 github.com/bodgit/plumbing v1.3.0/go.mod h1:JOTb4XiRu5xfnmdnDJo6GmSbSbtSyufrsyZFByMtKEs=
 github.com/bodgit/sevenzip v1.6.1 h1:kikg2pUMYC9ljU7W9SaqHXhym5HyKm8/M/jd31fYan4=
@@ -182,6 +182,8 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
 github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
 github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -241,8 +243,8 @@ github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43/go.mod h1:iL2twTe
 github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594/go.mod h1:aqO8z8wPrjkscevZJFVE1wXJrLpC5LtJG7fqLOsPb2U=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
+github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY=
 github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM=
 github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
@@ -253,6 +255,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gdgvda/cron v0.7.0 h1:LFPZUTbCb5ZpzYxavbQDDbjd6nwTwkiNUWyulOdlY2I=
+github.com/gdgvda/cron v0.7.0/go.mod h1:caBF+mzTZGtQqFE05T1m6u9OmCASY3EK51XAICf3wio=
 github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9 h1:j2TrkUG/NATGi/EQS+MvEoF79CxiRUmT16ErFroNcKI=
 github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9/go.mod h1:cJ9Ye0ZNSMN7RzZDBRY3E+8M3Bpf/R1JX22Ir9yX6WI=
 github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 h1:I2nuhyVI/48VXoRCCZR2hYBgnSXa+EuDJf/VyX06TC0=
@@ -280,12 +284,6 @@ github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxI
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI=
 github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
-github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
-github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM=
-github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
@@ -447,12 +445,10 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
-github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -514,14 +510,14 @@ github.com/markbates/goth v1.82.0 h1:8j/c34AjBSTNzO7zTsOyP5IYCQCMBTRBHAbBt/PI0bQ
 github.com/markbates/goth v1.82.0/go.mod h1:/DRlcq0pyqkKToyZjsL2KgiA1zbF1HIjE7u2uC79rUk=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkENfrjQ=
-github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
+github.com/mattn/go-runewidth v0.0.21 h1:jJKAZiQH+2mIinzCJIaIG9Be1+0NR+5sz/lYEEjdM8w=
+github.com/mattn/go-runewidth v0.0.21/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
-github.com/mattn/go-sqlite3 v1.14.37 h1:3DOZp4cXis1cUIpCfXLtmlGolNLp2VEqhiB/PARNBIg=
-github.com/mattn/go-sqlite3 v1.14.37/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.42 h1:MigqEP4ZmHw3aIdIT7T+9TLa90Z6smwcthx+Azv4Cgo=
+github.com/mattn/go-sqlite3 v1.14.42/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
 github.com/meilisearch/meilisearch-go v0.36.0 h1:N1etykTektXt5KPcSbhBO0d5Xx5NaKj4pJWEM7WA5dI=
 github.com/meilisearch/meilisearch-go v0.36.0/go.mod h1:HBfHzKMxcSbTOvqdfuRA/yf6Vk9IivcwKocWRuW7W78=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
@@ -612,9 +608,8 @@ github.com/redis/go-redis/v9 v9.17.3 h1:fN29NdNrE17KttK5Ndf20buqfDZwGNgoUr9qjl1D
 github.com/redis/go-redis/v9 v9.17.3/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/rhysd/actionlint v1.7.10 h1:FL3XIEs72G4/++168vlv5FKOWMSWvWIQw1kBCadyOcM=
-github.com/rhysd/actionlint v1.7.10/go.mod h1:ZHX/hrmknlsJN73InPTKsKdXpAv9wVdrJy8h8HAwFHg=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rhysd/actionlint v1.7.12 h1:vQ4GeJN86C0QH+gTUQcs8McmK62OLT3kmakPMtEWYnY=
+github.com/rhysd/actionlint v1.7.12/go.mod h1:krOUhujIsJusovkaYzQ/VNH8PFexjNKqU0q5XI/4w+g=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
@@ -653,6 +648,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
@@ -724,8 +720,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -734,12 +730,12 @@ golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE
 golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.37.0 h1:ZiRjArKI8GwxZOoEtUfhrBtaCN+4b/7709dlT6SSnQA=
-golang.org/x/image v0.37.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/image v0.41.0 h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo=
+golang.org/x/image v0.41.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -761,8 +757,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -793,8 +789,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -851,8 +847,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -862,8 +858,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -877,8 +873,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
@@ -912,8 +908,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -970,12 +966,10 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
-gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
-gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.67.3 h1:iM9Lhz5MRSGhHVGGwCuzG9KO8PoirCXj/m/qTmOJJQw=
+gopkg.in/ini.v1 v1.67.3/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -995,14 +989,14 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
-modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
+modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
+modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
-modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c=
+modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
 mvdan.cc/xurls/v2 v2.6.0 h1:3NTZpeTxYVWNSokW3MKeyVkz/j7uYXYiMtXRUfmjbgI=
 mvdan.cc/xurls/v2 v2.6.0/go.mod h1:bCvEZ1XvdA6wDnxY7jPPjEmigDtvtvPXAD/Exa9IMSk=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

models/actions/artifact.go

@@ -192,3 +192,12 @@ func SetArtifactDeleted(ctx context.Context, artifactID int64) error {
 	_, err := db.GetEngine(ctx).ID(artifactID).Cols("status").Update(&ActionArtifact{Status: int64(ArtifactStatusDeleted)})
 	return err
 }
+
+// SetArtifactsOfRunDeleted marks all artifacts of the given run as deleted.
+func SetArtifactsOfRunDeleted(ctx context.Context, runID int64) error {
+	_, err := db.GetEngine(ctx).
+		Where("run_id=?", runID).
+		Cols("status").
+		Update(&ActionArtifact{Status: int64(ArtifactStatusPendingDeletion)})
+	return err
+}

models/actions/pre_execution_errors.go

@@ -30,6 +30,7 @@ const (
 	ErrorCodeIncompleteWithMissingOutput
 	ErrorCodeIncompleteWithMissingMatrixDimension
 	ErrorCodeIncompleteWithUnknownCause
+	ErrorCodeUnknownJobInNeeds
 )
 
 func TranslatePreExecutionError(lang translation.Locale, run *ActionRun) string {
@@ -69,6 +70,8 @@ func TranslatePreExecutionError(lang translation.Locale, run *ActionRun) string
 		return lang.TrString("actions.workflow.incomplete_with_missing_matrix_dimension", run.PreExecutionErrorDetails...)
 	case ErrorCodeIncompleteWithUnknownCause:
 		return lang.TrString("actions.workflow.incomplete_with_unknown_cause", run.PreExecutionErrorDetails...)
+	case ErrorCodeUnknownJobInNeeds:
+		return lang.TrString("actions.workflow.unknown_job_in_needs", run.PreExecutionErrorDetails...)
 	}
 	return fmt.Sprintf("<unsupported error: code=%v details=%#v", run.PreExecutionErrorCode, run.PreExecutionErrorDetails)
 }

models/actions/run.go

@@ -153,7 +153,9 @@ func (run *ActionRun) LoadAttributes(ctx context.Context) error {
 
 	if run.TriggerUser == nil {
 		u, err := user_model.GetPossibleUserByID(ctx, run.TriggerUserID)
-		if err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			u = user_model.NewGhostUser()
+		} else if err != nil {
 			return err
 		}
 		run.TriggerUser = u
@@ -255,6 +257,33 @@ func (run *ActionRun) IsDispatchedRun() bool {
 	return run.TriggerEvent == "workflow_dispatch"
 }
 
+// IsValid indicates whether this ActionRun is valid and can be run.
+func (run *ActionRun) IsValid() bool {
+	return run.PreExecutionErrorCode == 0 && run.PreExecutionError == ""
+}
+
+// CanBeRerun indicates whether this ActionRun can be rerun.
+func (run *ActionRun) CanBeRerun() bool {
+	if !run.IsValid() {
+		return false
+	}
+	return run.Status.IsDone()
+}
+
+func (run *ActionRun) PrepareNextAttempt() error {
+	if run.Status != StatusUnknown && !run.Status.IsDone() {
+		return fmt.Errorf("cannot prepare next attempt because run %d is active: %s", run.ID, run.Status.String())
+	}
+
+	run.PreviousDuration = run.Duration()
+
+	run.Status = StatusWaiting
+	run.Started = 0
+	run.Stopped = 0
+
+	return nil
+}
+
 func actionsCountOpenCacheKey(repoID int64) string {
 	return fmt.Sprintf("Actions:CountOpenActionRuns:%d", repoID)
 }
@@ -318,7 +347,7 @@ func UpdateRunApprovalByID(ctx context.Context, id int64, approval ApprovalType,
 func GetRunsNotDoneByRepoIDAndPullRequestPosterID(ctx context.Context, repoID, pullRequestPosterID int64) ([]*ActionRun, error) {
 	var runs []*ActionRun
 	// performance relies on indexes on repo_id and status
-	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_poster_id=?", repoID, pullRequestPosterID).And(builder.In("status", []Status{StatusUnknown, StatusWaiting, StatusRunning, StatusBlocked})).Find(&runs); err != nil {
+	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_poster_id=?", repoID, pullRequestPosterID).And(builder.In("status", PendingStatuses())).Find(&runs); err != nil {
 		return nil, err
 	}
 	return runs, nil
@@ -327,7 +356,7 @@ func GetRunsNotDoneByRepoIDAndPullRequestPosterID(ctx context.Context, repoID, p
 func GetRunsNotDoneByRepoIDAndPullRequestID(ctx context.Context, repoID, pullRequestID int64) ([]*ActionRun, error) {
 	var runs []*ActionRun
 	// performance relies on indexes on repo_id and status
-	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_id=?", repoID, pullRequestID).And(builder.In("status", []Status{StatusUnknown, StatusWaiting, StatusRunning, StatusBlocked})).Find(&runs); err != nil {
+	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_id=?", repoID, pullRequestID).And(builder.In("status", PendingStatuses())).Find(&runs); err != nil {
 		return nil, err
 	}
 	return runs, nil

models/actions/run_job.go

@@ -140,6 +140,34 @@ func (job *ActionRunJob) PrepareNextAttempt(initialStatus Status) error {
 	return nil
 }
 
+// CanBeRerun answers whether this ActionRunJob can be rerun. Returns true if it is done and the Run it belongs to
+// is valid. Returns false in all other cases.
+func (job *ActionRunJob) CanBeRerun(ctx context.Context) (bool, error) {
+	if err := job.LoadRun(ctx); err != nil {
+		return false, fmt.Errorf("cannot load run %d of job %d: %w", job.RunID, job.ID, err)
+	}
+
+	if !job.Run.IsValid() {
+		return false, nil
+	}
+	return job.Status.IsDone(), nil
+}
+
+// GetAllAttempts retrieve all the attempts of this job. Limited fields are queried to avoid loading the LogIndexes blob
+// when not needed.
+func (job *ActionRunJob) GetAllAttempts(ctx context.Context) ([]*ActionTask, error) {
+	var attempts []*ActionTask
+	err := db.GetEngine(ctx).
+		Cols("id", "attempt", "status", "started").
+		Where("job_id=?", job.ID).
+		Desc("attempt").
+		Find(&attempts)
+	if err != nil {
+		return nil, err
+	}
+	return attempts, nil
+}
+
 func GetRunJobByID(ctx context.Context, id int64) (*ActionRunJob, error) {
 	var job ActionRunJob
 	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&job)
@@ -338,3 +366,17 @@ func (job *ActionRunJob) EnableOpenIDConnect() (bool, error) {
 	}
 	return jobWorkflow.EnableOpenIDConnect, nil
 }
+
+// AllNeedsExist checks whether this ActionRunJob's Needs can theoretically be met by comparing them with the supplied
+// list of all job IDs that part of a particular workflow run. Returns the list of unknown job IDs found in Needs
+// alongside an indicator whether the check was successful.
+func (job *ActionRunJob) AllNeedsExist(allExistingJobIDs container.Set[string]) ([]string, bool) {
+	unknownJobIDs := []string{}
+	for _, need := range job.Needs {
+		if !allExistingJobIDs.Contains(need) {
+			unknownJobIDs = append(unknownJobIDs, need)
+		}
+	}
+
+	return unknownJobIDs, len(unknownJobIDs) == 0
+}

models/actions/run_job_list.go

@@ -22,6 +22,14 @@ func (jobs ActionJobList) GetRunIDs() []int64 {
 	})
 }
 
+func (jobs ActionJobList) GetJobIDs() container.Set[string] {
+	jobIDs := container.SetOf[string]()
+	for _, job := range jobs {
+		jobIDs.Add(job.JobID)
+	}
+	return jobIDs
+}
+
 func (jobs ActionJobList) LoadRuns(ctx context.Context, withRepo bool) error {
 	runIDs := jobs.GetRunIDs()
 	runs := make(map[int64]*ActionRun, len(runIDs))

models/actions/run_job_list_test.go

@@ -0,0 +1,21 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"testing"
+
+	"forgejo.org/modules/container"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionJobList_GetJobIDs(t *testing.T) {
+	jobs := ActionJobList{
+		&ActionRunJob{JobID: "job 1"},
+		&ActionRunJob{JobID: "job 2"},
+	}
+
+	assert.Equal(t, container.SetOf("job 2", "job 1"), jobs.GetJobIDs())
+}

models/actions/run_job_test.go

@@ -8,6 +8,7 @@ import (
 
 	"forgejo.org/models/db"
 	"forgejo.org/models/unittest"
+	"forgejo.org/modules/container"
 	"forgejo.org/modules/timeutil"
 
 	"code.forgejo.org/forgejo/runner/v12/act/jobparser"
@@ -44,7 +45,7 @@ func TestActionRunJob_HTMLURL(t *testing.T) {
 	}{
 		{
 			id:       192,
-			expected: "https://try.gitea.io/user5/repo4/actions/runs/187/jobs/0/attempt/1",
+			expected: "https://try.gitea.io/user5/repo4/actions/runs/187/jobs/0/attempt/3",
 		},
 		{
 			id:       393,
@@ -369,3 +370,154 @@ func TestIsRequestedByRunner(t *testing.T) {
 
 	assert.False(t, emptyHandleJob.IsRequestedByRunner(&differentHandle))
 }
+
+func TestAllNeedsExist(t *testing.T) {
+	testCases := []struct {
+		name               string
+		job                ActionRunJob
+		existingJobIDs     container.Set[string]
+		expectedUnknownIDs []string
+		ok                 bool
+	}{
+		{
+			name:               "no needs",
+			job:                ActionRunJob{Needs: nil},
+			existingJobIDs:     container.Set[string]{},
+			expectedUnknownIDs: []string{},
+			ok:                 true,
+		},
+		{
+			name:               "empty needs",
+			job:                ActionRunJob{Needs: []string{}},
+			existingJobIDs:     container.Set[string]{},
+			expectedUnknownIDs: []string{},
+			ok:                 true,
+		},
+		{
+			name:               "satisfied needs",
+			job:                ActionRunJob{Needs: []string{"job1", "job2"}},
+			existingJobIDs:     container.SetOf("job2", "job1"),
+			expectedUnknownIDs: []string{},
+			ok:                 true,
+		},
+		{
+			name:               "unsatisfied needs",
+			job:                ActionRunJob{Needs: []string{"unknown", "job2"}},
+			existingJobIDs:     container.SetOf("job2", "job1"),
+			expectedUnknownIDs: []string{"unknown"},
+			ok:                 false,
+		},
+		{
+			name:               "comparison is case-sensitive",
+			job:                ActionRunJob{Needs: []string{"Job1", "job2"}},
+			existingJobIDs:     container.SetOf("job2", "job1"),
+			expectedUnknownIDs: []string{"Job1"},
+			ok:                 false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			unknownIDs, ok := testCase.job.AllNeedsExist(testCase.existingJobIDs)
+
+			assert.Equal(t, testCase.ok, ok)
+			assert.Equal(t, testCase.expectedUnknownIDs, unknownIDs)
+		})
+	}
+}
+
+func TestActionRunJob_CanBeRerun(t *testing.T) {
+	testCases := []struct {
+		name          string
+		job           ActionRunJob
+		canBeRerun    bool
+		expectedError string
+	}{
+		{
+			name:       "job with unknown status",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusUnknown},
+			canBeRerun: false,
+		},
+		{
+			name:       "successful job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusSuccess},
+			canBeRerun: true,
+		},
+		{
+			name:       "failed job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusFailure},
+			canBeRerun: true,
+		},
+		{
+			name:       "cancelled job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusCancelled},
+			canBeRerun: true,
+		},
+		{
+			name:       "skipped job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusSkipped},
+			canBeRerun: true,
+		},
+		{
+			name:       "waiting job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusWaiting},
+			canBeRerun: false,
+		},
+		{
+			name:       "blocked job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusBlocked},
+			canBeRerun: false,
+		},
+		{
+			name:          "ActionRun is nil",
+			job:           ActionRunJob{ID: 12, Run: nil, Status: StatusSuccess},
+			expectedError: "cannot load run 0 of job 12",
+		},
+		{
+			name:       "with busy run but completed job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusRunning}, Status: StatusSuccess},
+			canBeRerun: true,
+		},
+		{
+			name: "with run that cannot be run",
+			job: ActionRunJob{
+				Run:    &ActionRun{Status: StatusRunning, PreExecutionErrorCode: ErrorCodeEventDetectionError},
+				Status: StatusSuccess,
+			},
+			canBeRerun: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			result, err := testCase.job.CanBeRerun(t.Context())
+
+			if testCase.expectedError == "" {
+				require.NoError(t, err)
+			} else {
+				require.ErrorContains(t, err, testCase.expectedError)
+			}
+
+			assert.Equal(t, testCase.canBeRerun, result)
+		})
+	}
+}
+
+func TestActionTask_GetAllAttempts(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	job2 := unittest.AssertExistsAndLoadBean(t, &ActionRunJob{ID: 192})
+
+	allAttempts, err := job2.GetAllAttempts(t.Context())
+	require.NoError(t, err)
+
+	require.Len(t, allAttempts, 3)
+	assert.EqualValues(t, 47, allAttempts[0].ID, "ordered by attempt, 1")
+	assert.EqualValues(t, 53, allAttempts[1].ID, "ordered by attempt, 2")
+	assert.EqualValues(t, 52, allAttempts[2].ID, "ordered by attempt, 3")
+
+	// GetAllAttempts doesn't populate all fields; so check expected fields from one of the records
+	assert.EqualValues(t, 3, allAttempts[0].Attempt, "read Attempt field")
+	assert.Equal(t, StatusRunning, allAttempts[0].Status, "read Status field")
+	assert.Equal(t, timeutil.TimeStamp(1683636528), allAttempts[0].Started, "read Started field")
+}

models/actions/run_test.go

@@ -19,9 +19,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestGetRunBefore(t *testing.T) {
-}
-
 func TestSetConcurrencyGroup(t *testing.T) {
 	run := ActionRun{}
 	run.SetConcurrencyGroup("abc123")
@@ -96,6 +93,86 @@ func TestIsManualRun(t *testing.T) {
 	assert.False(t, pushRun.IsDispatchedRun())
 }
 
+func TestActionRun_IsValid(t *testing.T) {
+	testCases := []struct {
+		name    string
+		run     ActionRun
+		isValid bool
+	}{
+		{
+			name:    "valid run",
+			run:     ActionRun{},
+			isValid: true,
+		},
+		{
+			name:    "with pre-execution error",
+			run:     ActionRun{PreExecutionErrorCode: ErrorCodeIncompleteRunsOnMissingOutput},
+			isValid: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			assert.Equal(t, testCase.isValid, testCase.run.IsValid())
+		})
+	}
+}
+
+func TestActionRun_CanBeRerun(t *testing.T) {
+	testCases := []struct {
+		name       string
+		run        ActionRun
+		canBeRerun bool
+	}{
+		{
+			name:       "run with unknown status",
+			run:        ActionRun{Status: StatusUnknown},
+			canBeRerun: false,
+		},
+		{
+			name:       "successful run",
+			run:        ActionRun{Status: StatusSuccess},
+			canBeRerun: true,
+		},
+		{
+			name:       "failed run",
+			run:        ActionRun{Status: StatusFailure},
+			canBeRerun: true,
+		},
+		{
+			name:       "cancelled run",
+			run:        ActionRun{Status: StatusCancelled},
+			canBeRerun: true,
+		},
+		{
+			name:       "skipped run",
+			run:        ActionRun{Status: StatusSkipped},
+			canBeRerun: true,
+		},
+		{
+			name:       "waiting run",
+			run:        ActionRun{Status: StatusWaiting},
+			canBeRerun: false,
+		},
+		{
+			name:       "blocked run",
+			run:        ActionRun{Status: StatusBlocked},
+			canBeRerun: false,
+		},
+		{
+			name:       "with pre-execution error",
+			run:        ActionRun{PreExecutionErrorCode: ErrorCodeIncompleteRunsOnMissingOutput, Status: StatusSuccess},
+			canBeRerun: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			assert.Equal(t, testCase.canBeRerun, testCase.run.CanBeRerun())
+		})
+	}
+}
+
 func TestRepoNumOpenActions(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	err := cache.Init()
@@ -606,3 +683,12 @@ jobs:
 	assert.Zero(t, insertedJobs[1].TaskID)
 	assert.Equal(t, StatusWaiting, insertedJobs[1].Status)
 }
+
+func TestActionRunLoadAttributes(t *testing.T) {
+	run := &ActionRun{
+		RepoID:        10,
+		TriggerUserID: 1000,
+	}
+	require.NoError(t, run.LoadAttributes(t.Context()))
+	assert.Equal(t, "ghost", run.TriggerUser.LowerName)
+}

models/actions/schedule.go

@@ -5,7 +5,6 @@ package actions
 
 import (
 	"context"
-	"time"
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
@@ -21,7 +20,7 @@ import (
 type ActionSchedule struct {
 	ID                int64
 	Title             string
-	Specs             []string
+	Specs             []*ActionScheduleSpec  `xorm:"-"`
 	RepoID            int64                  `xorm:"index"`
 	Repo              *repo_model.Repository `xorm:"-"`
 	OwnerID           int64                  `xorm:"index"`
@@ -73,25 +72,12 @@ func CreateScheduleTask(ctx context.Context, rows []*ActionSchedule) error {
 			return err
 		}
 
-		// Loop through each schedule spec and create a new spec row
-		now := time.Now()
-
 		for _, spec := range row.Specs {
-			specRow := &ActionScheduleSpec{
-				RepoID:     row.RepoID,
-				ScheduleID: row.ID,
-				Spec:       spec,
-			}
-			// Parse the spec and check for errors
-			schedule, err := specRow.Parse()
-			if err != nil {
-				continue // skip to the next spec if there's an error
-			}
-
-			specRow.Next = timeutil.TimeStamp(schedule.Next(now).Unix())
+			spec.ScheduleID = row.ID
+			spec.RepoID = row.RepoID
 
 			// Insert the new schedule spec row
-			if err = db.Insert(ctx, specRow); err != nil {
+			if err = db.Insert(ctx, spec); err != nil {
 				return err
 			}
 		}

models/actions/schedule_spec.go

@@ -10,9 +10,10 @@ import (
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/timeutil"
 
-	"github.com/robfig/cron/v3"
+	"github.com/gdgvda/cron"
 )
 
 // ActionScheduleSpec represents a schedule spec of a workflow file
@@ -27,36 +28,58 @@ type ActionScheduleSpec struct {
 	// started or this entry's schedule is unsatisfiable
 	Next timeutil.TimeStamp `xorm:"index"`
 	// Prev is the last time this job was run, or the zero time if never.
-	Prev timeutil.TimeStamp
-	Spec string
+	Prev     timeutil.TimeStamp
+	Spec     string
+	TimeZone optional.Option[string]
 
 	Created timeutil.TimeStamp `xorm:"created"`
 	Updated timeutil.TimeStamp `xorm:"updated"`
 }
 
+func NewActionScheduleSpec(cron string, tz optional.Option[string], referenceTime time.Time) (*ActionScheduleSpec, error) {
+	spec := &ActionScheduleSpec{
+		Spec:     cron,
+		TimeZone: tz,
+	}
+	cronSchedule, err := spec.Parse()
+	if err != nil {
+		return nil, err
+	}
+
+	spec.Next = timeutil.TimeStamp(cronSchedule.Next(referenceTime).Unix())
+	return spec, nil
+}
+
 // Parse parses the spec and returns a cron.Schedule
 // Unlike the default cron parser, Parse uses UTC timezone as the default if none is specified.
 func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) {
-	parser := cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor)
+	parser, err := cron.NewDefaultParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor)
+	if err != nil {
+		return nil, err
+	}
+
 	schedule, err := parser.Parse(s.Spec)
 	if err != nil {
 		return nil, err
 	}
 
-	// If the spec has specified a timezone, use it
-	if strings.HasPrefix(s.Spec, "TZ=") || strings.HasPrefix(s.Spec, "CRON_TZ=") {
+	// If `timezone` is not defined in the workflow, but the spec includes a timezone, use it.
+	if !s.TimeZone.Has() && (strings.HasPrefix(s.Spec, "TZ=") || strings.HasPrefix(s.Spec, "CRON_TZ=")) {
 		return schedule, nil
 	}
 
-	specSchedule, ok := schedule.(*cron.SpecSchedule)
-	// If it's not a spec schedule, like "@every 5m", timezone is not relevant
-	if !ok {
-		return schedule, nil
+	var location *time.Location
+	if present, tz := s.TimeZone.Get(); present {
+		location, err = time.LoadLocation(tz)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// UTC is the default time zone.
+		location = time.UTC
 	}
 
-	// Set the timezone to UTC
-	specSchedule.Location = time.UTC
-	return specSchedule, nil
+	return schedule.WithLocation(location), nil
 }
 
 func init() {

models/actions/schedule_spec_test.go

@@ -7,6 +7,8 @@ import (
 	"testing"
 	"time"
 
+	"forgejo.org/modules/optional"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -21,50 +23,105 @@ func TestActionScheduleSpec_Parse(t *testing.T) {
 	}()
 	time.Local = tz
 
-	now, err := time.Parse(time.RFC3339, "2024-07-31T15:47:55+08:00")
-	require.NoError(t, err)
-
 	tests := []struct {
-		name    string
-		spec    string
-		want    string
-		wantErr assert.ErrorAssertionFunc
+		name     string
+		refTime  time.Time
+		spec     string
+		timeZone string
+		want     string
+		wantErr  assert.ErrorAssertionFunc
 	}{
 		{
 			name:    "regular",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "0 10 * * *",
 			want:    "2024-07-31T10:00:00Z",
 			wantErr: assert.NoError,
 		},
 		{
 			name:    "invalid",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "0 10 * *",
 			want:    "",
 			wantErr: assert.Error,
 		},
 		{
-			name:    "with timezone",
+			name:    "with TZ in cron schedule",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "TZ=America/New_York 0 10 * * *",
 			want:    "2024-07-31T14:00:00Z",
 			wantErr: assert.NoError,
 		},
 		{
-			name:    "timezone irrelevant",
+			name:    "with CRON_TZ in cron schedule",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
+			spec:    "CRON_TZ=America/New_York 0 10 * * *",
+			want:    "2024-07-31T14:00:00Z",
+			wantErr: assert.NoError,
+		},
+		{
+			name:     "with separate time zone",
+			refTime:  time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
+			spec:     "0 10 * * *",
+			timeZone: "America/New_York",
+			want:     "2024-07-31T14:00:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:     "separate time zone takes precedence over inlined time zone",
+			refTime:  time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
+			spec:     "CRON_TZ=Europe/Berlin 0 10 * * *",
+			timeZone: "America/New_York",
+			want:     "2024-07-31T14:00:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:    "time zone irrelevant",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "@every 5m",
 			want:    "2024-07-31T07:52:55Z",
 			wantErr: assert.NoError,
 		},
+		{
+			// The various cron implementations handle the DST jump forwards differently. The most popular approaches
+			// are (a) scheduling all jobs at 3 o'clock that were supposed to run between 2 and 3 o'clock, or (b)
+			// skipping the execution on that day because any time between 2 and 3 o'clock never happened. Forgejo uses
+			// option B because the code it inherited already did that and was exposed to users.
+			name:     "skips execution during DST jump forwards",
+			refTime:  time.Date(2025, 3, 30, 1, 5, 0, 0, time.UTC),
+			spec:     "10 2 * * *", // The clock jumps at 2 o'clock to 3 o'clock.
+			timeZone: "Europe/Berlin",
+			want:     "2025-03-31T00:10:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:     "executes a first time before DST jump backwards",
+			refTime:  time.Date(2025, 10, 26, 0, 5, 0, 0, time.UTC),
+			spec:     "10 2 * * *", // The clock jumps at 3 o'clock to 2 o'clock.
+			timeZone: "Europe/Berlin",
+			want:     "2025-10-26T00:10:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:     "executes a second time after DST jump backwards",
+			refTime:  time.Date(2025, 10, 26, 1, 5, 0, 0, time.UTC),
+			spec:     "10 2 * * *", // The clock jumps at 3 o'clock to 2 o'clock.
+			timeZone: "Europe/Berlin",
+			want:     "2025-10-26T01:10:00Z",
+			wantErr:  assert.NoError,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			s := &ActionScheduleSpec{
-				Spec: tt.spec,
+				Spec:     tt.spec,
+				TimeZone: optional.FromNonDefault(tt.timeZone),
 			}
 			got, err := s.Parse()
 			tt.wantErr(t, err)
 
 			if err == nil {
-				assert.Equal(t, tt.want, got.Next(now).UTC().Format(time.RFC3339))
+				assert.Equal(t, tt.want, got.Next(tt.refTime).UTC().Format(time.RFC3339))
 			}
 		})
 	}

models/actions/schedule_test.go

@@ -0,0 +1,102 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"testing"
+	"time"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
+	"forgejo.org/models/user"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/timeutil"
+	"forgejo.org/modules/webhook"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestScheduleCreateScheduleTask(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user.User{ID: 2})
+	repo62 := unittest.AssertExistsAndLoadBean(t, &repo.Repository{ID: 62, Name: "test_workflows", OwnerID: user2.ID})
+
+	content := `
+on:
+  push:
+  schedule:
+    - cron: "2 13 * * *"
+    - cron: "03 13 * * *"
+      timezone: Europe/Paris
+jobs:
+  test:
+    runs-on: debian
+    steps:
+      - run: |
+          echo "OK"
+`
+
+	referenceTime := time.Date(2026, 3, 27, 17, 41, 21, 0, time.UTC)
+
+	specWithoutTZ, err := NewActionScheduleSpec("2 13 * * *", optional.None[string](), referenceTime)
+	require.NoError(t, err)
+
+	specWithTZ, err := NewActionScheduleSpec("3 13 * * *", optional.Some("Europe/Paris"), referenceTime)
+	require.NoError(t, err)
+
+	schedule := &ActionSchedule{
+		Title:             ".forgejo/workflows/test.yaml",
+		Specs:             []*ActionScheduleSpec{specWithoutTZ, specWithTZ},
+		RepoID:            repo62.ID,
+		OwnerID:           user2.ID,
+		WorkflowID:        "test.yaml",
+		WorkflowDirectory: ".forgejo/workflows",
+		TriggerUserID:     -2,
+		Ref:               "main",
+		CommitSHA:         "6af834a5bc97c1a337eb3a21d26903c5cdceca0c",
+		Event:             webhook.HookEventPush,
+		EventPayload:      "{\"action\":\"schedule\"}",
+		Content:           []byte(content),
+	}
+
+	err = CreateScheduleTask(t.Context(), []*ActionSchedule{schedule})
+	require.NoError(t, err)
+
+	schedules, err := db.Find[ActionSchedule](t.Context(), FindScheduleOptions{OwnerID: user2.ID, RepoID: repo62.ID})
+	require.NoError(t, err)
+	require.Len(t, schedules, 1)
+
+	assert.NotZero(t, schedules[0].ID)
+	assert.Equal(t, ".forgejo/workflows/test.yaml", schedules[0].Title)
+	assert.Equal(t, "test.yaml", schedules[0].WorkflowID)
+	assert.Equal(t, ".forgejo/workflows", schedules[0].WorkflowDirectory)
+	assert.Equal(t, int64(-2), schedules[0].TriggerUserID)
+	assert.Equal(t, "main", schedules[0].Ref)
+	assert.Equal(t, "6af834a5bc97c1a337eb3a21d26903c5cdceca0c", schedules[0].CommitSHA)
+	assert.Equal(t, webhook.HookEventPush, schedules[0].Event)
+	assert.JSONEq(t, "{\"action\":\"schedule\"}", schedules[0].EventPayload)
+	assert.Equal(t, []byte(content), schedules[0].Content)
+
+	specs, total, err := FindSpecs(t.Context(), FindSpecOptions{RepoID: repo62.ID})
+	require.NoError(t, err)
+
+	assert.Equal(t, int64(2), total)
+
+	assert.NotZero(t, specs[0].ID)
+	assert.Equal(t, schedules[0].ID, specs[0].ScheduleID)
+	assert.Equal(t, timeutil.TimeStamp(1774699380), specs[0].Next)
+	assert.Equal(t, "3 13 * * *", specs[0].Spec)
+	assert.Equal(t, optional.Some("Europe/Paris"), specs[0].TimeZone)
+	assert.Zero(t, specs[0].Prev)
+
+	assert.NotZero(t, specs[1].ID)
+	assert.Equal(t, schedules[0].ID, specs[1].ScheduleID)
+	assert.Equal(t, timeutil.TimeStamp(1774702920), specs[1].Next)
+	assert.Equal(t, "2 13 * * *", specs[1].Spec)
+	assert.Equal(t, optional.None[string](), specs[1].TimeZone)
+	assert.Zero(t, specs[1].Prev)
+}

models/actions/status.go

@@ -4,6 +4,8 @@
 package actions
 
 import (
+	"slices"
+
 	"forgejo.org/modules/translation"
 
 	runnerv1 "code.forgejo.org/forgejo/actions-proto/runner/v1"
@@ -107,12 +109,7 @@ func (s Status) IsBlocked() bool {
 
 // In returns whether s is one of the given statuses
 func (s Status) In(statuses ...Status) bool {
-	for _, v := range statuses {
-		if s == v {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(statuses, s)
 }
 
 func (s Status) AsResult() runnerv1.Result {

models/actions/task.go

@@ -161,21 +161,6 @@ func (task *ActionTask) UpdateToken(ctx context.Context) error {
 	return UpdateTask(ctx, task, "token_hash", "token_salt", "token_last_eight")
 }
 
-// Retrieve all the attempts from the same job as the target `ActionTask`.  Limited fields are queried to avoid loading
-// the LogIndexes blob when not needed.
-func (task *ActionTask) GetAllAttempts(ctx context.Context) ([]*ActionTask, error) {
-	var attempts []*ActionTask
-	err := db.GetEngine(ctx).
-		Cols("id", "attempt", "status", "started").
-		Where("job_id=?", task.JobID).
-		Desc("attempt").
-		Find(&attempts)
-	if err != nil {
-		return nil, err
-	}
-	return attempts, nil
-}
-
 func GetTaskByID(ctx context.Context, id int64) (*ActionTask, error) {
 	var task ActionTask
 	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&task)
@@ -451,9 +436,7 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner, requestKey,
 }
 
 // Placeholder tasks are created when the status/content of an [ActionRunJob] is resolved by Forgejo without dispatch to
-// a runner, specifically in the case of a workflow call's outer job. It is the responsibility of the caller to
-// increment the job's Attempt field before invoking this method, and to update that field in the database, so that
-// reruns can function for placeholder tasks and provide updated outputs.
+// a runner, specifically in the case of a workflow call's outer job.
 func CreatePlaceholderTask(ctx context.Context, job *ActionRunJob, outputs map[string]string) (*ActionTask, error) {
 	actionTask := &ActionTask{
 		JobID:             job.ID,

models/actions/task_test.go

@@ -6,35 +6,12 @@ package actions
 import (
 	"testing"
 
-	"forgejo.org/models/db"
 	"forgejo.org/models/unittest"
-	"forgejo.org/modules/timeutil"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func TestActionTask_GetAllAttempts(t *testing.T) {
-	require.NoError(t, unittest.PrepareTestDatabase())
-
-	var task ActionTask
-	has, err := db.GetEngine(t.Context()).Where("id=?", 47).Get(&task)
-	require.NoError(t, err)
-	require.True(t, has, "load ActionTask from fixture")
-
-	allAttempts, err := task.GetAllAttempts(t.Context())
-	require.NoError(t, err)
-	require.Len(t, allAttempts, 3)
-	assert.EqualValues(t, 47, allAttempts[0].ID, "ordered by attempt, 1")
-	assert.EqualValues(t, 53, allAttempts[1].ID, "ordered by attempt, 2")
-	assert.EqualValues(t, 52, allAttempts[2].ID, "ordered by attempt, 3")
-
-	// GetAllAttempts doesn't populate all fields; so check expected fields from one of the records
-	assert.EqualValues(t, 3, allAttempts[0].Attempt, "read Attempt field")
-	assert.Equal(t, StatusRunning, allAttempts[0].Status, "read Status field")
-	assert.Equal(t, timeutil.TimeStamp(1683636528), allAttempts[0].Started, "read Started field")
-}
-
 func TestActionTask_GetTaskByJobAttempt(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 
@@ -58,7 +35,7 @@ func TestActionTask_CreatePlaceholderTask(t *testing.T) {
 
 	assert.NotEqualValues(t, 0, task.ID)
 	assert.Equal(t, job.ID, task.JobID)
-	assert.EqualValues(t, 0, task.Attempt)
+	assert.EqualValues(t, 1, task.Attempt)
 	assert.NotEqualValues(t, 0, task.Started)
 	assert.NotEqualValues(t, 0, task.Stopped)
 	assert.Equal(t, job.Status, task.Status)

models/activities/action.go

@@ -132,12 +132,7 @@ func (at ActionType) String() string {
 }
 
 func (at ActionType) InActions(actions ...string) bool {
-	for _, action := range actions {
-		if action == at.String() {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(actions, at.String())
 }
 
 // Action represents user operation type and other information to
@@ -817,3 +812,36 @@ func FixActionCreatedUnixString(ctx context.Context) (int64, error) {
 	}
 	return 0, nil
 }
+
+func (a *Action) IsActionPrivate(ctx context.Context) (bool, error) {
+	if a.IsPrivate {
+		return true, nil
+	}
+
+	a.loadRepo(ctx)
+	if a.Repo == nil {
+		return true, repo_model.ErrRepoNotExist{}
+	}
+
+	repo := a.Repo
+	err := repo.LoadOwner(ctx)
+	if err != nil {
+		return true, err
+	}
+
+	if repo.IsPrivate || repo.Owner.KeepActivityPrivate || repo.Owner.Visibility != structs.VisibleTypePublic {
+		return true, nil
+	}
+
+	a.LoadActUser(ctx)
+	if a.ActUser == nil {
+		return true, user_model.ErrUserNotExist{}
+	}
+
+	user := a.ActUser
+	if user.KeepActivityPrivate || user.Visibility != structs.VisibleTypePublic {
+		return true, nil
+	}
+
+	return false, nil
+}

models/activities/action_test.go

@@ -371,3 +371,28 @@ func TestGetIssueInfos(t *testing.T) {
 		assert.Equal(t, test.field3, issueInfos[2])
 	}
 }
+
+func TestIsPrivate(t *testing.T) {
+	defer unittest.OverrideFixtures("models/activities/fixtures/TestIsPrivate")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	tt := []struct {
+		activityID int64
+		private    bool
+	}{
+		{1, true},  // private repo
+		{3, false}, // public activities, public repo
+		{11, true}, // private activities
+	}
+
+	for _, test := range tt {
+		ctx := t.Context()
+		action, err := activities_model.GetActivityByID(ctx, test.activityID)
+		require.NoError(t, err)
+
+		private, err := action.IsActionPrivate(ctx)
+		require.NoError(t, err)
+
+		assert.Equal(t, test.private, private, "action ID: %d", test.activityID)
+	}
+}

models/activities/error.go

@@ -0,0 +1,14 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package activities
+
+import "fmt"
+
+type ErrActivityPrivate struct {
+	id int64
+}
+
+func (err ErrActivityPrivate) Error() string {
+	return fmt.Sprintf("Activity with id %d is private", err.id)
+}

models/activities/fixtures/TestIsPrivate/action.yml

@@ -0,0 +1,7 @@
+- id: 11
+  user_id: 44
+  op_type: 1 # create repo
+  act_user_id: 44 # private user activities
+  repo_id: 60 # public
+  is_private: false
+  created_unix: 1680454039

models/activities/fixtures/TestIsPrivate/user.yml

@@ -0,0 +1,36 @@
+- id: 44
+  lower_name: user44
+  name: user44
+  full_name: user44
+  email: user44@example.com
+  keep_email_private: false
+  email_notifications_preference: enabled
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 0
+  login_name: user44
+  type: 0
+  salt: ZogKvWdyEx
+  max_repo_creation: -1
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: false
+  avatar: ""
+  avatar_email: user44@example.com
+  use_custom_avatar: true
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 0
+  num_teams: 0
+  num_members: 0
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: true
+  created_unix: 1672578380

models/activities/notification_list.go

@@ -210,34 +210,9 @@ func (nl NotificationList) LoadRepos(ctx context.Context) (repo_model.Repository
 	}
 
 	repoIDs := nl.getPendingRepoIDs()
-	repos := make(map[int64]*repo_model.Repository, len(repoIDs))
-	left := len(repoIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("id", repoIDs[:limit]).
-			Rows(new(repo_model.Repository))
-		if err != nil {
-			return nil, nil, err
-		}
-
-		for rows.Next() {
-			var repo repo_model.Repository
-			err = rows.Scan(&repo)
-			if err != nil {
-				rows.Close()
-				return nil, nil, err
-			}
-
-			repos[repo.ID] = &repo
-		}
-		_ = rows.Close()
-
-		left -= limit
-		repoIDs = repoIDs[limit:]
+	repos, err := db.GetByIDs(ctx, "id", repoIDs, &repo_model.Repository{})
+	if err != nil {
+		return nil, nil, err
 	}
 
 	failed := []int{}
@@ -284,34 +259,9 @@ func (nl NotificationList) LoadIssues(ctx context.Context) ([]int, error) {
 	}
 
 	issueIDs := nl.getPendingIssueIDs()
-	issues := make(map[int64]*issues_model.Issue, len(issueIDs))
-	left := len(issueIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("id", issueIDs[:limit]).
-			Rows(new(issues_model.Issue))
-		if err != nil {
-			return nil, err
-		}
-
-		for rows.Next() {
-			var issue issues_model.Issue
-			err = rows.Scan(&issue)
-			if err != nil {
-				rows.Close()
-				return nil, err
-			}
-
-			issues[issue.ID] = &issue
-		}
-		_ = rows.Close()
-
-		left -= limit
-		issueIDs = issueIDs[limit:]
+	issues, err := db.GetByIDs(ctx, "id", issueIDs, &issues_model.Issue{})
+	if err != nil {
+		return nil, err
 	}
 
 	failures := []int{}
@@ -379,34 +329,9 @@ func (nl NotificationList) LoadUsers(ctx context.Context) ([]int, error) {
 	}
 
 	userIDs := nl.getUserIDs()
-	users := make(map[int64]*user_model.User, len(userIDs))
-	left := len(userIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("id", userIDs[:limit]).
-			Rows(new(user_model.User))
-		if err != nil {
-			return nil, err
-		}
-
-		for rows.Next() {
-			var user user_model.User
-			err = rows.Scan(&user)
-			if err != nil {
-				rows.Close()
-				return nil, err
-			}
-
-			users[user.ID] = &user
-		}
-		_ = rows.Close()
-
-		left -= limit
-		userIDs = userIDs[limit:]
+	users, err := db.GetByIDs(ctx, "id", userIDs, &user_model.User{})
+	if err != nil {
+		return nil, err
 	}
 
 	failures := []int{}
@@ -430,34 +355,9 @@ func (nl NotificationList) LoadComments(ctx context.Context) ([]int, error) {
 	}
 
 	commentIDs := nl.getPendingCommentIDs()
-	comments := make(map[int64]*issues_model.Comment, len(commentIDs))
-	left := len(commentIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("id", commentIDs[:limit]).
-			Rows(new(issues_model.Comment))
-		if err != nil {
-			return nil, err
-		}
-
-		for rows.Next() {
-			var comment issues_model.Comment
-			err = rows.Scan(&comment)
-			if err != nil {
-				rows.Close()
-				return nil, err
-			}
-
-			comments[comment.ID] = &comment
-		}
-		_ = rows.Close()
-
-		left -= limit
-		commentIDs = commentIDs[limit:]
+	comments, err := db.GetByIDs(ctx, "id", commentIDs, &issues_model.Comment{})
+	if err != nil {
+		return nil, err
 	}
 
 	failures := []int{}

models/activities/repo_activity.go

@@ -138,10 +138,7 @@ func GetActivityStatsTopAuthors(ctx context.Context, repo *repo_model.Repository
 		return v[i].Commits > v[j].Commits
 	})
 
-	cnt := count
-	if cnt > len(v) {
-		cnt = len(v)
-	}
+	cnt := min(count, len(v))
 
 	return v[:cnt], nil
 }

models/auth/access_token_scope.go

@@ -5,6 +5,7 @@ package auth
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 
 	"forgejo.org/models/perm"
@@ -204,12 +205,7 @@ func GetRequiredScopes(level AccessTokenScopeLevel, scopeCategories ...AccessTok
 
 // ContainsCategory checks if a list of categories contains a specific category
 func ContainsCategory(categories []AccessTokenScopeCategory, category AccessTokenScopeCategory) bool {
-	for _, c := range categories {
-		if c == category {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(categories, category)
 }
 
 // GetScopeLevelFromAccessMode converts permission access mode to scope level

models/auth/oauth2.go

@@ -6,6 +6,7 @@ package auth
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base32"
 	"encoding/base64"
 	"errors"
@@ -151,9 +152,9 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
 	// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 	// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-12#section-3.1
 	contains := func(s string) bool {
-		s = strings.TrimSuffix(strings.ToLower(s), "/")
+		s = strings.TrimSuffix(util.ToUpperASCII(s), "/")
 		for _, u := range app.RedirectURIs {
-			if strings.TrimSuffix(strings.ToLower(u), "/") == s {
+			if strings.TrimSuffix(util.ToUpperASCII(u), "/") == s {
 				return true
 			}
 		}
@@ -408,26 +409,41 @@ func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL
 	return redirect, err
 }
 
-// Invalidate deletes the auth code from the database to invalidate this code
+// Invalidate deletes the auth code from the database to invalidate this code.
+// It returns an error if the code was already invalidated (i.e., no rows were deleted),
+// which prevents authorization code replay attacks.
 func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error {
-	_, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
-	return err
+	affected, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return fmt.Errorf("authorization code already used or does not exist")
+	}
+	return nil
 }
 
-// ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.
+// ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE
+// implementation. If a code challenge was set during authorization, a valid verifier MUST be provided.
 func (code *OAuth2AuthorizationCode) ValidateCodeChallenge(verifier string) bool {
+	// If no PKCE was used during authorization, no verifier is needed.
+	if code.CodeChallengeMethod == "" && code.CodeChallenge == "" {
+		return true
+	}
+	// A challenge was set but no verifier provided: reject outright, no comparison or hashing is required.
+	if verifier == "" {
+		return false
+	}
 	switch code.CodeChallengeMethod {
 	case "S256":
 		// base64url(SHA256(verifier)) see https://tools.ietf.org/html/rfc7636#section-4.6
 		h := sha256.Sum256([]byte(verifier))
 		hashedVerifier := base64.RawURLEncoding.EncodeToString(h[:])
-		return hashedVerifier == code.CodeChallenge
+		return subtle.ConstantTimeCompare([]byte(hashedVerifier), []byte(code.CodeChallenge)) == 1
 	case "plain":
-		return verifier == code.CodeChallenge
-	case "":
-		return true
+		return subtle.ConstantTimeCompare([]byte(verifier), []byte(code.CodeChallenge)) == 1
 	default:
-		// unsupported method -> return false
+		// unsupported or empty method with a non-empty challenge -> reject
 		return false
 	}
 }
@@ -490,22 +506,25 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redi
 }
 
 // IncreaseCounter increases the counter and updates the grant
+// IncreaseCounter atomically increments the counter only if it still matches
+// the value loaded into this grant. Returns an error if the counter was already
+// changed by a concurrent request (refresh token replay).
 func (grant *OAuth2Grant) IncreaseCounter(ctx context.Context) error {
-	_, err := db.GetEngine(ctx).ID(grant.ID).Incr("counter").Update(new(OAuth2Grant))
+	affected, err := db.GetEngine(ctx).Where("id = ? AND counter = ?", grant.ID, grant.Counter).
+		Incr("counter").Update(new(OAuth2Grant))
 	if err != nil {
 		return err
 	}
-	updatedGrant, err := GetOAuth2GrantByID(ctx, grant.ID)
-	if err != nil {
-		return err
+	if affected == 0 {
+		return fmt.Errorf("grant counter changed unexpectedly (possible replay)")
 	}
-	grant.Counter = updatedGrant.Counter
+	grant.Counter++
 	return nil
 }
 
 // ScopeContains returns true if the grant scope contains the specified scope
 func (grant *OAuth2Grant) ScopeContains(scope string) bool {
-	for _, currentScope := range strings.Split(grant.Scope, " ") {
+	for currentScope := range strings.SplitSeq(grant.Scope, " ") {
 		if scope == currentScope {
 			return true
 		}

models/auth/oauth2_test.go

@@ -75,6 +75,13 @@ func TestOAuth2Application_ContainsRedirect_Slash(t *testing.T) {
 	assert.False(t, app.ContainsRedirectURI("http://127.0.0.1/other"))
 }
 
+func TestOAuth2Application_ContainsRedirect_Normalization(t *testing.T) {
+	app := &auth_model.OAuth2Application{RedirectURIs: []string{"https://website.com"}}
+	assert.True(t, app.ContainsRedirectURI("https://website.com"))
+	assert.True(t, app.ContainsRedirectURI("https://webSITE.com"))  // ascii uppercase I
+	assert.False(t, app.ContainsRedirectURI("https://websİte.com")) // U+0130 as I, Latin Capital Letter I with Dot Above
+}
+
 func TestOAuth2Application_ValidateClientSecret(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	app := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: 1})
@@ -147,9 +154,18 @@ func TestGetOAuth2GrantByID(t *testing.T) {
 func TestOAuth2Grant_IncreaseCounter(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	grant := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 1})
+
+	// First increment succeeds
 	require.NoError(t, grant.IncreaseCounter(db.DefaultContext))
 	assert.Equal(t, int64(2), grant.Counter)
 	unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 2})
+
+	// Simulate a stale grant (counter still 1): must fail (concurrent replay)
+	grant.Counter = 1
+	require.Error(t, grant.IncreaseCounter(db.DefaultContext), "stale counter must be rejected")
+
+	// Counter in DB should be unchanged
+	unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 2})
 }
 
 func TestOAuth2Grant_ScopeContains(t *testing.T) {
@@ -232,12 +248,33 @@ func TestOAuth2AuthorizationCode_ValidateCodeChallenge(t *testing.T) {
 	}
 	assert.False(t, code.ValidateCodeChallenge("foiwgjioriogeiogjerger"))
 
-	// test no code challenge
+	// test no PKCE at all (no challenge set, no verifier needed)
+	code = &auth_model.OAuth2AuthorizationCode{
+		CodeChallengeMethod: "",
+		CodeChallenge:       "",
+	}
+	assert.True(t, code.ValidateCodeChallenge(""))
+
+	// test PKCE required: challenge was set but verifier is empty
+	code = &auth_model.OAuth2AuthorizationCode{
+		CodeChallengeMethod: "S256",
+		CodeChallenge:       "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg",
+	}
+	assert.False(t, code.ValidateCodeChallenge(""), "PKCE required: S256 challenge set but empty verifier must be rejected")
+
+	code = &auth_model.OAuth2AuthorizationCode{
+		CodeChallengeMethod: "plain",
+		CodeChallenge:       "test123",
+	}
+	assert.False(t, code.ValidateCodeChallenge(""), "PKCE required: plain challenge set but empty verifier must be rejected")
+
+	// test challenge stored but method empty (malformed: should reject)
 	code = &auth_model.OAuth2AuthorizationCode{
 		CodeChallengeMethod: "",
 		CodeChallenge:       "foierjiogerogerg",
 	}
-	assert.True(t, code.ValidateCodeChallenge(""))
+	assert.False(t, code.ValidateCodeChallenge(""), "challenge present with empty method must be rejected")
+	assert.False(t, code.ValidateCodeChallenge("foierjiogerogerg"), "challenge present with empty method must be rejected even with matching verifier")
 }
 
 func TestOAuth2AuthorizationCode_GenerateRedirectURI(t *testing.T) {
@@ -262,6 +299,20 @@ func TestOAuth2AuthorizationCode_Invalidate(t *testing.T) {
 	unittest.AssertNotExistsBean(t, &auth_model.OAuth2AuthorizationCode{Code: "authcode"})
 }
 
+func TestOAuth2AuthorizationCode_Invalidate_DoubleUse(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	code := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2AuthorizationCode{Code: "authcode"})
+
+	// First invalidation should succeed
+	require.NoError(t, code.Invalidate(db.DefaultContext))
+	unittest.AssertNotExistsBean(t, &auth_model.OAuth2AuthorizationCode{Code: "authcode"})
+
+	// Second invalidation of the same code must fail (replay prevention)
+	err := code.Invalidate(db.DefaultContext)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "authorization code already used")
+}
+
 func TestOAuth2AuthorizationCode_TableName(t *testing.T) {
 	assert.Equal(t, "oauth2_authorization_code", new(auth_model.OAuth2AuthorizationCode).TableName())
 }

models/db/context.go

@@ -6,6 +6,9 @@ package db
 import (
 	"context"
 	"database/sql"
+	"errors"
+	"fmt"
+	"slices"
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
@@ -268,6 +271,91 @@ func GetByID[T any](ctx context.Context, id int64) (object *T, exist bool, err e
 	return &bean, true, nil
 }
 
+// Retrieves multiple objects with database queries similar to an xorm `.In(idField, idList)`. idField must be a unique
+// field on the database table, as a map[id]obj is returned and the usage of a non-unique field would result in objects
+// being overwritten in the map.
+//
+// The length of the IN list is constrained to DefaultMaxInSize for each database query, resulting in multiple database
+// queries if the length of the idList exceeds that setting; this constraint prevents exceeding bind parameter
+// limitations or query length limitations in the database engine.
+func GetByIDs[Bean any, Id comparable](ctx context.Context, idField string, idList []Id, bean *Bean) (map[Id]*Bean, error) {
+	retval := make(map[Id]*Bean, len(idList))
+	if len(idList) == 0 {
+		return retval, nil
+	}
+
+	table, err := TableInfo(bean)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fetch table info for bean %v: %w", bean, err)
+	}
+
+	var structFieldName string
+	for _, c := range table.Columns() {
+		if c.Name == idField {
+			structFieldName = c.FieldName
+			break
+		}
+	}
+	if structFieldName == "" {
+		return nil, fmt.Errorf("unable to identify struct field for id field %s", idField)
+	}
+
+	for idChunk := range slices.Chunk(idList, DefaultMaxInSize) {
+		beans := make([]*Bean, 0, len(idChunk))
+		if err := GetEngine(ctx).In(idField, idChunk).Find(&beans); err != nil {
+			return nil, err
+		}
+		for _, bean := range beans {
+			retval[extractFieldValue(bean, structFieldName).(Id)] = bean
+		}
+	}
+
+	return retval, nil
+}
+
+// Retrieves multiple objects with database queries similar to an xorm `.In(field, valueList)`. Similar to GetByIDs,
+// except that a map[Id][]*Bean is returned as the field value is not assumed to be a unique value -- if there are
+// multiple rows in the table for each value, all of them are returned.
+//
+// The length of the IN list is constrained to DefaultMaxInSize for each database query, resulting in multiple database
+// queries if the length of the idList exceeds that setting; this constraint prevents exceeding bind parameter
+// limitations or query length limitations in the database engine.
+func GetByFieldIn[Bean any, Id comparable](ctx context.Context, field string, valueList []Id, bean *Bean) (map[Id][]*Bean, error) {
+	retval := make(map[Id][]*Bean, len(valueList))
+	if len(valueList) == 0 {
+		return retval, nil
+	}
+
+	table, err := TableInfo(bean)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fetch table info for bean %v: %w", bean, err)
+	}
+
+	var structFieldName string
+	for _, c := range table.Columns() {
+		if c.Name == field {
+			structFieldName = c.FieldName
+			break
+		}
+	}
+	if structFieldName == "" {
+		return nil, fmt.Errorf("unable to identify struct field for field %s", field)
+	}
+
+	for idChunk := range slices.Chunk(valueList, DefaultMaxInSize) {
+		beans := make([]*Bean, 0, len(idChunk))
+		if err := GetEngine(ctx).In(field, idChunk).Find(&beans); err != nil {
+			return nil, err
+		}
+		for _, bean := range beans {
+			fieldValue := extractFieldValue(bean, structFieldName).(Id)
+			retval[fieldValue] = append(retval[fieldValue], bean)
+		}
+	}
+
+	return retval, nil
+}
+
 func Exist[T any](ctx context.Context, cond builder.Cond) (bool, error) {
 	if !cond.IsValid() {
 		panic("cond is invalid in db.Exist(ctx, cond). This should not be possible.")
@@ -416,3 +504,68 @@ func inTransaction(ctx context.Context) (*xorm.Session, bool) {
 		return nil, false
 	}
 }
+
+type RetryConfig struct {
+	ErrorIs      []error
+	AttemptCount int
+}
+
+var ErrNestedRetryTxFailure = errors.New("(nested)")
+
+type nestedRetryTxState int
+
+var nestedRetryTx nestedRetryTxState
+
+// Execute the given function in a transaction. RetryConfig will retry the function on an error, if it matches the
+// ErrorIs parameter, up to the total of AttemptCount number of tries. RetryTx cannot be invoked when already within a
+// transaction and will return an error immediately.
+//
+// ErrNestedRetryTxFailure is an error type that will occur when RetryTx is nested within each other, and indicates that
+// an inner RetryTx encountered an error that matched its error list.
+func RetryTx(ctx context.Context, config RetryConfig, f func(ctx context.Context) error) error {
+	matchError := func(err error) bool {
+		for _, possibleError := range config.ErrorIs {
+			if errors.Is(err, possibleError) {
+				return true
+			}
+		}
+		return false
+	}
+
+	// Accept `ErrNestedRetryTxFailure` as error to retry on, means that a nested
+	// RetryTx indicated to retry the whole transaction.
+	config.ErrorIs = append(config.ErrorIs, ErrNestedRetryTxFailure)
+
+	withinRetryTx, present := ctx.Value(nestedRetryTx).(bool)
+	if present && withinRetryTx {
+		// If a caller already started `RetryTx`, then we assume we don't have to actually perform retries here -- we
+		// can attempt the requested function once, and if an error is returned that matches the configured error list,
+		// we'll return that error + ErrNestedRetryTxFailure wrapping.
+		err := f(ctx)
+		if err == nil {
+			return nil
+		} else if matchError(err) {
+			return fmt.Errorf("nested RetryTx; internal Tx failed with error that won't be retried: %w %w", err, ErrNestedRetryTxFailure)
+		}
+		return err
+	} else if InTransaction(ctx) {
+		return errors.New("unsupported operation: attempted to use RetryTx while already within a transaction")
+	} else if config.AttemptCount == 0 {
+		return errors.New("unsupported operation: attempted to use RetryTx with 0 attempts")
+	}
+
+	innerCtx := context.WithValue(ctx, nestedRetryTx, true)
+	var lastError error
+	for range config.AttemptCount {
+		err := WithTx(innerCtx, f)
+		if err == nil {
+			return nil
+		} else if !matchError(err) {
+			return err
+		}
+
+		lastError = err
+	}
+
+	return fmt.Errorf("retry tx failed after %d attempts; last error: %w", config.AttemptCount, lastError)
+}

models/db/context_test.go

@@ -220,3 +220,103 @@ func TestAfterTx(t *testing.T) {
 		})
 	}
 }
+
+func TestRetryTx(t *testing.T) {
+	t.Run("success", func(t *testing.T) {
+		err := db.RetryTx(t.Context(), db.RetryConfig{AttemptCount: 1}, func(ctx context.Context) error {
+			assert.True(t, db.InTransaction(ctx))
+			return nil
+		})
+		require.NoError(t, err)
+	})
+
+	t.Run("fail constantly", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{testError},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return testError
+		})
+		require.ErrorIs(t, err, testError)
+		require.ErrorContains(t, err, "2 attempts")
+		assert.Equal(t, 2, attemptCount)
+	})
+
+	t.Run("fail w/ non retriable error", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return testError
+		})
+		require.ErrorIs(t, err, testError)
+		assert.Equal(t, 1, attemptCount)
+	})
+
+	t.Run("succeed on retry", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{testError},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			if attemptCount == 1 {
+				return testError
+			}
+			return nil
+		})
+		require.NoError(t, err)
+		assert.Equal(t, 2, attemptCount)
+	})
+
+	t.Run("nested", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return db.RetryTx(ctx, db.RetryConfig{
+				AttemptCount: 2,
+				ErrorIs:      []error{testError},
+			}, func(ctx context.Context) error {
+				if attemptCount == 2 {
+					return nil
+				}
+				return testError
+			})
+		})
+
+		require.NoError(t, err)
+		assert.Equal(t, 2, attemptCount)
+	})
+
+	t.Run("inner RetryTx decides on error", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return db.RetryTx(ctx, db.RetryConfig{
+				AttemptCount: 2,
+			}, func(ctx context.Context) error {
+				if attemptCount == 2 {
+					return nil
+				}
+				return testError
+			})
+		})
+
+		require.ErrorIs(t, err, testError)
+		assert.Equal(t, 1, attemptCount)
+	})
+}

models/db/iterate.go

@@ -80,7 +80,7 @@ func Iterate[Bean any](ctx context.Context, cond builder.Cond, f func(ctx contex
 
 func extractFieldValue(bean any, fieldName string) any {
 	v := reflect.ValueOf(bean)
-	if v.Kind() == reflect.Ptr {
+	if v.Kind() == reflect.Pointer {
 		v = v.Elem()
 	}
 	field := v.FieldByName(fieldName)

models/db/list.go

@@ -14,7 +14,7 @@ import (
 
 const (
 	// DefaultMaxInSize represents default variables number on IN () in SQL
-	DefaultMaxInSize     = 50
+	DefaultMaxInSize     = 500
 	defaultFindSliceSize = 10
 )
 

models/db/name.go

@@ -6,6 +6,7 @@ package db
 import (
 	"fmt"
 	"regexp"
+	"slices"
 	"strings"
 	"unicode/utf8"
 
@@ -114,10 +115,8 @@ func IsUsableName(names, patterns []string, name string) error {
 		return ErrNameEmpty
 	}
 
-	for i := range names {
-		if name == names[i] {
-			return ErrNameReserved{name}
-		}
+	if slices.Contains(names, name) {
+		return ErrNameReserved{name}
 	}
 
 	for _, pat := range patterns {

models/dbfs/dbfile.go

@@ -46,10 +46,7 @@ func (f *file) readAt(fileMeta *DbfsMeta, offset int64, p []byte) (n int, err er
 	blobPos := int(offset % f.blockSize)
 	blobOffset := offset - int64(blobPos)
 	blobRemaining := int(f.blockSize) - blobPos
-	needRead := len(p)
-	if needRead > blobRemaining {
-		needRead = blobRemaining
-	}
+	needRead := min(len(p), blobRemaining)
 	if blobOffset+int64(blobPos)+int64(needRead) > fileMeta.FileSize {
 		needRead = int(fileMeta.FileSize - blobOffset - int64(blobPos))
 	}
@@ -66,14 +63,8 @@ func (f *file) readAt(fileMeta *DbfsMeta, offset int64, p []byte) (n int, err er
 		blobData = nil
 	}
 
-	canCopy := len(blobData) - blobPos
-	if canCopy <= 0 {
-		canCopy = 0
-	}
-	realRead := needRead
-	if realRead > canCopy {
-		realRead = canCopy
-	}
+	canCopy := max(len(blobData)-blobPos, 0)
+	realRead := min(needRead, canCopy)
 	if realRead > 0 {
 		copy(p[:realRead], fileData.BlobData[blobPos:blobPos+realRead])
 	}
@@ -113,10 +104,7 @@ func (f *file) Write(p []byte) (n int, err error) {
 		blobPos := int(f.offset % f.blockSize)
 		blobOffset := f.offset - int64(blobPos)
 		blobRemaining := int(f.blockSize) - blobPos
-		needWrite := len(p)
-		if needWrite > blobRemaining {
-			needWrite = blobRemaining
-		}
+		needWrite := min(len(p), blobRemaining)
 		buf := make([]byte, f.blockSize)
 		readBytes, err := f.readAt(fileMeta, blobOffset, buf)
 		if err != nil && !errors.Is(err, io.EOF) {

models/fixtures/action.yml

@@ -81,4 +81,4 @@
   act_user_id: 40
   repo_id: 60 # public
   is_private: false
-  created_unix: 1577404800 # end of heatmap
+  created_unix: 1577404800 # end of heatmap

models/fixtures/action_run_job.yml

@@ -6,7 +6,7 @@
   commit_sha: c2d72f548424103f01ee1dc02889c1e2bff816b0
   is_fork_pull_request: false
   name: job_2
-  attempt: 1
+  attempt: 3
   job_id: job_2
   task_id: 47
   status: 1
@@ -199,7 +199,7 @@
   commit_sha: 985f0301dba5e7b34be866819cd15ad3d8f508ee
   is_fork_pull_request: false
   name: job_2
-  attempt: 0
+  attempt: 1
   job_id: job_2
   task_id: null
   status: 5

models/fixtures/language_stat.yml

@@ -0,0 +1,17 @@
+-
+  id: 1
+  repo_id: 1
+  commit_id: 65f1bf27bc3bf70f64657658635e66094edbcb4d
+  is_primary: true
+  language: 'Go'
+  size: 1023
+  created_unix: 1779733547
+
+-
+  id: 2
+  repo_id: 1
+  commit_id: 65f1bf27bc3bf70f64657658635e66094edbcb4d
+  is_primary: false
+  language: 'PHP'
+  size: 1
+  created_unix: 1779733547

models/fixtures/project_board.yml

@@ -84,3 +84,13 @@
   sorting: 1
   created_unix: 1588117528
   updated_unix: 1588117528
+
+-
+  id: 10
+  project_id: 7
+  title: Default
+  creator_id: 2
+  default: true
+  sorting: 1
+  created_unix: 1588117528
+  updated_unix: 1588117528

models/fixtures/public_key.yml

@@ -9,3 +9,36 @@
   created_unix: 1559593109
   updated_unix: 1565224552
   login_source_id: 0
+-
+  id: 2
+  owner_id: 5
+  name: user5
+  fingerprint: ""
+  content: "user5"
+  mode: 2
+  type: 3
+  created_unix: 1775805112
+  updated_unix: 1775805112
+  login_source_id: 0
+-
+  id: 3
+  owner_id: 9
+  name: user9@localhost
+  fingerprint: "SHA256:K3RfDvtQ/aYVzh6RfXGFxlffLLTRgksf9UQwTlwSM8M"
+  content: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN7KuFUnlztx/UM6PUTyiBAq5SeIqr+qSVFC6JzLQAh user9@localhost"
+  mode: 2
+  type: 1
+  created_unix: 1775805112
+  updated_unix: 1775805112
+  login_source_id: 0
+-
+  id: 4
+  owner_id: 9
+  name: user9
+  fingerprint: ""
+  content: "user9"
+  mode: 2
+  type: 3
+  created_unix: 1775805112
+  updated_unix: 1775805112
+  login_source_id: 0

models/forgejo_migrations/v14a_actions-approval-and-trust.go

@@ -6,7 +6,6 @@ package forgejo_migrations
 import (
 	"context"
 
-	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/timeutil"
@@ -59,6 +58,18 @@ type v14ActionsApprovalAndTrustTrusted struct {
 }
 
 func v14ActionsApprovalAndTrustPopulateTableActionUser(x *xorm.Engine) error {
+	type ActionUser struct {
+		ID                      int64 `xorm:"pk autoincr"`
+		UserID                  int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(user, id)"`
+		RepoID                  int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(repository, id)"`
+		TrustedWithPullRequests bool
+		LastAccess              timeutil.TimeStamp `xorm:"INDEX"`
+	}
+	insertActionUser := func(ctx context.Context, user *ActionUser) error {
+		user.LastAccess = timeutil.TimeStampNow()
+		return db.Insert(ctx, user)
+	}
+
 	//
 	// Users approved once were trusted before and are trusted now.
 	//
@@ -87,7 +98,7 @@ func v14ActionsApprovalAndTrustPopulateTableActionUser(x *xorm.Engine) error {
 	if err := db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		for _, trusted := range trustedList {
 			log.Debug("v14a_actions-approval-and-trust: repository %d trusts user %d", trusted.RepoID, trusted.UserID)
-			if err := actions_model.InsertActionUser(ctx, &actions_model.ActionUser{
+			if err := insertActionUser(ctx, &ActionUser{
 				RepoID:                  trusted.RepoID,
 				UserID:                  trusted.UserID,
 				TrustedWithPullRequests: true,

models/forgejo_migrations/v14a_actions-approval-and-trust_test.go

@@ -7,11 +7,8 @@ import (
 	"testing"
 	"time"
 
-	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
 	migration_tests "forgejo.org/models/gitea_migrations/test"
-	repo_model "forgejo.org/models/repo"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/timeutil"
 	webhook_module "forgejo.org/modules/webhook"
 
@@ -20,6 +17,9 @@ import (
 )
 
 func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
+	type ConcurrencyMode int
+	type Status int
+
 	type ActionUser struct {
 		ID     int64 `xorm:"pk autoincr"`
 		UserID int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(user, id)"`
@@ -32,21 +32,18 @@ func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
 	type ActionRun struct {
 		ID            int64
 		Title         string
-		RepoID        int64                  `xorm:"index unique(repo_index) index(concurrency)"`
-		Repo          *repo_model.Repository `xorm:"-"`
-		OwnerID       int64                  `xorm:"index"`
-		WorkflowID    string                 `xorm:"index"`                    // the name of workflow file
-		Index         int64                  `xorm:"index unique(repo_index)"` // a unique number for each run of a repository
-		TriggerUserID int64                  `xorm:"index"`
-		TriggerUser   *user_model.User       `xorm:"-"`
+		RepoID        int64  `xorm:"index unique(repo_index) index(concurrency)"`
+		OwnerID       int64  `xorm:"index"`
+		WorkflowID    string `xorm:"index"`                    // the name of workflow file
+		Index         int64  `xorm:"index unique(repo_index)"` // a unique number for each run of a repository
+		TriggerUserID int64  `xorm:"index"`
 		ScheduleID    int64
 		Ref           string `xorm:"index"` // the commit/tag/… that caused the run
-		IsRefDeleted  bool   `xorm:"-"`
 		CommitSHA     string
 		Event         webhook_module.HookEventType // the webhook event that causes the workflow to run
 		EventPayload  string                       `xorm:"LONGTEXT"`
 		TriggerEvent  string                       // the trigger event defined in the `on` configuration of the triggered workflow
-		Status        actions_model.Status         `xorm:"index"`
+		Status        Status                       `xorm:"index"`
 		Version       int                          `xorm:"version default 0"` // Status could be updated concomitantly, so an optimistic lock is needed
 		// Started and Stopped is used for recording last run time, if rerun happened, they will be reset to 0
 		Started timeutil.TimeStamp
@@ -65,7 +62,7 @@ func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
 		ApprovedBy          int64 `xorm:"index"`
 
 		ConcurrencyGroup string `xorm:"'concurrency_group' index(concurrency)"`
-		ConcurrencyType  actions_model.ConcurrencyMode
+		ConcurrencyType  ConcurrencyMode
 
 		PreExecutionError string `xorm:"LONGTEXT"` // used to report errors that blocked execution of a workflow
 	}
@@ -83,10 +80,10 @@ func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
 
 	require.NoError(t, v14ActionsApprovalAndTrustPopulateTableActionUser(x))
 
-	var users []*actions_model.ActionUser
+	var users []*ActionUser
 	require.NoError(t, db.GetEngine(t.Context()).Select("`repo_id`, `user_id`").OrderBy("`id`").Find(&users))
 	// See models/gitea_migrations/fixtures/Test_v14ActionsApprovalAndTrustPopulateTableActionUser/action_run.yml
-	assert.Equal(t, []*actions_model.ActionUser{
+	assert.Equal(t, []*ActionUser{
 		{
 			UserID: 3,
 			RepoID: 15,

models/forgejo_migrations/v14a_ap-change-fedi-handle-structure.go

@@ -10,15 +10,14 @@ package forgejo_migrations
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"strings"
 
 	"forgejo.org/models/db"
-	"forgejo.org/models/forgefed"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/validation"
-	user_service "forgejo.org/services/user"
 
 	"xorm.io/xorm"
 )
@@ -31,6 +30,42 @@ func init() {
 }
 
 func changeActivityPubUsernameFormat(x *xorm.Engine) error {
+	type FederationHost struct {
+		ID         int64              `xorm:"pk autoincr"`
+		HostFqdn   string             `xorm:"host_fqdn UNIQUE(federation_host) INDEX VARCHAR(255) NOT NULL"`
+		HostPort   uint16             `xorm:" UNIQUE(federation_host) INDEX NOT NULL DEFAULT 443"`
+		HostSchema string             `xorm:"NOT NULL DEFAULT 'https'"`
+		Created    timeutil.TimeStamp `xorm:"created"`
+		Updated    timeutil.TimeStamp `xorm:"updated"`
+	}
+	type FederatedUser struct {
+		ID                    int64                  `xorm:"pk autoincr"`
+		UserID                int64                  `xorm:"NOT NULL INDEX user_id"`
+		ExternalID            string                 `xorm:"UNIQUE(federation_user_mapping) NOT NULL"`
+		FederationHostID      int64                  `xorm:"UNIQUE(federation_user_mapping) NOT NULL"`
+		KeyID                 sql.NullString         `xorm:"key_id UNIQUE"`
+		PublicKey             sql.Null[sql.RawBytes] `xorm:"BLOB"`
+		InboxPath             string
+		NormalizedOriginalURL string // This field is just to keep original information. Pls. do not use for search or as ID!
+	}
+	type User struct {
+		ID          int64              `xorm:"pk autoincr"`
+		LowerName   string             `xorm:"UNIQUE NOT NULL"`
+		Name        string             `xorm:"UNIQUE NOT NULL"`
+		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+	deleteFederatedUser := func(ctx context.Context, userID int64) error {
+		_, err := db.GetEngine(ctx).Delete(&FederatedUser{UserID: userID})
+		return err
+	}
+	userLogString := func(u *User) string {
+		if u == nil {
+			return "<User nil>"
+		}
+		return fmt.Sprintf("<User %d:%s>", u.ID, u.Name)
+	}
+
 	// Normally, the db.WithTx statement ensures that the database transaction (aka. all changes made
 	// by this migration) will only be committed if the SQL operations inside of the iteration
 	// (db.Iterate) don't return an error.
@@ -45,9 +80,9 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 	// migrations at a later point and has been kept as-is.
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		// The transaction is committed only if modifying all federated users is possible.
-		return db.Iterate(ctx, nil, func(ctx context.Context, federatedUser *user_model.FederatedUser) error {
+		return db.Iterate(ctx, nil, func(ctx context.Context, federatedUser *FederatedUser) error {
 			// localUser represents the "local" representation of an ActivityPub (federated) user
-			localUser := &user_model.User{}
+			localUser := &User{}
 			has, err := db.GetEngine(ctx).ID(federatedUser.UserID).Get(localUser)
 			if err != nil {
 				log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while getting local user (ID: %d), ignoring...: %e", federatedUser.UserID, err)
@@ -56,7 +91,7 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 
 			if !has {
 				log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: User missing for federated user: %v", federatedUser)
-				err := user_model.DeleteFederatedUser(ctx, federatedUser.UserID)
+				err := deleteFederatedUser(ctx, federatedUser.UserID)
 				if err != nil {
 					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%s), ignoring...: %e", federatedUser, err)
 					return nil
@@ -68,24 +103,13 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 			} else {
 				// Copied from models/forgefed/federationhost_repository.go (forgefed.GetFederationHost),
 				// minus some validation code for FederationHost which we do not otherwise manipulate here.
-				federationHost := new(forgefed.FederationHost)
+				federationHost := new(FederationHost)
 				has, err := db.GetEngine(ctx).ID(federatedUser.FederationHostID).Get(federationHost)
 				if err != nil {
 					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while looking up federation host info (for %v), ignoring...: %e", federatedUser, err)
 					return nil
 				} else if !has {
-					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Federation host for federated user missing, deleting: %v", federatedUser)
-					err := user_model.DeleteFederatedUser(ctx, federatedUser.UserID)
-					if err != nil {
-						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%v), ignoring...: %e", federatedUser, err)
-						return nil
-					}
-
-					err = user_service.DeleteUser(ctx, localUser, true)
-					if err != nil {
-						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting user (%s), ignoring...: %v", localUser.LogString(), err)
-					}
-
+					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Federation host for federated user %s is missing", federatedUser)
 					return nil
 				}
 
@@ -117,10 +141,10 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 
 				// Implicitly assumes that there won't be a lower name unique constraint violation.
 				// Potentially a bit paranoid, but why not?
-				userThatShouldntExist := &user_model.User{}
+				userThatShouldntExist := &User{}
 				lowernameTaken, err := db.GetEngine(ctx).Where("lower_name = ?", strings.ToLower(newUsername)).Table("user").Get(userThatShouldntExist)
 				if err != nil {
-					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred, skipping migration of %s: %e", localUser.LogString(), err)
+					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred, skipping migration of %s: %e", userLogString(localUser), err)
 					return nil
 				}
 
@@ -128,23 +152,23 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 					log.Warn(
 						"Migration[v14a_ap-change-fedi-handle-structure]: New username %s for %s already taken by %s, deleting the former...",
 						newUsername,
-						localUser.LogString(),
-						userThatShouldntExist.LogString(),
+						userLogString(localUser),
+						userLogString(userThatShouldntExist),
 					)
-					err := user_model.DeleteFederatedUser(ctx, localUser.ID)
+					err := deleteFederatedUser(ctx, localUser.ID)
 					if err != nil {
-						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%s), ignoring...: %e", localUser.LogString(), err)
+						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%s), ignoring...: %e", userLogString(localUser), err)
 					}
 					return nil
 				}
 
 				// Safe to assume that the following operations should just work now.
-				log.Info("Migration[v14a_ap-change-fedi-handle-structure]: Updating username of %s to %s", localUser.LogString(), newUsername)
-				if _, err := db.GetEngine(ctx).ID(localUser.ID).Cols("lower_name", "name").Update(&user_model.User{
+				log.Info("Migration[v14a_ap-change-fedi-handle-structure]: Updating username of %s to %s", userLogString(localUser), newUsername)
+				if _, err := db.GetEngine(ctx).ID(localUser.ID).Cols("lower_name", "name").Update(&User{
 					LowerName: strings.ToLower(newUsername),
 					Name:      newUsername,
 				}); err != nil {
-					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred when updating federated user's username (%s), ignoring...: %e", localUser.LogString(), err)
+					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred when updating federated user's username (%s), ignoring...: %e", userLogString(localUser), err)
 					return nil
 				}
 			}

models/forgejo_migrations/v14a_migrate_task_secrets.go

@@ -8,7 +8,6 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	admin_model "forgejo.org/models/admin"
 	"forgejo.org/models/db"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/keying"
@@ -17,6 +16,7 @@ import (
 	"forgejo.org/modules/secret"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/structs"
+	"forgejo.org/modules/timeutil"
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
@@ -30,6 +30,19 @@ func init() {
 }
 
 func migrateTaskSecrets(x *xorm.Engine) error {
+	type Task struct {
+		ID             int64
+		DoerID         int64              `xorm:"index"`
+		OwnerID        int64              `xorm:"index"`
+		RepoID         int64              `xorm:"index"`
+		PayloadContent string             `xorm:"TEXT"`
+		Created        timeutil.TimeStamp `xorm:"created"`
+	}
+	taskUpdateCols := func(ctx context.Context, task *Task, cols ...string) error {
+		_, err := db.GetEngine(ctx).ID(task.ID).Cols(cols...).Update(task)
+		return err
+	}
+
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		sess := db.GetEngine(ctx)
 
@@ -39,7 +52,7 @@ func migrateTaskSecrets(x *xorm.Engine) error {
 		messages := make([]string, 0, 100)
 		ids := make([]int64, 0, 100)
 
-		err := db.Iterate(ctx, builder.Eq{"type": structs.TaskTypeMigrateRepo}, func(ctx context.Context, bean *admin_model.Task) error {
+		err := db.Iterate(ctx, builder.Eq{"type": structs.TaskTypeMigrateRepo}, func(ctx context.Context, bean *Task) error {
 			var opts migration.MigrateOptions
 			err := json.Unmarshal([]byte(bean.PayloadContent), &opts)
 			if err != nil {
@@ -96,7 +109,7 @@ func migrateTaskSecrets(x *xorm.Engine) error {
 			}
 			bean.PayloadContent = string(bs)
 
-			return bean.UpdateCols(ctx, "payload_content")
+			return taskUpdateCols(ctx, bean, "payload_content")
 		})
 
 		if err == nil {
@@ -106,7 +119,7 @@ func migrateTaskSecrets(x *xorm.Engine) error {
 					log.Error("v14a_migrate_task_secrets: %s", message)
 				}
 
-				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&admin_model.Task{})
+				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&Task{})
 			}
 		}
 		return err

models/forgejo_migrations/v14a_migrate_webhook_authorization.go

@@ -8,11 +8,11 @@ import (
 	"fmt"
 
 	"forgejo.org/models/db"
-	webhook_model "forgejo.org/models/webhook"
 	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/secret"
 	"forgejo.org/modules/setting"
+	"forgejo.org/modules/timeutil"
 
 	"xorm.io/xorm"
 	"xorm.io/xorm/schemas"
@@ -26,6 +26,16 @@ func init() {
 }
 
 func migrateWebhookSecrets(x *xorm.Engine) error {
+	type Webhook struct {
+		ID                           int64  `xorm:"pk autoincr"`
+		RepoID                       int64  `xorm:"INDEX"` // An ID of 0 indicates either a default or system webhook
+		OwnerID                      int64  `xorm:"INDEX"`
+		HeaderAuthorizationEncrypted []byte `xorm:"BLOB"`
+
+		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		sess := db.GetEngine(ctx)
 
@@ -59,7 +69,7 @@ func migrateWebhookSecrets(x *xorm.Engine) error {
 		messages := make([]string, 0, 100)
 		ids := make([]int64, 0, 100)
 
-		err := db.Iterate(ctx, nil, func(ctx context.Context, bean *webhook_model.Webhook) error {
+		err := db.Iterate(ctx, nil, func(ctx context.Context, bean *Webhook) error {
 			if len(bean.HeaderAuthorizationEncrypted) == 0 {
 				return nil
 			}
@@ -83,7 +93,7 @@ func migrateWebhookSecrets(x *xorm.Engine) error {
 					log.Error("migration[v14a_migrate_webhook_authorization]: %s", message)
 				}
 
-				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&webhook_model.Webhook{})
+				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&Webhook{})
 			}
 		}
 		return err

models/forgejo_migrations/v14a_migrate_webhook_authorization_test.go

@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	migration_tests "forgejo.org/models/gitea_migrations/test"
-	webhook_model "forgejo.org/models/webhook"
 	"forgejo.org/modules/keying"
 	"forgejo.org/modules/timeutil"
 	webhook_module "forgejo.org/modules/webhook"
@@ -17,6 +16,7 @@ import (
 )
 
 func Test_MigrateWebhookSecrets(t *testing.T) {
+	type HookContentType int
 	type Webhook struct {
 		ID              int64 `xorm:"pk autoincr"`
 		RepoID          int64 `xorm:"INDEX"`
@@ -24,7 +24,7 @@ func Test_MigrateWebhookSecrets(t *testing.T) {
 		IsSystemWebhook bool
 		URL             string `xorm:"url TEXT"`
 		HTTPMethod      string `xorm:"http_method"`
-		ContentType     webhook_model.HookContentType
+		ContentType     HookContentType
 		Secret          string                  `xorm:"TEXT"`
 		Events          string                  `xorm:"TEXT"`
 		IsActive        bool                    `xorm:"INDEX"`
@@ -45,7 +45,7 @@ func Test_MigrateWebhookSecrets(t *testing.T) {
 		IsSystemWebhook bool
 		URL             string `xorm:"url TEXT"`
 		HTTPMethod      string `xorm:"http_method"`
-		ContentType     webhook_model.HookContentType
+		ContentType     HookContentType
 		Secret          string                  `xorm:"TEXT"`
 		Events          string                  `xorm:"TEXT"`
 		IsActive        bool                    `xorm:"INDEX"`

models/forgejo_migrations/v14a_rework-notification.go

@@ -4,7 +4,6 @@
 package forgejo_migrations
 
 import (
-	activities_model "forgejo.org/models/activities"
 	"forgejo.org/modules/setting"
 
 	"xorm.io/xorm"
@@ -18,9 +17,10 @@ func init() {
 }
 
 func reworkNotification(x *xorm.Engine) error {
+	type NotificationStatus uint8
 	type Notification struct {
-		UserID int64                               `xorm:"NOT NULL INDEX(s)"`
-		Status activities_model.NotificationStatus `xorm:"SMALLINT NOT NULL INDEX(s)"`
+		UserID int64              `xorm:"NOT NULL INDEX(s)"`
+		Status NotificationStatus `xorm:"SMALLINT NOT NULL INDEX(s)"`
 	}
 
 	if err := dropIndexIfExists(x, "notification", "IDX_notification_user_id"); err != nil {

models/forgejo_migrations/v14a_set_remote_user_prohibit_login.go

@@ -5,10 +5,11 @@ package forgejo_migrations
 
 import (
 	"context"
+	"fmt"
 
 	"forgejo.org/models/db"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/timeutil"
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
@@ -22,13 +23,45 @@ func init() {
 }
 
 func setProhibitLoginActivityPubUser(x *xorm.Engine) error {
+	type UserType int
+	const (
+		UserTypeIndividual           UserType = iota // Historic reason to make it starts at 0.
+		UserTypeOrganization                         // 1
+		UserTypeUserReserved                         // 2
+		UserTypeOrganizationReserved                 // 3
+		UserTypeBot                                  // 4
+		UserTypeRemoteUser                           // 5
+		UserTypeActivityPubUser                      // 6
+	)
+	type User struct {
+		ID             int64  `xorm:"pk autoincr"`
+		Name           string `xorm:"UNIQUE NOT NULL"`
+		Passwd         string `xorm:"NOT NULL"`
+		PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'argon2'"`
+		Type           UserType
+		Salt           string             `xorm:"VARCHAR(32)"`
+		CreatedUnix    timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix    timeutil.TimeStamp `xorm:"INDEX updated"`
+		ProhibitLogin  bool               `xorm:"NOT NULL DEFAULT false"`
+	}
+	type FederatedUser struct {
+		UserID int64 `xorm:"NOT NULL INDEX user_id"`
+	}
+
+	userLogString := func(u *User) string {
+		if u == nil {
+			return "<User nil>"
+		}
+		return fmt.Sprintf("<User %d:%s>", u.ID, u.Name)
+	}
+
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
-		return db.Iterate(ctx, builder.Eq{"type": 5}, func(ctx context.Context, user *user_model.User) error {
-			log.Info("Checking if user %s is created from ActivityPub", user.LogString())
+		return db.Iterate(ctx, builder.Eq{"type": 5}, func(ctx context.Context, user *User) error {
+			log.Info("Checking if user %s is created from ActivityPub", userLogString(user))
 
 			// Users created from f3 also have the RemoteUser user type. All
 			// FederatedUser should reference exactly one User.
-			has, err := db.GetEngine(ctx).Table("federated_user").Get(&user_model.FederatedUser{UserID: user.ID})
+			has, err := db.GetEngine(ctx).Table("federated_user").Get(&FederatedUser{UserID: user.ID})
 			if err != nil {
 				return err
 			}
@@ -37,9 +70,9 @@ func setProhibitLoginActivityPubUser(x *xorm.Engine) error {
 				return nil
 			}
 
-			log.Info("Updating user %s", user.LogString())
-			_, err = db.GetEngine(ctx).Table("user").ID(user.ID).Cols("type", "prohibit_login", "passwd", "salt", "passwd_hash_algo").Update(&user_model.User{
-				Type:           user_model.UserTypeActivityPubUser,
+			log.Info("Updating user %s", userLogString(user))
+			_, err = db.GetEngine(ctx).Table("user").ID(user.ID).Cols("type", "prohibit_login", "passwd", "salt", "passwd_hash_algo").Update(&User{
+				Type:           UserTypeActivityPubUser,
 				ProhibitLogin:  true,
 				Passwd:         "",
 				Salt:           "",

models/forgejo_migrations/v15c_add_mirror_remoteaddressauth.go

@@ -0,0 +1,30 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"xorm.io/xorm"
+)
+
+func init() {
+	registerMigration(&Migration{
+		Description: "replace remote_address with encrypted_remote_address in table mirror",
+		Upgrade:     addMirrorRemoteAddressAuth,
+	})
+}
+
+func addMirrorRemoteAddressAuth(x *xorm.Engine) error {
+	type Mirror struct {
+		EncryptedRemoteAddress []byte `xorm:"BLOB NULL"`
+	}
+	if _, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(Mirror)); err != nil {
+		return err
+	}
+	// No data migration is necessary or desired.  `remote_address` contains sanitized URLs which don't have
+	// credentials, so they can't be migrated to `encrypted_remote_address`. Instead, as this data is accessed,
+	// `DecryptOrRecoverRemoteAddress` will recover the fully credentialed contents of the remote address from the git
+	// repo's `origin` remote address.
+	_, err := x.Exec("ALTER TABLE `mirror` DROP COLUMN `remote_address`")
+	return err
+}

models/forgejo_migrations/v15c_add_schedule_spec_time_zones.go

@@ -0,0 +1,31 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"forgejo.org/modules/optional"
+
+	"xorm.io/xorm"
+)
+
+func init() {
+	registerMigration(&Migration{
+		Description: "add time zone support to action_schedule_spec",
+		Upgrade:     addActionScheduleSpecTimeZone,
+	})
+}
+
+func addActionScheduleSpecTimeZone(x *xorm.Engine) error {
+	type ActionScheduleSpec struct {
+		TimeZone optional.Option[string]
+	}
+
+	_, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(ActionScheduleSpec))
+	if err != nil {
+		return err
+	}
+
+	_, err = x.Exec("ALTER TABLE action_schedule DROP COLUMN `specs`")
+	return err
+}

models/git/lfs_lock.go

@@ -112,10 +112,10 @@ func GetLFSLock(ctx context.Context, repo *repo_model.Repository, path string) (
 	return rel, nil
 }
 
-// GetLFSLockByID returns release by given id.
-func GetLFSLockByID(ctx context.Context, id int64) (*LFSLock, error) {
+// GetLFSLockByIDAndRepo returns lfs lock by given id and repository id.
+func GetLFSLockByIDAndRepo(ctx context.Context, id, repoID int64) (*LFSLock, error) {
 	lock := new(LFSLock)
-	has, err := db.GetEngine(ctx).ID(id).Get(lock)
+	has, err := db.GetEngine(ctx).ID(id).And("repo_id = ?", repoID).Get(lock)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -169,7 +169,7 @@ func DeleteLFSLockByID(ctx context.Context, id int64, repo *repo_model.Repositor
 	}
 	defer committer.Close()
 
-	lock, err := GetLFSLockByID(dbCtx, id)
+	lock, err := GetLFSLockByIDAndRepo(ctx, id, repo.ID)
 	if err != nil {
 		return nil, err
 	}

models/git/lfs_lock_test.go

@@ -0,0 +1,82 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func createTestLock(t *testing.T, repo *repo_model.Repository, owner *user_model.User) *LFSLock {
+	t.Helper()
+
+	path := fmt.Sprintf("%s-%d-%d", t.Name(), repo.ID, time.Now().UnixNano())
+	lock, err := CreateLFSLock(t.Context(), repo, &LFSLock{
+		OwnerID: owner.ID,
+		Path:    path,
+	})
+	require.NoError(t, err)
+	return lock
+}
+
+func TestGetLFSLockByIDAndRepo(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	lockRepo1 := createTestLock(t, repo1, user2)
+	lockRepo3 := createTestLock(t, repo3, user4)
+
+	fetched, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo1.ID)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo1.ID, fetched.ID)
+	assert.Equal(t, repo1.ID, fetched.RepoID)
+
+	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo3.ID)
+	require.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+
+	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo1.ID)
+	require.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+}
+
+func TestDeleteLFSLockByIDRequiresRepoMatch(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	lockRepo1 := createTestLock(t, repo1, user2)
+	lockRepo3 := createTestLock(t, repo3, user4)
+
+	_, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo1, user2, true)
+	require.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+
+	existing, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo3.ID)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo3.ID, existing.ID)
+
+	deleted, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo3, user4, true)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo3.ID, deleted.ID)
+
+	deleted, err = DeleteLFSLockByID(t.Context(), lockRepo1.ID, repo1, user2, false)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo1.ID, deleted.ID)
+}

models/git/protected_branch.go

@@ -213,7 +213,7 @@ func (protectBranch *ProtectedBranch) GetUnprotectedFilePatterns() []glob.Glob {
 
 func getFilePatterns(filePatterns string) []glob.Glob {
 	extarr := make([]glob.Glob, 0, 10)
-	for _, expr := range strings.Split(strings.ToLower(filePatterns), ";") {
+	for expr := range strings.SplitSeq(strings.ToLower(filePatterns), ";") {
 		expr = strings.TrimSpace(expr)
 		if expr != "" {
 			if g, err := glob.Compile(expr, '.', '/'); err != nil {

models/gitea_migrations/test/tests.go

@@ -265,7 +265,7 @@ func deleteDB() error {
 
 func removeAllWithRetry(dir string) error {
 	var err error
-	for i := 0; i < 20; i++ {
+	for range 20 {
 		err = os.RemoveAll(dir)
 		if err == nil {
 			break

models/gitea_migrations/v1_11/v111.go

@@ -5,6 +5,7 @@ package v1_11
 
 import (
 	"fmt"
+	"slices"
 
 	"xorm.io/xorm"
 )
@@ -345,10 +346,8 @@ func AddBranchProtectionCanPushAndEnableWhitelist(x *xorm.Engine) error {
 			}
 			return AccessModeWrite <= perm.UnitsMode[UnitTypeCode], nil
 		}
-		for _, id := range protectedBranch.ApprovalsWhitelistUserIDs {
-			if id == reviewer.ID {
-				return true, nil
-			}
+		if slices.Contains(protectedBranch.ApprovalsWhitelistUserIDs, reviewer.ID) {
+			return true, nil
 		}
 
 		// isUserInTeams

models/gitea_migrations/v1_11/v115.go

@@ -146,7 +146,7 @@ func copyOldAvatarToNewLocation(userID int64, oldAvatar string) (string, error)
 		return "", fmt.Errorf("io.ReadAll: %w", err)
 	}
 
-	newAvatar := fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%d-%x", userID, md5.Sum(data)))))
+	newAvatar := fmt.Sprintf("%x", md5.Sum(fmt.Appendf(nil, "%d-%x", userID, md5.Sum(data))))
 	if newAvatar == oldAvatar {
 		return newAvatar, nil
 	}

models/gitea_migrations/v1_20/v259.go

@@ -329,7 +329,7 @@ func ConvertScopedAccessTokens(x *xorm.Engine) error {
 	for _, token := range tokens {
 		var scopes []string
 		allNewScopesMap := make(map[AccessTokenScope]bool)
-		for _, oldScope := range strings.Split(token.Scope, ",") {
+		for oldScope := range strings.SplitSeq(token.Scope, ",") {
 			if newScopes, exists := accessTokenScopeMap[OldAccessTokenScope(oldScope)]; exists {
 				for _, newScope := range newScopes {
 					allNewScopesMap[newScope] = true

models/issues/comment.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"html/template"
+	"slices"
 	"strconv"
 	"unicode/utf8"
 
@@ -198,12 +199,7 @@ func (t CommentType) HasMailReplySupport() bool {
 }
 
 func (t CommentType) CountedAsConversation() bool {
-	for _, ct := range ConversationCountedCommentType() {
-		if t == ct {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(ConversationCountedCommentType(), t)
 }
 
 // ConversationCountedCommentType returns the comment types that are counted as a conversation
@@ -619,7 +615,7 @@ func (c *Comment) UpdateAttachments(ctx context.Context, uuids []string) error {
 	if err != nil {
 		return fmt.Errorf("FindRepoAttachmentsByUUID[uuids=%q,repoID=%d]: %w", uuids, c.Issue.RepoID, err)
 	}
-	for i := 0; i < len(attachments); i++ {
+	for i := range attachments {
 		attachments[i].IssueID = c.IssueID
 		attachments[i].CommentID = c.ID
 		if err := repo_model.UpdateAttachment(ctx, attachments[i]); err != nil {
@@ -667,21 +663,6 @@ func (c *Comment) LoadAssigneeUserAndTeam(ctx context.Context) error {
 	return nil
 }
 
-// LoadResolveDoer if comment.Type is CommentTypeCode and ResolveDoerID not zero, then load resolveDoer
-func (c *Comment) LoadResolveDoer(ctx context.Context) (err error) {
-	if c.ResolveDoerID == 0 || c.Type != CommentTypeCode {
-		return nil
-	}
-	c.ResolveDoer, err = user_model.GetUserByID(ctx, c.ResolveDoerID)
-	if err != nil {
-		if user_model.IsErrUserNotExist(err) {
-			c.ResolveDoer = user_model.NewGhostUser()
-			err = nil
-		}
-	}
-	return err
-}
-
 // IsResolved check if an code comment is resolved
 func (c *Comment) IsResolved() bool {
 	return c.ResolveDoerID != 0 && c.Type == CommentTypeCode

models/issues/comment_code.go

@@ -133,7 +133,7 @@ func findCodeComments(ctx context.Context, opts FindCommentsOptions, issue *Issu
 		return nil, err
 	}
 
-	n := 0
+	readyComments := make(CommentList, 0, len(comments))
 	for _, comment := range comments {
 		if re, ok := reviews[comment.ReviewID]; ok && re != nil {
 			// If the review is pending only the author can see the comments (except if the review is set)
@@ -143,17 +143,18 @@ func findCodeComments(ctx context.Context, opts FindCommentsOptions, issue *Issu
 			}
 			comment.Review = re
 		}
-		comments[n] = comment
-		n++
+		readyComments = append(readyComments, comment)
+	}
 
-		if err := comment.LoadResolveDoer(ctx); err != nil {
-			return nil, err
-		}
+	if err := readyComments.LoadResolveDoers(ctx); err != nil {
+		return nil, err
+	}
 
-		if err := comment.LoadReactions(ctx, issue.Repo); err != nil {
-			return nil, err
-		}
+	if err := readyComments.LoadReactions(ctx, issue.Repo); err != nil {
+		return nil, err
+	}
 
+	for _, comment := range readyComments {
 		var err error
 		if comment.RenderedContent, err = markdown.RenderString(&markup.RenderContext{
 			Ctx: ctx,
@@ -165,7 +166,8 @@ func findCodeComments(ctx context.Context, opts FindCommentsOptions, issue *Issu
 			return nil, err
 		}
 	}
-	return comments[:n], nil
+
+	return readyComments, nil
 }
 
 // FetchCodeConversation fetches the code conversation of a given comment (same review, treePath and line number)

models/issues/comment_list.go

@@ -5,6 +5,7 @@ package issues
 
 import (
 	"context"
+	"errors"
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
@@ -51,32 +52,9 @@ func (comments CommentList) loadLabels(ctx context.Context) error {
 	}
 
 	labelIDs := comments.getLabelIDs()
-	commentLabels := make(map[int64]*Label, len(labelIDs))
-	left := len(labelIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("id", labelIDs[:limit]).
-			Rows(new(Label))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var label Label
-			err = rows.Scan(&label)
-			if err != nil {
-				_ = rows.Close()
-				return err
-			}
-			commentLabels[label.ID] = &label
-		}
-		_ = rows.Close()
-		left -= limit
-		labelIDs = labelIDs[limit:]
+	commentLabels, err := db.GetByIDs(ctx, "id", labelIDs, &Label{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -101,21 +79,9 @@ func (comments CommentList) loadMilestones(ctx context.Context) error {
 		return nil
 	}
 
-	milestones := make(map[int64]*Milestone, len(milestoneIDs))
-	left := len(milestoneIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		err := db.GetEngine(ctx).
-			In("id", milestoneIDs[:limit]).
-			Find(&milestones)
-		if err != nil {
-			return err
-		}
-		left -= limit
-		milestoneIDs = milestoneIDs[limit:]
+	milestones, err := db.GetByIDs(ctx, "id", milestoneIDs, &Milestone{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -140,21 +106,9 @@ func (comments CommentList) loadOldMilestones(ctx context.Context) error {
 		return nil
 	}
 
-	milestones := make(map[int64]*Milestone, len(milestoneIDs))
-	left := len(milestoneIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		err := db.GetEngine(ctx).
-			In("id", milestoneIDs[:limit]).
-			Find(&milestones)
-		if err != nil {
-			return err
-		}
-		left -= limit
-		milestoneIDs = milestoneIDs[limit:]
+	milestones, err := db.GetByIDs(ctx, "id", milestoneIDs, &Milestone{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -175,34 +129,9 @@ func (comments CommentList) loadAssignees(ctx context.Context) error {
 	}
 
 	assigneeIDs := comments.getAssigneeIDs()
-	assignees := make(map[int64]*user_model.User, len(assigneeIDs))
-	left := len(assigneeIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("id", assigneeIDs[:limit]).
-			Rows(new(user_model.User))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var user user_model.User
-			err = rows.Scan(&user)
-			if err != nil {
-				rows.Close()
-				return err
-			}
-
-			assignees[user.ID] = &user
-		}
-		_ = rows.Close()
-
-		left -= limit
-		assigneeIDs = assigneeIDs[limit:]
+	assignees, err := db.GetByIDs(ctx, "id", assigneeIDs, &user_model.User{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -243,34 +172,9 @@ func (comments CommentList) LoadIssues(ctx context.Context) error {
 	}
 
 	issueIDs := comments.getIssueIDs()
-	issues := make(map[int64]*Issue, len(issueIDs))
-	left := len(issueIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("id", issueIDs[:limit]).
-			Rows(new(Issue))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var issue Issue
-			err = rows.Scan(&issue)
-			if err != nil {
-				rows.Close()
-				return err
-			}
-
-			issues[issue.ID] = &issue
-		}
-		_ = rows.Close()
-
-		left -= limit
-		issueIDs = issueIDs[limit:]
+	issues, err := db.GetByIDs(ctx, "id", issueIDs, &Issue{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -295,36 +199,10 @@ func (comments CommentList) loadDependentIssues(ctx context.Context) error {
 		return nil
 	}
 
-	e := db.GetEngine(ctx)
 	issueIDs := comments.getDependentIssueIDs()
-	issues := make(map[int64]*Issue, len(issueIDs))
-	left := len(issueIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := e.
-			In("id", issueIDs[:limit]).
-			Rows(new(Issue))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var issue Issue
-			err = rows.Scan(&issue)
-			if err != nil {
-				_ = rows.Close()
-				return err
-			}
-
-			issues[issue.ID] = &issue
-		}
-		_ = rows.Close()
-
-		left -= limit
-		issueIDs = issueIDs[limit:]
+	issues, err := db.GetByIDs(ctx, "id", issueIDs, &Issue{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -375,34 +253,10 @@ func (comments CommentList) LoadAttachments(ctx context.Context) (err error) {
 		return nil
 	}
 
-	attachments := make(map[int64][]*repo_model.Attachment, len(comments))
 	commentsIDs := comments.getAttachmentCommentIDs()
-	left := len(commentsIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("comment_id", commentsIDs[:limit]).
-			Rows(new(repo_model.Attachment))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var attachment repo_model.Attachment
-			err = rows.Scan(&attachment)
-			if err != nil {
-				_ = rows.Close()
-				return err
-			}
-			attachments[attachment.CommentID] = append(attachments[attachment.CommentID], &attachment)
-		}
-
-		_ = rows.Close()
-		left -= limit
-		commentsIDs = commentsIDs[limit:]
+	attachments, err := db.GetByFieldIn(ctx, "comment_id", commentsIDs, &repo_model.Attachment{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -411,6 +265,84 @@ func (comments CommentList) LoadAttachments(ctx context.Context) (err error) {
 	return nil
 }
 
+func (comments CommentList) LoadResolveDoers(ctx context.Context) (err error) {
+	relevant := func(c *Comment) bool {
+		return c.ResolveDoerID != 0 && c.Type == CommentTypeCode
+	}
+	userIDs := make(container.Set[int64])
+	for _, comment := range comments {
+		if relevant(comment) {
+			userIDs.Add(comment.ResolveDoerID)
+		}
+	}
+
+	if len(userIDs) == 0 {
+		return nil
+	}
+
+	userMap := make(map[int64]*user_model.User)
+	users, err := user_model.GetUsersByIDs(ctx, userIDs.Slice())
+	if err != nil {
+		return err
+	}
+	for _, user := range users {
+		userMap[user.ID] = user
+	}
+
+	for _, comment := range comments {
+		if !relevant(comment) {
+			continue
+		}
+		resolveDoer, ok := userMap[comment.ResolveDoerID]
+		if !ok {
+			comment.ResolveDoer = user_model.NewGhostUser()
+		} else {
+			comment.ResolveDoer = resolveDoer
+		}
+	}
+
+	return nil
+}
+
+func (comments CommentList) LoadReactions(ctx context.Context, repo *repo_model.Repository) (err error) {
+	loadIssueID := int64(0)
+	loadCommentIDs := make([]int64, 0, len(comments))
+
+	for _, comment := range comments {
+		if loadIssueID == 0 {
+			loadIssueID = comment.IssueID
+		} else if loadIssueID != comment.IssueID {
+			return errors.New("unable to load reactions from comments on different issues than each other")
+		}
+		if comment.Reactions == nil {
+			loadCommentIDs = append(loadCommentIDs, comment.ID)
+		}
+	}
+
+	if loadIssueID == 0 {
+		return nil
+	}
+
+	reactions, err := getReactionsForComments(ctx, loadIssueID, loadCommentIDs)
+	if err != nil {
+		return err
+	}
+
+	allReactions := make(ReactionList, 0, len(reactions))
+	for _, comment := range comments {
+		if comment.Reactions == nil {
+			comment.Reactions = reactions[comment.ID]
+			allReactions = append(allReactions, comment.Reactions...)
+		}
+	}
+
+	if _, err := allReactions.LoadUsers(ctx, repo); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (comments CommentList) getReviewIDs() []int64 {
 	return container.FilterSlice(comments, func(comment *Comment) (int64, bool) {
 		return comment.ReviewID, comment.ReviewID > 0

models/issues/comment_list_test.go

@@ -84,3 +84,111 @@ func TestCommentListLoadUser(t *testing.T) {
 		})
 	}
 }
+
+func TestCommentListLoadResolveDoers(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	issue := unittest.AssertExistsAndLoadBean(t, &Issue{})
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	empty := CommentList{}
+	require.NoError(t, empty.LoadResolveDoers(t.Context()))
+
+	comment1, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello",
+	})
+	require.NoError(t, err)
+	require.NoError(t, MarkConversation(t.Context(), comment1, doer, true))
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID}) // reload after change
+	comment1List := CommentList{comment1}
+	require.NoError(t, comment1List.LoadResolveDoers(t.Context()))
+	require.NotNil(t, comment1.ResolveDoer)
+	assert.Equal(t, doer.ID, comment1.ResolveDoer.ID)
+
+	comment2, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello again",
+	})
+	require.NoError(t, err)
+	require.NoError(t, MarkConversation(t.Context(), comment2, user_model.NewGhostUser(), true))
+
+	// Reload for fresh objects
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID})
+	comment2 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment2.ID})
+
+	comment2List := CommentList{comment1, comment2}
+	require.NoError(t, comment2List.LoadResolveDoers(t.Context()))
+	require.NotNil(t, comment1.ResolveDoer)
+	assert.Equal(t, doer.ID, comment1.ResolveDoer.ID)
+	require.NotNil(t, comment2.ResolveDoer)
+	assert.EqualValues(t, -1, comment2.ResolveDoer.ID)
+}
+
+func TestCommentListLoadReactions(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	issue := unittest.AssertExistsAndLoadBean(t, &Issue{})
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	empty := CommentList{}
+	require.NoError(t, empty.LoadReactions(t.Context(), repo))
+
+	comment1, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello",
+	})
+	require.NoError(t, err)
+	_, err = CreateReaction(t.Context(), &ReactionOptions{
+		Type:      "eyes",
+		DoerID:    doer.ID,
+		IssueID:   issue.ID,
+		CommentID: comment1.ID,
+	})
+	require.NoError(t, err)
+
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID}) // reload after change
+	comment1List := CommentList{comment1}
+	require.NoError(t, comment1List.LoadReactions(t.Context(), repo))
+	require.Len(t, comment1.Reactions, 1)
+	assert.Equal(t, "eyes", comment1.Reactions[0].Type)
+	assert.NotNil(t, comment1.Reactions[0].User)
+
+	comment2, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello again",
+	})
+	require.NoError(t, err)
+	_, err = CreateReaction(t.Context(), &ReactionOptions{
+		Type:      "rocket",
+		DoerID:    doer.ID,
+		IssueID:   issue.ID,
+		CommentID: comment2.ID,
+	})
+	require.NoError(t, err)
+
+	// Reload for fresh objects
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID})
+	comment2 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment2.ID})
+
+	comment2List := CommentList{comment1, comment2}
+	require.NoError(t, comment2List.LoadReactions(t.Context(), repo))
+	require.Len(t, comment1.Reactions, 1)
+	require.Len(t, comment2.Reactions, 1)
+	assert.Equal(t, "rocket", comment2.Reactions[0].Type)
+	assert.NotNil(t, comment2.Reactions[0].User)
+}

models/issues/comment_test.go

@@ -52,12 +52,29 @@ func TestFetchCodeConversations(t *testing.T) {
 
 	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	_, err := issues_model.CreateReaction(t.Context(), &issues_model.ReactionOptions{
+		Type:      "eyes",
+		DoerID:    2,
+		IssueID:   issue.ID,
+		CommentID: 4,
+	})
+	require.NoError(t, err)
+	require.NoError(t, issues_model.MarkConversation(t.Context(),
+		unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 4}),
+		user, true))
+
 	res, err := issues_model.FetchCodeConversations(db.DefaultContext, issue, user, false)
 	require.NoError(t, err)
-	assert.Contains(t, res, "README.md")
-	assert.Contains(t, res["README.md"], int64(4))
-	assert.Len(t, res["README.md"][4], 1)
-	assert.Equal(t, int64(4), res["README.md"][4][0][0].ID)
+	require.Contains(t, res, "README.md")
+	require.Contains(t, res["README.md"], int64(4))
+	require.Len(t, res["README.md"][4], 1)
+	require.Len(t, res["README.md"][4][0], 1)
+	comment := res["README.md"][4][0][0]
+	assert.Equal(t, int64(4), comment.ID)
+	assert.NotNil(t, comment.ResolveDoer)
+	require.Len(t, comment.Reactions, 1)
+	r := comment.Reactions[0]
+	assert.NotNil(t, r.User)
 
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 	res, err = issues_model.FetchCodeConversations(db.DefaultContext, issue, user2, false)

models/issues/issue_list.go

@@ -6,6 +6,7 @@ package issues
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	"forgejo.org/models/db"
 	project_model "forgejo.org/models/project"
@@ -40,21 +41,9 @@ func (issues IssueList) LoadRepositories(ctx context.Context) (repo_model.Reposi
 	}
 
 	repoIDs := issues.getRepoIDs()
-	repoMaps := make(map[int64]*repo_model.Repository, len(repoIDs))
-	left := len(repoIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		err := db.GetEngine(ctx).
-			In("id", repoIDs[:limit]).
-			Find(&repoMaps)
-		if err != nil {
-			return nil, fmt.Errorf("find repository: %w", err)
-		}
-		left -= limit
-		repoIDs = repoIDs[limit:]
+	repoMaps, err := db.GetByIDs(ctx, "id", repoIDs, &repo_model.Repository{})
+	if err != nil {
+		return nil, fmt.Errorf("find repository: %w", err)
 	}
 
 	for _, issue := range issues {
@@ -96,21 +85,9 @@ func (issues IssueList) LoadPosters(ctx context.Context) error {
 }
 
 func getPostersByIDs(ctx context.Context, posterIDs []int64) (map[int64]*user_model.User, error) {
-	posterMaps := make(map[int64]*user_model.User, len(posterIDs))
-	left := len(posterIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		err := db.GetEngine(ctx).
-			In("id", posterIDs[:limit]).
-			Find(&posterMaps)
-		if err != nil {
-			return nil, err
-		}
-		left -= limit
-		posterIDs = posterIDs[limit:]
+	posterMaps, err := db.GetByIDs(ctx, "id", posterIDs, &user_model.User{})
+	if err != nil {
+		return nil, err
 	}
 	return posterMaps, nil
 }
@@ -135,21 +112,15 @@ func (issues IssueList) LoadLabels(ctx context.Context) error {
 
 	issueLabels := make(map[int64][]*Label, len(issues)*3)
 	issueIDs := issues.getIssueIDs()
-	left := len(issueIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+	for issueIDChunk := range slices.Chunk(issueIDs, db.DefaultMaxInSize) {
 		rows, err := db.GetEngine(ctx).Table("label").
 			Join("LEFT", "issue_label", "issue_label.label_id = label.id").
-			In("issue_label.issue_id", issueIDs[:limit]).
+			In("issue_label.issue_id", issueIDChunk).
 			Asc("label.name").
 			Rows(new(LabelIssue))
 		if err != nil {
 			return err
 		}
-
 		for rows.Next() {
 			var labelIssue LabelIssue
 			err = rows.Scan(&labelIssue)
@@ -166,8 +137,6 @@ func (issues IssueList) LoadLabels(ctx context.Context) error {
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.LoadLabels: Close: %w", err1)
 		}
-		left -= limit
-		issueIDs = issueIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -189,21 +158,9 @@ func (issues IssueList) LoadMilestones(ctx context.Context) error {
 		return nil
 	}
 
-	milestoneMaps := make(map[int64]*Milestone, len(milestoneIDs))
-	left := len(milestoneIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		err := db.GetEngine(ctx).
-			In("id", milestoneIDs[:limit]).
-			Find(&milestoneMaps)
-		if err != nil {
-			return err
-		}
-		left -= limit
-		milestoneIDs = milestoneIDs[limit:]
+	milestoneMaps, err := db.GetByIDs(ctx, "id", milestoneIDs, &Milestone{})
+	if err != nil {
+		return err
 	}
 
 	for _, issue := range issues {
@@ -216,25 +173,19 @@ func (issues IssueList) LoadMilestones(ctx context.Context) error {
 func (issues IssueList) LoadProjects(ctx context.Context) error {
 	issueIDs := issues.getIssueIDs()
 	projectMaps := make(map[int64]*project_model.Project, len(issues))
-	left := len(issueIDs)
 
 	type projectWithIssueID struct {
 		*project_model.Project `xorm:"extends"`
 		IssueID                int64
 	}
 
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-
-		projects := make([]*projectWithIssueID, 0, limit)
+	for issueIDChunk := range slices.Chunk(issueIDs, db.DefaultMaxInSize) {
+		projects := make([]*projectWithIssueID, 0, len(issueIDChunk))
 		err := db.GetEngine(ctx).
 			Table("project").
 			Select("project.*, project_issue.issue_id").
 			Join("INNER", "project_issue", "project.id = project_issue.project_id").
-			In("project_issue.issue_id", issueIDs[:limit]).
+			In("project_issue.issue_id", issueIDChunk).
 			Find(&projects)
 		if err != nil {
 			return err
@@ -242,8 +193,6 @@ func (issues IssueList) LoadProjects(ctx context.Context) error {
 		for _, project := range projects {
 			projectMaps[project.IssueID] = project.Project
 		}
-		left -= limit
-		issueIDs = issueIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -264,15 +213,10 @@ func (issues IssueList) LoadAssignees(ctx context.Context) error {
 
 	assignees := make(map[int64][]*user_model.User, len(issues))
 	issueIDs := issues.getIssueIDs()
-	left := len(issueIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+	for issueIDChunk := range slices.Chunk(issueIDs, db.DefaultMaxInSize) {
 		rows, err := db.GetEngine(ctx).Table("issue_assignees").
 			Join("INNER", "`user`", "`user`.id = `issue_assignees`.assignee_id").
-			In("`issue_assignees`.issue_id", issueIDs[:limit]).OrderBy(user_model.GetOrderByName()).
+			In("`issue_assignees`.issue_id", issueIDChunk).OrderBy(user_model.GetOrderByName()).
 			Rows(new(AssigneeIssue))
 		if err != nil {
 			return err
@@ -293,8 +237,6 @@ func (issues IssueList) LoadAssignees(ctx context.Context) error {
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.loadAssignees: Close: %w", err1)
 		}
-		left -= limit
-		issueIDs = issueIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -324,36 +266,9 @@ func (issues IssueList) LoadPullRequests(ctx context.Context) error {
 		return nil
 	}
 
-	pullRequestMaps := make(map[int64]*PullRequest, len(issuesIDs))
-	left := len(issuesIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("issue_id", issuesIDs[:limit]).
-			Rows(new(PullRequest))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var pr PullRequest
-			err = rows.Scan(&pr)
-			if err != nil {
-				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadPullRequests: Close: %w", err1)
-				}
-				return err
-			}
-			pullRequestMaps[pr.IssueID] = &pr
-		}
-		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadPullRequests: Close: %w", err1)
-		}
-		left -= limit
-		issuesIDs = issuesIDs[limit:]
+	pullRequestMaps, err := db.GetByIDs(ctx, "issue_id", issuesIDs, &PullRequest{})
+	if err != nil {
+		return err
 	}
 
 	for _, issue := range issues {
@@ -371,37 +286,10 @@ func (issues IssueList) LoadAttachments(ctx context.Context) (err error) {
 		return nil
 	}
 
-	attachments := make(map[int64][]*repo_model.Attachment, len(issues))
 	issuesIDs := issues.getIssueIDs()
-	left := len(issuesIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-		rows, err := db.GetEngine(ctx).
-			In("issue_id", issuesIDs[:limit]).
-			Rows(new(repo_model.Attachment))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var attachment repo_model.Attachment
-			err = rows.Scan(&attachment)
-			if err != nil {
-				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadAttachments: Close: %w", err1)
-				}
-				return err
-			}
-			attachments[attachment.IssueID] = append(attachments[attachment.IssueID], &attachment)
-		}
-		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadAttachments: Close: %w", err1)
-		}
-		left -= limit
-		issuesIDs = issuesIDs[limit:]
+	attachments, err := db.GetByFieldIn(ctx, "issue_id", issuesIDs, &repo_model.Attachment{})
+	if err != nil {
+		return err
 	}
 
 	for _, issue := range issues {
@@ -418,15 +306,10 @@ func (issues IssueList) loadComments(ctx context.Context, cond builder.Cond) (er
 
 	comments := make(map[int64][]*Comment, len(issues))
 	issuesIDs := issues.getIssueIDs()
-	left := len(issuesIDs)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+	for issueIDChunk := range slices.Chunk(issuesIDs, db.DefaultMaxInSize) {
 		rows, err := db.GetEngine(ctx).Table("comment").
 			Join("INNER", "issue", "issue.id = comment.issue_id").
-			In("issue.id", issuesIDs[:limit]).
+			In("issue.id", issueIDChunk).
 			Where(cond).
 			Rows(new(Comment))
 		if err != nil {
@@ -447,8 +330,6 @@ func (issues IssueList) loadComments(ctx context.Context, cond builder.Cond) (er
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.loadComments: Close: %w", err1)
 		}
-		left -= limit
-		issuesIDs = issuesIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -484,18 +365,12 @@ func (issues IssueList) loadTotalTrackedTimes(ctx context.Context) (err error) {
 		}
 	}
 
-	left := len(ids)
-	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
-
+	for idChunk := range slices.Chunk(ids, db.DefaultMaxInSize) {
 		// select issue_id, sum(time) from tracked_time where issue_id in (<issue ids in current page>) group by issue_id
 		rows, err := db.GetEngine(ctx).Table("tracked_time").
 			Where("deleted = ?", false).
 			Select("issue_id, sum(time) as time").
-			In("issue_id", ids[:limit]).
+			In("issue_id", idChunk).
 			GroupBy("issue_id").
 			Rows(new(totalTimesByIssue))
 		if err != nil {
@@ -516,8 +391,6 @@ func (issues IssueList) loadTotalTrackedTimes(ctx context.Context) (err error) {
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.loadTotalTrackedTimes: Close: %w", err1)
 		}
-		left -= limit
-		ids = ids[limit:]
 	}
 
 	for _, issue := range issues {

models/issues/issue_stats.go

@@ -94,10 +94,7 @@ func GetIssueStats(ctx context.Context, opts *IssuesOptions) (*IssueStats, error
 	// ids in a temporary table and join from them.
 	accum := &IssueStats{}
 	for i := 0; i < len(opts.IssueIDs); {
-		chunk := i + MaxQueryParameters
-		if chunk > len(opts.IssueIDs) {
-			chunk = len(opts.IssueIDs)
-		}
+		chunk := min(i+MaxQueryParameters, len(opts.IssueIDs))
 		stats, err := getIssueStatsChunk(ctx, opts, opts.IssueIDs[i:chunk])
 		if err != nil {
 			return nil, err

models/issues/issue_test.go

@@ -5,6 +5,7 @@ package issues_test
 
 import (
 	"fmt"
+	"slices"
 	"sort"
 	"sync"
 	"testing"
@@ -311,7 +312,7 @@ func TestIssue_ResolveMentions(t *testing.T) {
 		for i, user := range resolved {
 			ids[i] = user.ID
 		}
-		sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
+		slices.Sort(ids)
 		assert.Equal(t, expected, ids)
 	}
 
@@ -338,7 +339,7 @@ func TestResourceIndex(t *testing.T) {
 	require.NoError(t, err)
 
 	var wg sync.WaitGroup
-	for i := 0; i < 100; i++ {
+	for i := range 100 {
 		wg.Add(1)
 		t.Run(fmt.Sprintf("issue %d", i+1), func(t *testing.T) {
 			t.Parallel()
@@ -369,7 +370,7 @@ func TestCorrectIssueStats(t *testing.T) {
 	issueAmount := issues_model.MaxQueryParameters + 10
 
 	var wg sync.WaitGroup
-	for i := 0; i < issueAmount; i++ {
+	for i := range issueAmount {
 		wg.Add(1)
 		go func(i int) {
 			testInsertIssue(t, fmt.Sprintf("Issue %d", i+1), "Bugs are nasty", 0)

models/issues/issue_update.go

@@ -244,7 +244,7 @@ func UpdateIssueAttachments(ctx context.Context, issue *Issue, uuids []string) (
 	if err != nil {
 		return fmt.Errorf("FindRepoAttachmentsByUUID[uuids=%q,repoID=%d]: %w", uuids, issue.RepoID, err)
 	}
-	for i := 0; i < len(attachments); i++ {
+	for i := range attachments {
 		attachments[i].IssueID = issue.ID
 		if err := repo_model.UpdateAttachment(ctx, attachments[i]); err != nil {
 			return fmt.Errorf("update attachment [id: %d]: %w", attachments[i].ID, err)

models/issues/pull_list.go

@@ -63,7 +63,7 @@ func GetUnmergedPullRequestsByHeadInfoMax(ctx context.Context, repoID, olderThan
 }
 
 // GetUnmergedPullRequestsByHeadInfo returns all pull requests that are open and has not been merged
-func GetUnmergedPullRequestsByHeadInfo(ctx context.Context, repoID int64, branch string) ([]*PullRequest, error) {
+func GetUnmergedPullRequestsByHeadInfo(ctx context.Context, repoID int64, branch string) (PullRequestList, error) {
 	prs := make([]*PullRequest, 0, 2)
 	sess := db.GetEngine(ctx).
 		Join("INNER", "issue", "issue.id = pull_request.issue_id").
@@ -82,18 +82,44 @@ func CanMaintainerWriteToBranch(ctx context.Context, p access_model.Permission,
 	}
 
 	prs, err := GetUnmergedPullRequestsByHeadInfo(ctx, p.Units[0].RepoID, branch)
+	// All these error cases return `false` to defer to the safer choice of not allowing write access on an error.
 	if err != nil {
+		log.Error("GetUnmergedPullRequestsByHeadInfo failed: %s", err)
+		return false
+	} else if issues, err := prs.LoadIssues(ctx); err != nil {
+		log.Error("LoadIssues failed: %s", err)
+		return false
+	} else if err := issues.LoadPosters(ctx); err != nil {
+		log.Error("LoadPosters failed: %s", err)
+		return false
+	} else if err := prs.LoadHeadRepos(ctx); err != nil {
+		log.Error("LoadHeadRepos failed: %s", err)
 		return false
 	}
 
 	for _, pr := range prs {
 		if pr.AllowMaintainerEdit {
+			// PR Poster must have write access to the head, so that when they turned on "AllowMaintainerEdit" they
+			// delegated that write access to the maintainers of the PR base.  If they don't currently have write
+			// access, they can't delegate that access.
+			poster := pr.Issue.Poster
+			posterHeadPerm, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, poster)
+			if err != nil {
+				log.Error("GetUserRepoPermission failed: %s", err)
+				continue
+			}
+			if !posterHeadPerm.CanWrite(unit.TypeCode) {
+				continue
+			}
+
 			err = pr.LoadBaseRepo(ctx)
 			if err != nil {
+				log.Error("LoadBaseRepo failed: %s", err)
 				continue
 			}
 			prPerm, err := access_model.GetUserRepoPermission(ctx, pr.BaseRepo, user)
 			if err != nil {
+				log.Error("GetUserRepoPermission failed: %s", err)
 				continue
 			}
 			if prPerm.CanWrite(unit.TypeCode) {
@@ -240,6 +266,25 @@ func (prs PullRequestList) LoadIssues(ctx context.Context) (IssueList, error) {
 	return issueList, nil
 }
 
+func (prs PullRequestList) LoadHeadRepos(ctx context.Context) error {
+	repoIDs := []int64{}
+	for _, pr := range prs {
+		repoIDs = append(repoIDs, pr.HeadRepoID)
+	}
+	repos, err := db.GetByIDs(ctx, "id", repoIDs, &repo_model.Repository{})
+	if err != nil {
+		return err
+	}
+	for _, pr := range prs {
+		repo, ok := repos[pr.HeadRepoID]
+		if !ok {
+			return fmt.Errorf("unable to find repo %d", pr.HeadRepoID)
+		}
+		pr.HeadRepo = repo
+	}
+	return nil
+}
+
 // GetIssueIDs returns all issue ids
 func (prs PullRequestList) GetIssueIDs() []int64 {
 	return container.FilterSlice(prs, func(pr *PullRequest) (int64, bool) {

models/issues/reaction.go

@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"slices"
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
@@ -176,6 +177,34 @@ func FindReactions(ctx context.Context, opts FindReactionsOptions) (ReactionList
 	return reactions, count, err
 }
 
+func getReactionsForComments(ctx context.Context, issueID int64, commentIDs []int64) (map[int64]ReactionList, error) {
+	reactions := make(map[int64]ReactionList, len(commentIDs))
+
+	for commentIDChunk := range slices.Chunk(commentIDs, db.DefaultMaxInSize) {
+		rows, err := db.GetEngine(ctx).
+			Where(builder.Eq{"issue_id": issueID}).
+			In("reaction.`type`", setting.UI.Reactions).
+			In("comment_id", commentIDChunk).
+			Rows(&Reaction{})
+		if err != nil {
+			return nil, err
+		}
+
+		for rows.Next() {
+			var reaction Reaction
+			err = rows.Scan(&reaction)
+			if err != nil {
+				_ = rows.Close()
+				return nil, err
+			}
+			reactions[reaction.CommentID] = append(reactions[reaction.CommentID], &reaction)
+		}
+
+		_ = rows.Close()
+	}
+	return reactions, nil
+}
+
 func createReaction(ctx context.Context, opts *ReactionOptions) (*Reaction, error) {
 	reaction := &Reaction{
 		Type:      opts.Type,

models/issues/review.go

@@ -457,6 +457,11 @@ func SubmitReview(ctx context.Context, doer *user_model.User, issue *Issue, revi
 			if official, err = IsOfficialReviewer(ctx, issue, doer); err != nil {
 				return nil, nil, err
 			}
+			// delete previous review requests from the same user
+			reviewCond := builder.Eq{"reviewer_id": doer.ID, "issue_id": issue.ID}
+			if _, err := sess.Where(reviewCond.And(builder.Eq{"type": ReviewTypeRequest})).Delete(new(Review)); err != nil {
+				return nil, nil, err
+			}
 		}
 
 		review.Official = official
@@ -511,10 +516,14 @@ func SubmitReview(ctx context.Context, doer *user_model.User, issue *Issue, revi
 
 // GetReviewByIssueIDAndUserID get the latest review of reviewer for a pull request
 func GetReviewByIssueIDAndUserID(ctx context.Context, issueID, userID int64) (*Review, error) {
+	return GetReviewByIssueIDUserIDAndTypes(ctx, issueID, userID, []ReviewType{ReviewTypeApprove, ReviewTypeReject, ReviewTypeRequest})
+}
+
+func GetReviewByIssueIDUserIDAndTypes(ctx context.Context, issueID, userID int64, types []ReviewType) (*Review, error) {
 	review := new(Review)
 
 	has, err := db.GetEngine(ctx).Where(
-		builder.In("type", ReviewTypeApprove, ReviewTypeReject, ReviewTypeRequest).
+		builder.In("type", types).
 			And(builder.Eq{"issue_id": issueID, "reviewer_id": userID, "original_author_id": 0})).
 		Desc("id").
 		Get(review)
@@ -707,12 +716,12 @@ func RemoveReviewRequest(ctx context.Context, issue *Issue, reviewer, doer *user
 	}
 	defer committer.Close()
 
-	review, err := GetReviewByIssueIDAndUserID(ctx, issue.ID, reviewer.ID)
+	review, err := GetReviewByIssueIDUserIDAndTypes(ctx, issue.ID, reviewer.ID, []ReviewType{ReviewTypeRequest})
 	if err != nil && !IsErrReviewNotExist(err) {
 		return nil, err
 	}
 
-	if review == nil || review.Type != ReviewTypeRequest {
+	if review == nil {
 		return nil, nil
 	}
 

models/issues/review_list.go

@@ -20,7 +20,7 @@ type ReviewList []*Review
 // LoadReviewers loads reviewers
 func (reviews ReviewList) LoadReviewers(ctx context.Context) error {
 	reviewerIDs := make([]int64, len(reviews))
-	for i := 0; i < len(reviews); i++ {
+	for i := range reviews {
 		reviewerIDs[i] = reviews[i].ReviewerID
 	}
 	reviewers, err := user_model.GetPossibleUserByIDs(ctx, reviewerIDs)

models/issues/review_test.go

@@ -321,6 +321,82 @@ func TestAddReviewRequest(t *testing.T) {
 	assert.True(t, issues_model.IsErrReviewRequestOnClosedPR(err))
 }
 
+func TestSubmitPendingReviewDeletesReviewRequest(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	pull := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
+	require.NoError(t, pull.LoadIssue(db.DefaultContext))
+	issue := pull.Issue
+	require.NoError(t, issue.LoadRepo(db.DefaultContext))
+	reviewer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	reviewRequest, err := issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypeRequest,
+	})
+	require.NoError(t, err)
+
+	// creating a pending review should NOT remove review requests
+	reviewPending, err := issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypePending,
+	})
+	require.NoError(t, err)
+	unittest.AssertExistsIf(t, true, &issues_model.Review{ID: reviewRequest.ID})
+	// submitting a pending review to finish it SHOULD remove review requests
+	_, _, err = issues_model.SubmitReview(
+		db.DefaultContext,
+		reviewer,
+		issue,
+		issues_model.ReviewTypeReject,
+		"test content",
+		reviewPending.CommitID,
+		false,
+		[]string{},
+	)
+	require.NoError(t, err)
+	unittest.AssertNotExistsBean(t, &issues_model.Review{ID: reviewRequest.ID})
+}
+
+// this test is for handling a state correctly that should never exist, but is representable and was
+// achievable thanks to #12243
+func TestReviewRequestDeletesReviewRequestsBeforeRejectedReviews(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	sess := db.GetEngine(db.DefaultContext)
+
+	pull := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
+	require.NoError(t, pull.LoadIssue(db.DefaultContext))
+	issue := pull.Issue
+	require.NoError(t, issue.LoadRepo(db.DefaultContext))
+	reviewer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	// this one will end up being a ReviewTypeRequest. We are initially creating it as
+	// ReviewTypeReject to avoid it being deleted on making the actual rejected review
+	reviewRequest, err := issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypeReject,
+	})
+	require.NoError(t, err)
+	// this review is an actual rejected review that somehow managed to be saved without deleting
+	// reviewRequest. This is a state that is representable and is/was achievable thanks to #12243
+	_, err = issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypeReject,
+	})
+	require.NoError(t, err)
+	reviewRequest.Type = issues_model.ReviewTypeRequest
+	_, err = sess.ID(reviewRequest.ID).Cols("type").Update(reviewRequest)
+	require.NoError(t, err)
+
+	_, err = issues_model.RemoveReviewRequest(db.DefaultContext, issue, reviewer, doer)
+	require.NoError(t, err)
+	unittest.AssertNotExistsBean(t, &issues_model.Review{ID: reviewRequest.ID})
+}
+
 func TestAddTeamReviewRequest(t *testing.T) {
 	defer unittest.OverrideFixtures("models/fixtures/TestAddTeamReviewRequest")()
 	require.NoError(t, unittest.PrepareTestDatabase())

models/issues/tracked_time.go

@@ -350,10 +350,7 @@ func GetIssueTotalTrackedTime(ctx context.Context, opts *IssuesOptions, isClosed
 	// we get the statistics in smaller chunks and get accumulates
 	var accum int64
 	for i := 0; i < len(opts.IssueIDs); {
-		chunk := i + MaxQueryParameters
-		if chunk > len(opts.IssueIDs) {
-			chunk = len(opts.IssueIDs)
-		}
+		chunk := min(i+MaxQueryParameters, len(opts.IssueIDs))
 		time, err := getIssueTotalTrackedTimeChunk(ctx, opts, isClosed, opts.IssueIDs[i:chunk])
 		if err != nil {
 			return 0, err

models/organization/team.go

@@ -161,10 +161,16 @@ func (t *Team) LoadRepositories(ctx context.Context) (err error) {
 	return err
 }
 
-// LoadMembers returns paginated members in team of organization.
+// LoadMembers loads the members of the team in t.Members.
 func (t *Team) LoadMembers(ctx context.Context) (err error) {
+	return t.LoadPaginatedMembers(ctx, db.ListOptionsAll)
+}
+
+// LoadPaginatedMembers loads paginated members of the team in t.Members.
+func (t *Team) LoadPaginatedMembers(ctx context.Context, listOptions db.ListOptions) (err error) {
 	t.Members, err = GetTeamMembers(ctx, &SearchMembersOptions{
-		TeamID: t.ID,
+		ListOptions: listOptions,
+		TeamID:      t.ID,
 	})
 	return err
 }

models/packages/debian/search.go

@@ -76,22 +76,35 @@ func ExistPackages(ctx context.Context, opts *PackageSearchOptions) (bool, error
 
 // SearchPackages gets the packages matching the search options
 func SearchPackages(ctx context.Context, opts *PackageSearchOptions, iter func(*packages.PackageFileDescriptor)) error {
-	return db.GetEngine(ctx).
+	// Forgejo's db library doesn't have an iterate method that allows us to do this query, *sorted*, in chunks.  xorm's
+	// `Iterate` isn't usable because sometimes we are in a transaction, and GetPackageFileDescriptor will make
+	// supplemental DB calls which will fail in xorm's Iterate as the same connection will come back from
+	// db.GetEngine(ctx) due to the transaction, and that connection is already being used for the iterate.
+	//
+	// Aside from the reasons we can't do this iteratively, `SearchPackages` is only used when we're rebuilding the
+	// package index, and the caller `buildPackagesIndices` is already building *three* in-memory files referencing all
+	// this same information -- so the memory usage to load this information in one chunk shouldn't be significantly
+	// worse than the index rebuild side anyway.
+	pfs := make([]*packages.PackageFile, 0, 100)
+	err := db.GetEngine(ctx).
 		Table("package_file").
 		Select("package_file.*").
 		Join("INNER", "package_version", "package_version.id = package_file.version_id").
 		Join("INNER", "package", "package.id = package_version.package_id").
 		Where(opts.toCond()).
 		Asc("package.lower_name", "package_version.created_unix").
-		Iterate(&packages.PackageFile{}, func(i int, bean any) error {
-			pf := bean.(*packages.PackageFile)
-			pfd, err := packages.GetPackageFileDescriptor(ctx, pf)
-			if err != nil {
-				return err
-			}
-			iter(pfd)
-			return nil
-		})
+		Find(&pfs)
+	if err != nil {
+		return err
+	}
+	for _, pf := range pfs {
+		pfd, err := packages.GetPackageFileDescriptor(ctx, pf)
+		if err != nil {
+			return err
+		}
+		iter(pfd)
+	}
+	return nil
 }
 
 // GetDistributions gets all available distributions

models/packages/package_version.go

@@ -5,11 +5,13 @@ package packages
 
 import (
 	"context"
+	"errors"
 	"strconv"
 	"strings"
 
 	"forgejo.org/models/db"
 	"forgejo.org/modules/optional"
+	"forgejo.org/modules/setting"
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"
 
@@ -155,6 +157,25 @@ func HasVersionFileReferences(ctx context.Context, versionID int64) (bool, error
 	})
 }
 
+func (pv *PackageVersion) LockForUpdate(ctx context.Context) error {
+	if !db.InTransaction(ctx) {
+		return errors.New("invalid state for PackageVersion.LockForUpdate: database is not in a transaction")
+	} else if setting.Database.Type.IsSQLite3() {
+		// SQLite both doesn't support "SELECT ... FOR UPDATE", and it's irrelevant for SQLite as the entire database is
+		// locked for write when a write transaction is open.
+		return nil
+	}
+
+	pvfu := PackageVersion{}
+	has, err := db.GetEngine(ctx).ID(pv.ID).ForUpdate().Get(&pvfu)
+	if err != nil {
+		return err
+	} else if !has {
+		return ErrPackageNotExist
+	}
+	return nil
+}
+
 // SearchValue describes a value to search
 // If ExactMatch is true, the field must match the value otherwise a LIKE search is performed.
 type SearchValue struct {

models/perm/access/repo_permission.go

@@ -6,6 +6,7 @@ package access
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
@@ -115,7 +116,8 @@ func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {
 }
 
 func (p *Permission) LogString() string {
-	format := "<Permission AccessMode=%s, %d Units, %d UnitsMode(s): [ "
+	var format strings.Builder
+	format.WriteString("<Permission AccessMode=%s, %d Units, %d UnitsMode(s): [ ")
 	args := []any{p.AccessMode.String(), len(p.Units), len(p.UnitsMode)}
 
 	for i, unit := range p.Units {
@@ -127,15 +129,15 @@ func (p *Permission) LogString() string {
 				config = err.Error()
 			}
 		}
-		format += "\nUnits[%d]: ID: %d RepoID: %d Type: %s Config: %s"
+		format.WriteString("\nUnits[%d]: ID: %d RepoID: %d Type: %s Config: %s")
 		args = append(args, i, unit.ID, unit.RepoID, unit.Type.LogString(), config)
 	}
 	for key, value := range p.UnitsMode {
-		format += "\nUnitMode[%-v]: %-v"
+		format.WriteString("\nUnitMode[%-v]: %-v")
 		args = append(args, key.LogString(), value.LogString())
 	}
-	format += " ]>"
-	return fmt.Sprintf(format, args...)
+	format.WriteString(" ]>")
+	return fmt.Sprintf(format.String(), args...)
 }
 
 func GetActionRepoPermission(ctx context.Context, repo *repo_model.Repository, task *actions_model.ActionTask) (Permission, error) {

models/project/column_test.go

@@ -164,7 +164,7 @@ func Test_NewColumn(t *testing.T) {
 	require.NoError(t, err)
 	assert.Len(t, columns, 3)
 
-	for i := 0; i < maxProjectColumns-3; i++ {
+	for i := range maxProjectColumns - 3 {
 		err := NewColumn(db.DefaultContext, &Column{
 			Title:     fmt.Sprintf("column-%d", i+4),
 			ProjectID: project1.ID,

models/pull/review_state.go

@@ -6,6 +6,7 @@ package pull
 import (
 	"context"
 	"fmt"
+	"maps"
 
 	"forgejo.org/models/db"
 	"forgejo.org/modules/log"
@@ -100,9 +101,7 @@ func mergeFiles(oldFiles, newFiles map[string]ViewedState) map[string]ViewedStat
 		return oldFiles
 	}
 
-	for file, viewed := range newFiles {
-		oldFiles[file] = viewed
-	}
+	maps.Copy(oldFiles, newFiles)
 	return oldFiles
 }
 

models/repo.go

@@ -14,10 +14,8 @@ import (
 	asymkey_model "forgejo.org/models/asymkey"
 	"forgejo.org/models/db"
 	issues_model "forgejo.org/models/issues"
-	access_model "forgejo.org/models/perm/access"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unit"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
 	"forgejo.org/services/stats"
 
@@ -277,7 +275,7 @@ func DoctorUserStarNum(ctx context.Context) (err error) {
 }
 
 // DeleteDeployKey delete deploy keys
-func DeleteDeployKey(ctx context.Context, doer *user_model.User, id int64) error {
+func DeleteDeployKey(ctx context.Context, id, repoID int64) error {
 	key, err := asymkey_model.GetDeployKeyByID(ctx, id)
 	if err != nil {
 		if asymkey_model.IsErrDeployKeyNotExist(err) {
@@ -286,21 +284,10 @@ func DeleteDeployKey(ctx context.Context, doer *user_model.User, id int64) error
 		return fmt.Errorf("GetDeployKeyByID: %w", err)
 	}
 
-	// Check if user has access to delete this key.
-	if !doer.IsAdmin {
-		repo, err := repo_model.GetRepositoryByID(ctx, key.RepoID)
-		if err != nil {
-			return fmt.Errorf("GetRepositoryByID: %w", err)
-		}
-		has, err := access_model.IsUserRepoAdmin(ctx, repo, doer)
-		if err != nil {
-			return fmt.Errorf("GetUserRepoPermission: %w", err)
-		} else if !has {
-			return asymkey_model.ErrKeyAccessDenied{
-				UserID: doer.ID,
-				KeyID:  key.ID,
-				Note:   "deploy",
-			}
+	if key.RepoID != repoID {
+		return asymkey_model.ErrKeyAccessDenied{
+			KeyID: key.ID,
+			Note:  "deploy",
 		}
 	}
 

models/repo/language_stats.go

@@ -33,13 +33,18 @@ func init() {
 	db.RegisterModel(new(LanguageStat))
 }
 
+// LoadAttributes loads attributes
+func (stat *LanguageStat) LoadAttributes() {
+	stat.Color = enry.GetColor(stat.Language)
+}
+
 // LanguageStatList defines a list of language statistics
 type LanguageStatList []*LanguageStat
 
 // LoadAttributes loads attributes
 func (stats LanguageStatList) LoadAttributes() {
 	for i := range stats {
-		stats[i].Color = enry.GetColor(stats[i].Language)
+		stats[i].LoadAttributes()
 	}
 }
 

models/repo/mirror.go

@@ -6,10 +6,14 @@ package repo
 
 import (
 	"context"
+	"errors"
+	"net/url"
 	"time"
 
 	"forgejo.org/models/db"
+	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"
 )
@@ -31,7 +35,9 @@ type Mirror struct {
 	LFS         bool   `xorm:"lfs_enabled NOT NULL DEFAULT false"`
 	LFSEndpoint string `xorm:"lfs_endpoint TEXT"`
 
-	RemoteAddress string `xorm:"VARCHAR(2048)"`
+	// Encrypted remote address w/ credentials; can be NULL if a mirror has not performed a sync since this field was
+	// introduced, in which case the remote address exists only in the repo's configured git remote on disk.
+	EncryptedRemoteAddress []byte `xorm:"BLOB NULL"`
 }
 
 func init() {
@@ -73,6 +79,71 @@ func (m *Mirror) ScheduleNextUpdate() {
 	}
 }
 
+// InsertMirror inserts a mirror to database. RemoteAddress must be provided so that it can be encrypted and stored
+// during the insert process.
+func (m *Mirror) InsertWithAddress(ctx context.Context, addr string) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if _, err := db.GetEngine(ctx).Insert(m); err != nil {
+			return err
+		}
+		return m.UpdateRemoteAddress(ctx, addr)
+	})
+}
+
+// Stores a credential-free version of the address in `RemoteAddress`, encrypts the original into `RemoteAddressAuth`,
+// and stores both in the database. The ID of the mirror must be known, so this must be done after the mirror is
+// inserted.
+func (m *Mirror) UpdateRemoteAddress(ctx context.Context, addr string) error {
+	if m.ID == 0 {
+		return errors.New("must persist mirror to database before using UpdateRemoteAddress")
+	}
+
+	m.EncryptedRemoteAddress = keying.PullMirror.Encrypt(
+		[]byte(addr),
+		keying.ColumnAndID("remote_address_auth", m.ID),
+	)
+	_, err := db.GetEngine(ctx).ID(m.ID).Cols("encrypted_remote_address").Update(m)
+	return err
+}
+
+// Retrieves the encrypted remote address and decrypts it. Note that this field is expected to be absent for mirrors
+// created before the introduction of EncryptedRemoteAddress, in which case credentials are not known to Forgejo
+// directly (but may be on-disk in the repository's config file) and None will be returned.
+func (m *Mirror) DecryptRemoteAddress() (optional.Option[string], error) {
+	if m.EncryptedRemoteAddress == nil {
+		return optional.None[string](), nil
+	}
+
+	contents, err := keying.PullMirror.Decrypt(m.EncryptedRemoteAddress, keying.ColumnAndID("remote_address_auth", m.ID))
+	if err != nil {
+		return optional.None[string](), err
+	}
+	return optional.Some(string(contents)), nil
+}
+
+// Retrieves the remote address but sanitizes it of sensitive credentials. May be absent for mirrors created before the
+// introduction of EncryptedRemoteAddress.
+func (m *Mirror) SanitizedRemoteAddress() (optional.Option[string], error) {
+	maybeAddr, err := m.DecryptRemoteAddress()
+	if err != nil {
+		return optional.None[string](), err
+	} else if has, addr := maybeAddr.Get(); has {
+		parsedURL, err := url.Parse(addr)
+		if err != nil {
+			return optional.None[string](), err
+		}
+
+		// Remove the password if present.  Retain the username for consistency with `AddAuthCredentialHelperForRemote`
+		// which retains the username for the `git clone` command line, which ends up as the remote URL in the mirror's
+		// git config.
+		if parsedURL.User != nil {
+			parsedURL.User = url.User(parsedURL.User.Username())
+		}
+		return optional.Some(parsedURL.String()), nil
+	}
+	return optional.None[string](), nil
+}
+
 // GetMirrorByRepoID returns mirror information of a repository.
 func GetMirrorByRepoID(ctx context.Context, repoID int64) (*Mirror, error) {
 	m := &Mirror{RepoID: repoID}
@@ -115,9 +186,3 @@ func MirrorsIterate(ctx context.Context, limit int, f func(idx int, bean any) er
 	}
 	return sess.Iterate(new(Mirror), f)
 }
-
-// InsertMirror inserts a mirror to database
-func InsertMirror(ctx context.Context, mirror *Mirror) error {
-	_, err := db.GetEngine(ctx).Insert(mirror)
-	return err
-}

models/repo/release.go

@@ -608,6 +608,7 @@ func InsertReleases(ctx context.Context, rels ...*Release) error {
 		if len(rel.Attachments) > 0 {
 			for i := range rel.Attachments {
 				rel.Attachments[i].ReleaseID = rel.ID
+				rel.Attachments[i].RepoID = rel.RepoID
 			}
 
 			if _, err := sess.NoAutoTime().Insert(rel.Attachments); err != nil {

models/repo/release_test.go

@@ -20,11 +20,14 @@ func TestMigrate_InsertReleases(t *testing.T) {
 		UUID: "a0eebc91-9c0c-4ef7-bb6e-6bb9bd380a12",
 	}
 	r := &Release{
+		RepoID:      1001,
 		Attachments: []*Attachment{a},
 	}
 
 	err := InsertReleases(db.DefaultContext, r)
 	require.NoError(t, err)
+
+	assert.EqualValues(t, 1001, unittest.AssertExistsAndLoadBean(t, &Attachment{UUID: "a0eebc91-9c0c-4ef7-bb6e-6bb9bd380a12"}).RepoID)
 }
 
 func TestReleaseLoadRepo(t *testing.T) {

models/repo/repo.go

@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"html/template"
+	"maps"
 	"net"
 	"net/url"
 	"path/filepath"
@@ -292,6 +293,28 @@ func (repo *Repository) AfterLoad() {
 	repo.NumOpenProjects = repo.NumProjects - repo.NumClosedProjects
 }
 
+// LoadLanguage loads the primary language of the repository, if one exists.
+// If one doesn't exists `nil` is still returned.
+func (repo *Repository) LoadLanguage(ctx context.Context) error {
+	if repo.PrimaryLanguage != nil {
+		return nil
+	}
+
+	var stat LanguageStat
+	has, err := db.GetEngine(ctx).
+		Where("`repo_id` = ? AND `is_primary` = ? AND `language` != ?", repo.ID, true, "other").
+		Get(&stat)
+	if err != nil {
+		return fmt.Errorf("unable to find the primary languages: %w", err)
+	}
+	if has {
+		stat.LoadAttributes()
+		repo.PrimaryLanguage = &stat
+	}
+
+	return nil
+}
+
 // LoadAttributes loads attributes of the repository.
 func (repo *Repository) LoadAttributes(ctx context.Context) error {
 	// Load owner
@@ -299,20 +322,11 @@ func (repo *Repository) LoadAttributes(ctx context.Context) error {
 		return fmt.Errorf("load owner: %w", err)
 	}
 
-	// Load primary language
-	stats := make(LanguageStatList, 0, 1)
-	if err := db.GetEngine(ctx).
-		Where("`repo_id` = ? AND `is_primary` = ? AND `language` != ?", repo.ID, true, "other").
-		Find(&stats); err != nil {
-		return fmt.Errorf("find primary languages: %w", err)
-	}
-	stats.LoadAttributes()
-	for _, st := range stats {
-		if st.RepoID == repo.ID {
-			repo.PrimaryLanguage = st
-			break
-		}
+	// Load the primary language.
+	if err := repo.LoadLanguage(ctx); err != nil {
+		return fmt.Errorf("load language: %w", err)
 	}
+
 	return nil
 }
 
@@ -543,9 +557,7 @@ func (repo *Repository) ComposeMetas(ctx context.Context) map[string]string {
 func (repo *Repository) ComposeDocumentMetas(ctx context.Context) map[string]string {
 	if len(repo.DocumentRenderingMetas) == 0 {
 		metas := map[string]string{}
-		for k, v := range repo.ComposeMetas(ctx) {
-			metas[k] = v
-		}
+		maps.Copy(metas, repo.ComposeMetas(ctx))
 		metas["mode"] = "document"
 		repo.DocumentRenderingMetas = metas
 	}
@@ -786,8 +798,8 @@ func GetRepositoryByName(ctx context.Context, ownerID int64, name string) (*Repo
 
 // getRepositoryURLPathSegments returns segments (owner, reponame) extracted from a url
 func getRepositoryURLPathSegments(repoURL string) []string {
-	if strings.HasPrefix(repoURL, setting.AppURL) {
-		return strings.Split(strings.TrimPrefix(repoURL, setting.AppURL), "/")
+	if after, ok := strings.CutPrefix(repoURL, setting.AppURL); ok {
+		return strings.Split(after, "/")
 	}
 
 	sshURLVariants := [4]string{
@@ -798,8 +810,8 @@ func getRepositoryURLPathSegments(repoURL string) []string {
 	}
 
 	for _, sshURL := range sshURLVariants {
-		if strings.HasPrefix(repoURL, sshURL) {
-			return strings.Split(strings.TrimPrefix(repoURL, sshURL), "/")
+		if after, ok := strings.CutPrefix(repoURL, sshURL); ok {
+			return strings.Split(after, "/")
 		}
 	}
 

models/repo/repo_list.go

@@ -361,7 +361,7 @@ func SearchRepositoryCondition(opts *SearchRepoOptions) builder.Cond {
 	}
 
 	// Restrict repositories to those the OwnerID owns or contributes to as per opts.Collaborate
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		accessCond := builder.NewCond()
 		if !opts.Collaborate.ValueOrZeroValue() {
 			accessCond = builder.Eq{"owner_id": opts.OwnerID}
@@ -401,7 +401,7 @@ func SearchRepositoryCondition(opts *SearchRepoOptions) builder.Cond {
 	if opts.Keyword != "" {
 		// separate keyword
 		subQueryCond := builder.NewCond()
-		for _, v := range strings.Split(opts.Keyword, ",") {
+		for v := range strings.SplitSeq(opts.Keyword, ",") {
 			if opts.TopicOnly {
 				subQueryCond = subQueryCond.Or(builder.Eq{"topic.name": strings.ToLower(v)})
 			} else {
@@ -416,7 +416,7 @@ func SearchRepositoryCondition(opts *SearchRepoOptions) builder.Cond {
 		keywordCond := builder.In("id", subQuery)
 		if !opts.TopicOnly {
 			likes := builder.NewCond()
-			for _, v := range strings.Split(opts.Keyword, ",") {
+			for v := range strings.SplitSeq(opts.Keyword, ",") {
 				likes = likes.Or(builder.Like{"lower_name", strings.ToLower(v)})
 
 				// If the string looks like "org/repo", match against that pattern too

models/repo/repo_unit.go

@@ -237,10 +237,8 @@ func (cfg *ActionsConfig) IsWorkflowDisabled(file string) bool {
 }
 
 func (cfg *ActionsConfig) DisableWorkflow(file string) {
-	for _, workflow := range cfg.DisabledWorkflows {
-		if file == workflow {
-			return
-		}
+	if slices.Contains(cfg.DisabledWorkflows, file) {
+		return
 	}
 
 	cfg.DisabledWorkflows = append(cfg.DisabledWorkflows, file)

models/repo/topic.go

@@ -20,6 +20,9 @@ func init() {
 	db.RegisterModel(new(RepoTopic))
 }
 
+// MaxTopicsPerRepo caps the amount of topics allowed per repository.
+const MaxTopicsPerRepo = 25
+
 var topicPattern = regexp.MustCompile(`^[a-z0-9][-.a-z0-9]*$`)
 
 // Topic represents a topic of repositories

models/repo/upload.go

@@ -117,7 +117,7 @@ func DeleteUploads(ctx context.Context, uploads ...*Upload) (err error) {
 	defer committer.Close()
 
 	ids := make([]int64, len(uploads))
-	for i := 0; i < len(uploads); i++ {
+	for i := range uploads {
 		ids[i] = uploads[i].ID
 	}
 	if err = db.DeleteByIDs[Upload](ctx, ids...); err != nil {

models/secret/secret.go

@@ -20,7 +20,7 @@ import (
 
 var (
 	namePattern            = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
-	forbiddenPrefixPattern = regexp.MustCompile("(?i)^FORGEJO_|GITEA_|GITHUB_")
+	forbiddenPrefixPattern = regexp.MustCompile("(?i)^(FORGEJO_|GITEA_|GITHUB_|[0-9])")
 
 	ErrInvalidName = util.NewInvalidArgumentErrorf("invalid secret name")
 )

models/secret/secret_test.go

@@ -257,12 +257,18 @@ func TestSecretValidateName(t *testing.T) {
 		valid bool
 	}{
 		{"FORGEJO_", false},
+		{"PRE_FORGEJO_", true},
+		{"PRE_FORGEJO_SUF", true},
 		{"FORGEJO_123", false},
 		{"FORGEJO_ABC", false},
 		{"GITEA_", false},
+		{"PRE_GITEA_", true},
+		{"PRE_GITEA_SUF", true},
 		{"GITEA_123", false},
 		{"GITEA_ABC", false},
 		{"GITHUB_", false},
+		{"PRE_GITHUB_", true},
+		{"PRE_GITHUB_SUF", true},
 		{"GITHUB_123", false},
 		{"GITHUB_ABC", false},
 		{"123_TEST", false},